DHCP and STATIC IP on the same interface

Hi All,


I have a “CRS125-24G-1S-2HnD” with port 24 connected to my internet connection. Currently on the internet port I have an IP address that is received from my ISP’s DHCP server as well as a static address that I have assigned to the interface.

I want all web browsing to occur via the dynamic address and allow for incoming internal services via the static address.

Initially this works fine, if I browse to a website like https://whatismyipaddress.com/ my public address is displayed, however when the DHCP lease refreshes and I browse to https://whatismyipaddress.com/ it then displays my static ip address. Each time this happens, I disable the static address on the interface and re-enable to make the DHCP address take priority again.

My question: how do I get the DHCP address to permanently take priority over the interface? I want the static address to only be used for incoming connections to internally hosted services.

Thanks

Do both your 0.0.0.0/0 routes have the same distance? Set the static route distance to 2, in IP > DHCP Client, set distance to 1.

I think I explained myself badly. The following depicts my config with regards to IP addresses and routes. There is a dynamic route and IP address (xxx.xxx.164.216) obtained from the ISP DHCP. There is also a statically assigned IP address (xxx.xxx.164.221) to the same interface. Looking at the routes, you notice that the dynamic route does not have a PREF-SRC and it seems that this cannot be set manually.

When initially visiting the https://whatismyipaddress.com website, it reports back that my public IP address is xxx.xxx.164.216. If I then renew the DHCP lease and revisit the https://whatismyipaddress.com website, it reports my public IP address as xxx.xxx.164.221.

I do not want my users to browse the internet as xxx.xxx.164.221, instead I want xxx.xxx.164.221 to be used only for incoming connections that I make available via NAT rules.

Any advice would be greatly appreciated.

[admin@1000_MTIK_CRS-1-24Port] /ip address> pri
 #   ADDRESS            NETWORK         INTERFACE
 0   10.11.0.250/24     10.11.0.0       PORT2 - LAN
 1 XI 192.168.10.200/24  192.168.10.0    PORT1 - Internet
 2   10.11.3.251/24     10.11.3.0       PORT23-WAN-1003
 3   10.10.0.1/30       10.10.0.0       PORT24-WAN-1001
 4   192.168.0.250/24   192.168.0.0     PORT2 - LAN
 5   10.11.100.205/30   10.11.100.204   VLAN1000
 6   xxx.xxx.164.221/24 xxx.xxx.164.0   PORT21-INTERNET-FIBRE
 7   10.11.100.221/30   10.11.100.220   VLAN3000
 8 D xxx.xxx.164.216/24 xxx.xxx.164.0   PORT21-INTERNET-FIBRE
[admin@1000_MTIK_CRS-1-24Port] /ip address>

[admin@1000_MTIK_CRS-1-24Port] /ip route> print 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          197.234.164.1           150
 1 ADC  10.10.0.0/30       10.10.0.1       xxxx.WAN.Bridge           0
 2 A S  10.11.0.0/16       10.11.3.251     10.11.3.244             125
 3   S  10.11.0.0/16                       10.11.100.206           130
 4 ADC  10.11.0.0/24       10.11.0.250     xxxx.LAN.Bridge           0
 5 A S  10.11.1.0/24                       10.11.3.250             120
 6 ADC  10.11.3.0/24       10.11.3.251     xxxx.WAN.Bridge           0
 7 A S  10.11.4.0/24                       10.11.3.245             120
 8 A S  10.11.7.0/24                       10.11.3.246             120
 9 A S  10.11.10.0/24                      10.11.100.206           120
10 A S  10.11.15.0/24                      10.11.3.250             120
11 A S  10.11.17.0/24      10.11.0.250     10.11.100.206           120
12 A S  10.11.20.0/24      10.11.0.250     10.11.100.206           120
13 A S  10.11.24.0/24                      10.11.0.208             120
14 A S  10.11.25.0/24      10.11.0.250     10.11.100.206           120
15 A S  10.11.100.0/24                     10.11.100.206           120
16 ADC  10.11.100.204/30   10.11.100.205   VLAN1000                  0
17 ADC  10.11.100.220/30   10.11.100.221   VLAN3000                  0
18 A S  172.16.0.0/12                      10.11.100.206           130
19 A S  192.168.0.0/16                     10.11.100.206           130
20 ADC  192.168.0.0/24     192.168.0.250   xxxx.LAN.Bridge           0
21 A S  192.168.1.50/32                    10.11.100.206             1
22 A S  192.168.2.0/24                     10.11.100.206           120
23 ADC  xxx.xxx.164.0/24   xxx.xxx.164.216 PORT21-INTERNET...        0

Thank you.

I think you are going to have to script your way out of this to get it to work the way you want 100% of the time.

Basically, you’re going to have to use action=src-nat instead of action=masquerade because masquerade is just going to use whatever it thinks the correct source IP address will be.

Set up src-nat rule(s) for host(s) that should be mapped to the static IP and then you’ll need a script that is triggered whenever the dhcp-client obtains a lease, which modifies the to-addresses=x.x.x.x option on the dynamic src-nat rule. You can use a comment as the way to select the “dynamic src-nat” rule.

Ohhh.. Your dynamic IP and Static IP both have the same subnet. You’ll have to use a script like ZeroByte says.

See the following link. A script can be called when a lease is added/changed/removed. You need at least v6.39rc33.
https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Client
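
The src-nat plus lease-script approach from the replies above, written out as an added example that is not part of the thread or of MikroTik's documentation. Assumptions: 192.0.2.216 and 192.0.2.221 stand in for the masked xxx.xxx.164.216 (DHCP) and xxx.xxx.164.221 (static) addresses, 10.11.0.10 is a hypothetical internal host, and the comment strings are arbitrary labels.

```routeros
# Added example (RouterOS v6 syntax). Addresses are placeholders:
#   192.0.2.216 = current DHCP lease, 192.0.2.221 = static address,
#   10.11.0.10  = hypothetical internal host published via the static IP.

# 1. Stop masquerade from choosing the source address on the WAN port.
/ip firewall nat disable [find chain=srcnat action=masquerade \
    out-interface=PORT21-INTERNET-FIBRE]

# 2. Hosts that must leave as the static address. This rule is added first
#    so it is matched before the general rule below.
/ip firewall nat add chain=srcnat src-address=10.11.0.10 \
    out-interface=PORT21-INTERNET-FIBRE action=src-nat \
    to-addresses=192.0.2.221 comment="static src-nat"

# 3. Everything else leaves as the DHCP address. The lease script finds
#    this rule by its comment and rewrites to-addresses.
/ip firewall nat add chain=srcnat out-interface=PORT21-INTERNET-FIBRE \
    action=src-nat to-addresses=192.0.2.216 comment="dynamic src-nat"

# 4. Script body for the DHCP client entry on PORT21-INTERNET-FIBRE
#    (IP > DHCP Client > Script field). $bound and $"lease-address" are
#    set by the DHCP client when it runs the script.
:if ($bound = 1) do={
    /ip firewall nat set [find comment="dynamic src-nat"] \
        to-addresses=$"lease-address"
    :log info ("dynamic src-nat now uses " . $"lease-address")
} else={
    # Lease removed: leave the rule alone and record the event.
    :log warning "DHCP lease lost on PORT21-INTERNET-FIBRE"
}

# 5. Check after a lease renewal: to-addresses should equal the D address
#    shown by /ip address print.
/ip firewall nat print where comment="dynamic src-nat"
```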

It is also possible to put the default route for the fixed IP address in a different route table (type something in the “route mark” field, e.g. “static”) and then under IP->route->rules add a rule with that static IP as the source address and a lookup in that table.

That way, the default route will not be available to any other traffic than the replies to traffic to that fixed address. All other traffic (including outgoing masquerade traffic) will use only the main table, which is initialized by the DHCP client.