irobot
just joined
Topic Author
Posts: 11
Joined: Wed Sep 04, 2019 3:27 pm

CHR DHCP Firewall bug?

Sun May 09, 2021 1:18 am

Hello

Deployed a CHR with GNS3 to test it alongside a few connected hosts (Ubuntu and GNS3 VPCS).
Updated to the latest long-term ROS

Trying to implement a simple firewall and everything is working except
* Input chain: DHCP filter is bypassing firewall
[attachment: Capture.PNG]
Result: DHCP traffic is visible in the log file and not filtered (hosts are getting answers, so the router receives the DHCP discover and DHCP request packets).
[attachment: dhcp.PNG]
Bug? Can someone give it a try please?
 
tdw
Forum Veteran
Posts: 858
Joined: Sat May 05, 2018 11:55 am

Re: CHR DHCP Firewall bug?

Sun May 09, 2021 4:32 pm

It is expected behaviour - the DHCP server uses raw sockets which receive this traffic before it reaches the IP firewall
 
irobot
just joined
Topic Author
Posts: 11
Joined: Wed Sep 04, 2019 3:27 pm

Re: CHR DHCP Firewall bug?

Sun May 09, 2021 10:08 pm

It is expected behaviour - the DHCP server uses raw sockets which receive this traffic before it reaches the IP firewall
Understood.
Could you point me to a document (if one exists) about this behaviour on MikroTik's website?

Big thanks!
 
tdw
Forum Veteran
Posts: 858
Joined: Sat May 05, 2018 11:55 am

Re: CHR DHCP Firewall bug?

Sun May 09, 2021 11:04 pm

It is not MikroTik-specific; it likely affects most Linux-based systems.

With BOOTP, and subsequently DHCP, a client sends requests to UDP port 67 on a server, and the server sends responses to the client using UDP port 68 - AFAIK this methodology was to prevent messages being inappropriately rebroadcast. As this is not the usual behaviour for a typical UDP socket()/bind()/recvfrom()/sendto() it requires DHCP/BOOTP servers to utilise raw sockets and craft the necessary IP & UDP headers.

I can't recall if you can block these packets from reaching the MikroTik DHCP server under /ip firewall raw or if you have to resort to putting the interface in a bridge and using /interface bridge filter rules.
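Added example, not from the thread: a small Python script that crafts the IPv4 and UDP headers a raw-socket DHCP sender has to supply (here for a DHCPDISCOVER from 0.0.0.0:68 to 255.255.255.255:67) and then decodes such a datagram the way a packet capture on the interface sees it, which is where to verify DHCP traffic on a CHR given that, as explained above, the IP firewall input chain never sees it. The transaction id, client MAC and addresses are constructed sample values.

```python
import struct
from typing import Optional

IP_PROTO_UDP = 17
BOOTP_SERVER_PORT = 67   # client -> server (requests)
BOOTP_CLIENT_PORT = 68   # server -> client (replies)
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header; returns 0 when a filled-in checksum verifies."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_dhcp_discover(xid: int, chaddr: bytes) -> bytes:
    """Craft the IPv4 and UDP headers a raw-socket sender must supply, plus a minimal DHCPDISCOVER."""
    # BOOTP fixed header (236 bytes): op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops, xid, secs, flags=broadcast
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr, b"", b"")
    payload = bootp + DHCP_MAGIC + b"\x35\x01\x01" + b"\xff"   # option 53 = DISCOVER, then END
    udp = struct.pack("!HHHH", BOOTP_CLIENT_PORT, BOOTP_SERVER_PORT, 8 + len(payload), 0)  # UDP csum 0 = none (IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), xid & 0xFFFF, 0, 64,
                     IP_PROTO_UDP, 0, bytes(4), bytes([255, 255, 255, 255]))   # 0.0.0.0 -> 255.255.255.255
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]                  # fill in the header checksum
    return ip + udp + payload

def classify_dhcp(packet: bytes) -> Optional[dict]:
    """Decode a captured IPv4 datagram; returns DHCP/BOOTP details, or None if it is not BOOTP on 67/68."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != IP_PROTO_UDP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:          # corrupted or mis-crafted header: do not trust the rest
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if {sport, dport} != {BOOTP_CLIENT_PORT, BOOTP_SERVER_PORT}:
        return None
    bootp = packet[ihl + 8:ihl + ulen]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    msg_type, i, opts = None, 0, bootp[240:]
    while i < len(opts) and opts[i] != 0xFF:    # TLV options; 0 is a one-byte pad, 0xFF is END
        code = opts[i]
        if code == 53:                           # DHCP Message Type
            msg_type = DHCP_MSG_TYPES.get(opts[i + 2], opts[i + 2])
        i += 1 if code == 0 else 2 + opts[i + 1]
    return {"direction": "client->server" if dport == BOOTP_SERVER_PORT else "server->client",
            "op": bootp[0], "xid": struct.unpack("!I", bootp[4:8])[0], "msg_type": msg_type}
```

Feeding `classify_dhcp` the UDP/IP portion of frames from a sniffer capture on the CHR interface shows the 68/67 exchanges that the input-chain counters never reflect.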
