Switch Rule

Hello,

I will only allow PPPoE from the ports on the CRS317 to the uplink port. No access to the switch from the customer ports, nothing. Only PPPoE…
I have set these rules:
/interface ethernet switch rule
add disabled=yes mac-protocol=pppoe-discovery new-dst-ports=sfp-sfpplus1-uplink ports=sfp-sfpplus2-205162,sfp-sfpplus3-202669,sfp-sfpplus4-202490,sfp-sfpplus5-201434,sfp-sfpplus6-ebert-hs8a,sfp-sfpplus7-200452,sfp-sfpplus8-206799 switch=switch1
add disabled=yes mac-protocol=pppoe new-dst-ports=sfp-sfpplus1-uplink ports=sfp-sfpplus2-205162,sfp-sfpplus3-202669,sfp-sfpplus4-202490,sfp-sfpplus5-201434,sfp-sfpplus6-ebert-hs8a,sfp-sfpplus7-200452,sfp-sfpplus8-206799 switch=switch1
add disabled=yes new-dst-ports=sfp-sfpplus16-blackhole ports=sfp-sfpplus2-205162,sfp-sfpplus3-202669,sfp-sfpplus4-202490,sfp-sfpplus5-201434,sfp-sfpplus6-ebert-hs8a,sfp-sfpplus7-200452,sfp-sfpplus8-206799 switch=switch1

OK, it works. Only PPPoE is allowed. But when I activated it, the bridge learns no MACs from the ports. So the bridge sends the incoming traffic out to all ports?!
Must I set
copy-to-cpu (no | yes; Default: no)
Is this not overloading the CPU?

thank you
Christian

I may be missing something, but as the switch chip is forwarding the traffic among its ports on its own, using its own forwarding table implemented in hardware, there is no need for the bridge to learn the MAC addresses as well. It can only learn them from broadcast frames, which no longer appear once all the PPPoE sessions are established, so the MAC addresses age out of the bridge’s table.

Other than that, you don’t need to sacrifice one port (sfp-sfpplus16-blackhole) to create a “drop all” rule - it is enough to set new-dst-ports to an empty string in the last rule.

Assuming that:
the S+1 interface is the PPPoE server side;
the S+2 interface is the PPPoE client side;
that XX:XX:XX:XX:XX:XX is the MAC of the PPPoE server.

/interface ethernet switch rule
add switch=switch1 ports=S+1 mac-protocol=pppoe-discovery
add switch=switch1 ports=S+1 mac-protocol=pppoe dst-mac-address=XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=S+1 new-dst-ports=""
add switch=switch1 ports=S+2 mac-protocol=pppoe-discovery
add switch=switch1 ports=S+2 mac-protocol=pppoe src-mac-address=XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=S+2 new-dst-ports=""

If there is no configuration in the “Action” tab, this is an accept rule.
If “Set New Dst. Ports” is checked in the “Action” tab and no port is specified, this is a drop rule.

An improved version of the rules I posted above would be:

/interface ethernet switch rule
add switch=switch1 ports=S+1,S+2 mac-protocol=pppoe-discovery
add switch=switch1 ports=S+1 mac-protocol=pppoe dst-mac-address=XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=S+2 mac-protocol=pppoe src-mac-address=XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=S+1,S+2 new-dst-ports=""

Hello, vgdorneles

To clarify: you mean that I must insert the MAC of the PPPoE server and the MAC of the PPPoE user?
Is there no other way for the bridge to learn the MAC addresses when only PPPoE is usable from the user side, without a “bridge filter” (which disables hardware offloading)?

thank you
Christian

Hello,

Must I set the PPPoE server MAC and the user MAC to allow only PPPoE in the switch rule?

Hello vgdorneles,

I have installed this. But then I lose connectivity to my switch.
I manage the switch via a VLAN with an IP on S+1.
The VLAN should be accessible to the switch from outside.
The VLAN is set under Interface->VLAN; it should not be affected by the switch rules, but why is it? Same MAC address?

best regards
Christian

No, the MAC is only for the PPPoE server. Unless you want to limit MAC access for PPPoE users, you have no reason to do that.

/interface ethernet switch rule
add switch=switch1 ports=S+1,S+2 mac-protocol=pppoe-discovery
add switch=switch1 ports=S+1 mac-protocol=pppoe dst-mac-address=XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=S+2 mac-protocol=pppoe src-mac-address=XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=S+1,S+2 new-dst-ports=""

The green rules are accept rules. The red rules are drop rules. If you want to have a management VLAN, you must configure an accept rule for the management VLAN before the drop rule:

/interface ethernet switch rule
add switch=switch1 ports=S+1,S+2 mac-protocol=pppoe-discovery
add switch=switch1 ports=S+1 mac-protocol=pppoe dst-mac-address=XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=S+2 mac-protocol=pppoe src-mac-address=XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=S+1 vlan-id=1234
add switch=switch1 ports=S+1,S+2 new-dst-ports=""

This goes for anything you don’t want to drop.
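Added example, not from the thread or any MikroTik code: a small Python model of the rule evaluation vgdorneles describes (rules checked top-down against the frame's ingress port, first match wins, a rule with no action accepts, new-dst-ports="" drops, no match falls through to normal forwarding). It replays the two rule sets from the posts above to show why the management VLAN frame on S+1 is dropped unless its accept rule sits before the drop rule; MACs, the S+1/S+2 port names and VLAN 1234 are constructed placeholders.

```python
# Added example, not from the thread: a model of the switch rule evaluation
# vgdorneles describes (top-down, first match on the ingress port wins, a rule
# with no action accepts, new-dst-ports="" drops, no match = normal forwarding).
# MACs, port names S+1/S+2 and VLAN 1234 are constructed placeholders.
from dataclasses import dataclass
from typing import Optional
PPPOE_DISC, PPPOE_SESS, IPV4 = 0x8863, 0x8864, 0x0800  # mac-protocol values
SERVER_MAC = "02:00:00:00:00:01"  # stands in for XX:XX:XX:XX:XX:XX

@dataclass
class Frame:
    port: str                   # ingress port
    ethertype: int
    src: str
    dst: str
    vlan: Optional[int] = None  # None = untagged

@dataclass
class Rule:
    ports: frozenset
    ethertype: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    vlan: Optional[int] = None
    drop: bool = False          # True models new-dst-ports=""

    def matches(self, f: Frame) -> bool:
        # every unset matcher is a wildcard, like an unset rule field in RouterOS
        return (f.port in self.ports
                and self.ethertype in (None, f.ethertype)
                and self.src in (None, f.src)
                and self.dst in (None, f.dst)
                and self.vlan in (None, f.vlan))

def verdict(rules, frame) -> str:
    """First matching rule decides; no match falls through to normal forwarding."""
    for r in rules:
        if r.matches(frame):
            return "drop" if r.drop else "accept"
    return "accept"

S1, S2, S12 = frozenset({"S+1"}), frozenset({"S+2"}), frozenset({"S+1", "S+2"})
PPPOE_ONLY = [  # the three accept rules as posted above
    Rule(S12, ethertype=PPPOE_DISC),
    Rule(S1, ethertype=PPPOE_SESS, dst=SERVER_MAC),
    Rule(S2, ethertype=PPPOE_SESS, src=SERVER_MAC),
]
DROP_REST = Rule(S12, drop=True)
WITHOUT_MGMT = PPPOE_ONLY + [DROP_REST]                    # management VLAN lost
WITH_MGMT = PPPOE_ONLY + [Rule(S1, vlan=1234), DROP_REST]  # accept VLAN 1234 first
MGMT = Frame("S+1", IPV4, "02:00:00:00:00:99", "02:00:00:00:00:42", vlan=1234)
```

Calling verdict(WITHOUT_MGMT, MGMT) gives "drop" and verdict(WITH_MGMT, MGMT) gives "accept", while PPPoE discovery frames and frames on ports with no rules are accepted in both sets.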

Hello,

OK.
Now it works. PPPoE untagged on the customer port, nothing else. Good.

/interface ethernet switch rule
add dst-mac-address=00:00:00:00:00:00/00:00:00:00:00:00 mac-protocol=pppoe-discovery ports=\
    "sfp-sfpplus1-uplink,sfp-sfpplus2-205162,sfp-sfpplus3-202669" src-mac-address=\
    00:00:00:00:00:00/00:00:00:00:00:00 switch=switch1
add dst-mac-address=00:00:00:00:00:00/00:00:00:00:00:00 mac-protocol=pppoe ports=\
    "sfp-sfpplus1-uplink,sfp-sfpplus2-205162,sfp-sfpplus3-202669" src-mac-address=\
    00:00:00:00:00:00/00:00:00:00:00:00 switch=switch1
add new-dst-ports="" ports="sfp-sfpplus2-205162,sfp-sfpplus3-202669" switch=switch1
[admin@ftth-switch1] /interface ethernet switch rule>

But now I will add IPTV.
The IPTV streamer and DHCP server for the CPEs are on VLAN 10 on the uplink port.
The customer should get an IP address for his CPE and IPTV over VLAN 10 on his interface. IGMP snooping is not needed.
Is there a way to enable only DHCP and multicast on VLAN 10 in addition to the config above?

thanks and regards
christian