How to filter traffic via a BRIDGE in MikroTik RouterOS / RB
Scenario # 1
# Network A is running VPN server with DHCP server having ip pool 172.16.0.0/16 series.
# Network B is running PPPoE server with DHCP server having ip pool 10.0.0.0/xx series.
Now Network A wants to merge with Network B, and Operator A wants to use his own DHCP server rather than Network B's. Two DHCP servers cannot simply run in parallel on one broadcast domain: both answer every DHCPDISCOVER, and each client takes whichever offer arrives first, so addressing becomes unpredictable. The following is a workaround: create a bridge in MikroTik and block the DHCP traffic that would otherwise cross it. See the rules below. These are CLI commands, but you can do the same from the GUI.
First, add the bridge. Note that protocol-mode=none switches off (R)STP on this bridge, so there must be no second physical path between Network A and Network B, or a loop will form; if you cannot guarantee that, use protocol-mode=rstp instead.
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no \
    forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 name=ds-bridge \
    priority=0x8000 protocol-mode=none transmit-hold-count=6
Now add the Ethernet ports to the bridge. For example, we want to use ports 2 and 3 for the bridge.
[ Port 2 is connected to Network A and port 3 is connected to Network B ]
/interface bridge port
add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether2 \
    path-cost=10 point-to-point=auto priority=0x80
add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether3 \
    path-cost=10 point-to-point=auto priority=0x80
Now enable IP firewall processing for bridged traffic. This setting is global (it applies to every bridge on the router) and sends each bridged packet through the prerouting, forward and postrouting sections of /ip firewall, so expect some extra CPU load on a busy link.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
Now your bridge is ready to pass traffic between both networks.
Add firewall filter rules to block DHCP traffic. The forward-chain rules are the ones that act on bridged traffic, and they drop DHCP in both directions, so neither network's DHCP server can reach clients on the other side; the input and output rules only matter if the router itself is a DHCP client or server on the bridge. You can use the same topology to filter any other traffic, for example common virus/worm ports or any specific port you want to block; simply add it to the filter rules.
/ip firewall filter
add action=drop chain=forward disabled=no dst-port=67 protocol=udp
add action=drop chain=forward disabled=no dst-port=68 protocol=udp
add action=drop chain=input disabled=no dst-port=67 protocol=udp
add action=drop chain=input disabled=no dst-port=68 protocol=udp
add action=drop chain=output disabled=no dst-port=67 protocol=udp
add action=drop chain=output disabled=no dst-port=68 protocol=udp
I don't remember exactly, but I guess one or two rules above are not necessary; I guess the OUTPUT rules are not necessary. Just check the packet counters and remove the unnecessary rules.
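The following is an added example, not part of the original post: the whole procedure collected into one RouterOS script, with the DHCP rules narrowed so that only DHCP server replies arriving from Network B's side are dropped. Network A's server can then answer clients on both sides of the bridge, while Network B's server (or a rogue DHCP server on that side handing out its own gateway and DNS) is silenced. Interface and bridge names follow the post; the in-bridge-port matcher, the input rule, the /interface bridge filter variant and all comments are this example's own assumptions. Use either the /ip firewall variant or the /interface bridge filter variant, not both.

```routeros
# Added example (not the original post's script): isolate DHCP across a MikroTik bridge.
# Assumed layout, as in the post: ether2 faces Network A, whose DHCP server should win;
# ether3 faces Network B, whose DHCP server must not reach clients on the other side.

/interface bridge
add name=ds-bridge protocol-mode=none comment="Network A <-> Network B"

/interface bridge port
add bridge=ds-bridge interface=ether2 comment="Network A side"
add bridge=ds-bridge interface=ether3 comment="Network B side"

# ---- Variant 1: filter bridged traffic in /ip firewall ----
# Global setting: every bridge on the router now pushes its packets through the IP
# firewall (prerouting, forward, postrouting), which costs CPU on a busy link.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=no use-ip-firewall-for-pppoe=no

/ip firewall filter
# Drop only DHCP server-to-client traffic (OFFER/ACK/NAK, UDP source port 67) that entered
# through ether3. DISCOVER/REQUEST from Network B clients (dst-port 67) still cross the
# bridge to Network A's server, and its replies come back in through ether2, so they pass.
add chain=forward in-interface=ds-bridge in-bridge-port=ether3 protocol=udp src-port=67 \
    action=drop comment="Block DHCP server replies from Network B"
# Optional: keep Network B's server from offering the router itself an address.
add chain=input in-interface=ds-bridge in-bridge-port=ether3 protocol=udp src-port=67 \
    action=drop comment="Block DHCP offers to the router from Network B"

# ---- Variant 2 (instead of variant 1): the same policy at layer 2 ----
# /interface bridge filter matches on the bridge port and needs no use-ip-firewall.
/interface bridge filter
add chain=forward in-interface=ether3 mac-protocol=ip ip-protocol=udp src-port=67 \
    action=drop comment="Block DHCP server replies from Network B (L2)"

# Check: force a lease renewal on a client in Network B and confirm that the drop
# counters increase while the client still obtains its lease from Network A's server.
/ip firewall filter print stats where comment~"DHCP"
/interface bridge filter print stats
```

Matching on src-port=67 rather than dst-port=67 and dst-port=68 is what lets one server serve both sides: client requests are never dropped, only the answers that come from the wrong side of the bridge. If the counters stay at zero while Network B clients still receive addresses from Network B's server, check that the server really sits behind ether3 and, for variant 1, that use-ip-firewall=yes is set.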
Regards,
Syed Jahanzaib
Gr8
Comment by Soul — February 22, 2013 @ 7:47 PM
Once again a very nice article... looking forward to more.
Comment by adeelkml — February 22, 2013 @ 10:14 PM
Good work. Add one more thing: if you want to block a DHCP server on only the PPPoE interface, then what rule should be applied?
Comment by Mohammad Shakir — February 23, 2013 @ 9:54 AM
You can use the inverter to select the interface,
e.g. !LAN, !WAN_INTERFACE etc.
Comment by Syed Jahanzaib / Pinochio~:) — February 25, 2013 @ 10:25 AM
Great work Jahanzaib bhai 🙂
Comment by faizan — February 23, 2013 @ 2:51 PM
Only block the DHCP reply:
/interface bridge filter add action=drop chain=forward comment="Block DHCP reply" disabled=no in-interface=enlace ip-protocol=udp mac-protocol=ip src-port=67
Comment by Garomba — February 23, 2013 @ 4:39 PM
AOA Jahanzaib bhai, nice article once again.
Jahanzaib bhai, is it possible to use another DHCP in the LAN network by assigning DHCP to a VLAN interface?
Comment by Hammad Ahmed Khan — February 26, 2013 @ 3:15 PM
yes
Comment by Syed Jahanzaib / Pinochio~:) — February 27, 2013 @ 9:08 AM
Wow, it's great, but I still want to know how to block Netcut, especially HotSpot hacking??? Still want the solution?
Comment by faisal — March 1, 2013 @ 11:51 PM
Very Nice Work Sir Jahanzaib.
Comment by Syed Azhar Hussain — March 6, 2013 @ 3:23 AM
Assalam-o-alaikum sir, after creating the bridge, Leonet connects through the dialer, but my PPPoE dialer does not connect; it stops at "dialing Fair.net" and after a while gives this error: 678 the remote computer did not respond. And if I disable the bridge, it connects. What could the problem be?
Comment by Syed Azhar Hussain — March 6, 2013 @ 7:54 PM
Sorry, it didn't work on ROS 6.0rc11; it only delays finding the DHCP server.
Comment by InguX — March 22, 2013 @ 11:58 PM
Sir, on which port should the client switch be connected?
Comment by shoaib — September 23, 2013 @ 1:42 PM
Sir, how can we go about implementing it in a network? What will be the out interface? How should it be configured? Do we configure a LAN interface with a different subnet and DHCP enabled? For instance, network A 10.0.0.0/8 and network B 172.16.0.0/16 are merged and the LAN interface subnet is 192.168.0.0/24???
Will we have to define routes??? Can you please suggest, as I am in dire need of this solution. Regards
Comment by Abu Hashim — April 6, 2014 @ 11:58 AM
Hi folks, would you like to share bridge filtering to filter loops caused between two bridges?
What protocol or port usually causes a loop?
Comment by Saman Supriadi — January 22, 2015 @ 4:46 AM
DHCP 67,68 in the switch, how not go to route!
Comment by ouo — December 26, 2015 @ 8:38 AM
thanks..
Comment by samsul — January 6, 2016 @ 6:43 AM
Salam Brother,
I am using the block DHCP with this rule on an RB750GL and it's fine, thank you.
But now I want the RB750 with VLANs on a Cisco 3550 for more ports, but I can't do it; please help me.
RB750 ether5 with 5 or more VLANs, and Cisco 3550 with 5 or more ports with VLANs.
Comment by M Azam Ghouri — October 9, 2016 @ 1:18 PM
I have an Internet network, with a CCR as the main link server and small Gr3 servers in remote areas. When a loop occurs, it spreads to all parts of the network in all areas. Is there a way to run VLANs on the small servers to prevent the broadcast from reaching all parts of the network?
Comment by Basel waleed — October 30, 2018 @ 2:28 AM