
PPPOE Hacking on AP (http://forum.ubnt.com/showthread.php?t=44544&highlight=ebtables)

We're making use of a similar configuration.

Although "Client Isolation" is enabled, this does not prevent a rogue access concentrator from offering service to customers fed from a different AP. I have settled on something akin to this:

Code:

# Flush any existing rules from memory.
ebtables -F

# Set default policy for all chains.
ebtables -P INPUT ACCEPT
ebtables -P OUTPUT ACCEPT
ebtables -P FORWARD DROP

# Prevent wireless clients from talking to the AP
ebtables -A INPUT -i ath0 -j DROP

# Drop broadcast traffic at egress from radio interface.
ebtables -A FORWARD -o ath0 -d ff:ff:ff:ff:ff:ff -j DROP

# Allow PPPoE to pass through unhindered.
ebtables -A FORWARD -p 0x8863 -j ACCEPT
ebtables -A FORWARD -p 0x8864 -j ACCEPT

The key rule here is that any traffic destined for the Ethernet broadcast address (such as a PPPoE PADI) is forbidden from egressing the radio interface. So PADI can only go in one direction - wireless to wired. This takes all of the fun away from an access concentrator on the radio side of the AP :-)

Of course - using this method, the ebtables rules need to be disabled if you need to pass anything other than PPPoE to/from your CPEs, IP for example. I use a small bash script to raise and lower these filters as necessary.

Really not sure if this is anything like what you are looking for, but it works for us.

Charlie
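The FORWARD rules from the post above, run through a small first-match model to show which frames they pass. This is an added example, not part of the thread; it models only the FORWARD chain, and the wired port name `eth0` and the client MAC are assumptions made for illustration.

```python
# Added example (not from the thread): first-match model of the FORWARD chain.
BROADCAST = "ff:ff:ff:ff:ff:ff"
PPPOE_DISCOVERY, PPPOE_SESSION, ARP, IPV4 = 0x8863, 0x8864, 0x0806, 0x0800
SELECTORS = {"-i": "in", "-o": "out", "-d": "dst", "-p": "proto"}
FORWARD_POLICY = "DROP"          # ebtables -P FORWARD DROP
FORWARD_RULES = [                # the three -A FORWARD rules, in order
    "-o ath0 -d ff:ff:ff:ff:ff:ff -j DROP",
    "-p 0x8863 -j ACCEPT",
    "-p 0x8864 -j ACCEPT",
]

def parse_rule(text):
    """Turn '-p 0x8863 -j ACCEPT' into {'-p': 0x8863, '-j': 'ACCEPT'}."""
    tokens = text.split()
    rule = dict(zip(tokens[0::2], tokens[1::2]))
    if "-d" in rule:
        rule["-d"] = rule["-d"].lower()
    if "-p" in rule:
        rule["-p"] = int(rule["-p"], 16)
    return rule

def matches(rule, frame):
    """A rule matches only if every selector it carries equals the frame's."""
    return all(rule[o] == frame[k] for o, k in SELECTORS.items() if o in rule)

def forward_verdict(frame, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in map(parse_rule, rules):
        if matches(rule, frame):
            return rule["-j"]
    return policy

def frame(in_if, out_if, dst, proto):
    return {"in": in_if, "out": out_if, "dst": dst.lower(), "proto": proto}

# Constructed frames; eth0 (wired port) and the client MAC are assumptions.
CLIENT = "02:00:00:00:00:01"
SAMPLES = {
    "PADI wireless->wired": frame("ath0", "eth0", BROADCAST, PPPOE_DISCOVERY),
    "PADI wired->wireless": frame("eth0", "ath0", BROADCAST, PPPOE_DISCOVERY),
    "PADO wired->client": frame("eth0", "ath0", CLIENT, PPPOE_DISCOVERY),
    "session wired->client": frame("eth0", "ath0", CLIENT, PPPOE_SESSION),
    "ARP wireless->wired": frame("ath0", "eth0", BROADCAST, ARP),
    "IPv4 wired->client": frame("eth0", "ath0", CLIENT, IPV4),
}

if __name__ == "__main__":
    for name, f in SAMPLES.items():
        print(f"{name:24} {forward_verdict(f)}")
```

The ARP and IPv4 frames fall through to the DROP policy, which is why the post notes that the filters have to be lowered before anything other than PPPoE can pass.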

PPPOE Hacking on AP

Hi, I'm trying to stop hackers from installing rogue PPPOE servers and introducing them to my network through WLAN on AP, so I applied the below configuration using AirOS V3.6.1, but it didn't work. If anyone has an idea how to do it, I would appreciate it.

ebtables.73.cmd=-I FORWARD -p 0x8863 -d FF:FF:FF:FF:FF:FF -o ath0 -j DROP
ebtables.73.status=enabled

Mohanad
