kofaki
just joined
Topic Author
Posts: 4
Joined: Wed Mar 05, 2014 4:11 pm

PPPoE - firewall rules - help

Wed Mar 05, 2014 4:48 pm

Hello,


I have a MikroTik 493 connected to the internet via a wireless card. Nine PCs are connected to the nine Ethernet ports. Every Ethernet port has a PPPoE concentrator, and all PCs have a PPPoE client set up.

All works fine, now.

All PCs have a public address and I need to set up a firewall (access lists). I need to drop spoofed IP addresses: only IPs from the /27 range may communicate, everything else is dropped. But it doesn't work. If I select in-interface=(pppoe name of interface), then it works, but I need the rules on the physical Ethernet interfaces.



0 ;;; access-list eth1
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether1
1 chain=forward action=accept out-interface=ether1
chain=forward action=drop in-interface=ether1

2 ;;; access-list eth2
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether2
3 chain=forward action=accept out-interface=ether2
chain=forward action=drop in-interface=ether2

4 ;;; access-list eth3
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether3
5 chain=forward action=accept out-interface=ether3
chain=forward action=drop in-interface=ether3

6 ;;; access-list eth4
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether4
7 chain=forward action=accept out-interface=ether4
chain=forward action=drop in-interface=ether4

8 ;;; access-list eth5
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether5
9 chain=forward action=accept out-interface=ether5
chain=forward action=drop in-interface=ether5

10 ;;; access-list eth6
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether6
11 chain=forward action=accept out-interface=ether6
chain=forward action=drop in-interface=ether6

12 ;;; access-list eth7
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether7
13 chain=forward action=accept out-interface=ether7
chain=forward action=drop in-interface=ether7

14 ;;; access-list eth8
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether8
15 chain=forward action=accept out-interface=ether8
chain=forward action=drop in-interface=ether8

16 ;;; access-list eth9
chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether9
17 chain=forward action=accept out-interface=ether9
chain=forward action=drop in-interface=ether9


How can I set a rule to block spoofed IP addresses?
NAB
Trainer
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: PPPoE - firewall rules - help

Thu Mar 06, 2014 12:28 pm

> 0 ;;; access-list eth1
> chain=forward action=accept src-address=x.y.z.160/27 in-interface=ether1
> 1 chain=forward action=accept out-interface=ether1
> chain=forward action=drop in-interface=ether1
You won't see the data on etherX - you need to be using the PPPoE interface not the physical Ethernet interface. Something like:
chain=forward action=drop src-address=!192.0.2.1 in-interface=pppoe-client1
chain=forward action=drop src-address=!192.0.2.2 in-interface=pppoe-client2
chain=forward action=drop src-address=!192.0.2.3 in-interface=pppoe-client3
...
Where the RFC5737 addresses should be replaced with whatever your real IPs are.
Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
kofaki
just joined
Topic Author
Posts: 4
Joined: Wed Mar 05, 2014 4:11 pm

Re: PPPoE - firewall rules - help

Thu Mar 06, 2014 1:46 pm

Thank you for your reply,

but ... if I set rules with in-interface=pppoe-client(x) and the customer (pppoe-client) has disconnected from PPPoE, then the rules will be off, because in-interface=unknown, and this is a bad solution ..
NAB
Trainer
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: PPPoE - firewall rules - help

Sat Mar 08, 2014 2:18 am

> in-interface=unknown and this is bad solution..
Yes - sorry, my mind was elsewhere and you are correct - for you this is not a good solution. Instead, create a new PPP profile for each connection and use the 'incoming filter' to do the check/drop.
Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
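As an added illustration of the approach NAB describes (example configuration written for this thread, not something NAB or MikroTik posted): one PPP profile per connection, each pointing its incoming-filter at a small firewall chain that accepts only that customer's assigned address and logs and drops anything else. The addresses are constructed from RFC 5737 TEST-NET-1 and stand in for the x.y.z.160/27 range in the original post; the user names, service names and passwords are placeholders. The jump rules into the special "ppp" chain follow the RouterOS documentation for the incoming-filter parameter, which requires that chain to be reached from forward/input before the per-profile chains are consulted.

```routeros
# Added example, not from the thread: per-customer PPP profiles whose
# incoming-filter chain enforces the single source address each client may use.
# Addresses are constructed (RFC 5737, 192.0.2.160/27 stands in for x.y.z.160/27);
# cust1/cust2 and CHANGE_ME are placeholders.

/ip firewall filter
# Hand every packet arriving on a PPP interface to the special "ppp" chain;
# RouterOS then continues in the incoming-filter chain of that interface's profile.
add chain=forward action=jump jump-target=ppp comment="dispatch PPP incoming filters"
add chain=input action=jump jump-target=ppp comment="dispatch PPP incoming filters"

# Per-customer chains: accept only the address assigned to that client,
# log and drop everything else (the spoofed traffic this thread is about).
add chain=ppp-in-cust1 action=accept src-address=192.0.2.162
add chain=ppp-in-cust1 action=drop log=yes log-prefix="spoof-cust1"
add chain=ppp-in-cust2 action=accept src-address=192.0.2.163
add chain=ppp-in-cust2 action=drop log=yes log-prefix="spoof-cust2"

/ppp profile
# One profile per connection: fixed remote address plus its own filter chain.
add name=cust1 local-address=192.0.2.161 remote-address=192.0.2.162 incoming-filter=ppp-in-cust1
add name=cust2 local-address=192.0.2.161 remote-address=192.0.2.163 incoming-filter=ppp-in-cust2

/ppp secret
# The secret selects the profile, so a client cannot pick a different address.
add name=cust1 password=CHANGE_ME service=pppoe profile=cust1
add name=cust2 password=CHANGE_ME service=pppoe profile=cust2

/interface pppoe-server server
# One concentrator per Ethernet port, as in the original setup; the profile
# comes from the secret, so default-profile only applies to unknown users.
add service-name=pppoe-eth1 interface=ether1 default-profile=default disabled=no
add service-name=pppoe-eth2 interface=ether2 default-profile=default disabled=no
```

Because the check lives in the profile rather than in a rule keyed on a dynamic interface name, it keeps working across reconnects, and the log-prefix gives a simple way to spot a host that is sending from an address it was not assigned.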
Rudios
Forum Veteran
Posts: 966
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: PPPoE - firewall rules - help

Sat Mar 08, 2014 3:10 pm

Or create pppoe server bindings and use these for the firewall rules.
Testing setup with: 2 x RB750UP | 2 x RB750GL | 1 x RB951G-2HnD | 1 x RB2011UiAS-IN
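As an added illustration of the binding approach Rudios suggests (example configuration written for this thread, not posted by Rudios): a static PPPoE server binding gives each user a fixed interface name that exists whether or not the client is currently connected, so a forward rule keyed on in-interface keeps matching and does not fall back to "unknown" when the session drops. Addresses are constructed from RFC 5737 in place of x.y.z.160/27; user names, service names, binding names and passwords are placeholders. The binding properties used (name, user, service) are the ones I recall from the /interface pppoe-server menu.

```routeros
# Added example, not from the thread: static PPPoE bindings plus one
# anti-spoofing rule per binding. Addresses constructed (RFC 5737);
# cust1/cust2, pppoe-cust1/2 and CHANGE_ME are placeholders.

/ppp secret
# Fixed addresses per user so the firewall rule below has something stable to check.
add name=cust1 password=CHANGE_ME service=pppoe local-address=192.0.2.161 remote-address=192.0.2.162
add name=cust2 password=CHANGE_ME service=pppoe local-address=192.0.2.161 remote-address=192.0.2.163

/interface pppoe-server server
add service-name=pppoe-eth1 interface=ether1 default-profile=default disabled=no
add service-name=pppoe-eth2 interface=ether2 default-profile=default disabled=no

/interface pppoe-server
# Static bindings: user cust1 always comes up as interface pppoe-cust1,
# and the interface name is present even while the client is offline.
add name=pppoe-cust1 user=cust1 service=pppoe-eth1 disabled=no
add name=pppoe-cust2 user=cust2 service=pppoe-eth2 disabled=no

/ip firewall filter
# Log and drop anything from a binding that does not carry that customer's address.
add chain=forward in-interface=pppoe-cust1 src-address=!192.0.2.162 action=drop log=yes log-prefix="spoof-cust1"
add chain=forward in-interface=pppoe-cust2 src-address=!192.0.2.163 action=drop log=yes log-prefix="spoof-cust2"
```

Compared with the profile incoming-filter variant, this keeps the whole policy visible in /ip firewall filter, at the cost of one binding entry per customer; either way the rules bind to the PPPoE session rather than to the physical etherX port, which is why the original forward rules on ether1..ether9 never saw the traffic.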
