I tried posting this in “Beginner basics”, but after some thought, this might be a bit more advanced topic.
I’m trying to set up 3 CRS326-24Gs (with a RB2011 as a router).
At first, I wanted each port on the switches to get its own DHCP server, but with a single-address IP pool – for easy client configuration with quasi-static addressing. I tried using individual bridge VLANs. Then I thought about connecting ports that should get untagged packets, but should be accessible for all other clients (like a dumb, not tagging-capable networked printer, for example).
Right now my configuration is as follows:
- Individual VLANs with each client bridge port as untagged, bridge as tagged
- DHCP server with one-address pool on each said VLAN
- A switch rule for each port to retag 67-68/UDP (DHCP) with said VLAN ID
- A separate “main” VLAN
- Port PVIDs are the same – with the “main” VLAN ID
- Switch “Port isolation” rules to isolate ports – since they still share the same “main” VLAN
This thing I’ve created seems quite clunky and inelegant, and I thought to ask for advice on whether there are better practices for achieving this.
If you want the ports to be isolated from each other then using one VLAN per port with corresponding DHCP server & pool on the router would be the cleanest approach.
If you didn’t need the port isolation then a flat network with DHCP option 82 to indicate which physical port the request originates from would work; anything else is likely a hacky bodge. Whilst the MikroTik DHCP snooping adds option 82 data, the DHCP server can’t make use of it; you would have to resort to an external RADIUS server to handle this.
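The “one VLAN per port, one DHCP server per VLAN on the router” layout suggested above, written out as an added RouterOS example (not from any poster in this thread). It assumes a CRS326 with ether1 as the trunk to the router and ether2/ether3 as client ports, an RB2011 with ether5 as the trunk, and VLAN IDs, addresses and names (bridge1, vlan102, pool102, …) chosen here for illustration.

```routeros
# ---- Switch (CRS326): access port per VLAN, trunk to the router on ether1 ----
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2 pvid=102
/interface bridge port add bridge=bridge1 interface=ether3 pvid=103
# Each client VLAN is tagged only on the trunk and untagged only on its own port
/interface bridge vlan add bridge=bridge1 vlan-ids=102 tagged=ether1 untagged=ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=103 tagged=ether1 untagged=ether3
# Access ports accept untagged frames only, so a client cannot inject a VLAN tag
/interface bridge port set [find interface=ether2] frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge port set [find interface=ether3] frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Enable filtering last, after the VLAN table is complete
/interface bridge set bridge1 vlan-filtering=yes

# ---- Router (RB2011): one VLAN interface, address, pool and DHCP server per port ----
/interface vlan add name=vlan102 vlan-id=102 interface=ether5
/interface vlan add name=vlan103 vlan-id=103 interface=ether5
/ip address add address=10.0.102.1/24 interface=vlan102
/ip address add address=10.0.103.1/24 interface=vlan103
# Single-address pools: whatever is plugged into the port always gets the same IP
/ip pool add name=pool102 ranges=10.0.102.10
/ip pool add name=pool103 ranges=10.0.103.10
/ip dhcp-server network add address=10.0.102.0/24 gateway=10.0.102.1
/ip dhcp-server network add address=10.0.103.0/24 gateway=10.0.103.1
/ip dhcp-server add name=dhcp102 interface=vlan102 address-pool=pool102 disabled=no
/ip dhcp-server add name=dhcp103 interface=vlan103 address-pool=pool103 disabled=no
# The switch isolates ports at layer 2, but the router would still route between
# the client VLANs; drop client-to-client forwarding unless it is explicitly wanted
/interface list add name=clients
/interface list member add list=clients interface=vlan102
/interface list member add list=clients interface=vlan103
/ip firewall filter add chain=forward in-interface-list=clients out-interface-list=clients action=drop
```

Add further ports by repeating the pvid/bridge-vlan pair on the switch and the vlan/address/pool/dhcp-server quartet on the router; the firewall rule covers any VLAN added to the clients list.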
That was the idea at first – but there are some ports that need not be isolated and be untagged – e.g. “dumb” (not tagging-capable) network printers.
If I add that port to every VLAN as an untagged port, it will receive packets from a “normal” (isolated, VLAN-per-port) port, but will be unable to send anything back – because the PVID (possibly the default PVID = 1) on the “special” port would not match the “normal” port VLAN.
It’s very possible that I’m missing something here, but that’s the reason why I made that “ugly hack” I described.
The config doesn’t matter; what are the requirements?
This should be stated in terms of defining users/devices, groups of users/devices and then defining what they should be able to do, and what they should not be able to do, WITHOUT any discussion of the config etc…
Network diagram helps sort that out visually!!
Requirements need to be expressed without any mention of the config, or ports etc… that is all solution space.
Ports do not have requirements; people and devices such as printers etc. do…
Try again.
What you want can be achieved using standard switching capabilities (probably easier on an enterprise-grade switch than on a MikroTik, but it is possible).
Where you run into difficulty is with the desire to have a fixed address assigned to a specific port, rather than to a MAC address as is the usual method.
Other switches have the possibility to sniff DHCP requests and add a specific option to it, like a line ID, which is then seen by the DHCP server.
This is often used in carrier networks to identify a specific customer, whatever router they connect, and assign them a fixed IP or at least track their IP to their line.
But I think MikroTik still cannot do that.