Mikrotik Bridge Filter to Block Rogue DHCP Servers
Mikrotik has introduced a LOT of great features in their switching line CRS100, CRS200, and CRS300. One thing of note is DHCP snooping, which blocks rogue DHCP servers on your network. This feature works a treat in the CRS300 series switches as it also allows hardware offloading. Unfortunately, if it is enabled on the CRS 100 or CRS 200 series switches, hardware offloading is disabled, and spoiler alert, this is very bad.
If, however, you use bridge filtering to block rogue DHCP servers, hardware offloading remains enabled. Having said that, here are some simple steps you can take to put a bridge filter in place to block rogues.
In this example, ether1 is the uplink port where the DHCP server lives, so no filtering is done here.
First create an interface list for all user/customer interfaces:
#this creates a customer list
/interface list add name=customers
Next add all of the customer interfaces to the interface list:
#add all customer interfaces to this list
/interface list member
add interface=ether2 list=customers
add interface=ether3 list=customers
Here’s a script that will auto add ports ether1 – ether24 to the customers interface list (the list name must match the one used by the bridge filter rule below):
#add ether1..ether24 to the customers list; start from=2 if ether1 is your uplink
:for num from=1 to=24 do={
  /interface list member add interface="ether$num" list=customers
}
Last, apply the bridge filter to the forward chain to catch traffic moving through the bridge. DHCP servers send their offers and acknowledgements from UDP source port 67, so any such packet entering from a customer port is a rogue server and gets dropped:
#this filter rule will block DHCP servers
/interface bridge filter
add action=drop chain=forward in-interface-list=customers ip-protocol=udp mac-protocol=ip src-port=67
Go forth and happy non-rogue-dhcping 😉
In addition to this, if the router where you are doing this filtering is the only legitimate DHCP server in this network, then the only valid DHCP traffic is between the router and its clients, which passes through the input and output chains and never through forward.
In this case you can drop all UDP traffic with source port 67-68 in the forward chain, regardless of the interface.
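The following is an added example, not part of the original post: a RouterOS script that builds on the forward-chain filter described above and on the "router is the only DHCP server" variant just mentioned. It adds a log rule ahead of the drop so a rogue server's source MAC shows up in the log, gives the port-range variant as a commented alternative, and ends with the commands to confirm the rules are matching and that the bridge ports still show hardware offloading. It assumes the interface list is named `customers` and that ether1 is the uplink, as in the post; the `rogue-dhcp` log prefix and the comments are my own names.

```routeros
# Added example: detect, block and verify rogue DHCP servers with bridge filters.
# Assumes a fresh bridge filter table, the "customers" interface list from the
# post, and ether1 as the uplink carrying the legitimate DHCP server.

/interface bridge filter

# 1. Log DHCP server traffic (UDP source port 67) arriving from customer ports.
#    Rules are evaluated in order, so this must sit before the drop rule.
#    The log entry carries the source MAC, which identifies the rogue host/port.
add chain=forward in-interface-list=customers mac-protocol=ip ip-protocol=udp \
    src-port=67 action=log log-prefix="rogue-dhcp" comment="log rogue DHCP offers"

# 2. Drop the same traffic (the rule from the post).
add chain=forward in-interface-list=customers mac-protocol=ip ip-protocol=udp \
    src-port=67 action=drop comment="drop rogue DHCP offers"

# 3. Variant when this router is the only legitimate DHCP server:
#    legitimate client<->router DHCP hits input/output, never forward, so no
#    DHCP at all belongs in the forward chain. Use this INSTEAD of rule 2.
# add chain=forward mac-protocol=ip ip-protocol=udp src-port=67-68 \
#     action=drop comment="no DHCP through the bridge at all"

# 4. Verification.
#    Packet/byte counters climb on the log and drop rules when a rogue is active.
/interface bridge filter print stats
#    The H flag on each port confirms hardware offloading is still in effect.
/interface bridge port print
#    Recent detections, with source MAC and ingress port, from the log rule.
/log print where message~"rogue-dhcp"
```

The log rule is what turns a silent drop into something you can act on: each entry names the port and MAC the offer came from, so you can trace the device instead of only noticing that clients stopped getting leases. Note that these rules key on IPv4 DHCP only; DHCPv6 servers talk on UDP port 547 and would need their own rule if you run IPv6 on the customer side.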