
How to block Second (Unknown) DHCP server on network

Posted: Thu Mar 08, 2007 2:26 am
by WirelessRudy
I have a network with Hotspot set up. Most works fine, but at times I have clients that play around with their ADSL routers from previous providers and use only the LAN side to connect to my network and their PC. Usually by default most of these have a DHCP server enabled. Of course my network also has a DHCP server enabled, and on top of that the Hotspot system also wants to assign IP addresses.
This (unknown to me) second DHCP server obstructs my network, and legitimate clients that re-associate get different network IPs assigned and can't log into the hotspot any more. It also creates network storms at times, which brings the whole network down.

It takes hours to trace down where the illegal DHCP server is. Is there no way to block illegal DHCP servers in general?

Posted: Thu Mar 08, 2007 2:34 am
by Znuff
First of all you should set up your DHCP server as Authoritative; most ADSL routers with DHCP obey that flag.

Posted: Thu Mar 08, 2007 12:32 pm
by WirelessRudy
Authoritative is on by default, with 2 secs delay. Still have that problem.
Actually, if I read up in the reference manual, it explains the DHCP server will now wait 2 secs for the client to come back with an IP request again. If it has been assigned an IP from another DHCP server it will not come back. So then the clients don't get an IP from my server?
But actually the explanation in the ref. manual doesn't make sense to me.

Any other suggestions?

Posted: Thu Mar 08, 2007 9:35 pm
by Znuff
Remove the 2 seconds delay, there's no need for that.

Re: How to block Second (Unknown) DHCP server on network

Posted: Thu Jan 06, 2011 8:06 pm
by Mayssam961
Was that problem fixed by removing the delay? Because I have the same problem...
Thanks a lot, I would really appreciate any help, thanks

Re: How to block Second (Unknown) DHCP server on network

Posted: Thu Jan 06, 2011 8:17 pm
by fewi
Implement CPE firewall rules that block customers from acting as DHCP servers on your network.

DHCP servers reply sourced from udp/67 to udp/68. Block that traffic on the customer facing port.
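
As an added example (not from this thread or from RouterOS), the check below parses the DHCP reply that arrives at udp/68 and flags any DHCPOFFER/DHCPACK whose Server Identifier (option 54) is not the hotspot's own DHCP server, which is the trace the original poster spends hours on. The server address 10.5.50.1 and the sample packets are constructed for the example.

```python
from typing import Dict, Optional, Set

# DHCP option codes (RFC 2132) and the magic cookie that starts the options field
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 53, 54, 0, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPOFFER, DHCPACK = 2, 5

def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Parse the options of a BOOTP/DHCP UDP payload into {option_code: raw_value}."""
    # The fixed BOOTP header is 236 bytes; the magic cookie must follow it.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):  # truncated option, stop parsing
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def rogue_server(payload: bytes, allowed: Set[str]) -> Optional[str]:
    """Return the offending server address if an OFFER/ACK came from a server
    not in the allow-list; None for legitimate replies or non-reply messages."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if msg_type not in (DHCPOFFER, DHCPACK):
        return None
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return "unknown (no server identifier option)"
    server_ip = ".".join(str(b) for b in sid)
    return None if server_ip in allowed else server_ip

def build_reply(server_ip: str, msg_type: int = DHCPOFFER) -> bytes:
    """Constructed sample reply (op=BOOTREPLY, other header fields zeroed)."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232
    sid = bytes(int(x) for x in server_ip.split("."))
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + sid + bytes([OPT_END])

if __name__ == "__main__":
    # Constructed samples: 10.5.50.1 is assumed to be the hotspot's own DHCP server
    for pkt in (build_reply("10.5.50.1"), build_reply("192.168.1.1")):
        print(rogue_server(pkt, {"10.5.50.1"}))
```

Feed it the UDP payloads of a capture filtered on src port 67 and dst port 68 on the hotspot interface; the MAC of the frame carrying a flagged reply identifies the customer port to isolate.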

Re: How to block Second (Unknown) DHCP server on network

Posted: Sat Mar 19, 2011 6:18 pm
by Mayssam961
Implement CPE firewall rules that block customers from acting as DHCP servers on your network.

DHCP servers reply sourced from udp/67 to udp/68. Block that traffic on the customer facing port.
Can you please post a guide on how to add that rule?
Or an example?
Please, any hints?

Re: How to block Second (Unknown) DHCP server on network

Posted: Sat Mar 19, 2011 7:12 pm
by fewi
http://en.wikipedia.org/wiki/Dynamic_Ho ... n_Protocol
That explains DHCP traffic flow. Block it where appropriate. For example, apply the following rule to the CPE interface facing your network:
/ip firewall filter
# drop DHCP server replies (udp/67 -> udp/68) leaving the CPE towards the network;
# the filter default action is accept, so action=drop is required for the rule to block
add chain=forward out-interface=WAN protocol=udp src-port=67 dst-port=68 action=drop
Now the client cannot send DHCP offers through the CPE to your network.

Re: How to block Second (Unknown) DHCP server on network

Posted: Sun Mar 20, 2011 12:40 am
by sup5
Don't fight the caused problems.
Avoid the root of the cause.

i.e.:
Don't do weird firewalling.
Instead apply proper user isolation.

VLANs, EoIP/VPLS Tunnels and Horizon Bridging/Private VLAN Edge (PVE) are your friends.

A proper Port/User Isolation only allows the clients to communicate with your Hotspot.
Communication between the clients is NOT possible. This means a fraudulent DHCP server won't affect the other users.
This way you will also be able to suppress MAC spoofing, which a user can abuse to steal another user's Hotspot session.
There is absolutely no need to do weird firewalling at the user's site.

Re: How to block Second (Unknown) DHCP server on network

Posted: Wed Mar 13, 2013 10:50 pm
by sooli
Don't fight the caused problems.
Avoid the root of the cause.

i.e.:
Don't do weird firewalling.
Instead apply proper user isolation.

VLANs, EoIP/VPLS Tunnels and Horizon Bridging/Private VLAN Edge (PVE) are your friends.

A proper Port/User Isolation only allows the clients to communicate with your Hotspot.
Communication between the clients is NOT possible. This means a fraudulent DHCP server won't affect the other users.
This way you will also be able to suppress MAC spoofing, which a user can abuse to steal another user's Hotspot session.
There is absolutely no need to do weird firewalling at the user's site.
Any example of isolating users on a local area network using hotspot?