v4.6.1
On a bridged ePMP in bridge mode I have 3 layer 2 rules in the radio
(1) Allow PPPoE discovery, LAN, EtherType 8863
(2) Allow PPPoE session, LAN, EtherType 8864
(3) Deny LAN (Action: Deny | Interface: LAN | no EtherType specified)
I really thought rule 3 would stop "anything" from the LAN interface that wasn't PPPoE, so I was surprised to find that I can connect my tablet to the LAN port of the radio and not only scan for / discover other devices but also use Winbox to connect to things. I haven't had time to test yet, but I'm guessing my users can use other MAC / network scanning tools to look around as well.
So maybe it's ingress only and I need to stop things coming in on the WLAN side also? So maybe I need to make the same rules for the WLAN? But even if that works, it would also make the radio unreachable for management from either interface... Also, the fact that Winbox is able to connect to devices says the layer 2 firewall isn't stopping anything regardless of which interface I try to block, and maybe I need layer 3?
I can make a layer 3 rule to block UDP 20561 and stop MAC-Telnet from working to the MikroTik stuff, but I'm not sure what the best way is to stop the discovery / ARP and really anything and everything other than PPPoE from being passed to the end user / LAN.
So how do I block "EVERYTHING" except PPPoE from the LAN on the radio without blocking management access to the radio from the wireless side?
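As an added example (not from this post, and not Cambium's or ePMP's own code), here is a small Python model of how the three rules above would classify raw Ethernet frames if the layer 2 firewall evaluates them top-down, first match wins, only against frames entering the named interface. That direction assumption, the default action when no rule matches, and the sample frames are all constructed here, not taken from ePMP documentation; the model is useful for reasoning about why an ARP or MAC-Telnet frame arriving from the WLAN side would never hit a LAN-only deny rule, and why a VLAN-tagged PPPoE frame carries outer EtherType 0x8100 rather than 0x8863.

```python
import struct

# The three rules from the post: (action, interface, EtherType or None).
# None means "no EtherType specified", i.e. the rule matches any EtherType.
RULES = [
    ("allow", "LAN", 0x8863),  # PPPoE discovery
    ("allow", "LAN", 0x8864),  # PPPoE session
    ("deny",  "LAN", None),    # catch-all deny on LAN
]

def outer_ethertype(frame: bytes) -> int:
    """EtherType as it appears after the 12-byte MAC header (no tag parsing)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]

def inner_ethertype(frame: bytes) -> int:
    """EtherType after skipping one 802.1Q tag, if present (outer 0x8100)."""
    et = outer_ethertype(frame)
    if et == 0x8100:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        et = struct.unpack("!H", frame[16:18])[0]
    return et

def evaluate(frame: bytes, ingress_iface: str, rules=RULES,
             default: str = "allow") -> str:
    """Assumed model: rules apply to frames ENTERING ingress_iface, first match wins."""
    et = outer_ethertype(frame)  # assumption: the firewall matches the outer type
    for action, iface, rule_et in rules:
        if iface == ingress_iface and (rule_et is None or rule_et == et):
            return action
    return default  # assumption: no matching rule means the frame passes

def make_frame(ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame: broadcast dst, locally administered src."""
    return (b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
            + struct.pack("!H", ethertype) + payload)

def tagged_frame(vlan_id: int, ethertype: int) -> bytes:
    """Constructed 802.1Q frame: outer 0x8100, then TCI, then the real EtherType."""
    tag = struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + tag + struct.pack("!H", ethertype) + b"\x00" * 46

def audit() -> dict:
    """Classify a few constructed frames on each interface under the assumed model."""
    samples = {"pppoe_disc": make_frame(0x8863), "arp": make_frame(0x0806),
               "ipv4": make_frame(0x0800), "vlan_pppoe": tagged_frame(10, 0x8863)}
    return {f"{name}@{iface}": evaluate(fr, iface)
            for name, fr in samples.items() for iface in ("LAN", "WLAN")}
```

Under this model only frames entering the LAN port are ever denied, which matches the post's suspicion that the same catch-all would have to exist on the WLAN side (with management traffic then needing an explicit allow ahead of it) to stop discovery traffic reaching the LAN from the wireless side.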