Community discussions

 
czernekp
just joined
Topic Author
Posts: 2
Joined: Sat Nov 10, 2018 1:34 am

DHCP Server on guest network is invalid - why?

Sat Nov 10, 2018 2:14 am

Hello,
Can anybody help me investigate why my second DHCP server on virtual, guest WiFi does not work?
"dhcp_guest" gets invalid. Clients connect to the wireless network but do not get an IP address.

Attaching configuration dump:

Code: Select all

[PiC@MikroTik] > export
# nov/10/2018 01:05:34 by RouterOS 6.43.4
# software id = DMMJ-9EXT
#
# model = 951G-2HnD
# serial number = 5D6105175B23

/interface bridge
add fast-forward=no name=bridge-guest
add admin-mac=E4:8D:8C:82:37:D7 auto-mac=no fast-forward=no name=bridge-local

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps

/interface l2tp-server
add name=DOM-vpn-l2tp user=PiC_vpn

/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
add

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=******** wpa2-pre-shared-key=********
add authentication-types=wpa2-psk mode=dynamic-keys name=WPA2+MAC radius-mac-authentication=yes supplicant-identity=MikroTik wpa-pre-shared-key=******** wpa2-pre-shared-key=********
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys name=WPA2-guest supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=******** wpa2-pre-shared-key=********

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC country=poland default-authentication=no disabled=no frequency=auto mode=ap-bridge security-profile=WPA2+MAC ssid=****** wireless-protocol=802.11
add default-ap-tx-limit=209712 default-client-tx-limit=52424 disabled=no mac-address=E6:8D:8C:82:37:DB master-interface=wlan1 name=wlan2 security-profile=WPA2-guest ssid=GuestNet

/ip ipsec proposal

set [ find default=yes ] enc-algorithms=aes-128-cbc

/ip pool
add name=IPpool_local ranges=192.168.0.50-192.168.0.99
add name=IPpool_vpn ranges=192.168.0.200-192.168.0.250
add name=IPpool_guest ranges=192.168.10.50-192.168.10.250

/ip dhcp-server
add address-pool=IPpool_local authoritative=after-2sec-delay disabled=no interface=bridge-local lease-time=12h name=dhcp_local
add address-pool=IPpool_guest disabled=no interface=bridge-guest name=dhcp_guest

/ppp profile
add bridge=bridge-guest change-tcp-mss=yes dns-server=192.168.10.1 local-address=IPpool_guest name=profile-guest remote-address=IPpool_guest use-encryption=yes
add bridge=bridge-local change-tcp-mss=yes dns-server=192.168.0.1 local-address=IPpool_vpn name=profile-local remote-address=IPpool_vpn use-encryption=yes
set *FFFFFFFE bridge=bridge-local dns-server=192.168.0.1 local-address=IPpool_vpn remote-address=IPpool_vpn

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0

/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2

/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
add bridge=bridge-guest interface=wlan2

/ip neighbor discovery-settings
set discover-interface-list=discover

/interface l2tp-server server
set default-profile=profile-local enabled=yes ipsec-secret=******** use-ipsec=yes

/interface list member
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=wlan2 list=discover
add list=discover
add interface=DOM-vpn-l2tp list=discover
add interface=ether2-master-local list=mactel
add interface=wlan1 list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=wlan2 list=mactel
add interface=wlan1 list=mac-winbox
add interface=wlan2 list=mac-winbox
add interface=ether1-gateway list=WAN
add interface=bridge-local list=mactel

/interface pptp-server server
set default-profile=profile-local max-mru=1460 max-mtu=1460

/interface sstp-server server
set default-profile=default-encryption

/interface wireless access-list
add ap-tx-limit=2097152 client-tx-limit=524288 comment="Wszyscy goscie moga sie tu laczyc. Ograniczenie down=2Mbs up=512Kbs" interface=wlan2
add comment="Laptop HP Izabela " mac-address=20:10:7A:01:94:F8
add comment="Moja Nokia Lumia 735 " mac-address=48:50:73:0E:83:14
add comment="telefon Izabeli - Samsung Galaxy Trend Plus" mac-address=00:73:E0:A9:B6:A7
add comment="Tablet Izabelci" mac-address=08:D8:33:64:65:27
add comment="HTPC WiFi" mac-address=C4:E9:84:8D:F4:B6
add comment="Przemus Laptop - HP EliteBook 840" mac-address=AC:7B:A1:97:A1:8F vlan-mode=no-tag
add comment="Huawei Print Server" disabled=yes mac-address=00:24:D2:1A:5F:82 vlan-mode=no-tag
add comment="Telefon Mamy (Nokia Lumia 635)" disabled=yes mac-address=48:86:E8:15:F5:98 vlan-mode=no-tag
add comment="Drukarka Brother DCP-9015CDW" mac-address=70:77:81:A5:97:FC vlan-mode=no-tag
add comment="Telefon Izabeli LG Q6" mac-address=10:F1:F2:01:0B:0E vlan-mode=no-tag
add comment="Kamera IP Foscam C2" mac-address=AC:83:F3:59:F4:95 vlan-mode=no-tag
add comment="DELL Izabeli" mac-address=38:DE:AD:7C:FB:78 vlan-mode=no-tag

/ip address
add address=192.168.0.1/24 comment="default configuration" interface=ether2-master-local network=192.168.0.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-gateway

/ip dhcp-server lease
add address=192.168.0.101 client-id=1:ac:83:f3:59:f4:95 comment="Foscam IP Camera - static IP" mac-address=AC:83:F3:59:F4:95
add address=192.168.0.100 client-id=1:C4:E9:84:8D:F4:B6 comment="HTPC - static IP" mac-address=C4:E9:84:8D:F4:B6
add address=192.168.0.102 client-id=1:70:77:81:A5:97:FC comment="Drukarka Brother DCP-9015CDW - Static IP" mac-address=70:77:81:A5:97:FC

/ip dhcp-server network
add address=192.168.0.0/24 comment="default configuration" dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.0.1 gateway=192.168.10.1

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.0.1 name=router

/ip firewall filter
add action=reject chain=input comment="PiC - disable acess to winbox from Internet" dst-port=8291 in-interface=ether1-gateway protocol=tcp reject-with=icmp-network-unreachable
add action=drop chain=forward comment="Block SSL Certificate issuer: pudelek" protocol=tcp tls-host=*.pudelek.pl
add action=drop chain=input comment="Rule to allow Web Proxy to block sites" dst-port=8080 in-interface=ether1-gateway protocol=tcp
add action=accept chain=forward comment="Access to printer from GuestNet" dst-address=192.168.0.102 src-address=192.168.10.0/24 src-address-list=""
add action=reject chain=forward comment="PiC - Disables connectivity of GuestNet to local resources" dst-address=192.168.0.0/24 reject-with=icmp-network-unreachable src-address=192.168.10.0/24 src-address-list=""
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="PiC - to allow vpn" protocol=gre
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment=UDP protocol=udp

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=redirect chain=dstnat comment="Transparent Proxy to allow blocking sites" dst-port=80 protocol=tcp to-ports=8080
add action=dst-nat chain=dstnat comment=eMule disabled=yes dst-port=39311 protocol=tcp to-addresses=192.168.0.100 to-ports=39311
add action=src-nat chain=srcnat comment="VPN access to IP Camera" dst-address=192.168.0.101 src-address=192.168.0.0/24 to-addresses=192.168.0.1

/ip proxy
set cache-administrator="Zly Dziubang" enabled=yes parent-proxy=0.0.0.0 src-address=0.0.0.0

/ip proxy access
add action=deny dst-host=*.pudelek.pl
add action=deny dst-host=*.gemius.pl
add action=deny dst-host=*.facebook.com

/ip route
add disabled=yes distance=1 gateway=192.168.100.1

/ppp l2tp-secret
add address=192.168.0.0/24 comment=to_co_zawsze_cyfrowo_+_+_to_co_zawsze_cyfrowo secret=********
add address=192.168.10.0/24 secret=********

/ppp secret
add disabled=yes name=vpn password=********
add name=PiC_vpn password=******** profile=profile-local
add name=Guest_vpn password=******** profile=profile-guest

/system clock
set time-zone-name=Europe/Warsaw

/system leds
set 0 interface=wlan1

/system ntp client
set enabled=yes primary-ntp=149.156.4.11

/system routerboard settings
set auto-upgrade=yes silent-boot=no

/system script
add dont-require-permissions=no name="Fix Broken Wireless Following an Upgrade" owner=PiC policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/interface wireless\
\nreset-configuration 0\
\nreset-configuration 1\
\nset 0 name=\"wlan1\" mtu=1500 l2mtu=1600 mac-address=E4:8D:8C:82:37:DB \\\
\n arp=enabled mode=ap-bridge ssid=\"********\" \\\
\n frequency=auto band=2ghz-b/g/n channel-width=20/40mhz-eC \\\
\n scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 \\\
\n wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no \\\
\n bridge-mode=enabled default-authentication=no default-forwarding=yes \\\
\n default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=yes \\\
\n security-profile=WPA2+MAC compression=no \
\n\
\nset 1 name=\"wlan2\" mtu=1500 l2mtu=1600 mac-address=E6:8D:8C:82:37:DB \\\
\n arp=enabled master-interface=wlan1 \\\
\n ssid=\"GuestNet\" vlan-mode=no-tag vlan-id=1 wds-mode=disabled \\\
\n wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled \\\
\n default-authentication=yes default-forwarding=yes \\\
\n default-ap-tx-limit=2097152 default-client-tx-limit=524288 hide-ssid=no \\\
\n security-profile=WPA2-guest\
\n\
\n/interface wireless\
\nenable 0\
\nenable 1\
\n"

/tool mac-server
set allowed-interface-list=mactel

/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Last edited by czernekp on Sat Nov 10, 2018 8:05 pm, edited 1 time in total.
 
tdw
just joined
Posts: 22
Joined: Sat May 05, 2018 11:55 am

Re: DHCP Server on guest network is invalid - why?  [SOLVED]

Sat Nov 10, 2018 6:19 pm

No IP address assigned to bridge-guest
/ip address
add address=192.168.10.1/24 interface=bridge-guest
That should fix DHCP leases, guest devices might be able to perform DNS lookups as you have specified dns=192.168.0.1 rather than 192.168.10.1 for /ip dhcp-server network and the bridge filter forwards apply to traffic being forwarded through the bridge rather than IP stack (wlan2 traffic will go through the bridge input/output chains, not forward, to the mikrotik itself).

You don't really need a bridge-guest if the only member will be wlan2 - you could apply the DHCP server and any firewall rules directly to wlan2, otherwise best practice would be to use a new-style VLAN aware bridge.

Also, the existing LAN IP address is on one of the bridge-local members rather than the bridge itself (address=192.168.0.1/24 interface=ether2-master-local should be address=192.168.0.1/24 interface=bridge-local), this may have been the automatic master-port to bridge update not completely working.
 
czernekp
just joined
Topic Author
Posts: 2
Joined: Sat Nov 10, 2018 1:34 am

Re: DHCP Server on guest network is invalid - why?

Sat Nov 10, 2018 8:50 pm

Thank you, thank you, thank you! Not only have you sent a prompt reply, it was also correct, valid and understandable. You brought me the faith in the communities' answers back.
1. Yes, adding "address=192.168.10.1/24 interface=bridge-guest" solved my problem. I wish I saw some relationships diagram between Router OS entities.
2. I presume I should change "dns=192.168.0.1" to "dns=192.168.10.1" - not really understood why, but I've changed it to 192.168.10.1 and still works OK (when trying to resole my problem myself, I just saw somewhere on this forum that someone had a shared dns IP over few networks - just gave it a try...).
3. I had to create bridge-guest because DHCP server would not get created on wlan2 directly - I get an error from Mikrotik "Couldn't change DHCP Server <dhcp_guest> - can not run on slave interface (6)".
4. I wish I knew (and understood) how new-style VLAN aware bridge could be setup. Is there a step-by-step instruction for newbies on Mikrotik's wiki for this?
5. And yes, you are 100% right about "address=192.168.0.1/24 interface=ether2-master-local" - it must had been an initial wizard's setup. I had corrected that to "address=192.168.0.1/24 interface=bridge-local".
Thank you again!

Who is online

Users browsing this forum: mkx, RizONE and 10 guests