Block DHCP

Dear Sirs,

We have a combination scenario where for some clients I require DHCP functionality open, and it has been configured correctly; we can use a DHCP server in the rest of the connections since we are using them as a bridge, and DHCP works just fine. However, we have a couple of connections where we don't want the users to see the DHCP server, and these two connections do need to see each other.

Example:

DHCP SERVER -> SM1 <--> AP <--> SM2 --> DHCP CLIENT

                                               \

                                                 \--> SM3 --> DON'T WANT IT TO SEE DHCP SERVER BUT HAVE COMMUNICATION WITH SM4

                                                   \--> SM4 --> DON'T WANT IT TO SEE DHCP SERVER BUT HAVE COMMUNICATION WITH SM3

IMPORTANT NOTE: SM1 has to see some services in SM3 and SM4.

I hope this is clear.

Thank you in advance.

Carlos

Have you tried blocking UDP port 67 in SM3 and SM4?  Configuration->Security->L3Firewall

j

1 Like

Please note that I have not specifically tried this out myself to verify it.

1. Block bootp: On the AP enable Layer 3 Firewall and deny Protocol UDP with Port 67 on the LAN as the first rule and deny Protocol UDP with Port 68 on the LAN as the second rule.

2. Block PPPoE: On the AP enable Layer 2 Firewall and deny EtherType 8863 on the LAN as the first rule and deny EtherType 8864 on the LAN as the second rule.

3. Block SMB: On the AP enable Layer 3 Firewall and deny Protocol TCP with Port 445 on the LAN as the first rule, deny Protocol TCP+UDP with Port 137 on the LAN as the second rule, deny Protocol UDP with Port 138 on the LAN as the third rule, and deny Protocol TCP with Port 139 on the LAN as the fourth rule.

4. Block SNMP: On the AP enable Layer 3 Firewall and deny Protocol UDP with Port 161 on the LAN as the first rule and deny Protocol TCP+UDP with Port 162 on the LAN as the second rule.

3 Likes
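
An added example, not part of the original thread and not Cambium code: a small Python model of the deny rules listed in the reply above, which can be used to check frames from a capture against that list. The names `classify` and `build`, the sample frames, and matching a rule on either source or destination port are assumptions.

```python
import struct

# Deny list from the reply above; 6 = TCP, 17 = UDP. Matching a rule on either
# the source or the destination port is an assumption (the post does not say).
L2_DENY = {0x8863: "PPPoE discovery", 0x8864: "PPPoE session"}
L3_DENY = [
    ({17}, 67, "bootp server port"), ({17}, 68, "bootp client port"),
    ({6}, 445, "SMB"), ({6, 17}, 137, "NetBIOS 137"),
    ({17}, 138, "NetBIOS 138"), ({6}, 139, "NetBIOS 139"),
    ({17}, 161, "SNMP"), ({6, 17}, 162, "SNMP trap"),
]

def classify(frame: bytes) -> str:
    """Return 'deny: <rule>' or 'allow' for one untagged Ethernet II frame."""
    if len(frame) < 14:
        return "allow"                      # too short to carry an EtherType
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype in L2_DENY:
        return "deny: " + L2_DENY[ethertype]
    if ethertype != 0x0800 or len(frame) < 34:
        return "allow"                      # only IPv4 is inspected at layer 3
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[23]                       # IPv4 protocol field
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    l4 = 14 + ihl
    if ihl < 20 or proto not in (6, 17) or frag_offset or len(frame) < l4 + 4:
        return "allow"                      # no readable TCP/UDP port fields
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    for protos, port, label in L3_DENY:     # first matching rule wins
        if proto in protos and port in (sport, dport):
            return "deny: " + label
    return "allow"

def build(ethertype, proto=0, sport=0, dport=0):
    """Constructed sample frame: zeroed MACs, IP addresses and checksums."""
    eth = bytes(12) + struct.pack("!H", ethertype)
    if ethertype != 0x0800:
        return eth + bytes(8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(4), bytes(4))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

if __name__ == "__main__":
    samples = {"DHCP discover": build(0x0800, 17, 68, 67),
               "PPPoE PADI": build(0x8863),
               "HTTP between SMs": build(0x0800, 6, 50000, 80)}
    for name, frame in samples.items():
        print(f"{name}: {classify(frame)}")
```
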

Thank you! It worked like a charm!