DHCP-Client > Fake DHCP-Server filtering not working

111111 · Sat May 19, 2018 4:05 pm

Is there a way to drop fake dhcp server in operator network?
MikroTik is DHCP-Client
With firewall filter drop fake dhcp-server mac address not working
in RAW filter also not working
Actuarially with this rules all communication to fake dhcp is stopped,
but if I renew dhcp it take dhcp response without problem no meter that both rules count drooped packages.

nescafe2002 · Sat May 19, 2018 4:43 pm

You are correct. IP firewall filter does not apply to dhcp-client.
I have already requested to change this (Ticket#2018042422003031).
However, this is by design and will not be changed.

The work around is to create bridge for the WAN interface (if not already bridged) and apply bridge filter, e.g.

/interface bridge
add name=bridge-wan
/interface bridge port
add bridge=bridge-wan interface=ether1
/interface bridge filter
add action=log chain=input comment="rogue dhcp reply" dst-port=68 in-bridge=bridge-wan \
    ip-protocol=udp log-prefix="[Rogue DHCP]" mac-protocol=ip \
    src-address=!x.x.x.x/32 src-port=67

Where x.x.x.x is the IP address of your authoritative DHCP server.

Better, upgrade to 6.40.8, 6.42.2 or >=6.43rc7 in which the (unicast) dhcp renewal is fixed:

*) dhvpv4-client - fixed DHCP client stuck in renewing state;

111111 · Sat May 19, 2018 7:55 pm

ROS is latest
but we need trusted dhcp pool/server feature request

p.s.

src-address=!x.x.x.x/32

what is ip for?
setting are in dhcp response package

nescafe2002 · Tue May 22, 2018 11:12 pm

Where x.x.x.x is the IP address of your authoritative DHCP server.

DHCP-Client > Fake DHCP-Server filtering not working

DHCP-Client > Fake DHCP-Server filtering not working

Re: DHCP-Client > Fake DHCP-Server filtering not working

Re: DHCP-Client > Fake DHCP-Server filtering not working

Re: DHCP-Client > Fake DHCP-Server filtering not working

Who is online