
 
jorgb
just joined
Topic Author
Posts: 12
Joined: Wed Jun 18, 2014 12:33 am

blocking dhcp over eoip tunnel, but allow local dhcp

Mon May 02, 2016 9:41 pm

Hello,

I got two locations connected via an eoip tunnel.
I have the eoip tunnel bridged together with the local LAN on each side to provide a fully bridged LAN between both locations.
I would like to have a DHCP server running on each router:

Location A                     <-- eoip tunnel -->   Location B
Local DHCP: 192.168.1.10-99                          Local DHCP: 192.168.1.100-200
IP: 192.168.1.0/24                                   IP: 192.168.1.100/24

However, now I have two DHCP servers running on a bridged network... obviously not a good idea.
I would like to filter DHCP traffic between both locations in order to prevent a DHCP mess.

I have a little problem with the filter logic... since both routers have the eoip tunnel bridged with the LAN, I assume I can't use bridge filters on each side as it would probably also filter the local DHCP traffic.

Any ideas?

Thanks
JB
 
littlebill
Member Candidate
Posts: 231
Joined: Sat Apr 30, 2011 3:11 am

Re: blocking dhcp over eoip tunnel, but allow local dhcp

Mon May 02, 2016 10:00 pm

this is a retarded config, having 2 dhcp servers is a recipe for disaster, why are you doing eoip in the first place? why not just use a different subnet and not worry about all the ip conflicts that will occur even if you block one of the dhcp servers from crossing the tunnel?
 
jorgb
just joined
Topic Author
Posts: 12
Joined: Wed Jun 18, 2014 12:33 am

Re: blocking dhcp over eoip tunnel, but allow local dhcp

Mon May 02, 2016 10:33 pm

> this is a retarded config, having 2 dhcp servers is a recipe for disaster, why are you doing eoip in the first place? why not just use a different subnet and not worry about all the ip conflicts that will occur even if you block one of the dhcp servers from crossing the tunnel?

There are a few reasons why I have to maintain the broadcast domain between the 2 locations. There is also a reason why I would prefer to block dhcp traffic over the tunnel. So, I agree that under normal circumstances this is not a preferred config... however, it is what I have to work with (for now).
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Tue May 03, 2016 9:56 am

Drop udp ports 67 and 68 both ways in bridge firewall.
 
jorgb
just joined
Topic Author
Posts: 12
Joined: Wed Jun 18, 2014 12:33 am

Re:

Tue May 03, 2016 5:14 pm

> Drop udp ports 67 and 68 both ways in bridge firewall.

Thanks for your help...
I have done that previously (see filter rules below), however, that will also prevent the local dhcp server from functioning on each local side.

0 ;;; Block DHCP request
  chain=forward action=drop in-bridge=Corp Network Bridge
  out-bridge=Corp Network Bridge mac-protocol=ip dst-port=68 ip-protocol=udp
  log=no log-prefix=""

1 chain=forward action=drop in-bridge=Corp Network Bridge
  out-bridge=Corp Network Bridge mac-protocol=ip dst-port=67 ip-protocol=udp
  log=no log-prefix="FORWARD: "

2 ;;; Block DHCP request
  chain=output action=drop out-bridge=Corp Network Bridge mac-protocol=ip
  dst-port=68 ip-protocol=udp log=no log-prefix=""

3 chain=output action=drop out-bridge=Corp Network Bridge mac-protocol=ip
  dst-port=67 ip-protocol=udp log=no log-prefix="OUTPUT: "

4 ;;; Block DHCP request
  chain=input action=drop in-bridge=Corp Network Bridge mac-protocol=ip
  dst-port=68 ip-protocol=udp log=no log-prefix=""

5 chain=input action=drop in-bridge=Corp Network Bridge mac-protocol=ip
  dst-port=67 ip-protocol=udp log=no log-prefix="INPUT: "

Any more ideas?

Thanks
JB
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Tue May 03, 2016 6:26 pm

Are you using firewall filter or bridge firewall? You should make the drop between the ports of one bridge if you bridged the networks... Better on both sides of the link coming from the linked ports...
 
Sob
Forum Guru
Posts: 4667
Joined: Mon Apr 20, 2009 9:11 pm

Re: blocking dhcp over eoip tunnel, but allow local dhcp

Tue May 03, 2016 6:31 pm

Bridge firewall has in-interface=<name> and out-interface=<name>.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
jorgb
just joined
Topic Author
Posts: 12
Joined: Wed Jun 18, 2014 12:33 am

Re:

Tue May 03, 2016 7:31 pm

> Are you using firewall filter or bridge firewall? You should make the drop between the ports of one bridge if you bridged the networks... Better on both sides of the link coming from the linked ports...

Sorry, I should have specified that the rules are made in the Bridge firewall.

JB
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: blocking dhcp over eoip tunnel, but allow local dhcp

Tue May 03, 2016 7:44 pm

Sob has given the solution for you - limit the filter rules to the EoIP interface.
If the Mikrotiks themselves are acting as DHCP server, you'll also need to filter input of DHCP requests coming in the EoIP interface, and filter output chain out-interface=eoip as well.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

blocking dhcp over eoip tunnel, but allow local dhcp

Wed May 04, 2016 12:52 pm

Input is to the router and output is from the router. If you want to stop dhcp from going through the bridge the forward chain would be where I place those rules on the bridge filter


 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: blocking dhcp over eoip tunnel, but allow local dhcp

Wed May 04, 2016 11:36 pm

> Input is to the router and output is from the router. If you want to stop dhcp from going through the bridge the forward chain would be where I place those rules on the bridge filter

OP stated that he plans to run DHCP on the routers themselves. This requires using the input/output filters instead.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
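
The approach the replies converge on, written out as an added example that is not part of any post in this thread: match on the tunnel port with in-interface/out-interface instead of on the whole bridge with in-bridge/out-bridge, and cover forward, input and output. The interface name eoip-tunnel1 is an assumption; substitute the name of the EoIP interface that is a port of the LAN bridge on each router.

```routeros
# Added example, not from the thread.
# Assumption: the EoIP interface is named eoip-tunnel1 (hypothetical name)
# and is a port of the LAN bridge. Apply the same four rules on both routers.
/interface bridge filter

# forward: DHCP frames bridged between local ports and the tunnel port.
# Matching the tunnel port only leaves local-port-to-local-port DHCP alone.
add chain=forward in-interface=eoip-tunnel1 mac-protocol=ip ip-protocol=udp \
    dst-port=67-68 action=drop comment="DHCP from tunnel to local ports"
add chain=forward out-interface=eoip-tunnel1 mac-protocol=ip ip-protocol=udp \
    dst-port=67-68 action=drop comment="DHCP from local ports to tunnel"

# input: DHCP from the remote site addressed to this router's own DHCP server.
# Requests arriving on local ports do not match and are still served.
add chain=input in-interface=eoip-tunnel1 mac-protocol=ip ip-protocol=udp \
    dst-port=67-68 action=drop comment="remote DHCP to this router"

# output: DHCP sent by this router itself towards the remote site.
# Replies leaving through local ports do not match and still go out.
add chain=output out-interface=eoip-tunnel1 mac-protocol=ip ip-protocol=udp \
    dst-port=67-68 action=drop comment="this router's DHCP into tunnel"
```

Bridge filter rules are evaluated in order, so the earlier in-bridge/out-bridge drop rules have to be removed or disabled first; they match DHCP on every port of the bridge, including the local ones.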
