Beelze
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Mar 04, 2014 12:21 pm

DHCP relay over IPSec VPN

Tue Oct 25, 2016 6:07 pm

Hi all,

I've been trying to relay DHCP requests from one LAN to a remote LAN over IPSec. I'm trying to build the same network as a customer of ours currently has, but this time with Mikrotiks. This is the setup I have built:

laptop <--> LOCAL_MIK <---> internet mikrotik <---> MAIN_MIK <--> dhcp-server mikrotik

LOCAL_MIK (relay):
bridge: 192.168.1.1/24
WAN: 1.1.1.1/30
relay: 192.168.10.30

MAIN_MIK:
bridge: 192.168.10.1/24
WAN: 2.2.2.1/30

dhcp-server mikrotik:
192.168.10.30/24
pool: 192.168.1.10 - 192.168.1.254

The IPSec VPN is set up between LOCAL_MIK and MAIN_MIK, which is working perfectly. The laptop sends a DHCP discover to LOCAL_MIK, which has a dhcp-relay pointing towards the dhcp-server mikrotik (192.168.10.30) on the other LAN where the DHCP server resides.
From the dhcp-server mikrotik I can perfectly ping the bridge on LOCAL_MIK, so the tunnel works. I can't however get this relaying thing working. Neither MAIN_MIK nor the dhcp-server mikrotik seems to receive any dhcp discovers.

NAT on LOCAL_MIK:
/ip firewall nat
add chain=srcnat dst-address=192.168.10.0/24 log=yes out-interface=ether1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1

NAT on MAIN_MIK:
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 log=yes out-interface=ether1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1

I have no idea how to continue and make this work. Any other things I need to check? I have checked this post http://forum.mikrotik.com/viewtopic.php?t=41036, but there was no full config export :-)
 
Beelze

Re: DHCP relay over IPSec VPN

Wed Oct 26, 2016 10:43 am

Some debugging showed me this firewall action:
09:29:17 firewall,info srcnat: in:(none) out:ether1, proto UDP, 1.1.1.1:67->192.168.10.30:67, len 328

Shouldn't the WAN IP 1.1.1.1 be 192.168.1.1? That is the local LAN IP I set up on the DHCP relay. The IPSec policy is set on src-address=192.168.1.0 and not the WAN IP, so I think this is the place where things go wrong.

Also in the logs:
14:33:18 dhcp,debug,packet DHCP_relay sending discover with id 2509416026 to 192.168.10.30
14:33:18 dhcp,debug,packet     hops = 1
14:33:18 dhcp,debug,packet     ciaddr = 0.0.0.0
14:33:18 dhcp,debug,packet     giaddr = 192.168.1.1
14:33:18 dhcp,debug,packet     chaddr = 00:0E:C6:C7:F5:04
14:33:18 dhcp,debug,packet     Msg-Type = discover
14:33:18 dhcp,debug,packet     Parameter-List = Subnet-Mask,Classless-Route,Router,Domain-Server,Domain-Name,Domain-Search,Auto-Proxy-Config,Unknown(95),NETBIOS-Name-Server,NETBIOS-Node-Type
14:33:18 dhcp,debug,packet     Max-DHCP-Message-Size = 1500
14:33:18 dhcp,debug,packet     Client-Id = 01-00-0E-C6-C7-F5-04
14:33:18 dhcp,debug,packet     Address-Time = 7776000
14:33:18 dhcp,debug,packet     Host-Name = "My-MacBook"

Giving the internet router routes to both LANs (192.168.1.0/24 and 192.168.10.0/24) makes the DHCP-relay work. This means the DHCP request is not being sent into the tunnel.
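An added diagnostic check, not from the original post or from MikroTik, that compares the outer source address in the srcnat log line against the IPsec policy selectors the poster describes; the selector subnets (192.168.1.0/24 to 192.168.10.0/24) and the log-line parsing are assumptions:

```python
import ipaddress
import re

# Constructed samples taken from the thread: the srcnat log line and two of the
# DHCP relay debug lines. The IPsec policy selectors are an assumption based on
# the poster's description (src 192.168.1.0/24, dst 192.168.10.0/24).
SRCNAT_LINE = ("09:29:17 firewall,info srcnat: in:(none) out:ether1, "
               "proto UDP, 1.1.1.1:67->192.168.10.30:67, len 328")
DHCP_DEBUG = [
    "14:33:18 dhcp,debug,packet DHCP_relay sending discover with id 2509416026 to 192.168.10.30",
    "14:33:18 dhcp,debug,packet     giaddr = 192.168.1.1",
]
POLICY_SRC = ipaddress.ip_network("192.168.1.0/24")
POLICY_DST = ipaddress.ip_network("192.168.10.0/24")

FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")
GIADDR_RE = re.compile(r"giaddr\s*=\s*(\d+\.\d+\.\d+\.\d+)")


def parse_flow(line):
    """Extract (src_ip, src_port, dst_ip, dst_port) from a RouterOS firewall log line."""
    m = FLOW_RE.search(line)
    if m is None:
        raise ValueError("no src->dst flow found in log line")
    return (ipaddress.ip_address(m.group(1)), int(m.group(2)),
            ipaddress.ip_address(m.group(3)), int(m.group(4)))


def parse_giaddr(lines):
    """Return the giaddr the relay wrote into the DHCP payload, or None if absent."""
    for line in lines:
        m = GIADDR_RE.search(line)
        if m:
            return m.group(1)
    return None


def diagnose(line, policy_src=POLICY_SRC, policy_dst=POLICY_DST):
    """Classify the packet's outer IP header against the IPsec policy selectors."""
    src_ip, _, dst_ip, _ = parse_flow(line)
    if src_ip in policy_src and dst_ip in policy_dst:
        return "tunnelled"
    if dst_ip in policy_dst:
        # The DHCP payload carries a LAN giaddr, but policy matching only sees the outer header.
        return f"bypasses tunnel: src {src_ip} is outside {policy_src}"
    return "not policy traffic"


if __name__ == "__main__":
    print(diagnose(SRCNAT_LINE))  # bypasses tunnel: src 1.1.1.1 is outside 192.168.1.0/24
    print("giaddr in payload:", parse_giaddr(DHCP_DEBUG))  # giaddr in payload: 192.168.1.1
```

The mismatch it reports is exactly the symptom in the log: the relayed discover carries a LAN giaddr inside, but leaves the router with the WAN address as its outer source, so the policy never selects it.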
