Interface firewall

xpumpa · December 11, 2017, 1:34pm

Hello all,
sorry for basic question.
I have VDSL modem in bridge mode and it is inserted to ether1 on mikrotik.
i created new PPPoE-VDSL interface for connecting to internet.
it is necessary add firewall filters for both interface ether1 and PPPoE-VDSL or only PPPoE enough?

add chain=input   action=drop   in-interface=ether1                                                           comment="Drop all from WAN input" 
add chain=input   action=drop   in-interface=PPPoE-VDSL                                                       comment="Drop all from WAN input" 
add chain=forward action=drop   connection-state=new connection-nat-state=!dstnat  in-interface=ether1        comment="Drop forward from WAN not DSTNATed" 
add chain=forward action=drop   connection-state=new connection-nat-state=!dstnat  in-interface=PPPoE-VDSL    comment="Drop forward from WAN not DSTNATed" 
..... and other rules using PPPoE and ether1

Thank you.

cdiedrich · December 11, 2017, 3:44pm

Just PPPoE should be enough. The paranoid would surely add ether1 as well (who knows what happens when your modem gets hijacked?)
But you could create an interface list with both interfaces in it and then have just one rule matching both interfaces.

-Chris