DHCP Option 82 / DHCP-Snooping

Hey Guys,

is it possible to get DHCP-Snooping Option 82 running on ROS?

We like to add interface-informations to a DHCP-Client-Request (DHCP Option 82).

We install Mikrotik Router-Boards in buildings to get more than just one customer connected. To know, which customer have requested a DHCP-Lease we need to know the port (ether1) oder the mac-address of that port where the request comes in.

We have all interfaces in a bridge-interface, because we are rate-limiting each customer on that device per port (firewalling enabled for bridge-interfaces).

So, how can we use Option 82?

Also it would be nice if you can script something so you can add bridge-filter to allow only that mac-address to communicate with the network. And also to ensure that just 1 or 2 ip-addresses are leased at same time.

Hi!

Any luck with this? Im looking for the same kind of solution.

Im considering one dhcp server per port right now, but that feels very unscalable.

/Mikael

As far as I’m aware this works as is in 6.38.5.

Do the following on the DHCP Relay

/ip dhcp-relay add add-relay-info=yes dhcp-server=10.1.1.1 disabled=no interface=br1 local-address=192.168.1.1 name=relay1 relay-info-remote-id=ether3

This tells the router to forward DHCP requests on the bridge interface br1 to the DHCP server at 10.1.1.1, reference the local address of the subnet, bridge, 192.168.1.1 and to include option 82 information of the client device MAC, the bridges MAC address and the relay information of ether3.

This can be viewed on the MikroTik DHCP server by

/ip dhcp-server lease print detail

Here is a dump of my lab in GNS3 for this

[admin@r1] > ip dhcp-server lease print detail
Flags: X - disabled, R - radius, D - dynamic, B - blocked
 0 D address=192.168.1.199 mac-address=00:50:79:66:68:00 client-id="1:0:50:79:66:68:0" address-lists="" server=br1
     dhcp-option="" status=bound expires-after=7m47s last-seen=2m13s active-address=192.168.1.199
     active-mac-address=00:50:79:66:68:00 active-client-id="1:0:50:79:66:68:0" active-server=br1 host-name="PC11"
     src-mac-address=00:0B:0B:CB:59:00 agent-circuit-id="11:11:11:22:22:22" agent-remote-id="ether3"

Now the problem here is that a MikroTik relay agent always sends the bridges MAC address and the same agent-remote-id value each time. So on the DHCP server side you can’t do much.

To be more specific I imagine you are looking for the relay information to contain the individual interface within the bridge that it was relayed from like Cisco does with DHCP Snooping. Alternatively you may find sanction in RFC3993 or the subscriber ID option. I also know MikroTik likes having an RFC to implement from. This would allow you set a value that is carried along in the DHCP process at the relay on a per-interface basis and would be separate from trying parse the agent-circuit-id field in any way.

https://tools.ietf.org/html/rfc3993

Thank you for the effort but this is only with dhcp relay and not per interface. Coupled with portable /32 requirement backed by radius its just so that routeros is too weak right now.

Think solving this before going into full TR0069 solution would have been better path.

Basically we would like to have a vlan from access switch to node router. We have MT3011 or HEX POE on the customer side in bridge mode since we have management network to it and can see both sides of the link. MT switch on access node connected to cloudcore router on central node.

The customer should be allowed to plugin their own equipment and get an address with dhcp (or more if allowed in radius). We would therefore like to set login credentials on the vlan assigned to each customer but as far as we can see microtik is not supporting, but its probably easy to implement for them. Since the customer is connecting their own equipment we cant control the MAC and making a login seems to complicated doing some kind of hotspot.

/Mikael

I feel ya there. Yup it’s a short coming in MikroTik. Like I stated you might find solace in them implementing the subscriber ID in DHCP relay. It would you identify each customer plugged in via a VLAN or Ethernet port and you could build RADIUS policies off of that value if it is supported in your backend solution not sure what you’re using for that component or if it is all RADIUS.

Just to be clear the point of my post was to illustrate that MikroTik does support delivering option 82 information in their DHCP relay software. It just sends the same MAC address of the bridge per DHCP relay instance, not the MAC address of the interface/VLAN that the request came in on which is what I’m pretty sure you’re looking for.

So, either MikroTik could add support for Subscriber ID or they could change the way the relay handles option 82 to reflect the actual interface the request came in on. The DHCP Relay RFC doesn’t make this a MUST for the spec so MikroTik is not in the wrong on this.

Guys,

This has been widely requested from Mikrotik and they have even solicited feedback about the feature in the past.

Please email through to support@mikrotik.com with a request for it, they take note of feature requests that come via the official channel.

Look this:
http://forum.mikrotik.com/t/swos-version-2-5-released/112263/1

meanwhile we are waiting for ROS, unfortunately.

So a new CRS326 running SWoS 2.5 against an RoS Router DHCP does send through the port info on first connect of a client device…

But if I pull the cable and then reconnect via a different port it does not always send through the Relay-Agent-Info through to the DHCP-Server.

So this feature works but only for first connection from my PC and first and sometimes other connections from a connected Mikrotik. Should it send the Relay-Agent-Info through every time a dhcp request is sent ? ( Any feedback from others welcome on this ? )

Next nice thing would be to be able to add static DHCP leases on the Mikrotik DHCP-Server based on Agent Circuit ID instead of MAC Address.

Likewise for PPPoE Authentication - use this instead of user/password

Hi, does someone use Option82 in production with Router OS?

I was playing a bit with Option 82 on RouterOS, it works fine, just doesn’t send the VLAN number.
I have a Router with Bridged ports with HW offload (acts as a switch). Relay is running on it. Ether1 is connected to DHCP server location.
Physical ports ether2-ether6 have VLANs and are linked to customers.

DHCP server receives two parameters :

Agent-Remote-Id = 0x500000140000
Agent-Circuit-Id = 0x500000020005

Remote-Id is a MAC/Identification of the DHCP Relay. This can be changed in Relay to some string for identification, for example MY_AP_1. When this is done, in Radius I receive HEX
Agent-Remote-Id = 0x4d595f41505f31 , Converting it to String I get : MY_AP_1

Ok, the Agent-Remote-Id is easy, now let’s check Agent-Circuit-id.

Comparing to Cisco :
Cisco Agent-Circuit-Id = 0x000403230001.
Cisco says first 4 bytes are internal values such as length etc., but last 6 bytes are useful. 0323-00-01 in our case represents 0323 - number of VLAN, 00 01 = Gigabitethernet 0/1

Mikrotik Values :
Mikrotik Agent-Circuit-Id = 0x500000020005
Here we see just single value 50:00:00:02:00:05 - it’s MAC address of port ether6 on Relay, where customer is physically connected.
Fine, someone was complaining tha RouterOS sends the same MAC always, no it doesn’t do it, it works in correct way as it should work, when I change the port where customer connects I get :

ether4, Agent-Circuit-Id= 50:00:00:02:00:03
ether5, Agent-Circuit-Id= 50:00:00:02:00:04

When I have one customer on port without VLANs, it’s fine.

The only problem is when we have many VLANs, for example VLAN per customer on one Physical interface.
Simple example is AP with WLAN interface and customers connected to it. Each customer can have his own VLAN. The VLAN number is not sent in Circuit-ID and the only option for me is to change MACs for each VLAN on Relay router to identify the customer in this scenario.

I can do it also, but it’s a bit hardcore setup. I need to add VLAN to a separate Bridge and set :
interface bridge set bridge1 admin-mac=aa:bb:aa:bb:aa:bb auto-mac=no

In this case I’m receiving instead of 50:00:00:02:00:05 in the Agent-Circuit-Id, ID of my VLAN803 : Agent-Circuit-Id = 0xaabbaabbaabb.

@alexcherry what is your configuration looking like? Please send me your configuration i will give a try on that.

Agent-Circuit-Id should be configurable with placeholders like
%m = MAC-Address of Interface
%n = Name of Interface (custom name)
%i = ID of Interface XX (eg 01, 02, 03…)

The information can have dynamic length.
https://tools.ietf.org/html/rfc3046

Did you find a way to get vlan_xxx number by any easy way?

Any config examples for such a setup?