Hello,
My MikroTik router has the default rule "Drop all not coming from LAN" (!LAN). I logged it, and it drops packets on the DHCP ports (67-68) and on port 5678 (MikroTik neighbor search) coming from the ISP's upstream router.
Is this OK? DHCP works well anyway; I am a DHCP client on the ISP's network. I am otherwise happy with this rule: I have a public IP (bridged from the ISP) and it prevents a lot of attacks. But I don't know whether it's a good idea to drop packets from the ISP transmitter?
Thank you for the answers, and I am sorry for my English.
DHCP uses raw sockets, so it's not affected by the IP firewall. And neighbor discovery is something you can live without.
Even if DHCP weren't below the firewall's radar: the device starts by sending a DHCP discover packet (which traverses chain=output, if any), and when the DHCP server answers with a DHCP offer, that packet is (or should be) considered related to an existing "connection".
The raw firewall might block these packets, though (I've never tried it myself; if the DHCP client is indeed below the firewall's radar, then a raw firewall filter might not block it).
Thank you. So is it unnecessary to make an exception in the firewall for the IP address of the ISP's router? And in theory, to what extent would such an exception be dangerous, for example if the ISP's router were hacked?
I don't mind it. I just see a very large number of dropped packets piling up.
You wouldn't want an exception for everything from the ISP's router address. It may be closer than other external addresses, but it still has no business connecting to your router. If you want to accept its neighbour advertisements, add an exception only for the one port it uses.
And in case you're annoyed by these packets raising your drop counter (e.g. if you want to monitor other dropped packets), simply add a separate drop rule for them.
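As an added example (not posted in this thread and not MikroTik's own configuration), the RouterOS commands below put the advice above into practice on a router that still runs the default firewall: accept only MNDP (UDP 5678), and only from the ISP gateway, rather than "everything" from that address; give the DHCP server replies (UDP 67 to 68) and, if you do not want MNDP, port 5678 their own quiet drop rules so they stop inflating the logged catch-all counter; and leave the default drop rule last. Assumptions: the default configuration's `WAN`/`LAN` interface lists and the comment `defconf: drop all not coming from LAN` on the catch-all rule are present, and `203.0.113.1` (a documentation-range address) stands in for the ISP gateway.

```routeros
# Added example, not from the thread. Assumes the RouterOS default firewall
# (WAN/LAN interface lists, catch-all input rule commented
# "defconf: drop all not coming from LAN"). 203.0.113.1 is a placeholder
# for the ISP gateway; replace it with the real one.

/ip firewall filter

# 1. Optional: accept MikroTik neighbor discovery (MNDP, UDP 5678) and only
#    from the ISP gateway. One port from one address, nothing more.
#    place-before inserts it ahead of the catch-all drop so it is reached.
add chain=input action=accept protocol=udp dst-port=5678 in-interface-list=WAN src-address=203.0.113.1 comment="accept MNDP from ISP gateway only" place-before=[find comment="defconf: drop all not coming from LAN"]

# 2. Quiet drop for DHCP server replies (src 67 -> dst 68). The DHCP client
#    keeps working per the answer above; this rule only keeps the noise out
#    of the logged catch-all counter. Each add goes right before the
#    catch-all, i.e. after the rules added earlier, so order stays:
#    accept, quiet drops, logged catch-all.
add chain=input action=drop protocol=udp src-port=67 dst-port=68 in-interface-list=WAN log=no comment="quiet drop: DHCP replies" place-before=[find comment="defconf: drop all not coming from LAN"]

# 3. If you skipped rule 1, give MNDP its own quiet drop as well.
add chain=input action=drop protocol=udp dst-port=5678 in-interface-list=WAN log=no comment="quiet drop: MNDP" place-before=[find comment="defconf: drop all not coming from LAN"]

# 4. Only now is it worth logging the catch-all: what remains is unexpected.
set [find comment="defconf: drop all not coming from LAN"] log=yes log-prefix="input-drop"

# Check the resulting order and watch the per-rule counters.
print stats where chain=input
```

Two caveats for the accept rule. It is a deliberate hole, bounded to a single UDP port from a single address, which is what limits the damage a compromised ISP router could do through it; but since MNDP is unauthenticated UDP, a source address can be spoofed, so treat the `src-address` match as noise reduction rather than authentication. And the default configuration restricts neighbor discovery to the `LAN` interface list, so the router will not actually process the ISP's advertisements unless discovery is also enabled on the WAN interface; if you only want the drop counter to stay clean, rules 2 and 3 are enough and rule 1 can be omitted.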