DHCP relay problem

Posted: Tue Jan 03, 2017 10:06 pm
by sjoram
I have a problem with DHCP relay on some of my VLANs. It is working fine on one but not the others.

The DHCP server is 10.0.0.5/16 on a HP switch with VLAN interface into RB750
There are other local VLANs on that switch using DHCP relay on the RB750 without issue.

I have an IPSec VPN to a RB750GL, which is also running DHCP relay back to the 10.0.0.5 DHCP server.
10.5.0.0/16 DHCP relay is working fine.
10.6.0.0/16 DHCP relay (and some others) is not working.

I have used Wireshark from the client machine making DHCP requests and the DHCP server and can see:

Client machine sending repeated DHCP Discover packets, no response seen.
RB750GL logs requests seen by DHCP relay agent
DHCP server shows incoming DHCP Discover packet and return DHCP Offer packet destined for the IP address of the relay agent on RB750GL - 10.6.0.254
RB750GL relay agent showing 0 responses.
As far as I can see, no firewall (filter) rules are blocking this.
I had a rule src 10.0.0.0/8 dst 10.0.0.0/8 dst port 67-68 to accept but I noticed I had set this in error to TCP instead of UDP. I corrected this but still no joy.

Any suggestions on tracking down the source of the problem?

Re: DHCP relay problem

Posted: Sat Mar 11, 2017 3:19 pm
by sjoram
I've just spent some time looking at this again as I still haven't managed to get it resolved.

From the client machine sending the DHCP requests, all Wireshark shows up is a bunch of DHCP Discover packets.

The DHCP server is showing DHCP Discover packets and DHCP offer being returned.

However the DHCP Discover packet appears to come from the wrong source IP address, although the BOOTP detail in the packet shows the correct relay agent IP address.

i.e. DHCP Discover packet source 10.5.0.254 Destination 10.0.0.5
BOOTP Relay agent IP address: 10.6.0.254

The remote RB750GL is configured with 10.6.0.254 as the local address in DHCP relay and I cannot see any of my NAT rules causing an issue where the incorrect IP address should appear.

DHCP relay is working perfectly for the 10.5.0.0/16 subnet to DHCP server 10.0.0.5

But DHCP relay for 10.6.0.0/16, 10.7.0.0/16 and 10.8.0.0/16 to DHCP server 10.0.0.5 is not working. I have not re-tested 10.7.0.0/16 and 10.8.0.0/16 but presume these have the same issue as 10.6.0.0/16 with the discover packets incorrectly sourcing from 10.5.0.254. I can only assume that since packets are being sourced from 10.5.0.254 but returned to 10.6.0.254 they are being dropped by the remote RouterOS due to the IP mismatch?

Any suggestions? I've deleted and re-created that DHCP relay entry to no avail.

Re: DHCP relay problem

Posted: Sun Mar 12, 2017 8:27 pm
by dgnevans
Can you show the configuration for the VLANs and the local IP applied on the VLAN interface, as well as the DHCP relay settings?

Re: DHCP relay problem

Posted: Sat May 27, 2017 4:43 pm
by horhay
Try setting the "Admin. MAC Address" the same as the "MAC Address" on the Bridge. Also make sure STP is OFF on the Bridge too.

Re: DHCP relay problem

Posted: Tue Jun 06, 2017 6:14 pm
by sjoram
/interface vlan
add interface=ether2-master-local name=VLAN5 vlan-id=5
add interface=ether2-master-local name=VLAN10 vlan-id=10
add interface=ether2-master-local name=VLAN20 vlan-id=20
add interface=ether2-master-local name=VLAN40 vlan-id=40
add interface=ether2-master-local name=VLAN60 vlan-id=60
add interface=ether2-master-local name=VLAN80 vlan-id=80

/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
ether2-master-local network=192.168.88.0
add address=10.5.0.254/16 interface=VLAN10 network=10.5.0.0
add address=10.6.0.254/16 interface=VLAN20 network=10.6.0.0
add address=10.7.0.254/16 interface=VLAN40 network=10.7.0.0
add address=10.8.0.254/16 interface=VLAN60 network=10.8.0.0
add address=10.9.0.254/16 interface=VLAN80 network=10.9.0.0
add address=192.168.5.1/30 interface=VLAN5 network=192.168.5.0
add address=192.168.2.100/24 interface=ether1-gateway network=192.168.2.0

/ip dhcp-relay
add dhcp-server=10.0.0.5 disabled=no interface=VLAN40 local-address=\
10.7.0.254 name=VLAN40
add dhcp-server=10.0.0.5 disabled=no interface=VLAN60 local-address=\
10.8.0.254 name=VLAN60
add dhcp-server=10.0.0.5 disabled=no interface=VLAN80 local-address=\
10.9.0.254 name=VLAN80
add dhcp-server=10.0.0.5 disabled=no interface=VLAN20 local-address=\
10.6.0.254 name=VLAN20
add dhcp-server=10.0.0.5 disabled=no interface=VLAN10 local-address=\
10.5.0.254 name=VLAN10

There is also a srcnat rule for the 10.x.0.0/16 destination 10.0.0.0/16 as otherwise I found traffic over the IPSec tunnel was appearing the other end with the source as the WAN IP for some reason!

There are no NAT rules that explain why a DHCP packet that should be appearing from 10.6.0.254 is appearing at the remote end with a source of 10.5.0.254

I'm not using a bridge.

Re: DHCP relay problem

Posted: Fri Aug 04, 2017 3:32 pm
by sjoram
*bump* Any thoughts anyone? A bug or something in my config I'm missing?

Re: DHCP relay problem

Posted: Wed Sep 06, 2017 3:26 pm
by dgnevans
In my experience there is no need to add local-address= to the DHCP relay; it works well without this. I am using a similar setup for all my VLANs. Secondly, there should be no reason for the mentioned srcnat rule. What are you trying to achieve with this?

Re: DHCP relay problem

Posted: Mon Mar 05, 2018 5:32 pm
by sjoram
Resurrecting an old thread here, folks. Apologies, it's been lower down my priority list for a while so hadn't got back to it.

I haven't tried removing the source address on the DHCP relay but I don't see that it should cause a problem?

The reason for the srcnat rule(s) is as per https://wiki.mikrotik.com/wiki/Manual:I ... ack_Bypass

What I don't quite understand is why one VLAN/subnet is working just fine yet the others are having issues...

Re: DHCP relay problem

Posted: Sat Mar 24, 2018 7:40 pm
by sjoram
OK, so I've worked through all my NAT rules and confirmed that it's the srcnat rule "fixing" the source IP for traffic passing over the IPSec tunnel that's causing the problem.

Traffic flow is:
DHCP Server (10.0.0.5/16) <--> Switch <--> Router A <--> IPSec <--> Router B <--> Switch <--> DHCP Client (supposed to be 10.6.0.0/16)

So I have a rule on "Router B"

Source: Public IP of PPPoE Client interface
Destination: 10.0.0.0/8
src-nat to 10.5.0.254

This means that any traffic arriving at the other end of the IPSec tunnel is always seen as 10.5.0.254, even when being sourced from 10.6.0.0/16.

Therefore, DHCP Relay packets that should be going via 10.6.0.254 are actually seen as 10.5.0.254, so the return traffic, correctly sent by the DHCP server with a destination of 10.6.0.254, is being dropped/ignored.

The one subnet/VLAN that is working for DHCP Relay on Router B is 10.5.0.0/16, since that is covered by the src-nat rule above.

I do NOT have a corresponding rule on Router A. It has been a long time since I set up the IPSec and Firewall/NAT rules, so my memory on why exactly the rule exists on Router B is sketchy, but previous posts make reference to another forum post and wiki article detailing the same/similar issue.

Any thoughts on a fix (can I do the src-nat rule a better way that I'm missing) or will I have to live with it not working?

Re: DHCP relay problem

Posted: Sun Mar 25, 2018 12:51 pm
by sjoram
When I disable the rule of source (PPPoE Public IP) to destination 10.0.0.0/8, I can see (having added a passthrough rule) that counters for source public IP to destination 10.0.0.0/8 are increasing when DHCP requests are made. Therefore Router B is forwarding DHCP relay packets with a source of the public IP, so they are never picked up by the IPSec policy, and the public internet clearly cannot route 10.0.0.0/8.
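The two posts above pin the fault to a source-address mismatch: the relayed Discover leaves Router B with the public IP as its source, the srcnat rule rewrites that to 10.5.0.254, but the BOOTP giaddr is still the relay's local-address, so only the relay whose local-address happens to equal the NAT address works. The script below is an added example, not code from the thread or from MikroTik: it parses a RouterOS-style export (a constructed sample shaped like the one posted, with a hypothetical srcnat rule and the documentation address 203.0.113.10 standing in for the PPPoE public IP), checks that each relay's local-address is actually configured on its interface, and then simulates the relayed packet through first-match srcnat to report, per relay, the IP source the DHCP server would see against the giaddr. It also shows that the same config is consistent for every VLAN once the packet is forwarded from the relay's own local-address instead of the public IP.

```python
import ipaddress
import re

# Constructed sample, not a real export: the /ip address and /ip dhcp-relay
# entries follow the shapes posted in the thread; the srcnat rule and the
# WAN address 203.0.113.10 are hypothetical stand-ins for the
# "public IP -> 10.5.0.254" rule the poster described.
SAMPLE_EXPORT = """\
/ip address
add address=10.5.0.254/16 interface=VLAN10 network=10.5.0.0
add address=10.6.0.254/16 interface=VLAN20 network=10.6.0.0
add address=10.7.0.254/16 interface=VLAN40 network=10.7.0.0
/ip dhcp-relay
add dhcp-server=10.0.0.5 disabled=no interface=VLAN40 local-address=\\
10.7.0.254 name=VLAN40
add dhcp-server=10.0.0.5 disabled=no interface=VLAN20 local-address=\\
10.6.0.254 name=VLAN20
add dhcp-server=10.0.0.5 disabled=no interface=VLAN10 local-address=\\
10.5.0.254 name=VLAN10
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.0.0.0/8 \\
src-address=203.0.113.10 to-addresses=10.5.0.254
"""
WAN_IP = "203.0.113.10"  # hypothetical PPPoE public address of Router B


def parse_export(text):
    """Parse a RouterOS-style export into {section: [{key: value}, ...]}.
    A line ending in a backslash continues on the next line, as in the export."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections


def check_relay_addresses(sections):
    """Return (relay name, local-address) for relays whose local-address is
    not an address configured on the relay's own interface."""
    on_iface = {}
    for a in sections.get("/ip address", []):
        on_iface.setdefault(a["interface"], set()).add(a["address"].split("/")[0])
    return [(r["name"], r["local-address"])
            for r in sections.get("/ip dhcp-relay", [])
            if "local-address" in r
            and r["local-address"] not in on_iface.get(r["interface"], set())]


def apply_srcnat(rules, src, dst):
    """First-match srcnat: return the source address the far end will see."""
    for rule in rules:
        if rule.get("chain") != "srcnat" or rule.get("action") != "src-nat":
            continue
        src_net = ipaddress.ip_network(rule.get("src-address", "0.0.0.0/0"), strict=False)
        dst_net = ipaddress.ip_network(rule.get("dst-address", "0.0.0.0/0"), strict=False)
        if ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net:
            return rule["to-addresses"]
    return src


def relay_source_check(sections, forward_src=None):
    """For each enabled relay, compare the IP source the DHCP server sees after
    srcnat with the giaddr the relay stamps (its local-address). forward_src is
    the address the router forwards the relayed Discover from; the thread's last
    post observed this to be the public PPPoE address. None means the relay
    forwards from its own local-address, which is the intended behaviour."""
    rules = sections.get("/ip firewall nat", [])
    report = {}
    for r in sections.get("/ip dhcp-relay", []):
        if r.get("disabled") == "yes":
            continue
        giaddr = r["local-address"]
        seen = apply_srcnat(rules, forward_src or giaddr, r["dhcp-server"])
        report[r["name"]] = {"ip_src": seen, "giaddr": giaddr,
                             "consistent": seen == giaddr}
    return report


def working_relays(sections, forward_src=None):
    """Names of relays whose post-NAT IP source matches their giaddr."""
    return sorted(n for n, v in relay_source_check(sections, forward_src).items()
                  if v["consistent"])


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    print("local-address problems:", check_relay_addresses(cfg))
    for name, v in relay_source_check(cfg, WAN_IP).items():
        print(f"{name}: server sees src {v['ip_src']}, giaddr {v['giaddr']}, "
              f"consistent={v['consistent']}")
    print("working with public-IP forwarding:", working_relays(cfg, WAN_IP))
    print("working when forwarded from local-address:", working_relays(cfg))
```

Run against the sample, only VLAN10 is consistent under the public-IP-plus-srcnat path, matching what the thread found, while all three relays are consistent when the packet is forwarded from the relay's own address. The NAT model is deliberately minimal (first matching src-nat rule, src/dst address only, no interface or connection-mark matching), so treat it as a reasoning aid for this specific mismatch rather than a general RouterOS NAT emulator.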