Force WiFi users to get an IP only from their own AP's DHCP server

Hi,
I have 3 MikroTik APs (AP1, AP2, AP3).
Each AP's DHCP server has the same subnet 192.168.88.0/24 but a different range, i.e.
AP1=192.168.88.101-150
AP2=192.168.88.151-175
AP3=192.168.88.176-200

GOALS:

  1. I want users on each AP to get a WiFi IP only from their own AP's DHCP server, not from another AP's DHCP server.

QUESTIONS:

  1. I am thinking of creating a DHCP server on each AP with a different range, but how do I make sure a WiFi user on AP1 can't get an IP from AP2 and vice versa?

tq

PARTIALLY SOLVED
Answered by my friend. Using Bridge Filter
http://www.mikrotik.co.id/artikel_lihat.php?id=252

I can achieve what I want using:
/interface bridge filter
add action=accept chain=forward dst-port=67 ip-protocol=udp mac-protocol=ip out-interface=wlan1 src-port=68
add action=drop chain=forward dst-port=67 ip-protocol=udp mac-protocol=ip src-port=68

But I have another question:

  1. Let's say a user on AP3 installs an illegal DHCP server on his PC.
    How do I set MikroTik to only authorize its DHCP server?

tq

My understanding is that sure, if the MikroTik bridge is in the middle, you can use bridge filter. However, all on the same switch, you’ll need to use the new DHCP Snooping feature.
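
Both approaches to the rogue DHCP server question, sketched as an added example that is not from any poster in this thread. The names bridge1, ether1 (uplink) and wlan1 are assumptions; adjust them to the actual AP.

```routeros
# Added example; bridge1 / ether1 / wlan1 are assumed names.

# Option A: bridge filter.
# A DHCP server sends from UDP source port 67. A wireless client has no
# legitimate reason to send such frames, so drop them when they enter from
# wlan1, whether they would be forwarded to another port (forward chain)
# or delivered to the router itself (input chain). log=yes records each
# hit, which also tells you that someone is running a server.
/interface bridge filter
add chain=forward in-interface=wlan1 mac-protocol=ip ip-protocol=udp \
    src-port=67 action=drop log=yes log-prefix="rogue-dhcp" \
    comment="drop DHCP server replies coming from wifi clients"
add chain=input in-interface=wlan1 mac-protocol=ip ip-protocol=udp \
    src-port=67 action=drop log=yes log-prefix="rogue-dhcp" \
    comment="drop DHCP server replies aimed at the AP itself"

# Traffic between two clients associated to the same wlan1 is relayed by
# the wireless driver and does not pass through the bridge filter.
# Turning off default forwarding closes that path, at the cost of
# blocking all direct client-to-client traffic on this AP.
/interface wireless
set wlan1 default-forwarding=no

# Option B: DHCP snooping on the bridge.
# With snooping enabled, DHCP server messages arriving on untrusted bridge
# ports are dropped. Ports are untrusted by default.
/interface bridge
set [find name=bridge1] dhcp-snooping=yes

# Mark a port trusted only if a DHCP server you want clients to use is
# reachable through it. In the setup described in this thread (each AP
# serving only its own clients) the uplink would stay untrusted, so the
# line below is left commented out.
# /interface bridge port set [find interface=ether1] trusted=yes
```

After applying either option, entries prefixed with rogue-dhcp in `/log print` show which frames were dropped.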

Are all APs configured with the same SSID? If yes, then clients will roam between APs and won’t renew DHCP leased addresses … at the end there will be clients with any of the leased addresses on all 3 APs, and if you filter (on bridges) too much, it’ll break their connectivity.