Anyone know a good firewall rule to block rogue DHCP servers? I have made the MT authoritative but still have problems when one of my clients connects my cable to the LAN rather than the WAN side of their router. I’ve been trying various rules so far with no luck.
DHCP works on OSI level 2 so maybe you could try to set up some MAC firewalling rule on the interface of your box ..?
Block replies from their interface for port 67, the server port?
Yes, you can try to block bootps - 67/udp requests to your client.
As an example, this is a rule I have in ipf on FreeBSD to allow DHCP requests to my server on my Atheros NIC:
# allow bootps (udp/67) in for DHCP requests to the server
pass in log first quick on ath0 proto udp from 192.168.99.0/24 to 192.168.99.2 port = bootps keep state keep frags
Keep in mind the DHCP discovery packets will still flow even though you block OSI level 3.
And this is how DHCP requests get blocked to my RouterOS gateway from the Internet:
jan/22/2005 13:26:16 input->DROP, in:WAN, out:(local), src-mac 00:03:2f:23:97:11, 0.0.0.0:68->255.255.255.255:67, len 498
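Added example, not from this thread or from RouterOS itself: a small Python detector that parses RouterOS firewall log lines in the format quoted above and flags DHCP offers (UDP source port 67, which only a DHCP server ever sends) arriving on a LAN interface from any MAC other than the authorised server, which is exactly the signature of a customer router plugged in the wrong way round. The interface names, MACs and the extra log lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of RouterOS firewall log lines in the format quoted in the thread.
SAMPLE_LOG = """\
jan/22/2005 13:26:16 input->DROP, in:WAN, out:(local), src-mac 00:03:2f:23:97:11, 0.0.0.0:68->255.255.255.255:67, len 498
jan/22/2005 13:27:02 input->DROP, in:LAN, out:(local), src-mac 00:0c:42:aa:bb:cc, 192.168.99.1:67->255.255.255.255:68, len 300
jan/22/2005 13:27:03 input->DROP, in:LAN, out:(local), src-mac 00:11:22:33:44:55, 192.168.0.1:67->255.255.255.255:68, len 300
"""

# One line = "<date> <time> <chain>-><action>, in:<if>, out:<if>, src-mac <mac>, [proto X, ]<src>:<sport>-><dst>:<dport>, len <n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<chain>\w+)->(?P<action>\w+), in:(?P<in_if>[^,]+), out:(?P<out_if>[^,]+), "
    r"src-mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), (?:proto \w+, )?"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$",
    re.IGNORECASE,
)

@dataclass
class DhcpEvent:
    ts: str
    in_if: str
    mac: str
    src: str
    sport: int
    dport: int

def parse_line(line):
    """Parse one RouterOS firewall log line; return None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return DhcpEvent(m["ts"], m["in_if"], m["mac"].lower(), m["src"],
                     int(m["sport"]), int(m["dport"]))

def find_rogue_dhcp_servers(log_text, lan_interfaces, authorised_macs):
    """Return events where a DHCP server other than the authorised one answers on the LAN.
    Only a DHCP server sends from udp/67 (bootps), so a packet with source port 67 seen
    on a LAN interface from an unknown MAC is a rogue server. Client requests (sport 68),
    such as the WAN line in the thread, are deliberately not reported here."""
    authorised = {m.lower() for m in authorised_macs}
    rogue = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.in_if in lan_interfaces and ev.sport == 67 and ev.mac not in authorised:
            rogue.append(ev)
    return rogue
```

Point the authorised-MAC set at your own DHCP server (or leave it empty if the router itself serves DHCP, since its own offers never appear in the input chain) and feed it the output of a logging drop rule for udp/67 on the LAN interface.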