Wifi getting wrong IP

Hello,

Please help me. I have an RB2011UiAS-2HnD act as my main router after my ISP modem (at my parents house) and a Newifi D2 router (dumb switch with AP) use at my house (200m apart from my parents house and used fiber to connect). In my RB2011UiAS-2HnD, I have 4 subnet, 192.168.1.x, 192.168.10.x, 192.168.20.x and 192.168.40.x.

The 192.168.10.x subnet is extended to my Newifi D2 router (dumb switch with AP). Issue is that a few wireless devices is getting the IP from subnet 192.168.1.x (subnet for my neighbor) and having wifi connectivity issue.

Can help how to mitigate this issue? Other devices is getting correct IP’s and other’s don’t.

Would greatly appreciate your technical expertise.

The 192.168.10.x subnet is extended to my Newifi D2 router

We’re going to need to see your configuration to know what you mean by vague statements like that. Use the /export command in RouterOS. In v7, it hides sensitive info by default, but if you’re still on v6, add “hide-sensitive”. You might want to hand-edit the result afterward, but beware editing out too much: if you knew what was relevant, you might have the problem solved already.

Wild guess until then: you’ve got a DHCP server on each subnet, and you haven’t used VLANs or routing boundaries to prevent these DHCP servers from responding to random broadcast queries on your flat LAN. If you don’t set up a separate broadcast domain per DHCP server, you create a race condition for which competing server responds first.

If your device is a dumb switch it should only be receiving one subnet??
A diagram would be helpful AND of course the config
/export hide-sensitive file=anynameyouwish

DHCP server on each subnet >>>>> this is what I did.

Not much knowledgeable on VLAN’s. I’m just a regular mikrotik user and I do apologize for this.

How am I going to do this “Separate broadcast domain”? could you please share some ideas on how to?

we have pointed the way for you to help us help you.

a. network diagram
b. /export hide-sensitive file=anynameyouwish

RouterOS does not reward the willfully ignorant. Here, being “regular” means being willing to learn.

I do apologize for this.

A display of willingness to learn and to help those spending their time helping you goes farther than apologies.

How am I going to do this “Separate broadcast domain”?

You didn’t read even the introduction section of that Wikipedia article, did you? If you had, you’d realize it’s a catch-all term for the main methods for achieving it: “…broadcast domains are only divided by layer 3 network devices such as routers or layer 3 switches. Separating VLANs divides broadcast domains as well.”

Referring to “separate broadcast domains” is a shorter way of saying what I wrote just before that: “…you haven’t used VLANs or routing boundaries to prevent these DHCP servers from responding to random broadcast queries on your flat LAN.”

There is no GUI checkbox you can click or wizard you can run to achieve this. We need your configuration and a network diagram to know how to advise you.

Or, better, start reading the RouterOS documentation on routing and VLAN fundamentals. Even if those articles (and those linked from them) fail to guide you to a working solution, the knowledge you gain will at least allow you to ask better questions.

For a good non-vendor specific background about vlans, (and networkiing fundamentais), I recommend Ed Harmoush’s Practical Networking site https://www.practicalnetworking.net since he has understandable but accurate descriptions.

While that does look useful, a search there for “broadcast domain” turns up one article on OSPF and another on a recommendation for someone else’s CCNA course. A search for DHCP doesn’t turn up much of relevance to this thread.

The closest article I found there is this one, which doesn’t explain the OP’s problem directly. It’s a good foundation for understanding the answer, but it won’t guide him to the solution.

@tangent, you are correct. I should have pruned the last line. I was talking specifically about vlans, and I think Ed’s explanation is very good. And for someone that doesn’t work in the networking profession, his Network Fundamentals youtube course is great. Oddly, he does not cover DHCP in that, and I don’t understand why, since it is a fundamental.

For broadcast domain, an google search will find many. This Kevin Barker MicroNuggets: Broadcast Domains Explained is pretty clear.

Here’s a old one DHCP: How Your PC Gets Its IP Address by PieterExplainsTech that is quite good and does not assume a lot of previous background. There are a few things that are stated as general fact that are not a requirement (Is a DHCP offer packet a broadcast or unicast?)

Good overview of DHCP What is DHCP and why is it important? - EfficientIP and video DHCP Demystified - short introduction (I recommend watching at 2x)

More detail in David Bombal’s video DHCP Explained - Step by Step Server Configuration with wireshark captures.

And for the definitive coverage, there is RFC2131 Dynamic Host Configuration Protocol, but it is not light reading.

Hello,

It has been a while. Kindly see below the requested my rb2011 config and simple network diagram. On the diagram. like I mentioned before, some of my wireless device is getting the other IP subnet which resulting to unable to browse the internet.

# may/25/2022 09:43:21 by RouterOS 6.44.5
# software id = TE08-U9EN
#
# model = 2011UAS-2HnD
# serial number = 402602AA55AB
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN"
set [ find default-name=ether2 ] name="ether2 - Mykel" speed=100Mbps
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full name="ether3 - Ate Nora" speed=\
    100Mbps
set [ find default-name=ether4 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full name="ether4 - Edison"
set [ find default-name=ether5 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full name="ether5 - Management Port"
set [ find default-name=ether6 ] advertise=100M-half,100M-full name=\
    "ether6 -  CCTV"
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface ethernet switch port
set 6 vlan-mode=fallback
set 7 vlan-mode=fallback
set 8 vlan-mode=fallback
set 9 vlan-mode=fallback
set 10 vlan-mode=fallback
set 12 vlan-mode=fallback
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name="wifi madrona" \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=canas_wifi supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n basic-rates-a/g=54Mbps \
    basic-rates-b="" country="united states" disabled=no frequency=2427 \
    frequency-mode=superchannel installation=indoor mode=ap-bridge name=\
    "Wifi Madrona" security-profile="wifi madrona" ssid=Madrona_Wifi \
    supported-rates-a/g=54Mbps supported-rates-b="" wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    D6:CA:6D:7C:A7:25 master-interface="Wifi Madrona" multicast-buffering=\
    disabled name=canas_wifi security-profile=canas_wifi ssid=canas_wifi \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name="DHCP - Mykel" ranges=192.168.10.10-192.168.10.254
add name="DHCP - Lilibeth" ranges=192.168.30.10-192.168.30.100
add name="DHCP - Ate Nora" ranges=192.168.1.10-192.168.1.100
add name="DHCP - Edison" ranges=192.168.20.10-192.168.20.100
add name="DHCP - Wifi Madrona" ranges=192.168.40.10-192.168.40.100
add name=canas_wifi ranges=192.168.50.2-192.168.50.10
add name="DHCP - CCTV" ranges=192.168.60.10-192.168.60.100
/ip dhcp-server
add address-pool="DHCP - Wifi Madrona" disabled=no interface="Wifi Madrona" \
    lease-time=1d name="Madrona Wifi"
add address-pool="DHCP - Edison" disabled=no interface="ether4 - Edison" \
    lease-time=4w2d10m name=Edison
add address-pool="DHCP - Ate Nora" disabled=no interface="ether3 - Ate Nora" \
    lease-time=4w2d10m name="Ate Nora"
add address-pool="DHCP - Lilibeth" disabled=no interface=\
    "ether5 - Management Port" lease-time=4w2d10m name=Lilibeth
add address-pool="DHCP - Mykel" disabled=no interface="ether2 - Mykel" \
    lease-time=8h name=Mykel
add address-pool=canas_wifi disabled=no interface=canas_wifi lease-time=1d \
    name=canas_wifi
add address-pool="DHCP - CCTV" disabled=no interface="ether6 -  CCTV" \
    lease-time=4w2d10m name="port 6"
/queue simple
add burst-limit=0/25M burst-time=0s/30s max-limit=2M/20M name=Edison target=\
    "ether4 - Edison"
add max-limit=512k/512k name=canas_wifi target=canas_wifi
add max-limit=1M/10M name=marlon_connection packet-marks=marlon_packet \
    target=192.168.10.8/32
add max-limit=1M/1M name=pelaez_wifi packet-marks=pelaez_packet target=\
    192.168.10.3/32
add max-limit=13M/100M name=Mykel queue=\
    pcq-upload-default/pcq-download-default target="ether2 - Mykel"
add burst-limit=0/7M burst-time=0s/30s max-limit=1M/5M name="Ate Nora" queue=\
    pcq-upload-default/pcq-download-default target="ether3 - Ate Nora"
add limit-at=1M/10M max-limit=2M/18M name="Wifi Madrona" queue=\
    pcq-upload-default/pcq-download-default target="Wifi Madrona"
/interface detect-internet
set detect-interface-list=all
/ip address
add address=192.168.1.1/24 interface="ether3 - Ate Nora" network=192.168.1.0
add address=192.168.10.1/24 interface="ether2 - Mykel" network=192.168.10.0
add address=192.168.20.1/24 interface="ether4 - Edison" network=192.168.20.0
add address=192.168.30.1/24 interface="ether5 - Management Port" network=\
    192.168.30.0
add address=192.168.40.1/24 interface="Wifi Madrona" network=192.168.40.0
add address=192.168.50.1/24 interface=canas_wifi network=192.168.50.0
add address=192.168.60.1/24 interface="ether6 -  CCTV" network=192.168.60.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="ether1 - WAN" \
    use-peer-dns=no
/ip dhcp-server lease
add address=192.168.60.100 client-id=1:8:a1:89:10:77:ab mac-address=\
    08:A1:89:10:77:AB server="port 6"
add address=192.168.10.3 mac-address=20:76:93:53:02:31 server=Mykel
add address=192.168.10.8 client-id=1:d8:32:14:af:f0:8 mac-address=\
    D8:32:14:AF:F0:08 server=Mykel
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8 gateway=\
    192.168.1.1
add address=192.168.10.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8 gateway=\
    192.168.10.1
add address=192.168.20.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8 gateway=\
    192.168.20.1
add address=192.168.30.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8 gateway=\
    192.168.30.1
add address=192.168.40.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8 gateway=\
    192.168.40.1
add address=192.168.50.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.4.8 gateway=\
    192.168.50.1
add address=192.168.60.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.4.8 gateway=\
    192.168.60.1
/ip dns
set servers=1.1.1.1,1.0.0.1,8.8.8.8
/ip firewall filter
add action=reject chain=input comment="Block MAC address" disabled=yes \
    reject-with=icmp-network-unreachable src-mac-address=14:C1:4E:16:00:A3
add action=reject chain=forward disabled=yes reject-with=\
    icmp-network-unreachable src-mac-address=14:C1:4E:16:00:A3
add action=drop chain=input comment="drop winbox dude brute forcers" \
    dst-port=8291 protocol=tcp src-address-list=dude_blacklist
add action=add-src-to-address-list address-list=dude_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=dude_stage3
add action=add-src-to-address-list address-list=dude_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=dude_stage2
add action=add-src-to-address-list address-list=dude_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=dude_stage1
add action=add-src-to-address-list address-list=dude_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward comment="Marlon Connection" \
    new-connection-mark=connection_marlon passthrough=yes src-mac-address=\
    D8:32:14:AF:F0:08
add action=mark-packet chain=forward connection-mark=connection_marlon \
    new-packet-mark=marlon_packet passthrough=no
add action=mark-connection chain=forward comment="Pelaez Connection" \
    new-connection-mark=connection_pelaez passthrough=yes src-mac-address=\
    20:76:93:53:02:31
add action=mark-packet chain=forward connection-mark=connection_pelaez \
    new-packet-mark=pelaez_packet passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - WAN"
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.10.0/24,192.168.40.0/24 disabled=yes
set api disabled=yes
set winbox address=192.168.10.0/24,192.168.40.0/24
set api-ssl disabled=yes
/lcd
set enabled=no touch-screen=disabled
/system clock
set time-zone-name=Asia/Manila
/system ntp client
set enabled=yes primary-ntp=210.173.160.87 secondary-ntp=118.189.138.5
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Well the picture says it all, how do you think you will get 192.168.1.x network on your laptop if ONLY the 192.168.10.0 network is being sent to the WIFI device??
What is the make and model of the AP/Switch that is feeding the mobile devices and laptop?

Given what was posted “Newifi D2”, I would assume this: https://fccid.io/2AO49-NEWIFID2/User-Manual/user-manual-3842539

Based on same chip as hEX but has wifi. Supposedly can be flashed with OpenWRT.

Did I ask you? He notes it on his diagram as a dumb switch, or did you do that?

No you did not ask me…

I will let you handle this without more kibitzing.

The OpenWRT project wiki corroborates that.

That then lets the OP set up VLANs with OpenWRT, which is the only way I can see for the OP to get the desired behavior with the network diagram shown. According to the sparse Newifi D2 manual, there is no factory-provided VLAN functionality.

If you’re willing to reflash your Newifi D2’s firmware, mykelm03, it will allow you to configure OpenWRT to assign a different VLAN tag to packets coming from that laptop in the lower right corner of the network diagram, which then lets you configure the RB2011 on the left to direct the DHCP client requests to a different DHCP server than serves the rest of the network.

The OpenWRT parts of this are quite beyond the scope for this forum. Once you have your packets VLAN-tagged as desired, if you have trouble configuring your RB2011 model to respond to them properly per the basic VLAN switching guide, you can come back with a new configuration and ask for more detailed help then.

Note that in that last link, I’ve directed you to the section of the docs covering devices like the RB2011. Don’t use the guides meant for other classes of device; they either won’t work, or they’ll devolve to software bridging, slowing things down.

Take special note of the warning at the bottom of that section about the RB2011 having a pair of switch chips inside. (See the product block diagram for details.) This affects VLAN configurations and other things. Splitting your VLANs across those internal switch chips can be helpful, or it can cause problems, depending on your goals.

I have some comments on what you’ve got so far, which you might want to consider while you’re redesigning this network.

/interface ethernet
set [ find default-name=ether2 ] name=“ether2 - Mykel” speed=100Mbps

If you want a fixed 100 Mbit/sec port, I’d put that in the second switch group, which is already limited to that speed. I wouldn’t burn one of your scant few gigabit ports like that.

Ditto for your WAN link if its speed is 100 Mbit/sec or less.

/interface wireless
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=
D6:CA:6D:7C:A7:25 master-interface=“Wifi Madrona” multicast-buffering=
disabled name=canas_wifi security-profile=canas_wifi ssid=canas_wifi
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

It’s too bad “Laptop0” in your diagram can’t connect directly to the RB2011 instead, since then you could assign a VLAN to a separate SSID.

Another option is to replace the Newifi device with a second RouterOS device so you get this level of configurability. Then the matter would be on-topic here.