Question regarding IP pools

Hello guys,

I have set up an L2TP server with the IP pool 10.8.0.2-10.8.0.254. I see that when users connect, it starts assigning them IPs starting from 10.8.0.254, then 10.8.0.253, etc.

My question is: what happens after all the IPs are used? I understand that when an L2TP user disconnects, that IP is not used anymore. Imagine a user has the IP 10.8.0.50. When he disconnects, the next user doesn’t get this freed IP. The router continues allocating IPs one by one as it was doing.

Also, can I set the next-pool option to the same IP pool? If I do so, does this mean that when the router finishes assigning 10.8.0.2-10.8.0.254, it will start from the beginning again?

Sorry, I’m new to MikroTik, so the questions might seem stupid :smiley:

I presume that in case there are no more IP addresses to lease, clients will be unable to connect until an IP address becomes available.

Also, I don’t think that you can put the same IP address range into next-pool… How can you lease the same IP address twice?

Correct. The MikroTik DHCP server starts at the high end of the range.

If all the IPs in the pool are assigned, then a new connection will not get a DHCP address.
Simply disconnecting the L2TP user may or may not release the address (I don’t use L2TP), but once the lease times out, it will become available. If you have a lot of transient users, that’s a good reason not to have R E A L L Y L O N G lease times.

No, it doesn’t. While the DHCP protocol does define a way for the client to release the address, it’s seldom (if ever) used. Most clients have volatile connectivity to the L2 network, which can break without prior notice (network cable is disconnected, wireless link drops, …), so it’s normal for leases to get freed due to expiry of the DHCP lease time. As @k6ccc mentioned, if you expect many transient clients, set the lease time lower (a few tens of minutes is perfectly fine). This will make sure that “abandoned” addresses get returned to the pool quickly enough.

So by default, when L2TP “user1” connects and gets assigned 10.8.0.254, even when he is disconnected he still owns that IP and a newly connected client can’t use it? If yes, for how long is that IP reserved by default? How can I change it so that IP 10.8.0.254 is released 5 minutes after the L2TP client “user1” disconnects?

I don’t have many simultaneous online users, but still I’m running out of IPs for L2TP clients. I end up rebooting the router so that the assigning starts from 10.8.0.254 again.

Simply set a fairly short lease time in the DHCP server settings.

@mkx I just saw your post. I don’t have WinBox access to that router at the moment and I’m not familiar with the terminal commands of MikroTik yet. Can you help me with a command to set the lease time correctly? Also, is it OK if we set the lease time to 60 minutes? Based on what you said, if I set it too low that might cause issues.

Some (a few) devices will initiate a release - I have observed some devices do so on my network. I’m trying to remember which devices will release a DHCP lease when shut down. Not sure, but it may be the Raspberry Pis.

But yes, the large majority of devices simply go away and the lease is held by the DHCP server until the lease time expires.

Here’s one of mine. Lease time on this one is 3 hours.

/ip dhcp-server
add address-pool=".101 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E02-pB4_101 lease-time=3h name=".101 DHCP server"

Use a /23 pool?

I use this RouterOS as an L2TP and OpenVPN server. At first, I assigned an IP pool of 10.10.0.2-10.10.1.254 to OpenVPN clients, but there was this issue that users from the range 10.10.0.2-10.10.0.254 had internet access after connecting to the VPN server, while users from the range 10.10.1.0 to 10.10.1.254 didn’t have internet access after connecting.

I think the issue was that the local address in the PPP profile that was created for OpenVPN had the IP 10.10.0.1, as in the following picture:

https://ibb.co/qk9nF4r

I didn’t know how to fix that issue, so I just decided to limit the range to 10.10.0.2-10.10.0.254 so all users had internet access after connecting to the OpenVPN server.

I’m new to MikroTik and networking in general, so please excuse me for being such a noob :smiley:

If some devices are unable to use the other services, it’s probably some config issue further down, but then we should have a look at your config.
Terminal: /export file=anynameyouwish
Obfuscate the serial number and any private info and/or public WAN IP.
Then post between [__code ] quotes for easier readability.

This is router1, which is the L2TP and OpenVPN server. After users connect, their traffic is sent to router2 via an IPIPv6 tunnel, and there is a masquerade NAT rule in the second router which sends the traffic to the internet.

Here is the router1 config:

[admin@MikroTik] > export
# 2023-07-18 19:42:18 by RouterOS 7.10.1
# software id = 
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface ipipv6
add local-address=2001:470:1f12:1e9::2 mtu=1440 name=ipipv6-tunnel1 \
    remote-address=2001:470:1f12:a12::2
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=\
    PUBLIC IP mtu=1480 name=sit1 remote-address=216.66.84.42
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=l2tp ranges=10.8.0.2-10.8.0.254
add name=openvpn ranges=10.10.0.2-10.10.0.254
/port
set 0 name=serial0
/ppp profile
add dns-server=8.8.8.8 local-address=10.8.0.1 name=l2tp remote-address=l2tp \
    wins-server=1.1.1.1
add change-tcp-mss=yes dns-server=8.8.8.8,1.1.1.1 local-address=10.10.0.1 name=\
    openvpn remote-address=openvpn
/interface l2tp-server server
set default-profile=l2tp enabled=yes use-ipsec=required
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes128-cbc,aes192-cbc,aes256-cbc \
    default-profile=openvpn enabled=yes redirect-gateway=def1
/ip address
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:1f12:1e9::1 \
    scope=30 target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=2222
set api-ssl disabled=yes
/ipv6 address
add address=2001:470:1f12:1e9::2 advertise=no interface=sit1
/ppp aaa
set interim-update=30s use-circuit-id-in-nas-port-id=yes use-radius=yes
/radius
add address=RADIUSIP service=ppp,hotspot
/radius incoming
set accept=yes
/system note
set show-at-login=no
/system scheduler
add interval=1d name="Reboot Router Daily" on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=1970-01-01 start-time=01:00:00

In the config: add name=openvpn ranges=10.10.0.2-10.10.0.254. If I set the range to 10.10.0.2-10.10.1.254, those OpenVPN users that get an IP from the range 10.10.1.0-10.10.1.254 won’t have internet access after connecting, but those from 10.10.0.2-10.10.0.254 have internet access.

And this is also the router2 configuration:

[admin@MikroTik] > export
# 2023-07-18 20:10:11 by RouterOS 7.10.1
# software id = 
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface ipipv6
add local-address=2001:470:1f12:a12::2 mtu=1440 name=ipipv6-tunnel1 \
    remote-address=2001:470:1f12:1e9::2
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=\
    PUBLIC IP mtu=1480 name=sit1 remote-address=216.66.84.42
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/ip address
add address=11.11.11.1/29 interface=ipipv6-tunnel1 network=11.11.11.0
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=drop chain=forward dst-address=141.101.78.0/23
add action=drop chain=forward dst-address=173.245.48.0/20
add action=drop chain=output dst-address=141.101.78.0/23
add action=drop chain=output dst-address=173.245.48.0/20
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:1f12:a12::1 \
    scope=30 target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=2222
set api-ssl disabled=yes
/ipv6 address
add address=2001:470:1f12:a12::2 advertise=no interface=sit1
/system note
set show-at-login=no
[admin@MikroTik] >

Right now I had to set a script to reboot the router so that IP assigning starts from the beginning. If anyone has another opinion to help me, please let me know.

Also, I want to use the 10.10.0.2-10.0.1.254 IP pool for OpenVPN instead of 10.10.0.2-10.10.0.254, but the problem is that I can only set one local address in the PPP profile for OpenVPN. With the 10.10.0.2-10.10.1.254 IP pool, if I enter the local address as 10.10.0.1, those users who are assigned IPs between 10.10.1.0-10.10.1.254 don’t have internet access after connecting.

If I enter the local address in the PPP profile for OpenVPN as 10.10.1.1, those users who are assigned IPs between 10.10.0.1-10.10.0.254 don’t have access to the internet after connecting.

I want to know what I should do so that all users getting IPs from the /23 (10.10.0.2-10.10.1.254) would have internet after connecting to the OpenVPN server.
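A way to see the problem described above in advance, as an added example (not the poster’s configuration or any RouterOS code): it parses the `/ip pool` and `/ppp profile` lines from an export excerpt constructed in the same shape as the one in this thread, and for every address in each profile’s pool checks whether the profile’s `local-address` (the client’s gateway) lies inside the client’s on-link network. The /24 on-link mask is an assumption taken from the `route print` output further down (10.10.1.0 255.255.255.0 On-link); the high-end-first assignment order is what earlier replies describe.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the thread's RouterOS export (not the
# poster's full config). Backslash line continuations are joined before parsing.
EXPORT = r"""
/ip pool
add name=l2tp ranges=10.8.0.2-10.8.0.254
add name=openvpn ranges=10.10.0.2-10.10.1.254
/ppp profile
add dns-server=8.8.8.8,1.1.1.1 local-address=10.8.0.1 name=l2tp remote-address=\
    l2tp
add change-tcp-mss=yes dns-server=8.8.8.8,1.1.1.1 local-address=10.10.0.1 name=\
    openvpn remote-address=openvpn
"""

# Assumption: the client installs its tunnel address with a /24 mask, as the
# Windows "route print" output in the thread shows (10.10.1.0 255.255.255.0).
CLIENT_PREFIXLEN = 24


def parse_export(text):
    """Return ({pool_name: [(first, last), ...]}, {profile_name: {key: value}})."""
    joined = re.sub(r"\\\n\s*", "", text)        # join "\" line continuations
    section, pools, profiles = None, {}, {}
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line                        # e.g. "/ip pool"
        elif line.startswith("add "):
            kv = dict(m.groups() for m in re.finditer(r'(\S+?)=("[^"]*"|\S+)', line))
            if section == "/ip pool":
                ranges = []
                for r in kv["ranges"].split(","):
                    lo, _, hi = r.partition("-")
                    ranges.append((ipaddress.ip_address(lo),
                                   ipaddress.ip_address(hi or lo)))
                pools[kv["name"]] = ranges
            elif section == "/ppp profile":
                profiles[kv["name"]] = kv
    return pools, profiles


def off_link_addresses(pools, profiles, prefixlen=CLIENT_PREFIXLEN):
    """Per profile: pool addresses whose /prefixlen on-link network does not
    contain the profile's local-address, i.e. clients that cannot reach the gateway."""
    report = {}
    for name, prof in profiles.items():
        gateway = ipaddress.ip_address(prof["local-address"])
        bad = []
        for lo, hi in pools.get(prof["remote-address"], []):
            for n in range(int(lo), int(hi) + 1):
                addr = ipaddress.ip_address(n)
                onlink = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
                if gateway not in onlink:
                    bad.append(addr)
        report[name] = bad
    return report


def first_assigned(pools, pool_name):
    """RouterOS hands out pool addresses from the high end first (per the thread)."""
    return max(hi for _, hi in pools[pool_name])


if __name__ == "__main__":
    pools, profiles = parse_export(EXPORT)
    for name, bad in off_link_addresses(pools, profiles).items():
        print(f"profile {name}: {len(bad)} pool addresses cannot reach their gateway")
    print("first openvpn client gets", first_assigned(pools, "openvpn"))
```

Because assignment starts at the top of the range, the very first OpenVPN client lands on 10.10.1.254, which is exactly the off-link case shown in the first `route print` below.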

On a client (I assume a Windows device, or Linux, or … ?)
What does the routing table look like?

On Windows: cmd, route print

This is for when the OpenVPN IP pool is set to 10.10.0.2-10.10.1.254 and the local address in the PPP profile is set to 10.10.0.1. When I connect to the OpenVPN server, I’m assigned 10.10.1.254 and don’t have internet access after connecting:

C:\Users\MY SYSTEM>route print
===========================================================================
Interface List
  3...00 ff 0f 35 67 43 ......TAP-Windows Adapter V9 for OpenVPN Connect
 17...00 ff 91 81 a0 9a ......TAP-Windows Adapter V9
  6...2c fd a1 6d 71 92 ......Intel(R) Ethernet Connection (2) I219-V
 14...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 13...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.253    300
          0.0.0.0        128.0.0.0        10.10.0.1      10.10.1.254    257
    MY ROUTER PUBLIC IP  255.255.255.255      192.168.2.1    192.168.2.253    406
        10.10.1.0    255.255.255.0         On-link       10.10.1.254    257
      10.10.1.254  255.255.255.255         On-link       10.10.1.254    257
      10.10.1.255  255.255.255.255         On-link       10.10.1.254    257
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0        10.10.0.1      10.10.1.254    257
      192.168.2.0    255.255.255.0         On-link     192.168.2.253    406
    192.168.2.253  255.255.255.255         On-link     192.168.2.253    406
    192.168.2.255  255.255.255.255         On-link     192.168.2.253    406
    192.168.140.0    255.255.255.0         On-link     192.168.140.1    291
    192.168.140.1  255.255.255.255         On-link     192.168.140.1    291
  192.168.140.255  255.255.255.255         On-link     192.168.140.1    291
    192.168.186.0    255.255.255.0         On-link     192.168.186.1    291
    192.168.186.1  255.255.255.255         On-link     192.168.186.1    291
  192.168.186.255  255.255.255.255         On-link     192.168.186.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.140.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.186.1    291
        224.0.0.0        240.0.0.0         On-link       10.10.1.254    257
        224.0.0.0        240.0.0.0         On-link     192.168.2.253    406
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.140.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.186.1    291
  255.255.255.255  255.255.255.255         On-link       10.10.1.254    257
  255.255.255.255  255.255.255.255         On-link     192.168.2.253    406
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 14    291 fe80::/64                On-link
 13    291 fe80::/64                On-link
  3    281 fe80::/64                On-link
  6    291 fe80::/64                On-link
  3    281 fe80::516a:e83e:3aeb:51ad/128
                                    On-link
 14    291 fe80::919c:f684:2be2:e147/128
                                    On-link
 13    291 fe80::a011:40ff:73ae:978f/128
                                    On-link
  6    291 fe80::b1fc:e238:6eb0:be65/128
                                    On-link
  1    331 ff00::/8                 On-link
 14    291 ff00::/8                 On-link
 13    291 ff00::/8                 On-link
  3    281 ff00::/8                 On-link
  6    291 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

This is for when the OpenVPN IP pool is set to 10.10.0.2-10.10.0.254 and the local address in the PPP profile is set to 10.10.0.1. When I connect to the OpenVPN server, I’m assigned 10.10.0.254 and have internet access after connecting:

C:\Users\MY SYSTEM>route print
===========================================================================
Interface List
  3...00 ff 0f 35 67 43 ......TAP-Windows Adapter V9 for OpenVPN Connect
 17...00 ff 91 81 a0 9a ......TAP-Windows Adapter V9
  6...2c fd a1 6d 71 92 ......Intel(R) Ethernet Connection (2) I219-V
 14...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 13...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.253    300
          0.0.0.0        128.0.0.0        10.10.0.1      10.10.0.254    257
    MY ROUTER PUBLIC IP  255.255.255.255      192.168.2.1    192.168.2.253    406
        10.10.0.0    255.255.255.0         On-link       10.10.0.254    257
      10.10.0.254  255.255.255.255         On-link       10.10.0.254    257
      10.10.0.255  255.255.255.255         On-link       10.10.0.254    257
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0        10.10.0.1      10.10.0.254    257
      192.168.2.0    255.255.255.0         On-link     192.168.2.253    406
    192.168.2.253  255.255.255.255         On-link     192.168.2.253    406
    192.168.2.255  255.255.255.255         On-link     192.168.2.253    406
    192.168.140.0    255.255.255.0         On-link     192.168.140.1    291
    192.168.140.1  255.255.255.255         On-link     192.168.140.1    291
  192.168.140.255  255.255.255.255         On-link     192.168.140.1    291
    192.168.186.0    255.255.255.0         On-link     192.168.186.1    291
    192.168.186.1  255.255.255.255         On-link     192.168.186.1    291
  192.168.186.255  255.255.255.255         On-link     192.168.186.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.140.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.186.1    291
        224.0.0.0        240.0.0.0         On-link       10.10.0.254    257
        224.0.0.0        240.0.0.0         On-link     192.168.2.253    406
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.140.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.186.1    291
  255.255.255.255  255.255.255.255         On-link       10.10.0.254    257
  255.255.255.255  255.255.255.255         On-link     192.168.2.253    406
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 14    291 fe80::/64                On-link
 13    291 fe80::/64                On-link
  3    281 fe80::/64                On-link
  6    291 fe80::/64                On-link
  3    281 fe80::516a:e83e:3aeb:51ad/128
                                    On-link
 14    291 fe80::919c:f684:2be2:e147/128
                                    On-link
 13    291 fe80::a011:40ff:73ae:978f/128
                                    On-link
  6    291 fe80::b1fc:e238:6eb0:be65/128
                                    On-link
  1    331 ff00::/8                 On-link
 14    291 ff00::/8                 On-link
 13    291 ff00::/8                 On-link
  3    281 ff00::/8                 On-link
  6    291 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

In the first case, where does that interface address 10.10.1.254 come from? It should have been 10.10.0.254 as well, I suppose.

Can you provide the config from the OVPN server in that situation?

DHCP has absolutely nothing to do with L2TP and other PPP-based point-to-point connection address assignment; it is handled by IPCP.

RouterOS address assignments are somewhat sticky - each new connection is assigned an address from the pool, and this is reused if a user disconnects and reconnects; when there are no unused addresses left, any ‘previously used but currently inactive’ address will be reused.
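A toy model of the pool behaviour described in the reply above, added here as an illustration (it is not RouterOS code and does not claim to match the implementation): addresses are handed out from the high end of the range, a reconnecting user gets its previous address back, and an address held by a disconnected user is only given to someone else once no never-used address remains. The three-address pool and the user names are constructed for the demonstration.

```python
import ipaddress


class StickyPool:
    """Model of the sticky per-user address assignment described in the thread."""

    def __init__(self, first, last):
        self.first = int(ipaddress.ip_address(first))
        self.last = int(ipaddress.ip_address(last))
        self.owner = {}      # address (as int) -> user currently holding it
        self.active = set()  # users that are connected right now

    @staticmethod
    def _as_ip(n):
        return str(ipaddress.ip_address(n))

    def connect(self, user):
        """Return the address assigned to `user`, or None if every address is
        held by a connected user."""
        # 1. sticky reuse: the address this user held before, if still theirs
        for addr, who in self.owner.items():
            if who == user:
                self.active.add(user)
                return self._as_ip(addr)
        # 2. never-used addresses, highest first (.254, .253, ...)
        for addr in range(self.last, self.first - 1, -1):
            if addr not in self.owner:
                self.owner[addr] = user
                self.active.add(user)
                return self._as_ip(addr)
        # 3. nothing unused left: take an address whose holder is disconnected
        for addr, who in sorted(self.owner.items(), reverse=True):
            if who not in self.active:
                self.owner[addr] = user
                self.active.add(user)
                return self._as_ip(addr)
        return None

    def disconnect(self, user):
        # The address stays reserved for `user`; only the active flag is cleared.
        self.active.discard(user)

    def unused(self):
        """Addresses never handed out so far (the count the poster sees shrinking)."""
        return self.last - self.first + 1 - len(self.owner)


if __name__ == "__main__":
    # Constructed three-address pool to keep the walk-through short.
    pool = StickyPool("10.8.0.252", "10.8.0.254")
    print("user1 ->", pool.connect("user1"))   # 10.8.0.254
    print("user2 ->", pool.connect("user2"))   # 10.8.0.253
    pool.disconnect("user1")
    print("user3 ->", pool.connect("user3"))   # 10.8.0.252, not the freed .254
    print("user4 ->", pool.connect("user4"))   # pool exhausted: user1's .254 reused
    print("user1 ->", pool.connect("user1"))   # None: all addresses held by active users
```

This reproduces what the original poster observed: a freed address is skipped while unused ones remain, so the "unused" count keeps dropping even with few concurrent users, and reuse of inactive addresses only starts at exhaustion.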

Well, what you are saying is exactly my problem.

Simply speaking, I want to use a broader IP pool with OpenVPN (10.10.0.2-10.10.1.254), but since the local address of the PPP profile is set to 10.10.0.1, users getting IPs between 10.10.1.0 and 10.10.1.254 don’t have internet access, because, as you can see in my Windows route output, the client is assigned 10.10.1.254 but the gateway (the PPP profile local address) is 10.10.0.1, which causes issues. Because of this problem, I had to limit the IP pool to 10.10.0.2-10.10.0.254, but this is also causing issues for me because I’m running out of IPs for users.

For some weird reason, when clients disconnect, their IPs are not freed and MikroTik keeps assigning other free IPs to clients until it runs out of them. Even when it runs out of IPs to assign, it doesn’t use those freed IPs and keeps reserving them for a client that might not connect!

For this I had to set a schedule to reboot the router every 24 hours so the IP assignment is started from the beginning (10.10.0.254, 10.10.0.253 …).

And here is what you wanted. The config of the server when the OpenVPN IP pool is 10.10.0.2-10.10.1.254:

[admin@MikroTik] > export
# jul/19/2023 16:42:51 by RouterOS 7.6
# software id =
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface ipipv6
add local-address=2001:470:1f0a:aa::2 mtu=1440 name=ipipv6-tunnel1 \
    remote-address=2001:470:1f0a:bc::2
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=\
    Public IP mtu=1480 name=sit1 remote-address=216.66.80.30
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=l2tp ranges=10.8.0.2-10.8.0.254
add name=openvpn ranges=10.10.0.2-10.10.1.254
/ppp profile
add dns-server=8.8.8.8,1.1.1.1 local-address=10.8.0.1 name=l2tp remote-address=\
    l2tp
add change-tcp-mss=yes dns-server=8.8.8.8,1.1.1.1 local-address=10.10.0.1 name=\
    openvpn remote-address=openvpn
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface l2tp-server server
set caller-id-type=number default-profile=l2tp enabled=yes use-ipsec=required
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes128,aes192,aes256 default-profile=\
    openvpn enabled=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN
 protocol instead
set authentication=pap,chap,mschap1,mschap2 default-profile=default
/ip address
add address=Public IP/24 interface=ether1 network=Gateway IP
/ip dns
set servers=8.8.8.8,1.1.1.1,9.9.9.9
/ip firewall filter
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=191.101.91.1
add disabled=no dst-address=0.0.0.0/0 gateway=191.101.91.1
add gateway=GatewayIP
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:1f0a:aa::1 \
    scope=30 target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=2222
set api-ssl disabled=yes
/ipv6 address
add address=2001:470:1f0a:aa::2 advertise=no interface=sit1
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp aaa
set interim-update=30s use-circuit-id-in-nas-port-id=yes use-radius=yes
/radius
add address=RadiusIP service=ppp,hotspot
/radius incoming
set accept=yes
/system clock
set time-zone-name=Asia/Beijing
/system ntp client
set enabled=yes
/system ntp server
set manycast=yes
/system ntp client servers
add address=45.129.39.118
/system scheduler
add interval=1d name="Reboot Router Daily" on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=00:10:00