L2 and L3 Firewall Examples?

Anyone with examples of L2 and L3 Firewall config for Epmp radios?

Looking to mimic Canopy filters

Thanks

Are there specific features of the Canopy firewall you're trying to replicate?  I'm assuming you're entering rules by hand in the webUI, though SNMP and SSH and cnMaestro options also exist.

On the Configuration->Network page you can disable "DHCP Server Below SM" - this prevents a backwards-connected customer router from handing out DHCP on the network segment, as was commonly done with the Canopy radio firewall option "Bootp Server".  (also as with Canopy gear, it helps greatly to disable SM-to-SM communications - do this on the AP: under Configuration->Network, enable "SM Traffic Isolation")

If you're looking to block windows file shares (SMB and CIFS), you can create a set of L3 firewall rules with: Action=Deny, Protocol=TCP+UDP, Interface=LAN - one rule with port# 445, one with port# 137, one with port# 138, one with port# 139.

IPv4 multicast traffic can be blocked with an L3 rule Denying TCP+UDP traffic with DestIP address of 224.0.0.0 and DestMask of 240.0.0.0.

If there's something else you need to block and can't figure it out, post a request to this thread.

j

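To make the two rule sets above concrete, here is a small model of an L3 deny-list and how the SMB and multicast rules match traffic. This is an added illustration, not code from the original post and not anything that runs on ePMP firmware; it assumes rules are evaluated top to bottom with the first match winning and a default of allow (the thread does not state the real evaluation order), and the packets it tests are constructed sample traffic. The multicast rule is expressed exactly as posted, a DestIP of 224.0.0.0 with a DestMask of 240.0.0.0, which covers 224.0.0.0 through 239.255.255.255.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set, List, Tuple

# Hypothetical model of an ePMP-style L3 firewall rule (names are this example's own).
@dataclass
class Rule:
    action: str                                   # "deny" or "allow"
    protocols: Set[str]                           # e.g. {"tcp", "udp"} for "TCP+UDP"
    interface: str = "any"                        # "lan", "wan" or "any"
    dst_port: Optional[int] = None                # match any port when None
    dst_net: Optional[ipaddress.IPv4Network] = None  # DestIP + DestMask, any when None

@dataclass
class Packet:
    proto: str
    interface: str
    dst_ip: str
    dst_port: Optional[int] = None

def net_from_ip_mask(dest_ip: str, dest_mask: str) -> ipaddress.IPv4Network:
    """Build a network from the DestIP/DestMask pair the web UI asks for.
    strict=False tolerates host bits set in DestIP."""
    return ipaddress.IPv4Network(f"{dest_ip}/{dest_mask}", strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every populated field of the rule agrees with the packet."""
    if pkt.proto not in rule.protocols:
        return False
    if rule.interface != "any" and rule.interface != pkt.interface:
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    if rule.dst_net is not None and ipaddress.IPv4Address(pkt.dst_ip) not in rule.dst_net:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> Tuple[str, Optional[int]]:
    """Assumed first-match, top-to-bottom evaluation. Returns (action, rule index)."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return default, None

def build_rules() -> List[Rule]:
    """The rule set from the post: four SMB/CIFS port denies on LAN, then a multicast deny."""
    both = {"tcp", "udp"}
    rules = [Rule("deny", both, interface="lan", dst_port=p) for p in (445, 137, 138, 139)]
    rules.append(Rule("deny", both, dst_net=net_from_ip_mask("224.0.0.0", "240.0.0.0")))
    return rules

def evaluate_samples() -> dict:
    """Constructed sample packets run through the rule set (not captured traffic)."""
    rules = build_rules()
    samples = {
        "smb_from_lan":     Packet("tcp", "lan", "10.0.0.5", 445),       # SMB from customer LAN
        "smb_from_wan":     Packet("tcp", "wan", "10.0.0.5", 445),       # same port, wrong interface
        "netbios_ns_lan":   Packet("udp", "lan", "10.0.0.255", 137),     # NetBIOS name service
        "mdns_multicast":   Packet("udp", "lan", "224.0.0.251", 5353),   # inside 224/4
        "ssdp_multicast":   Packet("udp", "wan", "239.255.255.250", 1900),
        "https_unicast":    Packet("tcp", "lan", "10.0.0.5", 443),       # should pass
        "just_above_range": Packet("udp", "lan", "240.0.0.1", 1900),     # 240.0.0.0 is outside 224/4
    }
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, (action, idx) in evaluate_samples().items():
        print(f"{name:18s} -> {action} (rule {idx})")
```

The multicast line is the one worth checking by hand: `ipaddress.IPv4Network("224.0.0.0/240.0.0.0")` is the same as `224.0.0.0/4`, so a 240.0.0.0 mask matches the whole IPv4 multicast block and nothing else.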

Hello,

Please confirm the order in which rules are considered: top to bottom or bottom to top.

Thanks.

I want to block access to YouTube. ePMP1000 firewall, Layer 3. Who is this?

Hi

I'm trying to set up the multicast rule on a newish ePMP2000, but it does not like the 224.0.0.0 destination IP (it says it has to be a Class A, B or C address). Any ideas?

Any chance someone has a configuration on the L2/L3 security page to stop loops on ePMP equipment?

Hi @MartinWandira,

could you provide more details? What loops?
Do you mean a switching loop?

We have a network comprising ePMP1000 APs and Force 180/190/200/300 SMs. I've noticed of late that when a client is broadcasting or looping on their network, it affects multiple clients. I'm trying to figure out how the specific SM can block traffic from the client end… are there any configurations I can do on the SM?

Depends on your network design.
You can switch the SM to NAT or Router mode. It will keep all broadcasts in the client's network. There is also a Broadcast Packet Limit option in the network configuration.
On AP you can switch SM Traffic Isolation and clients will be hidden from each other.

Are your 180/190/200/300 radios in bridge mode? If so, how do you control access (turn customers on/off, authenticate them)? Do you control the device on the customer's premises that the 180/190/200/300 is connected to?