
Remote DHCP issues

Brett S
Level 1

Greetings all. Upfront, I'm a beginner at best with a homelab, so you know where my skillset is at. I've been around networks for a while, just never worked on them beyond the off the shelf stuff. I started to take my CCNA a few years ago, passed the first test, but never went back (life, work, family, etc). So I'm not unfamiliar with them, and I think I understand fundamentals (maybe).

The issue I'm having right now is trying to get IP leases from remote DHCP's.

My equipment

MikroTik RB4011 router (where I want the DHCP servers)

Cisco 3560X 48 PoE+ w/ the 10Gig module

A Unifi AP AC Pro

Dell R630 running some VM's

The SFP+ port on the MikroTik and 3560X are in a routed, no switchport, non-trunk mode

I had originally thought my issue was on the RB4011. The Cisco is set up to do inter-VLAN routing, and it's doing it perfectly (a network buddy of mine helped me set it all up, teaching me a few things along the way). The RB's only job is to connect ether 1 to my modem/internet and the SFP+ to one of the 10G uplinks on the switch. Works great. We did not do RoaS as I wanted the switch to do all the heavy lifting for inter-VLAN routing, leaving the router to worry about firewall, passing traffic to the internet, and DHCP services for the VLans. Everything in my house is connected to the 3560X. With the exception of a couple items, we currently have everything in VLan 1 just to keep it simple until I get the DHCP issue sorted. My gear (e.g. the Dell R630, the AP, my desktop) are all in another VLan (150) and all working perfectly.

VLan 1 and 150 are using the Cisco as their DHCP. VLan 165 is my "test bed", a laptop. I will end up with 5 VLans when all is done.

My intent had been to use the MikroTik as a DHCP, and even though everyone on VLan 1 and 150 could ping each other, get out to the internet, etc., I couldn't pull IP's on VLan 165 (ip helper-address was pointing to the IP on the MT, and the packet sniffer could see traffic). I statically assigned an IP to the test laptop in VLan 165 and it worked great, so it's not a routing issue. After researching for the last week, I finally gave up on the MT and decided I would go ahead and use my Unifi controller as the DHCP server. I configured it, pointed the ip helper at it and voilà - nothing.

Same issue. Can talk to it all day, can talk from it, but no IP's are being issued.

None of the DHCP's are on the same subnet, but from what I gather, that doesn't matter so long as the ip helper is pointing to the correct IP that's running the DHCP?

Is there a possibility the request is being blocked? Is there a config setting I need to turn on? I checked the Cisco documentation for relays and found nothing other than the ip helper, which again, seems to do its job of sending out (every time I did an ipconfig /renew on the laptop, the packet sniffer count on the MT would go up, then stop when the laptop would give up).

I'm attaching my config, vlan, and ip route. I believe I redacted all the important stuff.

If anyone can give me any clues. At this point I don't know if I need to be looking at the MikroTik, the Unifi Controller, the Cisco, or all three. My buddy tries to help where he can, but he's a seriously busy man with young young'ns, so I try very hard not to bother him. I'm at a total loss.

One last note, I'm definitely not asking anyone to spoon feed me answers, but I know so little that at this point, I don't know if what I'm trying to do will even work. If someone could tell me that I'm banging my head on the wall for nothing, I'll stop, give in, and go the RoaS route (no pun). And if it can be done, just tell me what I need to read up on/look at, the key points to watch for.

 

If you made it here, thank you for taking the time to listen to my plea lol. If you offer up any answers/suggestions, right, wrong, whatever, I thank you for trying to help.

 

Brett "Swany" S.

 

**edited for clarification**

**edited to add a screen shot of the MikroTik config for DHCP in case anyone also speaks MT**

2 Accepted Solutions

Brett S
Level 1

Ok, paid a little more attention to the logs on the MikroTik - It doesn't transmit the IP when under dynamic because it receives a message from the Cisco saying, I believe, that that IP is in its ARP table. The listings in the ARP table are all listed as "Incomplete".

 

It assigns the IP when I reserve it because it never "pings" the IP, so it never receives the message from the Cisco regarding the ARP table. I'm not sure if there is a way to tell the Mikrotik to ignore the ARP or to get Cisco to not send the message

 

**edit**
It all comes down to that ARP. If I let it assign by reservation, then remove the reservation, it will request the same IP again, so the message goes through, no ping/ARP look up. Flush it from the laptop and we're back at the dynamic ping/ARP

 

As a "band-aid" I can get it to work dynamically if, on the Mikrotik side, I turn off "Conflict Detection". While this can be used, temporarily, as a work around, I would think this is a bad thing, especially if in larger environments.

 

I am still going to work towards a better solution.


Brett S
Level 1

I now have a 95% satisfactory resolution.

Configure all VLan's and VLan SVI's on the Cisco

On the Cisco, set the ip helper-address to the router interface on the SFP+ link

On the MikroTik build a DHCP server for each VLan you want to pull an IP

In the Relay option within the DHCP server options, set it to the gateway IP of the VLan on the Cisco. When the Cisco forwards the dhcp broadcast request, it sends it with the VLan gateway IP as the return. Which, if you only have one VLan/Network, you can actually set it to the broadcast, 255.255.255.255. If you have 2 or more, you need to use the gateway IP (I hope I'm explaining this well)

The important part (at least for me), and why it's only 95% and not 100% - You need to uncheck the Conflict Detection option. For me, it's what was causing the pools to exhaust because it was thinking the IP/ARP was in use. Once I did that, it would hand out IP's. This can lead to issues down the road when needing to troubleshoot because if a system has an IP of 192.168.1.10 for whatever reason (static set, assigned by DHCP) and your DHCP isn't tracking it (reserve the IP on the DHCP server, DHCP server reboots, loses all track of IPs assigned, etc.), it will just gladly hand out the same IP address again.

Until I can figure out what exactly is going on with the ARP messages, this will suffice for now. It gives me my GUI so I can see everything easily at a glance, will allow me to plug in new devices and let them be discovered, etc. For my use case, this solution is an acceptable temporary solution as most of my devices will end up with statics (but not all) and I can reserve those off to the side in DHCP or just not allow them into the pool again.

Again, not a 100%, but a good enough for now (especially given all the time I've already put in to this issue and ignored other things going on that need my focus, both network and home)

Thank you guys for trying to help. It honestly was and is appreciated.


16 Replies

Hello,

 

looking at the config, the first thing I would try is set the helper address to the actual directly connected IP address of the MikroTik:

 

interface Vlan165
ip address 172.23.165.25 255.255.255.248
--> ip helper-address 172.23.151.2

With the idea that I'll end up with multiple DHCP servers on the Mikrotik, all with different IP's;

(current setup on the MT)

DHCP is 172.23.1.165 (the others will be 172.23.1.(vlan id))

wouldn't I then, if pointed to the router interface, have to move away from a routed port to trunk port (realizing I didn't make that clear in the OP - editing it to add that)? Causing it to move to RoaS? Or am I not understanding (HIGHLY likely lol).

 

Hello,

I think you are not really aware of how ip-helper works for DHCP requests, so let me give you an example. When you connect the device to VLAN 165 it will send a DHCP request; when it reaches the switch, the switch changes the source IP address to the IP address of the Vlan 165 interface and sends this request to the DHCP server. When the DHCP server receives the DHCP request it sees that the request came from IP 172.23.165.X and knows that it needs to hand out an IP address from that pool. So the DHCP server IP address doesn't have to match the IP subnet address, and it doesn't have to be different for each subnet: one DHCP server address can hand out IP addresses for multiple subnets.

Hello,

 

the helper-address does not need to match the actual pool address, as explained above. It is just the IP address of the device where the pools are configured.

 

So what happens when you change the address as I suggested ?

Same result, no IP handed out. I'm going to attach a screen shot of my MikroTik setup in the OP (through it's WinBox gui) in case someone speaks MT as well as Cisco

Brett S
Level 1

So, if I'm following what you are saying kubn2, is that if I point my ip helper to the router interface (172.23.151.2) the DHCP on the MT would see the request and respond accordingly, providing the appropriate IP address to the corresponding VLan?

 

**edit**

I tried it and it did not work.

Yes, exactly

 

EDIT: If it didn't work then your configuration is incorrect, can you share mikrotik config?

Absolutely. I've attached it to the original post

Brett S
Level 1

So I believe it has something to do with the giaddr

https://forum.mikrotik.com/viewtopic.php?p=116638

So it seems I need to find a way to tell the MikroTik how to accept the request/ignore the giaddr. Still working that one out

 

So, by adding the 255.255.255.255 to the Mikrotik relay, it finally started handing out IP's, but I'm not sure where they are going, the attached image repeats over and over in the log on the MT, but the laptop never receives an IP, and per the DHCP server on the MT, the addresses are all assigned to a MAC of all 0's.

 

So, progress! Now to figure out what's happening with the IP's/where they are going

 

**edit**

When checking the ARP table/cache on the Cisco, I see lines for each of the IP's, listed as incomplete. I flush the ARP table, they go away. As soon as the laptop starts trying to ask for IP's again, the 4 in the vlan get used up on the MT side, and the incomplete in the arp table on the Cisco comes back

Brett S
Level 1

A little more progress

If I go into the DHCP server, set the MAC from the laptop to a predefined IP address (guess you call it static by DHCP?) it gets to the laptop without issue. I can ipconfig /release, then /flushdns, then /renew and it pulls it again, no problems. If I go back to dynamic, it fails to get through again.

It has something to do with the DHCP server pinging the next avail IP. As soon as it does that, the ARP table on the Cisco 3560X puts an entry in for that IP, listed as "Incomplete". I base this assumption on the error in the 4011 log stating

ping <next ip>
"Detected conflict by ARP response for <next ip> from <MAC of requesting gateway>
ping done <next ip>

Still working the issue. Pretty convinced it has something to do with the MikroTik router, not the Cisco config.

Hello,

 

can you for the sake of testing disable all DHCP config on the Cisco and just leave the MikroTik as the DHCP server (or configure all pools on the MikroTik) ? The thought behind my suggestion is that broadcasts from your Vlan 165 clients get messed up because there is a local DHCP server, and then there is a remote one...

Thank you for the suggestion. I tried that this evening with no change/no luck.

 

One person on the Mikrotik forum suggested this

 

"Your last post indicates that there might be a device in your network (the cisco switch) configured to perform proxy ARP? That function can kill DHCP and its check if IP address is unused."

 

I have not intentionally setup anything to do with ARP. Is there possibly some configuration I should check/test?

 

I'm still, at this point, convinced that the issue is on the MT side. Everything works perfectly if I reserve an IP on the MikroTik DHCP with my test laptop's MAC that is attached to the Cisco. It broadcasts a request, the DHCP replies, they do their back and forth (DORA?) and then it assigns the IP I reserved. The problem only exists when I go back to dynamic.
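
Added example, not code from the thread, from Cisco or from MikroTik: a small Python model of the two mechanisms the replies describe. The first is kubn2's point above that the relay (`ip helper-address` on the SVI) stamps the request with the SVI address (the giaddr field) and the server picks the pool from that, plus the relay-address filter Brett ran into on the MikroTik side. The second is the conflict-detection path from the later posts, where the server checks a candidate address before offering it and a router that answers ARP on behalf of other subnets makes every candidate look busy, which matches the "Detected conflict by ARP response ... from <MAC of requesting gateway>" log line and the all-zero MACs in the lease table. Addresses are the thread's (SVI 172.23.165.25/29, MikroTik 172.23.151.2); the pool range, the VLAN 150 subnet, the link mask, the laptop MAC and the proxy-ARP behaviour of the router are assumptions for illustration.

```python
"""Model of DHCP relaying (giaddr selects the pool) and server-side conflict
detection. Added example; thread addresses, everything else assumed."""
import ipaddress
import struct
from typing import Optional

HDR = "!BBBBIHH4s4s4s4s16s64s128s4s"   # fixed BOOTP header + magic cookie = 240 bytes
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
ZERO = "0.0.0.0"
ANY_RELAY = "255.255.255.255"          # RouterOS relay=255.255.255.255: accept any giaddr

def ip2b(s: str) -> bytes: return ipaddress.IPv4Address(s).packed
def b2ip(b: bytes) -> str: return str(ipaddress.IPv4Address(b))

def build_discover(mac: bytes, xid: int) -> bytes:
    """DISCOVER as it leaves the client: broadcast flag set, giaddr zero."""
    hdr = struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                      ip2b(ZERO), ip2b(ZERO), ip2b(ZERO), ip2b(ZERO),
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, MAGIC)
    return hdr + b"\x35\x01\x01\xff"     # option 53 = DHCPDISCOVER, then end

def parse(pkt: bytes) -> dict:
    f = struct.unpack(HDR, pkt[:240])
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": b2ip(f[8]),
            "giaddr": b2ip(f[10]), "chaddr": f[11][:6], "options": pkt[240:]}

def relay_to_helper(pkt: bytes, svi_ip: str) -> bytes:
    """What `ip helper-address` on the SVI does: hops+1, giaddr = SVI address if
    it is still zero; the packet is then unicast to the helper address."""
    f = list(struct.unpack(HDR, pkt[:240]))
    f[3] += 1
    if f[10] == ip2b(ZERO):
        f[10] = ip2b(svi_ip)
    return struct.pack(HDR, *f) + pkt[240:]

def build_offer(req: dict, yiaddr: str, srv: dict, server_ip: str) -> bytes:
    """OFFER: yiaddr filled in, giaddr copied back so the reply is unicast to the relay,
    which re-broadcasts it on the client's VLAN."""
    opts = (b"\x35\x01\x02" + b"\x36\x04" + ip2b(server_ip)                # 53 OFFER, 54 server id
            + b"\x01\x04" + ipaddress.ip_network(srv["network"]).netmask.packed  # 1 subnet mask
            + b"\x03\x04" + ip2b(srv["gateway"]) + b"\xff")                # 3 router, end
    hdr = struct.pack(HDR, BOOTREPLY, 1, 6, req["hops"], req["xid"], 0, 0x8000,
                      ip2b(ZERO), ip2b(yiaddr), ip2b(server_ip), ip2b(req["giaddr"]),
                      req["chaddr"].ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, MAGIC)
    return hdr + opts

def address_in_use(candidate: str, server_net: str, proxy_arp_on_router: bool) -> bool:
    """Assumed model of conflict detection: the server ARPs/pings the candidate on its own
    segment. A router on that segment with proxy ARP enabled answers ARP for any subnet it
    can reach, so a candidate in a remote pool is reported busy although nobody holds it."""
    remote = ipaddress.ip_address(candidate) not in ipaddress.ip_network(server_net)
    return proxy_arp_on_router and remote

def handle_relayed(pkt: bytes, servers: list, leased: dict, *, server_ip: str, server_net: str,
                   conflict_detection: bool, proxy_arp: bool) -> Optional[bytes]:
    req = parse(pkt)
    giaddr = req["giaddr"]
    for srv in servers:
        # 1) relay filter (RouterOS semantics): relayed request accepted only if `relay`
        #    equals giaddr or is 255.255.255.255; 0.0.0.0 means no relayed requests at all
        if srv["relay"] not in (ANY_RELAY, giaddr):
            continue
        # 2) pool selection: the subnet comes from giaddr, not from the server's own address
        if ipaddress.ip_address(giaddr) not in ipaddress.ip_network(srv["network"]):
            continue
        for ip in srv["pool"]:
            if ip in leased:
                continue
            if conflict_detection and address_in_use(ip, server_net, proxy_arp):
                leased[ip] = b"\0" * 6   # blocked as busy with an all-zero MAC, never offered
                continue
            leased[ip] = req["chaddr"]
            return build_offer(req, ip, srv, server_ip)
    return None

SERVERS = [  # one server per VLAN on the MikroTik; VLAN 150 subnet and both pools assumed
    {"name": "dhcp-vlan150", "relay": "172.23.150.1", "network": "172.23.150.0/24",
     "gateway": "172.23.150.1", "pool": ["172.23.150.100"]},
    {"name": "dhcp-vlan165", "relay": "172.23.165.25", "network": "172.23.165.24/29",
     "gateway": "172.23.165.25",
     "pool": ["172.23.165.26", "172.23.165.27", "172.23.165.28", "172.23.165.29"]},
]

def run(relay_setting: str, conflict_detection: bool = True, proxy_arp: bool = True):
    """One DISCOVER from the VLAN 165 laptop, through the SVI, to the MikroTik.
    Returns (offered address or None, addresses the server now considers busy)."""
    servers = [dict(s) for s in SERVERS]
    servers[1]["relay"] = relay_setting
    leased: dict = {}
    discover = build_discover(bytes.fromhex("d83add000165"), xid=0x3903F326)  # MAC assumed
    relayed = relay_to_helper(discover, "172.23.165.25")
    offer = handle_relayed(relayed, servers, leased, server_ip="172.23.151.2",
                           server_net="172.23.151.0/30",   # SFP+ link mask assumed
                           conflict_detection=conflict_detection, proxy_arp=proxy_arp)
    return (parse(offer)["yiaddr"] if offer else None), sorted(leased)

if __name__ == "__main__":
    print("relay=0.0.0.0          ->", run("0.0.0.0"))
    print("relay=255.255.255.255  ->", run("255.255.255.255", proxy_arp=False))
    print("proxy ARP + detection  ->", run("172.23.165.25"))
    print("detection off          ->", run("172.23.165.25", conflict_detection=False))
```

The three outcomes the thread walks through fall out of the model: with the MikroTik's relay left at 0.0.0.0 the relayed request is dropped before any pool is consulted; with the relay set to the SVI address (or the wildcard) the pool is chosen from giaddr even though the server sits in 172.23.151.0/30; and with conflict detection on, a router that proxies ARP on the server's segment burns through all four addresses of the /29 without ever offering one, which is the "pool exhausted, MAC of all 0's" symptom. The `proxy_arp` flag stands for the per-interface IOS setting `ip proxy-arp`, which is enabled by default on routed interfaces and whose state `show ip interface <name> | include Proxy` reports; whether that was the actual cause here is the MikroTik-forum hypothesis quoted above and is not confirmed by the thread.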
