IP Neighbor Discovery

RackKing · November 9, 2018, 2:12pm

I understand the Neighbor Discovery Settings can only run on and interface list. So you can create a list and Add and interface to it like . It will then discover devices that VLAN and advertise them to Winbox correct?

Can you have the "advertised to only a single interface? My management interface for example? I do not wan’t the users of LAN to see the Neighbor info, but I want my management interface like ether5 for example to see it.

I think the answer is NO that is the way neighbors is supposed work by design… , but I thought I would ask.

Thanks

Dude2048 · November 9, 2018, 3:13pm

With a list you can activate a single interface.

RackKing · November 9, 2018, 4:14pm

As in the firewall address list?

RackKing · November 11, 2018, 1:45am

If there is a way to limit the discovery from only showing up on specific interfaces let me know.

“With a list you can activate a single interface”

I am not talking about limiting what port it “discovers on” I want it to only report what it discovers to a single physical interface.

Thank you for any help.

docmarius · November 12, 2018, 7:28am

I think there is a confusion going on here.

On one hand, it does not report the discovered info to an interface.
It reports it to RouterOS, and you need to use Winbox/Webfig/API to read that information.
So, unless your users have access to your router, they can not see the list.

On the other hand, discovery packets on a LAN have a broadcast destination (sent to 255.255.255.255) by design, so every host on that interface can see all discovery packages, and there is nothing you can do other than turning off the sending of the discovery packets on ALL devices connected to that network (this also should include LLDP and CDP).
But they can not see discovery packets from other interfaces.

RackKing · November 12, 2018, 10:05am

@docmarius

That was my understanding thanks for the clarification. Discovery is a nice feature to make some things more convenient but I understand the reason for turning it off. I was contemplating leaving it running on my management interface. My concern is that if somebody gains access to an interface - lets say at an AP, and they run winbox, with it running they can see the device(s). Physical security is broken a that point anyway which is a different problem… and I realize there are other ways to mitigate that kind of attack.

Again - just wondering about the risk/reward of leaving it on - just for management interfaces. Any input appreciated.
Thanks again.

icsterm · November 15, 2018, 10:15am

Just filter out UDP broadcast packets with destination 255.255.255.255 & port 5678 on the devices you don’t want taking part in MNDP.

RackKing · November 15, 2018, 2:05pm

@icsterm Thank you very much. I will give it a shot!

RackKing · November 15, 2018, 3:53pm

So I made this firewall filter rule and drug it to the top.

chain=input action=drop protocol=udp dst-address=255.255.255.255 dst-port=5678 log=no
log-prefix=“”

I still see the connection from the host winbox IP:5678.

Am I missing something?

freemannnn · November 15, 2018, 5:10pm

is chain=input right? input is for traffic going to router itself.
chain=forward maybe?

RackKing · November 15, 2018, 5:16pm

Hi and thanks for your response. I have a rule for both chains now - the only one that ever generates any traffic is the input rule. The remote winbox pc is sending the MNDP broadcast to the input of the router looking for a response - I think. I see the filter rule counter running… but the requesting computer still sees the router in the neighbor section, and it still shows up in the connections tab.

Perhaps a reboot the router and see if that has any affect… but the connection times out anyway.

Thanks again

RackKing · November 16, 2018, 2:34pm

Anybody else have a thought on this?

RackKing · November 17, 2018, 9:50pm

Hi,

I have been blocking all udp 5678 packets input and forward chains with no luck. Anyone have some help - please?

Thanks