Firewall rules to block unwanted DHCP servers?

So there are times you want to use the built-in switch to connect a few other things but don't want to dip your toes into VLAN waters: you have the router as the DHCP server providing the internet in the 192.168.1.x subnet, and also other devices connected to the LAN switch that communicate in another subnet, say 192.168.2.x, whose IPs are set manually.

Now one client from the 192.168.2.x subnet also answers DHCP requests, which could assign unwanted IPs to other clients. I understand DHCP requests and answers are UDP packets sent on ports 67-68. How do I make a firewall rule to block ports 67-68 on a specific LAN port, or is this handled by OpenWrt by default?

No, it's not blocked by default, nor can it easily be blocked by an all-in-one router.

A rogue DHCP server on port 1 of your LAN will get the request packets from a host on port 2 of your LAN and return a response with all of those packets going through the switch hardware and never hitting the CPU. No CPU involvement, no firewall rules of any sort get triggered.

You could configure each of the LAN ports on its own VLAN, then do the bridging in the CPU. For most people, and most all-in-one routers, the loss in performance is not worth the configuration complexity.

Enterprise-grade switches often support DHCP snooping and management. Unfortunately, since the router SoCs are designed for home use, this feature isn't present in any of the hardware that I'm aware of.

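Since the switch hardware forwards the rogue server's replies without the router's firewall ever seeing them, the practical fallback is to notice that a second server is answering at all. The following added example (not code from the thread, the OpenWrt project, or Jeff) parses raw DHCP UDP payloads, pulls out the message type (option 53) and server identifier (option 54), and flags any OFFER/ACK/NAK that did not come from the one server you expect. The sample packets are constructed inline; the allowlist `{"192.168.1.1"}`, the rogue address `192.168.2.50`, and the MAC addresses are assumptions. In practice you would feed it payloads captured on a mirrored switch port or on a host that sees the broadcast traffic, since, as the answer above explains, unicast frames between two switch ports never reach the router's CPU.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header plus DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))      # address being handed out
    chaddr = payload[28:28 + hlen].hex(":")                  # client hardware address
    options = {}
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 0:            # pad
            i += 1
            continue
        if tag == 255:          # end
            break
        length = payload[i + 1]
        options[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN")
    server_id = str(ipaddress.IPv4Address(options[54])) if 54 in options else None
    return {"op": op, "xid": xid, "chaddr": chaddr, "yiaddr": yiaddr,
            "msg_type": msg_type, "server_id": server_id}


def find_rogue_offers(payloads, allowed_servers):
    """Return every server-side DHCP message whose server identifier is not allowlisted."""
    rogues = []
    for payload in payloads:
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            continue
        if msg["msg_type"] in SERVER_MSGS and msg["server_id"] not in allowed_servers:
            rogues.append(msg)
    return rogues


def build_dhcp(msg_type_code, xid, yiaddr, server_id, chaddr):
    """Build a minimal DHCP payload; used here only to construct sample input."""
    op = 2 if msg_type_code in (2, 5, 6) else 1          # BOOTREPLY for server messages
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)   # htype=Ethernet, broadcast flag
    hdr += b"\x00" * 4                                     # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed            # yiaddr
    hdr += b"\x00" * 8                                     # siaddr, giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")
    hdr += b"\x00" * 192                                   # sname + file
    opts = bytes([53, 1, msg_type_code])
    if server_id:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += b"\xff"
    return hdr + MAGIC_COOKIE + opts


# Constructed sample exchange: one DISCOVER, a legitimate OFFER from the router,
# and a competing OFFER from an (assumed) host in the 192.168.2.x subnet.
SAMPLE_PACKETS = [
    build_dhcp(1, 0x1234, "0.0.0.0", None, "aa:bb:cc:00:00:01"),
    build_dhcp(2, 0x1234, "192.168.1.100", "192.168.1.1", "aa:bb:cc:00:00:01"),
    build_dhcp(2, 0x1234, "192.168.2.77", "192.168.2.50", "aa:bb:cc:00:00:01"),
]

if __name__ == "__main__":
    for rogue in find_rogue_offers(SAMPLE_PACKETS, {"192.168.1.1"}):
        print(f"rogue {rogue['msg_type']} from {rogue['server_id']} "
              f"offering {rogue['yiaddr']} to {rogue['chaddr']}")
```

Matching on option 54 rather than the IP header's source address is deliberate: the server identifier is what clients use to pick a lease, so it is the field a second server must fill in to compete. Seeing more than one identifier answering the same transaction ID is the simplest tell that something besides the router is serving addresses.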

Thank you Jeff, your explanation is easily understood 👍. Hope this helps others too.
