11-14-2017 10:05 AM
I have a unique configuration situation where I am using an ERX SFP as both a router and a switch. Eth0, Eth2, Eth3 and Eth4 are on Switch0 which is VLAN aware, with Eth0 connected to our fibre ONT vid 35, and the other three ports with other devices that initiate their own PPPoE connections and are not managed by this router pvid 35. Those three devices establish a PPPoE connection, get a public IP to their own devices and work fine.
Eth1 is not connected to switch0 and is used for our local network. The ERX SFP establishes a PPPoE connection and acts as a router for the local network with a PPPoE interface created on VLAN 35 which I created on switch0. I can't get a PPPoE connection to connect when the interface is created directly on the switch, despite having VID 35 specified from the switch configuration on Eth0, so as it stands now this seems to be the only way to get it to work.
The weird situation is that I can't specify any firewall rules for the PPPoE connection when it is created on a VLAN of the switch. I can specify firewall rules if the PPPoE connection is created on the switch0 interface itself, or a VLAN of one of the Ethernet interfaces, but not on a VLAN of the switch. The option to set firewall is simply not there from the command line, and doesn't show up in the tree of the GUI. Unless there's something I'm missing, creating VLAN 35 on the switch is the only way I can tag the VLAN to establish a PPPoE session and maintain the independent PPPoE connections from the three external devices on the same switch interface.
Anyone have any ideas? Seems odd that the only place where I can't specify a firewall rule from the command line for a PPPoE connection is only when it's created on a VLAN of the switch. Or am I going about this the wrong way entirely? NAT is working, but as it stands now there is no firewall running on the PPPoE connection which is hardly ideal.
11-14-2017 10:18 AM
I can confirm this, seems like a bug to me:
admin@ERX# set interfaces switch switch0 vif 100 pppoe 0 ?
access-concentrator default-route host-uniq ipv6 multilink redirect traffic-policy
bandwidth description idle-timeout local-address name-server remote-address user-id
connect-on-demand dhcpv6-pd ip mtu password service-name
11-14-2017 10:42 AM
Yup, that's exactly what I see as well. The firewall option is missing entirely. I would be willing to accept any suggestions on an alternate configuration that will allow a PPPoE session on VLAN 35 to be established and firewalled on the ERX SFP itself while also allowing those three other devices to continue to maintain their own PPPoE sessions passing through the ERX SFP. So far though, the way I have it configured now seems to be the only way I've been able to get everything to work, and the inability to specify a firewall rule is the last hitch I'm dealing with.
11-15-2017 01:49 PM
For what it's worth, I was able to implement a workaround by creating a bridge interface with switch0.35 as the only member, and then creating the pppoe interface on the bridge. PPPoE connects normally and I'm able to specify firewall rules on that interface. Not an entirely elegant solution, but otherwise meets our needs.
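
The bridge workaround described in the last post, sketched as EdgeOS configuration-mode commands so the PPPoE session ends up with inbound and local rulesets attached. This is an added example, not configuration posted by anyone in the thread. The bridge name br0, the ruleset names WAN_IN and WAN_LOCAL, the credential placeholders, and the exact node paths (bridge-group under the switch vif, pppoe and firewall under the bridge) are assumptions to confirm with `?` completion on your firmware.

```edgeos
# --- Added example; names and node paths are assumptions, see lead-in ---
configure

# Baseline WAN rulesets: drop by default, allow only return traffic.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'Internet to LAN'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable

set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'Internet to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable

# Remove the PPPoE session from the switch VLAN, where no firewall node exists.
delete interfaces switch switch0 vif 35 pppoe 0

# Bridge with switch0.35 as its only member (assumed path for membership).
set interfaces bridge br0 description 'Carrier for PPPoE on VLAN 35'
set interfaces switch switch0 vif 35 bridge-group bridge br0

# Recreate the PPPoE session on the bridge and attach the rulesets.
set interfaces bridge br0 pppoe 0 user-id '<ISP-USERNAME>'
set interfaces bridge br0 pppoe 0 password '<ISP-PASSWORD>'
set interfaces bridge br0 pppoe 0 default-route auto
set interfaces bridge br0 pppoe 0 firewall in name WAN_IN
set interfaces bridge br0 pppoe 0 firewall local name WAN_LOCAL

# Review before committing: the firewall node should appear under pppoe 0.
show interfaces bridge br0
commit
save
exit
```

After the commit, confirm the session came back up and that the drop counters on both rulesets increase when unsolicited traffic arrives on the PPPoE interface; an attached ruleset with counters stuck at zero means it is bound to the wrong interface.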