Hi, Thanks to everyone on the forum for their input.
It was good feedback with regard to the Canopy filter rules, how much you like them, could these rules be added to ePMP, could specifics be obtained on the rules, and the use cases around filtering. First, people were interested in the following Canopy filters and what their contents were. I have a first pass that may not be exactly right as this is being researched by the Canopy team. When this is ready it will be posted somewhere on the Cambium forum. For the purposes of the issue, let’s assume what I have for the moment is correct to answer people’s questions: PPPoE: EtherType 8863 and EtherType 8864. Bootp Server: Protocol UDP with Port 67 and Protocol UDP with Port 68. SMB: Protocol TCP with Port 445, Protocol TCP+UDP with Port 137, Protocol UDP with Port 138, and Protocol TCP with Port 139. SNMP: Protocol UDP with Port 161 and Protocol TCP+UDP with Port 162. Multicast: Dest MAC 01:00:5E:00:00:00 with Dest Mask FF:FF:FF:80:00:00 – OR -- Dest IP 224.0.0.0 with Dest Mask 224.0.0.0. But, people also wanted to block all traffic except for one intended type. So I will provide the other two filters to enable this: Bootp Client: Protocol UDP with Port 68. ARP: EtherType 0806. Many people asked about having pre-existing rules like Canopy has be implemented on ePMP. Glad to hear that people like this Canopy feature. We can add in pre-existing rules, too. I have added this to our future features database. Right now, I do not have a date for anyone, but we are aware of your desire for this. George Skorup also asked for filtering statistics similar to what exists on Canopy. I have added this to our future features database. Right now, I do not have a date for anyone, but we are aware of your desire for this. You can use the information on the Canopy filters above to set up equivalent functionality on ePMP as for example I describe in the next paragraph. Daniel Gerlach asked about limiting traffic to only PPPoE. Later on Steve indicated that this should pertain to the WAN. My suggestion would be to go to the AP, enable Layer 2 Firewall, and allow EtherType 8863 on the LAN as the first rule, allow EtherType 8864 on the LAN as the second rule, and deny on the LAN as the third rule. This would allow filtering to be done on the AP preventing non-PPPoE packets from going over the WLAN and reaching the SM. *** Please note that I have not specifically tried this out myself to verify it. *** Here are some notes on the ePMP firewall logic: 1. Firewall rules are executed in the order that they are listed. Therefore, if a packet matches more than one rule, it will match first on the earlier rule and never execute the latter rules. 2. Define your allow rules first to make sure that intended packets make it through the firewall. Defining an overall deny rule first will cause bad things to happen. 3. Define your overall deny rule last to make sure that after your intended allow packets make it through, the remaining unintended packets do not make it through. Josh Luthman asked about several filters: 1. Block bootp: On the AP enable Layer 3 Firewall and deny Protocol UDP with Port 67 on the LAN as the first rule and deny Protocol UDP with Port 68 on the LAN as the second rule. 2. Block PPPoE: On the AP enable Layer 2 Firewall and deny EtherType 8863 on the LAN as the first rule and deny EtherType 8864 on the LAN as the second rule. 3. Block SMB: On the AP enable Layer 3 Firewall and deny Protocol TCP with Port 445 on the LAN as the first rule, deny Protocol TCP+UDP with Port 137 on the LAN as the second rule, deny Protocol UDP with Port 138 on the LAN as the third rule, and deny Protocol TCP with Port 139 on the LAN as the fourth rule. *** Please note that I have not specifically tried this out myself to verify it. *** George Skorup asked about four filters: 1. Block Bootp: See Josh Luthman filter 1. 2. Block SNMP: On the AP enable Layer 3 Firewall and deny Protocol UDP with Port 161 on the LAN as the first rule and deny Protocol TCP+UDP with Port 162 on the LAN as the second rule. 3. Block SMB: See Josh Luthman filter 3. 4. A. Block Multicast: On the AP enable Layer 2 Firewall and deny Dest MAC 01:00:5E:00:00:00 with Dest Mask FF:FF:FF:80:00:00 on the LAN as the first rule –OR-- on the AP enable Layer 3 Firewall and deny Dest IP 224.0.0.0 with Dest Mask 224.0.0.0 on the LAN as the first rule. *** Please note that I have not specifically tried this out myself to verify it. *** Dan From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup (Cyber Broadcasting) via Af Sent: Wednesday, November 19, 2014 11:15 AM To: af@afmug.com Subject: Re: [AFMUG] epmp 1000 only PPPOE Filter Downside, none. Unless you're doing something with multicast over an SM link, like maybe OSPF. A few years ago, we had a bunch of customer routers (might have been Linksys or Netgear) that were spewing out multicast. And a large L2 segment of the network (which is now broken up) slowed to a crawl. I think it was IGMP. And SM isolation wouldn't have solved the problem for the entire network. Multicast filter on all of the Canopy SMs reduced the violence. But I think this was around the same time we had some Trango 5580's go stupid. They appeared to be looping traffic, but not all types, just broadcast and multicast. It was really weird. But now all that Trango stuff is gone, every last one. On 11/19/2014 10:09 AM, Ty Featherling via Af wrote: Is there any downside to dropping all multicast from the customers? My brain says no but my other end says don't try it without confirming. -Ty On Tue, Nov 18, 2014 at 5:36 PM, George Skorup (Cyber Broadcasting) via Af <af@afmug.com<mailto:af@afmug.com>> wrote: We do only bridge mode and DHCP to the customer's equipment. But I do check the PPPoE filter because it lets me easily see when a customer's router is configured for PPPoE (Stats > Filter). I also use the filters for BootP server, SNMP, SMB and multicast. This is some of the best stuff about Canopy. So I would prefer the ePMP to work like Canopy, for the most part anyway. On 11/18/2014 3:13 PM, Matt via Af wrote: I am Dan Sullivan and I am the software manager for ePMP at Cambium. Why do you want to filter PPPoE? Can you explain the use case more for me. When our SM is set up as a PPPoE client and is talking to a PPPoE server, it will only accept traffic from the PPPoE server over the wireless interface. With this in mind, why do you need a PPPoE filter for the wireless interface? One other item, when NAT mode is enabled we can set up a L2 filter for a source MAC and EtherType as indicated below, but only the source MAC filter will work. There is a warning message that indicates this when in NAT mode. I think the desired affect is the same as: On Canopy 450 SM "Config / Protocol Filtering" "Packet Filter Configuration" Packet Direction: Filter Direction Upstream Checked Packet Filter Types: Check Everything BUT "PPPoE" This way the customer router/PC they plug into the ethernet port on the SM can only successfully send PPPoE traffic onto our network.
