How to filter rogue DHCP servers either in the AP or in the SM when in bridged mode?
L2 firewall cannot filter by UDP port, but is L3 firewall able to filter when in bridged mode?
Alex,
Currently we only support filtering of UDP, TCP, ICMP, and IP protocols with the Layer 2 and Layer 3 firewall. You could specify special rules to combine IP and UDP/TCP port numbers to filter out special DHCP messages.
As for your other question regarding the L3 firewall, it is a known issue of it not working in Bridge mode, see issue #3301.
Question - how do i “see issue #3301”? I know it’s listed in the release notes as a known issue with release 1.1.6, but is there somewhere publicly accessible to view a bugtracker or something to find status of bugs, without having to page back and forth through ‘resolved issues’ and ‘known limitations’ in the release notes comparing issue numbers in various releases?
Is there a plan for getting L3 firewalling rules working in Bridge mode? We, too, depend on the ability to block customers’ mis-wired routers from handing out DHCP to the rest of the sector/tower; the continued absence of that could prove a deal-killer for us with the ePMP gear.
Assuming that L3 will begin to work with an upcoming update, am I correct in understanding the way rules are applied, that creating a rule on WLAN interface blocking UDP port 67 will ONLY block packets inbound on wireless with UDP destination port 67? If that is accurate, then a single L3 rule blocking UDP port 67 with dest IP 255.255.255.255 from entering WLAN side should prevent rogue DHCP while still allowing clients to get DHCP from the real gateway.
j
What special rules do we apply to the CPE to block rogue DHCP broadcasts from customer routers?
Blocking UDP port 67 at the source (CPE) should do the trick. It does on UBNT.
Seems like on the layer 2 firewall setting on ePMP only the destination UDP port can be blocked, and that’s not helping.
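The two posts above reason about which UDP port a single stateless rule has to match to catch rogue DHCP. The following is an added example, not code from the thread or from Cambium, that models such a rule and evaluates it against constructed DHCP packets using the RFC 2131 port numbers (servers on UDP 67, clients on UDP 68); the sample addresses and the rule model are assumptions for illustration.

```python
# Added example: evaluate stateless UDP filter rules against the two
# directions of DHCP traffic. Per RFC 2131, client->server messages
# (DISCOVER/REQUEST) go to UDP dst 67; server->client messages
# (OFFER/ACK) come from UDP src 67 to UDP dst 68.
from dataclasses import dataclass
from typing import List, Optional

BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    name: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Drop a UDP packet when every field that is set matches it."""
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        checks = ((self.dst_port, p.dst_port),
                  (self.src_port, p.src_port),
                  (self.dst_ip, p.dst_ip))
        return all(want is None or want == have for want, have in checks)


# Constructed traffic as it would enter the sector from one CPE:
# one legitimate client request and answers from a mis-wired router.
SAMPLES = [
    Packet("DISCOVER", "0.0.0.0", BROADCAST, 68, 67),        # legit client
    Packet("OFFER-bcast", "192.168.1.1", BROADCAST, 67, 68),  # rogue server
    Packet("OFFER-unicast", "192.168.1.1", "10.0.0.55", 67, 68),
    Packet("ACK-unicast", "192.168.1.1", "10.0.0.55", 67, 68),
]

# Rule as described in the post: UDP dst port 67 to 255.255.255.255.
RULE_DST_67_BCAST = Rule(dst_port=67, dst_ip=BROADCAST)
# Destination-port-only rule aimed at the server->client direction.
RULE_DST_68 = Rule(dst_port=68)


def dropped_by(rule: Rule, packets: List[Packet] = SAMPLES) -> List[str]:
    """Names of the sample packets the rule would drop."""
    return [p.name for p in packets if rule.matches(p)]


if __name__ == "__main__":
    print("dst 67 + bcast drops:", dropped_by(RULE_DST_67_BCAST))
    print("dst 68 drops:        ", dropped_by(RULE_DST_68))
```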