Block Customers Rogue DHCP Servers

Hello,

I would like some help to block rogue DHCP servers.
We have a network with RB1100 as main router and 140
RB ac hAP Lite connected with capsman and we only offer a
free wifi/cable access with hotspot login for customers.
All customers access internet from mikrotik devices

I would like to use some filters or rules so I can block
any rogue dhcp servers if a customer plugs his own router
or anything else.

We don't use VLANs and we don't need clients to communicate
with each other.

Any advice, please?

Thanks

Block DHCP ports on the incoming interface.

Ports 67 and 68 (both UDP) should be dropped in the firewall (input chain).

ok thanks.

So in every mikrotik Access Point I’ll create firewall
rules to block DHCP ports. My plan is to block all ports
to be sure.

e.g.
chain : input
protocol : udp
dst port : 67-68
in interface : bridge1 or …
action : drop

Do I need any rule in the central router, or only in the access points?

Thanks

That won’t work. Your network is most probably bridged, so you need these rules at the last bridges (bridge firewall), as close to the customer as possible. Both in the input and forward chains (maybe output also - think about it). Just take care you do not block the customer’s DHCP request…

I can use the firewall rules on the edge devices that
customers use.

So do I need this rule?

chain : input & forward
protocol : udp
dst port : 67 & 68
in interface : bridge1
action : drop

Will this rule allow customer DHCP requests and block rogue DHCP?

Thanks
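
The bridge-firewall advice above as a RouterOS configuration, added here as an example and not posted by anyone in the thread. It assumes customer ports are bridged on the AP itself, that the bridge is `bridge1`, that `ether1` is the uplink toward the RB1100 running the real DHCP server, and that `ether2` is a customer-facing port; all of these names are assumptions.

```routeros
# Added example (not from the thread). Assumed names: bridge1 is the AP's
# bridge, ether1 is its uplink toward the RB1100 that runs the real DHCP
# server; every other bridge port faces customers.
#
# DHCP direction:
#   client -> server: UDP src-port 68, dst-port 67 (DISCOVER, REQUEST)
#   server -> client: UDP src-port 67, dst-port 68 (OFFER, ACK, NAK)
#
# Dropping dst-port=67-68 on customer ports also drops the customer's own
# DISCOVER/REQUEST (dst-port 67), so nobody gets a lease. Matching
# src-port=67 only catches frames sent by a DHCP server.

/interface bridge filter
# Rogue server replies heading to other bridge ports
add chain=forward in-interface=!ether1 mac-protocol=ip ip-protocol=udp \
    src-port=67 action=drop log=yes log-prefix="rogue-dhcp" \
    comment="drop DHCP server replies from customer ports"
# Rogue server replies addressed to the AP itself (or broadcast)
add chain=input in-interface=!ether1 mac-protocol=ip ip-protocol=udp \
    src-port=67 action=drop log=yes log-prefix="rogue-dhcp" \
    comment="drop DHCP server replies from customer ports"

# Bridge filter rules only see frames handled by the CPU. Frames switched
# between hardware-offloaded ports bypass them, so turn offloading off on the
# customer-facing Ethernet ports (ether2 here is an assumed port name).
/interface bridge port
set [find interface=ether2] hw=no

# Check that the rules are matching and which MAC addresses trigger them
/interface bridge filter print stats
/log print where message~"rogue-dhcp"
```

The log entries carry the source MAC of the offending device, which identifies the customer port where a router was plugged in.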

And your network is not secured in the way that 2 customers use your network to transport their own data, just by plugging in 2 laptops?

http://forum.mikrotik.com/t/auto-detecting-and-blocking-devices-causing-rough-dhcp/109994/1