Hello all, this is my setup to deal with rogue DHCP servers.
First, run the DHCP client on the LAN interface with (add default route, DNS, NTP) OFF.
Then, on DHCP alert, use the LAN interface and add this code:
# on-alert script of /ip dhcp-server alert; $"mac-address" is the MAC of the detected rogue server
:local mac $"mac-address"
# add a static lease for that MAC with access blocked
/ip dhcp-server lease add mac-address=$mac block-access=yes
# drop all dynamic leases so clients have to renew
/ip dhcp-server lease remove [find dynamic]
/system reboot
The device will be blocked from the network and the system will reboot.
After further testing, the rogue DHCP was not blocked.
Another method can be used to ban the IPs of the rogue on the hotspot upon detection, to cut internet usage.
Any idea can help.
A firewall filter may work; that said, any DHCP that is local to a bridge isn't going to be blocked by the firewall filter, I don't think. Instead you'd have to use bridge filters.
You may be able to do something looking at how DHCPv4 works. It's a fairly simple process if you're not relaying as well. It will send packets with a source IP of the DHCP server that offers the IP back to the client. You could match packets going out to your DHCP clients to ensure that packets on source port 67 have the source IP and MAC of your DHCP server (likely the bridge interface MAC). This should prevent packets egressing any bridged interface from completing the DHCP process. I'll have to test it because it seems like a common request.
Additionally, you will probably want to drop ICMPv6 RAs. This is regardless of whether you have IPv6 or not. I could start pushing RAs out on an IPv4 network and MITM traffic by tunneling the IPv6 out of your network. Not a common attack, but if you start making IPv4 MITM attacks like rogue DHCP or ARP protections difficult, then they may switch to that.
Cisco switches support these features as RA Guard, ARP Inspection and DHCP Snooping. Might be worth picking up one of those units. RA Guard is fairly easy to replicate with an IPv6 ACL, so even an older model can be a significant improvement.
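As an added example (not code from this thread or from any RouterOS feature), here is the rule from the reply above written out as a Python check over raw Ethernet frames: anything with UDP source port 67 must carry the trusted server's source MAC and source IP. It goes one step beyond the reply by also reading DHCP option 54 (server identifier) from the BOOTP options, which is what a client actually uses to pick a server. The trusted server MAC and IP, the client addresses and the sample frames are all constructed for illustration; checksums in the constructed frames are left zero. This is useful for checking captured traffic or for prototyping the match conditions before turning them into bridge filter rules; it does not itself block anything.

```python
# Added example, not from the forum thread: rogue-DHCP check over Ethernet frames.
# Rule from the reply: UDP sport 67 => source MAC and IP must be the trusted server.
# Extra check: DHCP option 54 (server identifier) must also be the trusted server.
# Trusted values and sample frames below are constructed for illustration.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRUSTED_SERVER_MAC = "dc:2c:6e:00:11:22"   # hypothetical bridge interface MAC
TRUSTED_SERVER_IP = "192.168.88.1"         # hypothetical DHCP server address
DHCP_MAGIC = b"\x63\x82\x53\x63"           # BOOTP vendor magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s: str) -> bytes: return bytes(int(x, 16) for x in s.split(":"))
def ip_str(b: bytes) -> str: return ".".join(str(x) for x in b)
def ip_bytes(s: str) -> bytes: return bytes(int(x) for x in s.split("."))

@dataclass
class DhcpReply:
    src_mac: str
    src_ip: str
    msg_type: Optional[str]
    server_id: Optional[str]

def parse_frame(frame: bytes) -> Optional[DhcpReply]:
    """Return the server->client DHCP reply carried by an Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    src_mac, ip = frame[6:12], frame[14:]
    if ip[9] != 17:                                      # not UDP
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 8 or struct.unpack("!H", udp[:2])[0] != 67:
        return None                                      # only server-side replies
    payload = udp[8:]
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != DHCP_MAGIC:
        return None                                      # not a BOOTREPLY with options
    msg_type = server_id = None
    i = 240
    while i < len(payload):                              # walk TLV options
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = MSG_TYPES.get(value[0], str(value[0]))
        elif code == OPT_SERVER_ID and length == 4:
            server_id = ip_str(value)
        i += 2 + length
    return DhcpReply(mac_str(src_mac), ip_str(ip[12:16]), msg_type, server_id)

def is_rogue(reply: DhcpReply) -> bool:
    """L2 source, L3 source and server identifier must all be the trusted server."""
    return (reply.src_mac != TRUSTED_SERVER_MAC
            or reply.src_ip != TRUSTED_SERVER_IP
            or reply.server_id not in (None, TRUSTED_SERVER_IP))

def build_offer(src_mac: str, src_ip: str, server_id: str,
                client_mac: str, yiaddr: str) -> bytes:
    """Construct an Ethernet/IPv4/UDP DHCPOFFER for testing (checksums left zero)."""
    options = (bytes([OPT_MSG_TYPE, 1, 2]) + bytes([OPT_SERVER_ID, 4])
               + ip_bytes(server_id) + bytes([OPT_END]))
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, ip_bytes(yiaddr), ip_bytes(src_ip), b"\0" * 4,
                        mac_bytes(client_mac) + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    bootp += DHCP_MAGIC + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ip_bytes(src_ip), ip_bytes(yiaddr)) + udp
    return mac_bytes(client_mac) + mac_bytes(src_mac) + b"\x08\x00" + ipv4

# Constructed traffic: legitimate offer, plain rogue, rogue spoofing the trusted
# server's IP (but not its MAC), and an ARP frame as non-DHCP noise.
SAMPLE_FRAMES = [
    build_offer(TRUSTED_SERVER_MAC, TRUSTED_SERVER_IP, TRUSTED_SERVER_IP,
                "02:00:00:aa:bb:01", "192.168.88.50"),
    build_offer("02:00:00:de:ad:01", "192.168.88.200", "192.168.88.200",
                "02:00:00:aa:bb:02", "192.168.88.51"),
    build_offer("02:00:00:de:ad:02", TRUSTED_SERVER_IP, TRUSTED_SERVER_IP,
                "02:00:00:aa:bb:03", "192.168.88.52"),
    b"\xff" * 6 + mac_bytes("02:00:00:aa:bb:04") + b"\x08\x06" + b"\0" * 28,
]

def scan(frames: List[bytes]) -> List[Tuple[DhcpReply, bool]]:
    """Parse every frame and tag each DHCP server reply with the rogue verdict."""
    results = []
    for frame in frames:
        reply = parse_frame(frame)
        if reply is not None:
            results.append((reply, is_rogue(reply)))
    return results

if __name__ == "__main__":
    for reply, rogue in scan(SAMPLE_FRAMES):
        print("ROGUE" if rogue else "ok   ", reply)
```

The third sample frame is the case worth noting: a rogue that copies the legitimate server's IP and server identifier still fails the source MAC check, which is why the reply suggests matching on both the IP and the bridge MAC rather than the IP alone.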