Kentzo
Long time Member
Topic Author
Posts: 528
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Firewall rules for DHCP (v4)

Tue Jan 11, 2022 10:21 am

In Building Advanced Firewall there is the following rule:
;;; accept DHCP discovery - most of the DHCP packets are not seen by an IP firewall, but some of them are, so make sure that they are accepted;
/ip firewall raw add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
Do I understand correctly that "most of the DHCP packets are not seen by an IP firewall" because they will most likely hit the server running in the same LAN segment and won't need routing?
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Firewall rules for DHCP (v4)

Tue Jan 11, 2022 10:34 am

Sure thing, unless you are doing specific filtering on certain physical LAN ports to which a device is attached directly.
I do not have such rules, am running a "classic" home network (a single "flat" LAN with one "bridge" instance/interface), and have never had any issues.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall rules for DHCP (v4)  [SOLVED]

Tue Jan 11, 2022 1:50 pm

Correct, DHCP packets and the like are mostly not affected.
Tis why, even though you have two vlans (10 and 20) and no devices can exchange data or see each other, one can still ping the gateway of the other vlan.
 
Kentzo
Long time Member
Topic Author
Posts: 528
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Firewall rules for DHCP (v4)

Tue Jan 11, 2022 8:37 pm

If you look further into the rules you will find that a unicast DHCP request (when a client knows the IP of the DHCP server) is dropped. Is there a good reason behind only allowing broadcast DHCP requests?
 
mkx
Forum Guru
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall rules for DHCP (v4)

Tue Jan 11, 2022 9:51 pm

Raw prerouting comes before ROS determines whether the packet is targeting the router itself or not. So these rules affect both routed traffic and traffic consumed by the router. See the packet flow manual.

I fail to see where unicast DHCP packets are dropped though ...
 
Kentzo
Long time Member
Topic Author
Posts: 528
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Firewall rules for DHCP (v4)

Tue Jan 11, 2022 10:05 pm

> I fail to see where unicast DHCP packets are dropped though ...

You're right, I misread:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
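The thread's point, that the raw "accept DHCP discover" rule fires in prerouting before the input/forward split and that the only DHCP-relevant drop in the input chain is the "!LAN" rule, can be made concrete with a small rule-evaluation model. The following Python is an added example, not RouterOS code or anything from the MikroTik documentation: it models the two defconf rules quoted in this thread plus one assumed later raw rule that drops packets with a 0.0.0.0/8 source (stand-in for the bogon drops that follow the accept rule in the default raw chain, so the reader can see why the early accept is needed at all). The packet layout, interface-list names and the three constructed scenarios are assumptions; RouterOS's real matcher has many more fields and an unmatched packet falls through to the chain's default accept, which the model also does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    """Constructed packet: just the fields the quoted rules match on."""
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int
    in_iface_list: str  # interface list the ingress port belongs to: "LAN" or "WAN"


@dataclass
class Rule:
    """Subset of a RouterOS firewall rule; None means 'any'."""
    chain: str
    action: str
    comment: str
    protocol: Optional[str] = None
    src_net: Optional[str] = None
    sport: Optional[int] = None
    dst_net: Optional[str] = None
    dport: Optional[int] = None
    in_iface_list: Optional[str] = None  # "LAN", or negated as "!LAN"

    def matches(self, p: Packet) -> bool:
        if self.protocol and self.protocol != p.protocol:
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.in_iface_list:
            negate = self.in_iface_list.startswith("!")
            name = self.in_iface_list.lstrip("!")
            # a plain list must match; a negated list must NOT match
            if (p.in_iface_list == name) == negate:
                return False
        return True


# /ip firewall raw chain=prerouting (first rule is the one quoted in the thread;
# the second is an ASSUMED stand-in for the later bogon-source drop)
RAW_PREROUTING = [
    Rule("prerouting", "accept", "defconf: accept DHCP discover",
         protocol="udp", src_net="0.0.0.0/32", sport=68,
         dst_net="255.255.255.255/32", dport=67, in_iface_list="LAN"),
    Rule("prerouting", "drop", "assumed: drop packets with bogon src 0.0.0.0/8",
         src_net="0.0.0.0/8"),
]

# /ip firewall filter chain=input (the rule quoted in the thread)
FILTER_INPUT = [
    Rule("input", "drop", "defconf: drop all not coming from LAN",
         in_iface_list="!LAN"),
]


def evaluate(p: Packet) -> dict:
    """Walk raw prerouting, then (packet is addressed to the router's DHCP
    server, so it is 'input' traffic) the input chain. A raw accept only ends
    raw processing; the filter chains still run afterwards."""
    result = {"verdict": "accept", "raw": None, "input": None}
    for r in RAW_PREROUTING:
        if r.matches(p):
            result["raw"] = r.comment
            if r.action == "drop":
                result["verdict"] = "drop"
                return result
            break  # accept: stop evaluating raw, continue to filter
    for r in FILTER_INPUT:
        if r.matches(p):
            result["input"] = r.comment
            result["verdict"] = r.action
            return result
    return result  # no filter rule matched: chain default is accept


def run_scenarios() -> dict:
    """Three constructed packets: LAN broadcast DISCOVER, LAN unicast renew,
    and the same DISCOVER arriving on a WAN port."""
    return {
        "lan_broadcast_discover": evaluate(Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, "LAN")),
        "lan_unicast_renew": evaluate(Packet("udp", "192.168.88.10", 68, "192.168.88.1", 67, "LAN")),
        "wan_broadcast_discover": evaluate(Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, "WAN")),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it shows the three outcomes discussed in the thread: the LAN broadcast DISCOVER is accepted in raw and never matched by the input drop; the LAN unicast renew matches nothing in raw and is accepted by the input chain's default because it came in on a LAN interface; the same DISCOVER on a WAN port misses the LAN-only accept and is dropped by the (assumed) bogon-source rule before it ever reaches the input chain.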
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall rules for DHCP (v4)

Tue Jan 11, 2022 10:14 pm

Just in time...
Here is something I whipped up...
Although what is missing is how DHCP gets requested and assigned regardless of firewall rules, and how one can ping another vlan's gateway despite both L2 and L3 supposedly preventing ANY crosstalk (at least data is blocked ;-) )

viewtopic.php?t=180838
