OldGuy
just joined
Topic Author
Posts: 10
Joined: Wed Dec 07, 2022 10:38 pm

Cannot ping DHCP clients

Thu May 25, 2023 8:26 pm

Hello,

I have set up multiple DHCP servers to ensure that anything plugged into that specific port obtains a known IP address. I now need to be able to communicate to those addresses. I am able to ping their gateway but cannot ping to the DHCP issued addresses. I am running the default config on ports 1-6 then 7-10 each have their own DHCP server and IP range of 1. Config file below:
Would appreciate any help in letting me know what I am missing/doing wrong. Thanks!
# may/24/2023 11:46:09 by RouterOS 6.48.6
# software id = 52YK-F3F9
#
# model = RB3011UiAS
# serial number = XXX
/interface bridge
add admin-mac=48:A9:8A:08:00:66 auto-mac=no comment=defconf name=bridge
add name=bridge7
add name=bridge8
add name=bridge9
add name=bridge10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.19
add name=pool9 ranges=192.168.9.10
add name=pool10 ranges=192.168.10.10
add name=pool8 ranges=192.168.8.10
add name=pool7 ranges=192.168.7.10
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add add-arp=yes address-pool=pool9 disabled=no interface=bridge9 lease-time=\
    1m name="DHCP server9"
add add-arp=yes address-pool=pool10 disabled=no interface=bridge10 \
    lease-time=1m name=server10
add add-arp=yes address-pool=pool8 disabled=no interface=bridge8 lease-time=\
    1m name=server8
add add-arp=yes address-pool=pool7 disabled=no interface=bridge7 lease-time=\
    1m name=server7
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge7 comment=defconf interface=ether7
add bridge=bridge8 comment=defconf interface=ether8
add bridge=bridge9 comment=defconf interface=ether9
add bridge=bridge10 comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.9.1/24 interface=bridge9 network=192.168.9.0
add address=192.168.10.1/24 interface=bridge10 network=192.168.10.0
add address=192.168.8.1/24 interface=bridge8 network=192.168.8.0
add address=192.168.7.1/24 interface=bridge7 network=192.168.7.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.7.0/24 dns-server=192.168.7.1 gateway=192.168.7.1 \
    netmask=24
add address=192.168.8.0/24 dns-server=192.168.8.1 domain=test gateway=\
    192.168.8.1 netmask=24
add address=192.168.9.0/24 dns-server=192.168.9.1 domain=test gateway=\
    192.168.9.1 netmask=24 wins-server=192.168.9.1
add address=192.168.10.0/24 dns-server=192.168.10.1 domain=Test2 gateway=\
    192.168.10.1 netmask=24 wins-server=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.9.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.10.1 name="10 Lan"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Cannot ping DHCP clients

Thu May 25, 2023 8:35 pm

What kind of client devices are they? Many devices which include any kind of firewall, by default block anything coming from outside of their IP subnet.
 
OldGuy
just joined
Topic Author
Posts: 10
Joined: Wed Dec 07, 2022 10:38 pm

Re: Cannot ping DHCP clients

Thu May 25, 2023 8:45 pm

> What kind of client devices are they? Many devices which include any kind of firewall, by default block anything coming from outside of their IP subnet.

Right now I'm just using my PC and laptop. Yesterday I was connected to the intended devices which are basically just networked power inverter controllers that provide data through a network card. They are wide open, and should not have any firewall embedded. Is the gateway of the other subnets not "outside of the subnet"? I ask only because those pings are successful.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Cannot ping DHCP clients  [SOLVED]

Thu May 25, 2023 9:06 pm

When a packet arrives at MikroTik, it checks the dst address. If it matches any of the router's own addresses, that packet is then processed by firewall chain=input regardless of the ingress interface. So chain=forward is not involved. And unless firewall rules are specific about in-interface/dst-address combination, all such packets are treated the same.
If the dst address doesn't match the router's own address, then it's processed by chain=forward and is eventually routed via the best matching egress interface.

Which means that if you can ping the gateway address of a "non-local" subnet, it doesn't mean anything about reachability of devices in that subnet beyond the router.

There are two things that likely break connectivity across different subnets. One is the already mentioned firewall on client devices. Another one is the possibility that devices ignore the gateway setting (received from the DHCP server) and thus cannot reply via the gateway.

In both cases a src-nat (performed by router on those egress interfaces) would help. Something like this:

/interface list
add name=wiredIoT
/interface list member
add list=wiredIoT interface=bridge7
add list=wiredIoT interface=bridge8
add list=wiredIoT interface=bridge9
add list=wiredIoT interface=bridge10
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wiredIoT
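
The chain selection and the effect of the masquerade rule described in the reply above, modelled as an added example (not part of the original post and not RouterOS code). Router addresses and the wiredIoT list come from the thread; the sample host 192.168.88.15 and the client rule "reply only to sources inside my own subnet" are assumptions.

```python
import ipaddress as ip

# Router addresses per interface, from the /ip address section of the posted config.
ROUTER_ADDRS = {
    "bridge":   ip.ip_interface("192.168.88.1/24"),
    "bridge7":  ip.ip_interface("192.168.7.1/24"),
    "bridge8":  ip.ip_interface("192.168.8.1/24"),
    "bridge9":  ip.ip_interface("192.168.9.1/24"),
    "bridge10": ip.ip_interface("192.168.10.1/24"),
}
# Interface list from the suggested fix; masquerade applies when leaving via these.
WIRED_IOT = frozenset({"bridge7", "bridge8", "bridge9", "bridge10"})

def chain_for(dst):
    """'input' if dst is one of the router's own addresses, otherwise 'forward'."""
    own = {i.ip for i in ROUTER_ADDRS.values()}
    return "input" if ip.ip_address(dst) in own else "forward"

def egress_interface(dst):
    """Connected-route lookup: interface whose network contains dst, else None."""
    d = ip.ip_address(dst)
    hits = [(i.network.prefixlen, n) for n, i in ROUTER_ADDRS.items() if d in i.network]
    return max(hits)[1] if hits else None

def source_seen_by_client(src, dst, masquerade_on=frozenset()):
    """Source address the client sees; masquerade swaps in the router's egress address."""
    out = egress_interface(dst)
    if chain_for(dst) == "forward" and out in masquerade_on:
        return str(ROUTER_ADDRS[out].ip)
    return src

def client_replies(src, dst, masquerade_on=frozenset()):
    """Assumed client behaviour: it answers only on-link sources, either because a
    host firewall drops other subnets or because it ignores its gateway setting."""
    out = egress_interface(dst)
    if out is None:
        return False
    seen = ip.ip_address(source_seen_by_client(src, dst, masquerade_on))
    return seen in ROUTER_ADDRS[out].network

if __name__ == "__main__":
    pc = "192.168.88.15"  # constructed sample host on the default bridge
    for dst in ("192.168.9.1", "192.168.9.10"):
        print(dst, chain_for(dst), egress_interface(dst),
              "no-NAT reply:", client_replies(pc, dst),
              "masquerade reply:", client_replies(pc, dst, WIRED_IOT))
```

With the masquerade rule in place the client only ever sees the router's address on its own subnet, so any logging on the client no longer shows which host originated the traffic.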
 
OldGuy
just joined
Topic Author
Posts: 10
Joined: Wed Dec 07, 2022 10:38 pm

Re: Cannot ping DHCP clients

Thu May 25, 2023 10:45 pm

Thanks, that did it!
