Constant, similar packets being dropped by raw filter rule

I’m posting this here because while it may not be basic, I am very much a beginner to networking and RouterOS alike.

Mikrotik gear: hAP ax3
Cable modem: Motorola MB8611, with a fixed private address of 192.168.100.1
Use case: Simple home (apartment), several VLANs, wifi, internet access.

I’ve set up the hAP ax3 more or less according to pcunite’s Using RouterOS to VLAN Your Network guide, along with some guides on Reddit for firewall rules and address lists. Everything seems to work just fine.

However, I noticed that one of my raw filter rules was dropping a pretty large number of packets, so I enabled logging:

add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv4 log=yes \
    log-prefix=dropbaddst

…and ever since, the log has been full of identical messages, a new one every few seconds:

dropbaddst prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac 00:fd:22:**:**:**, proto UDP, 10.81.236.1:67->255.255.255.255:68, len 344

(where the unredacted src-mac is the same as the MAC in the dynamically created ARP corresponding to the ISP-assigned IP on ether1).

My aim in posting this is humbly to seek advice on the following:

1. Where might these packets be coming from? The modem? I don’t recognize the address 10.81.236.1. I believe that’s normally a private address?

2. Should I care? Everything seems to function just fine. It just bothers me that I can’t figure out what these packets are.

3. If I should care, what to do-- presumably I should find a way to let the packets in if they’re benign and useful, continue to drop them if they’re not. And of course, how to do so securely.

I hope this has made sense.

Here is my full configuration. It probably has errors, contradictions, and/or useless bits. If anyone happens to spot any, please feel free to point them out.

[myusername@MikroTik] > /export
# 2024-01-19 15:20:28 by RouterOS 7.13
# software id = NVGV-VFF5
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = **********
/interface bridge
add admin-mac=78:9A:18:10:06:46 auto-mac=no name=bridge1 port-cost-mode=short protocol-mode=none \
    vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz \
    configuration.country="United States" .mode=ap .ssid=Samuel disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz \
    configuration.country="United States" .mode=ap .ssid=Samuel disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=SWF-guest disabled=no mac-address=7A:9A:18:10:06:4A master-interface=wifi1 \
    name=wifi3 security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=SWF-guest disabled=no mac-address=7A:9A:18:10:06:4B master-interface=wifi2 \
    name=wifi4 security.authentication-types=wpa2-psk,wpa3-psk
/interface vlan
add interface=bridge1 name=BASE_VLAN vlan-id=99
add interface=bridge1 name=BLUE_VLAN vlan-id=10
add interface=bridge1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/ip pool
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.13.10-192.168.13.254
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
/queue type
add cake-diffserv=besteffort cake-flowmode=dual-dsthost cake-mpu=64 cake-overhead=18 kind=cake name=cake-down
add cake-ack-filter=filter cake-flowmode=dual-srchost cake-mpu=64 cake-nat=yes cake-overhead=18 kind=cake \
    name=cake-up
/queue tree
add bucket-size=0.01 max-limit=55M name=cake-upload-test packet-mark=no-mark parent=ether1 queue=cake-up
add bucket-size=0.01 max-limit=550M name=cake-download-test packet-mark=no-mark parent=bridge1 queue=cake-down
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 \
    path-cost=10 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 \
    path-cost=10 pvid=99
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi3 internal-path-cost=10 \
    path-cost=10 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi4 internal-path-cost=10 \
    path-cost=10 pvid=20
/ip settings
set tcp-syncookies=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=20
add bridge=bridge1 tagged=bridge1 vlan-ids=99
add bridge=bridge1 tagged=bridge1 vlan-ids=10
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=BLUE_VLAN list=VLAN
/ip address
add address=192.168.13.1/24 interface=BASE_VLAN network=192.168.13.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.13.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.13.1 gateway=10.0.20.1
add address=192.168.13.0/24 dns-server=192.168.13.1 gateway=192.168.13.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 disabled=yes list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=255.255.255.255 comment=RFC6890 list=not_in_internet
add list=ddos-attackers
add list=ddos-targets
add list=not_in_internet
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add list=vlan_subnets
add address=10.0.10.0/24 comment="VLAN subnets" list=vlan_subnets
add address=10.0.20.0/24 comment="VLAN subnets" list=vlan_subnets
add address=192.168.13.0/24 comment="VLAN subnets" list=vlan_subnets
add address=224.0.0.0/4 comment="RAW Filtering - multicast" disabled=yes list=bad_src_ipv4
add address=224.0.0.0/4 comment="RAW Filtering - RFC6890" disabled=yes list=bad_dst_ipv4
add list=bad_ipv4
add list=bad_src_ipv4
add list=bad_dst_ipv4
/ip firewall filter
add action=accept chain=input comment="Accept DHCP from GREEN_VLAN" dst-port=67 in-interface=GREEN_VLAN \
    protocol=udp src-port=68
add action=accept chain=input comment="Accept DNS from GREEN VLAN" dst-port=53 in-interface=GREEN_VLAN \
    protocol=udp
add action=drop chain=input comment="Drop all else from GREEN_VLAN" in-interface=GREEN_VLAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow BASE_VLAN full access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop log-prefix=dropall
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet access only" connection-state=new in-interface-list=\
    VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=jump chain=forward comment="Jump to DDoS detection" connection-state=new in-interface-list=WAN \
    jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward comment=Drop
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
/ip firewall nat
add action=masquerade chain=srcnat comment="default masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 \
    dst-port=67 in-interface-list=VLAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv4 log=yes \
    log-prefix=dropbaddst
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN log=yes \
    log-prefix=nonglobfromwan src-address-list=not_in_internet
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address-list=\
    lan_subnets in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=\
    VLAN src-address-list=!vlan_subnets
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=accept chain=prerouting comment="accept all else from VLAN" in-interface-list=VLAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=100::/64 comment="RAW Filtering - RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="RAW Filtering - RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="RAW Filtering - RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="RAW Filtering - RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="RAW Filtering" list=bad_src_ipv6
add address=ff00::/8 comment="RAW Filtering" list=bad_src_ipv6
add address=::/128 comment="RAW Filtering" list=bad_dst_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
    protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="drop everything else not coming from VLAN" in-interface-list=!VLAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="drop everything else not coming from VLAN" in-interface-list=!VLAN
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad src ipv6" src-address-list=\
    bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=\
    bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN \
    src-address-list=not_global_ipv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="accept everything else from VLAN" in-interface-list=VLAN
add action=drop chain=prerouting comment="defconf: drop the rest"
/system clock
set time-zone-name=America/My_City
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

I appreciate any help, and if there’s other info I can provide feel free to let me know. Thanks!

These are DHCP packets, sent out by DHCP server at 10.81.236.1 (UDP port 67 is used by DHCP server) and are broadcast (dst address is global broadcast address). Seeing your MAC address as dst-mac-address likely means that modem (or some ISP’s gadget upstream) converted these IP broadcasts to ethernet unicasts, but that’s nothing unheard of.

I’d say that these packets are not harmful and that you don’t have to worry about them. In contrary, I think that for these in particular it would be better not to drop.
To be sure you can sniff them to see exact contents if you’re very interested.

Thank you!

I had a feeling they were probably benign, and likely from the modem or ISP, so thanks for giving me something more than feelings to go on.

What I couldn’t figure out, and frankly still can’t figure out because I’m very new to this, is why they would get caught by that particular rule, and why from that IP…

(Second edit to note that when I get home I will definitely inspect those packets to help answer those questions–I hadn’t even noticed that ROS includes a convenient packet sniffer built in!)

Hi,
It appears you have not disabled the dhcp client on ether1.
So it is sending requests, but never getting a reply due to filter.

The dhcp server may well be trying to give your router the same ip/route information that you configured manually.
(or perhaps sets it up so you wind up with a page on your browser telling you to set it up per the instructions)

Thank you for the reply.

I wasn’t aware that I should disable the DHCP client on ether1. I don’t have a static address from my IP.

So it is sending requests, but never getting a reply due to filter.

Well, this is interesting because everything seems to work just fine when the filter drops those packets–internet access works, communication within VLANS on the private side works, I’m clearly being given a public IP address somehow. Hard to understand (for me), but interesting.

Anyway, I used ROS’s packet sniffer to capture the packets and output them to a file. Filtering to the source IP in question (10.81.236.1), I see that they are DHCP offers and DHCP acks,

The offers take this form:

Internet Protocol Version 4, Src: 10.81.236.1, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 67, Dst Port: 68
Dynamic Host Configuration Protocol (Offer)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x761f5c2c
    Seconds elapsed: 0
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
    Client IP address: 0.0.0.0
    Your (client) IP address: 68.101.xx.xx 
    Next server IP address: 0.0.0.0
    Relay agent IP address: 68.101.yy.yy
    Client MAC address: Tp-LinkT_xx:xx:xx (d8:07:b6:xx:xx:xx)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Offer)
    Option: (1) Subnet Mask (255.255.252.0)
    Option: (3) Router
    Option: (6) Domain Name Server
    Option: (51) IP Address Lease Time
    Option: (59) Rebinding Time Value
    Option: (58) Renewal Time Value
    Option: (54) DHCP Server Identifier (172.19.89.126)
    Option: (2) Time Offset
    Option: (4) Time Server
    Option: (7) Log Server
    Option: (255) End

…where “Your (client) IP address” and “Relay agent IP address” are publicly routable addresses very similar to the one assigned to me, and belong to the same ISP, but not the same; and where the “Client MAC address” is not one that I recognize on my network. I’m more confused than ever, especially because everything seems to work just fine when these packets are dropped by my raw firewall rule.

I also noticed when looking over the captured packets in Wireshark that there are a lot of ARP requests to and from public (or IPv4 shared address space) IPs that I don’t recognize.

Sorry I misread your first post, as indicating the router had a fixed ip address.
So ignore my previous suggestion about the dhcp client.

It sounds like it is perhaps a noisy bridge network you are plugged into.

I am leaning more and more toward this being the case, as well. I’m going to keep letting the packets get dropped, since making an experimental “accept” raw firewall rule didn’t cause them to stop coming every few seconds, and disabling that experimental rule didn’t break anything, and I’m also pretty convinced at this point that they’re not for me anyway. Someone in my neighborhood on the same ISP must have a misconfigured router, or something.

Thanks again to everyone for your help.

I still think that my analysis in post #2 above explains everything. Personally I would stop logging these packets as being dropped … and since I believe they are harmless I even wouldn’t bother to drop them explicitly.

You are certainly correct that they are DHCP packets; inspecting them with Wireshark proved that. They don’t appear to be intended for me, though, unless I’m really missing something here.

You did mention my MAC address being the dst-mac-address in the packets, however, in the log (and upon inspection in Wireshark), my MAC is actually the dst-src-address. I don’t know whether this changes your analysis re: the modem or ISP changing the broadcast to an ethernet unicast.

In any case, since these packets were being dropped by a raw rule that appears to be in common use among Mikrotik owners, and dropping them doesn’t seem to hurt anything, I have indeed stopped logging them as you suggest, but will continue to let the rule keep dropping them unless/until I notice something breaking.

Thanks again for your help.