# Network A is running VPN server with DHCP server having ip pool 172.16.0.0/16 series.
# Network B is running PPPoE server with DHCP server having ip pool 10.0.0.0/xx series.
Now Network A wants to merge with Network B and the Operator A wants to use his own DHCP rather then usingNetwork B DHCP. As we all know that we cannot run two DHCP parallel in same network. Following is an workaround to accomplish the task.Create BRIDGE in mikrotik and block DHCP traffic. See the following rules. These are CLI commands , but you can use the GUI to do the same.
First Add bridge port.
[sourcecode]/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1522
max-message-age=20s mtu=1500 name=ds-bridge priority=0×8000 protocol-mode=none transmit-hold-count=6[/sourcecode]
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1522
max-message-age=20s mtu=1500 name=ds-bridge priority=0×8000 protocol-mode=none transmit-hold-count=6[/sourcecode]
Now Add Ethernet ports in bridge, For example we want to use Port No 2 and 3 for bridge.
[ Port 2 is connected with Network A and port 3 is connected with Network B ]
[ Port 2 is connected with Network A and port 3 is connected with Network B ]
[sourcecode]/interface bridge port
add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether2 path-cost=10 point-to-point=
auto priority=0×80
add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether3 path-cost=10 point-to-point=
auto priority=0×80[/sourcecode]
add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether2 path-cost=10 point-to-point=
auto priority=0×80
add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether3 path-cost=10 point-to-point=
auto priority=0×80[/sourcecode]
Now enable firewall filtering for this bridge.
[sourcecode]/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=n[/sourcecode]
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=n[/sourcecode]
Now your BRIDGE is ready to pass traffic to both networks.
Add firewall filter rules to block DHCP traffic, You can use the same topology to filter any traffic from passing by, For example common virus ports or any specific port you like to block , you can simply add it in filter rules.
[sourcecode]/ip firewall filter
add action=drop chain=forward disabled=no dst-port=67 protocol=udp
add action=drop chain=forward disabled=no dst-port=68 protocol=udp
add action=drop chain=forward disabled=no dst-port=68 protocol=udp
add action=drop chain=input disabled=no dst-port=67 protocol=udp
add action=drop chain=input disabled=no dst-port=68 protocol=udp
add action=drop chain=input disabled=no dst-port=68 protocol=udp
add action=drop chain=output disabled=no dst-port=67 protocol=udp
add action=drop chain=output disabled=no dst-port=68 protocol=udp[/sourcecode]
add action=drop chain=output disabled=no dst-port=68 protocol=udp[/sourcecode]
I dont remember exactly but I guess one or two rules in above are not necessary, i guess OUTPUT rules are not necessary. Just check the packets counting and remove un unnecessary rules.
No comments:
Post a Comment