I have a pair of SXT G-5HPacD z2 MikroTik units set up as a bridge between 2 buildings. Most traffic seems to function just fine, including ARP. However, DHCP requests do not appear to traverse from one side of the bridge to the other.
The network topology is roughly: firewall <-LAN-> MikroTik PTP Bridge AP ↔ MikroTik PTP Bridge CPE <-LAN-> clients
The DHCP server is the firewall, and clients at the right (the far side of the bridge from the firewall) cannot obtain addresses via DHCP. If I assign manual addresses and routes they have perfect IP connectivity.
If I run a tcpdump on the firewall and also on a laptop client, the client will see normal traffic including ARP and DHCP. The firewall will see normal traffic and ARP but not the DHCP requests. I mention ARP because it uses broadcast ethernet packets like DHCP does.
Is there something basic I should be examining to see why this might be?
There are no firewall rules or DHCP setup on the MikroTiks.
Quick read of your post, and one thing that stands out is that if you have to add routes, then your bridge config is not correct and you will have issues with DHCP.
You need to change your wireless settings to AP Bridge and Station WDS. Using just Station, all MAC addresses get translated to the MAC of the station. The DHCP server will only assign 1 IP per MAC. This is why statically assigning IPs works and DHCP doesn’t.
2frogs, apologies, I am not a wireless expert but I do not agree with that link, in there they are using technology for extending an AP (WDS) for a point to point link which I personally think is fundamentally wrong.
If you read the first paragraph of the link you provided, it states there are several ways to accomplish a PtP. Your solution only works for PtP, whereas mine would work also for PtMP where there are multiple devices at each endpoint. Plus I have not seen a definition of station-bridge; it is not in https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless and I have never used it.
Fair enough, but reading that you see they are “Fundamentally” the same. They serve the same purpose, check the same boxes, and have the same outcome. And I would almost guarantee that at the core they are the same and use the same WDS protocols, but just done more transparently using the bridge/station-bridge. And contrary to the last sentence on that wiki, station-WDS has more benefits which in my opinion would be best. And I still stand by my solution!
Nonetheless, the OP has 2 viable solutions and can choose either.
All the hosts on this bridge’s LAN are on the same IP network (172.16.3.0/24) - no routes are required between each side and ordinary IP traffic works perfectly, both to local addresses on both sides of the bridges and to external hosts routed via the firewall. Only DHCP seems to be swallowed, not traversing the bridge.
Just to your “add routes” comment, which I didn’t consider closely: the only route added to a client was to the firewall as the default gateway to the internet. The whole thing is one LAN with the same IP network - no routes are used to get to local hosts.
The issue I’m observing is not that each “right hand” client receives the same IP, as would be the case if MAC addresses were being translated. The issue is that DHCP Request packets that issue from a client on the right hand side DO NOT SHOW UP at the firewall on the left side. Other ethernet broadcast traffic, such as ARP, does cross happily from the right to the left and is seen at the firewall with the correct untranslated original source MAC address.
The right hand MikroTik was already “mode=station-wds”. After reading:
I’ve changed this to “mode=station-bridge”, though from the descriptions on that page I would expect either to work. But lo, now DHCP gets across the bridge.
Can someone explain to me why “station-wds” and “station-bridge” behave differently in this situation?
Having not seen your AP’s configuration while you were running the “station-wds” mode on the client, I can only speculate.
According to the manual, the difference between the modes is that when a station is running the “station-bridge” mode, at the AP side it is still reachable via the common interface which is used to talk to all stations except those running the “station-wds” mode. Each station running the “station-wds” mode causes the AP side to dynamically create a dedicated interface for itself. So the question would be which of the two interfaces (the common one which exists always, or the dynamic one which only exists while the “station-wds” client is associated) was made a member of the bridge with the LAN port?