Syed Jahanzaib Personal Blog to Share Knowledge !

February 22, 2013

Howto block DHCP traffic via Mikrotik BRIDGE

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 7:44 PM

Howto filter traffic via BRIDGE in Mikrotik RouterOS / RB


Scenario # 1

# Network A runs a VPN server with a DHCP server that hands out addresses from the 172.16.0.0/16 pool.

# Network B runs a PPPoE server with a DHCP server that hands out addresses from the 10.0.0.0/xx pool.

Now Network A wants to merge with Network B, and Operator A wants to keep using his own DHCP server rather than Network B's. As we all know, two DHCP servers cannot run in parallel on the same network. The following is a workaround: create a BRIDGE in MikroTik and block DHCP traffic across it. See the rules below. These are CLI commands, but you can use the GUI to do the same.

First, add the bridge.

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1522 \
max-message-age=20s mtu=1500 name=ds-bridge priority=0x8000 protocol-mode=none transmit-hold-count=6

Now add the Ethernet ports to the bridge. For example, we want to use ports 2 and 3 for the bridge.
[ Port 2 is connected to Network A and port 3 is connected to Network B ]

/interface bridge port
add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether2 path-cost=10 point-to-point=\
auto priority=0x80
add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether3 path-cost=10 point-to-point=\
auto priority=0x80

Now enable IP firewall filtering for traffic passing through this bridge (without this setting, bridged packets never reach the /ip firewall filter rules added below).

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

Now your BRIDGE is ready to pass traffic to both networks.

Add firewall filter rules to block DHCP traffic (UDP ports 67 and 68). You can use the same topology to filter any other traffic passing through the bridge, for example common virus ports or any specific port you want to block: simply add it to the filter rules.

/ip firewall filter

add action=drop chain=forward disabled=no dst-port=67 protocol=udp
add action=drop chain=forward disabled=no dst-port=68 protocol=udp

add action=drop chain=input disabled=no dst-port=67 protocol=udp
add action=drop chain=input disabled=no dst-port=68 protocol=udp

add action=drop chain=output disabled=no dst-port=67 protocol=udp
add action=drop chain=output disabled=no dst-port=68 protocol=udp

I don't remember exactly, but I guess one or two of the rules above are not necessary; I guess the OUTPUT rules are not necessary. Just check the packet counters and remove the unnecessary rules.
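As an added example (not from the original post), the same DHCP rules tagged with comments, preceded by a log rule so any DHCP that tries to cross the bridge is recorded with its source MAC, and followed by a counter read-back to identify which rules never match. The comment strings and log prefix are assumptions; the bridge and port names follow the post.

```routeros
# Added example, not the post's own configuration.
/ip firewall filter
# Log first: /log will show in/out interface, src-mac and 0.0.0.0:68->255.255.255.255:67
# for every DHCP packet that reaches the bridge, which also exposes rogue DHCP servers.
add chain=forward protocol=udp dst-port=67-68 action=log log-prefix="dhcp-bridge" \
    comment="dhcp-log-forward"
# Drop DHCP in both directions across the bridge so each network keeps its own server.
add chain=forward protocol=udp dst-port=67-68 action=drop comment="dhcp-drop-forward"
# Input/output only affect DHCP to/from the router itself; keep them only if they count.
add chain=input   protocol=udp dst-port=67-68 action=drop comment="dhcp-drop-input"
add chain=output  protocol=udp dst-port=67-68 action=drop comment="dhcp-drop-output"

# Zero the counters, give clients time to send discover/request, then print what matched.
/ip firewall filter reset-counters [find comment~"^dhcp-"]
:delay 120s
/ip firewall filter print stats where comment~"^dhcp-"
/log print where message~"dhcp-bridge"
```

A rule whose packet counter stays at 0 after a renew cycle can be removed; the log entries tell you which side's clients are still asking for addresses across the bridge.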

Regards,
Syed Jahanzaib
