Today I tried to block everything except the Winbox port.
1)
When I rebooted the RB2011, the WAN port got an IP from the DHCP server.
Why is it possible for the WAN port to request an IP (discover to 255.255.255.255) when everything is blocked by firewall rules?
The WAN port can enter state, and then the WAN port receives the ACK packet.
Are there some default and hidden firewall rules implemented in RouterOS?
2)
If the lease is running out, the DHCP server sends a DHCPNAK packet and asks in this way whether the lease should be extended - will this also pass the firewall?
3)
If the client extends the IP, this first happens with a DHCPREQUEST to the DHCP server. This is also successful if there is no firewall rule which allows/denies this. But when I add two rules, the logging feature works:
output on WAN port, UDP src-port 68 to dhcp-ip:67, new, accept and logging
input on WAN port, UDP dhcp-ip:67 to dst-port 68, established, accept and logging
But the renewing also works without these rules.
4)
Moreover, the RB2011 sends the following parameter list to the DHCP server: “Subnet-Mask, Classless-Route, Router, Static-Route, Domain-Server, NTP-Server, CAPWAP-Server”
Is it possible to edit this list? I want to remove the Domain-Server and NTP-Server. I do not need these things from my provider's DHCP server.
You are not blocking outgoing connections, only incoming. DHCP requests are outgoing from the router. Answers from the DHCP server are accepted as they are related to the initial requests from the router.
2)
If the lease is running out, the DHCP server sends a DHCPNAK packet and asks in this way whether the lease should be extended - will this also pass the firewall?
The same as above.
4)
Moreover, the RB2011 sends the following parameter list to the DHCP server: “Subnet-Mask, Classless-Route, Router, Static-Route, Domain-Server, NTP-Server, CAPWAP-Server”
Is it possible to edit this list? I want to remove the Domain-Server and NTP-Server. I do not need these things from my provider's DHCP server.
In Winbox:
IP->DHCP client
Open the WAN interface settings and uncheck ‘Use peer DNS’ and ‘Use peer NTP’.
I do not understand how the DHCP can be sent out, because everything is blocked.
I also unchecked the DNS and NTP feature, but in the parameter list these two things are still requested. And then the DHCP server also delivers the DNS entries and the RB2011 sets these parameters. I did not try whether this DNS setting will be used. But my main problem is how I can get an IP if outgoing and incoming packets for DHCP are blocked - I do not understand this behavior.
Yes, I have an outgoing rule with output and drop, so TCP and UDP and everything else will be blocked.
I have only allowed the WinBox port on LAN, and on my testing router I have disabled after this rule everything for input, output and forward, and the RB2011 still gets an IP from the DHCP server.
5 rules:
input LAN for Winbox
output LAN for Winbox if established
input drop
output drop
forward drop
My configuration is based on: block everything except what should be allowed.
It seems that renewing the IP address (outgoing DHCP request) is allowed when the device had got an IP before.
I tried to remove the cable modem and waited 5 minutes - then the RB did not get an IP any longer (I did not change my firewall rules).
But it seems that the request to 255.255.255.255 can’t be controlled by firewall rules.
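The five rules listed in that post, together with the two DHCP logging rules from the first post, written out as RouterOS CLI. This is an added example, not configuration from the thread; it assumes ether1 is the WAN port, ether2 is the LAN port, and Winbox listens on its default TCP port 8291.

```routeros
# Added example (not from the thread). Assumptions: ether1 = WAN, ether2 = LAN,
# Winbox on TCP 8291. Rules are evaluated top to bottom and "add" appends,
# so the three drop rules must stay last.
/ip firewall filter
# Winbox from the LAN side only
add chain=input in-interface=ether2 protocol=tcp dst-port=8291 action=accept comment="winbox in (lan)"
add chain=output out-interface=ether2 protocol=tcp src-port=8291 connection-state=established action=accept comment="winbox out (lan)"
# Make the DHCP client exchange visible in the log. The thread reports that these
# rules log matches when present, although the lease is obtained without them too.
add chain=output out-interface=ether1 protocol=udp src-port=68 dst-port=67 action=accept log=yes log-prefix="dhcp-out"
add chain=input in-interface=ether1 protocol=udp src-port=67 dst-port=68 action=accept log=yes log-prefix="dhcp-in"
# Default deny for everything else (the "block everything except what should be allowed" policy)
add chain=input action=drop
add chain=output action=drop
add chain=forward action=drop

# Stop applying the DNS and NTP servers offered by the provider
# (the same setting as IP -> DHCP Client -> "Use peer DNS" / "Use peer NTP" in Winbox)
/ip dhcp-client set [find interface=ether1] use-peer-dns=no use-peer-ntp=no

# Check: show the logged DHCP packets and the hit counters of the logging rules
/log print where message~"dhcp-"
/ip firewall filter print stats where log=yes
```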
Why can the WAN port get an IP address from the DHCP server if there is no traffic allowed?
I tried to drop everything on a WAN port but the router can communicate with the DHCP server.
I tried it with my provider DHCP server and with an internal DHCP server.
If I compare this behavior with an iptables-based firewall, it is completely different. Normally ROS should not be able to get an IP if all the traffic on one port is blocked.
When the router is booting, how long will it take until all the firewall rules are loaded?