Hi,
My ISP has a DHCP server, but there are some other DHCP servers in their network. I have tried to block them with a firewall filter.
/ip firewall filter
add action=drop chain=forward in-interface=ISP protocol=udp src-address=192.168.0.xxx src-mac-address=AA:BB:CC:DD:EE:FF src-port=67,68
add action=drop chain=input in-interface=ISP src-mac-address=AA:BB:CC:DD:EE:FF
add action=drop chain=forward in-interface=ISP src-mac-address=AA:BB:CC:DD:EE:FF
The counter is rising, but the DHCP Client still accepts offerings from other DHCP servers.
Any idea how to block them?
Not sure if the DHCP client binds to a raw socket (as it does in most Linux distributions). In this case your only option is to drop packets in /ip firewall raw …
Thank you! I have just tried it; it counts the packets but still accepts the other servers' offerings.
Euh, call your ISP to fix this or have it clarified? I mean, this is happening on the WAN side of your connection, right? I would not care even if they have 20 DHCP servers, it might be there for a REASON. And as long as they are only “serving” my WAN interface to the ISP.
E.g. multiple DHCPs with split scopes etc.
Perhaps you are blocking some DHCPs that at one point in time MUST provide your CPE with a working IP address.
I have talked to them 2 months ago, talked again today, but the problem still exists. And the DHCP servers are not theirs. They are clients… I couldn’t count on the ISP’s admins.
Really? Hell, change ISP then.
So this means from time to time your service does not work because you are getting some bogus IP address?!
I cannot understand why your ISP does not take action, because this impacts the service you are paying for?!
Try to create a rule to filter on the OUTPUT chain! If you know the correct IP/MAC of the ISP DHCP server, try to construct something on output.
Hi, remove the ISP port from the bridge. Not necessary,
already NATted PPPoE client or DHCP client for internet.
or
you can try DHCP snooping in the bridge settings
I have not tested what happens, but it would be interesting to see how my ISP would handle it if I set up a device with a fixed public IP and a DHCP server.
On our company network we do use ip dhcp snooping to prevent clients from setting up their own DHCP.
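The DHCP snooping suggested in the replies above comes down to one per-port decision, shown here as an added example that is not from any poster in this thread and is not RouterOS code: server-originated DHCP messages (OFFER, ACK, NAK) are passed only when they arrive on a trusted port. The port names `ether1`/`ether2`, the addresses and the sample messages are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only servers send

def parse_options(payload):
    """Return {option_code: value_bytes} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    return opts

def snoop(port, payload, trusted_ports):
    """Simplified snooping decision: (action, message kind, server identifier)."""
    opts = parse_options(payload)
    mtype = (opts.get(53) or b"\x00")[0]                      # DHCP message type
    server_id = ".".join(map(str, opts.get(54, b""))) or None  # server identifier
    if mtype in SERVER_TYPES and port not in trusted_ports:
        return ("drop", SERVER_TYPES[mtype], server_id)
    return ("forward", SERVER_TYPES.get(mtype, "client"), server_id)

def build(op, mtype, server_id=None):
    """Constructed sample message: minimal BOOTP header plus options 53 and 54."""
    hdr = struct.pack("!BBBB", op, 1, 6, 0) + bytes(232)
    opts = bytes([53, 1, mtype])
    if server_id:
        opts += bytes([54, 4]) + bytes(map(int, server_id.split(".")))
    return hdr + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    trusted = {"ether1"}                      # constructed: uplink to the real server
    offer = build(2, 2, "192.0.2.50")         # constructed rogue OFFER
    print(snoop("ether2", offer, trusted))    # arrives on an untrusted port
    print(snoop("ether1", offer, trusted))    # same message on the trusted port
```

The server identifier (option 54) returned with each dropped message is the value to log when reporting the unauthorised server to whoever runs the segment.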