PPPoE Server Firewall Filter

Hi there,

I just wanted to ask if there is an option to block traffic from PPPoE clients to the management subnet on MT with an interface-based rule (not a source-IP rule)?

I saw there is an option to add a filter rule with incoming interface “pppoe-in1”, but my problem is that this only matches particular users. Or am I wrong? How can I add a rule for all PPPoE clients?


Best regards

You should probably be thinking about this the other way around. Typically on a firewall configuration you use rules which block all traffic (e.g. a drop all rule on the forward chain) and then add rules to permit the specific traffic which you want to allow.

Good approach! I’m testing the rule “drop all traffic to the management subnet with in-interface=!management-interface”. Thanks so far.

Okay, not as good as I thought. Is there really no option to select the PPPoE server as the interface for all users?

I suggest that you upload the config using /export compact and describe the application.

Backbone ↔ L2TP Server + RADIUS + Management NMS ↔ L2TP Client + PPPoE Server ↔ WiFi CPE (which has to reach the Management NMS) ↔ PPPoE Client

# may/31/2012 09:30:59 by RouterOS 5.16
# software id = ZFR7-4PTV
#
# /export compact output posted in the thread. Public addresses, credentials
# and the RADIUS secret appear to have been redacted by the poster as
# "x.x.x.x" / "xxx".
#
# Physical ports. ether2 is the client-facing side (PPPoE server and the
# 10.0.x.0/24 addresses are bound to it below); ether1 carries the redacted
# upstream address and a DHCP client.
/interface ethernet
set 0 arp=proxy-arp auto-negotiation=yes disabled=no full-duplex=yes l2mtu=\
    1600 mac-address=D4:CA:6D:22:C0:CB mtu=1500 name=ether10 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 \
    mac-address=D4:CA:6D:22:C0:CC mtu=1500 name=ether9 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 \
    mac-address=D4:CA:6D:22:C0:CE mtu=1500 name=ether7 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 \
    mac-address=D4:CA:6D:22:C0:CD mtu=1500 name=ether8 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 \
    mac-address=D4:CA:6D:22:C0:CF mtu=1500 name=ether6 speed=100Mbps
set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:22:C0:D0 \
    master-port=none mtu=1500 name=ether5 speed=100Mbps
set 6 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:22:C0:D1 \
    master-port=none mtu=1500 name=ether4 speed=100Mbps
set 7 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:22:C0:D2 \
    master-port=none mtu=1500 name=ether3 speed=100Mbps
set 8 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:22:C0:D3 \
    master-port=none mtu=1500 name=ether2 speed=100Mbps
set 9 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:22:C0:D4 \
    master-port=none mtu=1500 name=ether1 speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
    cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
    split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default \
    shared-users=1 status-autorefresh=1m transparent-proxy=no
# Default IPsec proposal (3des / sha1 / modp1024). No IPsec peers or policies
# appear in this export, so it is only relevant if IPsec is added later;
# revisit the algorithms before that.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
# Address pool handed to PPPoE sessions through the PPPoE profile
# (remote-address=pppoepool below); range redacted.
/ip pool
add name=pppoepool ranges=x.x.x.x/x
/port
set 0 baud-rate=115200 data-bits=8 flow-control=none name=serial0 parity=none \
    stop-bits=1
set 1 baud-rate=115200 data-bits=8 flow-control=none name=serial1 parity=none \
    stop-bits=1
# PPP profiles. The PPPoE profile enables encryption and a 1d session timeout
# but sets no per-profile traffic filter; the thread's closing post reports
# settling on the profile's incoming filter to steer all session traffic into
# a firewall chain, which is the "one rule for every PPPoE client" the
# opening question asks for.
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default
add change-tcp-mss=default name=l2tp_profile only-one=default \
    use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default
add change-tcp-mss=default dns-server=x.x.x.x local-address=\
    x.x.x.x name=PPPoE only-one=default remote-address=pppoepool \
    session-timeout=1d use-compression=default use-encryption=yes use-mpls=\
    default use-vj-compression=default
set 3 change-tcp-mss=yes name=default-encryption only-one=default \
    use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default
# Uplink tunnel toward the backbone; credentials redacted. The default route
# (see /ip route) points at this interface, so all non-local traffic,
# including PPPoE client traffic, leaves through the tunnel.
/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=\
    x.x.x.x dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460 \
    mrru=1600 name=L2TP_Client password="xxx" profile=l2tp_profile \
    user="xxx"
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
# Routing-protocol instances: no BGP peers, OSPF interfaces or networks appear
# in this export, so these are the stock instances with nothing attached.
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no \
    ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
    no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=\
    ospf-in metric-bgp=auto metric-connected=20 metric-default=1 \
    metric-other-ospf=auto metric-rip=20 metric-static=20 name=default \
    out-filter=ospf-out redistribute-bgp=no redistribute-connected=no \
    redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
    backbone type=default
# Read-only "public" community accepted from 0.0.0.0/0 with security=none.
# Only harmless while /snmp enabled=no (further down); narrow the address
# before turning SNMP on.
/snmp community
set [ find default=yes ] address=0.0.0.0/0 authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=\
    DES name=public read-access=yes security=none write-access=no
# Logging actions. A "remote" syslog action exists but no /system logging
# rule below uses it; everything goes to the 100-line memory buffer.
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 \
    syslog-facility=daemon syslog-severity=auto target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api" skin=default
# No bridge or bridge ports are defined in this export, so the
# use-ip-firewall-for-pppoe setting has no effect here; judging by its name it
# only matters for PPPoE frames crossing a bridge.
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=fallback
set 1 vlan-header=leave-as-is vlan-mode=fallback
set 2 vlan-header=leave-as-is vlan-mode=fallback
set 3 vlan-header=leave-as-is vlan-mode=fallback
set 4 vlan-header=leave-as-is vlan-mode=fallback
set 5 vlan-header=leave-as-is vlan-mode=fallback
# The L2TP, OVPN, PPTP and SSTP servers are all enabled=no; only the PPPoE
# server below is active.
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
    default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=FE:06:5A:E5:C4:FE \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
# PPPoE service on ether2 using the PPPoE profile; sessions authenticate via
# RADIUS (/ppp aaa use-radius=yes). one-session-per-host=yes presumably caps
# each client MAC at one session; max-sessions=0 is shown as configured
# (0 is treated as "no limit" on RouterOS — confirm for 5.16).
/interface pppoe-server server
add authentication=pap,chap,mschap1,mschap2 default-profile=PPPoE disabled=no \
    interface=ether2 keepalive-timeout=10 max-mru=1454 max-mtu=1454 \
    max-sessions=0 mrru=disabled one-session-per-host=yes service-name=\
    PPPoE_Server
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled port=443 verify-client-certificate=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
# Six /24s share ether2 with the PPPoE server. The thread does not say which
# of them is the management subnet; with the forward chain empty (see
# /ip firewall filter) every one of them is routable from any PPPoE session.
/ip address
add address=10.0.96.254/24 disabled=no interface=ether2 network=10.0.96.0
add address=10.0.97.254/24 disabled=no interface=ether2 network=10.0.97.0
add address=10.0.98.254/24 disabled=no interface=ether2 network=10.0.98.0
add address=10.0.99.254/24 disabled=no interface=ether2 network=10.0.99.0
add address=10.0.104.254/24 disabled=no interface=ether2 network=10.0.104.0
add address=10.0.107.1/24 disabled=no interface=ether2 network=10.0.107.0
add address=x.x.x.x/x disabled=no interface=ether1 network=x.x.x.x
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
# DHCP relay from ether2 toward 192.168.1.101; the same host is the sniffer
# filter address further down.
/ip dhcp-relay
add delay-threshold=none dhcp-server=192.168.1.101 disabled=no interface=\
    ether2 local-address=10.0.107.1 name="SKY-Pilot_Relay"
/ip dhcp-server config
set store-leases-disk=5m
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=""
# Connection tracking is enabled, so stateful (established/related) accept
# rules are available once a filter is written.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
# EMPTY. There are no input or forward rules at all, so PPPoE sessions can
# reach every local subnet and every service on the router itself; this is
# the gap the thread is about. Per the replies, build each chain as explicit
# accepts for the management side followed by a final drop, rather than a
# single negated-interface drop. Whether a single matcher can cover all
# PPPoE sessions on this version is the open question in the thread; the
# closing post uses the PPP profile's incoming filter instead.
/ip firewall filter
# Conntrack helpers (ftp, tftp, irc, h323, sip, pptp) are all disabled.
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=yes
/ip hotspot service-port
set ftp disabled=no ports=21
# Neighbor discovery is on for every ethernet port, including the
# client-facing ether2; only the tunnel is excluded. Consider limiting it to
# the management side so the router does not advertise itself to clients.
/ip neighbor discovery
set ether10 disabled=no
set ether9 disabled=no
set ether7 disabled=no
set ether8 disabled=no
set ether6 disabled=no
set ether5 disabled=no
set ether4 disabled=no
set ether3 disabled=no
set ether2 disabled=no
set ether1 disabled=no
set L2TP_Client disabled=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
    600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
    0.0.0.0
# Default route via the L2TP tunnel; one redacted static route and three
# redacted unreachable routes (blackholes for prefixes that must not be
# forwarded upstream — TODO confirm intent with the author).
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=L2TP_Client scope=30 \
    target-scope=10
add disabled=no distance=1 dst-address=x.x.x.x/x gateway=x.x.x.x/x \
    scope=30 target-scope=10
add disabled=no distance=1 dst-address=x.x.x.x/x type=unreachable
add disabled=no distance=1 dst-address=x.x.x.x/x type=unreachable
add disabled=no distance=1 dst-address=x.x.x.x/x type=unreachable
# Management services. Telnet (cleartext) is the enabled CLI transport while
# ssh is disabled; api and winbox are enabled with a redacted source
# restriction; www, www-ssl and ftp are off. The address restriction is the
# only thing protecting these while the input chain is empty — prefer ssh
# over telnet for the allowed range.
/ip service
set telnet address=\
    x.x.x.x/x disabled=no \
    port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80
set ssh address="" disabled=yes port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="x.x.x.x/x" disabled=no port=8728
set winbox address="x.x.x.x/x" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
    max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
    lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
    use-explicit-null=no
/port firmware
set directory=firmware
# PPP (PPPoE) sessions authenticate and account through RADIUS with 5m interim
# updates; /radius incoming accept=no below means the RADIUS server cannot
# push disconnects to sessions.
/ppp aaa
set accounting=yes interim-update=5m use-radius=yes
/queue interface
set ether10 queue=only-hardware-queue
set ether9 queue=only-hardware-queue
set ether7 queue=only-hardware-queue
set ether8 queue=only-hardware-queue
set ether6 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether1 queue=only-hardware-queue
# RADIUS server for service=ppp; address and secret redacted. timeout=300ms is
# short if the server sits behind the L2TP uplink as the topology line in the
# thread suggests — confirm it does not cause spurious auth failures.
/radius
add accounting-backup=no accounting-port=1813 address=x.x.x.x/x \
    authentication-port=1812 called-id="" disabled=no domain="" realm="" \
    secret=xxx service=ppp src-address=x.x.x.x/x timeout=300ms
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
    multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" \
    trap-target="" trap-version=1
/system clock
set time-zone-name=Europe/Berlin
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system console
set [ find port=serial0 ] disabled=no port=serial0 term=vt102
/system identity
set name="Mvox Rossbach"
# All logging goes to the volatile 100-line memory buffer (plus echo for
# critical). Any log=yes firewall rules added later will be lost on reboot
# unless the "remote" or "disk" action is used.
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=130.149.17.21 secondary-ntp=\
    131.246.1.116
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
set 9 cpu=auto
set 10 cpu=auto
set 11 cpu=auto
set 12 cpu=auto
set 13 cpu=auto
/system routerboard settings
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
    boot-protocol=bootp cpu-frequency=1GHz<400DDR> enable-jumper-reset=yes \
    enter-setup-on=any-key force-backup-booter=no silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
    none watchdog-timer=yes
# Bandwidth-test server is enabled (authenticated); with no input rules it is
# reachable from PPPoE sessions as well as from the management side.
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 user=""
/tool graphing
set page-refresh=300 store-every=5min
# MAC-telnet, MAC-winbox and MAC-ping answer on interface=all, which includes
# the client-facing ether2. These are layer-2 paths that the /ip service
# address limits and any IP firewall rule do not cover; restricting them to
# the management interface is a cheap hardening step.
/tool mac-server
set [ find default=yes ] disabled=no interface=all
/tool mac-server mac-winbox
set [ find default=yes ] disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
# Packet-sniffer settings (filter pinned to the DHCP server host); the export
# does not show whether the sniffer is running.
/tool sniffer
set file-limit=1000KiB file-name="" filter-direction=any filter-ip-address=\
    192.168.1.101/32 filter-ip-protocol="" filter-mac-address="" \
    filter-mac-protocol="" filter-port="" filter-stream=yes interface=all \
    memory-limit=100KiB memory-scroll=yes only-headers=no streaming-enabled=\
    no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
# Router logins use local users only (use-radius=no) with "read" as the
# default group; the PPP RADIUS setup above is separate from this.
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no

Found another solution. Thanks.

- A drop rule on the input chain matching a source address list
- The PPP profile's incoming filter

It would be better to use accept rules on the input chain for the interfaces/IP ranges that should have access, followed by a drop-all rule.