DHCP Relay

Can someone point me in the right direction?

I have a split network and I want to have 1 DHCP server to handle all the leases for the lot.

Gateway is on 192.168.0.0/24 - Where DHCP server will be on
Local Machines addresses - 192.168.0.0/24
1st Access Point is 10.10.2.0/24
2nd Access Point is 10.10.4.0/24
3rd Access Point is 10.10.5.0/24

I thought of using DHCP relay, but I must be missing something as I can't get it to work. I have looked at the wiki and could not get it working.

Can anyone give me a pointer?

Thanks.

:slight_smile:

Did you follow the wiki link below?
http://wiki.mikrotik.com/wiki/DHCP_Relay

If that doesn’t work for you, post the configuration you applied on the router running the DHCP server and on one of the access points. Include a quick drawing of your network.

DHCP relay is a bit cumbersome on RouterOS.

Do you have a firewall in between, e.g. on the destination network's router/firewall? RouterOS will use the IP address of the egress interface for the DHCP relay request, e.g. if the network the relay is listening on is 192.168.5.254/24 but the uplink to the DHCP server network is 10.8.9.77/24, the packet will come from 10.8.9.77 rather than 192.168.5.254.

This means you will need to ensure packets from 10.8.9.77 are allowed to traverse the far end gateway to the DHCP server.

This is the opposite behavior to, say, Cisco, Netscreen and Fortinet, who use the IP address of the interface the DHCP relay is listening on to send the request (this is a tick box option on Netscreen).

If any of the RouterOS devs are watching, it would be nice if there was a tick box to allow this behavior :wink:

Don't know what I am doing wrong, but here is my network plan and a copy of the DHCP config.

/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=ether1 lease-time=3d name=dhcp1
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=10.10.2.0/24 comment="" dns-server=80.58.0.33,208.67.220.220 gateway=10.10.2.1
add address=192.168.0.0/24 comment="" gateway=192.168.0.1

plan.jpg

The DHCP server you configured doesn’t have the relay option set like the wiki link above outlines, you also didn’t show the configuration on an AP and how you relay to the server. Is ether1 on the DHCP server the interface that connects to the APs?
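The relay pairing the reply above refers to, written out for the first access point as an added example (not a configuration posted by anyone in this thread). It assumes the DHCP server router is 192.168.0.1 and that ether1 faces the APs; the AP uplink address 192.168.0.2, the interface wlan1 and the names ap1_pool, dhcp-ap1 and relay-ap1 are constructed for illustration.

```routeros
# --- Router running the DHCP server (assumed address 192.168.0.1) ---
# One pool and one server instance per relayed subnet; relay= must equal the
# local-address configured on the matching relay.
/ip pool add name=ap1_pool ranges=10.10.2.10-10.10.2.254
/ip dhcp-server add name=dhcp-ap1 interface=ether1 relay=10.10.2.1 \
    address-pool=ap1_pool lease-time=3d disabled=no
# Skip this line if the 10.10.2.0/24 network entry already exists.
/ip dhcp-server network add address=10.10.2.0/24 gateway=10.10.2.1 \
    dns-server=80.58.0.33,208.67.220.220

# Replies are sent to the relay's local-address, so the server needs a route
# back to the AP subnet (192.168.0.2 is the assumed AP uplink address).
/ip route add dst-address=10.10.2.0/24 gateway=192.168.0.2

# The relayed request arrives from the AP's uplink address, not from 10.10.2.1.
# Admit DHCP only from that known relay; keep this above any input drop rule.
/ip firewall filter add chain=input protocol=udp dst-port=67 \
    src-address=192.168.0.2 in-interface=ether1 action=accept \
    comment="DHCP relay from AP1"

# --- Access point 1 (clients on 10.10.2.0/24, AP client-side address 10.10.2.1) ---
# interface= is the client-facing interface (wlan1 is an assumption).
/ip dhcp-relay add name=relay-ap1 interface=wlan1 dhcp-server=192.168.0.1 \
    local-address=10.10.2.1 disabled=no

# Repeat the pool, server, network, route, filter and relay entries for the
# 10.10.4.0/24 and 10.10.5.0/24 access points with their own addresses.
```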

Hi everyone! There are so many topics with relay problems and so few answers =(
Maybe someone will help me with this one…

I have set the DHCP relay on my mikrotik (10.254.43.2). The DHCP server is on a Windows machine (10.254.255.16) and not administrated by me.
The Windows server serves many subnets, my subnet is 10.254.43.0/24. I’m getting the right IP (pool 10.254.43.0/24) from the Windows server but cannot access the internet and cannot ping the mikrotik.
Please help! What am I doing wrong? Should I add some firewall rules?
The STUDENTS interface is a BRIDGE

[root@MikroTik] > /ip dhcp-relay print
 #   NAME                INTERFACE                DHCP-SERVER     LOCAL-ADDRESS 
 0   edu.lan             STUDENTS                 10.254.255.16   10.254.43.2

[root@MikroTik] > /ip address print
 #   ADDRESS            NETWORK         INTERFACE                               
 1   ;;; WAN
     10.254.43.2/24     10.254.43.0     ether1-gateway                                                        
 7   ;;; students
     10.254.43.5/24     10.254.43.0      STUDENTS

[root@MikroTik] > /ip route print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          10.254.43.1        1
 3 ADC  10.254.43.0/24     10.254.43.2     ether1-gateway, STUDENTS            0

Got a reply from official support:

xx.yy.zz.0/24 is the network address. xx.yy.zz.255 is the broadcast address of this network. Usable range for IP addresses is from 1 to 254. This is for /24 networks, or 255.255.255.0 netmask.
So it is appropriate that other network devices refuse to communicate with you.

…but this unfortunately did not help.

I think you really need to start a new thread for this as your issue doesn’t seem to have anything to do with this thread, but I’ll bite anyway…

The most obvious problem I can see here is that you have two interfaces on your router in overlapping subnets. This is a fundamental obstacle to getting anything working, and until you resolve this, nothing will work how you expect it to.

What are you trying to achieve here? Did you choose either of these subnets yourself?

Hi, I’m trying to forward the dhcp that I receive from main server to other switches and AP which are connected to mikrotik.

main DHCP server -> Mikrotik WAN 10.254.43.2/24 -> forward to interface STUDENTS this pool (10.254.43.0/24) from main server

[root@MikroTik] > /ip address print
 #   ADDRESS            NETWORK         INTERFACE                              
 1   ;;; WAN
     10.254.43.2/24     10.254.43.0     ether1-gateway                                                      
 7   ;;; students
     10.254.43.5/24     10.254.43.0     STUDENTS

…but as far as I can see this is not possible.

UPD, found an interesting post about bridging WAN, will try it…
http://forum.mikrotik.com/t/solved-wan-bridging-nat-depending-on-vlan-id/33828/1

Do you intend your Routerboard to actually do anything at L3? From your description it just sounds like you want to use it as an L2 device [ie a basic switch/AP].

I would also like to add VLANs to the STUDENTS interface and forward them to other switches and APs (restrict traffic with firewall), but do not know if it’s possible. Mikrotik really lacks examples and documentation.

My theoretical config is similar to this:
current-rb750g-setup.png

Are you still intending to use the same subnet on all these VLANs? If you want to firewall traffic at L2, check out ‘/interface bridge filter’.

The diagram would be more useful if you actually edited it to reflect what you’re intending to do.

It might be that there aren’t examples of what you’re trying to do because it’s impossible :stuck_out_tongue:

This is what I would like to do… the problem is the blue line. Is it possible?
Dhcp-relay-3.jpg

Yes, it’s possible to do what you’ve asked.

I would say just create a vlan and a bridge interface for the wan segment, and create 2 other vlans for vlan 1 and 2.

Then just “trunk” vlan 1 and vlan 2 to your AP with 2 SSIDs, one for each.

You can also trunk the switch ports so that they also have these vlans available…

You can then add DHCP servers for vlan 1 and 2 and a bridge interface if you want those to be natted going through the wan.

Move the 43.2/24 address to the students bridge and remove DHCP relay.
Add the current “wan” Ethernet interface to the bridge in the ‘ports’ sub-menu. Also add any Ethernet interfaces to this bridge where you will connect PCs for the students network.

Next create your own private LAN bridges with the 192.168.x.x space, and configure the Mikrotik as the DHCP server for these ranges. Connect the desired Ethernet interfaces to these private bridges as ports as you did with the students bridge.

In the firewall NAT table, be sure there’s a masquerade rule for out-interface=students in the srcnat chain.

Filter traffic between your LAN segments using firewall filter rules.

If you want firewall filters for your students-network-attached host(s) then enable the “use IP firewall” option on that bridge.

If your networks are high speed, be sure to use fast-track rules for established and related connections for maximum performance.
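The steps in the reply above, written out as RouterOS commands. This is an added example, not a configuration posted in the thread: the port names ether2 and ether3, the names bridge-lan, lan-pool and lan-dhcp, and the 192.168.88.0/24 range are assumptions, while STUDENTS, ether1-gateway, edu.lan and 10.254.43.2/24 come from the printouts earlier in the thread.

```routeros
# 1. Drop the relay and move the upstream address onto the STUDENTS bridge.
/ip dhcp-relay remove [find name="edu.lan"]
/ip address set [find address="10.254.43.2/24"] interface=STUDENTS

# 2. Bridge the former WAN port with the student-facing port(s), so students
#    get leases directly from the upstream DHCP server at layer 2.
/interface bridge port add bridge=STUDENTS interface=ether1-gateway
/interface bridge port add bridge=STUDENTS interface=ether2

# 3. Private LAN on its own bridge, with the MikroTik as DHCP server.
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether3
/ip address add address=192.168.88.1/24 interface=bridge-lan
/ip pool add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add name=lan-dhcp interface=bridge-lan \
    address-pool=lan-pool disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1

# 4. Hide the private LAN behind the router's address on the students network.
/ip firewall nat add chain=srcnat out-interface=STUDENTS action=masquerade

# 5. Forward filtering: fast-track and accept return traffic, let the private
#    LAN reach out, and drop new connections from students into the LAN.
/ip firewall filter add chain=forward action=fasttrack-connection \
    connection-state=established,related
/ip firewall filter add chain=forward action=accept \
    connection-state=established,related
/ip firewall filter add chain=forward action=accept \
    in-interface=bridge-lan out-interface=STUDENTS
/ip firewall filter add chain=forward action=drop \
    in-interface=STUDENTS out-interface=bridge-lan \
    comment="students must not open connections into the private LAN"

# 6. Optional: pass bridged student traffic through the IP firewall as well.
#    In RouterOS this is a bridge-wide setting, not a per-bridge one.
/interface bridge settings set use-ip-firewall=yes
```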