Post AYcKA5fcAgDQ8spDrk by lamp@kitty.haus
 (DIR) Post #AYb9mSKp3lP6mmEPXE by lamp@kitty.haus
       2023-08-10T20:08:05.160678Z
       
       0 likes, 0 repeats
       
       Bridging works fine... THE PROBLEM IS... There are two gateways on one LAN, and computers can only be configured to use one gateway. And of course whichever DHCP server I have enabled is gonna tell everyone to use that router to access the internet. Is it possible to make the #DHCP server a bit smarter and conditionally provide a gateway address according to the interface it's on? On #mikrotik? Or is this stupid and I should just have separate LANs with routes to each other?
       
 (DIR) Post #AYbDEzeD658M4ebCtc by stanford@firefish.tech
       2023-08-10T20:15:15.271Z
       
       0 likes, 0 repeats
       
       @lamp@kitty.haus Not sure how they are connected to each other, but my first idea would be to block DHCP traffic between the routers in the firewall. But that will only work if the segments are connected through the router. And also not sure if Mikrotik can do that kind of firewall action on a bridge 🤔
       
 (DIR) Post #AYbDF0cpShch6excNk by lamp@kitty.haus
       2023-08-10T20:46:51.700882Z
       
       0 likes, 0 repeats
       
       @stanford Yeah, can't do anything if they're bridged, 'cause it's low-level and bypasses all of that... I think they simply have to not be bridged, but if I still want them to function like one LAN, I have to use #ARP proxy for #IPv4 and #NDP proxy for #IPv6. And I don't know about broadcasts...
       
 (DIR) Post #AYbEvxYYqbYRzk0acy by Jarek@infosec.exchange
       2023-08-10T21:03:17Z
       
       0 likes, 0 repeats
       
       @lamp As for the DHCP server providing different information depending on the port the client is on, then sure, that's what option 82 is for. No idea about Mikrotik though. As for your specific problem of connecting LANs, why not standard routing? There are also other possibilities, like ebtables (again, no idea about Mikrotik) or some virtual IP or MAC addresses (depending on your topology) pointing at the nearest gateway.
       
 (DIR) Post #AYbEvyK3zzYIN4EWfY by lamp@kitty.haus
       2023-08-10T21:05:50.979878Z
       
       0 likes, 0 repeats
       
       @Jarek Wi-Fi roaming... to have the same SSID for auto switching they have to be the same network... so I think I need layer 3 bridging with stuff like proxy ARP
       
 (DIR) Post #AYc09XLLnd3Mb1nzwO by Jarek@infosec.exchange
       2023-08-11T00:05:51Z
       
       0 likes, 0 repeats
       
       @lamp Note that upon roaming the client won't refresh the DHCP lease and get a new default gateway. More important, it won't refresh its IP address, so your routers will keep routing packets to the old network. If you want to let clients roam, I'd stick to bridging and consistent DHCP. If they should reach the closest gateway, set the default gateway in DHCP responses to some single virtual IP address and assign it to both routers (either directly or ARP-proxy just the single IP). Make sure ARP conflicts won't arise by preventing ARPs for this single IP from crossing from one network to the other with something like ebtables. Consider using the same virtual MAC as well (if you don't, traffic might keep flowing to the old gateway for some time after roaming). For IPv6 just filter RA packets (or ND with virtual MAC). Keep in mind that's going to work nicely with simple routing, but if you implement some stateful firewall or NAT on those routers you can expect broken connections.
       
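The shared-virtual-gateway design Jarek describes, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread or taken from the linked forum. Assumed names and values: the LAN bridge is called "bridge", the port that links the two routers (the MoCA uplink) is "ether-link", the LAN is 192.168.1.0/24, the virtual gateway is 192.168.1.1, and the routers' own addresses are 192.168.1.2 and 192.168.1.3. The same commands go on both routers; only the per-router address differs.

```routeros
# Added example (not from the thread): one gateway IP shared by two bridged
# MikroTik routers, with ARP for that IP kept off the inter-router link.
# Assumed names: bridge "bridge", link port "ether-link", LAN 192.168.1.0/24.

/ip address
# This router's own address: 192.168.1.2 on router A, 192.168.1.3 on router B
add address=192.168.1.2/24 interface=bridge
# The single virtual gateway address, identical on both routers
add address=192.168.1.1/24 interface=bridge

/ip dhcp-server network
# Every client, whichever router served it, gets the virtual IP as gateway
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1

/interface bridge filter
# Forward chain: bridged frames. Never let a client's ARP request for the
# virtual IP reach the far router, and never forward the far router's
# ARP replies / gratuitous ARPs for it to local clients.
add chain=forward action=drop mac-protocol=arp arp-dst-address=192.168.1.1 \
    out-interface=ether-link comment="ARP who-has virtual GW stays local"
add chain=forward action=drop mac-protocol=arp arp-src-address=192.168.1.1 \
    in-interface=ether-link comment="far router's ARP for virtual GW"
# Input/output chains: this router's own CPU. Do not learn the far router's
# MAC for the virtual IP, and do not advertise ours across the link.
add chain=input action=drop mac-protocol=arp arp-src-address=192.168.1.1 \
    in-interface=ether-link
add chain=output action=drop mac-protocol=arp arp-src-address=192.168.1.1 \
    out-interface=ether-link
```

Each side of the link then resolves 192.168.1.1 only to its local router's MAC, so a client reaches the nearest gateway without any DHCP trickery. The bridge filter has no IPv6 header matchers, so the RA side of Jarek's advice is not shown here. As he warns, this only stays transparent with plain routing: if each router NATs to its own ISP address, a client whose ARP cache flips to the other router after roaming will have its existing flows leave via a different public address and they will break.
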
 (DIR) Post #AYc09Y553bdIsrCWDg by lamp@kitty.haus
       2023-08-11T05:54:56.277901Z
       
       0 likes, 0 repeats
       
       @Jarek It turns out the bridge has the ability to sniff and block IP traffic, so I bridged and blocked DHCP and it works great with two DHCP servers assigning from separate regions of the same subnet. Unfortunately it does not have any abilities for IPv6, so I can only block it all. But yes, traffic flowing to the old gateway is what I want, so clients can switch APs without breaking connections. Then when it reconnects or renews DHCP it can pick up the closer one. It's only a 4ms difference, but yeah, since the ISP will give me two internet addresses I would rather let it optimize.
       
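The setup lamp describes (bridged routers, DHCP blocked on the link, two DHCP servers carving up one subnet, IPv6 dropped wholesale) as RouterOS commands. This is an added example, not lamp's actual configuration. Assumed names and values: the LAN bridge is "bridge", the inter-router link port is "ether-link", the LAN is 192.168.1.0/24, router A is 192.168.1.2 and hands out .100-.149, router B is 192.168.1.3 and hands out .150-.199. Everything except the commented per-router values is identical on both routers.

```routeros
# Added example (not from the thread): two bridged MikroTik routers, each a
# DHCP server for its own half of one /24, with DHCP blocked on the link.
# Assumed names: bridge "bridge", link port "ether-link", LAN 192.168.1.0/24.

/interface bridge filter
# DHCP is IPv4 UDP with destination port 67 (server) or 68 (client). Drop it
# in both directions on the link so each router only ever talks DHCP with the
# clients on its own side. The forward chain matches bridged frames only;
# DHCP destined for this router's own server arrives via the input chain
# and is untouched.
add chain=forward action=drop mac-protocol=ip ip-protocol=udp dst-port=67-68 \
    out-interface=ether-link comment="local DHCP never crosses the link"
add chain=forward action=drop mac-protocol=ip ip-protocol=udp dst-port=67-68 \
    in-interface=ether-link comment="ignore the other router's DHCP"
# The bridge filter cannot look inside IPv6 headers, so Router Advertisements
# from the far side can only be stopped by dropping IPv6 on the link entirely.
add chain=forward action=drop mac-protocol=ipv6 out-interface=ether-link \
    comment="no IPv6 across the link at all"
add chain=forward action=drop mac-protocol=ipv6 in-interface=ether-link

/ip pool
# Router A: 192.168.1.100-192.168.1.149, router B: 192.168.1.150-192.168.1.199
add name=lan-pool ranges=192.168.1.100-192.168.1.149

/ip dhcp-server
# Long lease so roaming clients are not pushed to the other pool quickly
add name=lan-dhcp interface=bridge address-pool=lan-pool lease-time=1d

/ip dhcp-server network
# Gateway is this router's own address: .2 on router A, .3 on router B
add address=192.168.1.0/24 gateway=192.168.1.2 dns-server=192.168.1.2
```

Note that the port match covers unicast as well as broadcast DHCP, so a client that roamed to the other side cannot renew with the server that originally leased it; it will eventually rebind by broadcast and be served by the local router. That is the point at which, as Jarek notes above, the client's address and gateway change and established connections through the old router's NAT break. The IPv6 rules drop everything IPv6 on the link, not just RAs; that is what the post reports the bridge filter can do.
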
 (DIR) Post #AYcKA4tP3vePjMGiie by Jarek@infosec.exchange
       2023-08-11T09:29:47Z
       
       0 likes, 0 repeats
       
       @lamp 4ms is quite high for a LAN. For IPv6, maybe there is a separate feature like RA guard (RFC 7113)? It's such a basic security feature that its lack would disqualify the device from any serious use with end clients; it's the one IPv6 security feature that has to be enabled even in IPv4-only networks. With DHCP changing gateways the way you described, the connection will break anyway, just upon DHCP renewal rather than roaming. You still need to make the routers forward the foreign traffic to the other one, then it can be transparent to the end clients. Also, let clients keep their original addresses rather than declining and forcing another pool (by having a single DHCP server or letting the two servers coordinate with some failover configuration); that would also break established connections.
       
 (DIR) Post #AYcKA5fcAgDQ8spDrk by lamp@kitty.haus
       2023-08-11T09:39:06.788019Z
       
       0 likes, 0 repeats
       
       @Jarek Yeah, it's MoCA, flippin' slower than Wi-Fi! Maybe I will try this https://forum.mikrotik.com/viewtopic.php?p=962576#p962576
       
 (DIR) Post #AYcKpeHyMfVpNoaEIC by lamp@kitty.haus
       2023-08-11T09:46:38.763130Z
       
       0 likes, 0 repeats
       
       @Jarek Well, the mobile devices probably sleep and frequently reconnect their Wi-Fi anyway, and my DHCP lease time is long; I don't really need to have it renew arbitrarily. So I like how it is.