lawhitecross
just joined
Topic Author
Posts: 8
Joined: Wed Dec 12, 2007 8:46 pm

Allow PPPOE deny everything else

Thu Mar 27, 2008 7:46 pm

I have a MikroTik wireless network at the moment with 6 high sites. I want to only allow my PPPoE clients to have access to the internet. I want to be able to stop someone from giving their computer an IP address on their local machine without authenticating with PPPoE. Any suggestions? I am using DMAsoft's Radius Manager. Using OS 3.4 on the sites and using routes to control everything. I want to prevent people from hacking/using the network without paying. Even if I allow that MAC address to connect, what stops him from giving himself an IP address with gateway etc. and using my network?
 
magic
Frequent Visitor
Posts: 52
Joined: Fri Mar 04, 2005 9:53 pm
Location: Sopron, Hungary

Re: Allow PPPOE deny everything else

Fri Mar 28, 2008 10:13 am

Do not give IP addresses to the interfaces which are for customers, and turn off default forward on the wireless interfaces. This won't allow your clients to communicate through your AP directly. And if you don't have an IP on the interface (PPPoE doesn't need it) the router won't route them. They can only work through the PPPoE channel.
Krisztian Gancs
RLAN Internet Ltd.
http://www.rlan.hu
 
lawhitecross
just joined
Topic Author
Posts: 8
Joined: Wed Dec 12, 2007 8:46 pm

Re: Allow PPPOE deny everything else

Fri Mar 28, 2008 2:25 pm

Thank you, seems to be working. So when a client connects on PPPoE the router creates the routes only then. I take it, it is recommended to set up OSPF. However, OSPF slowed my network down and had problems with interfaces with multiple networks on them.
 
gacopl
Frequent Visitor
Posts: 63
Joined: Sun Jul 29, 2007 5:11 pm
Location: Poland

Re: Allow PPPOE deny everything else

Fri Mar 28, 2008 2:39 pm

OSPF is a must in every modern network, especially if you have many PPPoE concentrators (on every AP), unless you want to distribute routes by yourself ;), besides that close your backbone network (make it round), turn OSPF on and be happy with redundancy and some sort of LB :)

After that there's just at least two different gateways to the outside world (from different ISPs) at different points in your backbone, turn on BGP between them, and be really happy, since then you can think about yourself as an excellent ISP :)


cheers
Michal
 
lawhitecross
just joined
Topic Author
Posts: 8
Joined: Wed Dec 12, 2007 8:46 pm

Re: Allow PPPOE deny everything else

Fri Mar 28, 2008 4:03 pm

I have re-enabled OSPF with my network once again, will test and let MikroTik Support know if I still have a problem.

Basically I had done the following: disabled default forwarding on my sectors, given no IP address to the sectors, enabled OSPF with security, enabled MAC auth on RADIUS and on the router.

Will this be a secure network?
 
gacopl
Frequent Visitor
Posts: 63
Joined: Sun Jul 29, 2007 5:11 pm
Location: Poland

Re: Allow PPPOE deny everything else

Fri Mar 28, 2008 4:18 pm

CERTAINLY NOT, YOU CANNOT AUTHORIZE USERS BY MAC, THIS IS A TOTAL MISUNDERSTANDING, NOWADAYS MAC SPOOFING IS JUST A FEW CLICKS AWAY. I suggest you authorize by login and password (strong passwords) with at least CHAP PPPoE handshake.

Cheers
Michal
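An added example, not part of any post in this thread: a small audit of a RouterOS text export that checks the three settings discussed above on customer-facing interfaces (no IP address, default forwarding off, PPPoE server not accepting PAP). The export sample is constructed and simplified, the interface names `wlan1`/`wlan2` are assumptions, and `parse_export`/`audit` are hypothetical helper names.

```python
import shlex

# Constructed, simplified RouterOS export; wlan1/wlan2 are assumed sector interfaces.
SAMPLE_EXPORT = """\
/interface wireless
set wlan1 default-forwarding=no disabled=no mode=ap-bridge ssid=sector1
set wlan2 default-forwarding=yes disabled=no mode=ap-bridge ssid=sector2
/ip address
add address=10.0.0.1/30 interface=ether1
add address=192.168.2.1/24 interface=wlan2
/interface pppoe-server server
add authentication=chap,mschap2 disabled=no interface=wlan1 service-name=isp
add authentication=pap,chap disabled=no interface=wlan2 service-name=isp
"""

def parse_export(text):
    """Yield (menu, item_name, properties) for every set/add line."""
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line                      # e.g. "/ip address"
            continue
        words = shlex.split(line, comments=True)
        if not words or words[0] not in ("set", "add"):
            continue
        props = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        item = next((w for w in words[1:] if "=" not in w), None)
        yield menu, item, props

def audit(text, customer_ifaces):
    """Return (interface, problem) pairs for settings that let clients bypass PPPoE."""
    findings = []
    for menu, item, p in parse_export(text):
        iface = p.get("interface")
        if menu == "/interface wireless" and item in customer_ifaces:
            # Omitted in an export means the default, which is "yes".
            if p.get("default-forwarding", "yes") != "no":
                findings.append((item, "default-forwarding enabled"))
        elif menu == "/ip address" and iface in customer_ifaces:
            findings.append((iface, "IP address %s assigned" % p.get("address")))
        elif menu == "/interface pppoe-server server" and iface in customer_ifaces:
            # An omitted authentication= means all methods, PAP included.
            methods = p.get("authentication", "pap,chap,mschap1,mschap2").split(",")
            if "pap" in methods:
                findings.append((iface, "PPPoE server accepts PAP"))
    return findings

if __name__ == "__main__":
    for iface, problem in audit(SAMPLE_EXPORT, {"wlan1", "wlan2"}):
        print(iface + ": " + problem)
```

Real exports wrap long lines with a trailing backslash, so join continuation lines before passing the text to `audit`.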
