Hi all.
Please help in understanding the purpose of Networks tab in DHCP server settings.
Is that just handy shortcut for specifying the most common options?
Thanks in advance.
WBR, KP
If you know how to configure DHCP in Windows, that's the equivalent of a scope.
There is very comprehensive documentation:
https://help.mikrotik.com/docs/spaces/ROS/pages/24805500/DHCP#DHCP-Network
Address pool is part of DHCP scope in Windows, so the relation is clear.
Where in Winbox do I define the link between the pool and the network?
I have been trying to comprehend where the Network entity fits, and the documentation did not help much.
The subnet mask used in your network will correspond to a certain pool.
That’s how it matches then it can determine the gateway to be used and the needed DNS servers etc etc.
What if two pools are setup and both match the network?
Say, I have 172.16.0.31-172.16.0.40 for VPN clients (specified in PPP-Profiles) and 172.16.0.41-172.16.0.90 for LAN clients. Which pool will ROS use for network 172.16.0.0/24?
You need to adjust your netmask and/or pool then.
It's the admin's responsibility to make sure there are no overlaps.
Why use the same IP subnet scheme for VPN users as for regular LAN clients?
You have the complete range from 172.16.0.0 – 172.31.255.255 available.
Why make it difficult for yourself?
So, if I specify network 172.16.0.128/27 for LAN DHCP clients, I would need to assign IP address in that subnet to the router and then setup routing between VPN and LAN clients?
You're going in the wrong direction, for me.
Again … why would you want VPN and LAN clients to use the SAME subnet/DHCP settings?
Make them separate and make sure there is no overlap, nowhere.
Easiest example:
Use 172.16.x.y for your LAN
Use 172.17.v.w for VPN
2 DHCP pools
2 network settings
Or if you want to make it difficult:
172.16.0.1/27 = 172.16.0.1-172.16.0.31
172.16.0.32/27 = 172.16.0.33 - 172.16.0.62
But it doesn’t make sense to do this. Way too easy to get confused.
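The separate-subnet layout recommended above, written out as RouterOS CLI commands. This is an added example, not configuration from any post in this thread; the interface name bridge-lan, the router address 172.16.0.1, the internal server at 172.16.0.10, the pool and profile names, and the choice of 172.17.0.0/24 for VPN clients are assumptions.

```routeros
# Added example: LAN and VPN clients in separate subnets.
# Assumed: LAN interface is "bridge-lan", router LAN address 172.16.0.1,
# an internal server at 172.16.0.10, VPN clients arrive over PPP.

# LAN side: one pool, one DHCP network entry, one DHCP server instance.
/ip address add address=172.16.0.1/24 interface=bridge-lan
/ip pool add name=pool-lan ranges=172.16.0.41-172.16.0.90
/ip dhcp-server network add address=172.16.0.0/24 gateway=172.16.0.1 dns-server=172.16.0.1
/ip dhcp-server add name=dhcp-lan interface=bridge-lan address-pool=pool-lan disabled=no

# VPN side: its own pool in a different /16, handed out by the PPP profile,
# not by the DHCP server, so no DHCP network entry is needed for it.
/ip pool add name=pool-vpn ranges=172.17.0.2-172.17.0.50
/ppp profile add name=vpn-users local-address=172.17.0.1 remote-address=pool-vpn

# No static route is needed between the two subnets: both are connected
# to the router. What VPN users may reach is then decided in the firewall,
# which is the point of keeping them separate: allow only what they need.
/ip firewall filter
add chain=forward in-interface=all-ppp dst-address=172.16.0.10 protocol=tcp dst-port=443 action=accept comment="VPN users: internal server only"
add chain=forward in-interface=all-ppp dst-address=172.16.0.0/24 action=drop comment="VPN users: nothing else on the LAN"
```

The two forward rules must sit before any rule that accepts established or forwarded traffic wholesale, so check their position with `/ip firewall filter print` after adding them.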
Having them in the same subnet kinda simplifies things.
What are the benefits of having them in separate subnets?
Yeah, I was waiting for this one to come as an answer.
Convenience (“because it is easier”) is always the wrong answer when security is concerned.
Security.
Much easier to keep things segregated where needed. You do not have to but it can be done in a more efficient way when needed.
Do you 1100% trust all VPN users the same way you trust your LAN clients?
I don’t.
I even have different types of LAN users. Some can do everything, most can not.
Also, it will be a lot more clear for you in the future what happens where. If both LAN and VPN use the same subnet, you can’t see it that easily if something goes wrong.
You are asking questions without attempting to learn basic network knowledge.
Phrasing questions as "can I do this or that" is a clear clue.
Requirements in the future should be based on what traffic your users and devices require, and questions should be posed in that regard.
I have two groups of users, a local group that will use my router for internet.
Second, An external group that I require to VPN into the router, and access…?? my local subnet ?? my local server ?? use my internet etc.
I need VPN users to have the same access as LAN users even if I do not trust them the same.
Also, it will be a lot more clear for you in the future what happens where. If both LAN and VPN use the same subnet, you can’t see it that easily if something goes wrong.
Simply answering "MikroTik can't easily do what you want it to do" is a more honest answer.
You are arrogant
Your question makes no sense here, because if you look at the available parameters when editing/adding a DHCP Server instance, you'll see that you are able to explicitly choose the Pool, but there is no parameter to select which DHCP Server Network to be used. "Which pool ROS will use for network 172.16.0.0/24?" is nonsense, you already choose the pool. In this situation, it's the DHCP Server Network entry that is automatically chosen for you (one whose address range contains the address range of the pool). You configure the DHCP Server with the pool 172.16.0.41-172.16.0.90, then the DHCP Server Network entry with "address" 172.16.0.0/24 will be used for that DHCP Server instance.
Regardless, the way you are configuring the DHCP Server Network with “address” 172.16.0.0/24 and then give both your DHCP clients and VPN clients addresses in the same 172.16.0.0/24 range is wrong and will completely break communication between the DHCP client and VPN client devices. Because the DHCP client devices get the information from the DHCP server that the subnet is 172.16.0.0/24, which means they will consider any destination address in that range to be “on-link”, and will try to communicate with the destination directly on layer 2, using ARP and MAC address, and bypass the router completely. The DHCP client devices won’t be able to send packets to the VPN client devices. That’s why your network mask should be correct and should only include devices that can really be reached on the same link layer.
So, one Network entry can be applied to several pools. I could not comprehend that until your clarification. Thank you very much.
This setup was working fine for about 20 years with Windows/ISA and is working fine for 3 years with Mikrotik (albeit with Windows DHCP) - VPN clients receive addresses in the range 172.6.0.31-40, LAN clients receive addresses in the range 172.6.0.1-254 (with the exclusion of 31-40) and can communicate freely with each other.
Apparently, both Windows and ROS can perform L2 bridging between VPN and LAN hosts.
This can work … if the VPN server performs proxy ARP on behalf of its VPN clients. MikroTik (if used as VPN server) doesn't do it by default, some others (Windows/ISA) might do it by default. In any case you (as network admin) have to understand what your servers do to make everything work together nicely.
Yes, ARP mode needs to be set to proxy-arp on the LAN interface where the DHCP server instance is running. MikroTik has an example in this video https://www.youtube.com/watch?v=z3QYRc-ga0U&t=96s (where the prefix length is announced as /16).
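The single-subnet layout discussed in this thread, as an added RouterOS CLI example (not configuration from any post here): one DHCP Server Network entry for the whole /24, a LAN pool that excludes the VPN range, the VPN range handed out by the PPP profile, and proxy-arp on the LAN interface so LAN clients can reach VPN clients they believe to be on-link. The interface name bridge-lan, the router address 172.16.0.1 and the pool and profile names are assumptions; the address ranges are the ones from the question.

```routeros
# Added example: LAN and VPN clients in the same /24, VPN server doing proxy ARP.
# Assumed: LAN interface "bridge-lan", router address 172.16.0.1, VPN over PPP.

/ip address add address=172.16.0.1/24 interface=bridge-lan

# One DHCP network entry for the whole /24. It is not bound to a pool or a
# server instance explicitly; it applies to every DHCP server whose pool
# lies inside 172.16.0.0/24, so one entry can serve several pools.
/ip dhcp-server network add address=172.16.0.0/24 gateway=172.16.0.1 dns-server=172.16.0.1

# LAN pool: must not overlap the VPN range 172.16.0.31-172.16.0.40.
/ip pool add name=pool-lan ranges=172.16.0.41-172.16.0.90
/ip dhcp-server add name=dhcp-lan interface=bridge-lan address-pool=pool-lan disabled=no

# VPN pool, assigned through the PPP profile, inside the same /24.
/ip pool add name=pool-vpn ranges=172.16.0.31-172.16.0.40
/ppp profile add name=vpn-users local-address=172.16.0.1 remote-address=pool-vpn

# LAN clients get netmask /24, so they treat 172.16.0.31-40 as on-link and
# send ARP requests for those addresses instead of using the gateway. With
# proxy-arp the router answers with its own MAC and forwards into the tunnel.
/interface bridge set [find name=bridge-lan] arp=proxy-arp

# Checks: the network entry that covers the pool, the ARP mode, and whether
# LAN hosts have resolved a VPN address to the router's MAC.
/ip dhcp-server network print
/interface bridge print where arp=proxy-arp
/ip arp print where interface=bridge-lan
```

Because every LAN host can ARP for every VPN address and the reply comes from the router, this layout gives VPN clients the same L2 reachability as LAN clients; any restriction between the two groups has to be done with forward-chain firewall rules on the PPP interfaces, since the /24 mask offers no separation by itself.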