It will hit ether1 first. You want to apply the rule to ether1 as you're 
blocking DHCP server traffic from entering the bridge through that port.

If you apply it to the bridge then it would drop packets entering the bridge 
through either member port (ether1 & wlan1). Blocking on wlan1 would drop 
the DHCP Offers and Acknowledgements from the server to the client, effectively 
prohibiting the client from obtaining an IP.

--
Blake Covarrubias
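As an added illustration (not code from anyone in this thread), the following Python models what the posted bridge filter rule matches: it parses a constructed DHCP payload to label the message type (option 53) and applies the rule's in-interface/port logic, so you can see that a rogue OFFER arriving on ether1 is dropped while a client DISCOVER on ether1 and an OFFER arriving over wlan1 are forwarded. The interface names come from the thread; the packets and the helper names are constructed for the example.

```python
import struct
from dataclasses import dataclass

DHCP_SERVER_PORT = 67   # server -> client traffic is src 67, dst 68
DHCP_CLIENT_PORT = 68   # client -> server traffic is src 68, dst 67
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

@dataclass
class Packet:
    in_interface: str   # bridge port the frame entered on (ether1 or wlan1)
    src_port: int
    dst_port: int
    payload: bytes      # UDP payload: a BOOTP/DHCP message

def dhcp_message_type(payload):
    """Return the option-53 message type name, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:           # end option
            break
        if code == 0:             # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1:
            return MSG_TYPES.get(payload[i + 2], f"type {payload[i + 2]}")
        i += 2 + length
    return None

def bridge_filter_verdict(pkt):
    """Mirror the posted rule: drop UDP 67->68 entering via ether1."""
    if (pkt.in_interface == "ether1" and pkt.src_port == DHCP_SERVER_PORT
            and pkt.dst_port == DHCP_CLIENT_PORT):
        return "drop"
    return "forward"

def build_dhcp(op, msg_type):
    """Constructed minimal BOOTP header (236 bytes) + cookie + option 53."""
    header = struct.pack("B", op) + b"\x00" * 235
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

SAMPLE = [  # constructed packets, not captured traffic
    ("rogue OFFER on LAN", Packet("ether1", 67, 68, build_dhcp(2, 2))),
    ("client DISCOVER on LAN", Packet("ether1", 68, 67, build_dhcp(1, 1))),
    ("ISP OFFER via wlan1", Packet("wlan1", 67, 68, build_dhcp(2, 2))),
]

def audit(packets=SAMPLE):
    return [(label, dhcp_message_type(p.payload), bridge_filter_verdict(p))
            for label, p in packets]
```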

On Nov 30, 2011, at 12:35 PM, Josh Luthman wrote:

> Will this rule still work if ether1/wlan1 are in a bridge with WDS?  I
> would think the traffic would hit the bridge1 interface, wouldn't it?
> 
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> 
> 
> 
> On Wed, Nov 30, 2011 at 2:32 PM, Butch Evans <but...@butchevans.com> wrote:
>> On Wed, 2011-11-30 at 08:13 -0500, Josh Luthman wrote:
>>> Would that permit the customer to still have a dhcp client behind it?
>>> In my case, the customer would have a wlan1/ether1 wds bridge.
>> 
>> If we use the in-interface=ether1 in the rule, we are limiting DHCPOFFER
>> coming from a DHCP server that exists on ether1.  So it should not
>> interfere with a server on the WAN side (wlan1).  This rule will ONLY
>> limit the DHCPOFFER packet, which is always src-port=67 and dst-port=68.
>> This is detailed here:
>> http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#Technical_details
>> 
>> DHCP-client requests are src-port=68 and dst-port=67, server responses
>> are the opposite.
>> 
>>>> /interface bridge filter
>>>> add action=drop chain=forward disabled=no \
>>>>    dst-port=68 in-interface=ether1 \
>>>>    ip-protocol=udp mac-protocol=ip src-port=67
>>>> 
>> 
>> --
>> ********************************************************************
>> * Butch Evans                * Professional Network Consultation   *
>> * http://www.butchevans.com/ * Network Engineering                 *
>> * http://store.wispgear.net/ * Wired or Wireless Networks          *
>> * http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!    *
>> *          NOTE THE NEW PHONE NUMBER: 702-537-0979                 *
>> ********************************************************************
>> 
>> 
>> 
>> _______________________________________________
>> Mikrotik mailing list
>> Mikrotik@mail.butchevans.com
>> http://www.butchevans.com/mailman/listinfo/mikrotik
>> 
>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
