Management VLAN enabled and management VLAN access set to wireless only.
Customer side (ethernet port) you can still access 169.254.1.1, anyway to disable this similar to this how-to?
Definitely don't want any "curious" end users having any ability to access their rooftop radio.
We have it in the contract that unauthoried access of the radio is not permitted and it is the customer's responsibility to prevent such abuse. We monitor the SM logs and use fail2ban on our log server to send a scripted ethernet port disable to the modem via ssh. Its not pretty nor graceful but once the internet is "broken" for that client, they have to call in to get it fixed. We as a policy do not re-enable the port until we talk to the account holder. This has caused a few groundings and a couple of angry clients, but they already knew that the access page is not for them and login attempts are monitored and will result in a service suspension. We are very up front in this.
We are considering forcing them to a dedicated walled garden to inform them of the issue, but until someone actually tries to go to a website they wont know that the account is suspended and they can hammer away at the login until they get in (which really is only a matter of time). So total ethernet disconnect is the current policy.
Why dont you just put up firewall rule so they cannot get into the radio?
For a couple good reasons:
1) the firewall prevents our techs from accessing the radio if needed (which is needed more often than you would think).
2) firewall rules add delay to the radio and cpu overhead. Though powerfull as these things are, they do not have an abundance of ram nor cpu time.
3) our system NATs at the modem, try blocking access to the local gateway!
4) epmp firewall is a stripped down version of IPTABLES, blocking port 80 on the gateway also stops all port 80 requests from transversing to the rest of the network.
Most dont even try and the few that have, learned their lesson quickly and dont touch it anymore.