ponline
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Sep 28, 2004 9:19 pm

pppoe client isolation

Thu Mar 30, 2023 10:10 pm

Hello,
What is the best, easiest, and most CPU-effective way to isolate clients within a PPPoE server?
Also, I have several PPPoE servers, each on a separate VLAN interface; the next step would be isolating the PPPoE servers from each other.
I want PPPoE clients to see only the gateway and nothing else inside our network.

Any input appreciated.
Thanks in advance.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: pppoe client isolation

Fri Mar 31, 2023 7:07 am

I think the most optimal way is:

no connection-tracking
fast-path mode on

for isolation use Route Rules
 
ponline
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Sep 28, 2004 9:19 pm

Re: pppoe client isolation

Thu Apr 20, 2023 3:40 pm

> i think the most optimal way is:
>
> no connection-tracking
> fast-path mode on
>
> for isolation use Route Rules

How to achieve that?
Will no connection-tracking cause other problems? This router is also doing NAT and everything else as the main internet gateway.
I would like just to block every PPPoE client from seeing each other; they should only see the router.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: pppoe client isolation

Thu Apr 20, 2023 3:56 pm

Activate this after placing it in the right places.
/ip firewall filter
add action=drop disabled=yes chain=forward in-interface=all-ppp out-interface=all-ppp
But I do not understand how it is possible that you do not already have "drop all at the end" on forward, and allow traffic only between all-ppp <-> WAN.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: pppoe client isolation

Thu Apr 20, 2023 7:21 pm

Because OP has provided neither a diagram NOR a config. So maybe you need to clean your crystal ball! :-)
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: pppoe client isolation

Sun Apr 23, 2023 12:39 pm

@ anav
> Because OP has provided neither a diagram NOR a config.
The OP did provide both diagram and config, but maybe he just forgot where he put those? 😂
> So maybe you need to clean your crystal ball! :-)
No, I don't think @ rextended needs to clean it; he just forgot to switch on the power, so the crystal ball doesn't glow? 😂

Have a good weekend folks 😂👍🏻
 
millenium7
Long time Member
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: pppoe client isolation

Mon Apr 24, 2023 9:13 am

You need to leave connection tracking on.

Sounds like you probably don't want the absolute most CPU-optimal method, and it'd be better to have something that's easily managed, as it sounds like this router is doing other duties, so it's best to keep things nicely separated into their own compartments. A fairly good and easily managed method is to create multiple PPPoE server profiles with the rules you want.

Full isolation between each other can be handled by specifying a 'bridge' interface and entering any value such as 5 into the 'bridge horizon' field. This will ensure that the clients cannot communicate with each other whatsoever, but by default they will be able to access anything outside of that bridge. So in order to control traffic flow further, you can use a separate Firewall Filter chain; an easy way is to type something into the 'Incoming Filter' field in the PPP Profile, i.e. "PPPFilter-in". Alternatively you can specify an Interface List and then just create some rules specific to that list, i.e. "Allow CustomerInterfaces to InternetInterfaces but drop everything else". If you only have a single router in your network and don't care about traffic once it leaves, then that is often enough without specifying additional firewall chains.

Now you can set up rules for those groups. If you specify an Incoming Filter, then it will not use the rest of your firewall filter rules (good for performance and manageability). So you may need to double up on some rules (not a performance penalty, since normal traffic will not touch the chain you specify).
I.e. if you have a 'chain=forward connection-state=established,related action=accept' rule, then you want to duplicate this rule and change the chain to 'PPPFilter-in', as all PPPoE connections that use the new profile you set will only use that chain (unless you use a jump rule).
Then just set up the specific things you want; a simple one is i.e. 'chain=PPPFilter-in out-interface!=InternetConnection action=reject'. This would prevent all your PPPoE clients from going anywhere other than out to the internet. Obviously adjust your rules according to whatever your setup is.

If you end up with multiple profiles but share some common rules like "All groups can access the internet", then you can create multiple chains and use the 'jump' and 'return' actions to jump to common points in order to keep all your rules simple and in one place, rather than duplicating rules into every chain if you end up having lots of them.
But try and keep it as simple as you can so you don't have a mess of spaghetti. At least with different chains you can freely make adjustments that will only affect that group of users.

Hopefully this makes sense.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: pppoe client isolation

Mon Apr 24, 2023 11:02 am

> more CPU-effective way to isolate clients within PPPoE server
Put a filter on the firewall on the end user device, where traffic to other PPPoE addresses is not allowed...
(and selectively, if two or more companies need interconnection, you can allow traffic between those)

Easy and costs no CPU on the PPPoE server :lol: :lol: :lol: (and saves traffic on the transport network)


P.S.: Don't be an as–le, give everyone an L3 MTU of 1500 by adjusting the VLAN MTU to 1508 and the L2 MTU on the paths to at least 1512,
without unnecessarily limiting the MTU for end customers to 1492 or 1480.
Fragmentation / defragmentation costs you more CPU than passing whole packets...
 
JessieJim1
just joined
Posts: 2
Joined: Mon Apr 24, 2023 9:28 am

Re: pppoe client isolation

Mon Apr 24, 2023 11:31 am

To isolate multiple PPPoE servers from each other, you can also use VLANs. You can configure each PPPoE server to use a different VLAN interface, which will ensure that the servers are isolated from each other and can't communicate with each other.
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: pppoe client isolation

Mon Apr 24, 2023 11:56 am

@ ponline

> I would like just to block every PPPoE client from seeing each other; they should only see the router.
Well, how about trying to make a p2p PPPoE link for each client, instead of a regular broadcast PPPoE pool?? 🤔

This setup will be expensive in terms of the number of IPs used, subscription maintenance and each PPPoE p2p setup. 1 PPPoE server for 1 PPPoE client uses 2 IPs.

It's good for special guaranteed-bandwidth customers, but not for regular shared bandwidth (just use a broadcast-type shared pool).

That is 1 gateway for 1 client.

Have a try and good luck 👍🏻

Hope this helps.

edited: wrong @ op mentioned.
 
millenium7
Long time Member
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: pppoe client isolation

Mon Apr 24, 2023 1:47 pm

> @ ponline
>
> Well, how about trying to make a p2p PPPoE link for each client, instead of a regular broadcast PPPoE pool?? 🤔
>
> This setup will be expensive in terms of the number of IPs used, subscription maintenance and each PPPoE p2p setup. 1 PPPoE server for 1 PPPoE client uses 2 IPs.
PPPoE is not a broadcast segment and doesn't work like an ethernet broadcast domain. You can duplicate IP addresses (and you should on the server side; just use the same IP across every PPPoE server session).
In fact you don't strictly even need to use valid IP addresses; you could specify almost anything you want and then just blindly throw traffic across it. If the remote side has knowledge of the IPs you are trying to reach, it would work. There's one highly useful scenario for that, which is multiple non-consecutive IP addresses, especially if you use something like a remote RADIUS server for authenticating sessions. If a client has an existing public IP address and requests 4 more of them, you don't need to assign a consecutive /29 block, for instance, and burn 8 IPs needlessly. You can quite happily give them .103/121/181/197/255, and you'll notice the routes show the destination as the PPPoE interface, not an IP address. The router will throw all traffic down the tunnel without a care in the world for conventional addressing.
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: pppoe client isolation

Mon Apr 24, 2023 2:33 pm

@ Millenium7
> PPPoE is not a broadcast segment and doesn't work like an ethernet broadcast domain.
Partially true, though I could disagree with you in certain PPPoE deployment scenarios.

I was referring to p2p PPPoE as physically 1 server for 1 client, hence the @ op could use any IP address he wants, so he could do whatever link management he wishes with that p2p PPPoE link (policies, shaping etc.), i.e. a replacement for any other type of expensive WAN.

By pool, I was referring to the @ op using the same broadcast media as access concentrator, for a larger number of package subscribers. Again, it depends on how the network was designed. 1 gateway IP for an IP pool.

Yes, don't leave that PPP without RADIUS, hence you won't see duplicate clients, like below 👇
> You can duplicate IP addresses (and you should on the server side; just use the same IP across every PPPoE server session).
> In fact you don't strictly even need to use valid IP addresses; you could specify almost anything you want and then just blindly throw traffic across it.
Sure. As I said, the network design and its limitations, i.e. use edge NAT or full IP routing etc.

After all, experience says what works and what doesn't work for a certain deployment design.

Nice thought 👍🏻
 
ponline
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Sep 28, 2004 9:19 pm

Re: pppoe client isolation

Wed May 10, 2023 4:28 pm

I'm surprised by the number of replies to this post. Normally, if there is no response for a day or two, the topic fades into obscurity.
I appreciate the many replies, which are very expert and informative; I also appreciate the sarcastic ones too, life is boring without humour :lol:

The question is simple and does not require any diagrams; it's just about a client isolation scenario.

@rextended made a valid point with the following:
> /ip firewall filter
> add action=drop disabled=yes chain=forward in-interface=all-ppp out-interface=all-ppp
>
> However, I don't understand how it's possible that you don't already have a "drop all at the end" on forward, and only allow traffic between all-ppp <-> WAN.
Thank you for your input.
The issue I'm facing is that I use a series of rules to allow forwarding to my public IP addresses and to the interfaces I need for managing servers, and then drop everything else.
Although it does what it's supposed to do, I'm having several problems, but one is more serious:

My public IP addresses are allowed to see all private clients because the rule accepts them.

I have businesses that require public IP addresses and have two or more locations, one of which has a public IP (for their server), while the others are private. So, I need them to see the public IP and vice versa.
I don't want to create a rule for each client, as that would require two rules for every connection, and it would also require me to change a lot of settings in my network because my private IPs are dynamic.
So to avoid adding a lot of rules or changing my network, I had to create the following general rules instead:

accept forward destination=public ip/24
accept forward source public ip/24

Which allows all public IPs to see all the private IPs.
If I disable those rules, the public IP addresses will be seen only from outside my network.


So, instead of asking about my original problem, I thought there might be another simple way to isolate clients (who knows?).
However, I realize that I need to find a workaround to fix these issues.
If anyone has any ideas on how to overcome these problems, I would appreciate it.

Thanks
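One way to combine rextended's all-ppp drop with the need, described in the post above, for a multi-site business to reach its own sites without a rule per client or a static private address, written as an added example rather than configuration from any poster. ether1, 203.0.113.0/24, the pool and the "acme" names are placeholders, and it assumes the PPP profile's interface-list property, which puts each session's dynamic interface into a named list.

```routeros
# Added example, not configuration from any post in this thread.
# Placeholders: ether1 = uplink, 203.0.113.0/24 = the public range handed to
# business clients, "acme" = one multi-site business, 10.0.1.0/24 = dynamic
# private pool. Assumes the PPP profile's interface-list property is available.
/interface list
add name=WAN comment="uplink interface(s)"
add name=PPPOE_ACME comment="every PPPoE session of the acme business"
/interface list member
add list=WAN interface=ether1

/ip pool
add name=pool-dyn ranges=10.0.1.2-10.0.1.254

/ppp profile
add name=subscriber local-address=10.0.0.1 remote-address=pool-dyn
# sessions using this profile are added to PPPOE_ACME on link-up, so one
# rule covers all of acme's sites, public-IP or dynamic-private alike
add name=acme local-address=10.0.0.1 remote-address=pool-dyn \
    interface-list=PPPOE_ACME

/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to connections accepted below"
add chain=forward connection-state=invalid action=drop
# sites of the same business may reach each other: must sit ABOVE the
# isolation drop, and is the only subscriber-to-subscriber path allowed
add chain=forward in-interface-list=PPPOE_ACME out-interface-list=PPPOE_ACME \
    action=accept comment="acme site-to-site"
# all other subscriber-to-subscriber traffic is dropped, whatever the
# source or destination address (all-ppp matches every PPP session)
add chain=forward in-interface=all-ppp out-interface=all-ppp action=drop \
    comment="isolate PPPoE clients from each other"
# subscribers may reach the uplink only
add chain=forward in-interface=all-ppp out-interface-list=WAN action=accept \
    comment="PPPoE clients to internet"
# public-IP customers are reachable from the uplink only; this replaces a
# blanket "accept dst-address=<public>/24" that would also let every
# private client reach them
add chain=forward in-interface-list=WAN out-interface=all-ppp \
    dst-address=203.0.113.0/24 action=accept comment="internet to public IPs"
add chain=forward action=drop comment="drop everything else"
```

Rule order is the point: the per-business accept sits above the all-ppp drop, and the drop sits above the WAN accept, so the ruleset stays short no matter which dynamic addresses the sessions receive.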
