PPPoE - Prevent Failed PPP Calls

Our logs are going crazy with a few different attempts to log in to the PPP service via radius, but radius denies because their PPP account is wrong.
In our case, this is probably somebody with our modem that set it up wrong. The problem is that I can only seem to track it via MAC address.

I want to disable these PPP calls from our routing processing them or even hitting our Radius, so I can clear the logs and also so our Radius server isn’t hit with multiple requests every second.

How can I block this?
2012.02.22-14:50:45 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:0A:91:52:D1
2012.02.22-14:50:45 <172.16.50.1>: pppoe,ppp,info PPP-: : waiting for call…
2012.02.22-14:50:46 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating… - user admin authentication failed
2012.02.22-14:50:46 <172.16.50.1>: pppoe,ppp,info PPP-: : disconnected
2012.02.22-14:50:46 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:08:91:52:6A
2012.02.22-14:50:46 <172.16.50.1>: pppoe,ppp,info PPP-: : waiting for call…
2012.02.22-14:50:46 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating… - user versace authentication failed
2012.02.22-14:50:46 <172.16.50.1>: pppoe,ppp,info PPP-: : disconnected
2012.02.22-14:50:46 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:0A:91:52:D1
2012.02.22-14:50:46 <172.16.50.1>: pppoe,ppp,info PPP-: : waiting for call…
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating… - user admin authentication failed
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : disconnected
2012.02.22-14:50:48 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:08:91:52:6A
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : waiting for call…
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating… - user versace authentication failed
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : disconnected
2012.02.22-14:50:48 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:0A:91:52:D1
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : waiting for call…
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating…
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : disconnected
2012.02.22-14:50:49 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:0A:91:52:D1
2012.02.22-14:50:49 <172.16.50.1>: pppoe,ppp,info PPP-: : waiting for call…
2012.02.22-14:50:49 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating… - user admin authentication failed
2012.02.22-14:50:49 <172.16.50.1>: pppoe,ppp,info PPP-: : disconnected
2012.02.22-14:50:49 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:08:91:52:6A
2012.02.22-14:50:49 <172.16.50.1>: pppoe,ppp,info PPP-: : waiting for call…
2012.02.22-14:50:51 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating… - user admin authentication failed
2012.02.22-14:50:51 <172.16.50.1>: pppoe,ppp,info PPP-: : disconnected
2012.02.22-14:50:51 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:08:91:52:6A
2012.02.22-14:50:51 <172.16.50.1>: pppoe,ppp,info PPP-: : waiting for call…
etc.
etc.


THANKS :sunglasses:

Seems like these forum posts relate to this question, but nobody has received an answer.
http://forum.mikrotik.com/t/block-pppoe-connection/52281/1
http://forum.mikrotik.com/t/blocking-mac-from-pppoe-server/22351/1

Would a firewall rule block this from happening even though they don’t even have an established connection?

One solution is to use a managed layer 2 switch before MT to temporarily filter that MAC address.

Unfortunately, after speaking with HP about our 1810G ProCurve, this is not possible.

There has to be a PPP setting to block calls based on a MAC address right?
If not, there should be something implemented that could allow it the same way you can deny wifi connections in Mikrotik based on MAC in the Connect List.

Hi…

I experienced this today as well…
It makes me crazy…

Mikrotik, any solution for this?
Or do we just leave it that way…

Thanks…

You could try to specify the caller-id in the secret of the user, although I suspect
it is going to cause more headaches :slight_smile:
http://wiki.mikrotik.com/wiki/Manual:PPP_AAA#Properties_2

I don’t understand what’s so difficult in filtering somebody based on mac :slight_smile:
Make your PPPoE server run on a bridge interface, and use bridge filters on input chain to temporarily block MAC addresses.

Hi…
If you are the system, you will find this “fellow” is using some software that changes the MAC address and tries a new ID to access…
It changes every 1 second, thus you are not able to drop it…

And this is on PPPoE, not normal DHCP; with normal DHCP, yes, it can be done very straightforwardly…

But the caller ID is , , which there is no way to block, thus I was looking for someone more expert who can guide me to a better solution…

I simply want to block it by the MAC address per the caller-id or the username they are trying to authenticate with if anybody has a clue how to do this?

Block either the MAC: 00:E9:0A:91:52:D1 or user Versace so it doesn’t hit the router 30000 a day?

2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating… - user versace authentication failed
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : disconnected
2012.02.22-14:50:48 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:0A:91:52:D1
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : waiting for call…
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating…
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : disconnected
2012.02.22-14:50:49 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:0A:91:52:D1

Simply place your PPPoE interface in a bridge by itself. Now you can use a bridge filter rule to block the MAC address before it gets to the PPPoE server.

/interface bridge filter
add action=drop chain=input comment="Block User MAC Address" disabled=no in-interface= src-mac-address=00:E9:0A:91:52:D1/FF:FF:FF:FF:FF:FF

Note that you will have to update the PPPoE Service to use the new bridge interface after you have added the port to the bridge. This will also disconnect any existing PPPoE sessions. Don’t forget to update any firewall rules you may have as well.

This works for me on RB1100 with 5.14.

HTH

-Todd
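
The bridge-filter approach in the post above, extended into an added example (not part of the original post and not MikroTik tooling): it pairs each `PPPoE connection established from <MAC>` line with the following `authentication failed` line, counts failures per MAC, and prints a drop rule for every MAC at or above a threshold. The sample log is constructed in the thread's format; the bridge name `bridge-pppoe`, the threshold, and the rule that a failure belongs to the most recently established MAC are assumptions, since the quoted log lines carry no session identifier.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, in the format of the log lines quoted in the thread.
SAMPLE_LOG = """\
2012.02.22-14:50:45 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:0A:91:52:D1
2012.02.22-14:50:46 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating... - user admin authentication failed
2012.02.22-14:50:46 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:08:91:52:6A
2012.02.22-14:50:46 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating... - user versace authentication failed
2012.02.22-14:50:46 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:0A:91:52:D1
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating... - user admin authentication failed
2012.02.22-14:50:48 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:0A:91:52:D1
2012.02.22-14:50:48 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating...
2012.02.22-14:50:49 <172.16.50.1>: pppoe,info PPP-: PPPoE connection established from 00:E9:0A:91:52:D1
2012.02.22-14:50:49 <172.16.50.1>: pppoe,ppp,info PPP-: : terminating... - user admin authentication failed
"""

ESTABLISHED = re.compile(
    r"PPPoE connection established from ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
AUTH_FAILED = re.compile(r"user (\S+) authentication failed")

def failed_auth_by_mac(log_text):
    """Return {mac: Counter({username: failures})}."""
    failures = defaultdict(Counter)
    current_mac = None
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            current_mac = m.group(1).upper()
        elif current_mac and (m := AUTH_FAILED.search(line)):
            # Assumption: the failure belongs to the last established MAC.
            failures[current_mac][m.group(1)] += 1
            current_mac = None  # count each connection at most once
    return failures

def bridge_filter_rules(failures, threshold=3, bridge="bridge-pppoe"):
    """Emit one drop rule per MAC at or above the threshold.
    'bridge-pppoe' is a hypothetical bridge name, not taken from the thread."""
    rules = []
    for mac, users in sorted(failures.items()):
        total = sum(users.values())
        if total >= threshold:
            rules.append(
                "/interface bridge filter add action=drop chain=input "
                f"in-interface={bridge} "
                f"src-mac-address={mac}/FF:FF:FF:FF:FF:FF "
                f'comment="{total} failed PPPoE logins"')
    return rules

if __name__ == "__main__":
    for rule in bridge_filter_rules(failed_auth_by_mac(SAMPLE_LOG)):
        print(rule)
```

A per-MAC rule only helps while the source MAC stays fixed; one poster above reports a client whose MAC changes every second.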

As of now I have not found any concrete solution for this issue, but I am preventing it by creating an ACL rule to block PADI requests for the specific MAC.