Hello, how do I block rogue DHCP servers?
http://www.wirelessinfo.be/index.php/mikrotik/pages/dhcp-alerte
I know how to detect them, but I want to block them.
Can anybody help me?
You would need to block communication between the client devices on switches or implement firewall rules on bridging routers that would block the DHCP messages going in the “wrong” way. It’s hard. Maybe partly impossible, depending on your network structure. You can also cut such a device from your network manually when informed by your detection mechanism.
Moving from a bridged to a routed network will also help a lot…
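One concrete form of the “firewall rules on bridging routers” suggested above, as an added RouterOS example (not from this thread and not tested by the poster): bridge filter rules that only let DHCP server replies (UDP source port 67 to destination port 68) into the bridge from the port where the legitimate server lives. The bridge name `bridge1`, the trusted port `ether1` and the other port names are placeholders for your own layout.

```routeros
# Added example, not from the thread. Assumes a RouterOS bridge "bridge1" whose member
# ports are ether1..ether5, and that the only legitimate DHCP server is reached through
# ether1 (all names are placeholders, adjust them to your layout).
/interface bridge filter
# DHCP server -> client replies travel as UDP from port 67 to port 68. Log, then drop,
# any such frame that enters the bridge on a port other than the trusted one.
add chain=forward in-interface=!ether1 mac-protocol=ip ip-protocol=udp src-port=67 \
    dst-port=68 action=log log-prefix="rogue-dhcp" comment="log DHCP replies from untrusted ports"
add chain=forward in-interface=!ether1 mac-protocol=ip ip-protocol=udp src-port=67 \
    dst-port=68 action=drop comment="drop DHCP replies from untrusted ports"
# Same check for replies addressed to the router itself (relevant if the router is a
# DHCP client on bridge1); rogue offers to the router are dropped in the input chain.
add chain=input in-interface=!ether1 mac-protocol=ip ip-protocol=udp src-port=67 \
    dst-port=68 action=drop comment="drop rogue DHCP replies to the router"
```

Two caveats: if the DHCP server runs on the router itself, its own offers leave through the output chain and are unaffected, so you can drop replies from every bridge port instead of excluding `ether1`. The rules only see frames that actually cross this bridge; two hosts hanging off the same unmanaged downstream switch can still exchange DHCP directly, which is the part Jarda calls hard. Bridge filter rules also disable hardware offloading on many switch-chip models, so check throughput after adding them.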
Thanks Jarda for the reply.
Can you explain more?
DHCP traffic doesn’t traverse routers without assistance. Splitting a L2 broadcast domain into smaller networks limits the damage that can be done by rogue DHCP servers [and other L2 annoyances, eg netcut]. Once you’ve divided your network into as many networks as is sensible [1], you can further restrict DHCP on switches, eg:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Protocol_Level_Isolation [2]
and if you want to be really sure that clients can’t see each other, scroll up and look at the “Port Level Isolation” section.
[1] Don’t know how many this is
[2] Haven’t tested this
I would like to but what part I should explain more?
Moving from bridged to routed network will also help a lot…
How do I do this?
The bridge has the IP range 192.168.100.0/24
with a DHCP server on this bridge.
What must be routed?
Draw your network layout and put it here.
Here is a quite good example you can get inspired by: http://community.ubnt.com/t5/The-Lounge/General-idea-of-our-Bridged-to-Routed-Network-w-Mikrotik-Newbie/td-p/686033
It generally means that you will cut your network into smaller parts and give each of them a different IP subnet. Then you will set the routes for all your subnet destinations on the routers in order to be able to send packets the right way.
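As an added RouterOS example of what “cut smaller parts and give them a different subnet” looks like for the 192.168.100.0/24 from the question (not from this thread, not the linked post’s configuration): the /24 is split into two /25 segments, one per physical port taken out of the bridge, each with its own DHCP server. Port names, pool ranges and the DNS address are placeholders.

```routeros
# Added example, not from the thread. Splits the poster's 192.168.100.0/24 into two
# routed segments on separate physical ports. Port names are placeholders.

# ether2 and ether3 leave the bridge, so each becomes its own L2 broadcast domain:
# a rogue DHCP server plugged into ether2 can no longer answer clients on ether3.
/interface bridge port
remove [find interface=ether2]
remove [find interface=ether3]

# One address per port; the router is the gateway of each segment.
/ip address
add address=192.168.100.1/25 interface=ether2 comment="segment A"
add address=192.168.100.129/25 interface=ether3 comment="segment B"

# A pool and a DHCP server per segment (DNS assumed to be the router itself).
/ip pool
add name=pool-a ranges=192.168.100.10-192.168.100.126
add name=pool-b ranges=192.168.100.140-192.168.100.254
/ip dhcp-server network
add address=192.168.100.0/25 gateway=192.168.100.1 dns-server=192.168.100.1
add address=192.168.100.128/25 gateway=192.168.100.129 dns-server=192.168.100.129
/ip dhcp-server
add name=dhcp-a interface=ether2 address-pool=pool-a disabled=no
add name=dhcp-b interface=ether3 address-pool=pool-b disabled=no
```

Because both /25s are directly connected to the same router, the routes between them appear automatically as connected routes; static routes (`/ip route add dst-address=... gateway=...`) are only needed for subnets that sit behind another router, which is the “set the routes for all your subnet destinations” step above. Clients keep their old addresses, but their netmask and gateway change, so have them renew their leases after the cut-over.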
“You can also cut such device from your network manually when informed by your detection mechanism”.
Can that be automated with a script or something?
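One way to automate the manual cut-off, as an added RouterOS example (not from this thread): the DHCP alert feature fires when a server other than `valid-server` is seen on the bridge, and its `on-alert` script receives the rogue’s MAC and interface. The script stores them in globals and runs a second script that adds a bridge filter rule dropping that MAC’s DHCP replies. The bridge name, the legitimate server MAC `00:11:22:33:44:55` and the script name are placeholders.

```routeros
# Added example, not from the thread. Assumes the router's bridge is "bridge1" and the
# legitimate DHCP server's MAC is 00:11:22:33:44:55 (placeholder, use your own).

# 1) Alert on any other DHCP server on bridge1. The on-alert script sees $interface,
#    $address and $"mac-address"; it hands them to a named script via globals
#    (the \$ and \" escapes keep the CLI from expanding them when the alert is added).
/ip dhcp-server alert
add interface=bridge1 valid-server=00:11:22:33:44:55 alert-timeout=1m \
    on-alert=":global rogueMac \$\"mac-address\"; :global rogueIf \$interface; /system script run quarantine-rogue-dhcp"

# 2) Body of the script named "quarantine-rogue-dhcp" (create it with
#    /system script add name=quarantine-rogue-dhcp source=... or paste it into the
#    script editor in WinBox).
:global rogueMac
:global rogueIf
:local tag ("rogue-dhcp-" . $rogueMac)
# The alert re-fires every alert-timeout while the rogue is present, so add at most
# one rule per rogue MAC.
:if ([:len [/interface bridge filter find comment=$tag]] = 0) do={
    # Drop only this host's DHCP server replies (UDP 67 -> 68) crossing the bridge;
    # the host itself stays reachable so someone can find and unplug it.
    /interface bridge filter add chain=forward action=drop src-mac-address=$rogueMac \
        mac-protocol=ip ip-protocol=udp src-port=67 dst-port=68 comment=$tag
    :log warning ("rogue DHCP server " . $rogueMac . " seen on " . $rogueIf . ", quarantined")
}
```

The rule only stops rogue offers that pass through this router’s bridge, the same limit as any bridge filter, and a rogue that changes its MAC gets a fresh rule rather than slipping through. Review the `rogue-dhcp-*` rules periodically and remove them once the device has been found, or the list grows with every test laptop that ever ran a DHCP server.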