So how to block "EVERYTHING" except PPPoE from the LAN?


On a bridged ePMP in bridge mode I have 3 layer 2 rules in the radio
(1) Allow PPPoE discovery LAN 8863
(2) Allows PPPoE session LAN 8864
(3) Deny LAN (Action: Deny | Interface: LAN | no EtherType specified).

I really thought rule 3 would stop “anything” from the LAN interface that wasn’t PPPoE so I was surprised to find that I can connect my tablet to the LAN port of the radio and not only scan for / discover other devices but I can use Winbox to connect to things. I haven’t had time to test yet but I’m guessing my users can use other MAC / Network scanning tools to look around also.

So maybe it’s ingress only and I need to stop things coming in the WLAN side also ? So maybe I need to make the same rules for the WLAN ? But even if that works it would also make the radio unreachable for management from either interface… Also, the whole Winbox being able to connect to devices says the layer 2 firewall isn’t stopping anything regardless of which interface I try to block and maybe I need layer 3 ?

I can make a layer 3 rule to block UDP 20561 and stop mactelnet from working to the mikrotik stuff but not sure what the best way to stop the discovery / ARP and really anything and everything other than PPPoE from being passed to the end user/LAN.

So how to block “EVERYTHING” except PPPoE from the LAN on the radio without blocking management access to the radio from the wireless side ?

1 Like

Pppoe is a discovery based protocol. So in short you cant do what you want and still have pppoe working.

What you can do is use per client vlans to the tower router which will act as an LNS and forward the traffic to the LAC. This way your clients can not snoop the network nor bypass the pppoe requirement.

The only problem is that if you have a backhaul link go down all pppoe sessions go down until the LNS reconnects to the LAC using a different path.
A better solution but requires more routing power per tower is to just pppoe to the tower and all client data is routed through the network.