I have a Fixed Wireless network where my customers have CPE devices that they then hook up to their local PC or a home router/network. I have had a few issues where the customer plugs the CPE into a LAN port and their home device starts to act as a DHCP server. Does anyone have an idea of how to set up a firewall rule that would squash the errant DHCP offers, and limit them only to offers from my MT router?
DHCP server listens on udp 67 and sends from udp 68 (on any DHCP device), so you could block all traffic coming IN the mikrotik destined for udp/67 and coming from udp/68, but allow the opposite.
I think this is correct, but I could have these reversed.
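For reference, RFC 2131 has DHCP servers sending OFFER/ACK from UDP 67 to the client's UDP 68, and clients sending DISCOVER/REQUEST from UDP 68 to UDP 67, so a rogue server on a customer LAN shows up as UDP traffic with source port 67 arriving on the customer-facing interface. The following RouterOS rules are an added example (not from the thread or from MikroTik's own documentation); the interface names wlan1 and bridge1 are placeholders for the customer-facing interface and the bridge it belongs to, and the rules assume the legitimate DHCP server runs on this router.

```routeros
# Added example; interface names are placeholders. Assumes RouterOS with
# customer CPEs behind wlan1 and the real DHCP server on this router.
#
# RFC 2131 port usage:
#   client -> server : UDP src 68, dst 67  (DISCOVER/REQUEST)  -> keep
#   server -> client : UDP src 67, dst 68  (OFFER/ACK)         -> drop if
#                      it arrives FROM the customer side

# 1) Routed traffic: drop server-sourced DHCP coming in from customers.
#    Our own server's replies originate on the router (output chain), so
#    they are not affected. Keep this rule ABOVE any generic
#    "accept established/related" rule, otherwise a unicast rogue ACK that
#    answers a tracked client request would be accepted first.
/ip firewall filter
add chain=forward in-interface=wlan1 protocol=udp src-port=67 dst-port=68 \
    action=drop comment="drop rogue DHCP offers/acks from customer side"
add chain=input in-interface=wlan1 protocol=udp src-port=67 dst-port=68 \
    action=drop comment="drop rogue DHCP offers/acks aimed at the router"

# 2) Bridged customers: broadcast offers between ports of the same bridge
#    never reach /ip firewall, so filter them on the bridge as well.
/interface bridge filter
add chain=forward in-interface=wlan1 mac-protocol=ip ip-protocol=udp \
    src-port=67 dst-port=68 action=drop comment="L2: drop rogue DHCP offers"

# Quick check: the drop counters should grow while a rogue server is active.
/ip firewall filter print stats where comment~"rogue DHCP"
/interface bridge filter print stats where comment~"rogue DHCP"
```

One caveat: frames exchanged between two clients of the same wireless interface can be forwarded inside the AP without ever passing the bridge or the IP firewall, so these rules only cover traffic that crosses an interface boundary; the wireless interface's own forwarding setting has to be handled separately.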
You can disable ‘default forwarding’ on your AP. This ensures your wireless clients can’t talk with each other which implies all dhcp requests are forwarded to you and only you.
If you disable forwarding, users can’t connect to the internet though? wireless → wan = forward. Unregistered users shouldn’t be allowed to forward, but registered users need that, don’t they?
default-forwarding on the wireless interface, differs from forwarding or port forwarding as a firewall rule.
‘default-forwarding’ is enabled by default on the wireless interfaces and ensures that all clients connected to your AP can intercommunicate (with themselves!) using your resources. It doesn’t affect ‘port forwarding’/‘forwarding’ and regardless of whether it is enabled or not only authenticated clients will be able to browse.
http://www.mikrotik.com/testdocs/ros/3.0/interface/wireless.php
So you are saying that if we uncheck the Default Forwarding on the wireless interface it will prevent a user’s DHCP server on their router from causing havoc?
Just wanted to confirm…
Is this on the Mikrotik AP and any client CPE like a UB NanoStation2?
TIA
Nate
It will ensure all DHCP requests from clients connected to your AP are forwarded to only your DHCP server.
The option is only available on the mikrotik AP.
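As an added example (not part of the thread), this is the CLI form of the default-forwarding change on a MikroTik AP, followed by a check a practitioner would want: RouterOS's built-in DHCP alert, which logs any DHCP server seen on a segment other than the ones listed as valid. The interface names wlan1 and bridge1 are placeholders, and the legitimate server's MAC is taken from the router's own bridge interface on the assumption that the DHCP server runs on that router.

```routeros
# Added example; wlan1 / bridge1 are placeholders. Assumes the MikroTik AP
# itself runs the legitimate DHCP server on bridge1.

# Stop client-to-client forwarding inside the AP. Client <-> WAN traffic is
# unaffected; only frames between two clients of wlan1 are no longer
# relayed, so a customer's DHCP server can no longer answer other customers.
/interface wireless set wlan1 default-forwarding=no

# Verify the setting took effect.
/interface wireless print detail where name=wlan1

# Detection check: watch bridge1 for DHCP servers other than our own.
# valid-server is a list of MAC addresses of servers that are allowed;
# here it is set to the router's own bridge MAC. Any other server that
# answers on the segment raises an alert and runs on-alert.
/ip dhcp-server alert
add interface=bridge1 valid-server=[/interface get bridge1 mac-address] \
    alert-timeout=1h on-alert=":log warning \"rogue DHCP server seen on bridge1\""

# Review what has been seen so far.
/ip dhcp-server alert print detail
/log print where message~"DHCP"
```

The alert only reports; it does not block anything, so it is useful for confirming that the forwarding change (and any firewall rules) actually stopped the errant offers rather than merely moving them.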