Dropping DHCP OFFER packets from certain MAC addresses

First, please accept my apologies in case this has been discussed before, I searched and could not find anything that discusses this specific issue.

Second, please note that this is not your typical “how do I protect against rogue DHCP servers” topic that seems abundant around here. This is more interesting, please read on :slight_smile:

TL;DR: I need to drop ethernet frames based on MAC address and not IP packets. Can my Mikrotik RB750 do that? I’m running ROS 6.40.1

So anyway, in our new office building, internet service is provided over a building-wide LAN. Unfortunately, there seem to be rogue DHCP servers unknowingly run by people who apparently use their ADSL routers as switches. As there is no way to know where they are short of knocking on everyone’s doors and searching for suspicious devices, I’m trying to use a Mikrotik RB-750 as our border router in order to isolate our network from the rest of the building.

Of course, rogue DHCP servers are confusing Mikrotik’s DHCP client as well, so I need to block these based on MAC address. So I ran Wireshark for a bit and identified the MAC addresses of the DHCP servers I want to ignore. I then went to IP > Firewall > Filter and added DROP rules to the INPUT chain for packets coming in from these MAC addresses. The rules at first seemed to work fine (the counters are going up). I then enabled DHCP debug logging via System > Logging and added an entry for the DHCP topic. After that, when I go to IP > DHCP Client and click on “Renew Lease”, I noticed that I kept seeing DHCP OFFER packets from rogue DHCP servers.

Then it hit me: IP filtering can’t work before the IP subsystem is up. So I need to drop Ethernet frames and not IP packets. Can my Mikrotik do that?

Thanks a lot for reading thus far!

Post an export, and some description of how the 750 is wired to the rest of the network.

Depending on that, it may be possible to leverage bridge filters to isolate those rogue DHCP servers from the 750.

The DHCP client is likely using a “raw socket” and a property of these is that they receive the traffic without regarding the iptables filters.
So it is not possible to filter the rogue DHCP server like this.
It could be possible to filter in the switch or bridge, but likely the easiest way out is to set a fixed IP address that you have first obtained from the correct router using DHCP.
(i.e. disable the DHCP client and set a fixed address on ether1)
Make sure you allow “ping” from the outside. When your address expires in the DHCP server, it could try to assign it to another client (depending on the type of router and the number of devices on the network), but usually mechanisms like reverse-ARP and ping are tried first to make sure the address is not already in use.
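The fixed-address fallback described in the reply above, written out as RouterOS commands. This is an added example, not configuration posted in the thread; the address, gateway and DNS values stand in for whatever the legitimate DHCP server handed out and must be replaced with yours.

```routeros
# Added example (not from the thread): replace the DHCP lease on ether1 with a
# static copy of it. 10.0.0.23/24, gateway 10.0.0.1 and DNS 10.0.0.1 are
# ASSUMED values taken from a lease the legitimate server gave out earlier.

# 1. Stop asking for leases, so rogue OFFERs have nothing to confuse.
/ip dhcp-client
disable [find interface=ether1]

# 2. Re-create what the lease provided: address, default route, DNS.
/ip address
add address=10.0.0.23/24 interface=ether1 comment="copied from last valid lease (assumed)"
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1 comment="gateway from last valid lease (assumed)"
/ip dns
set servers=10.0.0.1

# 3. Let the legitimate server's conflict check (ICMP echo) reach us, so it
#    does not hand 10.0.0.23 to someone else when the old lease expires.
#    Only echo-request (type 8, code 0) from the uplink is opened, not all ICMP.
#    Keep this rule above any generic drop in chain=input.
/ip firewall filter
add chain=input in-interface=ether1 protocol=icmp icmp-options=8:0 action=accept \
    comment="echo-request for DHCP server address-in-use check"
```

Verify the order with `/ip firewall filter print` (the accept must precede any `chain=input action=drop`), and confirm with `/ip address print` that the address is now static rather than flagged `D` (dynamic).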

Have you tried the same as you did with IP/Firewall in Bridge Filters? For example:
/interface bridge filter add action=drop chain=input disabled=yes src-mac-address=XX:XX:XX:XX:XX:XX/XX:XX:XX:XX:XX:XX
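A fuller version of the bridge-filter approach, as an added example that is not configuration from the thread. Bridge filters only see frames that pass through a bridge, so ether1 is first made the sole port of a bridge and the DHCP client is moved onto that bridge; the rules then drop the rogue servers' frames at layer 2, before the DHCP client's raw socket (which ignores IP firewall rules, as explained above) can receive them. All MAC addresses and the bridge name are assumptions to be replaced with your own.

```routeros
# Added example (not from the thread). Interface names and MAC addresses are
# ASSUMED placeholders: 00:11:22:33:44:55 and 66:77:88:99:AA:BB stand for the
# rogue servers seen in Wireshark, AA:BB:CC:DD:EE:FF for the legitimate server.

# 1. Put the uplink into its own bridge. The IP firewall cannot help here
#    because the DHCP client reads frames below the IP layer; bridge filters
#    run on the frames themselves, but only for bridge ports.
/interface bridge
add name=bridge-wan protocol-mode=none
/interface bridge port
add bridge=bridge-wan interface=ether1

# 2. Move the DHCP client from ether1 to the bridge.
/ip dhcp-client
remove [find interface=ether1]
add interface=bridge-wan add-default-route=yes use-peer-dns=yes disabled=no

# 3a. Blocklist: drop every frame from the rogue servers' MAC addresses.
#     chain=input covers frames addressed to the router itself (incl. broadcast
#     DHCP OFFER/ACK); the /FF:..:FF mask means an exact match.
/interface bridge filter
add chain=input in-interface=ether1 \
    src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    action=drop comment="rogue DHCP server 1 (assumed MAC)"
add chain=input in-interface=ether1 \
    src-mac-address=66:77:88:99:AA:BB/FF:FF:FF:FF:FF:FF \
    action=drop comment="rogue DHCP server 2 (assumed MAC)"

# 3b. Allowlist (more robust than chasing MACs): DHCP server replies are
#     UDP 67 -> 68. Accept them only from the known-good server, log and
#     drop the rest. A new rogue device is caught without a config change.
add chain=input in-interface=ether1 mac-protocol=ip ip-protocol=udp \
    src-port=67 dst-port=68 \
    src-mac-address=AA:BB:CC:DD:EE:FF/FF:FF:FF:FF:FF:FF \
    action=accept comment="legitimate DHCP server (assumed MAC)"
add chain=input in-interface=ether1 mac-protocol=ip ip-protocol=udp \
    src-port=67 dst-port=68 action=log log-prefix="rogue-dhcp"
add chain=input in-interface=ether1 mac-protocol=ip ip-protocol=udp \
    src-port=67 dst-port=68 action=drop comment="any other DHCP server"
```

Either 3a or 3b is sufficient on its own; 3b is the one to keep long term, since the MAC of a rogue ADSL router changes whenever someone swaps hardware. Check that it is working with `/interface bridge filter print stats` (the drop counters should rise on a lease renewal) and with `/log print where message~"rogue-dhcp"`, which also gives you the MAC addresses to report to whoever runs the building LAN. Once the DHCP client sits on bridge-wan, any existing IP firewall rules that name `ether1` as in-interface need to reference `bridge-wan` instead.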

Sorry to bring this thread back to life, but this solution fixed a rogue DHCP device I had downstream in my network.
Thanks.