Firewall rules for DHCP (v4)

In Building Advanced Firewall there is the following rule:

;;; accept DHCP discovery - most of the DHCP packets are not seen by an IP firewall, but some of them are, so make sure that they are accepted;
/ip firewall raw add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68

Do I understand correctly that “most of the DHCP packets are not seen by an IP firewall” because they will most likely hit the server running in the same LAN segment and won’t need routing?

Sure thing, unless you are doing specific filtering on certain physical LAN ports to which a device is attached directly.
I do not have such rules, I am running a "classic" home network (a single "flat" LAN with one "bridge" instance/interface), and I have never had any issues.

Correct, DHCP packets and the like are mostly not affected.
That is why, even though you have two VLANs, 10 and 20, and no devices can exchange data or see each other, one can still ping the gateway of the other VLAN.

If you look further into the rules you will find that a unicast DHCP request (when a client knows IP of the DHCP server) is dropped. Is there a good reasoning behind only allowing broadcasted DHCP requests?

Raw prerouting comes before ROS determines whether a packet is targeting the router itself or not. So these rules affect both routed traffic and traffic consumed by the router. See the packet flow manual.

I fail to see where unicast DHCP packets are dropped though …

You’re right, I misread:

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
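To make the packet-flow answer above concrete, here is a small Python model of the two rules quoted in this thread (the raw "accept DHCP discover" rule and the filter "drop all not coming from LAN" rule). It is an added example written for this page, not code from the forum posts or from RouterOS. It assumes, as the "Building Advanced Firewall" defaults do, that a later raw rule drops packets whose source address falls in a bad_ipv4 list containing 0.0.0.0/8 (which is why the DHCP accept has to come first), and it models only the subset of the input chain shown in the thread. Packet values are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: a following raw rule drops traffic from a bad_ipv4 address list
# that includes 0.0.0.0/8; only that entry is modelled here.
BAD_IPV4 = [ip_network("0.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    in_interface_list: str  # interface list of the ingress port, e.g. "LAN" or "WAN"
    protocol: str
    src_address: str
    src_port: int
    dst_address: str
    dst_port: int
    to_router: bool  # True when the destination is the router itself (input chain)


def rule_accept_dhcp_discover(p: Packet) -> bool:
    """Field-for-field model of the raw rule 'defconf: accept DHCP discover'."""
    return (p.in_interface_list == "LAN" and p.protocol == "udp"
            and p.src_address == "0.0.0.0" and p.src_port == 68
            and p.dst_address == "255.255.255.255" and p.dst_port == 67)


def rule_drop_bad_src(p: Packet) -> bool:
    """Assumed later raw rule: drop packets whose source is in bad_ipv4."""
    return any(ip_address(p.src_address) in net for net in BAD_IPV4)


def rule_drop_not_from_lan(p: Packet) -> bool:
    """Model of the filter rule 'defconf: drop all not coming from LAN'."""
    return p.in_interface_list != "LAN"


# Ordered chains: first matching rule decides, as in RouterOS.
RAW_PREROUTING = [("accept", rule_accept_dhcp_discover), ("drop", rule_drop_bad_src)]
FILTER_INPUT = [("drop", rule_drop_not_from_lan)]


def run_chain(chain, p: Packet):
    for action, matches in chain:
        if matches(p):
            return action
    return None  # fell through the chain without a verdict


def verdict(p: Packet) -> str:
    """Walk raw prerouting, then (for router-bound packets) the input chain."""
    if run_chain(RAW_PREROUTING, p) == "drop":
        return "drop (raw prerouting)"
    # A raw 'accept' only stops further raw rules; the packet still reaches filter.
    if not p.to_router:
        return "forward chain (not modelled here)"
    return ("drop" if run_chain(FILTER_INPUT, p) == "drop" else "accept") + " (filter input)"


# Constructed sample packets covering the cases discussed in the thread.
SAMPLES = {
    # DHCPDISCOVER broadcast from a LAN client that has no address yet
    "lan_discover": Packet("LAN", "udp", "0.0.0.0", 68, "255.255.255.255", 67, True),
    # Same broadcast arriving on a WAN port: not matched by the accept rule
    "wan_discover": Packet("WAN", "udp", "0.0.0.0", 68, "255.255.255.255", 67, True),
    # Unicast DHCPREQUEST renewal from a LAN client that already knows the server
    "lan_unicast_renew": Packet("LAN", "udp", "192.168.88.10", 68, "192.168.88.1", 67, True),
    # Unicast DHCP packet from outside the LAN aimed at the router
    "wan_unicast": Packet("WAN", "udp", "203.0.113.5", 68, "192.168.88.1", 67, True),
}


def evaluate_all() -> dict:
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:18s} -> {result}")
```

Running it shows the point made in the thread: the broadcast discover from LAN survives the raw table only because the accept rule precedes the bad-source drop, the unicast renewal from LAN never needed the raw rule and is let through by the input chain because it comes from LAN, and the same packets arriving on a non-LAN interface are dropped either in raw or in input.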

Just in time,
Here is something I whipped up…
Although what is missing is how DHCP gets requested and assigned regardless of firewall rules, and how one can ping another VLAN's gateway despite both L2 and L3 supposedly preventing ANY crosstalk (at least data is blocked :wink: )

https://forum.mikrotik.com/viewtopic.php?t=180838