steen
Member
Topic Author
Posts: 475
Joined: Sat Oct 23, 2010 2:15 am
Location: Sweden

Howto prevent DHCP flooding ?

Tue Feb 01, 2011 9:39 pm

Hello Folks!

The Dude today alerted me about high ratio of incoming syslog messages from one antenna.
CPU was at 78% hmmm..

Looking into the RB411 one can see that one client on the inside sends hundreds of bootpc messages per minute. I simply had to disable DHCP because I do not know how to tackle it.

It seems like the DHCP server inside RouterOS does not handle it properly; it plays along and offers an IP address over and over again and loads down the RB411.

Is there some mechanism that can help here? I did try to add firewall rules and match on the MAC address, but they did not bite.

Anyone who knows ?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Howto prevent DHCP flooding ?

Tue Feb 01, 2011 9:44 pm

The DHCP server RouterOS uses gets packets via raw sockets, completely bypassing the firewall. That means that you cannot filter DHCP in the firewall filter set of the DHCP server. It's impossible by design.

One solution would be to have a bridge with a bridge filter (or the ip firewall filter applied to the bridge) in front of the DHCP server. That bridge device should be able to filter the packets because it doesn't run a DHCP server itself that grabs the packet on a raw socket before firewall processing. Another solution would be to add a DHCP server on a bridged interface so the RB411 can do that inspection because it no longer is a DHCP server. Lastly, if you have control over the client device requesting DHCP (maybe it's a CPE that you manage?) you may be able to filter the packets in the output chain so they're never actually transmitted - I'm not sure if that would work, but it's worth a shot.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Howto prevent DHCP flooding ?

Tue Feb 01, 2011 10:12 pm

I haven't tried it, but you might set the dhcp-server bootp-support=none.
/ip dhcp-server
print detail
set X bootp-support=none
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Re: Howto prevent DHCP flooding ?

Tue Feb 01, 2011 10:41 pm

Can you create a static lease for that MAC with a bogus IP address just so it completes the lease and stops requesting? Or disable bootp support, as SurferTim previously suggested.
 
steen
Member
Topic Author
Posts: 475
Joined: Sat Oct 23, 2010 2:15 am
Location: Sweden

Re: Howto prevent DHCP flooding ?

Wed Feb 02, 2011 11:00 pm

Hello Folks!

Okay, I understand.

I guess I will do the bridge and filter it there, and eventually also do a script that kicks in and blocks/limits the flood attack.

But I was brute this time. It is an office landscape, so I put up a proxy redirecting all web traffic to a web page inside the MikroTik saying "Please contact your local administrator and tell him/her to check out PC w.x.y.z with <name>". Some hours later the problem was gone, and we could disable the proxy rule.

Thank you all for your suggestions!
 
pablo
newbie
Posts: 46
Joined: Sun Apr 18, 2010 8:18 am

Re: Howto prevent DHCP flooding ?

Mon Mar 07, 2011 1:56 am

I think I am experiencing a similar problem. Strangely enough it seems to be caused by a DirecTV DVR on the network. In any case I'm hoping to find out more about how to "put a bridge in front of the dhcp server". I'm not too clear on what that means and what interfaces I would actually be bridging.

Thanks!
 
pablo
newbie
Posts: 46
Joined: Sun Apr 18, 2010 8:18 am

Re: Howto prevent DHCP flooding ?

Tue Mar 08, 2011 11:15 am

So I think I figured this out and got it working by just adding the interface in question to its own bridge and then creating some bridge filter rules like this:

http://wiki.mikrotik.com/wiki/Bridge_Fi ... CP_Traffic

So instead of just something like: interface_wlan
I now have: interface_wlan and bridge_wlan (with a sole port of interface_wlan)

Also looks like I need to update all of my existing IP Firewall rules to use bridge_wlan instead of interface_wlan when specifying the in or out interface.

Hoping to get some confirmation from someone more experienced that this is indeed the correct approach. One thing I'm curious about is whether I should also be specifying the in/out bridge port in my ip firewall rules or if that's just redundant.

Thanks!
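The "bridge in front of the DHCP server" setup that fewi describes and pablo built (bridge_wlan with interface_wlan as its sole port), written out as RouterOS CLI as an added example; it is not configuration from this thread or from MikroTik. It assumes a DHCP server named dhcp_wlan, a placeholder offender MAC XX:XX:XX:XX:XX:XX, and RouterOS v5-era bridge filter syntax.

```routeros
# Added example, not from the thread. Assumptions: wireless port is
# interface_wlan, bridge is bridge_wlan, DHCP server is named dhcp_wlan,
# the flooding client's MAC is the placeholder XX:XX:XX:XX:XX:XX.

# 1. Bridge with the wireless interface as its only port
/interface bridge add name=bridge_wlan comment="front bridge for DHCP filtering"
/interface bridge port add bridge=bridge_wlan interface=interface_wlan

# 2. Bind the DHCP server to the bridge (not the wireless port) and stop
#    answering BOOTP, as SurferTim suggested
/ip dhcp-server set [find name=dhcp_wlan] interface=bridge_wlan bootp-support=none

# 3. Bridge filter rules. The input chain sees frames addressed to the router
#    itself on the bridge, before the DHCP server's raw socket reads them.
#    DHCP requests from clients are UDP with destination port 67 (bootps).
/interface bridge filter
# 3a. Drop the known offender outright (placeholder MAC, full 48-bit mask)
add chain=input in-interface=interface_wlan mac-protocol=ip ip-protocol=udp \
    dst-port=67 src-mac-address=XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF \
    action=drop comment="flooding DHCP client"
# 3b. Accept DHCP requests up to 10 per second (burst 20) from everyone else;
#     anything above that is logged once per rule hit and dropped so the
#     RB411's CPU is no longer spent offering leases to a looping client
add chain=input in-interface=interface_wlan mac-protocol=ip ip-protocol=udp \
    dst-port=67 limit=10,20 action=accept comment="normal DHCP rate"
add chain=input in-interface=interface_wlan mac-protocol=ip ip-protocol=udp \
    dst-port=67 action=log log-prefix="dhcp-flood" comment="excess DHCP"
add chain=input in-interface=interface_wlan mac-protocol=ip ip-protocol=udp \
    dst-port=67 action=drop

# 4. Check: the drop rules' packet counters grow while the flood lasts,
#    and /log shows lines prefixed dhcp-flood for the excess requests
/interface bridge filter print stats
```

Existing /ip firewall filter rules that matched in-interface=interface_wlan need to reference bridge_wlan instead, as pablo noted, because IP processing now happens on the bridge.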