WirelessRudy
Forum Guru
Topic Author
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

How to block Second (Unknown) DHCP server on network

Thu Mar 08, 2007 2:26 am

I have a network with Hotspot set up. Most of it works fine, but at times I have clients that play around with their ADSL routers from previous providers, and they use only the LAN side to connect to my network and their PC. Usually by default most of these have a DHCP server enabled. Of course my network also has a DHCP server enabled, and on top of that the Hotspot system also wants to assign IP addresses.
This (unknown to me) second DHCP server obstructs my network, and legitimate clients that re-associate get different network IPs assigned and can't log into the hotspot any more. It also creates network storms at times, which bring the whole network down.

It needs hours to trace down where to find the illegal DHCP server. Is there no way to block illegal DHCP servers in general?
 
Znuff
Member Candidate
Posts: 141
Joined: Tue Sep 26, 2006 2:42 am

Thu Mar 08, 2007 2:34 am

First of all, you should set up your DHCP server as Authoritative; most ADSL routers with DHCP obey that flag.
 
WirelessRudy
Forum Guru
Topic Author
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Thu Mar 08, 2007 12:32 pm

Authoritative is on by default, with 2 secs delay. I still have that problem.
Actually, if I read up in the reference manual, it explains that the DHCP server will now wait 2 secs for the client to come back with an IP request again. If it has been assigned an IP from another DHCP server, it will not come back. So then the client doesn't get an IP from my server?
But actually the explanation in the ref. manual doesn't make sense to me.

Any other suggestions?
 
Znuff
Member Candidate
Posts: 141
Joined: Tue Sep 26, 2006 2:42 am

Thu Mar 08, 2007 9:35 pm

Remove the 2-second delay, there's no need for that.
 
Mayssam961
Frequent Visitor
Posts: 77
Joined: Fri Jun 04, 2010 10:13 am

Re: How to block Second (Unknown) DHCP server on network

Thu Jan 06, 2011 8:06 pm

Was that problem fixed by removing the delay? Because I have the same problem...
Thanks a lot, I would really appreciate any help, thanks.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: How to block Second (Unknown) DHCP server on network

Thu Jan 06, 2011 8:17 pm

Implement CPE firewall rules that block customers from acting as DHCP servers on your network.

DHCP servers reply sourced from udp/67 to udp/68. Block that traffic on the customer facing port.
 
Mayssam961
Frequent Visitor
Posts: 77
Joined: Fri Jun 04, 2010 10:13 am

Re: How to block Second (Unknown) DHCP server on network

Sat Mar 19, 2011 6:18 pm

> Implement CPE firewall rules that block customers from acting as DHCP servers on your network.
>
> DHCP servers reply sourced from udp/67 to udp/68. Block that traffic on the customer facing port.

Can you please post a guide on how to add that rule?
Or an example?
Please, any hints?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: How to block Second (Unknown) DHCP server on network

Sat Mar 19, 2011 7:12 pm

http://en.wikipedia.org/wiki/Dynamic_Ho ... n_Protocol
That explains DHCP traffic flow. Block it where appropriate. For example, apply the following rule to the CPE interface facing your network:
/ip firewall filter
# action=drop added: without an action the rule defaults to accept and blocks nothing
add chain=forward out-interface=WAN protocol=udp dst-port=68 action=drop
Now the client cannot send DHCP offers through the CPE to your network.
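
For the tracing problem raised in the first post, the udp/67 to udp/68 replies described above can also be inspected to see which server is answering. The following is an added example, not code from any poster or from MikroTik: it parses a DHCP payload and reports server replies whose server identifier (option 54) is not on an allowlist. The addresses, the MAC and the `build_reply` sample generator are assumptions constructed for the demo.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie after the 236-byte BOOTP header
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values that only a server sends

def parse_options(data):
    """Walk the DHCP option TLVs and return {code: value}; stop on End or truncation."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:      # 255 = End
        if data[i] == 0:                         # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            break                                # truncated option, keep what we have
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts

def check_reply(payload, allowed_servers):
    """Return a finding for a server reply whose server identifier is not allowed, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC or payload[0] != 2:
        return None                              # not DHCP, or not a BOOTREPLY
    opts = parse_options(payload[240:])
    msg_type = (opts.get(53) or b"\x00")[0]
    if msg_type not in SERVER_TYPES:
        return None
    sid = opts.get(54, b"")
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown"
    if server in allowed_servers:
        return None
    return {"type": SERVER_TYPES[msg_type], "server": server,
            "offered": str(ipaddress.IPv4Address(payload[16:20])),       # yiaddr
            "client": ":".join(f"{b:02x}" for b in payload[28:34])}      # chaddr

def build_reply(msg_type, server_ip, offered_ip, client_mac):
    """Build a constructed sample reply (not captured traffic) for the demo below."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s192x", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                         ipaddress.IPv4Address(offered_ip).packed, bytes(4), bytes(4),
                         bytes.fromhex(client_mac.replace(":", "")))
    options = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + b"\xff"
    return header + MAGIC + options

if __name__ == "__main__":
    allowed = {"10.5.50.1"}                      # assumed address of the legitimate server
    for pkt in (build_reply(2, "10.5.50.1", "10.5.50.20", "00:0c:42:aa:bb:cc"),
                build_reply(2, "192.168.1.1", "192.168.1.100", "00:0c:42:aa:bb:cc")):
        print(check_reply(pkt, allowed) or "reply from allowed server")
```

Feed `check_reply` the UDP payload of packets captured with source port 67 and destination port 68; the Ethernet source MAC of the flagged frame, taken from the same capture, is what points to the offending device.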
 
sup5
Member
Member
Posts: 359
Joined: Sat Jul 10, 2010 12:37 am

Re: How to block Second (Unknown) DHCP server on network

Sun Mar 20, 2011 12:40 am

Don't fight the caused problems.
Avoid the root of the cause.

i.e.:
Don't do weird firewalling
Instead apply proper user isolation.

VLANs, EoIP/VPLS Tunnels and Horizon Bridging/Private VLAN Edge(PVE) are your friends.

A proper Port/User Isolation only allows the clients to communicate with your Hotspot.
A communication between the clients is NOT possible. Thus meaning a fraud DHCP-Server won't affect the other users.
This way you also will be able to suppress MAC-Spoofing, which a user can abuse to steal another user's Hotspot session.
There is absolutely no need to do weird firewalling at the users site.
 
sooli
just joined
Posts: 2
Joined: Wed Mar 13, 2013 10:17 pm

Re: How to block Second (Unknown) DHCP server on network

Wed Mar 13, 2013 10:50 pm

> Don't fight the caused problems.
> Avoid the root of the cause.
>
> i.e.:
> Don't do weird firewalling
> Instead apply proper user isolation.
>
> VLANs, EoIP/VPLS Tunnels and Horizon Bridging/Private VLAN Edge(PVE) are your friends.
>
> A proper Port/User Isolation only allows the clients to communicate with your Hotspot.
> A communication between the clients is NOT possible. Thus meaning a fraud DHCP-Server won't affect the other users.
> This way you also will be able to suppress MAC-Spoofing, which a user can abuse to steal another user's Hotspot session.
> There is absolutely no need to do weird firewalling at the users site.

Any example to isolate users on a local area network using hotspot?
