PPPoE and bridged network simultaneously

Hi,
I have a setup like this: Core Router → MT box → AP → end users.

All the routing is done in the core router; the MT box is configured as a bridge and serves as traffic/user management and transparent proxy cache. So, I have a bridged network.
I was experimenting with PPPoE, and I managed to add one user; it succeeded in logging in and is working OK.

My question is:
When I add all users on PPPoE, how can I stop other users who don't have a PPP account from using the network, like they are using it right now?

Of course I have a bridge firewall configured to allow only desired MAC addresses; this way I control my bridged users, but if I deny all MACs I assume they won't pass the bridge even when logged in via PPPoE.

Why, after setting users up on PPPoE, are they not forwarded to the web proxy? How can I make the transparent proxy work for PPPoE users?
Anyone?

BUMP,
This is the lousiest forum ever :cry:

That way you won’t get much help anyway…

A short hint: RTFM… There you could read that it’s suggested NOT to have an IP address on interfaces used as a PPPoE server. That way nobody could use your connection without correct PPP auth data…

Yeah, I read that,
but I mentioned that this MT box is acting as a bridge, so it doesn't need an IP address anyway to function.
So, does this mean I can't stop non-PPPoE users from getting through it if I don't make this MT box function as a router?
Is there some way to filter non-PPPoE and PPPoE users on the bridge?

You can filter traffic through the bridge. Actually, in three ways:

  1. You can set the “forwarded protocols” parameter in the bridge settings itself (you surely have seen that).
  2. All packets through the bridge also pass the regular firewall, where you could filter.
  3. There is a special “bridge firewall” section. There, you could for example drop all PPPoE packets in the bridge. To do that create bridge firewall rules to drop the MAC protocols “pppoe-discovery” (0x8863) and “pppoe-session” (0x8864).

Thank you very much for your answer.
If I make the bridge not forward some protocols, will that stop those protocols for both PPP and other users?
On the bridge firewall I can filter, but I don't want to drop pppoe-discovery and pppoe-session; I want to allow PPP traffic and drop all other traffic passing through the bridge.
There must be some simple way of stopping computers from passing through this bridge unless they have a PPP account?


thank you.

OK, problem solved, and I will describe the solution in case anyone is in that kind of situation.
Keep in mind that my MT box is configured as a bridge, no routing, and the traffic is passing through the Lan interface to the Wan interface.

This box is also acting as DHCP server, Transparent Proxy server, doing Traffic Shaping, and now also as PPPoE server (access concentrator).
Amazing what a small piece of software with decent hardware can do.
MikroTik ruleeeeez.

Transparent proxy issue:
The dst-nat rule was listening only on the Lan interface, so it was not hearing and forwarding PPPoE users' HTTP requests to the proxy port. I had to change the rule to listen on “all” interfaces, and it worked. I hope I didn't do anything bad with that for security concerns.

Stopping service for non-PPPoE users:
Added a bridge firewall rule to drop all traffic going from the Lan interface to the Wan interface.
This way the traffic from PPPoE interfaces will flow unfiltered, but traffic from LAN to WAN will be dropped; it can also be allowed for some users by adding an accept rule for specific MACs above the drop-all rule.

Thanks and have fun.
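
The two fixes described in the post above, written out as RouterOS rules. This is an added example, not configuration from the thread: the interface names `ether-lan` and `ether-wan`, the MAC address and proxy port 8080 are assumptions. The NAT part is scoped more narrowly than an "all interfaces" rule, so the redirect matches only subscriber-side traffic.

```routeros
# Added example, not from the thread. Assumed names: ether-lan / ether-wan are
# the two bridge ports, 00:11:22:33:44:55 is a constructed MAC, 8080 is the
# assumed proxy port.

/interface bridge filter
# Optional exception for a host that stays on plain bridging.
# Rules are evaluated top to bottom, so this must sit above the drop.
add chain=forward in-interface=ether-lan out-interface=ether-wan \
    src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF action=accept \
    comment="bridged exception (constructed MAC)"
# Everything else bridged straight from LAN to WAN is dropped. PPPoE sessions
# terminate on this box and appear as PPPoE interfaces (as the post describes),
# so this rule does not match their traffic.
add chain=forward in-interface=ether-lan out-interface=ether-wan \
    action=drop comment="no PPPoE session, no transit"

/ip firewall nat
# Weak form (what "all interfaces" amounts to): with no in-interface matcher
# the redirect can also match port-80 connections arriving on the WAN side.
#   add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
#
# Scoped form: redirect only what arrives from subscribers.
add chain=dstnat in-interface=ether-lan protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="bridged users to proxy"
add chain=dstnat in-interface=all-ppp protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="PPPoE users to proxy"
```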