changeip
Forum Guru
Topic Author
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Blocking LLDP / Protocol 35020

Fri Apr 23, 2021 5:55 am

How come this doesn't work?

/ip firewall raw add chain=output protocol=35020 out-interface=vlan2-Any2Exchange action=drop
failure: ip protocol must be in range (0..255)

How can I block LLDP leaving the RouterOS?
 
changeip
Forum Guru
Topic Author
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Blocking LLDP / Protocol 35020

Fri Apr 23, 2021 6:06 am

I know I can turn off discovery - just wondering why I can't firewall it.

Also - why does this not catch the outgoing packet? Counter never increments yet I see it in the packet capture.

/ip firewall raw
add action=drop chain=output comment="drop discovery out any2 exchange" dst-port=5678 out-interface=vlan2-Any2Exchange protocol=udp
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: Blocking LLDP / Protocol 35020

Sat Apr 24, 2021 9:19 pm

You can't "block" broadcast traffic, it doesn't get routed. If you don't want it on your network you need to filter it on your switches or disable LLDP on the source devices.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Blocking LLDP / Protocol 35020

Sat Apr 24, 2021 9:52 pm

@changeip, too many things work differently than you expect.
The ip firewall only deals with IP packets, so the protocol matches on the payload protocols of IP, such as UDP, TCP, GRE...
MNDP is an application using UDP and port 5678, but RouterOS sends MNDP packets in such a way that they bypass the IP firewall.
LLDP and CDP do not use IP as transport, so only bridge filter rules can match them, using mac-protocol=lldp and dst-mac-address=01:00:0C:CC:CC:CC, respectively. But also here, RouterOS sends these frames directly from the interfaces, so bridge filter cannot prevent them from being sent.
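As an added illustration of the point sindy makes (example code written for this thread, not from MikroTik or any poster): a small Python classifier that parses the three discovery frames named above and reports which RouterOS table could even see each one. The sample frames, the source MAC and the MNDP payload are constructed for the example; the matcher strings are the ones quoted in the thread.

```python
"""Classify Ethernet frames for the three discovery protocols named in the
thread (LLDP, CDP, MNDP) and report which RouterOS table could match them.
Added example; the sample frames below are constructed, not captured."""
import struct

ETHERTYPE_LLDP = 0x88CC   # == 35020 decimal, the number the OP passed as an IP protocol
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
MNDP_PORT = 5678
CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")   # dst-mac-address from the thread
LLDP_MULTICAST_MAC = bytes.fromhex("0180c200000e")
SRC_MAC = bytes.fromhex("0011223344ff")             # constructed sender address


def ip_protocol_field_ok(value: int) -> bool:
    """The IPv4 'protocol' field is one byte, hence RouterOS's 0..255 check."""
    return 0 <= value <= 255


def classify_frame(frame: bytes) -> dict:
    """Return the protocol, the layer it lives at, and the table/matcher
    that could see it on a transit path (locally generated frames bypass both)."""
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]

    if ethertype == ETHERTYPE_LLDP:
        return {"proto": "lldp", "layer": "ethernet", "ip_protocol": None,
                "table": "bridge filter", "matcher": "mac-protocol=lldp"}

    # A value <= 1500 here is an 802.3 length field, not an EtherType;
    # CDP is carried in LLC/SNAP to the Cisco multicast MAC, with no IP layer.
    if ethertype <= 1500 and dst == CDP_MULTICAST_MAC:
        return {"proto": "cdp", "layer": "ethernet", "ip_protocol": None,
                "table": "bridge filter",
                "matcher": "dst-mac-address=01:00:0C:CC:CC:CC"}

    if ethertype == ETHERTYPE_IPV4:
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # header length in bytes
        proto = ip[9]                     # the one-byte protocol field
        if proto == IPPROTO_UDP:
            _sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
            if dport == MNDP_PORT:
                return {"proto": "mndp", "layer": "ip/udp", "ip_protocol": proto,
                        "table": "ip firewall",
                        "matcher": "protocol=udp dst-port=5678"}
        return {"proto": "other-ip", "layer": "ip", "ip_protocol": proto,
                "table": "ip firewall", "matcher": f"protocol={proto}"}

    return {"proto": "unknown", "layer": "ethernet", "ip_protocol": None,
            "table": "bridge filter", "matcher": f"mac-protocol=0x{ethertype:04x}"}


# --- constructed sample frames -------------------------------------------

def build_lldp_frame() -> bytes:
    # LLDPDU: Chassis ID (MAC subtype), Port ID (ifname), TTL 120 s, End TLV.
    # TLV header is 7 bits of type and 9 bits of length.
    tlvs = (struct.pack("!H", (1 << 9) | 7) + b"\x04" + SRC_MAC
            + struct.pack("!H", (2 << 9) | 3) + b"\x05e1"
            + struct.pack("!H", (3 << 9) | 2) + struct.pack("!H", 120)
            + b"\x00\x00")
    return LLDP_MULTICAST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_LLDP) + tlvs


def build_cdp_frame() -> bytes:
    # 802.3 length field, LLC/SNAP with Cisco OUI and PID 0x2000, minimal CDP header
    snap = b"\xaa\xaa\x03" + b"\x00\x00\x0c" + b"\x20\x00"
    cdp = b"\x02\xb4\x00\x00"     # version 2, holdtime 180 s, checksum left zero
    payload = snap + cdp
    return CDP_MULTICAST_MAC + SRC_MAC + struct.pack("!H", len(payload)) + payload


def build_mndp_frame() -> bytes:
    payload = b"constructed mndp payload"
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", MNDP_PORT, MNDP_PORT, udp_len, 0) + payload
    # IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([192, 168, 88, 1]),
                     bytes([255, 255, 255, 255])) + udp
    return b"\xff" * 6 + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    for name, frame in (("lldp", build_lldp_frame()),
                        ("cdp", build_cdp_frame()),
                        ("mndp", build_mndp_frame())):
        print(name, classify_frame(frame))
    print("35020 usable as an IP protocol number:", ip_protocol_field_ok(35020))
```

Running it shows why the first rule in the thread fails: 35020 is 0x88CC, the LLDP EtherType, not an IPv4 protocol number, so it can never fit the one-byte field the raw table checks. The classifier only tells you which table a frame would traverse on a transit path; as the thread notes, frames RouterOS generates itself leave the interface without passing either table, so turning discovery off on the interface remains the actual fix.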
 
changeip
Forum Guru
Topic Author
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Blocking LLDP / Protocol 35020

Mon Apr 26, 2021 7:23 am

Figures. It's probably generated in the kernel. Just seems weird you cannot block udp/5678 in the router's own firewall on the output chain. I remember a long time ago running into this with dhcp client requests as well. Makes a good case for double-checking if your hardware is calling home, because even if you think you have blocked it you really haven't...
