My LAN has only one RouterOS device as the main router providing Internet access. Each customer computer connects to a floor switch, and each floor switch connects to the RouterOS router. My unit has four floors in total, that is to say, there are four floor switches connected to the RouterOS router, and I have configured all four floor switches into Bridge1 in RouterOS. The problem now is that some users' computers are illegally providing DHCP server service, which means a large portion of users cannot access the Internet normally. May I ask how to solve this problem?
Disable “trusted” mode on the client ports. (a.k.a. DHCP snooping.)
DHCP snooping is the way to go:
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#DHCP_Snooping_and_DHCP_Option_82
https://ixnfo.com/en/configuring-dhcp-snooping-on-mikrotik.html
You should also set up a block for IPv6 Router Advertisements as well:
http://forum.mikrotik.com/t/ipv6-nd-ra-suppress-all-in-mikrotik/147643/1
If that is not set up, someone can set up an IPv6 router and hijack your IPv6 traffic by telling the network "I am your IPv6 router", even if you do not have IPv6 on your MikroTik. Most OSes are dual stack today, and if your PC finds an IPv6 router, it will use that router.
Do I need to configure "trusted" mode on the floor switch? Or do I need to configure it on the RouterOS router?
That will depend on what this “floor switch” is. If it has a DHCP snooping mode, then there you are. If not, you’ll have to leave it to the RouterOS box, which is presumably in between them all.
If you need more information, you’ll need to provide more for us to chew on. Model numbers, network diagrams, and so forth.
Hmm, just to summarize all of the above suggestions:
- DHCP snooping is mainly applied at the switch level, so anyone considering buying a manageable switch should check that this feature is available before they buy. It is a really nice feature and an important one.
- If your 4 switches are manageable ones, then apply DHCP snooping on those switches.
- If your 4 switches are not manageable ones (VLANs will be unavailable on this kind of switch), then apply DHCP snooping on the router ports connected to those switches, with the consequence that if there is any DHCP snooping violation on that router port, all the clients on that particular switch will be blocked.
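The trusted/untrusted port decision that the replies above refer to, as an added example that is not part of any post in this thread and is not RouterOS code: a small Python model that parses a DHCP payload and drops server-originated messages arriving on untrusted ports. The port names, the sample addresses and the choice to drop malformed packets are assumptions made for the illustration.

```python
# Added illustration: a model of the DHCP snooping decision, not RouterOS code.
MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie after the 236-byte BOOTP header
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def dhcp_options(payload):
    """Parse the options of a raw BOOTP/DHCP payload into {code: value}."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[payload[i]] = value
        i += 2 + length
    return opts

def snoop(port, payload, trusted_ports):
    """Return (action, reason) for a DHCP payload arriving on a bridge port."""
    try:
        opts = dhcp_options(payload)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"           # assumption of this model: fail closed
    msg_type = (opts.get(53) or b"\x00")[0]          # option 53 = DHCP message type
    is_server_msg = payload[0] == 2 or msg_type in SERVER_TYPES   # op 2 = BOOTREPLY
    if is_server_msg and port not in trusted_ports:
        server = ".".join(str(b) for b in opts.get(54, b"")) or "unknown"  # option 54 = server id
        name = SERVER_TYPES.get(msg_type, "BOOTREPLY")
        return "drop", f"{name} from server {server} on untrusted port {port}"
    return "forward", "allowed"

def sample_packet(op, msg_type, server_ip=None):
    """Build a constructed, minimal DHCP payload for the demo."""
    opts = bytes([53, 1, msg_type])
    if server_ip:
        opts += bytes([54, 4]) + bytes(int(x) for x in server_ip.split("."))
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    trusted = {"uplink"}                             # hypothetical port names
    for port, pkt in [("floor2", sample_packet(1, 1)),                # client DISCOVER
                      ("floor3", sample_packet(2, 2, "192.0.2.66")),  # OFFER from a client port
                      ("uplink", sample_packet(2, 2, "192.0.2.1"))]:  # OFFER from the trusted side
        print(port, snoop(port, pkt, trusted))
```

When the DHCP server runs on the router itself, the set of trusted ports in this model would be empty, so every floor port is treated as untrusted.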