SSI
just joined
Topic Author
Posts: 17
Joined: Mon Jan 27, 2014 1:35 pm
Location: Queenstown, NZ
Contact:

DHCP Relay VLANs on RB751U-2HnD

Tue Mar 08, 2016 3:05 pm

Hi,

we have a small network with an RB751U-2HnD as router.
eth4 has VLAN sub-interfaces configured on it and links to port 1 of the first switch, sw-core.
The servers are on VID 1000 (IP: 192.168.180.0/26). The workstations are on VID 1100 (IP: 192.168.181.0/24). And there's a management network VID 1001 (IP: 192.168.180.64/26).
The router is configured as DHCP relay on all VLANs but the server VLAN (VID 1000).
A Windows Server 2012 R2 is acting as DHCP server and so far hands out addresses to hosts connected to VID 1000.
DHCP requests from the other VLANs make it to the router but don't seem to get forwarded to the server.
The big question is: where did I go wrong? Is it because of the switch chip? Or is there something else that I've been missing?

The network L1/L2 diagram is attached.

relay config:
/ip dhcp-relay
add dhcp-server=192.168.180.3 disabled=no interface=vlManagement local-address=\
    192.168.180.126 name=relayManagement
add delay-threshold=3s dhcp-server=192.168.180.3 disabled=no interface=vlPCs \
    local-address=192.168.181.254 name=relayPCs
ip config:
/ip address
add address=192.168.180.62/26 interface=brServers network=192.168.180.0
add address=192.168.181.254/24 interface=vlPCs network=192.168.181.0
add address=192.168.180.126/26 interface=vlManagement network=192.168.180.64
VLAN interfaces:
/interface vlan
add interface=eth4 l2mtu=1594 name=vlManagement vlan-id=1001
add interface=eth4 l2mtu=1594 name=vlPCs vlan-id=1100
add interface=eth4 l2mtu=1594 name=vlServers vlan-id=1000
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: DHCP Relay VLANs on RB751U-2HnD

Tue Mar 08, 2016 4:37 pm

Everything in your configuration looks pretty correct.
If you assign a static IP configuration to a host on that VLAN, does everything work properly?

If so, my only question is why the 3s delay threshold setting on the vlPCs network?

According to the manual:
If secs field in DHCP packet is smaller than delay-threshold, then this packet is ignored

Is it possible this is why the router is not forwarding these requests?
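
The delay-threshold rule quoted above, as an added example that is not part of the original post and not MikroTik's code: a minimal model of an RFC 1542 relay that drops a request whose secs field is below the threshold and otherwise stamps giaddr with the relay's local-address and unicasts it to the DHCP server. The function names and the sample MAC are constructed; the addresses are the ones from the relayPCs entry.

```python
import socket
import struct

# BOOTP fixed header up to chaddr (RFC 2131): op, htype, hlen, hops, xid,
# secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s")


def build_discover(mac, secs, xid=0x1234ABCD):
    """Constructed sample: a client broadcast as it arrives on the VLAN interface."""
    zero = bytes(4)
    hdr = BOOTP.pack(1, 1, 6, 0, xid, secs, 0x8000, zero, zero, zero, zero, mac)
    # sname (64) + file (128), magic cookie, option 53 = DHCPDISCOVER, end option
    return hdr + bytes(192) + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"


def relay(packet, local_address, dhcp_server, delay_threshold=0):
    """Return ((server, port), packet) as a relay would send it, or None if ignored."""
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi, ch = BOOTP.unpack_from(packet)
    if op != 1:                 # only BOOTREQUEST travels toward the server
        return None
    if secs < delay_threshold:  # "secs smaller than delay-threshold: packet is ignored"
        return None
    if gi == bytes(4):          # first relay on the path fills in its own address
        gi = socket.inet_aton(local_address)
    hdr = BOOTP.pack(op, htype, hlen, hops + 1, xid, secs, flags, ci, yi, si, gi, ch)
    return (dhcp_server, 67), hdr + packet[BOOTP.size:]


def giaddr(packet):
    """Relay address the server uses to pick the scope for the reply."""
    return socket.inet_ntoa(BOOTP.unpack_from(packet)[10])


if __name__ == "__main__":
    mac = bytes.fromhex("020000000001")  # constructed MAC
    for secs in (0, 5):
        out = relay(build_discover(mac, secs), "192.168.181.254",
                    "192.168.180.3", delay_threshold=3)
        print(secs, "ignored" if out is None else (out[0], giaddr(out[1])))
```

A relayed request therefore reaches the server as unicast UDP to port 67 with giaddr 192.168.181.254, which is what a capture on 192.168.180.3 should be filtered for.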
 
SSI

Re: DHCP Relay VLANs on RB751U-2HnD

Wed Mar 09, 2016 8:40 pm

With static IPs assigned to hosts in vlPCs communication from and to the other VLANs works like a treat.

I'll try to unset the threshold later and report back.
I wondered if the problem is related to the switch-chip and its CPU port.

Cheers
Stefan
 
SSI

Re: DHCP Relay VLANs on RB751U-2HnD

Thu Mar 10, 2016 12:07 pm

I unset the delay-threshold but the problem persists.
I added a DHCP-client to the vlPCs interface. That client remains searching and doesn't get anything offered let alone assigned.

Any other ideas?
 
ZeroByte

Re: DHCP Relay VLANs on RB751U-2HnD

Thu Mar 10, 2016 4:14 pm

Time to enhance the logging level for dhcp to debug and see if anything there pops out at you - that and/or a sniffer capture on the vlPCs interface to verify that the dhcp requests are indeed being received by the interface.
 
SSI

Re: DHCP Relay VLANs on RB751U-2HnD

Fri Mar 11, 2016 1:32 am

The requests count goes up for that relay.

My firewall rule #0 is
add chain=input log=yes log-prefix="DHCP: " port=67-68 protocol=udp
and it puts this in the log:
79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:17:04 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:17:08 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:17:13 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:17:22 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:17:38 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:18:11 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:18:15 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:18:24 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:18:41 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:23:30 firewall,info DHCP:  input: in:brDMZ out:(none), src-mac 00:0d:b9:3e:8a:ac, proto UDP, 192.168.182.157:68->192.168.180.254:67, len 328
mar/11 12:24:15 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:24:18 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:24:22 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:24:29 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:24:46 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:25:19 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:25:23 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:25:31 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
mar/11 12:25:48 firewall,info DHCP:  input: in:vlPCs out:(none), src-mac 00:15:5d:79:15:06, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 32
Is that conclusive in any way?
 
SSI

Re: DHCP Relay VLANs on RB751U-2HnD

Tue Mar 15, 2016 1:37 am

Anyone? Where did I go wrong?
 
scampbell
Trainer
Posts: 487
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:

Re: DHCP Relay VLANs on RB751U-2HnD

Thu Mar 17, 2016 9:59 pm

Hi SSI,

I would suggest following this example http://wiki.mikrotik.com/wiki/Manual:IP ... mple_setup

Also check that your HP switches support L2MTU 1594.

From what I can see your example is pretty much like the above except that you are using an MS server as primary DHCP.



Here is my interpretation of one leg of your relay:

DHCP Server (192.168.180.3)---------VLAN1000 ------(192.168.180.62/26) DHCP Relay RB751 (192.168.181.254/24)-----(VLAN1100)-------hosts


Your Mikrotik setup looks fine so I'm going with an MS problem.....
/ip dhcp-relay
add dhcp-server=192.168.180.3 disabled=no interface=vlPCs \
local-address=192.168.181.254 name=relayPCs

Your Mikrotik setup looks fine so I'm going with an MS problem..... for testing I would setup a Mikrotik as 192.168.180.3 with the necessary servers on it and get that working then try with MS Server :-)

Regards,

Stuart
 
SSI

Re: DHCP Relay VLANs on RB751U-2HnD

Fri Mar 18, 2016 12:36 pm

Hi Stuart,

Thanks for your valuable input.
Your interpretation of the addresses and VLANs is correct.
When I add a DHCP client to the vlPCs interface (VLAN 1100) it stays "searching" and Wireshark running on 192.168.180.3 doesn't track any UDP/67 and UDP/68 traffic.
However, adding a DHCP client on brServers interface, I capture the foursome "DHCP discover" - "DHCP Offer" - "DHCP Request" - "DHCP Ack". The traffic in both cases goes out the RB via a trunk interface to a switch's trunk interface out the switch's access (VLAN 1000) port (LACP) to the server's LACP interface.

I'd like to progress with the DHCP on the RB itself once the DHCP client binds successfully to the MS. Before that, I'd like to see DHCP Discover packets leaving the RB and arriving at the server @ 192.168.180.3.

The HP switch 1820 series (J9983A) doesn't seem to give me any explanation or option about the L2MTU. I need to give HP a call. But given the fact that DHCP on the Server VLAN 1000 passes, I suspect it's not a switch issue.

I set up a DHCP server on the vlPCs interface handing out 192.168.181/24 addresses, and it works as expected.

Our top most firewall filter rules are:
/ip firewall filter
add chain=input log=yes log-prefix="DHCP: " port=67-68 protocol=udp
add chain=input comment="accept established connection packets" \
    connection-state=established
add chain=input comment="accept related connection packets" connection-state=\
    related
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid
Cheers,
Stefan
 
SSI

Re: DHCP Relay VLANs on RB751U-2HnD

Fri Mar 18, 2016 3:12 pm

I just found out that the local DHCP client on the vlPCs interface does not increase the request count on the DHCP Relay.
Does the request counter increment by receiving a "DHCP discover" packet or by a "DHCP Request" packet?

Cheers,
Stefan
 
SSI

Re: DHCP Relay VLANs on RB751U-2HnD

Thu Mar 31, 2016 1:58 pm

I have changed the config slightly: instead of having just a "vlPCs" virtual interface, I set up a bridge linking a physical interface (eth2) and the VLAN "vlPCs". I configured the IP address and the DHCP relay from vlPCs to be bound to the bridge "brWorkstations". I further disabled all reject, drop, tarpit, etc. rules on the firewall. Then I plugged a laptop into eth2. The DHCP requests were received by the DHCP relay, but no DHCP request packet left the RB751 for 192.168.180.3 (as configured in the relay).

I am about to swap the RB751 for a Huawei to prove that the fault is in fact with the RB.
This would be the first time that an RB didn't deliver (I deployed over 35 RBs in the past).

Does anyone still have a suggestion as in what to do to prevent the replacement?

Mikrotik Forum admins/tech, anything you can contribute to solve this case?

Cheers,
Stefan
 
emikrotik
Frequent Visitor
Posts: 71
Joined: Fri Jun 19, 2015 9:30 am

Re: DHCP Relay VLANs on RB751U-2HnD

Wed Aug 10, 2016 9:56 am

Hi,

Was there any solution to this issue?

I am having the same issue with using CRS226 as DHCP relay and having CRS125 as access switches.