Kingroudy
just joined
Topic Author
Posts: 3
Joined: Fri Dec 25, 2009 12:30 pm

Intruder PPPoE server

Fri Dec 25, 2009 12:43 pm

Hi,
I work for a local ISP that distributes internet wirelessly and through PPPoE connections. Someone who actually wants to jam our network has connected another PPPoE server (the wireless network is unsecured), and now every time I dial, I get "wrong username and password".
We tried MAC filtering, but it turned out that he started to use the MAC addresses of other clients. I need the simplest solution (because I don't want to reconfigure more than 100 devices for the internet clients).
If this thread is in the wrong section, please move it.
Thank you
 
Kingroudy
just joined
Topic Author
Posts: 3
Joined: Fri Dec 25, 2009 12:30 pm

Re: Intruder PPPoE server

Tue Dec 29, 2009 5:23 pm

4 days to approve... I'm just posting so I can bring this to the top again; I badly need an answer.
 
Kingroudy
just joined
Topic Author
Posts: 3
Joined: Fri Dec 25, 2009 12:30 pm

Re: Intruder PPPoE server

Tue Dec 29, 2009 5:26 pm

4 days and no answer? :(
 
Inssomniak
Member
Posts: 326
Joined: Fri Apr 13, 2007 11:21 pm

Re: Intruder PPPoE server

Tue Jan 05, 2010 1:34 am

You could try tunneling your PPPoE sessions to your core router (EoIP, VPLS). That way the PPPoE requests can only be answered by your core, and there would be no way for an intruder to connect a PPPoE server. Also make sure default forward is disabled on your APs.
 
astounding
Member Candidate
Posts: 121
Joined: Tue Dec 16, 2008 12:17 am

Re: Intruder PPPoE server

Tue Jan 05, 2010 7:32 am

If your AP is a MikroTik and is bridging PPPoE packets to your PPPoE access concentrator (i.e. it isn't acting as the PPPoE terminator), you could try blocking PPPoE discovery PADI packets from going out over the wireless network:
/interface bridge filter add chain=forward action=drop mac-protocol=pppoe-discovery out-interface=!ether1 dst-mac-address=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff disabled=no
The above assumes your PPPoE concentrator is connected via the ether1 physical interface, so it DROPS all PPPoE discovery packets TO the broadcast ethernet address going OUT any interfaces that are NOT the PPPoE concentrator. PADI packets are sent to the broadcast MAC address, but there's no reason I can think of that these packets should EVER go out interfaces facing client devices.

I haven't tried this, nor tested it. I have no idea if it would actually work. If anyone knows, let me know. I'm curious to know if it works, or if it breaks anything else.

Aaron out.
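
The match logic of the bridge filter rule above, modeled over constructed frames, together with a check for discovery replies that come from a MAC other than the real concentrator. This is an added example, not part of any post in this thread and not MikroTik code; the `wlan1` interface name and all MAC addresses are assumptions made up for the demonstration, and `ether1` as the uplink is taken from the rule.

```python
import struct

PPPOE_DISCOVERY = 0x8863          # EtherType of the PPPoE discovery stage (RFC 2516)
BROADCAST = "ff:ff:ff:ff:ff:ff"
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse(frame: bytes):
    """Return (dst, src, code_name) for a PPPoE discovery frame, else None."""
    if len(frame) < 20:           # 14-byte Ethernet header + 6-byte PPPoE header
        return None
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != PPPOE_DISCOVERY or frame[14] != 0x11:   # version 1, type 1
        return None
    return mac(dst), mac(src), CODES.get(frame[15], f"0x{frame[15]:02x}")

def rule_drops(frame: bytes, out_iface: str, uplink: str = "ether1") -> bool:
    """Model of the rule: discovery frame to broadcast leaving a non-uplink port."""
    p = parse(frame)
    return p is not None and p[0] == BROADCAST and out_iface != uplink

def rogue_offer(frame: bytes, concentrator_mac: str) -> bool:
    """True for a PADO/PADS whose source is not the known access concentrator."""
    p = parse(frame)
    return p is not None and p[2] in ("PADO", "PADS") and p[1] != concentrator_mac.lower()

def build(dst: str, src: str, code: int) -> bytes:
    """Construct a minimal discovery frame (tags omitted) for the demonstration."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return raw(dst) + raw(src) + struct.pack("!HBBHH", PPPOE_DISCOVERY, 0x11, code, 0, 0)

# Constructed sample addresses, not taken from the thread.
AC, CLIENT, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
PADI = build(BROADCAST, CLIENT, 0x09)
PADO_ROGUE = build(CLIENT, ROGUE, 0x07)
PADO_AC = build(CLIENT, AC, 0x07)

if __name__ == "__main__":
    for iface in ("ether1", "wlan1"):
        print("PADI out", iface, "dropped:", rule_drops(PADI, iface))
    print("rogue PADO matched by rule:", rule_drops(PADO_ROGUE, "wlan1"))
    print("rogue PADO flagged:", rogue_offer(PADO_ROGUE, AC))
```

In this model the rule never matches a PADO, which is unicast; it only keeps the broadcast PADI from reaching client-facing ports, so a server attached there has nothing to answer.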
