onlineuser
Member Candidate
Topic Author
Posts: 225
Joined: Thu Aug 06, 2015 12:10 pm

firewall rules for WAN interface - DHCP firewall rules without effect

Thu Oct 18, 2018 3:20 pm

Hello,

As a supplement to this thread (still unsolved) - viewtopic.php?f=2&t=101896 - I want to ask the same question again.

When my firewall rules on my testing router with ROS 6.40 dropped all WAN traffic, it was not possible for the WAN port to get an IP address from the ISP. In ROS 6.42.9 and 6.43, for example, I also tested it, and there the WAN port can be assigned an IP address although my firewall rules block all traffic on this interface. I noticed this strange behavior because I have rules for the WAN port which also count the DHCP renewals. And in ROS 6.42 I noticed that the counter stays at zero but the IP could still be assigned. The UDP connections were also shown in the connection list.

How can it happen that the WAN port can be assigned an IP from the ISP although all traffic is blocked (is the firewall service loaded too late during startup)?

Are there hidden rules or even more hidden rules implemented on newer firmware releases?

Thanks a lot.
 
cdiedrich
Forum Veteran
Posts: 958
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: firewall rules for WAN interface - DHCP firewall rules without effect

Thu Oct 18, 2018 3:37 pm

Well, the firewall is L3; DHCP happens on L2 until the lease is ack'ed by the DHCP server.

DHCP discover goes from your WAN-facing MAC address to ff:ff:ff:ff:ff:ff; that's an L2 broadcast.
DHCP offer is L2 unicast from the DHCP server's MAC to your WAN-facing MAC.
DHCP request is L2 unicast from your WAN-facing MAC to the DHCP server's MAC.
DHCP ack is still L2 unicast, from the DHCP server's MAC to your WAN-facing MAC.

And here's the point where your firewall starts to work.

I'm rather surprised that it 'worked' in 6.40.

-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
nescafe2002
Long time Member
Posts: 674
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: firewall rules for WAN interface - DHCP firewall rules without effect

Thu Oct 18, 2018 3:42 pm

I have no explanation, but had the same issue and resolved it by creating a bridge for WAN and applying bridge filtering.

/interface bridge filter
add action=drop chain=input comment="Rogue DHCP" dst-port=68 in-bridge=bridge-wan ip-protocol=udp \
    log=yes log-prefix="[Rogue DHCP]" mac-protocol=ip src-address=!1.2.3.4/32 src-port=67

MT support's response to the IP (filter/raw) firewall not blocking DHCP packets:

This is made on purpose. Behaviour will not be changed.
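As an added illustration (not part of nescafe2002's post or of MikroTik's code), the Python below rebuilds the match logic of the bridge filter rule above and runs it over constructed Ethernet/IPv4/UDP frames shaped like the DHCP exchange cdiedrich described: the broadcast DISCOVER passes, a server-to-client reply from the trusted address passes, and one from any other address is dropped. 203.0.113.1 stands in for the 1.2.3.4 of the rule; all MACs and addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Constructed placeholder for the ISP's legitimate DHCP server; plays the role
# of the 1.2.3.4 in the bridge filter rule (src-address=!1.2.3.4/32).
TRUSTED_DHCP_SERVER = IPv4Address("203.0.113.1")
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> UDP headers of an untagged frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": ethertype}
    if ethertype != 0x0800:               # mac-protocol=ip
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info.update(ip_protocol=ip[9], src_ip=IPv4Address(ip[12:16]),
                dst_ip=IPv4Address(ip[16:20]))
    if ip[9] != 17:                       # ip-protocol=udp
        return info
    info["src_port"], info["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def bridge_filter_verdict(frame: bytes) -> str:
    """Same match as the rule: UDP 67 -> 68 (server-to-client DHCP) from any
    source other than the trusted server is dropped; everything else passes."""
    p = parse_frame(frame)
    if (p.get("ip_protocol") == 17 and p.get("src_port") == 67
            and p.get("dst_port") == 68 and p["src_ip"] != TRUSTED_DHCP_SERVER):
        return "drop"                     # the router would log it as "[Rogue DHCP]"
    return "accept"


def build_udp_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                    src_port: int, dst_port: int, payload: bytes = b"\x00" * 240) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP frame (checksums left zero: this is
    sample input for the parser, not a packet meant to be transmitted)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + udp


# Constructed traffic: the exchange described in the thread, as seen on the WAN port.
CLIENT_MAC = bytes.fromhex("020000000001")
DISCOVER = build_udp_frame(CLIENT_MAC, BROADCAST_MAC, "0.0.0.0", "255.255.255.255", 68, 67)
GOOD_OFFER = build_udp_frame(bytes.fromhex("0200000000aa"), CLIENT_MAC, "203.0.113.1", "192.0.2.10", 67, 68)
ROGUE_OFFER = build_udp_frame(bytes.fromhex("0200000000bb"), CLIENT_MAC, "192.0.2.99", "192.0.2.10", 67, 68)
```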
 
sebastia
Forum Guru
Posts: 1797
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: firewall rules for WAN interface - DHCP firewall rules without effect

Tue Jan 22, 2019 5:11 pm

Well, the firewall is L3, DHCP happens on L2 until the lease is ack'ed by the DHCP server.
-Chris
DHCP is over UDP, and CAN be firewalled and NEEDS to be allowed or it won't work...
See https://en.wikipedia.org/wiki/Dynamic_H ... n_Protocol for protocol details


In the context of the original question, MT allows the initial DHCP request from port 68 to 67 on UDP, and "allow established/related" takes care of the response.

Edit: corrected to current reality
Last edited by sebastia on Tue Jan 22, 2019 11:51 pm, edited 1 time in total.
 
nescafe2002
Long time Member
Posts: 674
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: firewall rules for WAN interface - DHCP firewall rules without effect

Tue Jan 22, 2019 10:19 pm

DHCP is over UDP, and CAN be firewalled and NEEDS to be allowed or it won't work...
See https://en.wikipedia.org/wiki/Dynamic_H ... n_Protocol for protocol details

Again, the DHCP client cannot be firewalled using the IP firewall.


Only the bridge firewall.

 
sebastia
Forum Guru
Posts: 1797
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: firewall rules for WAN interface - DHCP firewall rules without effect

Tue Jan 22, 2019 11:58 pm

Unfortunately, you are correct.
And I say "unfortunately" because it doesn't make any sense and goes against logic, as the protocol uses UDP on top of IP, both normally handled by the IP firewall.

Further, in the past it had to be explicitly allowed. I ran into it in ROS 2, 3 and still (I think) 4. Later on I just took the standard config over, and so don't know when the change occurred.

Wondering why MT made an exception here?

And thank you for your very thorough response ;-).
 
nescafe2002
Long time Member
Posts: 674
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: firewall rules for WAN interface - DHCP firewall rules without effect

Wed Jan 23, 2019 11:19 am

There's another discussion on the topic: viewtopic.php?t=36035

I don't understand why, but the behavior is reported, confirmed by MT, and there is an acceptable workaround (use bridge filter).

Perhaps some documentation on this specific limitation would be nice.
 
sebastia
Forum Guru
Posts: 1797
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: firewall rules for WAN interface - DHCP firewall rules without effect

Wed Jan 23, 2019 8:41 pm

There's another discussion on the topic: viewtopic.php?t=36035

I don't understand why, but the behavior is reported, confirmed by MT, and there is an acceptable workaround (use bridge filter).

Perhaps some documentation on this specific limitation would be nice.
Thx, indeed a doc would be nice.

For the fun of it, I tried dropping in the RAW table, but "no such luck" ;-)
 
onlineuser
Member Candidate
Topic Author
Posts: 225
Joined: Thu Aug 06, 2015 12:10 pm

Re: firewall rules for WAN interface - DHCP firewall rules without effect

Sun Mar 24, 2019 8:40 am

Up to 6.40.1 it worked to filter DHCP requests on the WAN port.

On later releases I tried to enable the "use-ip-firewall" feature and added a rogue DHCP rule.
/interface bridge settings set use-ip-firewall yes/no
[admin@Client] > /interface bridge settings print
              use-ip-firewall: yes
     use-ip-firewall-for-vlan: no
    use-ip-firewall-for-pppoe: no
              allow-fast-path: yes
      bridge-fast-path-active: no
     bridge-fast-path-packets: 0
       bridge-fast-path-bytes: 0
  bridge-fast-forward-packets: 0
    bridge-fast-forward-bytes: 0
rougeDHCP: input,udp,src67,dst68,wan,log
This works partially.

But why did MikroTik change this behavior?