ePMP bridged SM - best practice to allow PPPoE and isolate other L2

Hi all,

Creating a fresh thread as there is a little information scattered around about this.

Scenario : ePMP 1000 / 2000 / 3000 AP. SM in bridge mode, Data VLAN used in SM to present L2 (PPPoE) to customer.
Goal : Implement L2 firewall rules on SM to prevent subscriber seeing any other L2 traffic except PPPoE discovery and session. Want to achieve this through cnMaestro with the least effort possible. Need to allow management traffic to SM from WLAN interface.

Working solution :

  • Create template in cnMaestro with wlan-mac variable. You need to copy / paste wlan-mac before sending to SM. Not ideal as manual intervention needed with every SM.

{
“template_props”: {
“templateName”: “”,
“templateDescription”: “”,
“device_type”: “”,
“version”: “4.5.5”
},
“device_props”: {
“l2FirewallEnable”: “1”,
“l2FirewallTable”: [{
“l2FirewallEntryName”: “PPPoE-discovery-WLAN”,
“l2FirewallEntryAction”: “1”,
“l2FirewallEntryInterface”: “1”,
“l2FirewallEntryLog”: “”,
“l2FirewallEntryEtherType”: “34915”,
“l2FirewallEntryVlanID”: “”,
“l2FirewallEntrySrcMAC”: “”,
“l2FirewallEntrySrcMask”: “”,
“l2FirewallEntryDstMAC”: “”,
“l2FirewallEntryDstMask”: “”
},
{
“l2FirewallEntryName”: “PPPoE-discovery”,
“l2FirewallEntryAction”: “1”,
“l2FirewallEntryInterface”: “2”,
“l2FirewallEntryLog”: “”,
“l2FirewallEntryEtherType”: “34915”,
“l2FirewallEntryVlanID”: “”,
“l2FirewallEntrySrcMAC”: “”,
“l2FirewallEntrySrcMask”: “”,
“l2FirewallEntryDstMAC”: “”,
“l2FirewallEntryDstMask”: “”
},
{
“l2FirewallEntryName”: “PPPoE-session-WLAN”,
“l2FirewallEntryAction”: “1”,
“l2FirewallEntryInterface”: “1”,
“l2FirewallEntryLog”: “”,
“l2FirewallEntryEtherType”: “34916”,
“l2FirewallEntryVlanID”: “”,
“l2FirewallEntrySrcMAC”: “”,
“l2FirewallEntrySrcMask”: “”,
“l2FirewallEntryDstMAC”: “”,
“l2FirewallEntryDstMask”: “”
},
{
“l2FirewallEntryName”: “PPPoE-session”,
“l2FirewallEntryAction”: “1”,
“l2FirewallEntryInterface”: “2”,
“l2FirewallEntryLog”: “”,
“l2FirewallEntryEtherType”: “34916”,
“l2FirewallEntryVlanID”: “”,
“l2FirewallEntrySrcMAC”: “”,
“l2FirewallEntrySrcMask”: “”,
“l2FirewallEntryDstMAC”: “”,
“l2FirewallEntryDstMask”: “”
},
{
“l2FirewallEntryName”: “WLAN-dst-mgmt”,
“l2FirewallEntryAction”: “1”,
“l2FirewallEntryInterface”: “1”,
“l2FirewallEntryLog”: “”,
“l2FirewallEntryEtherType”: “”,
“l2FirewallEntryVlanID”: “”,
“l2FirewallEntrySrcMAC”: “”,
“l2FirewallEntrySrcMask”: “”,
“l2FirewallEntryDstMAC”: “${wlan-mac=00:00:00:00:00:00}”,
“l2FirewallEntryDstMask”: “”
},
{
“l2FirewallEntryName”: “WLAN-src-mgmt”,
“l2FirewallEntryAction”: “1”,
“l2FirewallEntryInterface”: “1”,
“l2FirewallEntryLog”: “”,
“l2FirewallEntryEtherType”: “”,
“l2FirewallEntryVlanID”: “”,
“l2FirewallEntrySrcMAC”: “${wlan-mac=00:00:00:00:00:00}”,
“l2FirewallEntrySrcMask”: “”,
“l2FirewallEntryDstMAC”: “”,
“l2FirewallEntryDstMask”: “”
},
{
“l2FirewallEntryName”: “Deny-all-other-from-WLAN”,
“l2FirewallEntryAction”: “0”,
“l2FirewallEntryInterface”: “1”,
“l2FirewallEntryLog”: “”,
“l2FirewallEntryEtherType”: “”,
“l2FirewallEntryVlanID”: “”,
“l2FirewallEntrySrcMAC”: “”,
“l2FirewallEntrySrcMask”: “”,
“l2FirewallEntryDstMAC”: “”,
“l2FirewallEntryDstMask”: “”
},
{
“l2FirewallEntryName”: “Deny-all-other-from-LAN”,
“l2FirewallEntryAction”: “0”,
“l2FirewallEntryInterface”: “2”,
“l2FirewallEntryLog”: “”,
“l2FirewallEntryEtherType”: “”,
“l2FirewallEntryVlanID”: “”,
“l2FirewallEntrySrcMAC”: “”,
“l2FirewallEntrySrcMask”: “”,
“l2FirewallEntryDstMAC”: “”,
“l2FirewallEntryDstMask”: “”
}
]
}
}

Tried using %{wlan-mac} instead, hoping the SM would fill in the wlan-mac itself, but no good.

These threads refer to other’s attempts :


Anyone found an easy way to do this?

Cheers,
Chris

3 Likes

allow 8803 and 8804 and the data vlan, deny the rest
thats how it works for us

1 Like