I tried to realize “ip unnumbered” with ROS 6.36 and DHCP relay enabled. All was fine while I tested with only one VLAN. When I created 3 VLANs the troubles began.
My configuration:
[boris@MikroTik] /routing filter> /interface print detail where name=Loopback1
Flags: D - dynamic, X - disabled, R - running, S - slave
 0 R name="Loopback1" type="bridge" mtu=auto actual-mtu=1500 l2mtu=65535
     mac-address=00:00:00:00:00:00 fast-path=yes
     last-link-down-time=sep/10/2016 10:57:01
     last-link-up-time=sep/12/2016 20:44:00 link-downs=4
So, the client is trying to get an address on VL1.64. I see the requests are coming in on this interface, but responses are going out of VL1.46!!! So, what is wrong with my configuration or my understanding of ROS?
You cannot assign the same IP on multiple interfaces; when you do so, you’re creating a “directly connected” route in the ROS routing table, and that’s why ROS sends the reply out the first interface (first occurrence of the IP).
I am trying to replicate the Cisco “ip unnumbered” feature, where there is one supernet interface with an IP address and other interfaces without an IP address, but routing is still possible.
One interface (named Loopback) holds the /24 supernet. Other interfaces (misc VLANs) stay without an IP address, with only DHCP relay enabled on them. When there is a DHCP Discover request, it must be relayed to our DHCP server. There is a script on our DHCP server: when the address is assigned to the client (after the final ACK) it connects to the Mikrotik via API and installs the route: /ip route add dst-address=client_ip/32 pref-src=Loopback_IP gateway=client_vlan
So, in this scheme I can’t get DHCP relay to work properly. I understand that the same IPs on several interfaces are wrong, so I removed the /32 IPs from the VLANs and only the supernet is active. There is no problem when I use a static IP on the client’s PC + /ip route on the Mikrotik. But DHCP does not work.
Add the VLAN interfaces as ports of it, horizon=X (same numeric value) if you want them to be isolated from each other.
Assign the ip on top of that bridge
Setup DHCP Relay on top of that bridge.
I still don’t get why you need to set it up the way you want, nor why you are using a public IP for that; the setup you’re insisting on using doesn’t make sense to me.
To advise on the best-practice way of dealing with your situation, knowing the scenario in more detail, and what problem(s) you want to solve or features you want to implement, is the most important information.
Now my VLANs are children of a bonding (LACP) interface and they need to stay that way. May I use this scheme with bonding, or may I put the bridge as a child of the bonding?
Why I need this scheme: we are an ISP with a small number of IPv4 addresses. For some reasons we can’t use NAT for our users. For security reasons our clients must be L2 isolated. So, the only way to do this in the Cisco world is ip unnumbered + VLAN per user. But yes, this is the Cisco way. As we have never used Mikrotik before, we are doing things the Cisco way. Of course, maybe we are wrong and there is another way with Mikrotik. Please share if there is another way.
From a management point of view, IMHO, that’s a mess… too much work, too many places to manage, for little or no advantage.
Common practice (not only in the Mikrotik world) is deploying and using OSPF/MPLS on POP routers. That way you can bring isolated L2 segments tunnelled inside L3 to an access concentrator, where PPPoE is usually deployed.
This way you’ll have a central point of management and could disconnect a user with a couple of clicks (to do changes while running DHCP you’ll depend on the client); if the same router running the PPPoE server is the PE router you’re done with routes to customers; if using a specific router for PPPoE, you can either set static routes between the PE and PPPoE router, or run OSPF between them (you’ll prefer OSPF between all routers as this makes deploying MPLS a breeze).
@pukkita, tried your recipe. Unfortunately, after adding the VLANs to the bridge (no matter what horizon value is used) traffic stops in these VLANs. Removing them from the bridge restores normal behaviour.
From an ISP’s point of view there are many disadvantages to using PPPoE or any other form of additional encapsulation. Yes, I agree, it’s very simple to admin, and hard to solve problems, especially if they are on the user side and on the user’s router. And sometimes users use their own tunnels, which have troubles when encapsulated in PPPoE or similar. And again, PPP is not as easy as DHCP, where the user just plugs and plays. PPP needs some interaction with the configuration on the PC / router.
Using the same horizon value will prevent traffic between VLANs, isolating them from each other. If this is not what you want, do not specify the horizon value.
On WISPs the pppoe-client is usually run on the CPE (router mode) while the domestic “router” can be left in L2 mode as a simple Wired/wireless “switch”. This way you keep control, and users keep simplicity.
Nothing prevents you running DHCP on the MPLS “hub” however if you so desire.
And yes, @pukkita, thanks for the presentation. I know what MPLS is, I know how to interact with it. But it can solve only one of my problems: client isolation. And this is a little evil in comparison with the small IPv4 space, which MPLS can’t solve. Am I still wrong?
To conserve address space the best tool is network design strategy, starting from not using any public addresses on the internal network.
In fact even private addresses are usually assigned by (W)ISPs on NOCs for transit, using a single /32 IP address on top of a loopback interface (empty bridge) just for the PE router: the goal is reserving all of them for the customers. And a whole (W)ISP can be designed like that: just one public IP address for the PE router, all the rest of public addresses for customers.
IPv6 is another possible option; and also not all customers need nor want public addresses.
We don’t use public IPs for equipment. We don’t use unnecessary subnetting. And to avoid unnecessary subnetting there is the Cisco-like “ip unnumbered”. We can implement it with static addresses and can’t with DHCP. I want to understand why: is this just a bug and it will be solved, or is this a ROS6 limitation and it will be solved with ROS7, or will it never be implemented in ROS and we should look more closely at other technologies or even equipment (Linux + ppp-accel, for example)?
Unless you purposely changed it for the post, that’s a public IP AFAIK…
No bugs that I am aware of… but noticed you set a /24 as the netmask. Try the bridge with none, or /32 netmask (ip address == network address).
That’s how you can achieve an equivalent behaviour under ROS, by using empty bridges with /32 ip on top of them so that they aren’t directly connected to any interface (along with proper routing), or by assigning the interfaces to a bridge and the ip on top of the bridge.
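The recipe from the replies above (a bridge with the VLANs as horizon-isolated ports, the address and the DHCP relay on top of the bridge, and a /32 rather than a /24 netmask), written out as RouterOS 6.x commands. This is an added example, not configuration posted in the thread; the bridge name, the VLAN names VL1.64 and VL1.46, the 192.0.2.0/24 supernet (documentation range), the customer address 192.0.2.77 and the DHCP server address 10.255.0.5 are assumed placeholders.

```routeros
# Added example, not from the thread. All names and addresses below are
# assumed placeholders.

# 1. An (otherwise empty) bridge that carries the supernet address.
/interface bridge add name=br-unnumbered protocol-mode=none

# 2. Customer VLANs become ports of the bridge. The same horizon value on
#    every port keeps customers L2-isolated from each other (split horizon);
#    leave horizon= out if inter-VLAN traffic is wanted.
/interface bridge port add bridge=br-unnumbered interface=VL1.64 horizon=1
/interface bridge port add bridge=br-unnumbered interface=VL1.46 horizon=1

# 3. The address goes on the bridge, not on the VLANs, and with a /32 mask so
#    that no connected /24 route is created on the bridge.
/ip address add address=192.0.2.1/32 interface=br-unnumbered

# 4. DHCP relay on the bridge; local-address is the bridge IP the relay
#    presents to the DHCP server.
/ip dhcp-relay add name=relay-unnumbered interface=br-unnumbered dhcp-server=10.255.0.5 local-address=192.0.2.1 disabled=no

# 5. Per-customer /32 route, installed by the DHCP server's API script after
#    the final ACK (the command from the original post with placeholders
#    filled in; the gateway is the bridge, since the VLANs are its ports).
/ip route add dst-address=192.0.2.77/32 pref-src=192.0.2.1 gateway=br-unnumbered

# Checks: the relay should be enabled on the bridge, and the customer route
# should be active with the bridge as gateway.
/ip dhcp-relay print
/ip route print detail where dst-address=192.0.2.77/32
```

With this layout the per-customer route points at the bridge rather than at the individual VLAN; the horizon value, not a per-VLAN route, is what keeps customers apart at L2.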
@pukkita, I’m wondering, what IPs are you using on the PPPoE loopbacks? A private IP for the loopback and public ones for users? Yes, this is possible, but it violates internet routing policy. I mean, we do not use public addresses for unnecessary reasons, for example for management.
As I wrote before, assigning VLANs to the bridge stops any traffic there. I showed my configuration.
I misunderstood the part about empty bridges. Please explain.
I got a working configuration with bridge and VLAN. The only problem is that users are bound to the bridge, not the unnumbered VLAN, so the Cisco-like idea doesn’t work.