Because of security. I wanna block access to web/ssh/telnet management on other devices. I don't want the customer to see other devices. Customers often leave their devices not secured enough, and our management also needs to be protected.
But I would presume you are using a management VLAN for your radios, etc., correct? So if your CCR1072 is doing the inter-VLAN routing between the customers and the management, you would have the firewall rule there to protect your management from the customers, wouldn't you? Unless you aren't using a management VLAN currently and are doing management on the customer subnet itself.
If your network topology is such that you are having to put bizarre workarounds like that in place for security purposes, your topology is probably not well thought out. In that case, you should fix the topology to make it more secure, and not resort to such strange workarounds.
If you really can't fix the topology, I'm not entirely sure why you are wanting to avoid adding forward chain rules. You wouldn't have to add very many, and it shouldn't place much additional load on those PPPoE ACs.