On the wiki, there are instructions for blocking DHCP with a bridge firewall. Unfortunately it seems to be out of date.
It uses the “input” chain, where the correct chain seems to be “filter”.
Corrected:
/interface bridge filter
add action=log chain=filter comment=“Block DHCP servers on 192.168.0.0/16”
disabled=no dst-address=255.255.255.255/32 ip-protocol=udp log-prefix=
“ALERT ROGUE DHCP (BLOCKED)” mac-protocol=ip src-address=192.168.0.0/16
src-port=67-68
add action=drop chain=filter comment=“Block DHCP servers on 192.168.0.0/16”
disabled=no dst-address=255.255.255.255/32 ip-protocol=udp mac-protocol=
ip src-address=192.168.0.0/16 src-port=67-68
Even simpler (all I wanted to do was block all DHCP requests through the bridge:
/interface bridge filter
add action=log chain=filter comment=“Block DHCP traffic”
disabled=no ip-protocol=udp mac-protocol=ip src-port=67-68
Remember to turn on “use-ip-firewall=yes”.
I can’t figure out how get registered on the wiki, so I’m posting it here, hoping some one will fix it and save others much wasted time.