lw97
just joined
Topic Author
Posts: 8
Joined: Fri Jan 24, 2020 2:53 pm

Per-port DHCP with port isolation on a hardware accelerated bridge

Thu Oct 14, 2021 4:27 pm

Hello!

I tried posting this in "Beginner basics", but after some thought, this might be a bit more advanced topic.

I'm trying to set up 3 CRS326-24Gs (with a RB2011 as a router).

At first, I wanted each port on the switches to get its own DHCP server, but with a single-address IP pool -- for easy client configuration with a quasi-static addressing. I tried using individual bridge VLANs. Then I thought about connecting ports that should get untagged packets, but should be accessible for all other clients (like a dumb, not tagging-capable networked printer, for example).

Right now my configuration is as follows:
  • Individual VLANs with each client bridge port as untagged, bridge as tagged
  • DHCP server with one-address pool on each said VLAN
  • A switch rule for each port to retag 67-68/UDP (DHCP) with said VLAN ID
  • A separate "main" VLAN
  • Port PVIDs are the same -- with the "main" VLAN ID
  • Switch "Port isolation" rules to isolate ports -- since they still share the same "main" VLAN

This thing I've created seems quite clunky and inelegant, and I thought to ask for advice, if there are better practices to achieving this.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

Thu Oct 14, 2021 4:57 pm

If you want the ports to be isolated from each other then using one VLAN per port with corresponding DHCP server & pool on the router would be the cleanest approach.

If you didn't need the port isolation then a flat network with DHCP option 82 to indicate which physical port the request originates from would work, anything else is likely a hacky bodge. Whilst the Mikrotik DHCP snooping adds option 82 data the DHCP server can't make use of it, you would have to resort to an external RADIUS server to handle this.
 
lw97
just joined
Topic Author
Posts: 8
Joined: Fri Jan 24, 2020 2:53 pm

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

Thu Oct 14, 2021 5:25 pm

> If you want the ports to be isolated from each other then using one VLAN per port with corresponding DHCP server & pool on the router would be the cleanest approach.
That was the idea at first -- but there are some ports that need not be isolated and be untagged -- e.g. "dumb" (not tagging-capable) network printers.
If I add that port to every VLAN as an untagged port, it will receive packets from a "normal" (isolated, VLAN-per-port) port, but will be unable to send anything back -- because the PVID (possibly the default PVID = 1) on the "special" port would not match the "normal" port VLAN.
It's very possible that I'm missing something here, but that's the reason why I made that "ugly hack" I described.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

Thu Oct 14, 2021 5:57 pm

The config doesn't matter; what are the requirements?
This should be stated in terms of defining users/devices, groups of users/devices and then defining what they should be able to do, and what they should not be able to do, WITHOUT any discussion of the config etc....
Network diagram helps sort that out visually!!
 
lw97
just joined
Topic Author
Posts: 8
Joined: Fri Jan 24, 2020 2:53 pm

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

Thu Oct 14, 2021 6:30 pm

> Network diagram helps sort that out visually!!
Alright, I'll post a diagram tomorrow!
If in writing: basically, I need:
  • Hardware acceleration = 1 bridge interface
  • Most connected devices get (by DHCP) fixed addresses (one switch port has the same address to be DHCP'd to the connected device)
  • These ports are isolated from each other
  • Some ports are reserved for devices that need to be accessible to every other "ordinary" port
  • Access to these devices should be possible from other connected switches
  • These devices are presumed to be "VLAN-dumb" (no support for tags)
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

Thu Oct 14, 2021 7:14 pm

> Network diagram helps sort that out visually!!
> Alright, I'll post a diagram tomorrow!
> If in writing: basically, I need:
>   • Hardware acceleration = 1 bridge interface
>   • Most connected devices get (by DHCP) fixed addresses (one switch port has the same address to be DHCP'd to the connected device)
>   • These ports are isolated from each other
>   • Some ports are reserved for devices that need to be accessible to every other "ordinary" port
>   • Access to these devices should be possible from other connected switches
>   • These devices are presumed to be "VLAN-dumb" (no support for tags)
That is not what I asked at all!!!

Requirements need to be expressed without any mention of the config, or ports etc........... that is all solution space.
Ports do not have requirements, people and devices such as printers etc do........
Try again.
 
lw97
just joined
Topic Author
Posts: 8
Joined: Fri Jan 24, 2020 2:53 pm

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

Wed Oct 20, 2021 2:17 pm

> That is not what I asked at all!!!
Alright, no need to raise your voice.
It seems to me that I've described "the needs" as a part of what I wrote earlier:
  • "User" devices can't see each other
  • "Printer" devices are accessible by every "user"
  • "User" devices are configured automatically -- no configuration on the device side
  • Every "wall socket" for a "user" device has a fixed address
Is this list alright for you?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

Wed Oct 20, 2021 2:49 pm

What you want can be achieved using standard switching capabilities (probably easier on an enterprise-grade switch than on a MikroTik, but it is possible).
Where you run into difficulty is with the desire to have a fixed address assigned to a specific port, rather than to a MAC address as is the usual method.
Other switches have the possibility to sniff DHCP requests and add a specific option to it, like a line ID, which is then seen by the DHCP server.
This is often used in carrier networks to identify a specific customer, whatever router they connect, and assign them a fixed IP or at least track their IP to their line.
But I think MikroTik still cannot do that.
 
lw97
just joined
Topic Author
Posts: 8
Joined: Fri Jan 24, 2020 2:53 pm

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

Wed Oct 20, 2021 3:29 pm

> What you want can be achieved using standard switching capabilities (probably easier on an enterprise-grade switch than on a MikroTik, but it is possible).
> Where you run into difficulty is with the desire to have a fixed address assigned to a specific port, rather than to a MAC address as is the usual method.
> Other switches have the possibility to sniff DHCP requests and add a specific option to it, like a line ID, which is then seen by the DHCP server.
> This is often used in carrier networks to identify a specific customer, whatever router they connect, and assign them a fixed IP or at least track their IP to their line.
> But I think MikroTik still cannot do that.
Yeah, also, I think option 82 was mentioned here: RouterOS can pass 82 along, but RouterOS' DHCP servers can't use it.
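The following RouterOS configuration is an added example written for this thread; it is not lw97's actual config, nor MikroTik's documentation. It implements the "one VLAN per port, one DHCP server and one-address pool per VLAN on the router" design tdw recommends, and goes one step further than the thread by putting the VLAN-dumb printer in its own VLAN and letting the RB2011 route between the VLANs, so isolated "user" ports still reach the printer. Interface names (bridge1, ether2/ether3 for users, ether10 for the printer, sfp-sfpplus1 as the trunk, ether1 on the router), VLAN IDs 102/103/200 and the 10.0.<vid>.0/24 subnets are all assumptions; replace them with your own layout.

```routeros
# Added example (not from the thread): one VLAN per user port, DHCP on the router.
# Assumed: bridge1; user ports ether2/ether3; printer port ether10; trunk sfp-sfpplus1
# to the router's ether1; VLANs 102/103 (users), 200 (printers); subnets 10.0.<vid>.0/24.

# ---------- CRS326 (switch) ----------
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# trunk to the router, carries every VLAN tagged
add bridge=bridge1 interface=sfp-sfpplus1
# one user per port; the PVID puts the port's untagged traffic into "its" VLAN
add bridge=bridge1 interface=ether2 pvid=102
add bridge=bridge1 interface=ether3 pvid=103
# VLAN-dumb printer: untagged member of the printer VLAN only
add bridge=bridge1 interface=ether10 pvid=200

/interface bridge vlan
# each user VLAN exists on exactly one access port plus the trunk, so users never share L2
add bridge=bridge1 vlan-ids=102 tagged=sfp-sfpplus1 untagged=ether2
add bridge=bridge1 vlan-ids=103 tagged=sfp-sfpplus1 untagged=ether3
add bridge=bridge1 vlan-ids=200 tagged=sfp-sfpplus1 untagged=ether10

# only the router side may answer DHCP; user and printer ports stay untrusted
/interface bridge set bridge1 dhcp-snooping=yes
/interface bridge port set [find interface=sfp-sfpplus1] trusted=yes

# enable filtering last, after all VLAN entries exist
/interface bridge set bridge1 vlan-filtering=yes

# ---------- RB2011 (router) ----------
/interface vlan
add name=vlan102 vlan-id=102 interface=ether1
add name=vlan103 vlan-id=103 interface=ether1
add name=vlan200 vlan-id=200 interface=ether1

/ip address
add address=10.0.102.1/24 interface=vlan102
add address=10.0.103.1/24 interface=vlan103
add address=10.0.200.1/24 interface=vlan200

/ip pool
# one-address pools: whatever is plugged into ether2 always receives 10.0.102.10
add name=pool102 ranges=10.0.102.10-10.0.102.10
add name=pool103 ranges=10.0.103.10-10.0.103.10
add name=pool200 ranges=10.0.200.10-10.0.200.50

/ip dhcp-server
# short lease: with a single address, a swapped device must wait for the old lease to expire
add name=dhcp102 interface=vlan102 address-pool=pool102 lease-time=10m disabled=no
add name=dhcp103 interface=vlan103 address-pool=pool103 lease-time=10m disabled=no
add name=dhcp200 interface=vlan200 address-pool=pool200 disabled=no

/ip dhcp-server network
add address=10.0.102.0/24 gateway=10.0.102.1
add address=10.0.103.0/24 gateway=10.0.103.1
add address=10.0.200.0/24 gateway=10.0.200.1

# ---------- Router firewall: the switch isolates at L2, the router must isolate at L3 ----------
/interface list
add name=users
add name=printers
/interface list member
add list=users interface=vlan102
add list=users interface=vlan103
add list=printers interface=vlan200

/ip firewall filter
add chain=forward connection-state=established,related action=accept
# users may open connections to printers
add chain=forward in-interface-list=users out-interface-list=printers action=accept
# printers may only answer, never initiate towards users
add chain=forward in-interface-list=printers out-interface-list=users action=drop
# user VLANs never reach each other through the router
add chain=forward in-interface-list=users out-interface-list=users action=drop
```

Two points worth checking on a real deployment: on the CRS3xx series the bridge stays hardware-offloaded with vlan-filtering enabled, so keep all VLAN handling in `/interface bridge vlan` rather than in switch rules; and because the per-port VLANs are routed by the RB2011, port isolation is only complete once the forward-chain drop between user VLANs is in place, so verify it with a ping from one user port to another before trusting the layout.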
