If you are running a network or ISP/WISP and using Mikrotik as a PPPoE server, you may have run into this problem: many users have configured a WiFi router at their home to share the internet between mobiles, laptops and other devices, which is common nowadays. Usually the PPPoE dialer is configured in the user's WiFi router. The problem begins when the user account expires but the router keeps retrying the PPPoE dialer again and again, 24 hours a day. Imagine if you have lots of routers doing this sort of flooding/bombing: you will see only PPPoE failed authentication messages in the Mikrotik logs, and you won't be able to see any other valid info due to the continuous logging of failed auth messages. You can ignore it if the number is low, but sometimes it becomes annoying to see such messages, and if you are very short on space with a lower model of RB, then it is going to become an issue for you.
Sometimes it is just not possible to visit the user end to tell him to turn off his router or remove his cable from the switch, or you are running layer 2 unmanaged switches, or you simply don't want to visit that user. After a little searching (I did not make an extensive search) I found out that from the Mikrotik firewall you cannot block PPPoE requests, as PPPoE works on BROADCAST. So I found the following method to block PPPoE requests from particular VALID expired users. (I am using the words VALID expired users because if the user is not doing it intentionally then it is easier to block him at the Mikrotik level, but if some smart bugger is doing it just to annoy you, you have to hunt him down and cut the cable or block him at a manageable AP level, because he can change the MAC address any time.)
OK, the simple theory is:
1- Create a bridge interface,
2- Enable the bridge firewall,
3- Add your LAN interface to it,
4- Finally create a filter that blocks PPPoE discovery for that specific MAC address, and that's it.
OK, here we go . . .
We will first add a virtual BRIDGE interface:
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no \
    forward-delay=15s l2mtu=65535 max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 \
    protocol-mode=none transmit-hold-count=6
Then add the LAN interface as a port of the bridge:
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=LAN-ether2 \
    path-cost=10 point-to-point=auto priority=0x80
Enable the bridge firewall:
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=no
Finally, the filter that drops only PPPoE discovery frames coming from the user's MAC address:
/interface bridge filter
add action=drop chain=input comment=\
    "Block only PPPoE Discovery (connectivity) from user 'ZAIB' to prevent pppoe flooding :D" disabled=no \
    mac-protocol=pppoe-discovery src-mac-address=00:23:AE:A8:1F:7F/FF:FF:FF:FF:FF:FF
If you want to BLOCK ANY traffic coming from that or another user's MAC address from passing through the bridge to the LAN interface (sometimes this is a good approach, hmmmmm), use the following rule:
/interface bridge filter
## IF you want to BLOCK ANY traffic coming from that or other user
#add action=drop chain=input comment="Block ANY traffic from user 'KARACHI'" disabled=yes \
#    mac-protocol=ip src-mac-address=00:23:AE:A8:1F:7F/FF:FF:FF:FF:FF:FF
As shown in the image below . . . [image of the bridge filter configuration not preserved]
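As an added example (not from the original post), here is a small Python script that does the bookkeeping the log flooding makes hard: it counts failed PPPoE authentications per username in Mikrotik log lines and emits a bridge filter rule, in the same shape as the one above, for every user over a threshold whose router MAC you know. The log lines, the exact wording of the failed-auth message and the username-to-MAC table are all constructed assumptions; check the message format against your own /log print output.

```python
import re
from collections import Counter

# Constructed sample RouterOS log lines; the exact wording of the failed-auth
# message is approximated, so check it against your own /log print output.
SAMPLE_LOG = """\
jan/02 10:01:02 pppoe,ppp,error <pppoe-LAN-ether2>: user zaib authentication failed
jan/02 10:01:08 pppoe,ppp,error <pppoe-LAN-ether2>: user zaib authentication failed
jan/02 10:01:09 pppoe,ppp,error <pppoe-LAN-ether2>: user karachi authentication failed
jan/02 10:01:14 pppoe,ppp,error <pppoe-LAN-ether2>: user zaib authentication failed
jan/02 10:01:15 pppoe,ppp,error <pppoe-LAN-ether2>: user karachi authentication failed
jan/02 10:01:20 pppoe,ppp,info <pppoe-LAN-ether2>: user ali logged in, 10.0.0.7
jan/02 10:01:21 pppoe,ppp,error <pppoe-LAN-ether2>: user karachi authentication failed
jan/02 10:01:27 pppoe,ppp,error <pppoe-LAN-ether2>: user zaib authentication failed
"""
# Constructed username -> router MAC table (from /ppp secret caller-id or RADIUS).
KNOWN_MACS = {"zaib": "00:23:AE:A8:1F:7F"}
FAILED_RE = re.compile(r"pppoe,ppp,error <[^>]+>: user (\S+) authentication failed")

def count_failed_auth(log_text):
    """Failed PPPoE authentications per username."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def flooding_users(counts, threshold):
    """Usernames whose failures reached the threshold, noisiest first."""
    return [user for user, n in counts.most_common() if n >= threshold]

def bridge_filter_rule(user, mac):
    """Same shape as the rule above: drop only PPPoE discovery from one MAC."""
    return (
        "/interface bridge filter add action=drop chain=input "
        f"comment=\"Block PPPoE discovery from expired user '{user}'\" "
        f"mac-protocol=pppoe-discovery src-mac-address={mac}/FF:FF:FF:FF:FF:FF"
    )

def rules_for_log(log_text, macs, threshold=3):
    """Rules for flooding users with a known MAC; others are only reported,
    since without a MAC there is nothing for the bridge filter to match."""
    rules, unknown = [], []
    for user in flooding_users(count_failed_auth(log_text), threshold):
        if user in macs:
            rules.append(bridge_filter_rule(user, macs[user]))
        else:
            unknown.append(user)
    return rules, unknown
```

Users reported in the unknown list need their MAC looked up (or the blanket mac-protocol=ip rule) before anything can be dropped on the bridge.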
Note: I found this method with some R&D using the WIRESHARK capture tool, but I am very confident that there are more suitable methods that may be simpler and easier to implement with simple rules. If you have info, drop me a message so that I can update these little notes.
Regards,
Naveed Ahmad