Blocking DHCP over EoIP tunnel, but allow local DHCP

Hello,

I have two locations connected via an EoIP tunnel.
I have the EoIP tunnel bridged together with the local LAN on each side to provide a fully bridged LAN between both locations.
I would like to have a DHCP server running on each router:

Location A                        ← EoIP tunnel →    Location B
Local DHCP: 192.168.1.10-99                          Local DHCP: 192.168.1.100-200
IP: 192.168.1.0/24                                   IP: 192.168.1.100/24

However, now I have two DHCP servers running on a bridged network… obviously not a good idea.
I would like to filter DHCP traffic between both locations in order to prevent a DHCP mess.

I have a little problem with the filter logic… since both routers have the EoIP tunnel bridged with the LAN, I assume I can’t use bridge filters on each side as they would probably also filter the local DHCP traffic.

Any ideas?

Thanks
JB

This is a retarded config. Having 2 DHCP servers is a recipe for disaster. Why are you doing EoIP in the first place? Why not just use a different subnet and not worry about all the IP conflicts that will occur even if you block one of the DHCP servers from crossing the tunnel?

There are a few reasons why I have to maintain the broadcast domain between the 2 locations. There is also a reason why I would prefer to block DHCP traffic over the tunnel. So, I agree that under normal circumstances this is not a preferred config… however, it is what I have to work with (for now).

Drop udp ports 67 and 68 both ways in bridge firewall.

Thanks for your help…
I have done that previously (see filter rules below); however, that will also prevent the local DHCP server from functioning on each local side.

 0 ;;; Block DHCP request
   chain=forward action=drop in-bridge="Corp Network Bridge"
   out-bridge="Corp Network Bridge" mac-protocol=ip dst-port=68 ip-protocol=udp
   log=no log-prefix=""

 1 chain=forward action=drop in-bridge="Corp Network Bridge"
   out-bridge="Corp Network Bridge" mac-protocol=ip dst-port=67 ip-protocol=udp
   log=no log-prefix="FORWARD: "

 2 ;;; Block DHCP request
   chain=output action=drop out-bridge="Corp Network Bridge" mac-protocol=ip
   dst-port=68 ip-protocol=udp log=no log-prefix=""

 3 chain=output action=drop out-bridge="Corp Network Bridge" mac-protocol=ip
   dst-port=67 ip-protocol=udp log=no log-prefix="OUTPUT: "

 4 ;;; Block DHCP request
   chain=input action=drop in-bridge="Corp Network Bridge" mac-protocol=ip
   dst-port=68 ip-protocol=udp log=no log-prefix=""

 5 chain=input action=drop in-bridge="Corp Network Bridge" mac-protocol=ip
   dst-port=67 ip-protocol=udp log=no log-prefix="INPUT: "

Any more ideas?

Thanks
JB

Are you using firewall filter or bridge firewall? You should make the drop between the ports of one bridge if you bridged the networks… Better on both sides of the link, coming from the linked ports…

Bridge firewall has in-interface= and out-interface=.

Sorry, I should have specified that the rules are made in the bridge firewall.

JB

Sob has given the solution for you: limit the filter rules to the EoIP interface.
If the MikroTiks themselves are acting as DHCP server, you’ll also need to filter input of DHCP requests coming in the EoIP interface, and filter the output chain with out-interface=eoip as well.
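The rule set described in this post, written out as an added example (not configuration posted by anyone in the thread). It assumes the EoIP interface is named "eoip-tunnel1" and is a port of the bridge "Corp Network Bridge" on each router; the same rules go on both routers, adjusting the interface name if it differs. Matching on the EoIP port instead of the whole bridge is what keeps LAN-to-LAN and LAN-to-router DHCP working locally:

```routeros
# Added example, not from the thread. Assumed names: EoIP interface
# "eoip-tunnel1", bridge "Corp Network Bridge". Apply on BOTH routers.
/interface bridge filter

# 1. forward chain: DHCP frames being bridged between the tunnel port and
#    any LAN port, in either direction (covers a third-party DHCP server on
#    either LAN too). LAN<->LAN frames never match because the EoIP port is
#    neither their ingress nor their egress.
add chain=forward in-interface=eoip-tunnel1 mac-protocol=ip ip-protocol=udp \
    dst-port=67 action=drop comment="DHCP client->server arriving from tunnel"
add chain=forward in-interface=eoip-tunnel1 mac-protocol=ip ip-protocol=udp \
    dst-port=68 action=drop comment="DHCP server->client arriving from tunnel"
add chain=forward out-interface=eoip-tunnel1 mac-protocol=ip ip-protocol=udp \
    dst-port=67 action=drop comment="DHCP client->server leaving via tunnel"
add chain=forward out-interface=eoip-tunnel1 mac-protocol=ip ip-protocol=udp \
    dst-port=68 action=drop comment="DHCP server->client leaving via tunnel"

# 2. input chain: the router's own DHCP server must not see DISCOVER/REQUEST
#    frames that came in over the tunnel (otherwise it would answer them).
add chain=input in-interface=eoip-tunnel1 mac-protocol=ip ip-protocol=udp \
    dst-port=67 action=drop comment="remote clients must not reach local DHCP server"

# 3. output chain: the router's own OFFER/ACK (broadcast or unicast) must not
#    be flooded out of the tunnel port.
add chain=output out-interface=eoip-tunnel1 mac-protocol=ip ip-protocol=udp \
    dst-port=68 action=drop comment="local DHCP replies must not cross tunnel"

# Check: the forward/input counters should climb whenever a remote client
# renews, and no lease bound to the far-side scope should appear locally.
/interface bridge filter print stats
/ip dhcp-server lease print
```

Two caveats when rolling this out: clients that already hold a lease from the far-side server keep it until renewal, so expect the counters on the input/forward rules to rise for up to a lease time before everything settles; and mac-protocol=ip must be present on every rule, because the bridge filter will not match ip-protocol or dst-port without it.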

Input is to the router and output is from the router. If you want to stop DHCP from going through the bridge, the forward chain would be where I place those rules in the bridge filter.


OP stated that he plans to run DHCP on the routers themselves. This requires using the input/output filters as well.