andreacoppini
Trainer
Topic Author
Posts: 498
Joined: Wed Apr 13, 2005 11:51 pm
Location: Malta, Europe

Block everything EXCEPT PPPoE

Wed May 26, 2021 6:15 pm

I'm trying to build a firewall rule to block EVERYTHING except PPPoE traffic on an interface.

I know I can do this using a Bridge Filter rule, as there is a MAC-Protocol-Num option, but I don't see this option available in the Firewall->Filter or Firewall->Raw rules, and this interface is not in a bridge.

Is there no MAC-Protocol-Num option in firewall or am I missing something?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block everything EXCEPT PPPoE

Wed May 26, 2021 6:32 pm

PPPoE is a layer 2 protocol using ID 0x8864 (session) and 0x8863 (discovery).
You cannot block it with a layer 3 firewall.

You must put the interface in a bridge and apply filters, like accepting all PPPoE and dropping everything else:
/interface bridge filter
add action=accept chain=forward in-interface=ether2 mac-protocol=pppoe-discovery
add action=accept chain=forward in-interface=ether2 mac-protocol=pppoe
add action=drop chain=forward in-interface=ether2
Some RouterBoards have configurable rules on the internal switch to do the same better (redirect to a null port / discard the packet).
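As an added illustration (not from the post above and not RouterOS code), the following Python classifies Ethernet frames by the EtherType field, which is what a bridge-filter mac-protocol match inspects and what a layer 3 firewall never sees, and applies the accept-PPPoE / drop-everything-else policy to a few constructed frames. Frame contents, MAC addresses and the protocol names are assumptions made for the example.

```python
import struct

# EtherType values named in the reply above
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864
# 802.3 frames carry a length (<= 1500) in the type field instead of an
# EtherType; STP BPDUs and other LLC traffic look like this.
MAX_8023_LENGTH = 0x05DC

NAMES = {  # assumed names, loosely modelled on mac-protocol keywords
    0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6",
    0x88CC: "lldp", 0x8100: "vlan",
    ETHERTYPE_PPPOE_DISCOVERY: "pppoe-discovery",
    ETHERTYPE_PPPOE_SESSION: "pppoe",
}


def mac_protocol(frame: bytes) -> str:
    """Return the protocol name of an Ethernet frame (dst, src, type/len)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype <= MAX_8023_LENGTH:
        return "802.3-llc"  # length field, e.g. an STP BPDU
    return NAMES.get(etype, f"0x{etype:04x}")


def filter_action(frame: bytes) -> str:
    """Apply the posted policy: accept PPPoE discovery/session, drop the rest."""
    proto = mac_protocol(frame)
    return "accept" if proto in ("pppoe-discovery", "pppoe") else "drop"


def build_frame(etype: int, dst: bytes = b"\xff" * 6, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal Ethernet frame with a constructed source MAC."""
    src = bytes.fromhex("001122334455")  # constructed, not a real device
    return dst + src + struct.pack("!H", etype) + payload


SAMPLE_FRAMES = {  # constructed sample traffic seen on a shared L2 segment
    "padi": build_frame(ETHERTYPE_PPPOE_DISCOVERY),
    "session": build_frame(ETHERTYPE_PPPOE_SESSION),
    "arp": build_frame(0x0806),
    "ipv4": build_frame(0x0800),
    "lldp": build_frame(0x88CC, dst=bytes.fromhex("0180c200000e")),
    # STP BPDU: 802.3 length field, LLC DSAP/SSAP 0x42 0x42
    "stp-bpdu": build_frame(0x0026, dst=bytes.fromhex("0180c2000000"),
                            payload=bytes.fromhex("424203") + b"\x00" * 35),
}


def apply_policy(frames: dict) -> dict:
    """Run every sample frame through the filter and return its verdict."""
    return {name: filter_action(f) for name, f in frames.items()}
```

Only the two PPPoE frames are accepted; ARP, IPv4, LLDP and the STP BPDU are all dropped before any IP-level rule could see them.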
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block everything EXCEPT PPPoE

Wed May 26, 2021 7:21 pm

What is the use case for this setup?
 
andreacoppini
Trainer
Topic Author
Posts: 498
Joined: Wed Apr 13, 2005 11:51 pm
Location: Malta, Europe

Re: Block everything EXCEPT PPPoE

Wed May 26, 2021 7:25 pm

What is the use case for this setup?
Ensuring only PPPOE traffic reaches my ISP.

It would also be a use case for ISPs in the forum to secure their PPPOE ACs; they might not want to put their ACs in a bridge.
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Block everything EXCEPT PPPoE

Wed May 26, 2021 8:04 pm

What is the use case for this setup?
Ensuring only PPPOE traffic reaches my ISP.

It would also be a use case for ISPs in the forum to secure their PPPOE ACs, they might not want to put their ACs in a bridge.
What's the point? Route everything that comes into the router over PPPoE and then you don't need any filters.
 
andreacoppini
Trainer
Topic Author
Posts: 498
Joined: Wed Apr 13, 2005 11:51 pm
Location: Malta, Europe

Re: Block everything EXCEPT PPPoE

Wed May 26, 2021 8:52 pm

What's the point? Route everything that comes into the router over PPPoE and then you don't need any filters.
The point is so that nothing comes into or out of my router except PPPoE traffic. No MNDP/LLDP/CDP, no STP, no ARP, no OSPF, no RIP... need I go on?

My ISP is an all-bridged WISP, I plugged my "WAN-side" interface into their CPE so that interface is part of the whole WISP's L2. I know it's their responsibility to secure their network, but I can do my part by not accidentally flooding their entire L2 with STP PRIO=0.

Also, besides my use case, an ISP using MT as their PPPOE Access Concentrator (AC) would have that AC on the same L2 as all their customers. They would want to ensure customers can only reach that AC with PPPoE and not try to port-scan, ping-flood, or DoS the AC using MNDP/LLDP/CDP or STP.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block everything EXCEPT PPPoE

Wed May 26, 2021 11:58 pm

No worries, I was not questioning the validity, just trying to understand it, as it's unusual to see; plus I have no experience with WISPs.
