Can anibody help me ? We are small ISP.
We buy Mikrotik RB2011+SFP, but cannot find DHCP snooping function.
Device is working as switch with vlans, not as router.
In example: internet connection is via sfp port, other ports are for clients.
IP addresses for clients assigned from a DHCP server directly via sfp port.
Problem: how to disable clients DHCP server?
cannot find DHCP snooping function.
You can use filters to block ip and mac addresses you want to. Dhcp snooping is nothing else.
Problem: how to disable clients DHCP server?
can’t understand your question.
… or better: I don’t understand what you want to do: who gives out addresses and who ha to receive them, what you want to prevent with snooping.
Problem is simple. On switch are connected some clients: PC or routers. DHCP server recognize clients by mac addressess but on switches no filter by mac. If one client will connect cable not in WAN port we will heve problem, because other clients will get ip adress not from our DHCP router but from this client router.
On cisco , edgecore, tplink,zte switches is simple function DHCP Snooping, which control this situation and blocking DHCP servers from clients ports
Robertas
So, if I understand, you are afraid that someone, connecting on the ports you use as a switch, receives a dhcp address from someone that is on another switch port, right?
if this is your target, I suggest to bridge all ports (“bridge1”, in the example) and add a bridge filter to drop dhcp request going the wrong way, i.e. towards clients instead of “sfp” port (that will be part of the same bridge)
/interface bridge filter
add action=drop chain=forward disabled=no mac-protocol=ip ip-protocol=udp dst-port=67 out-bridge=bridge1 out-interface=!sfp
This should be sufficient, but to be sure you can block dhcp responses not coming from port “sfp”:
/interface bridge filter
add action=drop chain=forward disabled=no mac-protocol=ip ip-protocol=udp dst-port=68 in-bridge=bridge1 in-interface=!sfp
this is more cpu consuming and slower than using switch chip, but can work well if forwarding speed is not a concern. Anyway I don’t have any RB2011, but I think you can use switch only with five ports, not all ten. There is some possibility to make rules even in shitch chip properties, that should be wirespeed, but I didn’t try to use them.
hope this helps
Well, can you please provide some hints how to implement full and proper DHCP snooping with ROS? That is, to bind MAC, IP and port in regards to DHCP leases and prevent other DHCP server to be able to broadcast to other ports on mikrotik internal swith? I am actuyally quite confident that this is not possible, or is very complicated.
I am also interested.
Mikrotiks serve as bridging AP’s.
There is a central DHCP server for the whole network (assigning addresses is not a task for each AP).
I need to block traffic from addresses that are not given by DHCP server.
Not only it keeps address discipline, it also prevents all kinds of (mainly DDoS) attacks with spoofed addresses.
first of all, for petrik: I am not talking about “switch” feature, i normally don’t use it so I can’t give suggestions.
I am talking about a bridge of ports
I think that the first thing to do is isolation of hosts.
This can be done denying forwarding on access points and making a bridge rule that all that comes from bridge can’t be forwarded on same or other ports:
/interface bridge filter
add action=drop chain=forward in-bridge=mybridge out-bridge=mybridge
so there will be no comunication between hosts connected to the bridge, thei will only be forwarded to other interfaces (it depends on other rules you’ll have in firewall filter, and so on)
this in fact voids any dhcp coming from other hosts
then:
to bind ports and mac address you’ll use bridge and drop unwanted traffic,
or maybe (not tried, but I think it can work) put the bridge in arp=disabled and manually populate arp table.
to reserve addresses to mac address you’ll use dhcp reservations:
i think that using the internal dhcp server will be simpler, but if you want to allow a specific dhcp server connected to the same bridge to serve addresses, you’ll put it in a rule that will be evaluated before the dropping one, so your bridge filter will be (in the example your dhcp server will be on ether2)
/interface bridge filter
add chain=forward in-bridge=mybridge out-interface=ether2
add chain=forward in-interface=ether2 out-bridge=mybridge
add action=drop chain=forward in-bridge=mybridge out-bridge=mybridge
(or maybe a more fine-grained rule accepting only dhcp traffic: udp 67 and 68)
consider also hotspot capabilities if you want to be more “aggressive” on unwanted traffic (hotspot will send reset packets to all unauthenticated clients)