
Bridge Filter – Blocking DHCP Traffic

Written by vaheeD on January 2, 2013

Background

I’ve been working on implementing DHCP Relay throughout our network. However, at times we have had problems with customers plugging their routers in backwards. They start handing out DHCP leases to other customers, which is definitely annoying. I’m not taking credit for this idea, I’m just putting together what I found. I’m aware of setting the authoritative flag on the DHCP server.

This will put a stop to it:

Rules to log and block DHCP server traffic originating from a 192.168.0.0/16 device. This catches the default DHCP server traffic of consumer routers such as Linksys or D-Link products.

/interface bridge filter
add action=log chain=input comment="Block DHCP servers on 192.168.0.0/16" \
   disabled=no dst-address=255.255.255.255/32 ip-protocol=udp log-prefix=\
   "ALERT ROGUE DHCP (BLOCKED)" mac-protocol=ip src-address=192.168.0.0/16 \
   src-port=67-68
add action=drop chain=input comment="Block DHCP servers on 192.168.0.0/16" \
   disabled=no dst-address=255.255.255.255/32 ip-protocol=udp mac-protocol=\
   ip src-address=192.168.0.0/16 src-port=67-68
/interface bridge settings 
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=yes

You should also make sure that IP Firewall connection tracking is turned on. Add these rules to your core routers and access points wherever customers could plug devices in backwards.
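To see what the bridge filter above actually matches, here is an added Python example (not part of the original post or RouterOS) that parses a DHCP payload, flags server replies (OFFER/ACK/NAK) from anyone but the authorized server, and reports whether the 192.168.0.0/16 + src-port 67-68 rule would have caught it. The authorized server address 10.0.0.1 and the DHCPOFFER packets are constructed assumptions; the third test case shows the rule's limit, a rogue server outside 192.168.0.0/16 is detected but not blocked.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"                        # RFC 2131 magic cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
AUTHORIZED_SERVERS = {ipaddress.ip_address("10.0.0.1")}  # assumption: the relay's real DHCP server
BLOCKED_RANGE = ipaddress.ip_network("192.168.0.0/16")   # src-address used by the bridge filter rules

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV options of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(opts[53][0], "UNKNOWN") if 53 in opts else "UNKNOWN"
    server_id = ipaddress.ip_address(opts[54]) if 54 in opts else None   # option 54: server identifier
    return {"op": op, "xid": xid, "yiaddr": ipaddress.ip_address(payload[16:20]),
            "type": msg_type, "server_id": server_id}

def classify(src_ip: str, src_port: int, payload: bytes) -> dict:
    """Flag server replies from unauthorized servers; report whether the /16 bridge rule matches."""
    src = ipaddress.ip_address(src_ip)
    msg = parse_dhcp(payload)
    is_reply = msg["op"] == 2 and msg["type"] in ("OFFER", "ACK", "NAK")   # op 2 = BOOTREPLY
    server = msg["server_id"] if msg["server_id"] is not None else src
    return {"type": msg["type"],
            "rogue": is_reply and server not in AUTHORIZED_SERVERS,
            "bridge_filter_match": src in BLOCKED_RANGE and 67 <= src_port <= 68}

def build_offer(server_ip: str, offered_ip: str, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPOFFER (sample input for testing, not a captured packet)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0x8000)      # BOOTREPLY, broadcast flag set
    hdr += bytes(4) + ipaddress.ip_address(offered_ip).packed      # ciaddr, yiaddr
    hdr += ipaddress.ip_address(server_ip).packed + bytes(4)       # siaddr, giaddr
    hdr += bytes.fromhex("001122334455") + bytes(10) + bytes(192)  # chaddr (16), sname (64), file (128)
    opts = b"\x35\x01\x02" + b"\x36\x04" + ipaddress.ip_address(server_ip).packed + b"\xff"
    return hdr + DHCP_MAGIC + opts
```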


Posted Under: MikroTik, Security

