Unlike bridge which allows you to use ip firewall, how can I have my mesh use firewall rules, for example i would like to have ether1 and wlan1 in my mesh, however I have want to filter any dhcp traffic from entering or exiting ether1.

What are you having trouble with?

I can see input chains and Mangle/prerouting chains etc all working on my Mesh. Create a rule but only "log" first, see if you are matching correctly, for yours, I would create the following on your Mesh Portal device:

ros code

/ip firewall mangle
add action=log chain=prerouting log-prefix=dhcp protocol=udp src-port=67
add action=log chain=prerouting log-prefix=dhcp protocol=udp dst-port=68

Open the log, renew a dynamic IP, see the packets in the log.
Then, you just change the "action=log" part to "action=drop" and no more DHCP on the mesh.. or anything.

Tested, DHCP requests appear in logs with this running.


I use something very similar to ensure DHCP request packets are tagged as high-priority and are not queued as harshly as other stuff.. even at high utilization, dhcp still works flawlessly.

ros code

/ip firewall mangle
add action=mark-connection chain=prerouting comment="DHCP Request" dst-port=68 \
    new-connection-mark=dhcp protocol=udp
add action=mark-connection chain=prerouting comment="DHCP Response" \
    new-connection-mark=dhcp protocol=udp src-port=67
add action=mark-packet chain=prerouting comment="High: DHCP" connection-mark=\
    dhcp new-packet-mark=high-priority passthrough=no

Then in the queue, simply setup a higher priority for the "high-priority" packets.

ros code

/queue tree
add name=queue1 parent=global queue=default
add name="Prioritize Stuff" packet-mark=high-priority parent=queue1 priority=1
add limit-at=128k max-limit=512k name=crappy-diem packet-mark=no-mark parent=queue1 priority=8

What are you having trouble with?

Ok, just realized this post was 2 years old.. in my defense, I'm recovering from surgery.