Block New Dynamic Leases [Help]

neutronfreak · May 1, 2021, 3:12am

Good Day !
Is there a way to drop connection for those new dynamic leases ?
tia..

k6ccc · May 1, 2021, 4:38am

What are you trying to accomplish? Do you want to have no DHCP client, or only certain ones, or something else?

neutronfreak · May 1, 2021, 8:57am

Only certain ones
i doesn’t use pppoe.
only direct dhcp leases
then every time a new clients is connected ( a new D - dynamic ip) will show - then i’ll make it static
what i want to accomplish :
automatically block new clients connected ( a new D - dynamic ip)
then i will unblock once i grant permission of a certain ip ( a new D - dynamic ip) - then i’ll make it static

tia.

k6ccc · May 2, 2021, 5:58pm

If you have a DHCP server that has no IP pool (or no addresses in the pool), it will be unable to issue dynamic addresses. However it can happily hand out static addresses (some systems call that DHCP reservations) to known MAC addresses. So it you need to add a device, create a new static address in the DHCP server - hint, copy from an existing one is easier - just change the MAC and client ID and of course the desired static IP (DHCP reservation). I do that on several of my LANs.

rextended · May 2, 2021, 8:25pm

yes, block address pool on firewall

neutronfreak · May 6, 2021, 10:35am

thank you..
it seems i cannot find Address Pool in Filter Rules.
i can drop specific addresses but i cant find address pool .

rextended · May 6, 2021, 11:10am

copy-and-paste pool on firewall rules

WeWiNet · May 6, 2021, 12:10pm

make an address list called “allowed DHCP_addresses”.
Then drop traffic on the forward chains NOT from or to this address list.

k6ccc · May 6, 2021, 2:56pm

IP Pool is not in rules. I use WinBox most of the time, so this screen capture should help:

If in a terminal window, see here:

/ip pool
add name=".204 DHCP pool" ranges=192.168.204.100-192.168.204.109
add name=".209 DHCP pool" ranges=192.168.209.100-192.168.209.109

neutronfreak · May 8, 2021, 6:33am

i’ve already created a pool

/ip pool
add name="3-24 DHCP pool" ranges=192.168.89.3-192.168.204.24
add name="25-254 DHCP pool" ranges=192.168.89.25-192.168.209.254

but i cant find Address pool drop down option box to put this .3-24 DHCP pool inside firewall rules.
is this correct ?. ive done this and nothin seems to happen.

/ip firewall address-list
add address=192.168.89.3-192.168.209.24 comment="3-24 DHCP pool" list=3-24 DHCP pool

/ip firewall filter
add action=drop chain=forward in-interface=ether1 src-address-list=3-24 DHCP pool

rextended · May 8, 2021, 7:29am

3-24 DHCP pool< must be quoted: “3-24 DHCP pool”

but the right way is like:

/ip firewall address-list
add list="list blocked DHCP pools" address=192.168.204.100-192.168.204.109 comment="block .204 DHCP pool"
add list="list blocked DHCP pools" address=192.168.209.100-192.168.209.109 comment="block .209 DHCP pool"

/ip firewall raw
add chain=prerouting src-address-list="list blocked DHCP pools" action=drop comment="block DHCP pools"

neutronfreak · May 8, 2021, 7:45am

3-24 DHCP pool< must be quoted: "3-24 DHCP pool"

but the right way is like:

/ip firewall address-list
add list="list blocked DHCP pools" address=192.168.204.100-192.168.204.109 comment="block .204 DHCP pool"
add list="list blocked DHCP pools" address=192.168.209.100-192.168.209.109 comment="block .209 DHCP pool"

/ip firewall raw
add chain=prerouting src-address-list="list blocked DHCP pools" action=drop comment="block DHCP pools"

OMG it really works...
My sincere appreciation...
Thank you so much my friend sir @rextended / @WeWiNet / @k6ccc.

rextended · May 8, 2021, 7:58am

Thanks!