That sounds like a perfect solution, better than mine by far, if it'll hit ether1 and not bridge1/wlan1!!! Thank you!
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Wed, Nov 30, 2011 at 3:14 PM, Blake Covarrubias <[email protected]> wrote:
> It will hit ether1 first. You want to apply the rule to ether1 as you're
> blocking DHCP server traffic from entering the bridge through that port.
>
> If you apply it to the bridge then it would drop packets entering the
> bridge through either member port (ether1 & wlan1). Blocking on wlan1 would
> drop the DHCP Offers and Acknowledgements from the server to the client,
> effectively prohibiting the client obtaining an IP.
>
> --
> Blake Covarrubias
>
> On Nov 30, 2011, at 12:35 PM, Josh Luthman wrote:
>
>> Will this rule still work if ether1/wlan1 are in a bridge with WDS? I
>> would think the traffic would hit the bridge1 interface, wouldn't it?
>>
>> On Wed, Nov 30, 2011 at 2:32 PM, Butch Evans <[email protected]> wrote:
>>> On Wed, 2011-11-30 at 08:13 -0500, Josh Luthman wrote:
>>>> Would that permit the customer to still have a dhcp client behind it?
>>>> In my case, the customer would have a wlan1/ether1 wds bridge.
>>>
>>> If we use the in-interface=ether1 in the rule, we are limiting DHCPOFFER
>>> coming from a DHCP server that exists on ether1. So it should not
>>> interfere with a server on the WAN side (wlan1). This rule will ONLY
>>> limit the DHCPOFFER packet, which is always src-port=67 and dst-port=68.
>>> This is detailed here:
>>> http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#Technical_details
>>>
>>> DHCP-client requests are src-port=68 and dst-port=67, server responses
>>> are the opposite.
>>>
>>>>> /interface bridge filter
>>>>> add action=drop chain=forward disabled=no \
>>>>> dst-port=68 in-interface=ether1 \
>>>>> ip-protocol=udp mac-protocol=ip src-port=67
>>>>>
>>>
>>> --
>>> ********************************************************************
>>> * Butch Evans * Professional Network Consultation *
>>> * http://www.butchevans.com/ * Network Engineering *
>>> * http://store.wispgear.net/ * Wired or Wireless Networks *
>>> * http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE! *
>>> * NOTE THE NEW PHONE NUMBER: 702-537-0979 *
>>> ********************************************************************
>>>
>>> _______________________________________________
>>> Mikrotik mailing list
>>> [email protected]
>>> http://www.butchevans.com/mailman/listinfo/mikrotik
>>>
>>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
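
Added example, not part of the thread and not RouterOS code: a small Python model of the match conditions in the quoted bridge filter rule, run over constructed frames. It compares the rule limited to in-interface=ether1 with the same match applied to both bridge member ports, as described in the replies above. The function names, port sets and sample frames are assumptions made for illustration.

```python
import struct

def dhcp_frame(src_port, dst_port):
    """Constructed sample frame: Ethernet + IPv4 + UDP headers only (no payload, zero checksums)."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([255] * 4))
    udp = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    return eth + ip + udp

def parse(frame):
    """Return (ethertype, ip_protocol, src_port, dst_port); fields are None when absent."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or len(frame) < 34:
        return ethertype, None, None, None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field (17 = UDP)
    if proto != 17 or len(frame) < 14 + ihl + 4:
        return ethertype, proto, None, None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return ethertype, proto, sport, dport

def rule_drops(frame, in_port, rule_ports):
    """Model of the quoted rule: mac-protocol=ip ip-protocol=udp src-port=67 dst-port=68,
    matched only for frames that entered through one of rule_ports (assumed model)."""
    ethertype, proto, sport, dport = parse(frame)
    return (in_port in rule_ports and ethertype == 0x0800 and proto == 17
            and sport == 67 and dport == 68)

SERVER_REPLY = dhcp_frame(67, 68)    # server-to-client direction (offers, acks)
CLIENT_REQUEST = dhcp_frame(68, 67)  # client-to-server direction

def verdicts(rule_ports):
    """Verdict per constructed case for a rule bound to the given ingress ports."""
    cases = {"server reply via ether1": (SERVER_REPLY, "ether1"),
             "server reply via wlan1": (SERVER_REPLY, "wlan1"),
             "client request via ether1": (CLIENT_REQUEST, "ether1")}
    return {name: "drop" if rule_drops(f, p, rule_ports) else "forward"
            for name, (f, p) in cases.items()}

if __name__ == "__main__":
    print("in-interface=ether1:", verdicts({"ether1"}))
    print("both member ports:  ", verdicts({"ether1", "wlan1"}))
```

With the rule bound to ether1 only, the reply arriving on wlan1 is forwarded and the customer-side client request still passes; with both member ports matched, the upstream server's reply is dropped too.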

