Good Day,
I would like to ask if someone could assist with a how-to guide on how to set up your Mikrotik modem to connect to Fibre.
Thanks
Thanks, will use this to set it up.
What ISP are you with?
Any views expressed on these forums are my own and don't necessarily reflect those of my employer.
Will be Voyager
Thanks
Make sure you correctly firewall the PPPoE interface or you'll be the subject of a DNS amplification attack within minutes.
sbiddle:
Make sure you correctly firewall the PPPoE interface or you'll be the subject of a DNS amplification attack within minutes.
Or turn DNS off.
Also make sure you set an admin password before connecting it to the internet otherwise you will be root'd in very short order.
WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers
MichaelNZ:
sbiddle:
Make sure you correctly firewall the PPPoE interface or you'll be the subject of a DNS amplification attack within minutes.
Or turn DNS off.
Also make sure you set an admin password before connecting it to the internet otherwise you will be root'd in very short order.
But you need a properly configured firewall regardless, so turning DNS off is just a dumb solution. I can't think of a single good reason why you wouldn't want to run a local DNS proxy for 99.9% of situations where it's being used as a router.
And if you're not going to configure the firewall correctly for PPPoE it won't matter if you change the password or not because unless you're running the latest ROS updates the router can (and probably will eventually if it's sitting in the Internet exposed for long enough) be compromised regardless of what the password is.
At least with newer versions of ROS configuring a PPPoE firewall is a lot simpler because you just add the PPPoE interface to the WAN interface lists which means all the default rules will apply.
My Three Recommendations
* Update ROS (6.44.6)
* Once you have configured your router disable the MAC /tool mac-server
* On your PPPoE (or WAN) have two firewall rules MINIMUM (1st an Input rule to allow established, related Traffic, 2nd input rule to drop everything else)
Any views expressed on these forums are my own and don't necessarily reflect those of my employer.
Why would you disable the MAC server? You're just making things hard for yourself!
And you need a hell of a lot more than just two firewall rules as a minimum. I'd say for a newbie, the default set is a good start.
chevrolux:
Why would you disable the MAC server? You're just making things hard for yourself!
At least on the WAN ports
chevrolux:
And you need a hell of a lot more than just two firewall rules as a minimum. I'd say for a newbie, the default set is a good start.
Agreed, but this is a start
Any views expressed on these forums are my own and don't necessarily reflect those of my employer.
MichaelNZ:
sbiddle:
Make sure you correctly firewall the PPPoE interface or you'll be the subject of a DNS amplification attack within minutes.
Or turn DNS off.
Also make sure you set an admin password before connecting it to the internet otherwise you will be root'd in very short order.
Damn Michael,
please don't tell me you push 8.8.8.8 through your whole network rather than using DNS caches?
#include <std_disclaimer>
Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.
The firewall rules out of the box are fine for most domestic situations, just ensure you add the pppoe to the WAN address list and the issues relating to DNS attacks etc go away.
Cyril
chevrolux:
Why would you disable the MAC server? You're just making things hard for yourself!
And you need a hell of a lot more than just two firewall rules as a minimum. I'd say for a newbie, the default set is a good start.
Unless people fully understand firewall rules there is no reason why you'd remove any of the default rules. Only having two input rules overlooks all the forward rules which exist by default for a very good reason.
At least it's much simpler to add a PPPoE client now with the address lists option. It used to require multiple changes historically.
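
The setup the replies above describe, written out as a RouterOS configuration. This is an added example, not code from any poster in the thread. It assumes the interface lists `WAN` and `LAN` from the default configuration exist and that the PPPoE client is named `pppoe-out1` (an assumed name). On a router that still has its default firewall rules only step 1 is needed; steps 2 to 4 are for a router whose default rules were removed.

```routeros
# Added example. Assumed names: interface lists WAN and LAN, PPPoE client pppoe-out1.

# 1. Put the PPPoE client in the WAN list so every list-based rule covers it.
#    Traffic arrives on pppoe-out1, not on the ether port underneath it.
/interface list member
add list=WAN interface=pppoe-out1 comment="PPPoE uplink"

# 2. Input chain: traffic addressed to the router itself.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept replies to the router's own connections"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=drop in-interface-list=!LAN \
    comment="drop everything not from LAN (DNS, Winbox, SSH from the internet)"

# 3. Forward chain: traffic passing through the router to LAN hosts.
#    Two input rules alone leave this chain wide open.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept replies to LAN-initiated connections"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="drop WAN-initiated traffic that is not a port forward"

# 4. NAT for LAN clients going out over PPPoE.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# 5. Keep the local DNS cache for LAN clients. The input drop rule in step 2
#    is what stops it answering queries from the internet.
/ip dns set allow-remote-requests=yes

# 6. Keep the MAC server for recovery from the LAN, but not on WAN ports.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Check: pppoe-out1 must be listed, and the input drop counter should start
# climbing shortly after the link comes up.
/interface list member print where list=WAN
/ip firewall filter print stats where chain=input
```

Rule order matters: the accept rules must sit above the drop rule in each chain, so paste the block as one unit rather than appending single rules to an existing set.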