[原创]关于PPPoE服务器几点注意事项

zisong

1、安全期间，内网网卡不需要设置IP。这样内网的数据必须经过PPP封装、PPP身份验证后，才可以通过PPPoE服务器。
2、建议不启用DHCP服务，PPPoE服务本身可以从地址池中分配地址。
3、防火墙过滤常见病毒端口，以下是小生的Firewall rule，仅供参考：

/ ip firewall rule forward
add dst-address=:135 protocol=tcp action=drop comment="" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="" disabled=no
add dst-address=:137 protocol=udp action=drop comment="" disabled=no
add dst-address=:138 protocol=udp action=drop comment="" disabled=no
add dst-address=:1434 protocol=udp action=drop comment="" disabled=no
add dst-address=:139 protocol=tcp action=drop comment="" disabled=no
add dst-address=:9995 protocol=tcp action=drop comment="" disabled=no
add dst-address=:9996 protocol=tcp action=drop comment="" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="" disabled=no
add dst-address=:69 protocol=tcp action=drop comment="" disabled=no
add dst-address=:135 protocol=udp action=drop comment="" disabled=no
add dst-address=:137 protocol=tcp action=drop comment="" disabled=no
add dst-address=:138 protocol=tcp action=drop comment="" disabled=no
add dst-address=:445 protocol=udp action=drop comment="" disabled=no
add dst-address=:593 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1023 protocol=tcp action=drop comment="" disabled=no
/ ip firewall rule input
add dst-address=:137 protocol=udp action=drop comment="" disabled=no
add dst-address=:138 protocol=udp action=drop comment="" disabled=no
add dst-address=:135 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1434 protocol=udp action=drop comment="" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1023 protocol=tcp action=drop comment="" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="" disabled=no
add dst-address=:139 protocol=tcp action=drop comment="" disabled=no
add dst-address=:69 protocol=tcp action=drop comment="" disabled=no
add dst-address=:137 protocol=tcp action=drop comment="" disabled=no
add dst-address=:135 protocol=udp action=drop comment="" disabled=no
add dst-address=:138 protocol=tcp action=drop comment="" disabled=no
add dst-address=:593 protocol=tcp action=drop comment="" disabled=no
add dst-address=:445 protocol=udp action=drop comment="" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="" disabled=no
add dst-address=:9995 protocol=tcp action=drop comment="" disabled=no
add dst-address=:9996 protocol=tcp action=drop comment="" disabled=no

4、设置IP Firewall Mangle，解决MTU不匹配导致的个别网站无法访问。

/ ip firewall mangle
add protocol=tcp tcp-options=syn-only action=accept tcp-mss=1400 comment="" \
    disabled=no
5、关闭不需要的IP Service，如果对Router OS命令行熟悉的话，可以只保留SSH;如果需要GUI的话，打开WWW服务;强烈建议关闭Telnet服务。
6、如果PPPoE用户数量较多的话，建议使用单独的radius服务器进行用户账号的存储管理。
7、如果用户多的话，一定要对每个用户限速，以保证大多数人的正常应用。


    以上是小生根据实际应用总结的几点建议，本人才疏学浅，如有不足，还请大家不吝赐教。