marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

block dhcp for specific ip range?

Thu Jul 07, 2005 7:04 pm

We would like to set up dhcp for our internal network for ip ranges 192.168.50.0/24 but be able to block that particular ip range for dhcp from going out across the wireless connection.

Setup of primary wireless router:

Bridged eth1, wlan1, wlan2, wlan3, wlan4

We use a bandwidth management unit so we statically assign ip addresses 192.168.60.0/24 for our customers. Our hotspot uses 192.168.15.0/24 for our hotspot users.

I'm still learning how the firewall works. I was thinking that I could possibly tag 192.168.50.0/24 IPs to block UDP port 67, in effect blocking the DHCP for that range of IPs.

Am I correct in thinking this would work? And if so how would I setup the firewall in Mikrotik to do this?
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: block dhcp for specific ip range?

Fri Jul 08, 2005 11:34 pm

We would like to set up dhcp for our internal network for ip ranges 192.168.50.0/24 but be able to block that particular ip range for dhcp from going out across the wireless connection.
So your LAN is bridged with your wireless segments?
If they are not bridged but separated by routing, DHCP will not cross layer 3
network boundaries anyway.

I believe that you cannot use the firewall to prohibit DHCP assignments based
on the IP address the DHCP server decided to hand out for a client, if that's
what you want to do?

Or am I misinterpreting you and you just want to prohibit IP communication on
layer 3 between 192.168.50.0/24 and your other networks?
That is very easy to do with the RouterOS firewall.

--Tom
 
marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Sun Jul 10, 2005 6:03 pm

Tom, you're right, the latter is what I am wanting to do. Block layer 3 ip communication on that 192.168.50.x from the rest of the network. That particular ip only has to communicate with one file server which has its own 192.168.50.x ip also, so if you can explain to me how to block it with the RouterOS firewall I would appreciate it.

Thanks,
Marvin
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sun Jul 10, 2005 8:33 pm

Ok, let's assume the wireless interface that your 192.168.50.0/24 network is running on is wlan3.

Just add a firewall filter rule to the forward chain that blocks everything coming in via wlan3 from
being forwarded through the MT to networks on other interfaces, like this (RouterOS 2.9 syntax):

/ip firewall filter
add chain=forward in-interface=wlan3 action=reject reject-with=icmp-admin-prohibited

Make sure to move this rule to an appropriate position if you already have other filter rules.

It's all documented at http://www.mikrotik.com/docs/ros/2.9/ip/filter

How is the server that is also in 192.168.50.0/24 that you mentioned connected to the network? Also wireless?

--Tom
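
Added example, not part of the original posts: a small Python model of first-match rule evaluation in the forward chain, showing why the position of the reject rule matters when other filter rules already exist. The pre-existing accept rule, the sample addresses and all function and variable names are constructed for illustration; the default of accepting unmatched packets is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                         # "accept" or "reject"
    in_interface: Optional[str] = None  # None matches any interface
    src: Optional[str] = None           # None matches any source address

    def matches(self, in_interface: str, src: str) -> bool:
        if self.in_interface is not None and self.in_interface != in_interface:
            return False
        if self.src is not None and ip_address(src) not in ip_network(self.src):
            return False
        return True


def forward_verdict(rules, in_interface, src):
    """Return (action, index of deciding rule); the first matching rule wins.

    Assumption of this model: a packet matching no rule is accepted.
    """
    for index, rule in enumerate(rules):
        if rule.matches(in_interface, src):
            return rule.action, index
    return "accept", None


# The rule from the post above: reject everything arriving on wlan3.
ISOLATE = Rule("reject", in_interface="wlan3")
# Constructed example of a rule that might already be in the chain.
ALLOW_PRIVATE = Rule("accept", src="192.168.0.0/16")

APPENDED = [ALLOW_PRIVATE, ISOLATE]  # new rule simply added at the end
MOVED_UP = [ISOLATE, ALLOW_PRIVATE]  # new rule moved above the broad accept

if __name__ == "__main__":
    # Constructed probe packets: (in-interface, source address).
    probes = [("wlan3", "192.168.50.10"), ("eth1", "192.168.60.7")]
    for name, chain in (("appended", APPENDED), ("moved up", MOVED_UP)):
        for iface, src in probes:
            action, idx = forward_verdict(chain, iface, src)
            print(f"{name:9} {iface:6} {src:15} -> {action} (rule {idx})")
```

With the rule appended after the broad accept, traffic from 192.168.50.10 on wlan3 is still forwarded; only the reordered chain isolates it.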
 
marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Sun Jul 10, 2005 10:04 pm

Thanks.. Actually the .50 are on the ethernet side just used for giving customer computers that are being worked on. So I'll just add that filter to the ethernet side. Thanks for the help.
