Everything is fine - Next step, static IP for some equipment

So far I have implemented a few things.

DHCP 192.168.0.1/24
Basic Firewall Filters for Client protection.
Basic Firewall Filters for Router protection. Still being discussed a bit.
A working Port forward. Basic principle on how that is done documented.
Graphing - well only a bit. Could do with expansion.

(I will keep typing and posting because it also serves to complement my own documentation)

Next item is static addresses for some equipment, like servers and other tools.
This should probably be done on the Switch, following the principle of implementing things as close to the equipment as possible. I can assign static addresses from the Router DHCP range but they time out. I am also told that I should be prepared to define these static addresses on the devices as well. Trying to read up on what it says under IP in the manual, but as far as I can see that topic is not addressed here: https://help.mikrotik.com/docs/display/ROS/IP and I am not getting the logic. Either you have a DHCP range and assign addresses dynamically via that, or… what? I am not really catching the assign fixed IP part. It can’t be enough to just set the IP on the equipment and expect it to pop up on the Switch or the Router.
Also, if I do it on the Switch I am guessing the Router might need some configuration to handle that…?

Does anyone have a quick 1-2-3 on how to do this?

Since I know some will ask, this is my Router Config. The Switch Config is default. Both are running 7.1.1.

# feb/16/2022 09:24:15 by RouterOS 7.1.1
# software id = Y7E5-SEZ7
#
# model = RB1100x4
# serial number = D8580E4D7A72
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.0/24
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add comment="trying to keep at least 10MB to all clients at all times" \
    limit-at=10M/10M max-limit=100M/100M name=queuebw10 target=192.168.1.0/24
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip arp
add address=192.168.1.234 interface=bridge1 mac-address=2C:76:8A:AD:27:86
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B
add address=192.168.1.16 interface=bridge1 mac-address=00:15:5D:01:EA:01
add address=192.168.1.33 interface=bridge1 mac-address=00:15:5D:01:EA:08
add address=192.168.1.35 interface=bridge1 mac-address=00:15:5D:01:EA:09
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.1.5 client-id=1:8:55:31:c1:67:57 mac-address=\
    08:55:31:C1:67:57 server=dhcp1
add address=192.168.1.30 mac-address=58:9E:C6:19:81:1D server=dhcp1
add address=192.168.1.100 mac-address=10:BF:48:89:F3:3C server=dhcp1
add address=192.168.1.10 client-id=1:0:25:90:4b:6b:4b mac-address=\
    00:25:90:4B:6B:4B server=dhcp1
add address=192.168.1.40 mac-address=18:16:C9:D0:8B:B2 server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall address-list
add address=192.168.1.2-192.168.1.245 list=allowed_to_router
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related \
    hw-offload=yes log=yes log-prefix="fast-track for established,related"
add action=accept chain=forward comment=\
    "accept forward established,related, untracked" connection-state=\
    established,related,untracked log=yes
add action=drop chain=forward comment=invalid connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT form WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=\
    "drop access to clients behind NAT form WAN"
add action=accept chain=input comment=\
    "default configuration, input accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="allowed to router" log=yes \
    src-address-list=allowed_to_router
add action=accept chain=input comment="icmp allowed" log=yes protocol=icmp
add action=drop chain=input comment="drop access"
add action=drop chain=input comment="drop invalid" connection-state=invalid \
    log=yes
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=22022 in-interface-list=WAN log=yes \
    log-prefix=sftp-inleed protocol=tcp src-address=5.150.195.195 \
    to-addresses=192.168.1.22
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=mt-ro-homered
/tool graphing interface
add allow-address=192.168.1.0/24 interface=bridge1
add allow-address=192.168.1.0/24
/tool graphing resource
add allow-address=192.168.1.0/24

Basic DHCP server setup is something like this:

/ip pool
add name=DHCP-pool ranges=192.168.88.20-192.168.88.144
/ip dhcp-server
add address-pool=DHCP-pool interface=bridge name=DHCP-server
/ip dhcp-server network
add address=192.168.88.1/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.88.1 ntp-server=192.168.88.1

With these settings, all devices will receive dynamic leases from the address pool configured.

If you want some device to have a predefined address (a.k.a. static lease), then you can play with it in the GUI, but essentially you’ll end up with a configuration like this (in addition to the above):

/ip dhcp-server lease
add address=192.168.88.250 comment="my most important LAN server" mac-address="aa:bb:cc:dd:ee:ff" server=DHCP-server

The address given can syntactically be any address, but the device won’t be able to use it if it doesn’t fit in the subnet configured for that particular DHCP server (in the /ip dhcp-server network section). Also make sure it’s not used by devices with truly static addressing (e.g. your main router or any other device which has a static address configured directly on the device).

So it is quite safe to assign an address which otherwise falls into the address pool configured for dynamic leases, but it’s also fine to assign an address which is outside the address pool.

Regarding doing it on the switch: there should only be one DHCP server per Ethernet subnet (VLAN). If all subnets converge to a single router (different physical or VLAN interfaces), then you can run all the necessary DHCP servers on the router. If some subnets terminate on (L3) switches, then some entity inside such a subnet has to provide DHCP service (or DHCP relay). However, if your network consists of multiple L2 switches, you should not run multiple DHCP servers, each serving “local” clients.
Besides, the concept is central management (which means running the DHCP server on a central entity); DHCP handshakes don’t cause much traffic.

Unless you do something to prevent it (e.g. arp=reply-only on interface), it is enough.
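The checks the reply lists for a static lease (it must fit the /ip dhcp-server network subnet, must not collide with a truly static address such as the router's own, and only needs a matching /ip arp entry when the bridge runs arp=reply-only) can be applied mechanically to an export before it is imported. The script below is an added example, not code from this thread or from MikroTik: it parses RouterOS export syntax (including backslash line continuations and quoted values) and reports, per lease, the problems named above. The export text it runs on is constructed for the example, with placeholder MACs and the 192.168.88.0/24 addressing used in the reply, and deliberately contains one correct lease next to several broken ones; the check for add-arp=yes on the DHCP server is an assumption about how that option is exported.

```python
import ipaddress
import shlex

# Constructed sample export (placeholder MACs, not the poster's configuration).
# One correct lease (.250 / ...ee:ff) plus leases with the mistakes the reply warns about.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge arp=reply-only
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip arp
add address=192.168.88.250 interface=bridge mac-address=AA:BB:CC:DD:EE:FF
/ip pool
add name=DHCP-pool ranges=192.168.88.20-192.168.88.144
/ip dhcp-server
add address-pool=DHCP-pool interface=bridge name=DHCP-server
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dhcp-server lease
add address=192.168.88.250 comment="my most important LAN server" \\
    mac-address="aa:bb:cc:dd:ee:ff" server=DHCP-server
add address=192.168.88.50 mac-address=aa:bb:cc:dd:ee:01 server=DHCP-server
add address=192.168.88.1 mac-address=aa:bb:cc:dd:ee:02 server=DHCP-server
add address=192.168.89.7 mac-address=aa:bb:cc:dd:ee:03 server=DHCP-server
add address=192.168.88.250 mac-address=aa:bb:cc:dd:ee:04 server=DHCP-server
"""


def parse_export(text):
    """Parse RouterOS export text into {"/section path": [{key: value}, ...]}.
    Joins trailing-backslash continuation lines and honours quoted values."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: keep collecting
            pending += line[:-1]
            continue
        line = (pending + line).strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header such as "/ip dhcp-server lease"
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)
        if current is None or tokens[0] not in ("add", "set"):
            continue
        entry = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def _pool_ranges(spec):
    """Expand a 'ranges=' value (a-b, a/len or single address, comma separated)."""
    ranges = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ranges.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif "/" in part:
            net = ipaddress.ip_network(part, strict=False)
            ranges.append((net[0], net[-1]))
        else:
            addr = ipaddress.ip_address(part)
            ranges.append((addr, addr))
    return ranges


def check_static_leases(export_text):
    """Return (level, address, message) findings for every /ip dhcp-server lease."""
    cfg = parse_export(export_text)
    subnets = [ipaddress.ip_network(e["address"], strict=False)
               for e in cfg.get("/ip dhcp-server network", []) if "address" in e]
    router_ips = {ipaddress.ip_interface(e["address"]).ip
                  for e in cfg.get("/ip address", []) if "address" in e}
    pools = {e["name"]: _pool_ranges(e.get("ranges", ""))
             for e in cfg.get("/ip pool", []) if "name" in e}
    servers = {e["name"]: e for e in cfg.get("/ip dhcp-server", []) if "name" in e}
    reply_only = {e["name"] for e in cfg.get("/interface bridge", [])
                  if e.get("arp") == "reply-only"}
    static_arp = {ipaddress.ip_address(e["address"]): e.get("mac-address", "").lower()
                  for e in cfg.get("/ip arp", []) if "address" in e}
    findings, seen = [], {}
    for lease in cfg.get("/ip dhcp-server lease", []):
        addr = ipaddress.ip_address(lease["address"])
        mac = lease.get("mac-address", "").lower()
        server = servers.get(lease.get("server"), {})
        if not any(addr in net for net in subnets):
            findings.append(("error", str(addr), "outside every /ip dhcp-server network subnet; the client cannot use it"))
        if addr in router_ips:
            findings.append(("error", str(addr), "collides with an address configured on the router itself"))
        if addr in seen:
            findings.append(("error", str(addr), f"already leased to {seen[addr]}"))
        seen.setdefault(addr, mac)
        if any(lo <= addr <= hi for lo, hi in pools.get(server.get("address-pool"), [])):
            findings.append(("info", str(addr), "inside the dynamic pool; fine, it is now reserved for this MAC"))
        # With arp=reply-only the router only answers for static ARP entries, unless the
        # DHCP server itself adds them (assumed exported as add-arp=yes).
        if server.get("interface") in reply_only and server.get("add-arp") != "yes":
            arp_mac = static_arp.get(addr)
            if arp_mac is None:
                findings.append(("error", str(addr), "bridge is arp=reply-only but no /ip arp entry exists for this address"))
            elif arp_mac != mac:
                findings.append(("error", str(addr), f"/ip arp entry has MAC {arp_mac}, lease has {mac}"))
    return findings


if __name__ == "__main__":
    for level, addr, msg in check_static_leases(SAMPLE_EXPORT):
        print(f"{level:5} {addr:15} {msg}")
```

Run against a real `/export` file by reading it into `check_static_leases`; the lease for .250 / ...ee:ff produces no findings, which is the shape a correct static lease should have, while the duplicate .250 entry is reported both as a duplicate and as an ARP mismatch.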