Hi

I have a pppoe server running and works great with usermanager.mikrotik server is 192.168.0.254. User uses pppoe to dail up, gets and ip and gateway, lets say 192.168.0.1 and gateway 192.168.0.254. Problem is if i use manually ip address like lets say 192.168.0.2 and gateway 192.168.0.254 i am able to access my internet with out pppoe dial up. Any way to block this?

Thanks

Remove the IP Address on the PPPOE interface.

create a different ip pool and assign to pppoe clients. and only use NAT for pppoe pool.

Hi

Remove the IP Address on the PPPOE interface.

if i try this i cant use pppoe it gives me username and password invalid.

create a different ip pool and assign to pppoe clients. and only use NAT for pppoe pool.

Ive created a different ip pool and nated it, so now i have and ip pool for 192.168.0.1-192.168.0.254 which is not on pppoe and 192.168.9.1-192.168.9.254 which is. So how does this prevent someone from getting internet access if they use a manual ip and gateway of the router. below is a layout of network

Modem----Ether1--Ether2-------Lan clients

Ether2 has pppoe server on it

thanks

only allow pppoe-encapsulated traffic on the bridge on your pppoe-server, simple as that


add action=accept chain=forward comment="" disabled=no in-bridge=bridge_pppoe mac-protocol=0x8863 out-bridge=bridge_pppoe
add action=accept chain=forward comment="" disabled=no in-bridge=bridge_pppoe mac-protocol=0x8864 out-bridge=bridge_pppoe
add action=drop chain=forward comment="" disabled=no in-bridge=bridge_pppoe out-bridge=bridge_pppoe

by that you only allow pppoe-authentication and encapsulated traffic and drop everything else.

only allow pppoe-encapsulated traffic on the bridge on your pppoe-server, simple as that


add action=accept chain=forward comment="" disabled=no in-bridge=bridge_pppoe mac-protocol=0x8863 out-bridge=bridge_pppoe
add action=accept chain=forward comment="" disabled=no in-bridge=bridge_pppoe mac-protocol=0x8864 out-bridge=bridge_pppoe
add action=drop chain=forward comment="" disabled=no in-bridge=bridge_pppoe out-bridge=bridge_pppoe

by that you only allow pppoe-authentication and encapsulated traffic and drop everything else.

Think I'm doing something wrong

Thanks

What you want can be easily done by removing the IP Address from the PPPOE interface. My network is setup that way and it works.

1. Remove the IP address from the PPPoE Interface
2. Disable DHCP Server for the PPPoE Interface
3. make sure PPP is set to use radius

What you want can be easily done by removing the IP Address from the PPPOE interface. My network is setup that way and it works.

1. Remove the IP address from the PPPoE Interface
2. Disable DHCP Server for the PPPoE Interface
3. make sure PPP is set to use radius

Code: Select all

/ppp aaa set use-radius=yes

1.i disabled the lan ip
2.i dont have a dhcp server
3.ppp is set to radius

Pc cannot connect to pppoe server. also, i am using usermanager.

You have to add the loopback IP Address to radius and user-manager list of routers
Remember to substitute "router-name" and "your-secret" as appropriate

Thanks works Great. Keep up the good work.

More easy and simple way to disallow connecting to the internet using MIKROTIK LAN IP range + Gateway + DNS and Allow internet connection only for connected PPPOE users:

Load winbox console and set the following:
First step:
IP/Pool/Add
Name: PPPOE-Pool
Address: 10.20.30.1-10.20.30.254 ( You can use any range you like )

Second step:
PPP/Profiles/Default
Local address: 192.168.1.1 ( Mikrotik LAN interface IP )
Remote address: PPPOE-Pool

Third step now lets do NAT for PPPOE users only:
IP/Firewall/NAT
Action: masquerade
Chain: srcnat
Src.Address: 10.20.30.1-10.20.30.254
OUT Interface: WAN

Final note:
In this way whatever the client will put ip without connecting to the PPPOE, will not able to use the internet

Hope this small short tutorial clear many people mind and specially those who regret to tell me how to do this. God gave us a brain to use it ...