nitrohydride
newbie
Topic Author
Posts: 29
Joined: Mon Oct 08, 2018 10:37 pm

ARP vs DHCP| Packs vs RBversion|PPPoE

Thu Jan 03, 2019 8:55 pm

Hello everyone,

So as not to spam, I decided to create one post with a few questions which really bother me. I'd be really

1. What is the difference between these two options?
[Screenshot: arpvsdhcp.jpg]

How do I set up the DHCP server to always give a specific MAC address the same IP address (and never lease it to another MAC)?

2. When I update my packages (system>packages), the version of RouterBOARD (system>routerboard) doesn't change. I have to use the Upgrade button.
Why does it not update automatically? Should I update it every time I update packages?

3. What is a better approach to prevent people from accessing the router?

I know two ways, but have no idea which solution is better.

A) setting allowed IP addresses (in system>users) for a user and disabling services such as www (ip>services)
B) setting a firewall rule for dropping packets (in a nutshell: from selected ports, for example blocking 80 for the browser etc., source list !support, destination address - Router)

4. I connected to the internet using the PPPoE client in the PPP submenu. Now I have 3 active interfaces: PPPoE client, ether1 (where I physically connected the Ethernet cable) and ether2 (LAN).
Which port should I treat as WAN? ether1 or the PPPoE interface? I need this knowledge to set up essential firewall rules (drop all from WAN etc.)

Best Regards,
SB
 
bramwittendorp
Member Candidate
Posts: 101
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: ARP vs DHCP| Packs vs RBversion|PPPoE  [SOLVED]

Thu Jan 03, 2019 10:16 pm

Hi,

I am making an attempt to answer you as well as I can:
  1. This one is pretty easy. The ARP table is used for the lookup of MAC addresses (OSI Layer 2) based on IP addresses (OSI Layer 3). This is needed for the transport of the IP packets towards a client. For more info on ARP you can look in the wiki (https://wiki.mikrotik.com/wiki/Manual:IP/ARP). If you use the option Make Static under IP > ARP you'll make the ARP entry static; this may result in trouble, because a host can have a different IP address than in the ARP table.

    For your purpose: go to IP > DHCP Server > Leases and select the client you want to give a fixed DHCP address based on MAC address, and select Make Static there. This will reserve the IP address for that client and MAC address only. After selecting Make Static you may close the window and re-open the selected client to change the IP address that will be assigned.
  2. The version of System > RouterBOARD is the firmware of the RouterBOARD itself. It's only necessary to update this when the changelog of the packages says so. Since RouterOS 6.42 there is an option to automatically update the RouterBOARD firmware after applying new packages. This requires a second reboot though.
  3. There is a pretty good post on the MikroTik Wiki about securing your router: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router. I tend to follow these guidelines in order to secure the RouterBOARDs I manage.
  4. Treat the PPPoE interface as the WAN interface.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: ARP vs DHCP| Packs vs RBversion|PPPoE

Thu Jan 03, 2019 10:25 pm

1. The left half of screenshot shows normal operation of an ethernet switch (RB bridge is very similar). In order to effectively forward ethernet packets, switch has to learn MAC addresses of connected devices on physical/VLAN port. It does so automatically by noting sender's MAC address and using this information for passing return packets.
The right part is DHCP server in operation. DHCP server identifies client by their MAC address, but that's about the common part between left and right part. After DHCP server dynamically assigns IP address to a client, you can make that assignment static by clicking "Make Static" button.

2. There are two parts of RouterOS: the OS itself (packages in /system packages) and bootloader (kind of BIOS, in /system routerboard) which loads ROS on device boot. Due to the way bootloader is installed it can't be done the same time as ROS upgrade (device has to run upgraded version of ROS to be able to load upgraded version of bootloader). What can be done is to set auto-upgrade=yes in /system routerboard settings ... so bootloader will be updated on first boot after ROS upgrade ... but additional reboot still has to be performed manually.

3. Combination of both. You can never be paranoid enough ... and don't believe those who claim differently :wink:

4. Your WAN is PPPoE ... ether1 is just transporter without L3 (=IP) configuration.
 
nitrohydride
newbie
Topic Author
Posts: 29
Joined: Mon Oct 08, 2018 10:37 pm

Re: ARP vs DHCP| Packs vs RBversion|PPPoE

Thu Jan 03, 2019 11:38 pm

Thank you for the answers, guys, it really helped me a lot.

Regarding question no. 1:
Let's consider a situation where I have a DHCP pool containing only 10 addresses (for example from 10.10.10.50 to 10.10.10.59) and I set all of them static for some computers. After this, the DHCP server should not have any free addresses in the pool and any new client should not be able to connect via DHCP. Am I right?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: ARP vs DHCP| Packs vs RBversion|PPPoE

Fri Jan 04, 2019 8:57 am

Most probably yes. I'm not sure if you want to have it like this though. Not handing out IP address is not a good method to control access to your LAN.

If you follow tutorial by @bramwittendorp above where he's mentioning second step of making DHCP lease static (changing IP address), then you can have static IP leases with IP addresses outside of "normal" DHCP address pool ... so you can have whole pool reserved for dynamic clients. If you do that, then you can actually play with FW filter rules to make difference in allowed connectivity between dynamic clients and "regulars". Not that this kind of setup enforces anything, knowledgeable user could set static IP address on a device to bypass the FW filters.
 
nitrohydride
newbie
Topic Author
Posts: 29
Joined: Mon Oct 08, 2018 10:37 pm

Re: ARP vs DHCP| Packs vs RBversion|PPPoE

Fri Jan 04, 2019 12:26 pm

Thank you, mkx, for the good explanation.

Just wanted to find out whether my understanding is proper. Changing the IP and redirecting the client to a static pool is a much better solution.
There is one more thing I am not sure about though. If I make a client static and set its IP to something other than in DHCP (outside the DHCP pool), will another user who sets this IP statically be able to reach it? Can I set any protection for cases like that and disallow MikroTik from giving addresses on a client's demand? (I know how to prohibit it in Windows GPO, but it's not the best solution.)
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: ARP vs DHCP| Packs vs RBversion|PPPoE

Fri Jan 04, 2019 2:53 pm

The pool, set up for DHCP server, is defining addresses that DHCP server can assign to random clients. If you make some assignment static, then DHCP server will not care which IP address is bound to that particular client, it'll just serve the lease to client when client asks. The only thing you need to care about when typing in different IP address is that address actually belongs to the subnet you're running.

However, there is (per RFC) mechanism, which if followed, prevents DHCP server from assigning (and DHCP client from using) occupied IP address ... DHCP server is supposed to check availability of IP address prior to offering lease to client (by pinging the offered IP address) and DHCP client is supposed to do the same before applying the lease.
There's nothing you can do if some user manually sets IP address to their device, you can only try to find trespassers and prosecute them. Joke aside, if DHCP server will find out that statically assigned IP address is in use, it obviously won't offer it to the client. I don't know what happens next, perhaps it'll offer one from pool. In case of dynamic IP address, DHCP server will certainly try with another one from the pool if there are any unused addresses left ...

If you feel scripting, then you could make a script which checks active hosts in LAN, compares that to list of active leases (from RB's DHCP server) and creates firewall rules which denies any connectivity to those LAN hosts. Another script, run as part of DHCP lease chat (between server and client) could remove filter rule which is now void.
I don't think this kind of address enforcement is worth the trouble though. In small network (i.e. SOHO) I'd go with the search&prosecute way mentioned above :wink:
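
The comparison of active LAN hosts against DHCP leases described in the last reply can also be done off the router. The following is an added example, not code from any poster in this thread: it assumes the ARP and lease tables have been exported as key=value lines (the shape of RouterOS `print terse` output), and the sample tables and the function names `parse_terse` and `find_unleased_hosts` are constructed for illustration.

```python
import re

# Constructed sample data, shaped like the key=value lines of RouterOS
# "print terse" output (assumption; adjust the parser to your own export).
ARP_TABLE = """\
 0 D address=10.10.10.50 mac-address=AA:BB:CC:00:00:01 interface=bridge
 1 D address=10.10.10.51 mac-address=AA:BB:CC:00:00:99 interface=bridge
 2 D address=10.10.10.77 mac-address=AA:BB:CC:00:00:03 interface=bridge
 3 D address=10.10.10.120 mac-address=AA:BB:CC:00:00:04 interface=bridge
"""
LEASES = """\
 0   address=10.10.10.50 mac-address=AA:BB:CC:00:00:01 status=bound
 1   address=10.10.10.51 mac-address=AA:BB:CC:00:00:02 status=bound
 2 D address=10.10.10.120 mac-address=AA:BB:CC:00:00:04 status=bound
 3   address=10.10.10.52 mac-address=AA:BB:CC:00:00:05 status=waiting
"""

KV = re.compile(r"([\w-]+)=(\S+)")


def parse_terse(text):
    """Return one dict per line that carries both an address and a MAC."""
    rows = []
    for line in text.splitlines():
        fields = dict(KV.findall(line))  # index and flag columns are ignored
        if "address" in fields and "mac-address" in fields:
            fields["mac-address"] = fields["mac-address"].upper()
            rows.append(fields)
    return rows


def find_unleased_hosts(arp_text, lease_text):
    """Compare hosts seen on the LAN (ARP) against bound DHCP leases."""
    bound = {r["address"]: r["mac-address"]
             for r in parse_terse(lease_text) if r.get("status") == "bound"}
    findings = []
    for host in parse_terse(arp_text):
        ip, mac = host["address"], host["mac-address"]
        if ip not in bound:
            findings.append((ip, mac, "no-lease"))      # address set by hand
        elif bound[ip] != mac:
            findings.append((ip, mac, "mac-mismatch"))  # leased to another MAC
    return findings


if __name__ == "__main__":
    for ip, mac, reason in find_unleased_hosts(ARP_TABLE, LEASES):
        print(f"{ip} {mac} {reason}")
```

Hosts that are meant to have manually configured addresses (servers, the router's upstream neighbours) will show up as `no-lease` and need an allow list. The ARP table only contains hosts that have recently talked to the router, so a quiet device can be missed.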
