How to counter fake gateway and rogue DHCP server?

I have a public Wi-Fi network spanning across multiple houses. I have a vision of the worst case scenario when someone sets his own device's IP address to that of the gateway. The public Wi-Fi network is on its own VLAN, so it won't affect each family's network. It still disrupts the Internet access of all users on the public Wi-Fi, though.

Another potential issue is a rogue DHCP server. They probably don't have the skills to even do that, but I must stay on the safe side.

Quick research shows me that DHCP snooping is the solution to both issues. Does OpenWrt support it? Or maybe there are other options which can help me mitigate these security risks?

More effective could be DHCP Option 82 (https://tools.ietf.org/html/rfc3046), not sure whether dnsmasq on the server side supports it, odhcpd appears not to.

Either way, it depends whether the switch device supports DHCP snooping / Option 82 in the first place.

With nftables, not sure if iptables provides that facility, it is possible to utilise hoplimit for DHCPv6 and likewise ttl for DHCPv4 on the respective interfaces.

specifies the maximum number of layer three hops that can be traversed on the path to their destination. Each time the packet arrives at a layer three network device (a hop) the value is reduced by one before it is routed onward. When the value eventually reaches one the packet is discarded by the device that receives it (as the value will be reduced to zero).

As for a rogue gateway it might be good practice to enable reverse path filtering (see the thread "Why is rp_filter disabled by default?").

Enable bridge firewall and block the following traffic from the LAN clients:

  • ARP reply with sender IP matching the gateway IP
  • DHCPOFFER
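As an added example (not from this thread or from OpenWrt's own firewall config), the two blocks above expressed as an nftables bridge-family table; it also goes slightly beyond them by dropping gratuitous ARP requests, plain IP traffic sourced from the gateway address, and DHCPv6 server replies. The gateway address, the guest bridge port names, and the need for the bridge netfilter module (kmod-nft-bridge on OpenWrt) are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): an nftables bridge-family table that
# drops gateway impersonation and rogue DHCP traffic arriving from guest ports.
# Assumptions (placeholders, adjust to your setup):
#   - the router itself is the guest gateway, so legitimate ARP/DHCP replies
#     never arrive on a guest bridge port, only on the bridge's own interface
#   - guest clients sit on the bridge ports named below
define GATEWAY_IP  = 192.168.50.1
define GATEWAY_IP6 = fd00:50::1
define GUEST_PORTS = { "wlan0-guest", "wlan1-guest" }

table bridge guest_guard {
    chain forward {
        # The bridge forward hook sees client-to-client frames, i.e. exactly
        # the spoofed ARP/DHCP replies a rogue host would send to its neighbours.
        type filter hook forward priority 0; policy accept;

        # Fake gateway: any ARP frame (reply or gratuitous request) from a
        # guest port that claims the gateway's IP as its sender address.
        iifname $GUEST_PORTS arp saddr ip $GATEWAY_IP counter drop

        # A client that simply configured the gateway's address on itself.
        iifname $GUEST_PORTS ip saddr $GATEWAY_IP counter drop
        iifname $GUEST_PORTS ip6 saddr $GATEWAY_IP6 counter drop

        # Rogue DHCPv4 server: OFFER/ACK travel server port 67 -> client port 68.
        iifname $GUEST_PORTS ip protocol udp udp sport 67 udp dport 68 counter drop

        # Rogue DHCPv6 server: ADVERTISE/REPLY travel server port 547 -> client port 546.
        iifname $GUEST_PORTS ip6 nexthdr udp udp sport 547 udp dport 546 counter drop
    }
}
```

Load it with `nft -f`; the `counter` on each rule, shown by `nft list table bridge guest_guard`, tells you whether anyone on the guest network is actually attempting this.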

If I understand you correctly it is a firewall which operates at bridge level (layer 2). And to make this work I have to bridge (aka creating a virtual switch) multiple interfaces first, to force traffic to go through the CPU?