ebenswanepoel
just joined
Topic Author
Posts: 4
Joined: Thu Nov 30, 2017 11:44 am

Help with blocking DHCP on WAN1 and ether1 and only allow WAN2 to receive

Fri Dec 01, 2017 9:12 am

Morning all
I have a Mikrotik 411 with firmware 3.41. It has only one ethernet port. My setup is with no vlans. I have a bridge setup with all the interfaces on it. Wan1 will be for employees and wan2 for guests.
WAN1 and Ether1 172.16.0.0 range
WAN2 192.168.1.0 range
I have a DHCP server on the lan and mikrotik. The problem is I want to block the LAN DHCP from giving out IP's to WAN2 and block the Mikrotik DHCP from LAN and WAN1.
I have these firewall rules, but they are not working:
chain=forward action=drop protocol=udp dst-port=67 log-prefix=""
chain=forward action=drop protocol=udp dst-port=68 log-prefix=""

Any help will be appreciated.
Thank you
 
matiaszon
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Help with blocking DHCP on WAN1 and ether1 and only allow WAN2 to receive

Fri Dec 01, 2017 11:13 am

First of all, I guess it's not WAN1 and WAN2 but wlan1 and wlan2, because you are talking about wireless, aren't you?
Second, please post your settings here, obtained by executing the command below:
/export hide sensitive
Third, does it mean you have one DHCP server in your network on a server, and a second one on the RB411, and you don't want the first one to give addresses to your clients connected to wlan1 and ether1?
 
ebenswanepoel
just joined
Topic Author
Posts: 4
Joined: Thu Nov 30, 2017 11:44 am

Re: Help with blocking DHCP on WAN1 and ether1 and only allow WAN2 to receive

Fri Dec 01, 2017 12:48 pm

Thank you for the reply. Yes, you are right, it is wlan1 and wlan2.

Here is the export info

# dec/01/2017 11:47:11 by RouterOS 6.40.5
# software id = I01R-LMJT
#
# model = 433L
# serial number = 37DD012E4495
# NOTE(review): "/export hide-sensitive" (as requested above) removes the WPA
# pre-shared keys, but the software id and serial number above are still
# printed; when sharing an export publicly, consider redacting them too.
#
# Single bridge with no VLANs; every port below (wlan1, ether1, wlan2) is a
# member of it, so at layer 2 staff and guest traffic share one broadcast
# domain. That is the root of the DHCP problem discussed in this thread.
/interface bridge
add fast-forward=no mtu=1500 name=bridge1 protocol-mode=none
# Staff AP (ssid FKMSA) on the physical radio.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="south africa" \
disabled=no distance=indoors frequency=2412 mode=ap-bridge rx-chains=0,1 \
ssid=FKMSA tx-chains=0,1 wireless-protocol=802.11
/ip neighbor discovery
set wlan1 discover=no
# Both profiles accept WPA (wpa-psk) and TKIP alongside WPA2/AES. If every
# client supports it, wpa2-psk with aes-ccm only is the stronger setting;
# TKIP is a deprecated cipher. The PSKs themselves are hidden by the export.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
tkip,aes-ccm mode=dynamic-keys name=guest supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
# Guest SSID as a virtual AP on top of wlan1, using the "guest" profile.
/interface wireless
add disabled=no mac-address=D6:CA:6D:11:D4:20 master-interface=wlan1 name=\
wlan2 security-profile=guest ssid=FKMSA_Guest wds-cost-range=0 \
wds-default-cost=0
# 3DES on the default IPsec proposal is a weak cipher; no peers or policies
# appear in this export, so it may simply be unused. Confirm before relying on it.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
# "Guest Pool" (.33-.150) overlaps dhcp_pool1 (.40-.90). Only "Guest Pool" is
# referenced by the DHCP server below; dhcp_pool1 looks unused here.
/ip pool
add name="Guest Pool" ranges=192.168.1.33-192.168.1.150
add name=dhcp_pool1 ranges=\
192.168.1.40-192.168.1.90,192.168.1.100-192.168.1.254
# The router's own DHCP server is bound to bridge1, not to wlan2. Since wlan1
# and ether1 are also bridge1 ports, Guest_DHCP can answer DISCOVERs arriving
# from staff clients as well -- presumably not what is intended. The poster's
# goal (router DHCP for wlan2 only) needs either wlan2 out of this bridge or a
# separate bridge/VLAN for guests.
/ip dhcp-server
add address-pool="Guest Pool" authoritative=after-2sec-delay disabled=no \
interface=bridge1 lease-time=3d name=Guest_DHCP
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
# Layer-2 (bridge) filters. chain=input only covers frames addressed to the
# router itself; frames bridged between ports go through chain=forward.
# So the input rules here do not stop the LAN DHCP server's offers from being
# bridged from ether1/wlan1 to wlan2 clients.
/interface bridge filter
add action=drop chain=input dst-address=255.255.255.255/32 ip-protocol=udp \
mac-protocol=ip src-address=192.168.1.0/24 src-port=67-68
# Drops DHCP server traffic (src-port 67) that ARRIVES from wlan2, i.e. a
# rogue server on the guest side -- again only for frames to the router.
add action=drop chain=input dst-port=68 in-interface=wlan2 ip-protocol=udp \
mac-protocol=ip src-port=67
# NOTE(review): chain=filter is not one of the built-in bridge filter chains
# (input/forward/output); it appears to be a user chain that nothing jumps
# to, so this logging rule is most likely never evaluated. Also the comment
# says 192.168.0.0/24 while the rule matches 192.168.1.0/24.
add action=drop chain=filter comment="Block DHCP servers on 192.168.0.0/24" \
dst-address=255.255.255.255/32 ip-protocol=udp log-prefix=\
"ALERT ROGUE DHCP (BLOCKED)" mac-protocol=ip src-address=192.168.1.0/24 \
src-port=67-68
# Duplicates the first input rule above (same match), comment mismatch again.
add action=drop chain=input comment="Block DHCP servers on 192.168.0.0/24" \
dst-address=255.255.255.255/32 ip-protocol=udp mac-protocol=ip \
src-address=192.168.1.0/24 src-port=67-68
# Comment says "wan2 to wan1" but the match is in-interface=wlan1 ->
# out-interface=wlan2, i.e. the opposite direction. Traffic from guests
# (wlan2) towards staff (wlan1) is NOT dropped by this rule; a second rule
# with the interfaces swapped (or ether1 included) would be needed.
add action=drop chain=forward comment="Drop all from wan2 to wan1" \
in-interface=wlan1 out-interface=wlan2
# All three ports in one bridge -- see the note on bridge1 above.
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan2
# use-ip-firewall=yes sends bridged (layer-2 forwarded) traffic through
# /ip firewall as well, which is why the IP-level forward rules below take
# effect on traffic that never leaves the bridge.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes
# Addresses are placed on the member ports rather than on bridge1; on a
# bridged setup the usual practice is to put the IP on the bridge interface.
# The ether1 entry has no prefix length (RouterOS treats that as /32 --
# confirm), so it is not on the 10.194.0.0/19 subnet the way wlan1's is.
/ip address
add address=10.194.1.20/19 interface=wlan1 network=10.194.0.0
add address=192.168.1.11/24 interface=wlan2 network=192.168.1.0
add address=10.194.1.19 interface=ether1 network=10.194.0.0
/ip dhcp-server config
set store-leases-disk=5h
# Static leases; block-access=yes entries are MAC-based deny entries for the
# guest DHCP (they prevent those clients from obtaining a lease here only,
# not from talking on the bridge).
/ip dhcp-server lease
add block-access=yes mac-address=00:50:56:AB:26:EB
add block-access=yes mac-address=00:50:56:AB:42:1D
add block-access=yes mac-address=00:50:56:AB:34:2D
add block-access=yes mac-address=00:50:56:AB:32:11
add block-access=yes mac-address=E0:DB:55:8E:E3:1F
add address=192.168.1.121 always-broadcast=yes client-id=1:58:7f:57:d5:43:35 \
mac-address=58:7F:57:D5:43:35
add block-access=yes client-id=1:64:27:37:fd:f6:d7 mac-address=\
64:27:37:FD:F6:D7 server=Guest_DHCP
add address=192.168.1.149 block-access=yes client-id=1:2c:6e:85:fc:de:8d \
mac-address=2C:6E:85:FC:DE:8D server=Guest_DHCP
add client-id=1:40:b8:9a:f2:cd:1b mac-address=40:B8:9A:F2:CD:1B server=\
Guest_DHCP
add address=192.168.1.87 block-access=yes client-id=1:f8:16:54:5f:fa:73 \
mac-address=F8:16:54:5F:FA:73 server=Guest_DHCP
# Guests are handed gateway 192.168.1.10, but this router's own address on
# wlan2 is 192.168.1.11 (see /ip address). Unless .10 is another device,
# guests get a gateway that is not this router -- verify which is intended.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.10 netmask=24
/ip dns
set servers=10.194.1.30
/ip firewall address-list
add address=192.168.1.0/24 list=FKMSA_Guest
add address=10.194.0.0/19 list=bodene
add address=10.194.0.0/19 list=FKMSA
# These are the rules quoted in the opening post. With use-ip-firewall=yes
# they apply to bridged traffic, but they have no interface or address match:
# every forwarded DHCP request (dst-port 67) and reply (dst-port 68) is
# dropped, in every direction. If they match at all, they also cut the LAN
# DHCP server off from wlan1 clients (ether1 -> wlan1 is forwarded traffic).
# Restricting by in-/out-interface (or in-bridge-port) is needed to block
# only the ether1/wlan1 -> wlan2 direction.
/ip firewall filter
add action=drop chain=forward dst-port=67 protocol=udp
add action=drop chain=forward dst-port=68 protocol=udp
add action=drop chain=forward dst-address=192.168.1.11 src-address=\
192.168.1.20
/ip proxy
set cache-path=web-proxy1 parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=10.194.1.1
add check-gateway=arp distance=1 dst-address=192.168.0.0/24 gateway=\
10.194.1.10
# API is disabled. The export only lists non-default values, so the state of
# the other management services (www, telnet, ftp, ssh, winbox) cannot be
# seen here; check /ip service print separately.
/ip service
set api disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Africa/Johannesburg
/system clock manual
set time-zone=+02:00
/system identity
set name=PE_IT_AP
/system ntp client
set enabled=yes primary-ntp=10.194.1.32 secondary-ntp=196.4.160.4
# Packet sniffer filter is pre-set to the guest interface; presumably a
# leftover from troubleshooting. Harmless while the sniffer is not running.
/tool sniffer
set filter-interface=wlan2 filter-stream=yes
 
ebenswanepoel
just joined
Topic Author
Posts: 4
Joined: Thu Nov 30, 2017 11:44 am

Re: Help with blocking DHCP on WAN1 and ether1 and only allow WAN2 to receive

Fri Dec 01, 2017 1:40 pm

Yes, I have one DHCP server on the LAN that must only give addresses to wlan1. Wlan2 must get addresses only from the DHCP server on the RB411 and not from the LAN DHCP.
 
matiaszon
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Help with blocking DHCP on WAN1 and ether1 and only allow WAN2 to receive

Fri Dec 01, 2017 2:02 pm

I don't think that having two DHCP servers on two different devices in the same network is a good idea. Where is the main DHCP server located - is it a MikroTik too? If so, I would consider creating CAPsMAN and managing the RB411 wlans from there. Otherwise, maybe you should use the RB411 as a router and create another network for wlan2 users. That will separate wlan2 users from the main network and let you configure DHCP on the RB411 only for port wlan2.
 
matiaszon
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Help with blocking DHCP on WAN1 and ether1 and only allow WAN2 to receive

Fri Dec 01, 2017 2:20 pm

I don't think that having two DHCP servers on two different devices in the same network is a good idea. Where do you have the 1st DHCP server, is that another MikroTik? If it is on a MikroTik, maybe you should consider creating CAPsMAN on it and managing the RB411 wlans from there? If not, maybe it would be a better idea to use the RB411 as a router, create another network with DHCP etc. for wlan2 and let these users get IPs from the RB411 only, while wlan1 and ether1 will be getting them from your main DHCP.
 
ebenswanepoel
just joined
Topic Author
Posts: 4
Joined: Thu Nov 30, 2017 11:44 am

Re: Help with blocking DHCP on WAN1 and ether1 and only allow WAN2 to receive

Fri Dec 01, 2017 2:36 pm

Hi
No it is not a MikroTik. I will try doing it the router way and let you know if I get stuck.
Thank you again..
 
matiaszon
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Help with blocking DHCP on WAN1 and ether1 and only allow WAN2 to receive

Fri Dec 01, 2017 2:55 pm

There is also something like DHCP relay on MikroTik, but honestly, I have never tried it, so I don't know how it works or whether it would fit your conditions.
