Confused about DHCP server

atakacs · November 30, 2021, 7:58am

Hello

I’m seeing something unexpected with my DHCP server. I have two servers defined, bound to two different networks and adapters:

[mktadmin@mkt-sx-00] /ip/dhcp-server> print
Columns: NAME, INTERFACE, ADDRESS-POOL, LEASE-TIME
# NAME          INTERFACE      ADDRESS-POOL  LEASE-TIME
0 dhcp-Net1     bridgeNet1       dhcp-Net1     10m       
1 dhcp Net2     bridgeNet2       dhcp-Net2     10m

Yet for some reason a client physically attached to bridgeNet2 will get a IP from dhcp-Net1 range (item 6)

[mktadmin@mkt-sx-00] /ip/dhcp-server/lease> print
Flags: D, B - BLOCKED
Columns: ADDRESS, MAC-ADDRESS, HOST-NAME, SERVER, STATUS, LAST-SEEN
#   ADDRESS          MAC-ADDRESS        HOST-NAME      SERVER        STATUS  LAST-SEEN
0 D 192.168.192.197  3C:EC:EF:73:D2:69                 dhcp-Net1  bound   3m17s    
(...)
5 D 192.168.192.183  00:0C:29:57:FA:54  SRV-SX-01      dhcp-Net1  bound   43s      
6 D 192.168.192.178  00:0C:29:DC:FC:31  mgmt-fg-01     dhcp Net2  bound   5m14s

How is that possible ?

holvoetn · November 30, 2021, 8:06am

It’s possible … must be config related.

Post complete config please.
/export hide-sensitive file=anynameyouwish

And then post the contents of that file between [ Code] tags (3th block from the top, the most left one)

atakacs · November 30, 2021, 8:32am

Here we go - pretty basic IMHO

# nov/30/2021 09:21:18 by RouterOS 7.1rc7
# software id = 018C-7TFP
#
# model = CCR1009-8G-1S-1S+
# serial number = ****
/interface bridge
add name=bridgeNet2
add name=bridgeNet1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1
set [ find default-name=ether7 ] comment="OOB management 4G" disabled=yes
set [ find default-name=ether8 ] comment=WAN2
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=CompanyOfficee
/ip ipsec peer
add address=*.*.*.*/32 exchange-mode=ike2 local-address=*.*.68.154 \
    name=CompanyOfficee profile=CompanyOfficee
add address=85.195.218.239/32 exchange-mode=ike2 local-address=*.*.68.154 \
    name=Clover profile=CompanyOfficee
add address=51.154.30.61/32 disabled=yes exchange-mode=ike2 local-address=\
    *.*.68.154 name=Net1Office profile=CompanyOfficee
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=CompanyOfficee
/ip pool
add name=dhcp-Net1 ranges=192.168.192.101-192.168.192.199
add comment="Pool for OpenVPN" name=openvpnpool ranges=\
    10.99.99.50-10.99.99.99
add name=dhcp-Net2 ranges=192.168.0.101-192.198.0.199
add name="router vpn pool" ranges=172.16.254.5-172.16.254.100
/ip dhcp-server
add address-pool=dhcp-Net1 interface=bridgeNet1 name=dhcp-Net1
add address-pool=dhcp-Net2 interface=bridgeNet2 name="dhcp Net2"
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add local-address=openvpnpool name=openvpnprofile remote-address=openvpnpool
add local-address=172.16.254.1 name=remote-devices remote-address=\
    "router vpn pool" use-encryption=yes
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridgeNet1 ingress-filtering=no interface=ether2
add bridge=bridgeNet1 ingress-filtering=no interface=ether3
add bridge=bridgeNet1 ingress-filtering=no interface=ether4
add bridge=bridgeNet2 ingress-filtering=no interface=ether5
add bridge=bridgeNet2 ingress-filtering=no interface=ether6
add bridge=bridgeNet1 ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridgeNet1 ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add interface=ether1 list=WAN
add interface=bridgeNet1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=cert_export_CertScan.crt_0 cipher=aes256 \
    default-profile=openvpnprofile enabled=yes
/interface sstp-server server
set authentication=mschap2 certificate=cert_export_CertScan.crt_0 \
    default-profile=remote-devices enabled=yes port=4435 tls-version=only-1.2
/ip address
add address=192.168.192.254/24 interface=bridgeNet1 network=192.168.192.0
add address=*.*.68.154/29 interface=ether1 network=*.*.68.152
add address=*.*.68.158/29 interface=ether8 network=*.*.68.152
add address=192.168.0.254/24 interface=bridgeNet2 network=192.168.0.0
add address=172.16.200.254/24 interface=bridgeNet1 network=172.16.200.0
add address=172.16.172.254/24 interface=bridgeNet1 network=172.16.172.0
add address=172.16.100.254/24 interface=bridgeNet1 network=172.16.100.0
add address=*.*.68.155/29 interface=ether1 network=*.*.68.152
add address=172.16.210.254/24 interface=bridgeNet1 network=172.16.210.0
add address=172.16.215.0/24 interface=bridgeNet2 network=172.16.215.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.192.195 client-id=1:0:c:29:84:d9:87 mac-address=\
    00:0C:29:84:D9:87 server=dhcp-Net1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=192.168.0.254 \
    netmask=24
add address=192.168.192.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=\
    192.168.192.254 netmask=24
/ip dns
set servers=9.9.9.9,1.1.1.1
/ip firewall address-list
add address=172.104.139.66 list=DenyLIst
add address=112.78.133.35 list=DenyLIst
add address=218.56.65.232 list=DenyLIst
add address=171.251.224.131 list=DenyLIst
add address=121.5.234.116 list=DenyLIst
add address=14.229.62.167 list=DenyLIst
add address=190.6.38.79 list=DenyLIst
add address=49.144.231.138 list=DenyLIst
add address=148.0.235.46 list=DenyLIst
add address=134.236.16.53 list=DenyLIst
add address=181.61.248.12 list=DenyLIst
add address=*.*.*.* list=AdminAllow
add address=181.171.229.47 list=DenyLIst
add address=88.247.42.40 list=DenyLIst
add address=113.165.60.138 list=DenyLIst
add address=103.239.255.36 list=AdminAllow
add address=119.42.66.225 list=DenyLIst
add address=95.222.25.17 list=DenyLIst
add address=91.195.91.255 list=DenyLIst
add address=213.196.181.194 list=DTI
add address=213.196.181.195 list=DTI
add address=213.196.181.196 list=DTI
add address=213.196.181.197 list=DTI
add address=*.*.*.* list=DTI
/ip firewall filter
add action=drop chain=input comment="drop blacklisted" log-prefix=deny- \
    src-address-list=DenyLIst
add action=accept chain=forward log-prefix=fwsyn- src-address=*.*.*.*
add action=accept chain=forward comment="to Company Office from DC LAN" \
    dst-address=172.16.101.0/24 src-address=192.168.192.0/24
add action=accept chain=forward comment="to Company Office from 200 LAN" \
    dst-address=172.16.101.0/24 src-address=172.16.200.0/24
add action=accept chain=forward comment="to Clover Office from DC LAN" \
    dst-address=172.16.107.0/24 src-address=192.168.192.0/24
add action=accept chain=forward comment="to Clover Office from DC LAN" \
    dst-address=172.16.107.0/24 src-address=172.16.210.0/24
add action=accept chain=forward comment=\
    "to Clover Office from DC LAN 172.16.200.0/24" dst-address=\
    172.16.107.0/24 src-address=172.16.200.0/24
add action=accept chain=forward comment=\
    "to Clover Office from DC LAN 172.16.215.0/24" dst-address=\
    172.16.107.0/24 src-address=172.16.215.0/24
add action=accept chain=forward comment="Allow all IPSec OUT" ipsec-policy=\
    out,ipsec
add action=accept chain=forward comment="Allow all IPSec IN" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="All port 2221" connection-state=new \
    dst-port=2221 log=yes log-prefix=ftp- protocol=tcp
add action=accept chain=input protocol=icmp src-address-list=AdminAllow
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=accept chain=srcnat comment="IPSEC Traffic pass without NAT" \
    dst-address=172.16.101.0/24 src-address=172.16.200.0/24
add action=accept chain=srcnat comment="IPSEC Traffic pass without NAT" \
    dst-address=172.16.101.0/24 src-address=192.168.192.0/24
add action=accept chain=srcnat comment="IPSEC Traffic pass without NAT" \
    dst-address=172.16.101.0/24 src-address=172.16.172.0/24
add action=accept chain=srcnat comment="IPSEC Traffic pass without NAT" \
    dst-address=172.16.101.0/24 src-address=172.16.100.0/24
add action=accept chain=srcnat comment="IPSEC Traffic pass without NAT" \
    dst-address=172.16.101.0/24 src-address=192.168.0.0/24
add action=accept chain=srcnat comment=\
    "IPSEC Traffic pass without NAT to 172.16.107.0/24" dst-address=\
    172.16.107.0/24 src-address=172.16.210.0/24
add action=accept chain=srcnat comment=\
    "IPSEC Traffic pass without NAT to 172.16.107.0/24" dst-address=\
    172.16.107.0/24 src-address=192.168.192.0/24
add action=accept chain=srcnat comment=\
    "IPSEC Traffic pass without NAT to 172.16.107.0/24" dst-address=\
    172.16.107.0/24 src-address=172.16.200.0/24
add action=accept chain=srcnat comment=\
    "IPSEC Traffic pass without NAT to 172.16.107.0/24 from 172.16.215.0/24" \
    dst-address=172.16.107.0/24 src-address=172.16.215.0/24
add action=masquerade chain=srcnat comment="Masquerade for subnet 200" \
    src-address=172.16.200.0/24
add action=masquerade chain=srcnat comment="Masquerade for subnet 210" \
    src-address=172.16.210.0/24
add action=masquerade chain=srcnat comment="Masquerade for subnet 100" \
    log-prefix=msq- src-address=172.16.100.0/24
add action=masquerade chain=srcnat comment=\
    "Masquerade for subnet 192.168.192.0/24" src-address=192.168.192.0/24
add action=masquerade chain=srcnat comment=\
    "Masquerade for subnet 172.16.172.0/24" src-address=172.16.172.0/24
add action=masquerade chain=srcnat comment=\
    "Masquerade for subnet 192.168.192.0/24" src-address=172.16.215.0/24
add action=accept chain=srcnat disabled=yes dst-address=172.16.101.0/24 \
    src-address=172.16.200.0/24
add action=accept chain=srcnat disabled=yes dst-address=172.16.200.254 \
    src-address=192.168.192.0/24
add action=dst-nat chain=dstnat dst-address=*.*.68.154 dst-port=33334 \
    protocol=tcp to-addresses=172.16.200.202 to-ports=3389
add action=dst-nat chain=dstnat comment="RDweb to rd-sx-02" dst-address=\
    *.*.68.154 dst-port=3389 protocol=tcp to-addresses=172.16.200.202
add action=dst-nat chain=dstnat dst-address=*.*.68.154 dst-port=443 \
    log-prefix=rd-web443 protocol=tcp to-addresses=172.16.100.30
add action=dst-nat chain=dstnat comment="RD Gateway" dst-address=\
    *.*.68.154 dst-port=4433 log-prefix=rdweb-4444 protocol=tcp \
    to-addresses=172.16.200.202
add action=dst-nat chain=dstnat comment="Scan FTP" dst-address=*.*.68.154 \
    dst-port=990,2221 log-prefix=ftp-nat protocol=tcp to-addresses=\
    172.16.172.150
add action=dst-nat chain=dstnat comment="SQL RDP access" dst-address=\
    *.*.68.154 dst-port=33339 protocol=tcp to-addresses=172.16.200.110 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="SQL Passive FTP" dst-address=\
    *.*.68.154 dst-port=51000-52000 protocol=tcp to-addresses=\
    172.16.172.150
add action=dst-nat chain=dstnat comment="Direct RDP for Company Office" \
    dst-address=*.*.68.154 dst-port=33389 log-prefix=rdpx- protocol=tcp \
    to-addresses=172.16.200.110 to-ports=3389
add action=dst-nat chain=dstnat dst-address=*.*.68.154 dst-port=3391 \
    protocol=udp to-addresses=172.16.200.202 to-ports=3391
add action=dst-nat chain=dstnat dst-address=*.*.68.158 to-addresses=\
    192.168.192.253
add action=dst-nat chain=dstnat comment="Scan admin" dst-address=\
    *.*.68.154 dst-port=20444 log-prefix=scanadmin- protocol=tcp \
    to-addresses=172.16.172.150
add action=dst-nat chain=dstnat dst-address=*.*.68.154 dst-port=22 log=yes \
    log-prefix=ssh- protocol=tcp src-address=*.*.*.* to-addresses=\
    192.168.192.187
add action=dst-nat chain=dstnat dst-address=*.*.68.155 dst-port=80,443 \
    protocol=tcp to-addresses=172.16.100.55
add action=dst-nat chain=dstnat comment="DTI direct" dst-address=\
    *.*.68.155 dst-port=3389 protocol=tcp src-address-list=DTI \
    to-addresses=172.16.200.204
/ip firewall service-port
set ftp ports=2221
set sip disabled=yes
/ip ipsec identity
add peer=CompanyOfficee
add peer=Clover
/ip ipsec policy
add dst-address=172.16.101.0/24 level=unique peer=CompanyOfficee proposal=\
    CompanyOfficee src-address=192.168.192.0/24 tunnel=yes
add dst-address=172.16.101.0/24 level=unique peer=CompanyOfficee proposal=\
    CompanyOfficee src-address=172.16.200.0/24 tunnel=yes
add dst-address=172.16.101.0/24 level=unique peer=CompanyOfficee proposal=\
    CompanyOfficee src-address=172.16.172.0/24 tunnel=yes
add dst-address=172.16.101.0/24 level=unique peer=CompanyOfficee proposal=\
    CompanyOfficee src-address=172.16.100.0/24 tunnel=yes
add dst-address=172.16.101.0/24 level=unique peer=CompanyOfficee proposal=\
    CompanyOfficee src-address=192.168.0.0/24 tunnel=yes
add dst-address=172.16.107.0/24 level=unique peer=Clover proposal=CompanyOfficee \
    src-address=192.168.192.0/24 tunnel=yes
add dst-address=172.16.107.0/24 level=unique peer=Clover proposal=CompanyOfficee \
    src-address=172.16.210.0/24 tunnel=yes
add dst-address=172.16.107.0/24 level=unique peer=Clover proposal=CompanyOfficee \
    src-address=192.168.0.0/24 tunnel=yes
add dst-address=172.16.107.0/24 peer=Clover proposal=CompanyOfficee src-address=\
    172.16.200.0/24 tunnel=yes
add dst-address=85.195.218.239/32 peer=Clover proposal=CompanyOfficee src-address=\
    *.*.68.154/32
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\
    *.*.68.153
/ip service
set telnet address=192.168.192.0/24,*.*.*.*/32,*.*.*.*/32
set ftp disabled=yes
set www disabled=yes
set ssh address="*.*.*.*" disabled=yes
set api address=*.*.*.*/32,51.154.30.61/32
set winbox address="*.*.*.*/32"
set api-ssl address=*.*.*.*/32
/ppp secret
add disabled=yes name=Hoster profile=remote-devices service=sstp
add name=scanvpn180 routes=172.16.180.0/24 service=ovpn
add name=scanvpn173 routes=172.16.173.0/24 service=ovpn
add name=scanvpn174 routes=172.16.174.0/24 service=ovpn
add name=scanvpn176 routes=172.16.176.0/24 service=ovpn
add name=scanvpn177 routes=172.16.177.0/24 service=ovpn
add name=scanvpn178 routes=172.16.178.0/24 service=ovpn
add name=scanvpn179 routes=172.16.179.0/24 service=ovpn
add name=scanvpn181 routes=172.16.181.0/24 service=ovpn
add name=scanvpn182 routes=172.16.182.0/24 service=ovpn
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=mkt-sx-00
/system logging
add disabled=yes topics=ppp
add disabled=yes topics=ovpn
add disabled=yes prefix=sstp- topics=sstp
add prefix=ipsec- topics=ipsec
/tool sniffer
set file-name=capture filter-ip-protocol=ipsec-esp

atakacs · November 30, 2021, 9:48am

Found my issue

add name=dhcp-Net2 ranges=192.168.0.101-192.198.0.199

Typo here (

That being said not sure the DHCP server should serve from another unrelated pool …

holvoetn · November 30, 2021, 10:16am

Good thing about finding the issue yourself is that you will never forget about it

It’s not unrelated if the request got there. But this was a config problem.
If that should not be possible at all, you may have to consider hard boundaries between those subnets (firewall rules, dropping DHCP requests coming from the “wrong” interface. That’s one option).

spynappels · November 30, 2021, 10:18am

VLANs would be another option, with everything on the same bridge but VLAN’ed off from each other.

atakacs · November 30, 2021, 10:23am

Yep - good idea.

Still not completely sure this isn’t some bug (or at minimum an “edge case”)

Guscht · November 30, 2021, 2:13pm

Please make sure, you havent somewhere in your network a cable, bridging your both LANs together.
It could be the case, because the “wrong” DHCP answers sometimes faster as the right DHCP…

anav · November 30, 2021, 2:23pm

(1) Your are missing one thing… Maybe?

/interface list member
add interface=ether1 list=WAN
add interface=bridgeNet1 list=LAN
add interface=bridgeNet2 list=LAN ???

(2) Confused about another part of the setup…
add address=172.16.200.254/24 interface=bridgeNet1 network=172.16.200.0
add address=172.16.172.254/24 interface=bridgeNet1 network=172.16.172.0
add address=172.16.100.254/24 interface=bridgeNet1 network=172.16.100.0
add address=172.16.210.254/24 interface=bridgeNet1 network=172.16.210.0
add address=172.16.215.0/24 interface=bridgeNet2 network=172.16.215.0

Since both bridges already have an IP address I am not sure.
a. if you can add other addresses like this
b. if you can add pptp and the like vpn to bridges as they are not technically complete interfaces …

(3) Your firewall rules are messy and hard to read as you should put all input together and all forward together so its legible and the order of rules seems off as well within a chain.
Not even sure why port 2221 is allowed from anywhere to anywhere in the forward chain…

(4) You source nat and masquerade the hell out of everything is this really required??

(5) You seem to port forward to networks/servers that dont exist… for example 172.16.200.202 has no such subnet or dhcp etc etc…

Clearly there is something I dont understand about how you are using the router…

holvoetn · November 30, 2021, 2:29pm

To be honest (and afterwards always easy to say): I was already wondering about that one as well.
WAN and LAN but what about ?

But I do not think this is related to the DHCP problem. Is it ?

anav · November 30, 2021, 3:17pm

With MT one never knows what is or isnt connected,…well Sindy and Sob know, but I dont.

Guscht · November 30, 2021, 8:08pm

MT (ROS in particular) is comparable to women in general.
If you think you understand them, they will show you, your knowledge about them is - maybe - 5%…

The MT Switch → VLAN menu (in particular from the CRS1/2xxx) is like my ex-GF Eva. I always though I understand her, but I knew NOTHING…
Both - ROS/VLANs and Eva gave me almost a depression.

atakacs · December 1, 2021, 6:24am

Hello

Many thanks for taking the time to review my config ! I am still obviously learning Mikrotik and any and all input is much appreciated !

Concretely what good would it do me ? Ie what is the purpose of the WAN and LAN lists… I know a newbee question

a. Well at least in seems to work - what would be the “proper” way to define multiple subnets on a single bridge ?
b. No PPTP involved but OpenVPN - also seems to work as is. What is the proper way to bridge OpenVPN without using bridges ?

Rules where defined in the GUI (winbox) and certainly no “clean”. That said I’m not sure about “all forward together” - in a single rule ?

Rule 10 was to open port 2211 to the external world (so source is indeed “anywhere”) and valid for all my public IP (so destinatin is indeed “any”). Is there a cleaner way to do this ?

I understand that I have to masquerade for all subnets so that they can reach out ? And sourcenat all IPsec site to site subnets ? Again if there is a cleaner / better way to do this I’m happy to learn !

Hmm there is a sunet 172.16.200.0/24 (see point 2 first entry) and a server at 202.

Again gratefull for any advice / suggestion to improve my config.

holvoetn · December 1, 2021, 6:45am

Every interface can be part of an interface list. The most common used are LAN and WAN. You can make others if you want.
Default firewall rules are mostly based on allowing traffic from LAN and blocking stuff from WAN.
If you got an interface without label, it’s certainly not LAN hence it might be blocked which might not be what you want.
At least give that interface a proper label so there is no misunderstanding on what it is supposed to do.

On the ordering of firewall rules:
it is not NEEDED but it makes it a lot easier when others need to review your rules.
Or for yourself when you look at it again some weeks or months from now when you want to change something and are not in the current mind set anymore (now you may have a lot of the things clear in your head, I assure you some time from now it will evaporate).
Just best practice.

3 chains:
Input
Forward
Output

Put your rules together within the chain PRESERVING the current order.
Everything from Input together.
Everything from Forward together.
Everything from Output together.

Example from rules on my mAP device:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept from local network (Lab Environment)" src-address=192.168.2.0/24
add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN

anav · December 1, 2021, 8:34pm

I dont think its possible or wise to attach your VPN connections to bridges.
Simply make the firewall rules you need to allow connectivity from VPN access to LAN subnets and vice versa etc…
I think of VPNs a faux LANs, they are not real LANs but are parallel to them.
A VPN is a tunnel that with an entry/exit at the LAN level but is not a LAN subnet.

Seems like you have many tunnels.
So use firewall rules for VPN tunnel to LAN connectivity
So use firewall rules for VPN tunnel to VPN Tunnel connectivity (BUT I DO NOT KNOW if this is even possible/legal).

If the VPN tunnels require access to the Routers Internet then you need to ensure there is a route back to the right tunnel for that traffic

dst-address=subnetofVPN1 tunnel interface=associated vpninterface1
dst-address=subnetofVPN2 tunnel interface=associated vpninterface2
etc…

They may be created dynamically so check ip routes…

atakacs · December 2, 2021, 6:22am

Thanks for the suggestions. I see natting as a bit of a kludge - in my view router should… route. But happy to learn.