One network, two DHCP servers - looking for advice

Hi,

I have two sites connected with a wireless link. Both sites are bridged and are on the same subnet 192.168.88.0/24. There is a DHCP server in site A.

Problem description: when the wireless link is down, the devices in site B cannot reach the DHCP server in site A. Could you please recommend a setup for site A and site B so that there is a DHCP server in each site and both sites remain in the same subnet?

Thanks in advance.

Cluster the servers or use different pools.

Site A (192.168.88.1) - DHCP server pool 192.168.88.10-192.168.88.20
Site B (192.168.88.2) - DHCP server pool 192.168.88.21-192.168.88.30

Is this what you are suggesting?

That is a good start.
And if you also drop the forwarding of UDP ports 67 and 68 from network A to B and from B to A, it will ensure that systems connected to A will always use DHCP server A, and those from B only server B.

docmarius, that's what I was looking for, thank you.
Could you please check if these rules will suffice?

on router in site A (192.168.88.1)

add action=drop chain=forward dst-address=192.168.88.2 protocol=udp src-address=192.168.88.1 src-port=67-68

on router in site B (192.168.88.2)

add action=drop chain=forward dst-address=192.168.88.1 protocol=udp src-address=192.168.88.2 src-port=67-68

I think those rules actually don’t work, but it depends on your exact network topology.
First of all, DHCP uses anycast, not assigned addresses.
Let’s analyze 2 use cases assuming the following topology:

clients A ---- Router A ----------Router B ---- clients B

1st use case: You need all clients on the same broadcast domain. This is needed e.g. to be able to browse workgroups on Windows networks, if you don't want to set up a WINS server.
In that case, you will need to set up 2 bridges, so that broadcasts from clients A can reach clients B (which I understand you did).
But the bridge traffic is not affected by forward rules in the router, only by bridge filter rules, so blocking udp ports 67 and 68 from the local port of each bridge to the link port has to be done by bridge filter rules.
Actually you need to do this only on one router, but block the specific traffic in both directions.
For these please check http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Packet_Filter

2nd use case: You are happy with just inter-networking between those segments, and then you subnet your internal network into 2 segments, each serviced by a DHCP server. In this case, you only need to route between those 2 LAN segments via the link (which can be part of a different network, or a third sub-net). Because anycasts and broadcasts cannot traverse routers, there is no conflict between the 2 DHCP servers.

Now you need to decide what you need to do.
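A concrete set of bridge filter rules for the first use case above, added here as an illustration and not taken from any post in this thread. It assumes RouterOS v6 syntax, that each router's bridge has a client-facing port named ether2 and a link-facing port named wlan1, and that the DHCP server runs on the router itself; the same rules go on both routers since they refer to port roles, not site addresses.

```routeros
# Added example (not from the thread). Assumed names: ether2 = port facing the
# local clients, wlan1 = port facing the wireless link, both in the site bridge.
#
# Why the original "/ip firewall filter add chain=forward ..." rule sees nothing:
# frames moving between two ports of the same bridge are switched at layer 2 and
# never enter the IP forward chain. Only /interface bridge filter inspects them.

/interface bridge filter
# 1. Local clients' DHCPDISCOVER/REQUEST broadcasts (udp 68 -> 67) must not cross
#    the link, otherwise the remote server would answer them as well.
add chain=forward in-interface=ether2 out-interface=wlan1 mac-protocol=ip \
    ip-protocol=udp dst-port=67 action=drop comment="DHCP: keep local requests local"
# 2. Remote clients' requests arriving over the link must not be flooded to the
#    local clients ...
add chain=forward in-interface=wlan1 out-interface=ether2 mac-protocol=ip \
    ip-protocol=udp dst-port=67 action=drop comment="DHCP: drop remote requests"
# 3. ... nor reach the DHCP server on this router (that path is the input chain).
add chain=input in-interface=wlan1 mac-protocol=ip ip-protocol=udp dst-port=67 \
    action=drop comment="DHCP: local server ignores remote requests"
# 4. Server replies (udp 67 -> 68) crossing the link in either direction are
#    dropped too, so a stray server on the far side can never lease to local
#    clients, and a stray server on the local segment cannot lease to remote ones.
add chain=forward in-interface=wlan1 out-interface=ether2 mac-protocol=ip \
    ip-protocol=udp dst-port=68 action=drop comment="DHCP: drop offers from link"
add chain=forward in-interface=ether2 out-interface=wlan1 mac-protocol=ip \
    ip-protocol=udp dst-port=68 action=drop comment="DHCP: no offers over link"

# Verification: release/renew on a client in each site, then confirm the drop
# counters on rules 1-4 move while every client still gets a lease from its own site.
/interface bridge filter print stats
```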

Hi.
You need something like this:

/interface bridge filter
add action=drop chain=input comment="Deny DHCP over Bridge" src-port=68 dst-port=67 in-interface=Bridge1 ip-protocol=udp mac-protocol=ip

Regards: Xen

barkas, docmarius, Xen - I got it working today. Many thanks for all your advice!