I’m having a strange issue with my RB 2011UiAS 2HnD on RouterOS 6.27. I’ve set up a DHCP server using the wizard. This has resulted in the following settings:
[Attached screenshots: DHCP Server Settings, DHCP Network Settings, IP Pool Settings]
Yet I can’t get most of my devices to accept DHCP offers from my RB device. Either the addresses are assigned only to be deassigned 10 seconds later or the DHCP offer expires.
Any thoughts on what this could be and how I should solve this?
This sounds like the clients’ replies are not getting to the server.
Is there a firewall rule on the bridge interface which blocks traffic in the input chain, and would apply to traffic coming in from bridge-local interface?
The default IP is 192.168.88.1/24 on Mikrotiks (or it was the last time I took one out of a box), and if you changed the IP more recently, there might be firewall rules left around which allow 192.168.88.x but not 188.x.
Also - make sure the network=192.168.188.0 on the IP address setting - I don’t know if Mikrotik’s fixed this, but if you change the IP address to a different network and hit OK or Apply, it doesn’t update the network setting.
Yes, I have a filter in the bridge to protect my network from software that scans MACs, and connecting to my network is slow; devices take time to obtain an IP. Can you help me?
This sounds more like you have a switch with spanning tree turned on, and the ports where users are connecting are doing the normal thing where they don’t forward traffic for about 30 seconds (if standard spanning tree)…
A filter rule would probably either block or not block always - not just cause slower responses.
In a wireless access network, check CCQ, signal levels, interference and packet loss.
In a wired access network, check the interface stats, looking for some counter of errors or CRC or something strange; check for negotiation problems on Ethernet connections, the configuration of manageable switches, possible cabling issues, etc.
Another aspect is to check whether the problem is only on certain devices; it can be a client device problem under certain specific circumstances.
Your bridge firewall seems overly complicated for what you want to do - instead of enumerating each possible combination and blocking them all individually, you should just say “block arp” in the forward chain and have done, regardless of VLAN or in/out interface.
ARPs to/from the router don’t even go through the forward chain - they go through input, which you always want to accept, so no need to block anything there.
Back up your configuration before making this change (just in case):
Your bridge firewall forward chain only needs this one rule:
add action=drop chain=forward mac-protocol=arp
This will still let the Mikrotik itself send/receive ARP requests (those are received in the input chain, and sent through the output chain).
Or, you could be even simpler and just drop ALL forwarded traffic - because it looks like you’re trying to block client-to-client communications, right? If you’re blocking ARP traffic, then realistically, the clients can’t talk to each other using IP anyway… why not just block ALL communication?