Mikrotik DHCP server lease ip addresses to another router

cibi · April 13, 2025, 12:13pm

Hi everyone,
I have a basic home setup, picture bellow: ZTE F618 from ISP with 1 LAN port and hAP AX Lite connected on Eth 2.

ZTE and MT have different SSIDs and share the same LAN subnet 192.168.1.0/24 (i need both SSIDs). At this moment, dhcp pool from ZTE is 192.168.1.20-120 and pool from MT is 192.168.1.135-240, and MT has a default route to ZTE.
Everything works ok (openvpn, wireguard, connectivity between devices, dns …) and my goal is to use only one dhcp server, the one from MT (for better management purposes), but when i turn off ZTE’s dhcp, registered devices to ZTE don’t receive ip addresses from MT.
I think is something related to the ARP/bridge/broadcast, but i don’t know what and here i need your advice.
My last attempt was with proxy-arp on the bridge, like in config bellow but got no luck. I’ve tried also with LAN ip address 192.168.1.2 set on the interface, not the bridge.
I don’t see dropped packets on firewall logs regarding udp ports 67-68 and all rules with action=drop have log enabled.
My config:

# 2025-04-13 by RouterOS 7.18.2
# software id = 
#
# model = L41G-2axD
# serial number = 
/interface bridge
add admin-mac= arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge protocol-mode=none
/interface wireguard
add listen-port=63231 mtu=1420 name=wireguard_vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi security
add authentication-types=wpa2-psk disable-pmkid=no disabled=no encryption=\
    ccmp group-encryption=ccmp group-key-update=1h management-protection=\
    disabled name=lan wps=disable
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .frequency=2437 \
    .skip-dfs-channels=all .width=20/40mhz configuration.country=Romania \
    .mode=ap .multicast-enhance=enabled .qos-classifier=dscp-high-3-bits \
    .ssid= disabled=no name=wlan security=lan
/ip pool
add name=pool_bridge ranges=192.168.1.135-192.168.1.240
add name=pool_openvpn ranges=10.10.10.5-10.10.10.14
/ip dhcp-server
add address-pool=pool_bridge interface=bridge lease-time=12h name=dhcp_lan
/ppp profile
add local-address=10.10.10.1 name=profile_ovpn remote-address=pool_openvpn \
    use-encryption=yes use-ipv6=no
/system logging action
set 1 disk-file-count=10 disk-lines-per-file=3000
/disk settings
set auto-media-interface=bridge auto-media-sharing=no auto-smb-sharing=no
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan
/ip firewall connection tracking
set tcp-established-timeout=6h
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server

/interface wireguard peers

/ip address
add address=192.168.1.2/24 interface=bridge network=192.168.1.0
add address=10.100.10.1/28 interface=wireguard_vpn network=10.100.10.0
/ip dhcp-client
add comment=defconf default-route-tables=main disabled=yes interface=ether1 \
    use-peer-dns=no
/ip dhcp-server lease

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.2 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=
/ip dns static

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=drop_invalid
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
    log-prefix=ping protocol=icmp
add action=accept chain=input comment="cmc: accept wg adm" dst-address=\
    192.168.1.2 dst-port=58291 in-interface=wireguard_vpn log=yes log-prefix=\
    wg_adm protocol=tcp src-address=10.100.10.0/28
add action=accept chain=input comment="cmc: accept openvpn adm" dst-address=\
    192.168.1.2 dst-port=58291 in-interface=all-ppp log=yes log-prefix=\
    ovpn_adm protocol=tcp src-address=10.10.10.0/28
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=drop_not_lan
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=drop_invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="cmc: wireguard vpn" in-interface=\
    wireguard_vpn ipsec-policy=out,none
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    in-interface-list=WAN
add action=masquerade chain=srcnat comment="cmc: openvpn" in-interface=\
    all-ppp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip route
add check-gateway=arp disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=58291
set api-ssl disabled=yes
/ipv6 firewall address-list

/ipv6 firewall filter

/ppp secret
add name= profile=profile_ovpn service=ovpn
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=AX_Lite
/system logging
set 1 action=disk
set 2 action=disk
set 3 action=disk
add action=disk disabled=yes topics=wireguard
add action=disk topics=firewall
add action=disk topics=ovpn,info
add action=disk topics=system
add disabled=yes topics=wireless,debug
add disabled=yes topics=dhcp
add topics=bridge,debug
add disabled=yes topics=packet
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-port=bootps,bootpc memory-limit=1000KiB

If my network setup is wrong for what i want to achieve (to use only Mikrotik dhcp server for both SSIDs), please let me know what is the best solution.
Thank you for your time.

eltikpad · April 13, 2025, 5:52pm

A quick look didn’t see anything wildly wrong, but did notice pool_bridge only has 6 addresses in it. Any chance they are all used up?

When clients are connected to the ZTE device on SSID1 can they ping your Mikrotik address 192.168.1.2? This would show at least layer 3 connectivity works.

cibi · April 13, 2025, 7:39pm

Pool bridge range is from .135 to .240, so 106 addresses available . I have around 50 clients, so no issues here.
Yes, there is connectivity from ZTE clients to MT clients.
I’m thinking the ZTE don’t broadcast the dhcp discovery packets on LAN port, but i’m not sure about that.

eltikpad · April 13, 2025, 10:16pm

Sorry, not sure what I was looking at in that pool..

You should be able to see if there are any DHCP requests making it to you by sniffing the bridge interface with something like

/tool/sniffer/quick interface=bridge ip-protocol=udp port=67

Edit: use interface=ether2 or interface=all depending on what you want to catch. It wont be high traffic

aoakeley · April 14, 2025, 9:57am

Maybe.
You might just be trying to get the ZTE to do something it was not designed to do.

If the ZTE supports DHCP Relay you could try setting that up so that is uses DHCP relay to forward dhcp requests to the mikrotik. This would not normally be needed if everything was truly on the same L2 network, but might solve your problem.

End of the day here though… the issue I think is the ZTE not the mikrotik, so maybe try the ZTE forums?

cibi · April 15, 2025, 6:42am

Tried that with all interfaces and no packets matched the capture filter.

There is no dhcp relay option on ZTE.
Regarding L2 connectivity between devices, i see mac addresses from one device to the other, just the broadcast from ZTE is filtered somehow/somewhere.
I’m not sure if my config filters this out and this is why i asked here (i enjoy networking challenges from time to time but i’m not a MT expert, nor ZTE ).
I asked also my ISP about this and i’m waiting for their answer.

cibi · April 17, 2025, 7:26pm

Last update: i received a reply from my ISP that the issue was solved. I don’t know what they did but they broke my vpn access (openvpn and wireguard, both on UDP protocol) and now i have to go there.
The issue isn’t solved because in the meantime half of my IoT sensors from location (all registered to ZTE) stoped reporting data to the cloud, so they can’t renew their ip addresses. Now i’m looking for a way to get rid of that ZTE. Case closed.