good afternoon. How can you limit access to a mikrotik router to only access it by ppoe to prevent clients from assigning themselves an IP and browsing without limits?
To assign no IP address to the interface through which the PPPoE clients connect is the simplest way to do that.
the problem i have is that clients in this range have static ip
What “this range”? Are you saying you use the same L2 segment for clients with directly assigned IP addresses and for PPPoE clients?
I only use ppoe for client. for example the ppoe 12345678A assigned the public IP12,356,145.3 statically. If another client puts the IP 12.356.145.4 on their router, they can browse without the ppoe limit
You mean that the user sets an arbitrary IP on his PPPoE client, and your Mikrotik accepts that address as a remote one for that client although a different one is set in the /ppp secret item (or, if a pool is configured for the /ppp profile item used by that /ppp secret item, your Mikrotik accepts a user-suggested address which does not fit into the pool)?
Even if that is the case (by common sense it should not be but I have never tested that), you should still be able to defeat this by using one /ppp profile item for users with public addresses, and another /ppp profile item for users with private addresses, and set a different interface-list in each of the profiles. Then, your firewall rules will only permit outgoing traffic which matches both the in-interface-list and the corresponding src-address or src-address-list (you can define a single subnet or a single range as src-address; for several non-contiguous ranges, you have to use the address-list).
Thanks a lot!