
CHR DHCP Firewall bug?

Posted: Sun May 09, 2021 1:18 am
by irobot
Hello

Deployed a CHR with GNS3 to test it alongside a few connected hosts (Ubuntu and GNS3 VPCS).
Updated to the latest long-term ROS.

Trying to implement a simple firewall and everything is working except:
* Input chain: DHCP filter is bypassing the firewall
[attachment: Capture.PNG]
Result: DHCP traffic is visible in the log file and not filtered (hosts are getting answers, so the router receives DHCP discovery and DHCP request packets).
[attachment: dhcp.PNG]
Bug? Can someone give it a try please?

Re: CHR DHCP Firewall bug?

Posted: Sun May 09, 2021 4:32 pm
by tdw
It is expected behaviour - the DHCP server uses raw sockets, which receive this traffic before it reaches the IP firewall.

Re: CHR DHCP Firewall bug?

Posted: Sun May 09, 2021 10:08 pm
by irobot
> It is expected behaviour - the DHCP server uses raw sockets which receive this traffic before it reaches the IP firewall

Understood.
Could you point me to a document (if one exists) about this behaviour on MikroTik's website?

Big thanks!

Re: CHR DHCP Firewall bug?

Posted: Sun May 09, 2021 11:04 pm
by tdw
It is not MikroTik specific; it likely affects most Linux-based systems.

With BOOTP, and subsequently DHCP, a client sends requests to UDP port 67 on a server, and the server sends responses to the client using UDP port 68 - AFAIK this methodology was to prevent messages being inappropriately rebroadcast. As this is not the usual behaviour for a typical UDP socket()/bind()/recvfrom()/sendto(), it requires DHCP/BOOTP servers to utilise raw sockets and craft the necessary IP & UDP headers.

I can't recall if you can block these packets reaching the MikroTik DHCP server under /ip firewall raw, or if you have to resort to putting the interface in a bridge and using /interface bridge filter rules.
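The port convention tdw describes (client requests to UDP 67, server replies to UDP 68, both carried as BOOTP messages) is easy to check against a captured datagram. The following is an added example, not code from the thread or from MikroTik: it builds a constructed DHCPDISCOVER and DHCPOFFER payload in the RFC 2131 layout, parses the BOOTP header and the option 53 message type, and classifies the datagram by its port pair. A script like this, fed the UDP payload and ports from a packet capture, lets you confirm that what the CHR is answering really is client-originated DHCP on 68→67 rather than something a filter rule should have seen. The packet bytes, transaction id and MAC address are all made up here.

```python
"""
Added example (not from the forum thread): parse a BOOTP/DHCP message and
check the UDP port convention (client -> server port 67, server -> client
port 68). All packet bytes below are constructed, not captured from a CHR.
"""
import struct

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp_payload(op, msg_type, xid, chaddr, extra_options=b""):
    """Build a minimal BOOTP/DHCP UDP payload (236-byte fixed header + options).

    op=1 is BOOTREQUEST (client), op=2 is BOOTREPLY (server). Sample data only.
    """
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op,
        1,                      # htype: Ethernet
        6,                      # hlen: MAC length
        0,                      # hops
        xid,                    # transaction id
        0,                      # secs
        0x8000,                 # flags: broadcast bit set
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"),                      # client hardware address
        b"\0" * 64,             # sname
        b"\0" * 128,            # file
    )
    # Option 53 carries the DHCP message type; 0xff terminates the option list.
    options = MAGIC_COOKIE + bytes([53, 1, msg_type]) + extra_options + b"\xff"
    return fixed + options


def parse_dhcp(payload):
    """Parse the BOOTP fixed header and the TLV option list of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    chaddr = payload[28:28 + hlen]
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:           # pad option, single byte
            i += 1
            continue
        if code == 255:         # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MESSAGE_TYPES.get(options.get(53, b"\0")[0], "UNKNOWN")
    return {"op": op, "xid": xid, "chaddr": chaddr.hex(":"),
            "type": msg_type, "options": options}


def classify_dhcp_direction(src_port, dst_port, payload):
    """Return (direction, message type) if the datagram follows the BOOTP port rule."""
    msg = parse_dhcp(payload)
    if src_port == DHCP_CLIENT_PORT and dst_port == DHCP_SERVER_PORT and msg["op"] == 1:
        return ("client->server", msg["type"])
    if src_port == DHCP_SERVER_PORT and dst_port == DHCP_CLIENT_PORT and msg["op"] == 2:
        return ("server->client", msg["type"])
    return ("unexpected", msg["type"])


if __name__ == "__main__":
    # Constructed sample: a client with a made-up MAC broadcasts a DISCOVER
    # from port 68 to port 67, and the server answers with an OFFER 67 -> 68.
    mac = bytes.fromhex("0c1122334455")
    discover = build_dhcp_payload(1, 1, 0x12345678, mac)
    offer = build_dhcp_payload(2, 2, 0x12345678, mac,
                               extra_options=bytes([54, 4, 192, 168, 1, 1]))  # option 54: server id
    for src, dst, pkt in [(68, 67, discover), (67, 68, offer), (67, 67, offer)]:
        print(src, "->", dst, classify_dhcp_direction(src, dst, pkt), parse_dhcp(pkt)["chaddr"])
```

Run it directly to see the three classifications; anything reported as "unexpected" (for example a BOOTREQUEST arriving from port 67) is traffic that does not fit the convention tdw describes and is worth a closer look in the capture.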