Problem with DHCP Relay Agent in RouterOS 6.1

Hi all,

I have been experimenting with the RB750 for the last two days. We want to connect remote clients on customer sites through IPSec tunnels to our core network. The RB750 should terminate the IPSec connection and act as DHCP relay. I have the following setup.



Clients ------ RB750 --- Gateway ---- Internet ----- IPSecGW ---- DHCP Server
^---------------------------------------------^
IPSec Tunnel
^--------------------------------------------------------------^
DHCP Relay

Client IP Range: 10.79.32.0/29
RB750 Client Interface IP: 10.79.32.1
IPSecGW: g.g.g.g
DHCPServer: d.d.d.d

The RB750 acquires an IP from the Gateway through DHCP and establishes an IPSec Tunnel to the IPSecGW.
Clients acquire IP addresses from the remote DHCP server. The requests are forwarded by the RB750 through the tunnel to the DHCP Server. RB750 acts as a DHCP relay here. So far everything works fine, but the client devices we use (no, we cannot change them :( ) need the GIAddr header set in the DHCP OFFER / DHCP ACK which are sent by the RB750 down to the client. However, the RB750 Relay Agent sets this field to 0.0.0.0. We need it to set the GIAddr to 10.79.32.1.

How can this be done? I already tried the "Local Address" setting in the DHCP relay setting dialog, but this does not have any impact on the client-facing interface. I suppose this is relevant for the communication with the upstream DHCP server. We have similar setups running with Cisco CPEs. The Cisco routers set the GIAddr field to the interface address the relay works on.

Any ideas?

Thanks!

Here is my config:
[admin@MikroTik] > export compact

# jan/02/1970 01:36:41 by RouterOS 6.10

# software id = PCLW-8CR9

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-192-cbc pfs-group=modp768
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
add address=10.79.32.1/29 interface=ether2-master-local network=10.79.32.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-relay
add add-relay-info=yes dhcp-server=d.d.d.d disabled=no interface=ether2-master-local local-address=10.79.32.1 name=dsrv relay-info-remote-id=""
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input in-interface=ether2-master-local src-address=10.79.32.0/29
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" disabled=yes in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add chain=forward dst-address=d.d.d.0/24 src-address=10.79.32.0/29
add chain=forward dst-address=10.79.32.0/29 src-address=d.d.d.0/24
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=src-nat chain=srcnat dst-address=d.d.d.d to-addresses=10.79.32.1
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip ipsec peer
add address=g.g.g.g/32 dh-group=modp768 enc-algorithm=aes-192 nat-traversal=yes secret=XXXXXXXX
/ip ipsec policy
add sa-dst-address=g.g.g.g sa-src-address=10.79.32.1 src-address=10.79.32.0/29 tunnel=yes
/ip proxy
set parent-proxy=0.0.0.0
/ip service
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool sniffer
set filter-interface=ether2-master-local filter-stream=yes
[admin@MikroTik] >

/ip dhcp-relay
add add-relay-info=no delay-threshold=10s local-address=10.79.32.1 disabled=no name=dsrv dhcp-server=d.d.d.d interface=ether2-master-local

But… what DHCP server do you use?
It appears to be a DHCP server misconfiguration…
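
One way to confirm from a capture which GIAddr actually reaches the client in the OFFER / ACK discussed in the first post, as an added example that is not part of the original thread. The function names and the sample packets are constructed for illustration; `parse_dhcp` expects the UDP payload of a DHCP message captured on the client-facing interface.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload):
    """Return op, hops, yiaddr, giaddr and options of a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not DHCP: too short or magic cookie missing")
    op, hops = payload[0], payload[3]
    yiaddr = ipaddress.IPv4Address(payload[16:20])
    giaddr = ipaddress.IPv4Address(payload[24:28])   # relay agent address
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = End option
        if payload[i] == 0:                          # 0 = Pad, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option at offset %d" % i)
        options[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return {"op": op, "hops": hops, "yiaddr": yiaddr, "giaddr": giaddr,
            "options": options}

def check_reply_giaddr(payload, expected):
    """Report whether a server-to-client reply carries the expected giaddr."""
    msg = parse_dhcp(payload)
    if msg["op"] != 2:                               # 2 = BOOTREPLY
        raise ValueError("not a BOOTREPLY")
    kind = MSG_TYPES.get((msg["options"].get(53) or b"\x00")[0], "UNKNOWN")
    return kind, str(msg["giaddr"]), msg["giaddr"] == ipaddress.IPv4Address(expected)

def build_reply(msg_type, yiaddr, giaddr):
    """Constructed sample: minimal BOOTREPLY with option 53 and End."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x12345678, 0, 0)
    addrs = b"".join(ipaddress.IPv4Address(a).packed
                     for a in ("0.0.0.0", yiaddr, "0.0.0.0", giaddr))
    chaddr = bytes.fromhex("020000000001").ljust(16, b"\x00")
    return (header + addrs + chaddr + bytes(192) + MAGIC_COOKIE
            + bytes([53, 1, msg_type, 255]))

if __name__ == "__main__":
    # Constructed packets: an OFFER with giaddr zeroed and an ACK with it set.
    for pkt in (build_reply(2, "10.79.32.2", "0.0.0.0"),
                build_reply(5, "10.79.32.2", "10.79.32.1")):
        print(check_reply_giaddr(pkt, "10.79.32.1"))
```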