After a lot of research and several attempts I managed to make it pass only PPPoE traffic.
- First, configure the Bullet, Nano or Rocket as AP bridge.
- Download the backup of the UBNT AP configuration.
- Open the backup file with WordPad and add these lines:
ebtables.4.cmd=-A FORWARD -p 0x8863 -j ACCEPT
ebtables.4.status=enabled
ebtables.5.cmd=-A FORWARD -p 0x8864 -j ACCEPT
ebtables.5.status=enabled
ebtables.6.cmd=-P FORWARD DROP
ebtables.6.status=enabled
ebtables.7.cmd=-A INPUT -p 0x0800 --in-interface ath0 -j DROP
ebtables.7.status=enabled
NOTE: Remember that you will lose access to the AP through the wireless interface; it will only be possible to access it through Ethernet.
This will drastically reduce unnecessary traffic.
The file looks like this:
aaa.1.status=disabled
aaa.status=disabled
bridge.1.devname=br0
bridge.1.fd=1
bridge.1.port.1.devname=eth0
bridge.1.port.1.status=enabled
bridge.1.port.2.devname=ath0
bridge.1.port.2.status=enabled
bridge.1.port.3.devname=eth1
bridge.1.port.3.status=enabled
bridge.1.stp.status=disabled
bridge.status=enabled
dhcpc.1.devname=br0
dhcpc.1.status=disabled
dhcpc.status=disabled
dhcpd.1.status=disabled
dhcpd.status=disabled
dnsmasq.1.devname=eth0
dnsmasq.1.status=enabled
dnsmasq.status=disabled
ebtables.1.cmd=-t nat -A PREROUTING --in-interface ath0 -j arpnat --arpnat-target ACCEPT
ebtables.1.status=disabled
ebtables.2.cmd=-t nat -A POSTROUTING --out-interface ath0 -j arpnat --arpnat-target ACCEPT
ebtables.2.status=disabled
ebtables.3.cmd=-t broute -A BROUTING --protocol 0x888e --in-interface ath0 -j DROP
ebtables.3.status=disabled
ebtables.4.cmd=-A FORWARD -p 0x8863 -j ACCEPT
ebtables.4.status=enabled
ebtables.5.cmd=-A FORWARD -p 0x8864 -j ACCEPT
ebtables.5.status=enabled
ebtables.6.cmd=-P FORWARD DROP
ebtables.6.status=enabled
ebtables.7.cmd=-A INPUT -p 0x0800 --in-interface ath0 -j DROP
ebtables.7.status=enabled
ebtables.50.status=disabled
ebtables.51.status=disabled
ebtables.52.status=disabled
ebtables.status=enabled
gui.language=pt_PT
httpd.https.status=disabled
httpd.port.http=80
httpd.port=80
httpd.status=enabled
igmpproxy.status=disabled
iptables.3.status=disabled
iptables.status=disabled
netconf.1.alias.1.status=disabled
netconf.1.alias.2.status=disabled
netconf.1.alias.3.status=disabled
netconf.1.alias.4.status=disabled
netconf.1.alias.5.status=disabled
netconf.1.alias.6.status=disabled
netconf.1.alias.7.status=disabled
netconf.1.alias.8.status=disabled
netconf.1.devname=eth0
netconf.1.ip=0.0.0.0
netconf.1.netmask=255.255.255.0
netconf.1.promisc=enabled
netconf.1.status=enabled
netconf.1.up=enabled
netconf.2.alias.1.status=disabled
netconf.2.alias.2.status=disabled
netconf.2.alias.3.status=disabled
netconf.2.alias.4.status=disabled
netconf.2.alias.5.status=disabled
netconf.2.alias.6.status=disabled
netconf.2.alias.7.status=disabled
netconf.2.alias.8.status=disabled
netconf.2.allmulti=enabled
netconf.2.devname=ath0
netconf.2.ip=0.0.0.0
netconf.2.netmask=255.255.255.0
netconf.2.promisc=enabled
netconf.2.status=enabled
netconf.2.up=enabled
netconf.3.autoip.status=disabled
netconf.3.devname=br0
netconf.3.ip=192.168.1.20
netconf.3.netmask=255.255.255.0
netconf.3.status=enabled
netconf.3.up=enabled
netconf.status=enabled
netmode=bridge
ntpclient.status=disabled
ppp.1.password=
ppp.1.status=disabled
ppp.status=disabled
pwdog.status=disabled
radio.1.ack.auto=enabled
radio.1.ackdistance=600
radio.1.acktimeout=25
radio.1.ampdu.bytes=50000
radio.1.ampdu.frames=32
radio.1.ampdu.status=enabled
radio.1.chanshift=0
radio.1.clksel=1
radio.1.countrycode=840
radio.1.cwm.enable=0
radio.1.cwm.mode=2
radio.1.devname=ath0
radio.1.dfs.status=
radio.1.forbiasauto=1
radio.1.frag=off
radio.1.freq=2412
radio.1.ieee_mode=11nght40plus
radio.1.mcastrate=
radio.1.mode=master
radio.1.polling=disabled
radio.1.rate.auto=enabled
radio.1.rate.mcs=auto
radio.1.rts=off
radio.1.status=enabled
radio.1.subsystemid=0xe202
radio.1.thresh62a=
radio.1.thresh62b=
radio.1.thresh62g=
radio.1.txpower=10
radio.countrycode=840
radio.status=enabled
resolv.host.1.name=UBNT
resolv.host.1.status=enabled
resolv.nameserver.1.ip=0.0.0.0
resolv.nameserver.1.status=enabled
resolv.nameserver.2.status=disabled
resolv.status=enabled
route.1.devname=br0
route.1.gateway=192.168.1.20
route.1.ip=0.0.0.0
route.1.netmask=0
route.1.status=enabled
route.status=enabled
snmp.status=disabled
sshd.port=22
sshd.status=disabled
syslog.remote.status=
syslog.status=disabled
telnetd.status=disabled
tshaper.status=disabled
users.1.name=ubnt
users.1.password=VvpvCwhccFv6Q
users.1.status=enabled
users.2.status=disabled
users.status=enabled
wireless.1.addmtikie=disabled
wireless.1.ap=
wireless.1.authmode=1
wireless.1.compression=0
wireless.1.devname=ath0
wireless.1.fastframes=0
wireless.1.frameburst=0
wireless.1.hide_ssid=disabled
wireless.1.l2_isolation=enabled
wireless.1.mac_acl.1.mac=
wireless.1.mac_acl.1.status=disabled
wireless.1.mac_acl.10.mac=
wireless.1.mac_acl.10.status=disabled
wireless.1.mac_acl.11.mac=
wireless.1.mac_acl.11.status=disabled
wireless.1.mac_acl.12.mac=
wireless.1.mac_acl.12.status=disabled
wireless.1.mac_acl.13.mac=
wireless.1.mac_acl.13.status=disabled
wireless.1.mac_acl.14.mac=
wireless.1.mac_acl.14.status=disabled
wireless.1.mac_acl.15.mac=
wireless.1.mac_acl.15.status=disabled
wireless.1.mac_acl.16.mac=
wireless.1.mac_acl.16.status=disabled
wireless.1.mac_acl.2.mac=
wireless.1.mac_acl.2.status=disabled
wireless.1.mac_acl.3.mac=
wireless.1.mac_acl.3.status=disabled
wireless.1.mac_acl.4.mac=
wireless.1.mac_acl.4.status=disabled
wireless.1.mac_acl.5.mac=
wireless.1.mac_acl.5.status=disabled
wireless.1.mac_acl.6.mac=
wireless.1.mac_acl.6.status=disabled
wireless.1.mac_acl.7.mac=
wireless.1.mac_acl.7.status=disabled
wireless.1.mac_acl.8.mac=
wireless.1.mac_acl.8.status=disabled
wireless.1.mac_acl.9.mac=
wireless.1.mac_acl.9.status=disabled
wireless.1.mac_acl.policy=allow
wireless.1.mac_acl.status=disabled
wireless.1.macclone=disabled
wireless.1.security=none
wireless.1.signal_led1=94
wireless.1.signal_led2=80
wireless.1.signal_led3=73
wireless.1.signal_led4=65
wireless.1.ssid=ubnt
wireless.1.status=enabled
wireless.1.wds=disabled
wireless.1.wmm=enabled
wireless.1.wmmlevel=
wireless.status=enabled
wpasupplicant.device.1.status=disabled
wpasupplicant.status=disabled
Then save and upload it back to the UBNT AP.
For versions 5.5.x:
ebtables.5.comment=Drop IPV6
ebtables.5.cmd=-A FIREWALL -i eth0 -p 0x86DD -j DROP
ebtables.5.status=enabled
ebtables.4.comment=Drop IPV4
ebtables.4.cmd=-A FIREWALL -i eth0 -p 0x0800 -j DROP
ebtables.4.status=enabled
ebtables.3.comment=
ebtables.3.cmd=-P FORWARD DROP
ebtables.3.status=enabled
ebtables.2.comment=PPPoE Session Stage
ebtables.2.cmd=-A FORWARD -p 0x8864 -j ACCEPT
ebtables.2.status=enabled
ebtables.1.comment=PPPoE Discovery Stage
ebtables.1.cmd=-A FORWARD -p 0x8863 -j ACCEPT
ebtables.1.status=enabled
Remember that this last one requires enabling the firewall.
Credits: Leonardo Silva
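An added check, not part of the original post: a small Python parser that reads the ebtables.N.cmd / ebtables.N.status lines from a UBNT backup and simulates the filter-table verdict for a frame, so you can confirm before uploading that only the PPPoE EtherTypes (0x8863 discovery, 0x8864 session) are forwarded and that IPv4 from ath0 towards the AP itself is dropped. The sample lines are copied from the post above; the simulator only understands the -p/--protocol, -i/--in-interface and -j options used there (an assumption of this example).

```python
import re
import shlex

# Constructed sample: the ebtables entries from the posted backup (filter + broute tables).
SAMPLE_CFG = """\
ebtables.3.cmd=-t broute -A BROUTING --protocol 0x888e --in-interface ath0 -j DROP
ebtables.3.status=disabled
ebtables.4.cmd=-A FORWARD -p 0x8863 -j ACCEPT
ebtables.4.status=enabled
ebtables.5.cmd=-A FORWARD -p 0x8864 -j ACCEPT
ebtables.5.status=enabled
ebtables.6.cmd=-P FORWARD DROP
ebtables.6.status=enabled
ebtables.7.cmd=-A INPUT -p 0x0800 --in-interface ath0 -j DROP
ebtables.7.status=enabled
"""

def load_rules(cfg_text):
    """Return (chain policies, rule list) for enabled ebtables.N.* entries of the filter table."""
    cmds, status = {}, {}
    for line in cfg_text.splitlines():
        m = re.match(r"ebtables\.(\d+)\.(cmd|status)=(.*)", line.strip())
        if m:
            (cmds if m.group(2) == "cmd" else status)[int(m.group(1))] = m.group(3)
    policies, rules = {}, []
    for n in sorted(cmds):                      # rules apply in index order
        if status.get(n) != "enabled":
            continue                            # disabled entries are not loaded
        argv = shlex.split(cmds[n])
        if "-t" in argv and argv[argv.index("-t") + 1] != "filter":
            continue                            # broute/nat tables are out of scope here
        if argv[0] == "-P":
            policies[argv[1]] = argv[2]         # chain default policy
        elif argv[0] == "-A":
            rule = {"chain": argv[1], "proto": None, "iface": None, "target": None}
            for flag, val in zip(argv[2:], argv[3:]):
                if flag in ("-p", "--protocol"): rule["proto"] = int(val, 16)
                elif flag in ("-i", "--in-interface"): rule["iface"] = val
                elif flag == "-j": rule["target"] = val
            rules.append(rule)
    return policies, rules

def verdict(policies, rules, chain, ethertype, in_iface):
    """First matching rule wins; otherwise the chain policy (ebtables default is ACCEPT)."""
    for r in rules:
        if r["chain"] != chain: continue
        if r["proto"] is not None and r["proto"] != ethertype: continue
        if r["iface"] is not None and r["iface"] != in_iface: continue
        return r["target"]
    return policies.get(chain, "ACCEPT")
```

Note that INPUT from eth0 still returns ACCEPT, which is why the post says management stays reachable over Ethernet only.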
Replies
A rule that also eliminates a lot of unnecessary traffic, but for MikroTik in bridge mode with several interfaces.
E.g. an RB with 3 cards and 3 Ethernet ports, where eth1 is where the link or the point-to-point comes in.
/interface bridge filter
add action=drop chain=forward comment="" disabled=no in-interface=!eth1 out-interface=!eth1
It prevents traffic between the interfaces.
Could this be a solution for Wintraff?
Not yet, friend, but I'm almost there.
With this filter Wintraf doesn't pass through to another device, but it doesn't prevent the attack on the RB.
Friend, explain better in what way it will improve the network?
I don't use PPPoE but Hotspot; does this rule work for my network too?
It doesn't work for you, because it blocks all traffic and passes only PPPoE; in your case, if you use it, it will stop your network!!
Eduarlei Avelar said:
that's it.
thanks for the tip...
You're welcome.
Doesn't the CPU usage of the UBNT increase a lot?