Wildcards on the CPE firewall?

We are a new PMP320 customer and are trying to figure out the best way to set up the network while being as secure as possible. Since we provide VoIP, and a lot of times have more than one public IP assigned to a customer, we are pretty much forced to use bridging mode.

What I was thinking, to “secure” the network to an extent, was to set up each CPE with its firewall enabled and only allow the addresses of the equipment we have sitting behind it to pass through. That way, customer A can’t access customer B’s equipment that’s attached to the same AP. However, while the firewall works, it doesn’t look like there is any way to do wildcards, etc. It just seems to allow one IP address at a time. It would be nice to be able to say, for example, accept all traffic destined to 10.0.0.1, no matter where it comes from. We can handle the rest of the routing on our core routers as long as it’s handled within the “bridge” of the AP.

I’d really be interested in learning what other people might be doing. I guess the other option is VLANs, but that looks like it would complicate things quite a bit.

Yeah, you don’t want to restrict access that way. The only thing we use the firewall on the CPE for is to block customer gear from offering DHCP and announcing NetBIOS/SMB shares. (SPort68+DPort67 blocks them from offering DHCP but still permits them to request/receive it, then we block DPort135-139 and DPort445) (oh, and we block ether frame type 0x0806 to cut off service - that blocks ARP, preventing all but the canniest of users from routing packets anywhere)

As far as keeping clients from seeing each other, on the PMP320 AP try enabling ‘CPE Isolation’ under Configuration->General->Settings. If you’re using a CMM at the tower, enable port isolation on the CMM as well. (Read up on Port-based VLAN for the CMM first if you’re unfamiliar with it - basically, block all ports from talking to any other port by clicking the ‘Clear All’ button under Configuration->Switch, then check off ‘Uplink Port’ for the port leading to the upstream backhaul, router, whatever - then save all and reboot.) For our customers that works out well except for the occasional customer who needs to log into the DVR at work (which is also on our network) or something similar - for those situations we tell them a static public IP is required, which puts the device on a /30 public IP gatewayed at the core router, so client traffic to that public IP goes out to the core router and back in to the destination.

j
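A constructed model of that CPE rule set, added here as an illustration and not code from the post or from the CPE’s firmware. It assumes the CPE firewall is applied to frames heading into the customer LAN from the AP side (the post does not say which direction the rules apply in); under that assumption it shows why the SPort 68 + DPort 67 rule stops customer gear from answering other clients’ DHCP requests while leaving the customer’s own requests and the upstream server’s offers untouched. Rule names and the direction flag are mine; the ports and ether type come from the post.

```python
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806   # the "cut off service" rule from the post


@dataclass(frozen=True)
class Frame:
    direction: str                 # "to_customer" or "from_customer" (assumed model)
    ethertype: int
    proto: Optional[str] = None    # "udp", "tcp", or None for non-IP frames
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    ethertype: Optional[int] = None
    proto: Optional[str] = None    # None matches any IP protocol
    sport: Optional[int] = None
    dport: Optional[range] = None  # inclusive port range as range(lo, hi + 1)

    def matches(self, f: Frame) -> bool:
        """A field set to None is a wildcard; every set field must match."""
        if self.ethertype is not None and f.ethertype != self.ethertype:
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.sport is not None and f.sport != self.sport:
            return False
        if self.dport is not None and (f.dport is None or f.dport not in self.dport):
            return False
        return True


# The everyday rule set from the post: no rogue DHCP servers, no NetBIOS/SMB.
CPE_RULES = [
    Rule("rogue-dhcp-server", ETHERTYPE_IPV4, "udp", sport=68, dport=range(67, 68)),
    Rule("netbios", ETHERTYPE_IPV4, dport=range(135, 140)),
    Rule("smb", ETHERTYPE_IPV4, dport=range(445, 446)),
]
# The same set plus the ARP block used to cut a customer off entirely.
CUTOFF_RULES = CPE_RULES + [Rule("arp-cutoff", ETHERTYPE_ARP)]


def filter_frame(f: Frame, rules: list) -> Optional[str]:
    """Return the name of the first rule that drops the frame, or None if it passes.
    Only frames entering the customer LAN are filtered (assumption, see lead-in)."""
    if f.direction != "to_customer":
        return None
    return next((r.name for r in rules if r.matches(f)), None)
```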

Thanks for all of the really helpful info!!! It is great to know what to really use the CPE firewall for. It was driving us crazy trying to block stuff outside the CPE with it. It seems to only block broadcast/ICMP packets, or something to that effect. Blocking an address on the firewall would keep you from pinging it, but TCP traffic would still go right through, even though the destination ports were listed in the rule on the CPE. Since all we will need to use it for now is broadcast traffic, that won’t matter.

I had thought I had tried the CPE isolation, but it turns out I had disabled it again and didn’t realize it. This solves the problem of the CPEs seeing each other, which is a good thing, so thanks very much! What you’re saying about them needing to access the same network does make sense. This is our first wireless project; we have been using T1s and other leased lines to connect everyone before, so our whole network consists of a lot of /30 blocks. To get us started, I’m thinking just to route a /26 block to the tower, and then each customer will only use 1 IP out of that range, so that will save us a lot of address space and should make it pretty easy for us to manage.

I went with the PacketFlux sync injector vs. the CMM, so I won’t be able to block traffic between APs. I guess I could use a managed switch or something to do that, but hopefully it will probably be OK like it is. I’m sure that would most likely cut down on broadcast traffic though.

Thanks again for your help, I’ve learned a lot the last couple of weeks!

No problem. Just to let you know, we’ve recently started doing new towers without CMMs as well. SyncPipe for GPS, Canopy and PMP320 SyncInjectors, SiteMonitor, then everything interconnected through a Routerboard RB816. The RB816 has three gigabit ports (perfect for backhauls) and 16 10/100 ports on it. In practice we’ve bridged 4/6 ports together for the SyncInjectors, so the net effect is isolation between the two techs but no effective ‘port isolation’ between APs themselves. We cut our IP space up into /24 chunks then further subdivide as necessary, but generally I route a /24 block to each tower’s local router. Total cost for the router and all the PacketFlux gear comes to just about $1000, quite a bit less costly than a CMM4 PLUS a CMMMicro, the minimum needed to support 6 Canopy APs plus 4 PMP320 APs at one site.

j