DHCP Server Red after enabling NAT

Hi All,

Using a 960PGS.
During initial config I added the desired settings and ticked the NAT option.
The router works in every other way, except DHCP is red and nothing I have done so far will get it working.
I have tried defaulting the router multiple times, but as soon as NAT is enabled DHCP dies.

Config is below. I can confirm all IP details are valid, the DHCP pool has been set up, DHCP is assigned to the bridge, and the DHCP IP details are valid.

Does anyone have any clue? This has driven me nuts for some time.

# apr/04/2019 09:39:30 by RouterOS 6.44.1
# software id = VWEA-8241
#
# model = 960PGS
# serial number = SOMESERIAL
/interface lte
set [ find ] mac-address=XX:XX:XX:XX:XX:XX name=lte1
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] poe-out=off speed=100Mbps
set [ find default-name=ether3 ] poe-out=off speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=XXX.XXX.XXX.XXX-XXX.XXX.XXX.XXX
add name=dhcp_pool1 ranges=XXX.XXX.XXX.XXX-XXX.XXX.XXX.XXX
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface ovpn-client
add add-default-route=yes certificate=mycert.pem_0 cipher=aes256 \
    connect-to=some.url.com mac-address=XX:XX:XX:XX:XX:XX name=\
    ovpn-out1 port=XXXX profile=default-encryption user=myuser
/system logging action
add bsd-syslog=yes name=rsyslog remote=XXX.XXX.XXX.XXX remote-port=XXXX \
    syslog-severity=info target=remote
add name=debug target=memory
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=lte1 list=WAN
/ip address
add address=XXX.XXX.XXX.XXX/27 comment=defconf interface=ether1 network=\
    XXX.XXX.XXX.XXX
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=XXX.XXX.XXX.XXX/27 comment=defconf gateway=XXX.XXX.XXX.XXX netmask=27
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=XXX.XXX.XXX.XXX name=router.lan
/ip firewall filter
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input protocol=icmp src-address=XXX.XXX.XXX.XXX/16
add action=accept chain=input protocol=udp src-address=XXX.XXX.XXX.XXX/16
add action=accept chain=input protocol=tcp src-address=XXX.XXX.XXX.XXX/16
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    through_vpn passthrough=yes src-address=XXX.XXX.XXX.XXX/27
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=ovpn-out1 \
    src-address=XXX.XXX.XXX.XXX/27
/ip route
add disabled=yes distance=1 gateway=ovpn-out1 routing-mark=through_vpn
add distance=1 dst-address=XXX.XXX.XXX.XXX/27 gateway=bridge pref-src=\
    XXX.XXX.XXX.XXX scope=10
/snmp
set contact=me@my.com enabled=yes location=\
    ROUTER_ID
/system clock
set time-zone-name=Australia/Sydney
/system identity
set name=ROUTER_ID
/system logging
add action=rsyslog topics=warning
add action=rsyslog topics=info
add action=rsyslog topics=critical
add action=rsyslog topics=error
add disabled=yes prefix=--- topics=debug
/system ntp client
set enabled=yes primary-ntp=XXX.XXX.XXX.XXX secondary-ntp=XXX.XXX.XXX.XXX
/system scheduler
add interval=1d name="Reboot Daily" on-event="/system  reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=00:10:00
add interval=15m name="Reset USB if VPN Down" on-event="interface ovpn-client \
    monitor ovpn-out1 once do={:if (\$status != \"connected\") do= {:log warni\
    ng \"VPN Link Down, resetting USB\"; /system routerboard usb power-reset d\
    uration=20}}; :delay 120;" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=00:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Hello!

There might be several configuration errors that I can see:

  • you have a fixed IPv4 address on “ether1” from the same subnet as you have on “bridge”, which can cause the dhcp-server to go nuts, afaik…;
  • you have two IP pools, but only the first one (which might be the wrong one!) is used in the dhcp-server;
  • you have a fixed IPv4 address and a dhcp-client on “ether1”, which should be avoided as well; however, this should not interfere with the dhcp-server on “bridge”;
  • probably it would be best for you to include some bogus but consecutive IPv4 addresses in the fields where you only inserted “XXX.XXX.XXX.XXX”, because then we could see which address is like the other and which is not.

Regards,
Tamás from Hungary

Thank you for the reply.

you have a fixed IPv4 address on “ether1” from the same subnet as you have on “bridge”, which can cause the dhcp-server to go nuts, afaik…;

This was the issue, but I will explain how it came about afterwards.

you have two IP pools, but only the first one (which might be the wrong one!) is used in the dhcp-server;

I used the correct pool, but there were two because I tried deleting and recreating the DHCP server.

you have a fixed IPv4 address and a dhcp-client on “ether1”, which should be avoided as well; however, this should not interfere with the dhcp-server on “bridge”;

This was also part of the issue, explained later.

probably it would be best for you to include some bogus but consecutive IPv4 addresses in the fields where you only inserted “XXX.XXX.XXX.XXX”, because then we could see which address is like the other and which is not.

I know these addresses were correct.

After speaking with Mikrotik support, they advised that my bridge had no IP address.
This was confusing, as my initial config definitely worked.
So I tried setting:

/ip address add address=10.128.1.226/27 interface=bridge

This fixed the issue, but I realised the bridge was not the address I desired, so I removed it and found under IP > Addresses that when the “NAT” option is checked on the initial config page it removed the bridge and replaced it with eth1 as the interface. This was an unexpected behavior. Mikrotik confirmed the command run when checking the NAT checkbox as:

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

I know everyone will now say “don’t touch the config page after initial config”, but this was actually done during initial config and was also modified by another administrator who noticed something was different and changed the setting. I am wondering if the checkbox does not appear checked when it should - is this a small bug in the GUI?

Thanks to Mikrotik support for the quick response.
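The root cause in this thread (the LAN address ended up on ether1 instead of bridge, so the DHCP server had no address in the subnet it serves) and the side issues Tamás listed are all visible in the /export text, so they can be caught before the server turns red. Below is an added example, not MikroTik code and not anything posted in the thread: a small Python linter that parses the export format (backslash-wrapped lines, `set [ find ... ]` selectors, quoted values) and checks each DHCP server's interface against `/ip address`, `/ip pool`, `/ip dhcp-server network` and `/ip dhcp-client`. The two sample configs are constructed to mirror the poster's export with bogus 10.128.1.224/27 addresses; they are not the real ones.

```python
"""Lint a RouterOS /export for the DHCP-server mistakes discussed in the thread.

Added example (not MikroTik code): parses the export text, then checks that each
DHCP server's interface actually owns an address inside the subnet it serves,
plus the side issues raised in the thread (unused pool, static address and
dhcp-client on one port, one subnet configured on several interfaces).
"""
import ipaddress
import shlex
from collections import defaultdict


def _logical_lines(text):
    """Rejoin lines that /export wrapped with a trailing backslash and an indent."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.lstrip()            # drop the 4-space continuation indent
        if piece.endswith("\\"):
            buf += piece[:-1]           # keep any trailing space before the wrap
            continue
        lines.append((buf + piece).rstrip())
        buf = ""
    return lines


def parse_export(text):
    """Return {section: [entry, ...]}; each entry maps key -> value for an add/set line."""
    cfg = defaultdict(list)
    section = None
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)        # honours "quoted values" such as comments
        entry, rest = {"_cmd": tokens[0]}, tokens[1:]
        if rest and rest[0] == "[":       # set [ find default-name=ether1 ] ...
            close = rest.index("]")
            entry["_find"] = " ".join(rest[1:close])
            rest = rest[close + 1:]
        for tok in rest:
            key, _, value = tok.partition("=")
            entry[key] = value
        cfg[section].append(entry)
    return cfg


def lint_dhcp(cfg):
    """Return [(code, message)] for every problem found; an empty list means clean."""
    findings = []
    addrs = defaultdict(list)             # interface -> [IPv4Interface]
    for a in cfg.get("/ip address", []):
        if a.get("disabled") != "yes":
            addrs[a["interface"]].append(ipaddress.ip_interface(a["address"]))
    pools = {p["name"]: p["ranges"] for p in cfg.get("/ip pool", [])}
    nets = [ipaddress.ip_network(n["address"], strict=False)
            for n in cfg.get("/ip dhcp-server network", [])]
    clients = {c["interface"] for c in cfg.get("/ip dhcp-client", [])
               if c.get("disabled") != "yes"}
    servers = cfg.get("/ip dhcp-server", [])

    def owners(net):
        return sorted(i for i, lst in addrs.items() if any(x.ip in net for x in lst))

    for srv in servers:
        iface, pool = srv["interface"], srv.get("address-pool")
        if pool not in pools:
            findings.append(("NO-POOL", f"server {srv['name']} uses unknown pool {pool}"))
            continue
        first = ipaddress.ip_address(pools[pool].split(",")[0].split("-")[0])
        net = next((n for n in nets if first in n), None)
        if net is None:
            findings.append(("NO-NETWORK", f"pool {pool} starts at {first}, "
                             "which no /ip dhcp-server network entry covers"))
            continue
        own = owners(net)
        if iface not in own:              # the condition that turns the server red
            where = f"the address sits on {', '.join(own)}" if own else "no interface has one"
            findings.append(("NO-ADDRESS",
                             f"server {srv['name']} on {iface} has no address in {net}; {where}"))
    for net in nets:
        own = owners(net)
        if len(own) > 1:
            findings.append(("DUP-SUBNET", f"{net} is configured on {', '.join(own)}"))
    for iface in sorted(clients & set(addrs)):
        findings.append(("STATIC+DHCP", f"{iface} has both a static address and a dhcp-client"))
    for name in sorted(set(pools) - {s.get("address-pool") for s in servers}):
        findings.append(("UNUSED-POOL", f"pool {name} is not used by any DHCP server"))
    return findings


# Constructed samples (bogus 10.128.1.224/27 addresses, not the poster's real ones).
# BROKEN mirrors the thread: the LAN address landed on ether1 instead of bridge.
BROKEN = """\
/ip pool
add name=dhcp ranges=10.128.1.230-10.128.1.254
add name=dhcp_pool1 ranges=10.128.1.230-10.128.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip address
add address=10.128.1.226/27 comment=defconf interface=ether1 network=\\
    10.128.1.224
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\\
    ether1
/ip dhcp-server network
add address=10.128.1.224/27 comment=defconf gateway=10.128.1.226 netmask=27
"""
# FIXED is the same export with the address moved to bridge and the stray pool removed.
FIXED = (BROKEN.replace("interface=ether1 network", "interface=bridge network")
         .replace("add name=dhcp_pool1 ranges=10.128.1.230-10.128.1.254\n", ""))

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_dhcp(parse_export(text)) or "clean")
```

Run against a real export, the NO-ADDRESS finding is the one to look for first: it names the interface the server is bound to and the interface that actually carries the subnet's address, which is exactly the ether1-versus-bridge mix-up the initial-config NAT checkbox produced here. The parser only understands `add`/`set` lines with `key=value` pairs, which is all an /export contains.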