MikroTik

Hi all,

I'm having a strange issue with my RB 2011UiAS 2HnD on RouterOS 6.27. I've setup a DHCP server using the wizard. This as resulted in the following settings:
Yet I can't get most of my devices to accept DHCP offers from my RB device. Either the addresses are assigned only to be deassigned 10 seconds later or the DHCP offer expires.

Any thoughs on what this could be and how I should solve this?

Try this one, Bootp support: disabled.

try bump stronger DHCP logging level and check resulte logs.
and/or dump traffic and check content(by Wireshark or counterparts).

This sounds like the clients' replies are not getting to the server.
Is there a firewall rule on the bridge interface which blocks traffic in the input chain, and would apply to traffic coming in from bridge-local interface?

The default IP is 192.168.88.1/24 on Mikrotiks, (or it was the last time I took one out of a box), and if you changed the IP more recently, there might be firewall rules left around which allow 192.168.88.x but not 188.x

Also - make sure the network=192.168.188.0 on the IP address setting - I don't know if Mikrotik's fixed this, but if you change the IP address to a different network and hit OK or Apply, it doesn't update the network setting.

This sounds like the clients' replies are not getting to the server.
Is there a firewall rule on the bridge interface which blocks traffic in the input chain, and would apply to traffic coming in from bridge-local interface?

The default IP is 192.168.88.1/24 on Mikrotiks, (or it was the last time I took one out of a box), and if you changed the IP more recently, there might be firewall rules left around which allow 192.168.88.x but not 188.x

Also - make sure the network=192.168.188.0 on the IP address setting - I don't know if Mikrotik's fixed this, but if you change the IP address to a different network and hit OK or Apply, it doesn't update the network setting.

Yes i have a filter in bridge to prevent my network from software that scan mac, and there is slow in connect with my network , device taking time to obtain ip , can you help me ?

this is the filter :


/interface bridge filter
add action=drop chain=forward dst-port=10001 ip-protocol=udp mac-protocol=ip
add action=drop chain=input dst-port=10001 ip-protocol=udp mac-protocol=ip
add action=drop chain=output dst-port=10001 ip-protocol=udp mac-protocol=ip

/interface bridge filter
add action=drop chain=forward mac-protocol=arp in-interface=vlan100
add chain=forward mac-protocol=!arp out-interface=vlan100
add action=drop chain=forward mac-protocol=arp in-interface=vlan101
add chain=forward mac-protocol=!arp out-interface=vlan101
add action=drop chain=forward mac-protocol=arp in-interface=vlan102
add chain=forward mac-protocol=!arp out-interface=vlan102
add action=drop chain=forward mac-protocol=arp in-interface=vlan104
add chain=forward mac-protocol=!arp out-interface=vlan104
add action=drop chain=forward mac-protocol=arp in-interface=vlan105
add chain=forward mac-protocol=!arp out-interface=vlan105
add action=drop chain=forward mac-protocol=arp in-interface=vlan106
add chain=forward mac-protocol=!arp out-interface=vlan106
add action=drop chain=forward mac-protocol=arp in-interface=vlan107
add chain=forward mac-protocol=!arp out-interface=vlan107
add action=drop chain=forward mac-protocol=arp in-interface=vlan108
add chain=forward mac-protocol=!arp out-interface=vlan108
add action=drop chain=forward mac-protocol=arp in-interface=vlan109
add chain=forward mac-protocol=!arp out-interface=vlan109
add action=drop chain=forward mac-protocol=arp in-interface=vlan110
add chain=forward mac-protocol=!arp out-interface=vlan110
add action=drop chain=forward mac-protocol=arp in-interface=vlan111
add chain=forward mac-protocol=!arp out-interface=vlan111

Yes i have a filter in bridge to prevent my network from software that scan mac, and there is slow in connect with my network , device taking time to obtain ip , can you help me ?

This sounds more like you have a switch with spanning tree turned on, and the ports where users are connecting are doing the normal thing where they don't forward traffic for about 30 seconds (if standard spanning tree)....

A filter rule would probably either block or not block always - not just cause slower responses.

Yes i have a filter in bridge to prevent my network from software that scan mac, and there is slow in connect with my network , device taking time to obtain ip , can you help me ?

This sounds more like you have a switch with spanning tree turned on, and the ports where users are connecting are doing the normal thing where they don't forward traffic for about 30 seconds (if standard spanning tree)....

A filter rule would probably either block or not block always - not just cause slower responses.

thanks man, i have two switches connected , one connected to ether6 and the other connected to ether7.

i want you to take a look for my setting if you don't mind, and tell me if there is wrong cause i have four problems :

1- devices take time till linked with AP

2- sometime couldn't link, but saved

3- Interrupted the network, the device linked for time , after that network absent

4- i saw some ip with zero mac in arp list

-----------------------------------------

this is my settings

and this is for settings for interface

when i have that problem always is a layer 2 connectivity issue between clients and dhcp server

when i have that problem always is a layer 2 connectivity issue between clients and dhcp server

SO WHAT IS THE SOLUTION ?

in wireless access network checking ccq, signal levels, interference and packet loss

in wired access network checking interface stats looking form some counter of errors or crc or something strange, check for negotiation problem on Ethernet connections, configuration of manageable switches, possible cabling issues etc.

another aspect is to seek if the problem is only on certain devices, can be a client device problem under certain specific circumstance

Your bridge firewall seems overly complicated for what you want to do - instead of enumerating each possible combination and blocking them all individually, you should just say "block arp" in the forward chain and have done, regardless of VLAN or in/out interface.

arps to/from the router don't even go through forward chain - they go through input, which you always want to accept, so no need to block anything there.

one rule blocks all client-to-client arp.

Your bridge firewall seems overly complicated for what you want to do - instead of enumerating each possible combination and blocking them all individually, you should just say "block arp" in the forward chain and have done, regardless of VLAN or in/out interface.

arps to/from the router don't even go through forward chain - they go through input, which you always want to accept, so no need to block anything there.

one rule blocks all client-to-client arp.

sorry friend , i am not very good in network , how i can put block arp, would you mind writing it as rule plz ?

Backup your configuration before making this change (just in case):

Your bridge firewall forward chain only needs this one rule:
add action=drop chain=forward mac-protocol=arp

This will still let the Mikrotik itself send/receive ARP requests (those are received in the input chain, and sent through the output chain)

Or, you could be even simpler and just drop ALL forwarded traffic - because it looks like you're trying to block client-to-client communications, right? If you're blocking ARP traffic, then realistically, the clients can't talk to each other using IP anyway.... why not just block ALL communication?

(to do that, just remove the mac-protocol=arp)

or use the bridge horizon feature...

or use the bridge horizon feature...

I like this feature quite a bit myself - for a simple client isolation configuration, it's very useful.

as i understand you are trying to enforce security

but

you have to keep in mind some security measures needs to be done on access layer of the network, and another measures need to be done on core

looks like you are trying to compensate deficiency on access layer security, over enforcing it on the core

maybe configuring on interface arp=reply only can help you without the need of that rules on your bridge about arp

or use the bridge horizon feature...

I like this feature quite a bit myself - for a simple client isolation configuration, it's very useful.

simple, useful, and very powerful

Backup your configuration before making this change (just in case):

Your bridge firewall forward chain only needs this one rule:
add action=drop chain=forward mac-protocol=arp

This will still let the Mikrotik itself send/receive ARP requests (those are received in the input chain, and sent through the output chain)

Or, you could be even simpler and just drop ALL forwarded traffic - because it looks like you're trying to block client-to-client communications, right? If you're blocking ARP traffic, then realistically, the clients can't talk to each other using IP anyway.... why not just block ALL communication?

(to do that, just remove the mac-protocol=arp)

Yes i am trying to block client to client communications, can you give the the one rule that can block all communication plz ?

or use the bridge horizon feature...

can tell me how i can enable horizon feature ?

or use the bridge horizon feature...

I like this feature quite a bit myself - for a simple client isolation configuration, it's very useful.

how i can enable horizon feature plz ?

how i can enable horizon feature plz ?

This only works on ports of the cpu-based bridge (not hardware-switched ports).
Go into bridge > ports, and edit each interface you want split horizon on, and set some value there (pretty much any number will work).
e.g. horizon=1

What this does is prevent any two ports from communicating with each other if they have the same horizon value.
No pings, no arps, no nothing, but only within the same horizon.

Of course if you have a switch connected to a port, then hosts on that switch can talk to each other all day long, regardless of the split horizon in the Mikrotik.

how i can enable horizon feature plz ?

This only works on ports of the cpu-based bridge (not hardware-switched ports).
Go into bridge > ports, and edit each interface you want split horizon on, and set some value there (pretty much any number will work).
e.g. horizon=1

What this does is prevent any two ports from communicating with each other if they have the same horizon value.
No pings, no arps, no nothing, but only within the same horizon.

Of course if you have a switch connected to a port, then hosts on that switch can talk to each other all day long, regardless of the split horizon in the Mikrotik.

thank you very much for all your helps