DHCP not working on DMZ interface

Hello,
I have configured multiple interfaces on my MikroTik hEX S router:
WAN, LAN, DMZ

On the LAN and DMZ interfaces I have set up a DHCP server.
The WAN and LAN interfaces are working without major issues.

However, when I connect a client to the DMZ interface, the client is not getting an IP.
I can connect the same client to the LAN interface and there are no issues.

My understanding is that the DHCP configuration of the LAN and DMZ interfaces should be the same.
But when I check the configuration in /etc/config/dhcp I can see this:

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dns_service '0'

config dhcp 'dmz'
        option interface 'dmz'
        option start '100'
        option limit '10'
        option leasetime '10m'
        list ra_flags 'none'

config domain
        option name 'homer'
        option ip '172.16.1.100'

config host
        option name 'homer'
        option dns '1'
        option mac '00:40:95:30:3F:96'
        option ip '172.16.1.100'

Questions:

  1. What is causing the differences between the config of the LAN and DMZ interfaces? I cannot see a major difference in LuCI.
  2. What is the function of section config domain?
  3. What is the function of option dns '1' in section config host?

In the system log I have these entries:

Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: Connected to system UBus
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: started, version 2.85 cachesize 150
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: DNS service limited to local subnets
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: UBus support enabled: connected to system bus
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: DNSSEC validation enabled
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: configured with trust anchor for <root> keytag 20326
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq-dhcp[28327]: DHCP, IP range 172.16.9.100 -- 172.16.9.109, lease time 10m
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq-dhcp[28327]: DHCP, IP range 172.16.1.100 -- 172.16.1.249, lease time 12h
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: using only locally-known addresses for domain test
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: using only locally-known addresses for domain onion
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: using only locally-known addresses for domain localhost
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: using only locally-known addresses for domain local
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: using only locally-known addresses for domain invalid
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: using only locally-known addresses for domain bind
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: using nameserver 127.0.0.1#5453
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: using only locally-known addresses for domain lan
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: read /etc/hosts - 4 addresses
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: read /tmp/hosts/dhcp.cfg01411c - 4 addresses
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq-dhcp[28327]: read /etc/ethers - 0 addresses
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: read /etc/hosts - 4 addresses
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq[28327]: read /tmp/hosts/dhcp.cfg01411c - 4 addresses
Fri Apr 29 20:11:01 2022 daemon.info dnsmasq-dhcp[28327]: read /etc/ethers - 0 addresses
Fri Apr 29 20:11:07 2022 daemon.info dnsmasq-dhcp[28327]: DHCPDISCOVER(lan4) dc:a6:32:8b:ca:11
Fri Apr 29 20:11:07 2022 daemon.info dnsmasq-dhcp[28327]: DHCPOFFER(lan4) 172.16.9.102 dc:a6:32:8b:ca:11
Fri Apr 29 20:11:07 2022 daemon.warn dnsmasq-dhcp[28327]: Error sending DHCP packet to 172.16.9.102: Operation not permitted
Fri Apr 29 20:11:13 2022 daemon.info dnsmasq-dhcp[28327]: DHCPDISCOVER(lan4) dc:a6:32:8b:ca:11
Fri Apr 29 20:11:13 2022 daemon.info dnsmasq-dhcp[28327]: DHCPOFFER(lan4) 172.16.9.102 dc:a6:32:8b:ca:11
Fri Apr 29 20:11:13 2022 daemon.warn dnsmasq-dhcp[28327]: Error sending DHCP packet to 172.16.9.102: Operation not permitted
Fri Apr 29 20:11:13 2022 daemon.err odhcpd[1993]: Failed to send to ff02::1%lan@lan3 (Permission denied)
Fri Apr 29 20:11:28 2022 daemon.info dnsmasq-dhcp[28327]: DHCPDISCOVER(lan4) dc:a6:32:8b:ca:11
Fri Apr 29 20:11:28 2022 daemon.info dnsmasq-dhcp[28327]: DHCPOFFER(lan4) 172.16.9.102 dc:a6:32:8b:ca:11
Fri Apr 29 20:11:28 2022 daemon.warn dnsmasq-dhcp[28327]: Error sending DHCP packet to 172.16.9.102: Operation not permitted
Fri Apr 29 20:11:29 2022 daemon.err odhcpd[1993]: Failed to send to ff02::1%lan@lan3 (Permission denied)
Fri Apr 29 20:11:29 2022 kern.warn kernel: [37293.691212] REJECT wan in: IN=wan OUT= MAC=ff:ff:ff:ff:ff:ff:c8:0e:14:de:97:70:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 MARK=0x3f00
Fri Apr 29 20:11:45 2022 daemon.err odhcpd[1993]: Failed to send to ff02::1%lan@lan3 (Permission denied)
Fri Apr 29 20:12:01 2022 daemon.err odhcpd[1993]: Failed to send to ff02::1%lan@lan3 (Permission denied)
Fri Apr 29 20:12:03 2022 daemon.info dnsmasq-dhcp[28327]: DHCPDISCOVER(lan4) dc:a6:32:8b:ca:11
Fri Apr 29 20:12:03 2022 daemon.info dnsmasq-dhcp[28327]: DHCPOFFER(lan4) 172.16.9.102 dc:a6:32:8b:ca:11
Fri Apr 29 20:12:03 2022 daemon.warn dnsmasq-dhcp[28327]: Error sending DHCP packet to 172.16.9.102: Operation not permitted
Fri Apr 29 20:12:13 2022 kern.warn kernel: [37337.037391] REJECT wan in: IN=wan OUT= MAC=ff:ff:ff:ff:ff:ff:66:d5:ee:d4:d2:ad:08:00 SRC=192.168.1.74 DST=192.168.1.255 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=32501 DF PROTO=UDP SPT=57621 DPT=57621 LEN=48 MARK=0x3f00
Fri Apr 29 20:12:17 2022 daemon.err odhcpd[1993]: Failed to send to ff02::1%lan@lan3 (Permission denied)
Fri Apr 29 20:12:29 2022 kern.warn kernel: [37353.791202] REJECT wan in: IN=wan OUT= MAC=ff:ff:ff:ff:ff:ff:c8:0e:14:de:97:70:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 MARK=0x3f00
Fri Apr 29 20:12:33 2022 daemon.err odhcpd[1993]: Failed to send to ff02::1%lan@lan3 (Permission denied)
Fri Apr 29 20:12:49 2022 daemon.err odhcpd[1993]: Failed to send to ff02::1%lan@lan3 (Permission denied)
Fri Apr 29 20:13:05 2022 daemon.err odhcpd[1993]: Failed to send to ff02::1%lan@lan3 (Permission denied)

THX

Make sure you have removed the lan4 port (that you're using for DMZ) from the lan bridge.

There's no LAN bridge configured on this router.

I have modified DHCP configuration for zone dmz:

config dhcp 'dmz'
	option interface 'dmz'
	option start '100'
	option limit '100'
	option leasetime '1h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

With no firewall rules enabled and this firewall zone config, DHCP is working.

config zone
	option name 'dmz'
	option network 'dmz'
	option output 'ACCEPT'
	option log '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
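
A tighter variant of the zone above, as an added example that is not part of the thread: it keeps `output 'ACCEPT'` so the router can send its DHCP replies on the DMZ port, but rejects input and forwarding by default and opens only DHCPv4 and DNS from DMZ clients to the router. The rule names and the upstream zone name `wan` are assumptions; DHCPv6 and router advertisements, which the `dmz` DHCP section enables, would need their own rules and are not covered here.

```uci
# /etc/config/firewall fragment (added example, not from the thread)

# DMZ zone: nothing from DMZ hosts reaches the router unless a rule
# below allows it, and nothing is forwarded unless a forwarding
# section allows it. Output stays ACCEPT so router-originated
# traffic such as DHCP offers can leave on this interface.
config zone
	option name 'dmz'
	option network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log '1'

# DHCPv4 requests from DMZ clients to the router (server port 67/udp).
config rule
	option name 'Allow-DHCP-DMZ'
	option src 'dmz'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

# DNS queries from DMZ clients to the router's resolver.
# Drop this rule if DMZ hosts are handed an external DNS server.
config rule
	option name 'Allow-DNS-DMZ'
	option src 'dmz'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# DMZ hosts may reach the upstream zone only, not the LAN.
# 'wan' is an assumed zone name.
config forwarding
	option src 'dmz'
	option dest 'wan'
```

After editing the file, `/etc/init.d/firewall restart` reloads the rule set.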
