First off, before anyone else wastes an excessive amount of time on this, someone in charge of documentation needs to make this point very clear: DHCP packets bypass most aspects of the firewall, and this behavior cannot be changed.

I learned this the hard way, since this point is either not documented at all, or hidden so deeply within the documentation that it’s practically impossible to find.

Second, I want to know exactly how one may achieve any sort of prioritization for DHCP in a queue tree. As DHCP packets don’t seem to reach all of the chains in the mangle table, there’s no way to mark them, therefore there seems to be no practical way to prioritize DHCP within a set of queues.

My goal is to give DHCP replies (from the DHCP server on a RouterOS device) absolute, top priority, for reasons that should be obvious.

If DHCP automatically has top priority, then I’ll be satisfied in knowing this, but if this is the case, then it needs to be documented!

If this is not the case, then someone please explain how this may be achieved.

Thanks in advance,
Dennis

Traffic generated by DHCP server running on the rb is going trough the output chain, using udp port 67 and 68 .

To mark it you can use mangle rules:

/ip firewall mangle
add action=mark-packet chain=output new-packet-mark=DHCP_TRAFFIC protocol=udp src-port=67
add action=mark-packet chain=output new-packet-mark=DHCP_TRAFFIC protocol=udp src-port=68

and then using queue tree assign to packet with packet-mark DHCP_TRAFFIC the maximum priority=1 queue.

Thanks, greencomputing.

In fact, this was my first approach. It does not work. I’ve tried it with V5.14 and V5.19. The byte/packet counters in the mangle table do not increment, nor do the counters in the queue tree. The only other rule in my output chain is specifically for OSPF, and uses only the protocol number. It doesn’t matter whether passthrough is enabled on either, nor does the order of the two make any difference.

I’ve captured and examined DHCP packets after implementing these rules. The packets are being transmitted, and they appear to be perfectly formed, but the mangle table doesn’t want to know about them.

I’ve even gone as far as implementing a Layer 7 rule for DHCP, but this is ignored, as well. (I’m aware that the published and generally accepted regex for Layer 7 DHCP contains an error, but correcting this makes no difference.)

On some forum, I found a posting in which this subject is mentioned. The writer appeared to be someone from Mikrotik, who stated that “DHCP packets are handled before reaching the firewall…,” or words to that effect. This is what leads me to believe that there are hidden firewall rules that prevent DHCP packets from being manipulated.

[/quote]

RouterOS - RouterOS - MikroTik Documentation
67/udp Bootstrap protocol or DHCP Server this is dst
68/udp Bootstrap protocol or DHCP Client this is src

/interface bridge filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=output action=set-priority new-priority=1 passthrough=yes out-interface=ether2 out-bridge=bridge mac-protocol=ip src-port=68
ip-protocol=udp log=no log-prefix=""

1 chain=output action=set-priority new-priority=1 passthrough=yes out-interface=ether2 out-bridge=bridge mac-protocol=ip dst-port=67
ip-protocol=udp log=no log-prefix=""


[ersitizastes@5g.net 0] > /interface bridge filter print stats
Flags: X - disabled, I - invalid, D - dynamic

CHAIN ACTION BYTES PACKETS

0 output set-priority 3936 12
1 output set-priority 3936 12

Hi,

I need to have a Cos of 6 on the DHCP Request emitted by one of my vlan interface.

The last post is the way to do it ? ie creating a bridge and put the CoS there ? (since dhcp bypass the firewall brick ?)

Thx.