The rule I posted was to see if I could catch the DHCP server traffic FROM the router. It was exploratory only. I was curious if a rule like:
add action=drop chain=forward disabled=no protocol=udp src-port=67

would catch traffic FROM the DHCP server on the router. I didn't think it would but I was curious. That got me to thinking about where exactly that traffic CAN be managed, and when I didn't see it with a filter rule in the Output chain I was curious.

-Ty

On Fri, Jan 24, 2014 at 10:10 AM, Sam Tetherow <[email protected]> wrote:

> If you are trying to catch traffic not originating on the MT, wouldn't the
> chain need to be forward and not output?
>
> On 01/24/2014 08:54 AM, Ty Featherling wrote:
>
>> Chupaka and Butch. This rule is on a router that has a bridge for LAN ports
>> and the DHCP server is run on that bridge. Use IP Filter is enabled for the
>> bridge as well. I am glad you are seeing the same lack of result I did,
>> Butch. In my case I want to act on DHCP server traffic that does NOT
>> originate from the router, i.e. rogue DHCP traffic. To that end I don't
>> really need to catch the legit server traffic, but I was trying to prove
>> where it was or wasn't so I could write my rules accordingly.
>>
>> "For others that answered, the rule that Ty posted IS the right format and
>> in the right chain."
>> - Well, I did learn from the best... ;)
>>
>> -Ty
>>
>> On Fri, Jan 24, 2014 at 3:00 AM, Chupaka <[email protected]> wrote:
>>
>>> AFAIR, DHCP uses something like RAW_SOCKET or even more low-level
>>> functions, so the only way to catch its packets is to create a bridge
>>> (with a single port - the necessary interface) and use bridge filter (or
>>> enable 'use-ip-firewall').
>>>
>>> --
>>> Signature:
>>> (appended at the end of all outgoing messages)
>>>
>>> 2014/1/24 Butch Evans <[email protected]>
>>>
>>>> On 01/23/2014 11:13 AM, Ty Featherling wrote:
>>>>
>>>>> Can someone confirm that you CANNOT manage traffic FROM the DHCP Server
>>>>> on a Mikrotik with IP Firewall?
>>>>>
>>>>> To test this I added the rule:
>>>>>
>>>>> add action=log chain=output disabled=no protocol=udp src-port=67
>>>>>
>>>>> DHCP Conversation looks like this:
>>>>
>>>> DHCPDISCOVER
>>>> client: UDP src-addr 0.0.0.0 sport=68
>>>>             dst-addr 255.255.255.255 dport=67
>>>>
>>>> DHCPOFFER
>>>> DHCP server: UDP src-addr server.ip.addr sport=67
>>>>                  dst-addr 255.255.255.255 dport=68
>>>>
>>>> DHCPREQUEST -
>>>> From client, just like discover
>>>>
>>>> DHCPACK -
>>>> From server, just like offer
>>>>
>>>> SO, your rule should show the DHCPOFFER and the DHCPACK traffic. My first
>>>> guess about why it isn't showing up would be if the interface in question
>>>> is on a bridge and the "use-ip-firewall" option isn't on for the bridge.
>>>> Barring that, I suspect you should be able to see the traffic in the logs.
>>>> I just did a test on a router here and it didn't show up there, either.
>>>> Very odd. Perhaps a bit more research on my part is in order. Maybe,
>>>> because the traffic is all broadcast type, the IP firewall isn't seeing the
>>>> traffic? I don't know. I'll play with this a bit more and see what I can
>>>> discover.
>>>>
>>>> For others that answered, the rule that Ty posted IS the right format and
>>>> in the right chain.
>>>>
>>>> --
>>>> Butch Evans
>>>> 702-537-0979
>>>> Network Support and Engineering
>>>> http://store.wispgear.net/
>>>> http://www.butchevans.com/
>>>>
>>>> _______________________________________________
>>>> Mikrotik mailing list
>>>> [email protected]
>>>> http://mail.butchevans.com/mailman/listinfo/mikrotik
>>>>
>>>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
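The DISCOVER/OFFER/REQUEST/ACK exchange Butch lays out above, and the rogue-server check Ty is after, worked through as an added example (not code from the thread or from RouterOS): it builds constructed BOOTP/DHCP datagrams, parses option 53 (message type) and option 54 (server identifier), sorts each datagram onto the client or server side of the exchange by the 68/67 ports, and flags a server-side OFFER or ACK whose server address is not in an assumed allowlist (192.0.2.1 is a placeholder for the router's own DHCP address).

```python
# Added example: parse BOOTP/DHCP datagrams and flag rogue server replies.
# Layout per RFC 2131: 236-byte fixed header, magic cookie 63 82 53 63, then
# TLV options; option 53 = DHCP message type, option 54 = server identifier.
import struct
import ipaddress

MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}
# Assumed allowlist: the router's own DHCP server address (placeholder value).
TRUSTED_SERVERS = {"192.0.2.1"}

def build_dhcp(msg_type, server_id=None):
    """Construct a minimal DHCP message carrying option 53 (and 54 if given)."""
    op = 1 if msg_type in (1, 3) else 2            # 1 = BOOTREQUEST, 2 = BOOTREPLY
    header = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 232   # rest of header zeroed
    options = bytes([53, 1, msg_type])
    if server_id:
        options += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return header + MAGIC + options + b"\xff"      # 0xff = end option

def parse_options(payload):
    """Return {code: raw value} for the options after the magic cookie."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:
        if payload[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options

def classify(src_ip, src_port, dst_port, payload):
    """Place one UDP datagram in the exchange from the thread.
    Returns (message name, verdict); verdict is 'client', 'trusted-server',
    'ROGUE' (server reply from an address not in the allowlist) or 'unexpected-ports'."""
    options = parse_options(payload)
    name = MSG_TYPES.get(options.get(53, b"\x00")[0], "OTHER")
    if src_port == 68 and dst_port == 67:          # DISCOVER / REQUEST from the client
        return name, "client"
    if src_port == 67 and dst_port == 68:          # OFFER / ACK from a server
        server = src_ip
        if 54 in options:                          # prefer the server identifier the reply carries
            server = str(ipaddress.IPv4Address(options[54]))
        return name, "trusted-server" if server in TRUSTED_SERVERS else "ROGUE"
    return name, "unexpected-ports"
```

A datagram that passes this check is still only as trustworthy as the point where it was captured; as the thread notes, on RouterOS that point has to be the bridge filter or a bridge with use-ip-firewall enabled, since the DHCP server's own replies bypass the plain IP firewall.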

