Howto Configure A Mikrotik As Central DHCP Server With Switches As DHCP Relays - Robert Penz Blog
April 27, 2013

I've found many articles about how to configure a Mikrotik RouterOS as a DHCP relay or as a simple DHCP server, but I didn't find an article about the following setup:

- a central Mikrotik DHCP server (e.g. in the data center)
- multiple VLANs/subnets for clients, which are connected via a Layer3 switch (or even more hops) to the central data center

According to the Mikrotik Wiki and the options described there it is possible, but there is no example shown, and everyone uses the setup wizard to configure a DHCP server. I bet most people don't know what happens in the background, so I'll show this the old-fashioned way.

Setup for this example/howto

For this example we assume that we have 4 VLANs with the following subnets:

- 10.88.0.0/24 (data center VLAN for the servers and the DHCP server)
- 10.88.10.0/24 (client network, location 1)
- 10.88.11.0/24 (client network, location 2)
- 10.88.12.0/24 (client network, location 3)

The Mikrotik has the IP 10.88.0.100 and is connected via ether1 to the data center VLAN. The Layer3 switches always use the .1 IP address in the client networks.

Layer3 Switches / DHCP Relay

Most (if not all) switches which are able to perform at least simple layer 3 tasks (often also labeled as Layer2+ switches) are able to forward DHCP requests. Check the manual of the switch for this. One setting I came across sometimes leads to problems. It is called DHCP relay delay and is sometimes set to 1 or 2 seconds in the default configuration. This setting gives a local DHCP server the chance to answer first, but some clients (especially embedded ones) don't wait that long and run into an error. If there is no local DHCP server, set this timer to 0 seconds. You'll also need to set the DHCP server IP on the switch to the IP of the Mikrotik.

Mikrotik as DHCP Server

First we configure the pools for the client networks; the Mikrotik will hand out IPs from these ranges:
/ip pool
add name=poolClientsLocation1 ranges=10.88.10.10-10.88.10.250
add name=poolClientsLocation2 ranges=10.88.11.10-10.88.11.250
add name=poolClientsLocation3 ranges=10.88.12.10-10.88.12.250
Now we need to set the network configuration the DHCP server will hand out to the clients:
/ip dhcp-server network
add address=10.88.10.0/24 dns-server=10.88.0.100 gateway=10.88.10.1
add address=10.88.11.0/24 dns-server=10.88.0.100 gateway=10.88.11.1
add address=10.88.12.0/24 dns-server=10.88.0.100 gateway=10.88.12.1
This is all
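What the relay setup does in the background, shown as an added example that is not part of the original post: the Layer3 switch forwards the client's broadcast as a unicast to the Mikrotik with its own .1 address in the BOOTP giaddr field, and the server picks the scope whose network contains that address. The packet builder, the scope table and the pool names poolClientsLocation1 to 3 are constructed here for illustration; a request from a relay address outside the configured networks gets no lease.

```python
import ipaddress
import struct

# Scopes from the howto: each Layer3 switch relays with its .1 address as
# giaddr, so the server can map the request to the right pool and gateway.
SCOPES = {
    ipaddress.ip_network("10.88.10.0/24"): ("poolClientsLocation1", "10.88.10.1"),
    ipaddress.ip_network("10.88.11.0/24"): ("poolClientsLocation2", "10.88.11.1"),
    ipaddress.ip_network("10.88.12.0/24"): ("poolClientsLocation3", "10.88.12.1"),
}
DNS_SERVER = "10.88.0.100"  # the Mikrotik itself, as in the howto


def build_discover(giaddr: str, hops: int = 1,
                   mac: bytes = b"\x02\x00\x00\x00\x00\x01") -> bytes:
    """Constructed minimal DHCPDISCOVER as a relay agent forwards it (BOOTREQUEST)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, hops,                        # op=BOOTREQUEST, htype=ethernet, hlen, hops
        0x3903F326, 0, 0x8000,                # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr, yiaddr, siaddr (all unset)
        ipaddress.ip_address(giaddr).packed,  # giaddr, filled in by the relay
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    # magic cookie, option 53 (message type) = 1 DISCOVER, end option
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"
    return header + options


def relay_address(packet: bytes) -> str:
    """giaddr occupies bytes 24..28 of the fixed BOOTP header."""
    return str(ipaddress.ip_address(packet[24:28]))


def select_scope(packet: bytes):
    """Return (pool, gateway, dns) for a relayed request, or None to stay silent."""
    if packet[0] != 1:          # only BOOTREQUEST messages are answered
        return None
    if packet[3] > 16:          # RFC 1542: discard requests with more than 16 relay hops
        return None
    giaddr = ipaddress.ip_address(relay_address(packet))
    if int(giaddr) == 0:        # not relayed: client sits on the server's own VLAN
        return None
    for net, (pool, gateway) in SCOPES.items():
        if giaddr in net:
            return (pool, gateway, DNS_SERVER)
    return None                 # relay from an unconfigured network: no lease
```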
/ip address
add interface=ether1 address=192.168.1.1/24
add interface=ether2 address=192.168.2.1/24
/ip pool
add name=pool1 ranges=192.168.1.10-192.168.1.254
add name=pool2 ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add disabled=no authoritative=yes bootp-support=none name=dhcp1 interface=ether1 address-pool=pool1
add disabled=no authoritative=yes bootp-support=none name=dhcp2 interface=ether2 address-pool=pool2
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dhcp-client
add disabled=no interface=WAN use-peer-dns=yes add-default-route=yes
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop out-interface=!WAN src-address=192.168.1.0/24 comment="Prevent inter-subnet communication"
add chain=forward action=drop out-interface=!WAN src-address=192.168.2.0/24 comment="Prevent inter-subnet communication"
/ip firewall nat
add chain=srcnat action=masquerade out-interface=WAN
5 Port Router?
Since a Mikrotik (the example here being a 750GL) is a true 5 port router and not just a consumer-grade router (which is actually a router with a 4 port switch), you can set it up to run multiple networks, use multiple ISPs for WAN failover, and more. Why you would want to do any of these things is beyond the scope of this post, but this will show you how to do it. Let's take an RB750GL and have it run 4 internal networks instead of one. Like this:
Master Port
Out of the box, the 750 is set up for ether1 to be the WAN port and ether2, ether3, ether4, and ether5 to be your LAN ports. The reason these 4 ports all work together is that ether2 has all of the LAN settings and the DHCP server, and ether3, 4, and 5 are all slaves of ether2. In Mikrotik terms, ether3, 4, and 5 have their Master Port set to ether2. The ports are even named as such, and there is an S in the left column showing which ports are slaves:
If we want ether3-5 to run separate networks, we need to set them to have NO Master Port. It's important to note that the Name of the interface will not change based on your settings. If you change ether3 from a Slave to a Master, the name will not update on its own. It's just a name. You could call it Port 3 or Fred or I have my NAS plugged in here. It doesn't really matter to the functionality of the router. Don't get confused by the port names when you start making changes. Change the Master Port on ether3, 4, and 5 like this (and change the interface's name if you like):
When you've set up ether3-5 to have no Master Port, none of the ports should show an S in the left column.
Now, for a port to run its own network, it needs a few things: an IP Address, a DHCP Server, and a Route.
IP Addresses
To give each port its own IP address, go into IP, then Addresses. Click the +, type in the Address you want to give the port, type in the Network you want to assign to the port, and select the port from the Interface drop-down menu. To set up the 192.168.3.xyz subnet on ether3, it would look like this:
When all 4 subnets are set up, your Address List screen should look similar to this (ether3, 4, and 5 are in italics because there is nothing plugged into them):
Do this for each port and your Pool screen should look something like this (I have a VPN pool set up as well, and my default-dhcp was already set up and I didn't want to change it just for these screenshots):
At this point those IP Pools aren't being used by anything. You have to set up new DHCP Servers to use them. Go to IP / DHCP Server / DHCP and click the +. Name the new server whatever you like, set the Interface to the port you want to use this server, and set the Address Pool you want this Server to draw from. In other words
Do this for each port and your DHCP Server screen should look something like this:
Next you have to set up your DHCP Networks, so that each DHCP client will receive the correct DHCP information, such as what its Gateway and DNS servers are. For example:
After you do this for all 3 new DHCP servers (not counting the one that was already set up on ether2), your DHCP Server / Networks screen should look like this:
At this point, if you plug your laptop into ether3, it will grab an IP address in the 192.168.3.xyz range. If you unplug it and plug it into ether5, it will grab an IP address in the 192.168.5.xyz range.
Routes
The last step, which isn't really a step but you need to know about it, is what Routes are set up for these new networks you've created. Look at this screenshot.
I did NOT enter any of these myself. The D in the left column means that each Route was added Dynamically. When you set the IP Addresses for each port, as soon as you added a new Address, the router added a dynamically created Route for that network for you. In this simple scenario you just need to be aware of this; you don't need to do anything with it. Note the screenshot shows unreachable on the ports that don't have anything plugged into them.

You now have 4 LAN networks running on your Mikrotik. Since they are all on different subnets, you will not get any broadcast traffic between them. You can, however, reach from one subnet to another by going to a specific IP. For example, with Control4, when you open their programming software it picks up a broadcast that the Control4 processor sends out. If you are on a different subnet you will not see it and the processor will never populate in the software. But you can manually add the IP address of the processor and it will work fine, even if it's on a different subnet. (This isn't a suggestion of how to do it, just an example.) The same goes for things like AirPlay and other streaming protocols. Many of them rely on broadcasting to tell everyone that they are there and waiting for you to send them a music stream. This can get rather complicated when you start trying to segment off different parts of your networks.
Scenario: a Mikrotik DHCP server with 3 network cards (LAN, Wireless, WAN). WAN is connected to the Internet, Wireless is connected to the 10.10.10.0/24 subnet and serves as DHCP server for it, while the LAN interface serves the 172.16.10.0/24 subnet. Connect to the Mikrotik RouterOS using winbox/ssh and check the IP address(es) of the interfaces:

ip address print
Issue this command to configure the DHCP server for the LAN subnet:

ip dhcp-server setup
Issue the same command for the DHCP server configuration on the Wireless interface:

ip dhcp-server setup