How to allow PPPoE in firewall?

Hi,

My chains x [input, output, forward] have as final rule

chain=x action=drop

Which firewall rules should be created (before it) to allow proper functioning of the PPPoE client to the ISP?

like in First Time Configuration - RouterOS - MikroTik Documentation

Thanks

The firewall only interacts with ipv4, ipv6 (and arp) packets. PPPoE is neither, it has its own ethertype.

1 Like

Thank you @lurker888,

so when the PPPoE client is configured it shoots directly to the server then. Is there any control over it? Or is it unnecessary?

@JamesTUIAT As far as I can tell, the only option to manage these is at the ether/bridge/switch level.
The next article pretty much makes sense of some of the concepts.
Explanation of MikroTik Layer 2 Firewall Pattern Matchers

1 Like

Thanks @elico, sorry I can’t reach your link.

Either it’s down, uses too strong a filter, or is censored/moderated where I live…

It is normally reachable from here.

General hint: very often a copy of a site is on the Wayback Machine, and if it is not an ancient snapshot, it can be used as a substitute (i.e. not really suitable for news sites or for highly dynamic content, but technical resources tend to be rather static in nature).
The issue may be that one (or the other) snapshot is not complete, and you need to try a few to get the whole thing, possibly partially from different snapshots:
https://web.archive.org/web/20250000000000*/http://rickfreyconsulting.com/explanation-of-mikrotik-layer-2-firewall-pattern-matchers

1 Like

While the linked article is well written, in this context it’s mostly useless. Yes, you can filter PPPoE packets in all the usual L2 ways (MAC address, port, etc.), but for PPPoE (especially if you’re a client) they’re pretty much all-or-nothing.

So I wouldn’t feel the need to filter PPPoE packets as such. The packets are visible after decapsulation in the normal ip firewall; this is where filtering is advised, I would go so far as to say mandatory.

1 Like
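The point made in the replies above, as an added example that is not part of the thread and not MikroTik code: a small Python classifier that reads the ethertype of a frame and reports whether an IP firewall would ever see it, decapsulating PPPoE session data to recover the inner IP packet. The frames are constructed samples and the verdict strings are this example's own wording.

```python
import struct

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
ETH_VLAN, ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x8100, 0x8863, 0x8864
PPP_IPV4, PPP_IPV6, PPP_LCP = 0x0021, 0x0057, 0xC021

# Verdict labels are this example's own wording, not RouterOS output.
IP_FW_ETHER = "ip firewall, arriving on the Ethernet port"
IP_FW_PPPOE = "ip firewall, arriving on the PPPoE client interface"
L2_ONLY = "never reaches the ip firewall (bridge/switch level only)"

def inspect(frame: bytes):
    """Return (verdict, decapsulated IP packet or None) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype == ETH_VLAN and len(frame) >= 18:  # skip one 802.1Q tag
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    payload = frame[offset + 2:]
    if ethertype in (ETH_IPV4, ETH_IPV6, ETH_ARP):
        return IP_FW_ETHER, None
    if ethertype != ETH_PPPOE_SESS or len(payload) < 8:
        return L2_ONLY, None  # discovery (0x8863), runt or unrelated frames
    ver_type, code, _sid, length, proto = struct.unpack_from("!BBHHH", payload)
    if ver_type != 0x11 or code != 0x00 or proto not in (PPP_IPV4, PPP_IPV6):
        return L2_ONLY, None  # LCP, authentication, IPCP: PPP control traffic
    # The PPPoE length field counts the 2-byte PPP protocol field as well.
    return IP_FW_PPPOE, payload[8:6 + length]

# --- constructed sample frames (not captured traffic) ---
MACS = bytes.fromhex("020000000001020000000002")  # dst + src MAC
INNER = bytes.fromhex("4500001c") + bytes(24)      # 28-byte IPv4 stand-in

def pppoe(ethertype, code, session, ppp=b""):
    hdr = struct.pack("!HBBHH", ethertype, 0x11, code, session, len(ppp))
    return MACS + hdr + ppp

SAMPLES = {
    "PADI discovery": pppoe(ETH_PPPOE_DISC, 0x09, 0),
    "LCP echo": pppoe(ETH_PPPOE_SESS, 0, 1, struct.pack("!HBBHI", PPP_LCP, 9, 1, 8, 0)),
    "PPPoE data": pppoe(ETH_PPPOE_SESS, 0, 1, struct.pack("!H", PPP_IPV4) + INNER),
    "plain IPv4": MACS + struct.pack("!H", ETH_IPV4) + INNER,
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:15} -> {inspect(frame)[0]}")
```
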

Will a rule like

ip firewall raw add action=drop chain=prerouting in-interface-list=!LAN

block the PPPoE client?
FYI: The interface dedicated for the WAN (Ethnert1) is not part of the list LAN

Nope.

1 Like

Damn @lurker888! You reply fast! Are you FastTrack enabled yourself XD?