Discussion:
[MikroTik] PPPoe implementation
EzAzz Administrator
2004-05-23 05:56:24 UTC
Thanks for taking the trouble to elaborate Paul. Much clearer now. A number
of folks have replied so I've put a more general response in another mail,
same thread.

----- Original Message -----
From: "Paul Julian" <***@redrocksolutions.net>
To: "'EzAzz Administrator'" <***@ezazz.co.uk>; "'General questions about
MikroTik RouterOS'" <***@bruno.pmi.lv>
Sent: Friday, May 21, 2004 7:26 AM
Subject: RE: [MikroTik] PPPoe implementation
PPPOE is a layer 2 protocol.
IP runs at layer 3, so, when traversing a link on layer 2, the IP is ignored and/or not required for that information to flow. This is why PPPOE works across a bridged connection, whereas IP won't unless it's configured of course.
PPPOE seems to be good, from my perspective, because it allows a bit more security. In my mind, security can be measured by how much information you allow people to get about something, and when you don't even give them IP to sniff or find, that makes it pretty hard I reckon.
If you run bridge mode on your AP's, the only way you can connect is to know exactly the radio parameters, and even then, to get through the PPPOE server you need your username and password.
PPPOE seems to me to be the most secure way to authenticate users and provide simple but effective levels of security by default.
We have looked at using AP/Client modes and running PPTP, and all sorts of things, but we keep coming back to using PPPOE. The only thing that worries us with PPPOE and running in bridge mode, is that we tie ourselves to the same CPE devices because a lot of gear won't bridge to other products, and the cost of PPPOE clients. I know there are free ones, but, none free for commercial use, not that we can find anyway. At least with AP/Client modes we have choices for CPE and AP's, they are MOSTLY interoperable.
Just my thoughts, I'm always open to other opinions, that's for sure !
Regards
Paul
-----Original Message-----
Sent: Friday, 21 May 2004 4:25 PM
RouterOS
Subject: Re: [MikroTik] PPPoe implementation
Thanks Paul but
? straight over my head I'm afraid. Whole sentences please ...
Is this a yes or a no?
Maybe you're answering
"why a PPPoE may not have an IP address"
but the question is
"why a PPPoE should not have an IP address" Is there a security hole ?
----- Original Message -----
Sent: Friday, May 21, 2004 6:30 AM
Subject: RE: [MikroTik] PPPoe implementation
Cause it uses layer 2, no IP down there....
Regards
Paul
-----Original Message-----
Sent: Friday, 21 May 2004 3:40 PM
To: General questions about MikroTik RouterOS
Subject: Re: [MikroTik] PPPoe implementation
Thanks Kevin,
Of course that's what I've guessed (otherwise my hotspot wouldn't be working at all :) ). So do I have a security hole where a user can log on with previously known pppoe credentials or something similar ?
I confess I don't really understand why a PPPoE should not have an IP address. I should get my head around this one.
Brian
----- Original Message -----
Sent: Friday, May 21, 2004 4:30 AM
Subject: RE: [MikroTik] PPPoe implementation
Yes. Otherwise the hotspot wouldn't work at all.
Kevin Summers
KISTech Internet
www.kistech.com
-----Original Message-----
Sent: Thursday, May 20, 2004 4:35 PM
To: General questions about MikroTik RouterOS
Subject: Re: [MikroTik] PPPoe implementation
I have hotspot and PPPoE on the same interface. Should I assign IP to
interface or not ?
----- Original Message -----
To: "General questions about MikroTik RouterOS"
Sent: Thursday, May 20, 2004 4:52 PM
Subject: Re: [MikroTik] PPPoe implementation
Yep, the interface on which you set up the PPPoE server should not have an IP address.
But, when a user connects, you should see in the routing table of the router a new IP, the one you set up (local-address field) when creating an account for the remote user. See Local P2P User Database (*/ppp secret)
Hope this helps.
_______________________________________________
ALL POSTS SHOULD BE ABOUT GENERAL ROUTEROS QUESTIONS
To post to the list, address emails to ***@bruno.pmi.lv
To unsubscribe/subscribe: email to RouterOS-***@bruno.pmi.lv ,
with text in the body "unsubscribe <password>" or "subscribe"
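
Added example, not part of the original thread: a small parser for the "PPPoE is layer 2" point discussed above. It shows that PPPoE frames are recognised by EtherType, MAC addresses and session ID alone, and that IP only appears as the PPP payload inside a session frame. The MAC addresses and both sample frames are constructed for illustration.

```python
import struct

ETH_IPV4, ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x0800, 0x8863, 0x8864
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS",
               0xA7: "PADT", 0x00: "SESSION"}
PPP_PROTOCOLS = {0x0021: "IPv4", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}

def parse_frame(frame: bytes) -> dict:
    """Describe one untagged Ethernet II frame (VLAN tags are not handled)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype}
    body = frame[14:]
    if ethertype == ETH_IPV4:
        info["kind"] = "plain IPv4"      # IP directly on the wire
        return info
    if ethertype not in (ETH_PPPOE_DISC, ETH_PPPOE_SESS):
        info["kind"] = "other"
        return info
    if len(body) < 6:
        raise ValueError("truncated PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", body[:6])
    if ver_type != 0x11:                 # version 1, type 1 (RFC 2516)
        raise ValueError("unexpected PPPoE version/type")
    payload = body[6:6 + length]
    if len(payload) < length:
        raise ValueError("PPPoE payload shorter than its length field")
    info.update(kind="PPPoE", code=PPPOE_CODES.get(code, hex(code)),
                session_id=session_id)
    # Only session frames carry PPP; IP, if any, is nested inside it.
    if ethertype == ETH_PPPOE_SESS and len(payload) >= 2:
        proto = struct.unpack("!H", payload[:2])[0]
        info["ppp_protocol"] = PPP_PROTOCOLS.get(proto, hex(proto))
    return info

# Constructed sample frames (locally administered MACs, not real captures).
CLIENT, SERVER = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
# Discovery: broadcast PADI, session 0, one empty Service-Name tag (0x0101).
PADI = (b"\xff" * 6 + CLIENT + struct.pack("!H", ETH_PPPOE_DISC)
        + struct.pack("!BBHH", 0x11, 0x09, 0, 4) + struct.pack("!HH", 0x0101, 0))
# Session: PPP protocol 0x0021 followed by 20 zero bytes standing in for IPv4.
SESSION = (SERVER + CLIENT + struct.pack("!H", ETH_PPPOE_SESS)
           + struct.pack("!BBHH", 0x11, 0x00, 1, 22)
           + struct.pack("!H", 0x0021) + bytes(20))

if __name__ == "__main__":
    for name, frame in (("PADI", PADI), ("SESSION", SESSION)):
        print(name, parse_frame(frame))
```
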
Paul Julian
2004-05-23 09:59:13 UTC
No problems
