Blocking by MAC address on the external interface

Hi!
I am trying to block the external DHCP server from the provider network by MAC.

chain=input action=drop src-address-type="" in-interface=sfp1 src-mac-address=38:6B:1C:37:15:9A log=yes log-prefix=""

The packet counter for this rule is incremented. In the logs, I see that the rule works.

input: in:sfp1 out:(unknown 0), src-mac 38:6b:1c:37:15:9a, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576

But I still get the address from this server.
Did I do something wrong or is it impossible?

Hello, if you get an address from the sfp1 interface, it is because dhcp-client is enabled on this interface. Why don’t you disable this dhcp-client instead?

It is necessary to block this MAC address. My ISP issues addresses from the 172.20.0.0/16 subnet, and this MAC belongs to one of the neighbors, who either inserted a WAN cable into the LAN port, or whose Mercusys router is so good that it gives me a 192.168.1.100 address through its WAN port :).

It definitely won’t work using “/ip firewall filter”, because DHCP uses raw sockets. I thought that “/ip firewall raw” could work, but a quick test says that it doesn’t either. A bridge filter would do the trick, if you’d add one and sfp1 as its port. Then you could do:

/interface bridge filter
add chain=input in-bridge=bridge1 src-mac-address=xx:xx:xx:xx:xx:xx/FF:FF:FF:FF:FF:FF action=drop

Thanks!
It works
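
The check below is an added example, not part of the original thread: it scans firewall log lines in the format quoted in the first post and reports the MAC addresses that send DHCP server replies (UDP 67 to 68) on the WAN port from outside the ISP range 172.20.0.0/16 mentioned above. The function name, the sample lines after the first one, and the premise that the ISP's own DHCP server answers from inside that range are assumptions of this example.

```python
import ipaddress
import re

# Assumption: legitimate DHCP servers answer from the ISP range named in the thread.
EXPECTED_NET = ipaddress.ip_network("172.20.0.0/16")

# Matches the firewall log format quoted in the thread.
LOG_RE = re.compile(
    r"in:(?P<iface>\S+) .*?src-mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"proto UDP, (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)",
    re.IGNORECASE,
)

def find_rogue_dhcp_servers(lines, wan_iface="sfp1", expected_net=EXPECTED_NET):
    """Return {mac: sorted source IPs} for DHCP server replies (UDP 67 -> 68)
    seen on wan_iface whose source address lies outside expected_net."""
    rogues = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["iface"] != wan_iface:
            continue
        if (m["sport"], m["dport"]) != ("67", "68"):
            continue  # not a server-to-client DHCP message
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address in the log line
        if src not in expected_net:
            rogues.setdefault(m["mac"].lower(), set()).add(str(src))
    return {mac: sorted(ips) for mac, ips in rogues.items()}

# Constructed sample: the first line is the one from the thread, the rest are made up.
SAMPLE_LOG = [
    "input: in:sfp1 out:(unknown 0), src-mac 38:6b:1c:37:15:9a, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576",
    "input: in:sfp1 out:(unknown 0), src-mac 02:00:00:00:00:01, proto UDP, 172.20.0.1:67->255.255.255.255:68, len 328",
    "input: in:sfp1 out:(unknown 0), src-mac 02:00:00:00:00:02, proto UDP, 10.0.0.5:53->172.20.3.7:40000, len 90",
    "input: in:ether2 out:(unknown 0), src-mac 02:00:00:00:00:03, proto UDP, 192.168.88.1:67->255.255.255.255:68, len 300",
]

if __name__ == "__main__":
    for mac, ips in find_rogue_dhcp_servers(SAMPLE_LOG).items():
        print(f"rogue DHCP server {mac} offering from {', '.join(ips)}")
```

A MAC reported here is a candidate for the bridge filter drop rule given in the answer above.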