enjoy
May 17, 2009, 9:41pm
1
Hi
I am an ISP with about 100 customers; all of their addresses are between 192.168.2.3 and 192.168.2.249.
Part of them have fixed ip stored in their cpe, part of them need dynamic ip via dhcp.
I want to know how to set up MikroTik to hand out dynamic addresses via DHCP only from 192.168.2.3 to 192.168.2.80, so that I can use the other addresses for fixed IPs.
Thank you
Just create a pool with that particular IP range. The DHCP server will then in turn only distribute IPs based on that pool.
enjoy
May 18, 2009, 7:13am
3
I did that, but it doesn’t work: at first DHCP assigns proper IPs, but after some days it assigns IPs outside the range.
I have to set proper pool only in dhcp server or also in user profile server page or other sections?
Post your config so we can take a look.
What version of RouterOS are you running?
enjoy
May 18, 2009, 12:48pm
5
dhcp pool2 is my desired range:
[admin@MikroTik] /ip> export
may/18/2009 14:41:03 by RouterOS 3.20
software id = HXGM-8MT
# Hotspot server profiles: "default" and "hsprof1" (hsprof1 is the profile attached to hotspot1 further down).
# NOTE(review): both profiles list http-pap in login-by; HTTP PAP submits the password without the
# CHAP challenge/response, so on a plain-HTTP login page it is readable on the wire - confirm it is needed.
# mac login is enabled as well with an empty mac-auth-password; MAC addresses are chosen by the client.
/ip hotspot profile
set default dns-name=“” hotspot-address=0.0.0.0 html-directory=hotspot
http-cookie-lifetime=2d http-proxy=0.0.0.0:0 login-by=
mac,cookie,http-chap,http-pap mac-auth-password=“” name=default
rate-limit=“” smtp-server=0.0.0.0 split-user-domain=no use-radius=no
# hsprof1 authenticates against RADIUS (use-radius=yes) and serves the login page on 192.168.2.2.
add dns-name=login.mesagnenet.it hotspot-address=192.168.2.2 html-directory=
hotspot http-cookie-lifetime=3h http-proxy=0.0.0.0:0 login-by=
mac,cookie,http-chap,http-pap mac-auth-password=“” name=hsprof1
nas-port-type=wireless-802.11 radius-accounting=yes
radius-default-domain=“” radius-interim-update=received
radius-location-id=“” radius-location-name=“” radius-mac-format=
XX:XX:XX:XX:XX:XX rate-limit=“” smtp-server=0.0.0.0 split-user-domain=no
use-radius=yes
# Manual IPsec SA "sa1": the AH and ESP algorithms are all null and the keys are empty,
# so as exported this SA neither authenticates nor encrypts anything.
# NOTE(review): possibly an unused leftover - confirm, and remove it if nothing relies on it.
/ip ipsec manual-sa
add ah-algorithm=null ah-key=“” ah-spi=0x100 disabled=no esp-auth-algorithm=
null esp-auth-key=“” esp-enc-algorithm=null esp-enc-key=“” esp-spi=0x100
lifetime=0s name=sa1
# Default proposal: SHA-1, 3DES and the 1024-bit modp group.
# NOTE(review): dated algorithm choices; prefer stronger ones where the RouterOS version offers them.
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m
name=default pfs-group=modp1024
# Address pools. Within this export only hs-pool-4 (hotspot) and dhcp_pool2 (DHCP servers) are referenced.
# hs-pool-4 covers .1 and .3-.254, so it overlaps every address intended for fixed-IP customers.
/ip pool
add name=hs-pool-4 ranges=192.168.2.1,192.168.2.3-192.168.2.254
add name=dhcp_pool1 ranges=192.168.2.1,192.168.2.210-192.168.2.240
# dhcp_pool2 is wider than the 192.168.2.3-192.168.2.80 range asked for in the thread: it also lists
# 192.168.2.220-192.168.2.240 and 192.168.2.1, so leases from those addresses still come from this pool.
add name=dhcp_pool2 ranges=
192.168.2.220-192.168.2.240,192.168.2.1,192.168.2.3-192.168.2.70
add name=pooldhcp ranges=192.168.2.210-192.168.2.240
# Two DHCP servers, both drawing from dhcp_pool2 with a 6-minute lease time.
# NOTE(review): dhcp1 listens on ether1, which carries 192.168.1.2/24 and the active default route
# in this export - it looks like the uplink side; confirm a DHCP server is really wanted there.
/ip dhcp-server
add address-pool=dhcp_pool2 authoritative=after-2sec-delay bootp-support=
static disabled=no interface=ether1 lease-time=6m name=dhcp1
add address-pool=dhcp_pool2 authoritative=after-2sec-delay bootp-support=
static disabled=no interface=ether2 lease-time=6m name=dhcp2
# hotspot1 runs on ether2 (the same interface as dhcp2) and takes its addresses from hs-pool-4,
# not from dhcp_pool2, so hotspot-assigned addresses are not limited to the DHCP range.
/ip hotspot
add address-pool=hs-pool-4 addresses-per-mac=2 disabled=no idle-timeout=30m
interface=ether2 keepalive-timeout=none name=hotspot1 profile=hsprof1
# The default user profile also points at hs-pool-4.
# NOTE(review): shared-users=unlimited puts no cap on simultaneous logins per account - confirm this is intended.
/ip hotspot user profile
set default address-pool=hs-pool-4 advertise=no idle-timeout=40m
keepalive-timeout=2m name=default open-status-page=always rate-limit=
170k/15000k shared-users=unlimited status-autorefresh=30m
transparent-proxy=yes
# IP accounting is switched off (enabled=no) and its web access is disabled.
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
# Active addresses: 192.168.1.2/24 on ether1 and 192.168.2.2/24 on ether2.
# The 192.168.4.2 and 192.168.3.2 entries are disabled and show no interface.
/ip address
add address=192.168.1.2/24 broadcast=192.168.1.255 comment=“” disabled=no
interface=ether1 network=192.168.1.0
add address=192.168.2.2/24 broadcast=192.168.2.255 comment=“” disabled=no
interface=ether2 network=192.168.2.0
add address=192.168.4.2/24 broadcast=192.168.4.255 comment=“” disabled=yes
network=192.168.4.0
add address=192.168.3.2/24 broadcast=192.168.3.255 comment=“” disabled=yes
network=192.168.3.0
/ip dhcp-server config
set store-leases-disk=5m
# Only one DHCP network is defined (192.168.2.0/24, gateway 192.168.2.2);
# there is no matching entry for the 192.168.1.0/24 side that dhcp1 listens on.
/ip dhcp-server network
add address=192.168.2.0/24 comment=“hotspot network” gateway=192.168.2.2
# The router answers DNS queries from other hosts (allow-remote-requests=yes) and forwards to two upstream servers.
# NOTE(review): every input-chain filter rule in this export is disabled, so nothing shown here restricts
# who may query the resolver; limit it to customer-facing interfaces if the router is reachable from outside.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB
max-udp-packet-size=512 primary-dns=208.67.222.222 secondary-dns=
208.67.220.220
# Static record so the hotspot login name resolves to the router's ether2 address.
/ip dns static
add address=192.168.2.2 disabled=no name=login.mesagnenet.it ttl=5m
# Connection tracking is enabled; tcp-syncookie is off.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
# Filter rules. Enabled rules: log every forwarded packet (prefix FW_LOG), accept everything in the
# forward chain, and two accept rules for 192.168.2.106 port 3478 at the end.
# Every input-chain rule is disabled, so nothing in this list filters traffic addressed to the router itself.
/ip firewall filter
add action=log chain=forward comment=“” disabled=no log-prefix=FW_LOG
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
# Accept-all in forward: forward rules listed after this one appear to be unreachable while it stays enabled.
add action=accept chain=forward comment=“” disabled=no
add action=drop chain=input comment=“DROP INVALID CONNECTIONS”
connection-state=invalid disabled=yes
add action=accept chain=input comment=“Allow established connections”
connection-state=established disabled=yes
# NOTE(review): this rule matches on source port 53 only, a value the sender chooses;
# if it is re-enabled, relying on the connection-state rules is the safer way to admit DNS replies.
add action=accept chain=input comment=“Allow udp dns” disabled=yes protocol=
udp src-port=53
add action=accept chain=input comment=“allow icmp” disabled=yes protocol=icmp
add action=accept chain=input comment=“allow ibound ssh” disabled=yes
dst-port=22 protocol=tcp
# NOTE(review): in-interface=“(unknown)” presumably means the interface these rules referred to
# no longer exists - verify each rule before enabling it.
add action=accept chain=forward comment=emule disabled=yes dst-port=4662
in-interface=“(unknown)” protocol=tcp
add action=accept chain=forward comment=“emule udp” disabled=yes dst-port=
4672 in-interface=“(unknown)” protocol=udp
add action=accept chain=forward comment=mstsc disabled=yes dst-port=7777
in-interface=“(unknown)” protocol=tcp
add action=drop chain=input comment=“” disabled=yes in-interface=“(unknown)”
add action=drop chain=forward comment=“drop invalid connections”
connection-state=invalid disabled=yes protocol=tcp
add action=accept chain=forward comment=“allow already estab connections”
connection-state=established disabled=yes
add action=accept chain=forward comment=“allow related connections”
connection-state=related disabled=yes
add action=drop chain=forward comment=“” disabled=yes in-interface=
“(unknown)”
# The two rules below are enabled, but they use the same host as source and destination and
# sit after the accept-all forward rule.
add action=accept chain=forward comment=“” disabled=no dst-address=
192.168.2.106 dst-port=3478 in-interface=“(unknown)” out-interface=
“(unknown)” p2p=all-p2p protocol=tcp src-address=192.168.2.106 src-port=
3478
add action=accept chain=forward comment=“” disabled=no dst-address=
192.168.2.106 dst-port=3478 in-interface=“(unknown)” out-interface=
“(unknown)” p2p=all-p2p protocol=udp src-address=192.168.2.106 src-port=
3478
# Both load-balancing mangle rules are disabled; they would split the /24 by source address
# into routing marks adsl1 and adsl2.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=“adsl1 load balance”
disabled=yes new-routing-mark=adsl1 passthrough=no src-address=
192.168.2.0-192.168.2.154
add action=mark-routing chain=prerouting comment=“adsl2 load balance”
disabled=yes new-routing-mark=adsl2 passthrough=no src-address=
192.168.2.155-192.168.2.255
# NAT. The only enabled rules are the two masquerade entries for 192.168.2.0/24;
# they are identical, so one of them is redundant.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
add action=masquerade chain=srcnat comment=“masquerade hotspot network”
disabled=no src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment=“masquerade hotspot network”
disabled=no src-address=192.168.2.0/24
# All dst-nat (port-forward) rules below are disabled.
# NOTE(review): three of them give the whole 192.168.2.0-192.168.2.255 range as to-addresses rather
# than a single host, and the MSTSC rule maps port 7777 to 3389; review the targets before enabling any.
add action=dst-nat chain=dstnat comment=“emule tcp” disabled=yes dst-port=
4662 in-interface=“(unknown)” protocol=tcp to-addresses=
192.168.2.0-192.168.2.255 to-ports=4662
add action=dst-nat chain=dstnat comment=“emule udp” disabled=yes dst-port=
4672 in-interface=“(unknown)” protocol=udp to-addresses=
192.168.2.0-192.168.2.255 to-ports=4672
add action=dst-nat chain=dstnat comment=MSTSC disabled=yes dst-port=7777
in-interface=“(unknown)” protocol=tcp to-addresses=
192.168.2.0-192.168.2.255 to-ports=3389
add action=dst-nat chain=dstnat comment=“videosorveglianza accesso da fuori”
disabled=yes dst-port=9988 in-interface=“(unknown)” protocol=tcp
to-addresses=192.168.2.210 to-ports=9988
add action=dst-nat chain=dstnat comment=“” disabled=yes dst-address=
212.199.212.5 dst-port=9988 protocol=tcp to-addresses=192.168.2.210
to-ports=9988
# Firewall service-port entries: ftp, tftp, irc, h323, sip and pptp are all enabled.
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
# Three MAC addresses are bound as type=bypassed on hotspot1, i.e. they skip hotspot login.
# NOTE(review): the bypass is keyed on the MAC address, which a client can set itself;
# keep this list short and pin an address= on each entry where possible.
/ip hotspot ip-binding
add address=192.168.2.250 comment=“” disabled=no mac-address=
00:92:58:00:63:3A server=hotspot1 type=bypassed
add comment=“” disabled=no mac-address=00:13:D4:C9:F7:94 server=hotspot1
type=bypassed
add comment=“” disabled=no mac-address=00:17:BD:00:55:40 server=hotspot1
type=bypassed
/ip hotspot service-port
set ftp disabled=no ports=21
# Local hotspot users. Passwords and some names were masked with asterisks by the poster.
# Only "admin" is enabled; the remaining entries are disabled, several of them with an empty password.
/ip hotspot user
add comment=“” disabled=no name=admin password=******* profile=default
add comment=“” disabled=yes mac-address=02:00:54:55:4E:01 name=user1
password=*** profile=default
add comment=“” disabled=yes mac-address=00:1E:68:69:E6:A6 name=***
password=“” profile=default
add comment=“” disabled=yes name=00:E0:18:06:D6:AF password=“” profile=
default server=hotspot1
add comment=“” disabled=yes name=00:90:FB:11:F0:65 password=“” profile=
default server=hotspot1
add comment=“” disabled=yes mac-address=00:90:FB:11:F0:65 name=***
password=“” profile=default
# Walled-garden entries (destinations reachable without logging in): every rule here is disabled.
/ip hotspot walled-garden
add action=allow comment=“place hotspot rules here” disabled=yes
add action=allow comment=“” disabled=yes dst-host=www.cicileo.it server=
hotspot1
add action=allow comment=“” disabled=yes method=“” server=hotspot1
src-address=192.168.2.210
/ip hotspot walled-garden ip
add action=accept comment=“” disabled=yes dst-address=192.168.1.2 dst-port=
0-65535 server=hotspot1 src-address=192.168.2.210
add action=accept comment=“” disabled=yes dst-address=192.168.1.254 dst-port=
0-65535 protocol=udp server=hotspot1 src-address=192.168.2.85
# Neighbor discovery is on for ether1-ether4 and off for the two pppoe interfaces.
# NOTE(review): discovery announces the router to neighbours on those ports; consider discover=no
# on customer-facing and uplink interfaces where it is not needed.
/ip neighbor discovery
set pppoe1 discover=no
set pppoe2 discover=no
set ether1 discover=yes
set ether2 discover=yes
set ether3 discover=yes
set ether4 discover=yes
# The web proxy is disabled (enabled=no).
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4
cache-on-disk=no enabled=no max-cache-size=unlimited
max-client-connections=600 max-fresh-time=3d max-server-connections=600
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=
no src-address=0.0.0.0
# Routes: the only enabled entry is the default route via 192.168.1.254 (the ether1 side).
# The routes via 192.168.4.254 and the adsl1/adsl2 routing-mark routes are disabled.
/ip route
add comment=“” disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=
192.168.4.254 routing-mark=adsl2 scope=30 target-scope=10
add comment=“” disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=
192.168.4.254 scope=255 target-scope=10
add comment=“” disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=
192.168.1.254 routing-mark=adsl1 scope=30 target-scope=10
add comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
192.168.1.254 scope=255 target-scope=10
# Router management services. telnet and ftp are disabled; www (80), ssh (22), www-ssl (443),
# api (8728) and winbox (8291) are enabled with address=0.0.0.0/0, i.e. no source-address restriction.
# With every input-chain filter rule in this export disabled, nothing shown here limits who can reach them.
# NOTE(review): restrict address= to the management network and disable the services that are not used;
# www and api on these ports are unencrypted, and www-ssl is enabled with certificate=none.
/ip service
set telnet address=0.0.0.0/0 disabled=yes port=23
set ftp address=0.0.0.0/0 disabled=yes port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=no port=443
set api address=0.0.0.0/0 disabled=no port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
# SOCKS proxy, traffic-flow and UPnP are all disabled (enabled=no).
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
[admin@MikroTik] /ip> hotspot
[admin@MikroTik] /ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 hotspot1 ether2 hs-pool-4 hsprof1 30m
[admin@MikroTik] /ip hotspot> export
may/18/2009 14:41:30 by RouterOS 3.20
software id = HXGM-8MT
# Second export, taken from the /ip hotspot menu only: it repeats the hotspot sections of the
# /ip export earlier in the post (profiles, server, user profile, ip-binding, users, walled garden).
# NOTE(review): both profiles list http-pap and mac in login-by with an empty mac-auth-password;
# confirm these login methods are needed.
/ip hotspot profile
set default dns-name=“” hotspot-address=0.0.0.0 html-directory=hotspot
http-cookie-lifetime=2d http-proxy=0.0.0.0:0 login-by=
mac,cookie,http-chap,http-pap mac-auth-password=“” name=default
rate-limit=“” smtp-server=0.0.0.0 split-user-domain=no use-radius=no
add dns-name=login.mesagnenet.it hotspot-address=192.168.2.2 html-directory=
hotspot http-cookie-lifetime=3h http-proxy=0.0.0.0:0 login-by=
mac,cookie,http-chap,http-pap mac-auth-password=“” name=hsprof1
nas-port-type=wireless-802.11 radius-accounting=yes
radius-default-domain=“” radius-interim-update=received
radius-location-id=“” radius-location-name=“” radius-mac-format=
XX:XX:XX:XX:XX:XX rate-limit=“” smtp-server=0.0.0.0 split-user-domain=no
use-radius=yes
# hotspot1 on ether2 and the default user profile both draw from hs-pool-4.
/ip hotspot
add address-pool=hs-pool-4 addresses-per-mac=2 disabled=no idle-timeout=30m
interface=ether2 keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot user profile
set default address-pool=hs-pool-4 advertise=no idle-timeout=40m
keepalive-timeout=2m name=default open-status-page=always rate-limit=
170k/15000k shared-users=unlimited status-autorefresh=30m
transparent-proxy=yes
# type=bypassed bindings skip hotspot login for the listed MAC addresses.
/ip hotspot ip-binding
add address=192.168.2.250 comment=“” disabled=no mac-address=
00:92:58:00:63:3A server=hotspot1 type=bypassed
add comment=“” disabled=no mac-address=00:13:D4:C9:F7:94 server=hotspot1
type=bypassed
add comment=“” disabled=no mac-address=00:17:BD:00:55:40 server=hotspot1
type=bypassed
/ip hotspot service-port
set ftp disabled=no ports=21
# Passwords and some user names were masked with asterisks by the poster; only "admin" is enabled.
/ip hotspot user
add comment=“” disabled=no name=admin password=**** profile=default
add comment=“” disabled=yes mac-address=02:00:54:55:4E:01 name=user1
password=**** profile=default
add comment=“” disabled=yes mac-address=00:1E:68:69:E6:A6 name=***
password=“” profile=default
add comment=“” disabled=yes name=00:E0:18:06:D6:AF password=“” profile=
default server=hotspot1
add comment=“” disabled=yes name=00:90:FB:11:F0:65 password=“” profile=
default server=hotspot1
add comment=“” disabled=yes mac-address=00:90:FB:11:F0:65 name=***
password=“” profile=default
# All walled-garden rules are disabled.
/ip hotspot walled-garden
add action=allow comment=“place hotspot rules here” disabled=yes
add action=allow comment=“” disabled=yes dst-host=www.cicileo.it server=
hotspot1
add action=allow comment=“” disabled=yes method=“” server=hotspot1
src-address=192.168.2.210
/ip hotspot walled-garden ip
add action=accept comment=“” disabled=yes dst-address=192.168.1.2 dst-port=
0-65535 server=hotspot1 src-address=192.168.2.210
add action=accept comment=“” disabled=yes dst-address=192.168.1.254 dst-port=
0-65535 protocol=udp server=hotspot1 src-address=192.168.2.85
[admin@MikroTik] /ip hotspot>
# Pool list repeated from the /ip export earlier in the post.
# All four pools draw from 192.168.2.0/24 and overlap each other: hs-pool-4 spans .1 and .3-.254,
# and dhcp_pool2 contains .220-.240 and .1 in addition to .3-.70.
/ip pool
add name=hs-pool-4 ranges=192.168.2.1,192.168.2.3-192.168.2.254
add name=dhcp_pool1 ranges=192.168.2.1,192.168.2.210-192.168.2.240
add name=dhcp_pool2 ranges=
192.168.2.220-192.168.2.240,192.168.2.1,192.168.2.3-192.168.2.70
add name=pooldhcp ranges=192.168.2.210-192.168.2.240
I’m not following this. There appears to be overlapping address ranges. Why don’t you just have one subnet for pool1 and another for pool2?
enjoy
May 18, 2009, 8:59pm
7
i am using only hs-pool4 for all users ip in hotspot “users profile” and “servers”
and dhcp-pool2 for users in dhcp mode (ip dhcp server).
do not consider other pool.
Do I have to use dhcp_pool2 only in ip/dhcp server, or also in other sections?
Thank you for your help.
What I mean is use a contiguous IP pool.
enjoy
May 19, 2009, 11:17am
9
Ok, but tell me: in hotspot “users profile” and “servers” i have to insert a pool with all possible ip of my users or only of users with dhcp?
hilton
May 19, 2009, 3:54pm
10
Sorry but I haven’t used hotspot before.
eneimi
May 20, 2009, 11:29am
11
enjoy, let’s start afresh - clear your ip pool list.
I assume you’ve assigned an ip to your hotspot interface (ether2= 192.168.2.2/24).
Now create a dhcp server using setup - ensure the ether2 interface and the 192.168.2.2/24 address space are specified.
Automatically an ip pool will be created using the 192.168.2.2/24 address space. Now go to address pool list and edit that list to contain only the ip range you want available for the hotspot (e.g instead of 192.168.2.1,192.168.2.3-192.168.2.254 you can edit it to 192.168.2.200-192.168.2.254).
Now create a hotspot server using setup - confirm the ether2 interface, confirm the interface address (192.168.2.2) and importantly, confirm the address pool to use for the hotspot (ie the one you edited previously).
That’s it - dhcp clients will automatically get ip addresses from the pool and other clients will use the static ip you assign, outside the pool.
Cheers.
enjoy
May 20, 2009, 9:43pm
12
thank you very much!
Can you explain to me the difference between the address pool in “servers” and in “user profiles” of the hotspot?
thanks again
eneimi
May 21, 2009, 2:19pm
13
The address-pool in hotspot server refers to the pools we have just created and is the primary pool used for one-to-one nat (translates any client ip address to an address within our pool).
As far as i know the address-pool in hotspot user profile is largely redundant for most configurations. But it can be used to perform another layer of nat if a different ip pool (from server address-pool) is specified. I haven’t had cause to use it so mine is set to the default - none.
Cheers.