Only Allow pppoe clients to access network

Hello, dears.

I created a pppoe-server on eth1 and set a SNAT rule from eth1 to eth0.

Pppoe clients work well.

But how can I deny terminals with static IP addresses access to the network?
If I connect a computer to eth1, and set the computer’s ip address=192.168.1.100/24, gateway=192.168.1.1 and dns…
The computer can access the network without PPPoE dial-up, which should not be allowed.

Following is my configuration:

wan

set interfaces ethernet eth0 address dhcp

lan

set interfaces ethernet eth1 address 192.168.1.1/24

pppoe-server

set service pppoe-server access-concentrator pppoeoneth1
set service pppoe-server authentication mode local
set service pppoe-server authentication local-users username ppp01 password ppp01password
set service pppoe-server interface eth1
set service pppoe-server gateway-address 192.168.1.1
set service pppoe-server name-server 114.114.114.114
set service pppoe-server name-server 223.5.5.5
set service pppoe-server client-ip-pool start 192.168.1.10
set service pppoe-server client-ip-pool stop 192.168.1.10

snat

set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.1.0/24'
set nat source rule 100 translation address 'masquerade'

Hi @ackema, as PPPoE uses /32 addresses for the connection anyway, the GW address can be configured outside of your client address pool, and it can even be a /32 IP address. You can check the following example and see if that helps:

set interfaces ethernet eth1 address '10.100.100.1/32'
set service pppoe-server client-ip-pool start '192.168.0.1'
set service pppoe-server client-ip-pool stop '192.168.0.10'
set service pppoe-server gateway-address '10.100.100.1'

On the pppoe client side it will look like this:

vyos@Router:~$ show interfaces pppoe pppoe0
pppoe0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet 192.168.0.2 peer 10.100.100.1/32 scope global pppoe0
       valid_lft forever preferred_lft forever

vyos@Router:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=64 time=3.06 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=64 time=2.32 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=64 time=2.92 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 2.320/2.766/3.061/0.326 ms

It works, thanks a lot!

eth1 and the pppoe interfaces are different L3 interfaces. I’d just use firewall rules on eth1 to block non-PPPoE traffic.
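
An added example, not part of the thread and not VyOS code: a small Python audit that reads `set` commands and reports any PPPoE-server interface that still carries an on-link subnet, and whether a source NAT rule covers that subnet, which is the condition that let the static-IP host bypass PPPoE above. The function names `parse_set` and `audit_pppoe_bypass` are hypothetical, and the two sample configurations are constructed from the commands posted in the thread.

```python
import ipaddress

# Constructed from the question: eth1 has a /24 that is also NATed out eth0.
ORIGINAL = """
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 address 192.168.1.1/24
set service pppoe-server interface eth1
set service pppoe-server gateway-address 192.168.1.1
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.1.0/24'
set nat source rule 100 translation address 'masquerade'
"""

# Constructed from the reply: eth1 only holds a /32, so no host can be on-link.
SUGGESTED = """
set interfaces ethernet eth1 address '10.100.100.1/32'
set service pppoe-server interface eth1
set service pppoe-server client-ip-pool start '192.168.0.1'
set service pppoe-server client-ip-pool stop '192.168.0.10'
set service pppoe-server gateway-address '10.100.100.1'
"""

def parse_set(config):
    """Split each 'set ...' line into tokens, stripping straight quotes."""
    return [[t.strip("'\"") for t in line.split()[1:]]
            for line in config.splitlines() if line.strip().startswith("set ")]

def audit_pppoe_bypass(config):
    """Return (interface, subnet, natted) for each PPPoE-server interface
    whose own address leaves room for statically addressed on-link hosts."""
    cmds = parse_set(config)
    pppoe_ifaces = {c[3] for c in cmds
                    if len(c) >= 4 and c[:3] == ["service", "pppoe-server", "interface"]}
    nat_sources = [ipaddress.ip_network(c[6]) for c in cmds if len(c) == 7
                   and c[:3] == ["nat", "source", "rule"] and c[4:6] == ["source", "address"]]
    findings = []
    for c in cmds:
        if (len(c) == 5 and c[:2] == ["interfaces", "ethernet"]
                and c[2] in pppoe_ifaces and c[3] == "address" and c[4] != "dhcp"):
            net = ipaddress.ip_interface(c[4]).network
            if net.num_addresses > 1:  # a /32 has no room for other hosts
                natted = any(net.overlaps(src) for src in nat_sources)
                findings.append((c[2], str(net), natted))
    return findings

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, audit_pppoe_bypass(cfg))
```

An empty result means the PPPoE interface exposes no routable on-link subnet; it does not replace the firewall rules on eth1 suggested in the last reply.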
