mac-address binding with dhcp

chintan1011 · January 4, 2016, 11:30am

i f i select stattic-only in dhcp server then client which mac-address is added in dhcp lease.
but can i connect to the network using static ip address from host pc?

and alongwith that i put “reply-only” in ARP for my LAN interface.
what will happen i cant connect to the network using static ip also?

how ARP feature works for any interface?

ZeroByte · January 4, 2016, 4:38pm

It works pretty much just the way it sounds, so maybe you should learn a little more about how ARP works.

Arp type:

disabled: the interface neither sends arp requests, nor replies to arp requests. In other words, all arp entries must be entered statically on the Mikrotik AND on the client devices, or else they won’t be able to use the router as a gateway.
enabled: this is the default, and is the normal arp behavior. send and reply to arp requests on the interface.
reply-only: mikrotik will answer arp requests for its IP, but it won’t send arp requests. This means that entries must be static in the Mikrotik but the devices can dynamically discover the Mikrotik as normal.
proxy-arp: the Mikrotik will reply to all arp requests for IP addresses the Mikrotik knows how to reach, and are on a different interface than the one where the arp request was received.

So in proxy arp, if a device on the LAN sent an ARP request for 8.8.8.8, then the Mikrotik will respond… This is useful in some situations, such as pppoe concentrators, VPN concentrators, and is also useful in some black voodoo wizardry solutions . . .

If you’re trying to disallow static-configured IP addresses on hosts - i.e. requiring them to be configured for dhcp, but only receiving an IP if provisioned as a static lease, then you will want to use arp type=reply only, and then in the dhcp server configuration, enable the option to create static ARP entry for leases. This way, no device can get gateway services from your router unless they request an address from DHCP. (note - they will still be able to put static IP addresses on devices and communicate peer-to-peer within your LAN.

chintan1011 · January 5, 2016, 5:52pm

Thanks for your reply…
So if I select ARP: reply-only and in the dhcp-server stattic -only ..client pc’s mac address must be added in the dhcp-server leases right! And this can’t be connected to the gateway using static IP address but can connect go other pc in the LAn m I right?

ZeroByte · January 5, 2016, 8:14pm

You are correct.

Also - don’t forget to set “Add ARP For Leases” to yes in the DHCP server configuration, or else the users won’t be able to use the Internet even if they do have a MAC address configured in leases.

chintan1011 · January 6, 2016, 3:37am

Okay thanj you so much..
And have u used hap lite?

I want to use two hap lite for pptp VPN setup ..also want to use these hap lite as WiFi router at both end ..
So I want to know how will be the performance of hap lite in this condition..
Is both pptp and wifi can be configured on same device?

bajodel · January 15, 2016, 7:52am

ZeroByte, only directly connected ip/subnet ..right?

ZeroByte · January 15, 2016, 2:28pm

No - any IP address in the routing table, no matter how generic the route, and no matter whether the destination is directly connected, or known via a static route or OSPF or BGP or whatever. Even the default GW route counts.

So if you have R1 → R2, where R1 has default GW just set to ether1 - the interface itself, then when someone behind R1 tries to ping google DNS 8.8.8.8, R1 won’t forward the packet to R2 as a next hop. It send an ARP request for 8.8.8.8 on interface ether1. Assuming that R2 has proxy arp enabled, if R2 has a route to 8.8.8.8 (and it will count the default GW) and if that route is out through some other interface than the one where it received the ARP, then it will respond to the ARP request for 8.8.8.8 with its own MAC address.

At that point, R1 will then forward the packet whose source/destination IP are the original host / 8.8.8.8 and on the ethernet frame, the source MAC will be R1 and the dst MAC will be R2. If there are switches and/or bridges between R1 and R2, they will simply forward the frame to R2 because at the ethernet layer, the destination MAC is R2… so when R2 receives the frame, its NIC will accept the frame and pass it up the stack to the IP layer, which will see that this IP packet is bound for 8.8.8.8 - and because IP routing is enabled, R2 will simply forward the packet based on the routing table.

Thus, R1 can ping 8.8.8.8 and anywhere else on the Internet. If you were to look in the ARP table on R1, you would see an entry for each and every IP address that has been communicated with recently, and all MAC addresses would be R2’s MAC address.

Now suppose there were some other IP subnet that R2 has a route for it that points through R1, but suppose R1 doesn’t have that route in its own routing table - then when a packet for that network comes through R1, R1 will arp on ether1 for this IP, but since R2’s route for the destination is back out the same interface, R2 will not reply to this ARP request.

bajodel · January 16, 2016, 2:27pm

superb, thank you very much!!
I’ve definitely learned something!

chintan1011 · May 5, 2016, 4:18pm

I have set ARP to reply-only for LAN interface and dhcp to static-only . one of my device’s Mac add. Is added in dhcp static leases.but this device is not taking IP from dhcp server and when I am adding static on device but device is not getting into network. I also made static ARP AMC entry for this device’s Mac add.
So please how to get this device in to network forcefully..