Assigning devices with IP addresses from different subnets.

Hello everyone,

New to networking in general but have brute forced myself through many of the concepts to get things done, so while I have a good grasp on it, there are probably basic things that I’m unaware of. I have a home setup with a RB2011. Here’s the physical topology of my network:

  • Internet
    • Modem (ETH1)
      • RB2011
        • Computer A (ETH2)
        • Computer B (ETH3)
        • Ubiquiti AP (ETH4)
          • 20x Clients
        • 24-port unmanaged switch (ETH5)
          • 20x Computers

I’ve been using the RB2011 for about 18 months now, tinkering with things here and there, setting up features like VPN access, DNS server, scripting, and VLANs. I mostly use WinBox, but have followed many tutorials/guides through the command line. In my home network, I was eventually hoping to get fancy with better IP address organization, but cannot figure out how to do it. What I specifically am looking to do is to dynamically assign IP addresses in different subnets, and have them successfully connect to the internet.

There’s some topics that seem to be exactly what I need, but I always seem to be missing something:

At a high level, I would like to organize my network’s addresses and have the potential to control communication between the groups. Ideally I would do this with VLANs, but the unmanaged switch doesn’t help me at all, yet has the most connections that I want to organize. Here’s the network topology I am trying to achieve:

  • Personal Computers (IP Address within 192.168.0.0/24)
  • Wireless Clients (IP Address within 192.168.1.0/24)
  • Wireless Non-Moving Clients (IP Address within 192.168.2.0/24)
  • Guest Wireless (IP Address within 192.168.100.0/24)
  • Homelab Space (IP Address within 10.0.0.0/24)

Since the devices are mixed between the various RB2011 interfaces, it’s not possible to simply assign a VLAN to one interface as devices tied to it aren’t necessarily going to be part of the same VLAN. I’ve achieved the Guest Wireless grouping through a VLAN tagged separate SSID, so that’s out of the way. So my question is:

Is it possible to achieve the network scheme I want with the RB2011? If so, can it be done without a managed switch (and only 5 gigabit interfaces of the RB2011) and how?

Currently, all of the devices (excluding the VLANed guest wireless) live in one subnet. I’d like to learn how to allocate (defined by me, distributed by DHCP) my devices with an IP address based on where I would like to organize them.

Hopefully I have given enough information to provide my intent. It is very frustrating as I feel like in each thread I read, I’m missing one tiny piece.

Hi

I think you should be able to do everything with VLANs, assuming support from devices.

  • Personal Computers (IP Address within 192.168.0.0/24)
    → trunk on eth2, 3 & 5
  • Wireless Clients (IP Address within 192.168.1.0/24)
    → trunk on eth4 only, main SSID bridged with trunk
  • Wireless Non-Moving Clients (IP Address within 192.168.2.0/24)
    → tagged vlan, on eth4 only, assuming Ubiquiti supports vlans and multiple SSID, fixed SSID bridged with vlan
    → (but a “lot of work”, can’t these sit on “main” wireless???)
  • Guest Wireless (IP Address within 192.168.100.0/24)
    → tagged vlan, on eth4 only, assuming Ubiquiti supports vlans and multiple SSID, guest SSID bridged with vlan
  • Homelab Space (IP Address within 10.0.0.0/24)
    → tagged vlan on any interface you need, you control all pc’s there, so can define vlan to join

Ubiquiti needs to run in AP mode and support vlans, multiple SSIDs and selective bridging

Hi Sebastia,

Thank you for the reply, I’ll interlace my comments below:

Ideally, this would be too easy with a managed switch or administrative access to all devices. I’m hoping to find a solution that I can implement at the RB2011 that’s invisible to my users (or at least not requiring manual setup per device).

The complexity lies in the unmanaged switch I have tied to ETH5. If I could tag each device with the desired VLAN, this would be no problem. For devices that I have administrative access to, no problem, but the problem is in the rest (~50%).

As I mentioned, I have successfully implemented VLAN tagging on the wireless AP (separate SSIDs), so I have no problems there. See next for my dilemma…

I have no problem with these sitting on the “main” wireless, but would like to assign IP addresses to specific clients that aren’t necessarily on the same subnet. An example here would be a wireless printer or media home device (connected via DNS or just IP address) - I don’t mind it being on the “main” wireless SSID, but would prefer to assign it an IP address that happens to be in another subnet. I’d say this is where my main intent lies - how do I connect devices in subnets different than the gateway subnet to each other and to the WAN.

Perhaps an example may help explain what I am trying to accomplish. I have a new device I am connecting to my network. My RB2011’s address is 192.168.0.1 and the DHCP pool is 192.168.0.100-110.

  1. Device obtains new IP address lease for 192.168.0.100
  2. Through WinBox, I set the new device’s address to 192.168.1.10
  3. I reset the device so it can obtain the new “static” address
  4. The new device has successfully obtained the “static” address
  5. The new device cannot access the internet nor ping the RB2011

If I could just get this to work purely from the RB2011, this would serve me well.

Just learned that I could set VLAN IDs via the NIC from your comment, thank you for pushing me in the right direction!

This is probably not as difficult as you think, or as difficult as you are making it.

First, the switch issue. I got a Cisco 2960 48 port 10/100 switch with 2 gigabit uplinks (that I’m using with LACP to the MikroTik router) for $45 shipped to my door. This is a fully managed Cisco switch that can do vlans. I also bought a 24 port Juniper gigabit switch with PoE on all ports for $100 shipped to my door. You can’t get official support on those but they work great. Alternately you can buy a MikroTik switch. They aren’t so straightforward to configure for trunking and vlans, but it can be done and you’ll learn a lot about bridging and tagging along the way.

Break this down into very simple tasks to start out.

If you want 2 DHCP subnets on the router, simply configure 2 ports with IP addresses in that subnet (usually with .1 for the gateway), and then set up a DHCP server for each port. Don’t forget to remove the interfaces from a master/slave relationship or a bridge so they can operate separately (router interfaces vs. switch/bridge interfaces).

(This is just an example, not using your setup to make this)

  1. ip address add 192.168.1.1/24 interface=eth2
  2. ip address add 192.168.2.1/24 interface=eth3
  3. ip dhcp-server add interface=eth2 (look at default config for the rest of the setup, but you will have to make a new pool)
  4. ip dhcp-server add interface=eth3 (same notes as above)

And that’s it. You have 2 subnets that will work with NAT (given you’re using the default NAT setup). And they will talk to each other due to the notion of connected routes. Study that. If you want to block access between them, you have to set up firewalling.

With this setup you would just attach unmanaged switches to ports 2 and 3 and everything would “just work”. You should probably do this just as an exercise to understand how this stuff works.

Another thing you might have missed is it’s OK to put 2 addresses on a single interface and each can be the gateway for the subnet they are in.

For example:

  1. ip address add 192.168.1.1/24 interface=eth2
  2. ip address add 192.168.2.1/24 interface=eth2

And you can have machines in each subnet on the same unmanaged switch. And everything will “just work” as I outlined above (except DHCP setup is different and a bit difficult). You can even make the subnets not talk to each other with firewall rules (since all communication between subnets requires the router), but machines will be able to dump traffic and see broadcast traffic from both subnets. This may or may not be a big deal.

If you want to trunk an interface down to a managed switch, this isn’t so difficult but the setup would take quite a few steps to accomplish (so I won’t type it all out right now). If you need to learn about using multiple subnets, you shouldn’t start there though, do something like what I said above just to get your head around it.

I read so many posts on this forum that make a mountain out of a molehill and I can’t single handedly make it go away but I try once in a while.

Study basic networking. I chose to follow the Cisco path but any network education will go through these basics and it will make a lot more sense. It’s not stuff you learn by setting up a home wifi router.

I appreciate the comments and even though you come off as extremely condescending, thanks to your reply, I believe I figured it out. Based on my last post, everything that you suggested had already been completed and was successful, but in the details I found something perhaps you can explain.

The three components I’ve found to the solution of my problem:

  • IP Address (local address definition, I assume is the gateway tied to an interface/bridge)
  • DHCP Server + Pool (self explanatory)
  • DHCP Network (gives the DHCP server info on gateway/dns to distribute to the devices)

While helpful, your instruction wasn’t complete because the last is necessary and after more research, I found that the key to my problem was in how I defined an address. In the IP Address, I have the defined address as 192.168.0.1/24, but in the DHCP Network’s address I also followed suit and set it as 192.168.0.1/24. The error I found was that in the DHCP Network, it needs to start at 0 (192.168.0.0/24).

Why is this the case? Is defining an IP Address actually the definition of the gateway (which would require a specific address like .1) while the DHCP Network needs to capture the whole subnet (which can be described from .0 and includes .1)?

Yeah, didn’t mean to sound condescending but it probably happened. Sorry about that.

I’m probably not going to explain this sufficiently, hopefully the documentation plus a few key points will get you there. You’re mostly there anyway.

When you set up a DHCP server, it sends a few key pieces of information to clients so that they can work:

  1. Gateway address
  2. Netmask
  3. DNS servers
  4. Whatever else you want to configure (with DHCP options)

So when you’re intending to set up a network that will hand out DHCP addresses, the DHCP server needs to know what the gateway is and what the netmask is. You’re the human, you can set the gateway to whatever you want it to be within the subnet range. So if it’s a /24, usually it’s .1 or .254 (the first or last address in the subnet). But it could be .38. It’s up to you. The DHCP server just needs to know what it is, which you set in the DHCP setup.

Digression:
When you tell the DHCP server what the “network” is, you always send it the “network number” (network identifier?) and mask, which is the first address in the range (not addressable to a machine, because it’s the network number). In your case it’s 192.168.0.0/24. The last 0 is the network number. And to be academic, .255 is the “broadcast” address (another thing to study for a minute when you get a chance) and it’s also not usable by a machine. Once you specify 192.168.0.0/24 as the network, the device already knows .0 is the network number and .255 is the broadcast. For example, in 192.168.0.0/26 0 is the network number and 63 is the broadcast address. In some rare circumstances some “dumber” devices actually need you to manually type in the broadcast address, but I digress.

Ok, we’re back. Configure the DHCP server with what the gateway is, what the “network is” (192.168.0.0/24, this gives it the netmask), and what range you want to allow it to hand out. Give it the DNS servers. I think MikroTik by default just uses itself as the DNS server because it proxies requests to the upstream DNS server so you might not need to set that.

And you should be good to go.

Another tip: It’s not a bad idea to choose something fairly random to be your DHCP network. Like 10.22.33.0/24. Or 192.168.250.0/25. When troubleshooting issues, it makes it easier to see if some “common” subnet (192.168.0.0/24 for example) starts showing up which is obviously wrong.

The point I was trying to make with that last comment is there’s a large (but simple to cross) gap between configuring a static IP address and actually understanding what all those numbers mean. Once you (you being anyone) start understanding that, this network stuff starts to get a whole lot easier. Then you can spend time on the harder stuff. And there is plenty of it.

I’m just surprised that one oversight in the specified address breaks everything. Your explanation of the network number/identifier is good enough for me however and provides me a way to understand the documentation that (https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#Networks) states that the address is…

address (IP/netmask; Default: ) - the network DHCP server(s) will lease addresses from

Separate from the original thread, but related to CIDR, if I put 192.168.0.0/30 (netmask for 4 addresses), would this indicate that only addresses 192.168.0.1 - 192.168.0.3 would successfully connect to the network? Would addresses 4-254 be excluded from that network?

Almost correct.

192.168.0.0/30 leaves 2 bits to use, and 2 bits is 0 to 3. This means that 0 is the network number and 3 is the broadcast address. You only get to use 1 and 2 for interfaces. It’s effectively a point to point network.

Just to continue this discussion, 192.168.0.4/30 is the “next” /30 network. 4 and 7 are the network and broadcast, 5 and 6 can be used. And so on.

/29 leaves 3 bits to use, which is 0 to 7 (8 addresses). And so on. There are some subnet calculators online, you should play with it. Subnetting is fun.

From your comments:

address (IP/netmask; Default: ) - the network DHCP server(s) will lease addresses from

“Network” in this case means “the first address in that network (the network number) and netmask”. So 192.168.0.0/24 is what they want. It’s probably not clear enough for the casual user, but now you’re an expert :)
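Added example, not from anyone in the thread: a small Python script using the standard library's ipaddress module that works through the three points discussed above, namely the network number/broadcast/usable range for a CIDR (the /30 and /29 question), why the DHCP Network entry must be 192.168.0.0/24 rather than 192.168.0.1/24, and why step 5 of the earlier example failed (no connected route). The helper names and the sample values are constructed for illustration.

```python
import ipaddress


def subnet_facts(cidr):
    """Network number, broadcast, first/last usable host and usable count for a CIDR.
    strict=False accepts a host address such as 192.168.0.1/24 and normalises it."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return (str(net.network_address), str(net.broadcast_address),
            str(hosts[0]), str(hosts[-1]), len(hosts))


def check_dhcp_network(address, gateway, pool):
    """Validate one RouterOS-style DHCP network entry (hypothetical helper, not RouterOS code).
    address: the 'address' field of /ip dhcp-server network, which must be the network
             number (192.168.0.0/24), not the router's own address (192.168.0.1/24)
    gateway: the router's address on that subnet, any usable host address
    pool:    'first-last' range the DHCP server hands out
    Returns a list of problems; an empty list means the entry is consistent."""
    problems = []
    iface = ipaddress.ip_interface(address)
    net = iface.network                      # normalised network number + mask
    if iface.ip != net.network_address:
        problems.append(f"address {address} is a host address; use {net}")
    gw = ipaddress.ip_address(gateway)
    usable = set(net.hosts())                # excludes network number and broadcast
    if gw not in usable:
        problems.append(f"gateway {gateway} is not a usable host in {net}")
    lo, hi = (ipaddress.ip_address(p) for p in pool.split("-"))
    if lo > hi or lo not in usable or hi not in usable:
        problems.append(f"pool {pool} is outside the usable range of {net}")
    elif lo <= gw <= hi:
        problems.append(f"pool {pool} overlaps the gateway {gateway}")
    return problems


def has_connected_route(client_ip, router_addresses):
    """True if one of the router's interface addresses (CIDR strings) shares a subnet with
    client_ip, i.e. the router has a connected route to it. Step 5 of the thread's example
    fails because 192.168.1.10 has no such subnet while the router only holds 192.168.0.1/24."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_interface(a).network for a in router_addresses)


if __name__ == "__main__":
    # Constructed sample values from the thread: the mistaken entry and the corrected one.
    print(check_dhcp_network("192.168.0.1/24", "192.168.0.1", "192.168.0.100-192.168.0.110"))
    print(check_dhcp_network("192.168.0.0/24", "192.168.0.1", "192.168.0.100-192.168.0.110"))
    print(subnet_facts("192.168.0.0/30"), has_connected_route("192.168.1.10", ["192.168.0.1/24"]))
```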