[Firewalling/Isolating ports] Block illegal DHCP servers

Hello guys,

I'm working on a (hobby) project where I'm replacing 2 Cisco devices (1x 24p switch 10/100 and a Cisco 2600 router) with my new CRS125-24G-1S-2HnD-IN Cloud Router.

I got the WiFi, routing and DHCP pool settings okay. But I'm not sure how to configure the router to block illegal DHCP servers on every port. On my Cisco switch I enabled “DHCP snooping” on all client switch ports and marked/allowed the port where the DHCP server (2600 router) was on.

I think I have two options:

Make some kind of firewall rule to block DHCP traffic (UDP 68) on all 22 switch ports?
Currently all the ports are slaved to the Ethernet 2 port as their master. Keep in mind that the CRS router itself is ofc the DHCP server and should be allowed to assign IP addresses to its clients.

Or better, isolate every Ethernet port to only allow traffic between the Internet (WAN) and its own Ethernet port.
I don't know how to do this and was unable to find it online :( Should I assign VLANs to every single port, or should I make every Ethernet port its own master?

In conclusion, I just want to isolate the traffic over each port, since every room/studio has its own internet connection and I want to prevent different rooms (ports) from seeing/connecting to each other, especially when it comes to users plugging in their own routers with DHCP enabled, terrorising the whole network.

I would very much appreciate some help in this matter.

Current config:

Type: Mikrotik CRS125-24G-1S-2HnD-IN Cloud Router
IP: 172.16.254.254 /24
DHCP pool: 172.16.254.1 ~ 172.16.254.200
Port config: 
Port 1 for the ISP modem/router (192.168.178.254)
Port 2-24 for clients (port 2 is master for all of them)
WiFi: Enabled and the radio/interface is a member of the bridge so WiFi devices get their addresses out of the same DHCP pool.