Hi…
as understand, some of person may can use tool like cain and abel to do the dhcp poision to make the same network user point to his laptop and the user will get some page from that laptop.
instead of i create different vlan to different WiFi ap to minimix network interruption.
can we have a rules that, the AP will only accept dhcp from the ethernet and send out via wireless then reject dhcp from wireless?
thanks.
if your broadcast domain is the wlan1 only, try to disable default forward (/int wir set wlan1 default-forwarding=no)
Hi…
my current setup is 1 vlan serve 20 AP (same vlan).
mean, my broadcast domain is on the bridge interface (bridge vlan + wlan1), thus the wireless client isolation will not work right.
correct me if i am wrong on this…
correct.
you need to activate bridge filter on each ap and drop unwanted dhcp packets
Hi, as i enable the “use IP Firewall” under the bridge seting.
then i create a filter “chain=input action=drop protocol=udp in-interface=wlan1 src-port=67,68”
am i doing the right way to drop all the dhcp on whoever plan to poison my network by DHCP router?
appreciate it.
(from http://www.linklogger.com/UDP67_68.htm)
clients broadcast a request to the DHCP server:
UDP 0.0.0.0:68 → 255.255.255.255:67
The DHCP server then responds with something like:
UDP 192.168.1.1:67 → 255.255.255.255:68
if your poisoner is a dhcp server, and you want to block him you must:
chain=forward action=drop protocol=udp in-interface=wlan1 src-port=67
Hi, highly appreciated, i have look around and found that some post is still talking about hte net cut which is higher level on the hijack on the WiFi AP.
as understand, still no solution for this, i afraid a day will meet some one to use the tools like Netcut or cain and abel…