Syed Jahanzaib – Personal Blog to Share Knowledge !

November 23, 2013

FUN with Mikrotik BRIDGE Series# Filter PPPoE Requests – Part#1 

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 11:22 PM

Part #1 : FUN with Mikrotik BRIDGE Series# Filter PPPoE Requests – Part#1 < You are Here
Part #2 : FUN with Mikrotik BRIDGE Series# Redirecting Traffic with Mikrotik Bridge

 


Disclaimer! This is important!

Every network is different, so one solution cannot fit or be applied to all. Therefore try to understand the logic and create or modify the solutions as per your network scenario. Never follow copy-paste blindly.

My humble request is that you kindly do not consider me an expert on this stuff; I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However, I have worked with some core networks and I read, research and try stuff all of the time. So I am not speaking/posting about stuff I am formally trained in; I pretty much go with experience and what I have learned on my own. And if I don't know something, then I read and learn all about it.

So please don't hold me/my postings to be always 100 percent correct. I make mistakes just like everybody else. However, I do my best, learn from my mistakes and try to share tips that worked for me.

Regards,
Syed Jahanzaib~


If you are running a network or ISP/WISP and using Mikrotik as a PPPoE server, you may have run into this problem: many users have configured a WiFi router at their home to share the internet between mobiles, laptops and other devices, which is common nowadays, and usually the PPPoE dialer is configured in the user's WiFi router. The problem begins when the user's account expires BUT the router keeps retrying the PPPoE dialer again and again, 24 hours a day. Imagine lots of routers doing this sort of flooding/bombing: you will see only PPPoE failed-authentication messages in the Mikrotik logs and won't be able to see any other valid info because of the continuous logging of failed auth messages. You can ignore it if the number is low, but sometimes it becomes annoying to see such messages, and if you are very short on space with a lower-model RB, it is going to become an issue for you. Sometimes it is just not possible to visit the user's end to tell him to turn off his router or remove his cable from the switch, or you are running layer-2 unmanaged switches, or you simply don't want to visit that user. After a little searching (I did not make an extensive search) I found out that you cannot block PPPoE requests from the Mikrotik IP firewall, as PPPoE discovery works on BROADCAST (it is not IP traffic).

So I found the following method to block PPPoE requests from particular VALID expired users. (I am using the words VALID expired users because if the user is not doing it intentionally, it is easier to block him at the Mikrotik level; but if some smart bugger is doing it just to annoy you, you have to hunt him down and cut the cable or block him at the managed AP level, because he can change the MAC address any time.)

OK, the simple theory is:

1-  Create a bridge interface,
2-  Enable the bridge firewall,
3-  Add your LAN interface to it,
4-  Finally create a filter that blocks PPPoE discovery for that specific MAC address 🙂 and that's it 🙂

Ok here we go . . .

We will first add a virtual BRIDGE interface:

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=\
15s l2mtu=65535 max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 protocol-mode=none \
transmit-hold-count=6

Now we will add the LAN interface to this BRIDGE, so that every frame passing through it is intercepted and can be blocked before it reaches the LAN interface:

/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=LAN-ether2 \
path-cost=10 point-to-point=auto priority=0x80

Now we will enable the BRIDGE FIREWALL setting. This is necessary because the Mikrotik IP/FIREWALL does not otherwise apply to traffic passing through a BRIDGE interface:

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=no

Finally we will create BRIDGE FILTER(s) to drop traffic from a particular user, blocking only his PPPoE connection attempts, matched by his MAC address:

/interface bridge filter
add action=drop chain=input comment=\
"Block only PPPoE Discovery (connectivity) from user 'ZAIB' to prevent pppoe flooding" disabled=no \
mac-protocol=pppoe-discovery src-mac-address=00:23:AE:A8:1F:7F/FF:FF:FF:FF:FF:FF

If you want to BLOCK ANY traffic coming from that (or any other) user MAC address from passing through the bridge to the LAN interface, use the following rule instead (sometimes this is a good approach 😉 hmmmmm):

## IF you want to BLOCK ANY traffic coming from that or other user
## (note: mac-protocol=ip matches only IP frames; leave mac-protocol out to drop every frame from this MAC)
#add action=drop chain=input comment="Block ANY traffic from user 'KARACHI'" disabled=yes \
#    mac-protocol=ip src-mac-address=00:23:AE:A8:1F:7F/FF:FF:FF:FF:FF:FF

As shown in the images below (screenshots: bridge, pppoe-1; not reproduced here).
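To make the two rules above concrete, here is an added Python example (not from the post or from MikroTik): it parses constructed Ethernet frames, counts PADI broadcasts per source MAC the way you would when hunting the noisy router in a Wireshark capture, and emulates the bridge filter matcher, showing that the pppoe-discovery rule catches only that MAC's discovery frames while the mac-protocol=ip variant touches only its IP frames. The rule MAC is the one from the post; the second client MAC and the capture are constructed.

```python
import struct
from collections import Counter

# EtherTypes behind the RouterOS mac-protocol keywords used in the post's rules
ETHERTYPE = {"ip": 0x0800, "pppoe-discovery": 0x8863, "pppoe": 0x8864}
PADI = 0x09  # PPPoE discovery code of the client's initial broadcast

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into dst MAC, src MAC, EtherType and payload."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "etype": etype, "payload": frame[14:]}

def mac_matches(mac: bytes, rule_mac: str, mask: str) -> bool:
    """src-mac-address=XX:..:XX/MASK semantics: only bits set in the mask are compared."""
    rule = bytes.fromhex(rule_mac.replace(":", ""))
    m = bytes.fromhex(mask.replace(":", ""))
    return all((a & k) == (b & k) for a, b, k in zip(mac, rule, m))

def rule_drops(frame: dict, mac_protocol: str, src_mac: str, mask="FF:FF:FF:FF:FF:FF") -> bool:
    """Emulate `add action=drop mac-protocol=<proto> src-mac-address=<mac>/<mask>` on one frame."""
    return frame["etype"] == ETHERTYPE[mac_protocol] and mac_matches(frame["src"], src_mac, mask)

def padi_counts(frames) -> Counter:
    """Count PADI broadcasts per source MAC to spot the routers that keep redialing."""
    counts = Counter()
    for raw in frames:
        f = parse_frame(raw)
        if f["etype"] == ETHERTYPE["pppoe-discovery"] and f["payload"][1] == PADI:
            counts[f["src"].hex(":")] += 1
    return counts

def filter_report(frames, rule_mac="00:23:AE:A8:1F:7F") -> dict:
    """Apply both of the post's rules to a capture and report how many frames each drops."""
    parsed = [parse_frame(f) for f in frames]
    return {proto: sum(rule_drops(f, proto, rule_mac) for f in parsed)
            for proto in ("pppoe-discovery", "ip")}

# Constructed sample capture (not a real trace): the post's MAC plus one other client
BCAST = b"\xff" * 6
ZAIB = bytes.fromhex("0023aea81f7f")   # MAC used in the post's filter rule
OTHER = bytes.fromhex("001122334455")  # constructed second client
def padi(src: bytes) -> bytes:
    # ver/type 0x11, code PADI, session 0, length 4, empty Service-Name tag (0x0101)
    return BCAST + src + b"\x88\x63" + b"\x11\x09\x00\x00\x00\x04\x01\x01\x00\x00"
def ipv4(src: bytes) -> bytes:
    # EtherType 0x0800 with a placeholder IPv4 header, enough for the matcher
    return OTHER + src + b"\x08\x00" + b"\x45" + b"\x00" * 19
CAPTURE = [padi(ZAIB)] * 5 + [padi(OTHER), ipv4(ZAIB)]
```

Run `padi_counts(CAPTURE).most_common()` to see which MAC is redialing most, and `filter_report(CAPTURE)` to see what each rule would drop.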


Note: I found this method with some R&D using the WIRESHARK capture tool, but I am very confident that there could be more suitable methods that are simpler and easier to implement with simple rules. If you have info, drop me a message so that I can update these little notes.


 


Regards,
Syed Jahanzaib

12 Comments »

  1. Dada, you are the best


    Comment by asdasd — November 24, 2013 @ 3:04 AM

  2. Very nice, Zaib bhai.
    I am using an RB433xxx; can I apply this rule on it when three ports (LAN, WAN, WAN2) are already in use?


    Comment by Muhammed Azam Ghouri — November 24, 2013 @ 12:04 PM

  3. Thanks Syed, nice.
    I want to make the default status for PPPoE blocked, and when I get a new PPPoE user, make a custom rule to give access from PPPoE.


    Comment by Injaznet Injaznet — November 24, 2013 @ 3:48 PM

  4. Is it possible that if we receive more than 10 requests from the same MAC address in 1 hour's time, then it should automatically block that specific MAC in the bridge filter?? Do you have something like this??


    Comment by Nishit — November 25, 2013 @ 9:14 AM

  5. Ji, I can't find the mac-protocol in RouterOS 6.20.
    Can you please rebuild/give a new script for the newer RouterOS?


    Comment by tamilmaran — October 15, 2015 @ 9:52 PM

  6. I have a PPPoE setup with Mikrotik.
    My client wants to set up a DVR; kindly guide how the DVR can be accessed from anywhere.


    Comment by nauman — April 17, 2016 @ 12:16 AM

  7. It's not working while using hotspot and PPPoE on the same bridge. PPPoE clients stop browsing when we choose the same bridge as the hotspot server interface.


    Comment by faraz — October 31, 2017 @ 2:20 AM

  8. One more fault: after bridging the PPPoE interface, we failed to control the upload traffic of PPPoE clients. Download traffic gets limited; upload fails to be limited.


    Comment by faraz — November 6, 2017 @ 11:38 PM

  9. […] FUN with Mikrotik BRIDGE Series#1. Filter PPPoE Requests – Part#1 […]


    Pingback by Redirecting Traffic with Mikrotik Bridge | Syed Jahanzaib Personal Blog to Share Knowledge ! — March 21, 2018 @ 3:19 PM

  10. Hi, I need to block certain clients after some bad password attempts, and the blocking time will be 10 min.

    How can I do that in Mikrotik using bridge and firewall…
    I am doing this, but it is not time-based.

    /interface bridge filter
    add action=drop chain=input disabled=no mac-protocol=pppoe-discovery src-mac-address=00:23:AE:A8:1F:7F/FF:FF:FF:FF:FF:FF

    I need this with automatic MAC address catching, and then this MAC will be blocked for 10 min. Is it possible?


    Comment by waqas hussain — December 14, 2018 @ 2:37 PM

