Newbie - Customer still able to access management interface when in NAT with PPPoE

Hi all, first post.

I've set up a test AP (with GPS) and an SM:

The AP is connected to a Mikrotik running a PPPoE server.

The SM is doing NAT & DHCP.

The SM picks up its IP address OK.

The SM has a separate management address on VLAN 4000.

Now, the SM is NAT-ing, getting its IP OK, and routing to clients connected to it. The management interface is reachable from the wireless side but also from the LAN. I thought that enabling a management VLAN would disable this.

What am I doing wrong?



VLAN 4000 is just another interface on the Mikrotik and will be routed as such. You will need a firewall rule on the Mikrotik to block access from the PPPoE subnet to the VLAN.

On an ePMP AP I know there is an option to only allow management access on the Ethernet interface or both on Ethernet and wireless. I don't recall seeing such a setting on CPEs.
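
The Mikrotik-side rule suggested in the reply above, sketched as an added RouterOS example (not posted by anyone in the thread). The address ranges, list names and the NOC host are constructed placeholders, since the thread does not give the real addressing.

```routeros
# Constructed placeholder values, replace with your own addressing:
#   198.51.100.0/24 = PPPoE customer pool (assumed)
#   192.0.2.0/24    = radio management subnet on VLAN 4000 (assumed)
#   203.0.113.10    = NOC workstation allowed to manage radios (assumed)
/ip firewall address-list
add list=pppoe-customers address=198.51.100.0/24
add list=radio-mgmt address=192.0.2.0/24
add list=noc-admins address=203.0.113.10

/ip firewall filter
# Let replies to admin-initiated sessions flow back.
add chain=forward connection-state=established,related action=accept \
    comment="allow return traffic"
# Admin workstations may reach the management VLAN.
add chain=forward src-address-list=noc-admins dst-address-list=radio-mgmt \
    action=accept comment="NOC to radio management"
# PPPoE customers may not; log the drops so probing shows up.
add chain=forward src-address-list=pppoe-customers dst-address-list=radio-mgmt \
    action=drop log=yes log-prefix="mgmt-block" \
    comment="block PPPoE customers from management VLAN"
```

RouterOS evaluates filter rules top-down and `add` appends to the end, so these must sit above any broader accept rule already in the forward chain. The rules only cover traffic routed through the Mikrotik; a client on the SM's LAN reaching the SM's own LAN-side address never crosses the router.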

Thanks for the reply,

I'll check this out over the weekend and report back.


When in NAT mode the SM is accessible via the Ethernet port. I haven't tested it, but you may be able to create a firewall rule (Config-->Security) to block it. Alternatively you could move the web server to an obscure port.

Note, if you place the CPE in bridge mode you can disable Ethernet access.

I'm curious, why do you care if the customer can access the web interface?