PPPoE - firewall rules - help

Hello,


I have a Mikrotik 493 connected to the internet via a wireless card. 9 PCs are connected to the 9 ethernet ports. Every eth. port has a PPPoE concentrator. All PCs have a PPPoE client set up.

Everything works fine now.

All PCs have public addresses and I need to set up a firewall (access lists). I need to drop spoofed IP addresses. Only IPs from the /27 range may communicate; all others should be dropped. But it doesn't work. If I select in-interface=(pppoe name of interface), then it works, but I need the rules on the physical eth interfaces.



0 ;;; access-list eth1
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether1
1 chain=forward action=accept out-interface=ether1
chain=forward action=drop in-interface=ether1

2 ;;; access-list eth2
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether2
3 chain=forward action=accept out-interface=ether2
chain=forward action=drop in-interface=ether2

4 ;;; access-list eth3
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether3
5 chain=forward action=accept out-interface=ether3
chain=forward action=drop in-interface=ether3

6 ;;; access-list eth4
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether4
7 chain=forward action=accept out-interface=ether4
chain=forward action=drop in-interface=ether4

8 ;;; access-list eth5
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether5
9 chain=forward action=accept out-interface=ether5
chain=forward action=drop in-interface=ether5

10 ;;; access-list eth6
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether6
11 chain=forward action=accept out-interface=ether6
chain=forward action=drop in-interface=ether6

12 ;;; access-list eth7
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether7
13 chain=forward action=accept out-interface=ether7
chain=forward action=drop in-interface=ether7

14 ;;; access-list eth8
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether8
15 chain=forward action=accept out-interface=ether8
chain=forward action=drop in-interface=ether8

16 ;;; access-list eth9
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether9
17 chain=forward action=accept out-interface=ether9
chain=forward action=drop in-interface=ether9


How can I set a rule to block spoofed IP addresses?

You won’t see the data on etherX - you need to be using the PPPoE interface, not the physical Ethernet interface. Something like:

chain=forward action=drop src-address=!192.0.2.1 in-interface=pppoe-client1
chain=forward action=drop src-address=!192.0.2.2 in-interface=pppoe-client2
chain=forward action=drop src-address=!192.0.2.3 in-interface=pppoe-client3
...

Where the RFC5737 addresses should be replaced with whatever your real IPs are.

Thank you for your reply,

but … if I set rules with in-interface=pppoe-client(x) and the customer (pppoe-client) has disconnected from PPPoE, then the rules will be off, because in-interface=unknown, and this is a bad solution ..

Yes - sorry, my mind was elsewhere and you are correct - for you this is not a good solution. Instead, create a new PPP profile for each connection and use the ‘incoming filter’ to do the check/drop.

Or create PPPoE server bindings and use these for the firewall rules.
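One way to realise the ‘incoming filter’ suggestion above, as an added example and not any poster's own configuration: one PPP secret per customer with a fixed remote-address, a per-customer PPP profile whose incoming-filter names a firewall chain, and that chain dropping every packet whose source is not the assigned address. The customer names, chain names and 192.0.2.x addresses are placeholders; the jump into the ppp chain is assumed to be the documented way RouterOS hands PPP client traffic to the profile's incoming-filter chain, so check it against your RouterOS version.

```routeros
# Added example (not from the thread). 192.0.2.x are RFC 5737 placeholders.

# Give the "ppp" chain control over traffic that enters on any PPP interface.
# For a connected client RouterOS then dispatches its packets into the chain
# named by that client's profile incoming-filter (assumed per the RouterOS docs).
/ip firewall filter
add chain=forward action=jump jump-target=ppp comment="per-profile PPP filters"
add chain=input   action=jump jump-target=ppp comment="per-profile PPP filters"

# Per-customer anti-spoofing chains: log a sample, then drop anything whose
# source is not the address the customer's secret assigns. Packets with the
# correct source fall off the end of the chain and continue through forward.
/ip firewall filter
add chain=cust1-in src-address=!192.0.2.1 action=log log-prefix="spoof-cust1 "
add chain=cust1-in src-address=!192.0.2.1 action=drop
add chain=cust2-in src-address=!192.0.2.2 action=log log-prefix="spoof-cust2 "
add chain=cust2-in src-address=!192.0.2.2 action=drop

# One profile per customer; incoming-filter binds that customer's chain.
# The binding follows the login, not an interface name, so it survives
# PPPoE reconnects where an in-interface=pppoe-clientX rule would go stale.
/ppp profile
add name=cust1-profile local-address=192.0.2.254 incoming-filter=cust1-in
add name=cust2-profile local-address=192.0.2.254 incoming-filter=cust2-in

# Secrets tie login -> profile -> fixed remote address (placeholder passwords).
/ppp secret
add name=cust1 password=<cust1-password> service=pppoe profile=cust1-profile remote-address=192.0.2.1
add name=cust2 password=<cust2-password> service=pppoe profile=cust2-profile remote-address=192.0.2.2
```

After a customer connects, /ip firewall filter print should show the dynamic entries RouterOS adds in the ppp chain for that session, and the log-prefix lines in /log make spoofing attempts visible per customer.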