Intruder on my Network

Good day friends

I had a serious confusion today at work… hmmm, what an experience. I have an RB1100AH router with my network settings okay.
A colleague of mine brought a small dlink router, all in the name of connecting his personal phone, tab and laptop. He connected it to my LAN, only for the router to divide the network into two (2); that was where my problem all started. My network DHCP is 10.10.1.0/24 and the new router's DHCP was 192.168.1.0/24. Only those under my DHCP could reach the internet, while the others on that 192.168.1.0 segment had destination unreachable. I kept on troubleshooting for hours etc..


Now my question is: how do I set my MikroTik router to be able to take charge, or rather not to allow any DHCP service on the LAN to take place besides its own DHCP server? Is it possible???

Since this all happens on your LAN without passing the router, there is little to do about it.
The only solution I imagine would be to use a managed L3/L4 switch allowing DHCP replies only from a defined interface, blocking the rest.
(UDP unicasts on ports 67-68, DHCP requests being broadcasts to 255.255.255.255…)

Unfortunately, docmarius is pretty right.
But you can get a little more security by not allowing rogue DHCP servers to pass your router (presuming you have more than one LAN port on your RB1100) by filtering your local bridge according to this tutorial.
So the affected network segments can be sort of limited.

-Chris

edit: …this requires not using the switch chips

Drop DHCP communication on the port where the dlink is connected, in both directions, and set the dlink manually. You'd better use the dlink in Bridge mode and set everything inside the MikroTik for this separate network.

If you need to have/allow the d-link in your network, the solution is simple:
Connect the d-link’s WAN port to the network as any other device. It will get a 10.x.x.x IP via DHCP.
The clients connecting to the d-link will get 192.168.x.x addresses but will use the d-link as a gateway and NAT to your LAN and everything will work just fine.
Except that your LAN will not be browseable from the devices connected to the d-link…

Or just connect the d-link via one of its LAN ports and disable the DHCP server on the d-link and it will be 100% ok.

But the optimal solution is to add an AP to your network, so people don't need to bring a d-link to work, and increase employee satisfaction :)
This will allow you to restrict access to your LAN as you want/need it, circumventing any security issues.

Thank you so much for your swift response, but I did not have an idea of the dlink router; it was not supposed to be on the network. It was in my search for the intruder, going from office to office, that I found the router that was connected to my network.
So I am asking if it is possible to avoid such a thing happening next time, whereby no router can cause such disruption on my network.

If not, someone can be inside his room and mess my whole network up. I don't know if you understand me: "tweak my MikroTik not to allow other routers on the LAN to do DHCP".

Thank you

Trevor

Hi Trevor,

As stated above: in case you use multiple ports of your 1100 as LAN ports, you can at least isolate the mess to the connected segment as described in the tutorial I linked in my first post in this thread.
You might additionally want to check this thread showing what is, IMHO, a very interesting approach.


Good luck!
-Chris

This is plain and simple not possible!
You cannot L2-filter a LAN using a router connected to it.
Routers control the data flow between networks, not inside a network.
It's like trying to block a highway by putting a barricade on an exit.
You have to do it on a L2 device in the middle of it, that device being a switch (or all switches if there are more than one).

The approach shown on the link by cdiedrich prevents router usage for statically assigned devices on the SAME network, but still will not prevent some devices from getting DHCP configurations from one router and others from another router.

Try this: http://aacable.wordpress.com/tag/mikrotik-rogue-dhcp-detection/

and this: http://aacable.wordpress.com/2014/03/07/blocking-client-router-access/
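As an added illustration of the detection side those links describe (this is example code, not from the original thread or from the linked articles): a small parser that inspects raw DHCP payloads, picks out the message type (option 53) and server identifier (option 54), and reports any OFFER/ACK that did not come from the allowlisted server. The trusted address 10.10.1.1 and the sample packets are constructed assumptions; in practice the payloads would come from a DHCP DISCOVER probe or a packet capture on the LAN.

```python
from ipaddress import ip_address

DHCP_MAGIC = b"\x63\x82\x53\x63"            # BOOTP "magic cookie" preceding the options field
# Assumed legitimate server in the thread's 10.10.1.0/24 LAN (constructed for this example).
TRUSTED_SERVERS = {"10.10.1.1"}

def parse_dhcp(payload):
    """Return (message_type, server_id, yiaddr) from a raw BOOTP/DHCP UDP payload, or None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    yiaddr = str(ip_address(payload[16:20]))  # "your" IP address offered to the client
    msg_type, server_id = None, None
    i = 240                                   # options start right after the magic cookie
    while i < len(payload):
        code = payload[i]
        if code == 255:                       # end option
            break
        if code == 0:                         # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:        # DHCP message type
            msg_type = data[0]
        elif code == 54 and length == 4:      # server identifier
            server_id = str(ip_address(data))
        i += 2 + length
    return msg_type, server_id, yiaddr

def find_rogue_offers(payloads, trusted=TRUSTED_SERVERS):
    """Return (server_id, offered_ip) for every OFFER (2) or ACK (5) not sent by a trusted server."""
    rogue = []
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed is None:
            continue
        msg_type, server_id, yiaddr = parsed
        if msg_type in (2, 5) and server_id not in trusted:
            rogue.append((server_id, yiaddr))
    return rogue

def build_offer(server_ip, offered_ip):
    """Construct a minimal DHCPOFFER payload (op=2 BOOTREPLY) for offline testing."""
    hdr = bytes([2, 1, 6, 0]) + b"\x00" * 12 + ip_address(offered_ip).packed + b"\x00" * 216
    opts = b"\x35\x01\x02" + b"\x36\x04" + ip_address(server_ip).packed + b"\xff"
    return hdr + DHCP_MAGIC + opts

if __name__ == "__main__":
    # Constructed sample: one offer from the real server, one from a 192.168.1.x rogue.
    captured = [build_offer("10.10.1.1", "10.10.1.50"), build_offer("192.168.1.1", "192.168.1.100")]
    print(find_rogue_offers(captured))
```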

Both proposed solutions don't solve the problem, more exactly preventing computers from getting a DHCP assignment from an "intruding" router.
They will alert the operator or prevent the intruder from getting internet access (along with all devices that acquired an IP from it).
But the problem is still there.

The question asked was how to prevent this wrong DHCP assignment using an MT router, and the answer is the same: it is not possible to limit LAN access using a router connected to that LAN. No workaround on this one other than to use L3 filtering in the LAN switch(es).
The DHCP traffic does not pass the router, so it has no effect on it and cannot have any.

As I said, you cannot block a highway (the LAN) by blocking an exit (the router). You have to block the whole road, and that road goes through the switch.

Physical security? Lock down unused hot ports?