Routing over subnet split (port based DHCP workaround)

For an equipment test setup I'm trying to implement a configuration to mimic port-based DHCP.
I tried to implement this by splitting a /24 subnet into multiple /30 subnets using an RB2011UiAS. The issue: I can't get any traffic to go from one subnet to any of the others.

Why am I doing this?
I have a test setup where up to 5 devices are connected to a network for automatic testing using ‘docks’. The devices require DHCP to receive a network address.
In order to access the devices, you need to know the IP address, so a normal large pool does not work.

The configuration:
The main network that contains the equipment is 172.16.0.0/24; the RB2011UiAS has IP 172.16.0.2.
I created 5 bridges with /30 subnets, each with 2 usable addresses.
Each of the /30 subnets has a DHCP server with a pool of 1 IP, using a very short lease time.
[attachment: dut.png]
The (shortened) code:

# RouterOS 7.12
# model = RB2011UiAS
/interface bridge
add name=DUT
add name=DUT-DOCK1

/interface ethernet
set [ find default-name=ether6 ] name=ether6-dock-1

/interface bridge port
add bridge=DUT interface=ether2
add bridge=DUT-DOCK1 interface=ether6-dock-1

/interface bridge settings
set use-ip-firewall=yes

/ip address
add address=172.16.0.2/24 comment=\
    "Subnet to test-pc" interface=DUT \
    network=172.16.0.0
add address=172.16.0.102/30 comment=\
    "DUT 1; address 172.16.0.101, gw DUT 1: address 172.16.0.102" interface=\
    DUT-DOCK1 network=172.16.0.100

/ip pool
add name=dock1 ranges=172.16.0.101

/ip dhcp-server
add address-pool=dock1 bootp-support=none interface=DUT-DOCK1 lease-time=30s \
    name=dock1

/ip dhcp-server network
add address=172.16.0.101/32 gateway=172.16.0.102 netmask=30

The DHCP configuration works perfectly; each connected test device is receiving the predefined IP address, based on the dock it connects to.
I however cannot reach any of the /30 subnets from the main network or vice versa.

When I add a static default gateway, it is listed as unreachable:

/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=172.16.0.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

> ip route print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS      GATEWAY     DISTANCE
0  IsH 0.0.0.0/0        172.16.0.2        10
  DAc  172.16.0.0/24    DUT                0
  DAc  172.16.0.100/30  DUT-DOCK1          0
  DAc  172.16.0.104/30  DUT-DOCK2          0
  DAc  172.16.0.108/30  DUT-DOCK3          0
  DAc  172.16.0.112/30  DUT-DOCK4          0
  DAc  172.16.0.116/30  DUT-DOCK5          0
  DAc  172.16.1.0/24    FT                 0

I tried disabling use of IP Firewall on the bridges, I tried explicitly adding allow firewall rules, no luck.

I’m quite sure I’m missing something trivial. But what is it?

WHY? Did you read a VLAN segmentation topic?

The use of a bridge is not strictly required. You can also read the configuration as individual interfaces; each of the physical ethernet ports 6-10 will in that case have their own subnet and dhcp server. I tested that as well - didn’t work.

I do know about VLANs, I did consider that, but I fail to see how that would fundamentally change the situation. My main issue is that I need to isolate networks in order to run a DHCP server independently on each segment. But maybe I’m missing your point.

Basic problem: how are devices in the DUT network (with IP addresses 172.16.0.X/24) supposed to know that the IP addresses of your docks are behind a router (docks' addresses are 172.16.0.Y/30)? From the DUT device's point of view these IP addresses are in the same /24 subnet and are supposed to be accessible directly.

There are two ways out of the hole you dug:

  1. configure proxy-arp on router’s ether2 interface (be careful, if you do it wrongly, it can interfere with traffic between DUT devices)
  2. for dock devices use addresses outside DUT address space and configure DUT network with proper routes (either add static route on default gateway or add static route on DUT devices which have to access dock devices)

Note that the first approach won’t help if dock devices limit communication to within own subnet because their subnet is /30. So if dock devices are picky, you’ll have to configure SRC NAT anyway.

The arguments in this post are about L3, so they are true regardless how you tackle L2 setup (multiple bridges vs. VLANs).

And, BTW, for all those "single bridge purists": if a VLAN only spans the CPU and a single physical port, then none of the traffic can be handled by the switch chip alone, so performance will be the same in both implementations. The decision on how to configure the router is then more about readability of the config and skills of the administrator … and these categories are subjective.
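The two ways out described above, written out as RouterOS configuration. This is an added example, not configuration posted by mkx or by the original poster, and it rests on assumptions not in the thread: the docks are re-addressed into 172.16.10.0/24 (one /30 per dock, dock 1 = 172.16.10.1 with the router at 172.16.10.2), the DUT network's real default gateway is 172.16.0.1, and the test PC is a Linux host. Only dock 1 is shown; the other docks follow the same pattern.

```routeros
# Added example (not the thread's own configuration). Assumptions:
#  - docks re-addressed into 172.16.10.0/24, one /30 per dock
#    (dock 1 = 172.16.10.0/30: dock 172.16.10.1, router 172.16.10.2)
#  - the DUT network's real default gateway is 172.16.0.1
#  - the test PC is a Linux host somewhere in 172.16.0.0/24

# --- Option 1: proxy-arp --------------------------------------------------
# ether2 is a port of bridge "DUT", so the L3 interface (and hence the ARP
# setting) is the bridge, not ether2. With proxy-arp the router answers ARP
# on the DUT side for addresses it can route, including the dock /30s.
# Be careful: it can also interfere with traffic between DUT devices.
/interface bridge
set DUT arp=proxy-arp

# --- Option 2: dock addresses outside 172.16.0.0/24 plus a route ----------
/ip address
remove [find interface=DUT-DOCK1]
add address=172.16.10.2/30 interface=DUT-DOCK1 network=172.16.10.0 \
    comment="DUT 1: dock 172.16.10.1, gw 172.16.10.2"

/ip pool
set dock1 ranges=172.16.10.1

/ip dhcp-server network
remove [find gateway=172.16.0.102]
add address=172.16.10.0/30 gateway=172.16.10.2 netmask=30 \
    comment="dock 1: single-address /30 handed out by dhcp-server dock1"

# A default route has to point at a next hop other than the router's own
# address; 172.16.0.2 is the RB2011 itself, which is why the posted route
# shows as unreachable. 172.16.0.1 is the assumed upstream gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.0.1 distance=1

# Hosts in 172.16.0.0/24 must also learn where the docks are: add a route
# on the DUT network's gateway, or on each test PC (Linux, assumed):
#   ip route add 172.16.10.0/24 via 172.16.0.2

# If a dock device refuses to talk to anything outside its own /30, hide the
# test PC behind the router's dock-side address (the "SRC NAT" case above).
/ip firewall nat
add chain=srcnat out-interface=DUT-DOCK1 action=masquerade \
    comment="only needed if dock devices only answer within their own /30"
```

After applying option 2, `/ip route print` should show `172.16.10.0/30` as a connected route on DUT-DOCK1 and no longer overlap the `172.16.0.0/24` connected route on DUT; that overlap is exactly what made the original layout unroutable from the test PC's point of view.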

Thanks a lot for the feedback @mkx.

I tried proxy-arp, but could not get it to work. I gave your second suggestion a spin and got it to work:

  • I changed the /30 subnets to use unique addresses outside of the 172.16.0.0/24 network
  • I multihomed eth2 by assigning 5 additional IP addresses (172.16.0.10, 172.16.0.11, …)*
  • I created a dstnat rule for each of these ip addresses to the assigned dock address (172.16.0.10 → 172.16.x.101, 172.16.0.11 → 172.16.x.105, ..)
  • I created srcnat rules in opposite direction

*Alternatively I could have created nat rules from 172.16.0.2, but the testing application requires different IP addresses, not different ports.

The result is that the IP address in the 172.16.0.0/24 network can be used as if it is the device connected to the dock, completely hiding the intermediate DHCP subnet.
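The alias-plus-1:1-NAT arrangement described in this last post, as an added example rather than the poster's actual export. The thread does not state which addresses were chosen, so this assumes dock N sits in the /30 starting at 172.16.10.(4N-4) (dock 1 = 172.16.10.1, dock 2 = 172.16.10.5) and that alias addresses 172.16.0.10 onwards stand in for the docks on the DUT network; two docks are shown, the rest repeat the pattern.

```routeros
# Added example (not the poster's configuration). Assumptions:
#  - dock N uses the /30 at 172.16.10.(4N-4): dock address 172.16.10.(4N-3),
#    router address 172.16.10.(4N-2); so dock 1 = 172.16.10.1, dock 2 = 172.16.10.5
#  - aliases 172.16.0.10, 172.16.0.11, ... on the DUT bridge represent docks 1, 2, ...
#  - bridge settings keep use-ip-firewall=yes, as in the posted config

# One alias per dock on the DUT-side bridge. The router owns these addresses,
# so it answers ARP for them and the test PC never needs a route to the /30s.
/ip address
add address=172.16.0.10/24 interface=DUT comment="alias for dock 1 (172.16.10.1)"
add address=172.16.0.11/24 interface=DUT comment="alias for dock 2 (172.16.10.5)"

/ip firewall nat
# Inbound: anything addressed to an alias is rewritten to the dock's real address.
# Replies are un-translated by connection tracking, no extra rule needed.
add chain=dstnat dst-address=172.16.0.10 action=dst-nat \
    to-addresses=172.16.10.1 comment="dock 1 inbound"
add chain=dstnat dst-address=172.16.0.11 action=dst-nat \
    to-addresses=172.16.10.5 comment="dock 2 inbound"

# Outbound: connections the dock itself opens toward the DUT network appear
# to come from its alias, so the /30 address never shows up on 172.16.0.0/24.
add chain=srcnat src-address=172.16.10.1 out-interface=DUT action=src-nat \
    to-addresses=172.16.0.10 comment="dock 1 outbound"
add chain=srcnat src-address=172.16.10.5 out-interface=DUT action=src-nat \
    to-addresses=172.16.0.11 comment="dock 2 outbound"

# Checks from the router while the test PC pings 172.16.0.10:
#   /ip firewall nat print stats            (dstnat counter for dock 1 increases)
#   /ip firewall connection print where dst-address~"172.16.10.1"
```

Because each alias is a separate address rather than a separate port, a test application that identifies devices by IP address sees five distinct hosts, which is the reason the poster chose per-dock aliases over port forwarding from 172.16.0.2.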