DHCP Relay Configuration

DHCP Relay Configuration

Version Info

RouterOS 7.16 | Min: v6.0+ | Verified | 15 minutes | Intermediate

Tested on: 7.16 7.14

Version-specific notes

• v7.15: Added ‘dhcp-server-vrf’ parameter for VRF support
• v6.x: Same commands work on RouterOS 6.x without VRF support

TL;DR (Quick Start)

Forward DHCP requests from clients to a central server on a different network.

# Ensure interface has an IP (this becomes the client gateway)
/ip address add address=192.168.2.1/24 interface=ether2

# Create the DHCP relay
/ip dhcp-relay add name=relay1 interface=ether2 dhcp-server=192.168.1.1 local-address=192.168.2.1

# Allow DHCP traffic through firewall
/ip firewall filter add chain=forward action=accept protocol=udp dst-port=67,68

On the DHCP server, add a network entry for the relay subnet:

/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=8.8.8.8

Overview

DHCP Relay acts as a proxy between DHCP clients and a DHCP server when they are not on the same broadcast domain. The relay forwards DHCP Discover packets from clients to a specified DHCP server and returns the server’s responses to the clients.

Use DHCP Relay when you have:

• A centralized DHCP server serving multiple network segments
• Remote sites connected via VPN that need DHCP from a central server
• VLAN-segmented networks with a single DHCP server

Prerequisites

• A MikroTik router running RouterOS 6.x or later (7.15+ for VRF support)
• The relay interface must have an IP address in the client network
• A route to the DHCP server must exist
• The DHCP server must have network entries matching the relay’s local-address subnet
• Firewall must permit UDP 67/68 traffic on the forward chain

Note: You cannot run both a DHCP server and DHCP relay on the same interface.

Network Topology

[DHCP Clients] --- [Relay Router] --- [Network/VPN] --- [DHCP Server]
  192.168.2.x         ether2                              192.168.1.1
                  local-address:
                   192.168.2.1

Configuration Steps

Step 1: Ensure the Interface Has an IP Address

The relay interface needs an IP address that will be used as the gateway for clients and as the local-address for the relay.

/ip address add address=192.168.2.1/24 interface=ether2 comment="Client Network Gateway"

Step 2: Verify Routing to DHCP Server

Ensure you have a route to the DHCP server. The server must also be able to route back to your local-address network.

/ping 192.168.1.1 count=3

If the server is not reachable, add a route or configure your network appropriately.

Step 3: Create the DHCP Relay

Configure the relay to listen on the client-facing interface and forward requests to the DHCP server.

/ip dhcp-relay add name=relay1 interface=ether2 dhcp-server=192.168.1.1 local-address=192.168.2.1 disabled=no

Key parameters:

• interface: The interface where clients send DHCP requests
• dhcp-server: IP address of the DHCP server (can specify multiple comma-separated)
• local-address: The router’s IP on the client network; the server uses this (giaddr) to determine which pool to assign

Step 4: Configure Firewall Rules

DHCP relay traffic must be allowed through the forward chain. Add these rules before any drop rules.

/ip firewall filter add chain=forward action=accept protocol=udp dst-port=67,68 comment="Allow DHCP relay"
/ip firewall filter add chain=forward action=accept protocol=udp src-port=67,68 comment="Allow DHCP relay responses"

Step 5: Configure the DHCP Server (on the server router)

The DHCP server must have a network entry matching the relay’s client subnet.

/ip pool add name=pool-relay-clients ranges=192.168.2.100-192.168.2.200
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=8.8.8.8

The server uses the giaddr (local-address from relay) to match the correct network entry.

Verification

Check 1: Verify Relay Configuration

/ip dhcp-relay print

Expected Output:

Flags: X - disabled, I - invalid
 #   NAME    INTERFACE  DHCP-SERVER   LOCAL-ADDRESS
 0   relay1  ether2     192.168.1.1   192.168.2.1

The relay should appear without the “X” (disabled) or “I” (invalid) flags.

Check 2: Verify Routing to DHCP Server

/ping 192.168.1.1 count=3

Expected Output:

SEQ HOST                                     SIZE TTL TIME  STATUS
  0 192.168.1.1                                56  64 1ms
  1 192.168.1.1                                56  64 1ms
  2 192.168.1.1                                56  64 1ms
    sent=3 received=3 packet-loss=0%

Check 3: Verify Firewall Allows DHCP Traffic

/ip firewall filter print where protocol=udp dst-port~"67"

Expected Output:

Flags: X - disabled, I - invalid
 #   CHAIN    ACTION   PROTOCOL  DST-PORT
 0   forward  accept   udp       67,68

Check 4: Check DHCP Logs

Enable DHCP logging and check for relay activity:

/system logging add topics=dhcp action=memory
/log print where topics~"dhcp"

Expected Output (when client requests):

dhcp,info dhcp-relay relay1 received discover from AA:BB:CC:DD:EE:FF
dhcp,info dhcp-relay relay1 sending offer to AA:BB:CC:DD:EE:FF

Advanced Configuration

Option 82 (RFC 3046) for Subscriber Identification

For ISP or enterprise environments requiring client identification:

/ip dhcp-relay set [find name=relay1] add-relay-info=yes

Optionally set a custom remote-id to identify the relay location:

/ip dhcp-relay set [find name=relay1] relay-info-remote-id="branch-office-01"

Multiple DHCP Servers

Configure the relay to forward to multiple servers (client selects from received offers):

/ip dhcp-relay set [find name=relay1] dhcp-server=192.168.1.1,192.168.1.2

DHCP Relay with VRF (RouterOS 7.15+)

When the DHCP server is in a different VRF:

/ip dhcp-relay set [find name=relay1] dhcp-server-vrf=server-vrf

Ensure inter-VRF routes are configured:

/ip route add dst-address=192.168.1.0/24 gateway=ether1@server-vrf routing-table=client-vrf

Multi-VLAN Configuration

Create a separate relay for each VLAN with unique local-address:

/ip dhcp-relay add name=vlan10-relay interface=vlan10 dhcp-server=192.168.1.1 local-address=192.168.10.1
/ip dhcp-relay add name=vlan20-relay interface=vlan20 dhcp-server=192.168.1.1 local-address=192.168.20.1
/ip dhcp-relay add name=vlan30-relay interface=vlan30 dhcp-server=192.168.1.1 local-address=192.168.30.1

The DHCP server needs corresponding network entries for each subnet.

Troubleshooting

Problem: DHCP relay shows “invalid” status

Solution:

1. Verify the interface exists and is active
2. Check that no DHCP server is configured on the same interface
3. Ensure the interface has an IP address assigned

Problem: Clients not receiving IP addresses

Solution:

1. Verify routing between relay and DHCP server (/ping <dhcp-server-ip>)
2. Check firewall rules allow UDP 67/68 on forward chain
3. Verify the DHCP server has a network entry matching the local-address subnet
4. Check DHCP logs on both relay and server

Problem: DHCP Discover reaches server but Offer never returns

Solution:

1. Firewall rules blocking return traffic - add UDP 67/68 allow rules for src-port as well
2. Verify the server can route back to the relay’s local-address network
3. Check for NAT rules masquerading DHCP traffic

Problem: DHCP works for one VLAN but not others

Solution:

1. Check for srcnat/masquerade rules modifying DHCP packet source addresses
2. Verify each relay has a unique local-address in its respective subnet
3. Confirm DHCP server has network entries for all client subnets

Problem: Server logs show “unknown giaddr 0.0.0.0”

Solution:

1. NAT rules are modifying DHCP packets in transit
2. Review srcnat rules and exclude DHCP traffic:

   /ip firewall nat add chain=srcnat action=accept protocol=udp dst-port=67,68

3. Check for intermediate devices modifying packets

Problem: Clients get IP but cannot access the internet

Solution:

1. Verify the gateway address in the DHCP server network entry matches the relay router’s IP
2. Ensure NAT masquerade is configured for client traffic
3. Check that DNS servers provided by DHCP are reachable

How DHCP Relay Works

Understanding the relay process helps with troubleshooting:

1. Client broadcasts DHCPDISCOVER - Client sends broadcast on local segment
2. Relay receives broadcast - Relay agent intercepts the broadcast
3. Relay unicasts to server(s) - Relay forwards request to all configured DHCP servers with giaddr set to local-address
4. Server processes request - Server uses giaddr to determine which pool to use
5. Server responds to relay - Server sends DHCPOFFER back to relay’s IP
6. Relay forwards to client - Relay forwards response to the original client

Important: The relay forwards to ALL configured servers; it does not choose which server to use.

DHCPv6 Relay

RouterOS also supports IPv6 DHCPv6 relay at /ipv6 dhcp-relay:

/ipv6 dhcp-relay add name=ipv6-relay interface=bridge dhcp-server=2001:db8::1%ether1

Warning: DHCPv6 relay has limited documentation and may have reliability issues in some scenarios. Consider using a local DHCPv6 server instead when possible.

Properties Reference

Property	Type	Default	Description
name	string	-	Descriptive name for the relay
interface	string	(required)	Interface listening for DHCP requests
dhcp-server	IP list	(required)	DHCP server IP(s) to forward requests to
local-address	IP	-	Source IP for relay; server uses this (giaddr) to select pool
disabled	yes/no	no	Disable this relay
add-relay-info	yes/no	no	Add Option 82 relay agent information (RFC 3046)
delay-threshold	time	none	Ignore packets with secs field below threshold
relay-info-remote-id	string	-	Custom string for Option 82 remote-id
dhcp-server-vrf	string	-	VRF where DHCP server is located (v7.15+)

Related Topics

Prerequisites

• IP Address Configuration - the relay interface must have a static IP address
• Static Routes - routing must exist between relay and DHCP server
• Firewall Basics - firewall must allow UDP 67/68 traffic

Required on Server Side

• DHCP Server - the central server that responds to relay requests
• IP Pools - address pools for each relay subnet

Related Topics

• VLAN Configuration - VLANs commonly use DHCP relay for centralized IP distribution
• VRF - advanced relay with VRF isolation (RouterOS 7.15+)
• Bridge Configuration - bridged networks and DHCP considerations

IPv6 Alternative

• DHCPv6 Relay - IPv6 DHCP relay configuration

Reference

• MikroTik DHCP Documentation
• RFC 3046 - DHCP Relay Agent Information Option

Command Reference

Command	Description
/ip dhcp-relay add	Create a new DHCP relay
/ip dhcp-relay print	List all DHCP relays with status
/ip dhcp-relay set	Modify existing relay configuration
/ip dhcp-relay remove	Delete a DHCP relay
/ipv6 dhcp-relay add	Create DHCPv6 relay
/ipv6 dhcp-relay print	List DHCPv6 relays

Summary

DHCP Relay forwards DHCP requests from clients to a central server across different network segments:

1. Configure interface with an IP address in the client network (becomes gateway)
2. Create relay pointing to DHCP server with matching local-address
3. Allow firewall traffic for UDP 67/68 on forward chain
4. Configure server with network entry matching relay’s local-address subnet

Key points:

• The relay forwards to ALL configured servers; clients select from received offers
• local-address (giaddr) determines which pool the server assigns from
• Cannot run DHCP server and relay on the same interface
• Firewall must allow UDP 67/68 in both directions on forward chain
• NAT/masquerade rules can break relay by modifying giaddr
• VRF support requires RouterOS 7.15+ with dhcp-server-vrf parameter
• DHCPv6 relay has limited documentation; prefer local DHCPv6 server when possible