How to block DHCP traffic from leaking across subnets?

I have network A (192.168.50.0/24) and network B (192.168.1.0/24); each has its own hosts and its own dedicated Internet connection.

I set up a third MikroTik router to route traffic back and forth between the two. I did this by adding an interface with 192.168.50.10 on ether2 and 192.168.1.10 on ether3. I then enabled RIP routing.

On networks A and B I created static routes that direct traffic to the MikroTik as required. It works great EXCEPT that clients on either subnet now occasionally get assigned a DHCP lease from the wrong subnet! I set up firewall rules to block all UDP 67 and 68, but it doesn't work. I suspect this is because the layer-2 switch connects the two subnets together, so the firewall has no effect.

Do I need to disable the bridge on the switch, or somehow put each Ethernet port in its own VLAN and route traffic between the two ports? Any help is appreciated.

Ryan

Please post the output of /ip address print detail, /ip route print detail, /ip firewall export, /ip interface print detail and /ip dhcp-server export.

[admin@MikroTik] > ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=ether2-master-local
actual-interface=ether2-master-local

1 address=192.168.1.10/24 network=192.168.1.0 interface=ether3-slave-local
actual-interface=ether2-master-local

2 address=192.168.50.10/24 network=192.168.50.0 interface=ether4-slave-local
actual-interface=ether2-master-local

[admin@MikroTik] > ip firewall export

jan/02/1970 01:08:39 by RouterOS 5.6

software id = ZU3M-MRLA

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=
10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no
protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=
established disabled=no
add action=accept chain=input comment="default configuration" connection-state=
related disabled=no
add action=drop chain=input comment="default configuration" disabled=no
dst-address=0.0.0.0 in-interface=ether1-gateway src-address=0.0.0.0/0
add action=drop chain=input disabled=no dst-port=68 protocol=udp src-address=
0.0.0.0/0 src-port=67
add action=drop chain=input disabled=no dst-port=67 protocol=udp src-port=68
add action=drop chain=input disabled=no dst-port=67 protocol=udp src-port=67
add action=drop chain=input disabled=no dst-port=68 protocol=udp src-port=68
add action=drop chain=output disabled=no dst-port=68 protocol=udp src-port=68
add action=drop chain=output disabled=no dst-port=67 protocol=udp src-port=67
add action=drop chain=input disabled=no dst-port=67-68 protocol=tcp src-port=67
add action=drop chain=forward disabled=no dst-port=67-68 protocol=tcp src-port=
68
add action=drop chain=forward disabled=no dst-port=68 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no
out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no


[admin@MikroTik] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.10
gateway=ether2-master-local
gateway-status=ether2-master-local reachable distance=0 scope=10

1 ADC dst-address=192.168.50.0/24 pref-src=192.168.50.10
gateway=ether2-master-local
gateway-status=ether2-master-local reachable distance=0 scope=10

2 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1
gateway=ether2-master-local
gateway-status=ether2-master-local reachable distance=0 scope=10



[admin@MikroTik] > ip dhcp-server export

jan/02/1970 01:10:59 by RouterOS 5.6

software id = ZU3M-MRLA

/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=static disabled=yes interface=
ether2-master-local lease-time=3d name=default
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1


And finally, /ip interface print detail does not work; it says:

[admin@MikroTik] > ip interface print detail
bad command name interface (line 1 column 4)


Thank you for your help

I figured it out. Ether-3 and Ether-4 had master port set to "ether1". I switched them both to none and now it works perfectly, no DHCP leakage anymore.
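The address table posted above already shows the cause: every address reports actual-interface=ether2-master-local, so ether3 and ether4 were switch-chip slaves of one port and both subnets shared a single layer-2 broadcast domain, where DHCP broadcasts are switched without ever reaching the layer-3 firewall. The check below is an added example, not code from the thread: it parses a copy of that /ip address print detail output (embedded as a constructed sample) and flags interfaces carrying more than one network, plus the slave ports that needed master-port=none; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a copy of the `/ip address print detail` output posted in
# the thread, kept exactly as the terminal wrapped it.
SAMPLE_OUTPUT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=ether2-master-local
actual-interface=ether2-master-local

1 address=192.168.1.10/24 network=192.168.1.0 interface=ether3-slave-local
actual-interface=ether2-master-local

2 address=192.168.50.10/24 network=192.168.50.0 interface=ether4-slave-local
actual-interface=ether2-master-local
"""

# The four key=value fields the check relies on; other fields are ignored.
KV = re.compile(r"(address|network|interface|actual-interface)=(\S+)")


def parse_entries(text):
    """Split the print output into blank-line separated entries and collect the
    key=value pairs of each one, regardless of how the terminal wrapped it."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(KV.findall(block))
        if "address" in fields:
            entries.append(fields)
    return entries


def shared_broadcast_domains(entries):
    """Map each actual-interface to the networks that land on it. Two networks on
    one actual-interface share a layer-2 broadcast domain, so DHCP broadcasts
    (UDP 67/68) cross between them without being routed, which is why the
    /ip firewall filter rules in the thread could not stop them."""
    domains = defaultdict(set)
    for e in entries:
        domains[e["actual-interface"]].add(e["network"])
    return {iface: sorted(nets) for iface, nets in domains.items() if len(nets) > 1}


def slaved_interfaces(entries):
    """Interfaces whose traffic is really handled by a different (master) port,
    i.e. the ports that had to be set to master-port=none to become separate
    layer-2 segments."""
    return sorted(e["interface"] for e in entries
                  if e["interface"] != e["actual-interface"])
```

Running the two checks over the sample reports one broadcast domain (ether2-master-local) carrying all three networks and the two slave ports ether3 and ether4, which matches the fix the poster applied.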