I have four Routerboards in the following configuration:
                 |----AP-TEST    < . . . . . . . . > FIXED-SUB (station)
TEST-SERVER------|   (ap bridge) < . . . . . . . . > ROGUE-SUB (station)
(GW & DHCP)      |
[Routerboards are in CAPS, ethernet links are DASHES, radio links are PERIODS]
- WDS is not enabled.
- The TEST-SERVER is running as a DHCP server.
- The AP-TEST box wireless interface is a VAP and is bridged to the ethernet interface.
- The AP-TEST box is set up as a DHCP-Relay, relaying requests to the TEST-SERVER.
- The ROGUE-SUB has a rogue dhcp server attached.
- The FIXED-SUB has a WinXP PC attached, and is the DHCP client.
I am attempting to block rogue DHCP servers from running on the network, and have implemented the following bridge filter:
/ interface bridge filter
add chain=forward in-interface=fixed1 out-interface=fixed1 in-bridge=bridge1 \
mac-protocol=ip src-port=67 ip-protocol=udp action=drop comment="" \
disabled=no
When using the ‘Repair’ button to grab an address for the WinXP machine, I see the packet counters increment for my bridge filter rule:
[admin@AP-TEST] > interface bridge filter print forward stats
Flags: X - disabled, I - invalid, D - dynamic
 #   CHAIN     ACTION    BYTES    PACKETS
 0   forward   drop      6336     11
But the packets are not dropped. The DHCP request succeeds and the rogue DHCP server serves an address to the WinXP machine. I have verified this using a sniffer. Interestingly, the source MAC address for the DHCP replies is that of the ROGUE-SUB box and not the rogue DHCP server itself. I do not have proxy-arp enabled on any interface.
I have also tried using the ‘input’ chain and other variations, but get the same result; counters increment, but packets are still forwarded to the other station. FYI when I disconnect the rogue server, the WinXP machine gets its address from the TEST-SERVER.
Is there something fundamentally flawed in my setup?
Regards,
Tom
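A practical complement to a bridge-filter rule is to verify on the wire which DHCP replies are actually reaching clients. The following is an added example, not code from the original post: a small Python decoder that picks DHCP server-to-client replies (BOOTREPLY from UDP port 67) out of raw Ethernet frames and classifies them against an allowlist. It keys primarily on DHCP option 54 (server identifier), because, as the post observes, the L2 source of a reply can be rewritten by a station (the reply carried ROGUE-SUB's MAC, not the rogue server's), and a relayed reply carries the relay's MAC as well. The addresses, MACs and sample frames are constructed assumptions chosen to mirror the topology (TEST-SERVER as the only authorized server, AP-TEST as the relay); nothing here is taken from a real capture.

```python
import struct

# Constructed topology values (assumptions, not from the original post):
# TEST-SERVER is the only authorized DHCP server; AP-TEST relays for it.
AUTHORIZED_SERVER_IDS = {"192.168.1.1"}                   # option 54 of TEST-SERVER
AUTHORIZED_REPLY_MACS = {"00:0c:42:00:00:01",             # TEST-SERVER
                         "00:0c:42:00:00:02"}             # AP-TEST (the relay)

DHCP_MAGIC = b"\x63\x82\x53\x63"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_dhcp_reply(frame):
    """Decode an Ethernet/IPv4/UDP frame; return the fields of a DHCP
    server->client reply (BOOTREPLY from UDP port 67), else None."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:                      # IP protocol must be UDP
        return None
    udp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    dhcp = udp + 8
    if sport != 67 or frame[dhcp] != 2 or frame[dhcp + 236:dhcp + 240] != DHCP_MAGIC:
        return None
    opts, i = {}, dhcp + 240                 # walk the TLV option list
    while i < len(frame):
        code = frame[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option
            i += 1
            continue
        length = frame[i + 1]
        opts[code] = frame[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "src_mac": mac_str(frame[6:12]),
        "ip_src": ip_str(frame[26:30]),
        "msg_type": opts[53][0] if 53 in opts else None,   # 2=OFFER, 5=ACK
        "server_id": ip_str(opts[54]) if 54 in opts else None,
        "yiaddr": ip_str(frame[dhcp + 16:dhcp + 20]),
    }


def classify(frame):
    """'ignore' for frames that are not DHCP replies, 'legit' when both the
    server identifier and the L2 source are authorized, otherwise 'rogue'."""
    r = parse_dhcp_reply(frame)
    if r is None:
        return "ignore"
    # Option 54 survives relaying and station MAC rewriting, so it is the
    # primary check; the MAC check catches a spoofed server identifier.
    if r["server_id"] in AUTHORIZED_SERVER_IDS and r["src_mac"] in AUTHORIZED_REPLY_MACS:
        return "legit"
    return "rogue"


def find_rogues(frames):
    """Return (src_mac, server_id, yiaddr) for every rogue reply in frames."""
    out = []
    for f in frames:
        if classify(f) == "rogue":
            r = parse_dhcp_reply(f)
            out.append((r["src_mac"], r["server_id"], r["yiaddr"]))
    return out


def build_dhcp_offer(src_mac, client_mac, src_ip, yiaddr, server_id=None):
    """Construct a minimal DHCPOFFER frame (sample data, not a real capture).
    IP/UDP checksums are left zero; the parser above does not verify them."""
    server_id = server_id or src_ip
    fixed = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0x8000,
                        bytes(4), yiaddr, bytes(4), bytes(4),
                        client_mac + bytes(10), bytes(64), bytes(128))
    dhcp = fixed + DHCP_MAGIC + bytes([53, 1, 2, 54, 4]) + server_id + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     src_ip, b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


CLIENT_MAC = bytes.fromhex("00112233aabb")                # constructed WinXP client
SAMPLE_FRAMES = [
    # TEST-SERVER's offer relayed by AP-TEST: L2 source is the relay,
    # server identifier is still TEST-SERVER.
    build_dhcp_offer(bytes.fromhex("000c42000002"), CLIENT_MAC,
                     bytes([192, 168, 1, 2]), bytes([192, 168, 1, 50]),
                     server_id=bytes([192, 168, 1, 1])),
    # Rogue offer as seen in the post: L2 source is the ROGUE-SUB station's
    # MAC, server identifier is the rogue server behind it.
    build_dhcp_offer(bytes.fromhex("000c42000099"), CLIENT_MAC,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 50])),
]

if __name__ == "__main__":
    for mac, sid, ip in find_rogues(SAMPLE_FRAMES):
        print(f"rogue DHCP reply from {mac}: server-id {sid} offered {ip}")
```

Feed it frames from a sniffer on the client side of the link (the same vantage point used in the post to confirm the rogue lease) and it will report exactly which server identifier won, independent of whatever MAC the station put on the frame.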