spammyduck
newbie
Topic Author
Posts: 42
Joined: Tue Aug 10, 2010 7:25 am

Limit number of failed pppoe logon attempts

Tue Aug 10, 2010 7:47 am

Hello

I have googled and searched this forum but I have not found a solution to my problem. When one of our PPPoE users' accounts is disabled and that user has a router that does the PPPoE auth for them, their router continues to attempt to log on over and over and over and over, hundreds or thousands of times an hour. The result is tens of thousands of unnecessary lines of failed connection messages in the RADIUS logs. It causes a few other annoyances also, but the big thing is the staff having to sort through tens of thousands of lines of logs when trying to help other customers.

Now, a while back I had a problem with dictionary attacks attempting to FTP into our Mikrotik router. I found, here I think, a set of firewall rules that allowed me to set X number of failed logon attempts to the FTP and then it bans the IP for 24 hours. Is there a way to do something like this for PPPoE logons? I tried to do it using the FTP firewall rules as a template, but PPPoE auth and FTP auth are nothing alike and I can't figure out how to make it work.

Is there a way to make it stop listening to a PPPoE auth request after 15 failures a minute for x hours? It would have to do it based on the MAC address, since a failed PPPoE connection doesn't have an IP.

Is it possible?
 
Muqatil
Trainer
Posts: 573
Joined: Mon Mar 03, 2008 1:03 pm
Location: London - UK

Re: Limit number of failed pppoe logon attempts

Tue Aug 10, 2010 2:00 pm

I looked for a solution like yours a while ago without finding a way to block PPPoE requests in a dynamic way.
I created a pool of private IPs without internet access and redirect all the requests to a webpage that alerts customers that they have some payment issues to solve.
I just change the normal pool range to the "blocked range" and limit the allowed traffic to minimal (64k for Winbox access).
It's already a first troubleshooting step, because the customer already knows why the connection is not working, and the technicians won't look for other issues if they see the IP range.
Hope it helps
 
sencovaal
just joined
Posts: 3
Joined: Wed Jul 21, 2010 4:59 pm

Re: Limit number of failed pppoe logon attempts

Tue Aug 10, 2010 6:44 pm

Or you can add the client's MAC address to the wireless access list and untick the authentication and forwarding buttons.

hope this helps
 
spammyduck
newbie
Topic Author
Posts: 42
Joined: Tue Aug 10, 2010 7:25 am

Re: Limit number of failed pppoe logon attempts

Wed Aug 11, 2010 6:16 am

Medianet, are you talking about doing that in your RADIUS profiles, or did you do this somehow in the Mikrotik? Can you point to more info on this?

Thanks
 
Muqatil
Trainer
Posts: 573
Joined: Mon Mar 03, 2008 1:03 pm
Location: London - UK

Re: Limit number of failed pppoe logon attempts

Wed Aug 11, 2010 10:17 am

In the PPP profile you usually have a default profile pointing to a default address pool with your default IPs (public IPs or a private pool that is NATed). Create a new address pool which is not NATed to surf the internet, change the profile of disabled customers to the new address pool, and here we go!
It's doable without RADIUS.
 
spammyduck
newbie
Topic Author
Posts: 42
Joined: Tue Aug 10, 2010 7:25 am

Re: Limit number of failed pppoe logon attempts

Thu Aug 12, 2010 12:37 am

Medianet, I guess I'm just too dense to follow what you are telling me there. I don't see anywhere where I would tell Mikrotik "use this PPPoE profile if auth is successful" or "use this PPPoE profile if auth fails".
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Re: Limit number of failed pppoe logon attempts

Thu Aug 12, 2010 2:02 am

Spammy,

You can create multiple address pools from which your PPPoE server assigns client addresses. You simply create a new pool "suspended" on your PPPoE server(s), and have the suspended client set to that pool. The RADIUS server will pass the attribute to the PPPoE server to assign an address from the "suspended" pool. You'll want to make sure the IP range in the "suspended" pool is non-routable to the internet, or redirects to a page that informs the client their account is suspended for whatever reason.
rad_attribute("radreply", $ppp['UserName'], "Framed-Pool", "=", $ppp['FramedPool']);
The above is part of the reply message for a PPP User, setting the Framed-Pool to variable $ppp['FramedPool'] in the MySQL table "radreply".

Basically that attribute needs to be passed to the RADIUS server somehow. I don't know if you use static text files for your users, or a MySQL backend, but either way the attribute needs to be passed for the user to specify the address pool in Mikrotik. Without that attribute it will just use the default pool specified by your Mikrotik's PPPoE default profile.

If you're looking to have a default policy to accept all RADIUS connections -- say a user types in his username or password incorrectly -- you could have a default fall-through policy in the RADIUS server's users file to accept all PPP connections, but make sure the policy specifies a pool that does not grant them access to network resources. Just an informative web page saying there's a problem with their connection: possible reasons include x, y, z.

Is that a little clearer?
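Putting the "suspended pool" approach from Muqatil's and wildbill442's replies into RouterOS terminal commands, as an added example that is not taken from either poster's configuration. Every address range, interface name, the RADIUS server address and shared secret, the notice web server at 10.98.0.10, the username "alice" and the wireless MAC address are constructed placeholders; the "suspended" pool name is the value the RADIUS reply's Framed-Pool attribute must carry for the RADIUS variant to work.

```routeros
# --- Two address pools: one for paying customers, one for suspended accounts ---
# (all ranges are made-up private ranges; adjust to your addressing plan)
/ip pool add name=customers ranges=10.10.0.2-10.10.255.254
/ip pool add name=suspended ranges=10.99.0.2-10.99.255.254

# --- Two PPP profiles. The PPPoE server hands out addresses from the pool
#     named in the profile; "suspended" also caps traffic so only a notice
#     page (and Winbox/management) is practical ---
/ppp profile add name=customer local-address=10.10.0.1 remote-address=customers
/ppp profile add name=suspended local-address=10.99.0.1 remote-address=suspended rate-limit=64k/64k

# --- NAT only the customer range to the internet. The suspended range is
#     deliberately NOT masqueraded, so it cannot reach the outside world ---
/ip firewall nat add chain=srcnat src-address=10.10.0.0/16 out-interface=ether1-wan action=masquerade comment="customers: internet access"

# --- Send all HTTP from suspended clients to a notice page on an internal
#     web server (10.98.0.10 is a hypothetical server that explains the suspension) ---
/ip firewall nat add chain=dstnat src-address=10.99.0.0/16 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.98.0.10 to-ports=80 comment="suspended: redirect HTTP to notice page"

# --- Belt and braces: suspended clients may only forward to the notice server ---
/ip firewall filter add chain=forward src-address=10.99.0.0/16 dst-address=10.98.0.10 action=accept comment="suspended: allow notice page"
/ip firewall filter add chain=forward src-address=10.99.0.0/16 action=drop comment="suspended: drop everything else"

# --- Variant A (no RADIUS, Muqatil's route): local secrets, flip the profile ---
/ppp secret add name=alice password=CHANGEME service=pppoe profile=customer
# When alice stops paying, move her to the suspended profile; her router keeps
# authenticating successfully, so the failed-login log spam stops, but she only
# ever sees the notice page until the profile is switched back.
/ppp secret set [find name=alice] profile=suspended
# Reinstate:
# /ppp secret set [find name=alice] profile=customer

# --- Variant B (RADIUS, wildbill442's route): let RADIUS pick the pool ---
# The RADIUS reply for a suspended user carries  Framed-Pool = "suspended",
# which must match the /ip pool name above. 192.0.2.10 and the secret are placeholders.
/radius add service=ppp address=192.0.2.10 secret=CHANGEME-SHARED-SECRET
/ppp aaa set use-radius=yes accounting=yes

# --- Variant C (sencovaal's route, wireless CPE only): keep the client
#     associated but stop authenticating and forwarding its frames ---
/interface wireless access-list add mac-address=00:11:22:33:44:55 authentication=no forwarding=no comment="suspended CPE"
```

For Variant B the pool selection lives entirely on the RADIUS side: the user's reply entry (users file or the radreply table wildbill442 mentions) sets Framed-Pool to "suspended", and a DEFAULT entry placed after the real users can return the same attribute so that a mistyped password still lands on the notice page instead of generating a failed-login record. Note that the forward-chain rules above must be positioned before any general "accept established/related" or "accept all" rule in /ip firewall filter, otherwise the drop never matches.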