
DHCP server for each port

Posted: Wed May 08, 2019 4:54 pm
by kiwina
I'm lost, need some help.
I got a CRS125 24 port
so
port 1 = ISP 192.168.1.2/24 (default config)
port 2 = main 192.168.88.1 on bridge / dhcp 192.168.88.0/24 (default config)
my goal is to have
port 3 = dhcp 192.168.3.0/24
port 4 = dhcp 192.168.4.0/24
and so on up to port 24

So far I tried each port with its own bridge / own DHCP and it works fine but
i need full communication between 192.168.88.0/24 and subnets 192.168.x.0/24
i need full communication between 192.168.24.0/24 and subnets 192.168.x.0/24

Any help is greatly appreciated

Re: DHCP server for each port

Posted: Wed May 08, 2019 5:15 pm
by pe1chl
That cannot be done. You cannot have a separate DHCP server on different ports of a bridged network.
That configuration provides only full routing, not bridging, between those subnets, but of course that isn't "full communication" as you seem to need.

Re: DHCP server for each port

Posted: Wed May 08, 2019 5:25 pm
by k6ccc
Let's see if I have this right. Every single port will be a separate LAN with its own DHCP server. So the router is being used exclusively as a router and not as a switch. If this is the case, why are you creating bridges? This is the way I use my routers. I have managed switches connected to the router ports to provide the switch functionality.

As for getting one LAN to communicate with all the others, but none of the others able to communicate with each other, that is easy. Add a firewall rule that allows the desired communication, and then block everything else. Here are a couple of extracts from one of my routers. The first allows established and related and then specifically allows my .101 LAN to access my cable internet.
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Allow outbound traffic from .101 to Cable internet" in-interface=\
    E2-p4_101 out-interface=E1-p2_Cable_Internet
This one is at the end of the forward chain and drops anything else.
add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"

Re: DHCP server for each port

Posted: Wed May 08, 2019 11:13 pm
by kiwina
Humm. Ok, let's see if someone can suggest if and how it can get done. Bridges I only used because the slaves cannot have a DHCP server assigned. Each port will have switches connected to it. I like to have, just as above, each physical port assign a range of IPs from a specific subnet, which basically lets me know where the devices are connected in case of errors. If the whole network can communicate with each other doesn't really matter, as long as it does. There must be some sort of way of doing this?! I thought if each port DHCP server has its IP address pool to use but the network is a lower mask? So each DHCP pool is /24 and the network is /16. Then I just reconfigure the ISP coming from another router to 10.10.x.x

Re: DHCP server for each port

Posted: Wed May 08, 2019 11:51 pm
by mkx
The problem with the idea about different pool sizes and subnet masks is the following: IP subnet mask generally has to overlap 100% with L2 (ethernet) broadcast domain ... which allows members of such IP network to communicate with each other (and that includes gateway to other subnets) directly without help of an L3 device (IP gateway). Generally it is not possible to have one IP subnet spanning more than one L2 broadcast domain.
At the same time DHCP protocol is bound to broadcast domain as well. Generally there can be only one DHCP server per L2 domain.

Your solution demands several L2 domains (to utilize many DHCP servers) and at the same time demands a single L2 domain (to accommodate a single IP subnet).


What I wrote above is not the whole truth, things can be stretched ... but that means deploying some (possibly CPU-bound) mechanisms.

But then: network can communicate via router ... not all of services though, some rely on broadcast traffic. So you may want to consider running your network segmented. Mind that you'd need a decent router as centre device (CRS is a decent switch and shitty router).

Re: DHCP server for each port

Posted: Thu May 09, 2019 12:01 am
by k6ccc
I see mkx beat me to the L2 vs L3 parts, so I'm not going to repeat that.

You do not need to use bridges to create a DHCP server. However, as noted above, IF an interface is a member of a bridge, then the DHCP server must be assigned to the bridge - not the member interfaces. At least that's the way I understand it (remember, I don't use any bridges). Since you have only one port on each LAN, there is no need for bridges. This is how both my routers are configured. Yes, that means that all inter-LAN traffic goes through the CPU. So be it. That way I have complete control of what can communicate with what.

Here is another extract from my config.
/interface ethernet
set [ find default-name=ether1 ] comment="Spectrum cable internet" name=\
    E1-p2_Cable_Internet speed=100Mbps
set [ find default-name=ether2 ] comment="Main cable home LAN" name=E2-p4_101 \
    speed=100Mbps
set [ find default-name=ether3 ] comment="Cable Private WiFi" name=E3-p6_103 \
    speed=100Mbps
set [ find default-name=ether4 ] comment="802.1Q trunk" name=E4-p8_802.1Q \
    speed=100Mbps
set [ find default-name=ether5 ] comment="Router to Router tie" name=\
    "E5 to Router 2" speed=100Mbps
/interface vlan
add comment="AREDN WAN" interface=E4-p8_802.1Q name=VLAN_001 vlan-id=1
add comment="AREDN LAN" interface=E4-p8_802.1Q name=VLAN_005 vlan-id=5
add comment="Cable Public WiFi" interface=E4-p8_802.1Q name=VLAN_102 vlan-id=\
    102
add comment="Redacted" interface=E4-p8_802.1Q name=VLAN_104 vlan-id=\
    104
add comment="Scanner feed" interface=E4-p8_802.1Q name=VLAN_105 vlan-id=105
add comment="Wyze cameras" interface=E4-p8_802.1Q name=VLAN_106 vlan-id=106
add comment="DSL / Cable protected LAN" interface=E4-p8_802.1Q name=VLAN_151 \
    vlan-id=151

/ip pool
add name=".001 DHCP pool" ranges=192.168.1.100-192.168.1.109
add name=".101 DHCP pool" ranges=192.168.101.100-192.168.101.119
add name=".102 DHCP pool" ranges=192.168.102.100-192.168.102.119
add name=".103 DHCP pool" ranges=192.168.103.100-192.168.103.119
add name=".104 DHCP pool" ranges=192.168.104.100-192.168.104.109
add name=".105 DHCP pool" ranges=192.168.105.100-192.168.105.109
add name=".106 DHCP pool" ranges=192.168.106.100-192.168.106.109
add name=".151 DHCP pool" ranges=192.168.151.100-192.168.151.119

/ip dhcp-server
add address-pool=".001 DHCP pool" disabled=no interface=VLAN_001 lease-time=\
    3h name=".001 DHCP server"
add address-pool=".101 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E2-p4_101 lease-time=3h name=".101 DHCP server"
add address-pool=".102 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_102 lease-time=3h name=".102 DHCP server"
add address-pool=".103 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E3-p6_103 lease-time=3h name=".103 DHCP server"
add address-pool=".104 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_104 lease-time=3h name=".104 DHCP server"
add address-pool=".105 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_105 lease-time=3h name=".105 DHCP server"
add address-pool=".106 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_106 lease-time=3h name=".106 DHCP server"
add address-pool=".151 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_151 lease-time=3h name=".151 DHCP server"

Re: DHCP server for each port

Posted: Thu May 09, 2019 4:28 am
by anav
Much easier to assign vlans to a bridge, dhcp to vlans and retain all the flexibility where the vlans go (subnets and to which ports) and which vlans can talk to each other (need firewall rules to allow it).

Re: DHCP server for each port

Posted: Thu May 09, 2019 6:44 am
by kiwina
Much easier to assign vlans to a bridge, dhcp to vlans and retain all the flexibility where the vlans go (subnets and to which ports) and which vlans can talk to each other (need firewall rules to allow it).
Thinking more about it, I thought VLANs may be the way to do it. Anyone got some example on it, especially the firewall rules to do it? I did try just briefly to set up VLANs but got lost in the million configuration options these routers provide.

Re: DHCP server for each port

Posted: Thu May 09, 2019 9:26 am
by mkx
VLANs won't make any difference in the dilemma how to segment network (to have many IP ranges depending on device's location) while not segmenting it (to have transparent networking between all connected devices).

V in VLAN stands for Virtual ... and that refers to the physical infrastructure (i.e. instead of having two wires, two switches and having device plugged into appropriate switch ... there's only one wire and one switch with access ports configured on demand ... meaning when device needs to be relocated from one LAN to another one, it is not necessary to unplug its ethernet cable from one switch and plug it to another one, enough is to reconfigure VLAN membership of used access port).
But when it comes to (V)LAN logical topology, things don't change ... apart from using different interface names (e.g. use "vlan100" instead of "ether13") things are exactly the same.

Seems like VLANs are answer to all @anav's questions ... I wonder if that's the answer for him when he's deciding between Irish and Scottish whisky as well (pun intended :-P )

Re: DHCP server for each port

Posted: Thu May 09, 2019 9:30 am
by kiwina
What about putting a router in front of the switch that handles the internet connectivity and the communication between the LANs?

Re: DHCP server for each port

Posted: Thu May 09, 2019 10:34 am
by rbnewfan
Why not just separate the ports 3-24 from the main bridge, let them be alone without bridges and just assign a DHCP server to each one of these ports (along with addresses and corresponding networks of course)? Simple and to the point. Then the necessary firewall rules as appropriate.
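The per-port layout rbnewfan describes, with the forward-chain policy from k6ccc's extracts, written out as an added example (not posted by anyone in this thread). It assumes the CRS125 default config from the first post: WAN on ether1, the main 192.168.88.0/24 LAN on a bridge named "bridge", port N to serve 192.168.N.0/24, and the list name PORT_LANS is our own choice.

```routeros
# Added example: one DHCP server per physical port (ether3..ether24), with
# 192.168.N.0/24 on ether N, main LAN stays on "bridge", WAN on ether1.
# PORT_LANS is an interface list so the firewall can name all port LANs at once.
/interface list add name=PORT_LANS

:for i from=3 to=24 do={
    :local port ("ether" . $i)
    :local net ("192.168." . $i)
    # A bridge slave cannot carry its own DHCP server, so remove the port
    # from the default bridge before giving it an address.
    /interface bridge port remove [find interface=$port]
    /interface list member add list=PORT_LANS interface=$port
    /ip address add address=($net . ".1/24") interface=$port
    /ip pool add name=("pool" . $i) ranges=($net . ".100-" . $net . ".199")
    # dns-server points at the router itself; assumes /ip dns allow-remote-requests=yes
    /ip dhcp-server network add address=($net . ".0/24") gateway=($net . ".1") dns-server=($net . ".1")
    /ip dhcp-server add name=("dhcp" . $i) interface=$port address-pool=("pool" . $i) lease-time=3h disabled=no
}

# Forward-chain policy: the main LAN may reach every port LAN (replies return
# via established/related), port LANs may reach the internet, port LANs may
# not reach each other, and anything else is dropped at the end of the chain.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="Accept established and related packets"
add chain=forward in-interface=bridge out-interface-list=PORT_LANS action=accept \
    comment="Main LAN -> per-port LANs"
add chain=forward in-interface-list=PORT_LANS out-interface=ether1 action=accept \
    comment="Per-port LANs -> internet"
add chain=forward in-interface-list=PORT_LANS out-interface-list=PORT_LANS action=drop \
    comment="No lateral traffic between port LANs"
add chain=forward action=drop comment="Drop any forward packets that get this far"
```

Because every port is its own L2 domain, broadcast-based discovery (as mkx notes) will not cross ports; only routed unicast traffic permitted by these rules does.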

Re: DHCP server for each port

Posted: Thu May 09, 2019 8:39 pm
by anav
I have never understood a Scotsman and thus have concluded their whiskey is too strong, and I am not keen on being intelligible.
As for Irish, I prefer to count on skill not luck and besides they drink because they have nothing to eat, and thus I avoid their heavy caloric brew.
The only true whisky is Canadian Rye Whisky thank you very much!!

As for VLANs, yes, it's magical and I can fix almost every IT issue with them!!

@op, read this excellent document on VLANs.......... it will put you well on your way. After you have a config going, come back and post it and we will help you iron out any difficulties.
viewtopic.php?f=13&t=143620