westley
just joined
Topic Author
Posts: 12
Joined: Fri Aug 19, 2016 6:18 pm

DHCP issue

Thu Nov 08, 2018 6:24 pm

Hi,

I have an office building with a shared internet connection. Since one of the tenants also processes credit cards, for them to be PCI compliant, we put them behind a second router board.

So, in the building I have ISP->Routerboard1 (192.168.2.0)->Switch->Routerboard2 (192.168.88.0)

The issue I am having, and it started a while back, I'm just now getting tired of fighting it on my own, is that both Routerboards are answering DHCP requests regardless of which Routerboard the client is connected to.

Example: a client is hard wired to R1 and still gets an IP address from R2, or a client is hard wired to R2 and gets an IP address from R1.

It also doesn't matter if they are connected using WiFi.

I double checked to be sure DHCP relaying is turned off but I'm still at a loss.

I can confirm that R1 is a 951G-2HnD with Firmware Type ar9344, Factory FW 3.12, Current FW 3.33, and OS Version 6.43.2.

R2 should be the same, but I'm not on site and can't verify.

Any help appreciated.

Thanks,
Westley
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: DHCP issue

Fri Nov 09, 2018 12:05 am

This sounds like either a very wrong configuration or just incorrect wiring. Whatever the reason is, I am pretty sure that both LAN interfaces are somehow on the same L2 segment (this is practically certain, as your devices are getting an IP randomly from one or the other DHCP server, even if they are connected directly to RB1).

I would guess that you connected RB2 LAN side to the same switch as RB1 LAN side.

To make this clear, could you explain your network map a bit better (add interface names, so it is clear which port is connected to which device, how clients are connected, etc.)? Also, could you post the config of your RB2? Use /export hide-sensitive and find/replace every personal detail you don't want to share.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: DHCP issue

Fri Nov 09, 2018 6:08 am

The default config of a 951G-2HnD is:
Port 1 = WAN
Port 2-5 & WIFI = LAN

So to accomplish what you're doing, you should plug cables in like this:

R1 Port 1 -> Internet
R1 Port 2 -> Client 1 LAN
R1 Port 3 -> R2 Port 1 (You probably have this going to a different port?)
R2 Port 2 -> Client 2 LAN

Then DHCP packets won't cross over. However, Client 2 LAN can still access Client 1 LAN and you won't be PCI compliant. You could add firewall rules on R2 that deny outbound packets with a destination IP in R1's subnet (except for the IP of R1).

Alternatively, you can accomplish your goal with 1 router.

1. Edit interface ether4, set master port to none
2. Edit interface ether5, set master port to ether3
-- At this point ports 2, 3 and wifi are on client 1 LAN and ports 4 & 5 are on client 2 LAN
-- Assuming you want additional WiFis, you can add them on the router.
3. Rename wifi name to wifi-LAN1
4. Add virtual WiFi, set SSID and passphrase and name it wifi-LAN2
5. Rename bridge-local to bridge-LAN1
6. Add another bridge, name=bridge-LAN2 and add port 4 and wifi-LAN2
-- Now you have two LANs on the same router, but they can talk to each other. Add a firewall
7. Add forwarding rules. Default deny rule and then permit bridge-LAN1 to go through to the internet, same with bridge-LAN2, but not each other
-- DHCP Servers: you already have a DHCP server on bridge-LAN1.
8. Add a 2nd DHCP Server and apply it to bridge-LAN2 with desired settings.

PCI compliance has a lot of rules; I usually put a payment terminal on its own subnet so half the compliance stuff doesn't apply.
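Van9018's single-router layout written out as a RouterOS script (an added example, not a config from this thread or from MikroTik). Since RouterOS 6.41 ports are bridge members rather than master/slave ports, as the 6.43.2 exports westley posts later show, so the second LAN is simply a second bridge. It assumes bridge-local has already been renamed to bridge-LAN1 as the post describes, reuses the thread's 192.168.88.0/24 for LAN2, and the names dhcp-LAN2 and LAN2-profile plus the SSID and passphrase are placeholders.

```routeros
# Added example: Van9018's two-LAN layout on one 951G-2HnD, RouterOS 6.41+ style.
# Assumes bridge-local was already renamed to bridge-LAN1; dhcp-LAN2,
# LAN2-profile and the placeholder SSID/passphrase are made up here.

# Second bridge; move ether4 and ether5 off bridge-LAN1 onto it.
/interface bridge
add name=bridge-LAN2
/interface bridge port
set [ find interface=ether4-slave-local ] bridge=bridge-LAN2
set [ find interface=ether5-slave-local ] bridge=bridge-LAN2

# Virtual AP on the same radio, with its own WPA2 profile, bridged into LAN2.
/interface wireless security-profiles
add name=LAN2-profile authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=CHANGE-ME-PLACEHOLDER
/interface wireless
add master-interface=wlan1 mode=ap-bridge name=wifi-LAN2 \
    ssid=LAN2-SSID-PLACEHOLDER security-profile=LAN2-profile disabled=no
/interface bridge port
add bridge=bridge-LAN2 interface=wifi-LAN2

# Gateway address, pool and a second DHCP server bound only to bridge-LAN2,
# so each LAN hears exactly one server.
/ip address
add address=192.168.88.1/24 interface=bridge-LAN2 network=192.168.88.0
/ip pool
add name=dhcp-LAN2 ranges=192.168.88.100-192.168.88.199
/ip dhcp-server
add name=dhcp-LAN2 interface=bridge-LAN2 address-pool=dhcp-LAN2 \
    authoritative=yes lease-time=1d disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=8.8.8.8,8.8.4.4

# Forward chain, top to bottom: keep established flows, drop anything that
# crosses between the two bridges, allow each LAN out to the WAN, default deny.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=bridge-LAN1 out-interface=bridge-LAN2 \
    comment="PCI: no LAN1 -> LAN2"
add chain=forward action=drop in-interface=bridge-LAN2 out-interface=bridge-LAN1 \
    comment="PCI: no LAN2 -> LAN1"
add chain=forward action=accept in-interface=bridge-LAN1 out-interface=ether1-gateway
add chain=forward action=accept in-interface=bridge-LAN2 out-interface=ether1-gateway
add chain=forward action=drop comment="default deny"
```

The filter rules are appended after the default-configuration forward rules, which only accept established/related traffic, so the inter-LAN drops still sit above any accept of new flows; the existing srcnat masquerade on ether1-gateway already covers both subnets.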
 
westley
just joined
Topic Author
Posts: 12
Joined: Fri Aug 19, 2016 6:18 pm

Re: DHCP issue

Fri Nov 09, 2018 6:51 am

I am going to have to go into the office to actually grab the config for R2. I tried to remote into it a couple of different ways and it just didn't work.

I do have R1 Port 3 plugged into R2 Port 1. That was one of the first things I checked, but I will go double check all of that again.

The tenant using R2 has a printer, a couple of desktops, and a bunch of laptops that connect through WiFi. Couple that with the fact that they occupy the entire first floor while the telco closet and everyone else is on the second floor, and it just made more sense to put a separate unit downstairs for them.

Hopefully I can get there tomorrow morning before they leave for the day. They shut down at noon on Fridays.
 
westley
just joined
Topic Author
Posts: 12
Joined: Fri Aug 19, 2016 6:18 pm

Re: DHCP issue

Tue Nov 13, 2018 11:12 pm

Finally had a chance to come into the office.

Here are the configs for both routers.
Router A
# nov/13/2018 14:47:51 by RouterOS 6.43.2
# software id = A1CR-6TEN
#
# model = 951G-2HnD
# serial number = 4F45045C6476
/interface bridge
add admin-mac=4C:5E:0C:5F:0B:A7 auto-mac=no fast-forward=no mtu=1500 name=\
bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country="united states" disabled=no distance=indoors mode=ap-bridge ssid=\
"5043 6164" wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.199
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge-local lease-time=3d name=default
/queue simple
add name=VoIP packet-marks=VoIP priority=2/2 target=""
add max-limit=30M/30M name="Internal Network" packet-marks=no-mark priority=\
3/3 target=bridge-local
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether5-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether1-gateway list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=bridge-local list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether4-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=wlan1 list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
/ip address
add address=192.168.2.254/24 comment="default configuration" interface=\
ether2-master-local network=192.168.2.0
add address=a.b.c.d/29 interface=ether1-gateway network=a.b.c.d
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
/ip dhcp-server network
add address=192.168.2.0/24 comment="default configuration" dns-server=\
192.168.2.254,8.8.8.8,8.8.4.4 gateway=192.168.2.254 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.2.254 name=router
/ip firewall address-list
add address=122.0.0.0/8 list=blocklist
add address=62.0.0.0/8 list=blocklist
add address=85.114.128.78 list=blocklist
add address=163.172.121.92 list=blocklist
add address=37.49.231.132 list=blocklist
add address=51.75.12.173 list=blocklist
add address=64.2.142.26 list=whitelist
add address=64.2.142.187 list=whitelist
add address=64.2.142.190 list=whitelist
add address=64.2.142.9 list=whitelist
add address=64.2.142.87 list=whitelist
add address=64.2.142.17 list=whitelist
add address=64.2.142.189 list=whitelist
add address=64.2.142.109 list=whitelist
add address=64.2.142.188 list=whitelist
add address=64.2.142.215 list=whitelist
add address=64.2.142.107 list=whitelist
add address=64.2.142.216 list=whitelist
add address=64.2.142.111 list=whitelist
add address=64.2.142.106 list=whitelist
add address=36.0.0.0/8 list=blocklist
add address=191.13.112.89 list=blocklist
add address=174.57.160.29 list=blocklist
add address=138.121.130.12 list=blocklist
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=drop chain=input dst-port=53 protocol=udp
add action=drop chain=input src-address=1.0.0.0/8
add action=drop chain=input src-address=60.0.0.0/7
add action=drop chain=forward disabled=yes src-address=80.0.0.0/4
add action=drop chain=input src-address=112.0.0.0/5
add action=drop chain=input src-address=124.0.0.0/7
add action=drop chain=input src-address=186.0.0.0/7
add action=drop chain=input src-address=189.0.0.0/8
add action=drop chain=input src-address=222.0.0.0/7
add action=drop chain=input comment="Blocklist on input" src-address-list=\
blocklist
add action=drop chain=forward comment="Block on forward" src-address-list=\
blocklist
add action=drop chain=forward comment=DHCP dst-port=67-68 protocol=udp \
src-port=67-68
add action=accept chain=input comment="default configuration" \
connection-state=established
add action=accept chain=input comment="default configuration" \
connection-state=related
add action=drop chain=input comment="default configuration" disabled=yes \
in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration" \
connection-state=established
add action=accept chain=forward comment="default configuration" \
connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid disabled=yes
/ip firewall mangle
add action=mark-packet chain=prerouting dst-port=10000-20000 new-packet-mark=\
VoIP passthrough=no protocol=udp src-port=10000-20000
add action=mark-packet chain=forward disabled=yes dst-address=a.b.c.d \
new-packet-mark=VoIP passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment=PrivateVPN dst-port=1194 \
in-interface=ether1-gateway protocol=udp to-addresses=192.168.2.252 \
to-ports=1194
add action=dst-nat chain=dstnat comment=SIP-UDP dst-port=5060-5061 \
in-interface=ether1-gateway protocol=udp src-address-list=whitelist \
to-addresses=192.168.2.251 to-ports=5060-5061
add action=dst-nat chain=dstnat comment=SIP dst-port=5060-5061 in-interface=\
ether1-gateway protocol=tcp src-address-list=whitelist to-addresses=\
192.168.2.251 to-ports=5060-5061
add action=dst-nat chain=dstnat comment=RTP dst-port=10000-20000 \
in-interface=ether1-gateway protocol=udp src-address-list=whitelist \
to-addresses=192.168.2.251 to-ports=10000-20000
add action=dst-nat chain=dstnat comment=SSH-Private dst-port=4444 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.252 \
to-ports=22
add action=dst-nat chain=dstnat comment=SSH-Phone dst-port=22222 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.251 \
to-ports=22
add action=dst-nat chain=dstnat comment=PrivateVPNTCP dst-port=943 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.252 \
to-ports=943
add action=dst-nat chain=dstnat comment=PrivateVPNHTTPS dst-port=443 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.252 \
to-ports=443
add action=dst-nat chain=dstnat comment="Voicemail Portal" dst-port=8086 \
protocol=tcp to-addresses=192.168.2.251 to-ports=80
add action=dst-nat chain=dstnat comment=PrivateVPNWebServer dst-port=81 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.252 \
to-ports=80
add action=dst-nat chain=dstnat comment=PBX dst-port=82 in-interface=\
ether1-gateway protocol=tcp to-addresses=192.168.2.251 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=6060-6061 protocol=tcp \
to-addresses=192.168.2.252 to-ports=6060-6061
add action=dst-nat chain=dstnat disabled=yes dst-port=4040-4041 protocol=tcp \
to-addresses=192.168.2.252 to-ports=4040-4041
add action=dst-nat chain=dstnat disabled=yes dst-port=82 protocol=tcp \
to-addresses=192.168.2.103 to-ports=80
add action=dst-nat chain=dstnat comment="Private BDR" dst-port=4040-4041 \
protocol=tcp to-addresses=192.168.2.252 to-ports=4040-4041
add action=dst-nat chain=dstnat comment="Private Web Access" dst-port=8080 \
protocol=tcp to-addresses=192.168.2.252 to-ports=8080
add action=dst-nat chain=dstnat dst-port=83 protocol=tcp to-addresses=\
192.168.88.1 to-ports=80
/ip proxy
set cache-path=web-proxy1 parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=a.b.c.d
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.2.253
/ip service
set api disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=StayOut!
/system leds
set 0 interface=wlan1
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Router B
# nov/13/2018 14:42:01 by RouterOS 6.43.2
# software id = QHUC-EV22
#
# model = 951G-2HnD
# serial number = 4F4504CD03FF
/interface bridge
add admin-mac=4C:5E:0C:5C:C2:B9 auto-mac=no fast-forward=no mtu=1500 name=\
bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country="united states" disabled=no distance=indoors frequency=2422 mode=\
ap-bridge ssid=5CC2BD wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.199
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge-local lease-time=2w name=default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether5-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether1-gateway list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=bridge-local list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
ether2-master-local network=192.168.88.0
add address=192.168.2.253/24 interface=ether1-gateway network=192.168.2.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
/ip dhcp-server lease
add address=192.168.88.253 client-id=1:0:1b:a9:bd:1b:69 mac-address=\
00:1B:A9:BD:1B:69 server=default
add address=192.168.88.141 lease-time=14h mac-address=84:38:35:53:35:FE \
use-src-mac=yes
add address=192.168.88.138 mac-address=9C:F3:87:AE:8C:48
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=drop chain=forward dst-port=67-68 in-interface=ether1-gateway \
out-interface=ether1-gateway protocol=udp src-port=67-68
add action=accept chain=input comment="default configuration" \
connection-state=established
add action=accept chain=input comment="default configuration" \
connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
ether1-gateway
add action=accept chain=forward comment="default configuration" \
connection-state=established
add action=accept chain=forward comment="default configuration" \
connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
/ip route
add distance=1 gateway=192.168.2.254
/ip service
set api disabled=yes
/system clock
set time-zone-name=America/Chicago
/system leds
set 0 interface=wlan1
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox


Thanks,
Westley
