Jun 19 / Greg

Mikrotik Bridge Filter to Block Rogue DHCP Servers

Mikrotik has introduced a LOT of great features in their switching line CRS100, CRS200, and CRS300. One thing of note is DHCP snooping, which blocks rogue DHCP servers on your network. This feature works a treat in the CRS300 series switches as it also allows hardware offloading. Unfortunately, if it is enabled on the CRS100 or CRS200 series switches, hardware offloading is disabled, and spoiler alert, this is very bad.

If, however, you use bridge filtering to block rogue DHCP servers, hardware offloading remains enabled. Having said that, here’s some simple steps you can take to put a bridge filter in place to block rogues.

In this example, ether1 is the uplink port where the DHCP server lives, so no filtering is done here.

First create an interface list for all user/customer interfaces:

# this creates a customer list
/interface list
add name=customers

Next add all of the customer interfaces to the interface list:

# add all customer interfaces to this list
/interface list member
add interface=ether2 list=customers
add interface=ether3 list=customers

Here’s a script that will auto add ports ether2 – ether24 to the customers interface list (ether1 is the uplink, so it is left out):

# add every customer port to the customers list in one go
:for num from=2 to=24 do={/interface list member add interface="ether$num" list=customers}

Last, apply the bridge filter to the forward chain to catch traffic moving through the bridge.

# this filter rule will block DHCP servers
# src-port=67 is the DHCP server port, so only server replies/offers match
/interface bridge filter
add action=drop chain=forward in-interface-list=customers ip-protocol=udp mac-protocol=ip src-port=67
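The whole procedure above as one pasteable script, added here as an example that is not part of the original post. It assumes ether1 is the uplink, ether2 – ether24 are customer ports, and it puts a logging rule ahead of the drop so that a rogue server shows up in the log instead of silently disappearing:

```routeros
# Added example (not from the original post). Assumptions: uplink is ether1,
# customer ports are ether2-ether24, the interface list is named "customers".

/interface list
add name=customers comment="customer-facing ports, never the DHCP uplink"

# ether1 carries the legitimate DHCP server, so the loop starts at 2
:for num from=2 to=24 do={
    /interface list member add interface="ether$num" list=customers
}

/interface bridge filter
# Log first: passthrough hands the packet on to the next rule after logging.
# src-port=67 is the DHCP server port; clients send from 68, so only a
# device acting as a server on a customer port can match these rules.
add chain=forward in-interface-list=customers mac-protocol=ip ip-protocol=udp \
    src-port=67 action=passthrough log=yes log-prefix="ROGUE-DHCP" \
    comment="log DHCP server traffic from customer ports"
add chain=forward in-interface-list=customers mac-protocol=ip ip-protocol=udp \
    src-port=67 action=drop comment="drop rogue DHCP servers"

# Verify: the drop counters climb whenever a rogue answers a client
/interface bridge filter print stats where comment="drop rogue DHCP servers"
# Confirm the ports are still hardware offloaded after adding the filter
/interface bridge port print where hw=yes
```

Watch the log for the ROGUE-DHCP prefix to find which customer port the rogue sits on before the drop counter tells you it is being blocked.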

Go forth and happy non-rogue-dhcping 😉

One Comment

  1. carmageddon / Apr 26 2020

    In addition to this, if the router where you are doing this filtering is the only legitimate DHCP server in this network, then the only valid DHCP traffic would be on the input and output chains.
    In this case you can drop all srcport 67-68 udp forward regardless of the interface.
