Raiders13
just joined
Topic Author
Posts: 4
Joined: Sat Aug 29, 2020 10:49 am

Weird connection - WAN DHCP

Sat Jun 25, 2022 3:13 pm

I've been trying to figure this out and been running against walls.
I've got a RouterBOARD 962UiGS-5HacT2HnT
I have a ISP that gives me 50 Mb/s internet.
Using the default config, speed tests give me a max of about 25 Mb/s. Yea, I even reset the router to defaults.
So I have to use fasttrack to get 50 Mb/s.

My problem is, I have been picking up traffic on the PPPoE connection, running in and out. Sometimes using max bandwidth.
Delving further, I pick up netgear equipment on the DHCP server. I don't have netgear equipment.
It appears that somehow, netgear equipment on the WAN fiber is connecting via the NTU, directing traffic through it. (I think)

I tried to isolate the DHCP from the port, which only broke my network or internet.
I tried firewall rules, but that also failed.

I think it is a misconfig but everything I tried, I run against a wall.
Bridge is all lan ports in a group. I still need to get to the NTU device to see fiber status.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Weird connection - WAN DHCP

Sat Jun 25, 2022 4:51 pm

According to the product page, you should not need fasttracking to get 50 Mbit/s on a hAP ac. But I am totally lost in your description of the network - especially the role and even presence of the Netgear equipment. Can you provide a diagram of the network (a photo of a drawing on a paper is sufficient)? Also, would you mind revealing your native language?
 
Raiders13
just joined
Topic Author
Posts: 4
Joined: Sat Aug 29, 2020 10:49 am

Re: Weird connection - WAN DHCP

Sun Jun 26, 2022 4:24 pm

I think I got it to stop... But might not be the best option.
Put a few port filters on the 1st Eth port, that is connected to the Fiber NTU.
[image attachment: screenshot of the port filter rules]

As to what my network looks like...
It's just a fiber NTU (Huawei HG8045H) connected to the MikroTik RB962UiGS-5HacT2HnT.
I have no netgear equipment. Think they are coming in via the Fiber NTU. Which is concerning as that means the network is not secure on the ISP side. Not sure if this is normal...
[image attachment: network layout]
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Weird connection - WAN DHCP

Sun Jun 26, 2022 6:39 pm

OK, now I finally start understanding - the NTU is in bridge mode, so the PPPoE client runs on the Mikrotik, but you can see a lot of DHCP traffic arriving at the Mikrotik from the WAN side as the ISP's network allows IP traffic to pass between the core and the NTUs (which is indeed a security issue among other things).

What surprises me most is that the DHCP traffic makes it to the forward chain, i.e. it got routed somewhere else than to the hAP ac itself, but I admit I have no experience with this situation so maybe it is normal.

Also, it is clear to me now that everything you wrote regarding Netgear was related to analysis of that unexpected DHCP traffic.

It should be possible to prevent the DHCP traffic from reaching the CPU completely by means of switch chip rules, as they can match on protocol ports as well. Try /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=ip dst-port=67 new-dst-ports="". I am not 100% sure whether it works also when ether1 is not a member of any bridge, but definitely worth trying.

If the NTU acts as a DHCP client so you need to run a DHCP server at your WAN in order to be able to access the NTU, you can use an exemption rule before this one to permit DHCP communication from the MAC address of the NTU.

Nevertheless, if your physical uplink bandwidth is close to your contract bandwidth, this DHCP traffic may cause your link to provide less download bandwidth than what you pay for, and even a switch chip filter rule doesn't change it, so it's worth talking to the ISP.

Other than that, since you've got no other rules in /ip firewall filter than those shown in the previous post, your router is exposed to attacks at least from the other customers of this ISP in the same network segment, and so is your LAN - NAT (or masquerade) does not prevent traffic coming in via WAN from being routed to LAN.
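The switch-chip drop rule, the NTU exemption placed before it, and the WAN input/forward filtering described in the reply above, put together as an added RouterOS CLI example (not configuration posted in this thread). It assumes the switch chip is named switch1, the uplink is on ether1, the PPPoE client is named pppoe-out1, the default-config interface list WAN already exists, the NTU MAC is a placeholder to replace, and that a switch rule which matches without an action stops further rule processing on this switch chip.

```routeros
# Added example, not from the thread. Placeholder MAC AA:BB:CC:DD:EE:FF must be
# replaced by the real MAC of the NTU. Switch rules are evaluated in order, so
# the exemption must be listed before the drop (assumption: a matching rule
# without an action ends processing for that frame on this switch chip).

/interface ethernet switch rule
# 1) exemption: DHCP requests from the NTU's own MAC are left untouched so a
#    local DHCP server on the WAN segment can still hand it an address
add switch=switch1 ports=ether1 mac-protocol=ip protocol=udp dst-port=67 src-mac-address=AA:BB:CC:DD:EE:FF/FF:FF:FF:FF:FF:FF comment="allow DHCP from own NTU (placeholder MAC)"
# 2) any other DHCP server-bound UDP/67 arriving on ether1 is dropped in
#    hardware, so it never reaches the CPU or the firewall
add switch=switch1 ports=ether1 mac-protocol=ip protocol=udp dst-port=67 new-dst-ports="" comment="drop foreign DHCP from ISP segment"

# The PPPoE session is a separate WAN interface; ether1 is already in the
# default-config WAN list, so only the PPPoE interface is added here
/interface list member
add list=WAN interface=pppoe-out1

# Stateful filtering: the router itself (input) and the LAN behind it (forward)
# accept nothing unsolicited from either WAN interface. NAT alone does not
# stop routed traffic from WAN to LAN; the forward drop does.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=WAN action=drop comment="no unsolicited input from WAN"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=WAN connection-nat-state=!dstnat action=drop comment="WAN reaches LAN only via dst-nat"
```

After adding the rules, /interface ethernet switch rule print stats and /ip firewall filter print stats show whether the foreign DHCP is now being dropped in the switch chip rather than counted in the firewall.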
