DHCP Relay Option 82 Deep Dive
DHCP Relay Option 82 Deep Dive
Section titled “DHCP Relay Option 82 Deep Dive”DHCP Option 82 (Relay Agent Information) is a DHCP extension defined in RFC 3046 that allows relay agents to insert identifying information into DHCP requests. This is essential for ISP wholesale/retail architectures, cable DOCSIS networks, and any scenario where a DHCP server needs to identify the physical location or network segment of a client.
How Option 82 Works
Section titled “How Option 82 Works”When a DHCP relay agent intercepts a client’s broadcast DHCP request, it can append Option 82 to the packet before forwarding it to the DHCP server. This option contains two sub-options:
| Sub-option | Name | Purpose |
|---|---|---|
| 1 | Agent Circuit ID | Identifies the circuit/interface the client is connected to |
| 2 | Agent Remote ID | Identifies the remote client (typically MAC address) |
The DHCP server can use this information to:
- Assign IP addresses from the correct pool based on client location
- Implement per-customer or per-location policies
- Track which network segment a client belongs to
- Enable carrier-grade NAT scenarios
MikroTik Implementation
Section titled “MikroTik Implementation”RouterOS implements Option 82 through two relay properties:
add-relay-info
Section titled “add-relay-info”Enables insertion of Relay Agent Information into DHCP packets per RFC 3046.
/ip dhcp-relay add name=relay1 interface=ether2 dhcp-server=10.0.0.1 add-relay-info=yesWhen enabled, RouterOS adds:
- Circuit ID (Sub-option 1): Interface name where the request was received
- Remote ID (Sub-option 2): Client’s MAC address
relay-info-remote-id
Section titled “relay-info-remote-id”Allows custom Remote ID string instead of default client MAC address. Useful for:
# Use router's MAC as Remote ID instead of client MAC/ip dhcp-relay add name=relay1 interface=ether2 dhcp-server=10.0.0.1 \ add-relay-info=yes relay-info-remote-id=00:11:22:33:44:55Or use a descriptive string:
/ip dhcp-relay add name=relay1 interface=ether2 dhcp-server=10.0.0.1 \ add-relay-info=yes relay-info-remote-id="POP-Coimbatore-01"ISP Wholesale/Retail Scenario
Section titled “ISP Wholesale/Retail Scenario”This is the most common use case for Option 82. Here’s how it works:
┌─────────────┐ ┌─────────────┐ ┌─────────────┐│ Client │ ───▶ │ MikroTik │ ───▶ │ ISP ││ (Retail) │ │ Relay │ │ DHCP ││ │ │ (Option 82) │ │ Server │└─────────────┘ └─────────────┘ └─────────────┘ │ │ ┌────┴────┐ ┌────┴────┐ │Wholesale│ │ Retail │ │ Pool │ │ Pool │ └─────────┘ └─────────┘Configuration Example
Section titled “Configuration Example”ISP Router (Relay):
# Configure relay with Option 82 on multiple interfaces/ip dhcp-relay add name=wholesale-relay interface=ether1 \ dhcp-server=10.0.0.100 add-relay-info=yes
/ip dhcp-relay add name=retail-relay interface=ether2 \ dhcp-server=10.0.0.100 add-relay-info=yesISP DHCP Server:
The server uses the Circuit ID to determine which pool to assign from:
# Server sees Option 82 in the request and selects appropriate pool# Circuit ID "ether1" → Wholesale pool# Circuit ID "ether2" → Retail poolUsing Option 82 in Lease Scripts
Section titled “Using Option 82 in Lease Scripts”When Option 82 is present, you can access it in DHCP server lease scripts through these variables:
| Variable | Description |
|---|---|
lease-agent-circuit-id | The Circuit ID from Option 82 |
lease-agent-remote-id | The Remote ID from Option 82 |
Example: Log Option 82 Information
Section titled “Example: Log Option 82 Information”/ip dhcp-server add name=dhcp1 interface=bridge-local address-pool=pool1 \ lease-script={ :if ($bound = 1) do={ :log info "DHCP Lease: IP=$leaseActIP MAC=$leaseActMAC Circuit ID=$lease-agent-circuit-id Remote ID=$lease-agent-remote-id" } }Example: Add Firewall Address List Based on Circuit ID
Section titled “Example: Add Firewall Address List Based on Circuit ID”/ip dhcp-server add name=dhcp1 interface=bridge-local address-pool=pool1 \ lease-script={ :if ($bound = 1) do={ :if ($lease-agent-circuit-id ~ "vlan10") do={ /ip firewall address-list add list=DHCP-VLAN10 address=$leaseActIP } :if ($lease-agent-circuit-id ~ "vlan20") do={ /ip firewall address-list add list=DHCP-VLAN20 address=$leaseActIP } } else={ # Clean up on lease release /ip firewall address-list remove [find list~"DHCP-VLAN" address=$leaseActIP] } }Example: CGNAT Mapping
Section titled “Example: CGNAT Mapping”For carrier-grade NAT scenarios, use the Circuit ID to create per-customer NAT mappings:
/ip dhcp-server add name=dhcp1 interface=bridge-local address-pool=cgnat-pool \ lease-script={ :if ($bound = 1) do={ :local cgnat-ip ($leaseActIP) :local customer-id ($lease-agent-circuit-id) :log info "CGNAT: Customer $customer-id assigned $cgnat-ip" # Log mapping for CGNAT tracking (update your mapping table as needed) /ip firewall address-list add list=CGNAT-customers address=$cgnat-ip comment=$customer-id } }Viewing Option 82 Information
Section titled “Viewing Option 82 Information”On the Relay
Section titled “On the Relay”# View relay configuration/ip dhcp-relay print detail
# Monitor relay traffic/tool sniffer start filter-ip-protocol=udp filter-port=67,68On the DHCP Server
Section titled “On the DHCP Server”When Option 82 is present, it appears in lease details:
# View leases with Option 82 data/ip dhcp-server lease print detail
# Filter leases by circuit ID/ip dhcp-server lease print where agent-circuit-id~"vlan10"Troubleshooting
Section titled “Troubleshooting”Option 82 Not Being Added
Section titled “Option 82 Not Being Added”- Verify
add-relay-info=yesis set on the relay - Check that the interface name is correct
- Ensure DHCP server is reachable from the relay
DHCP Server Not Responding
Section titled “DHCP Server Not Responding”- NAT Issue: If masquerade is applied to relay traffic, Option 82 gets stripped. Exclude DHCP traffic:
/ip firewall nat add chain=srcnat protocol=udp dst-port=67-68 action=accept/ip firewall nat add chain=srcnat out-interface=wan action=masquerade- Firewall Blocking: Ensure firewall allows DHCP between relay and server:
/ip firewall filter add chain=forward protocol=udp dst-port=67-68 action=acceptOption 82 Data Not Reaching Server
Section titled “Option 82 Data Not Reaching Server”Use packet capture to verify Option 82 is being inserted:
/tool sniffer start filter-ip-protocol=udp filter-port=67,68 file-name=sniff.pcapThen analyze with Wireshark - look for DHCP Option 82 (Agent Circuit ID / Agent Remote ID).
Configuration Reference
Section titled “Configuration Reference”Relay Properties Summary
Section titled “Relay Properties Summary”| Property | Default | Description |
|---|---|---|
add-relay-info | no | Enable RFC 3046 relay agent info |
relay-info-remote-id | (client MAC) | Custom Remote ID string |
local-address | (auto) | IP used as giaddr |
dhcp-server | - | Target DHCP server(s) |
interface | - | Interface to listen on |
Lease Script Variables
Section titled “Lease Script Variables”| Variable | Description |
|---|---|
lease-agent-circuit-id | Circuit ID from Option 82 |
lease-agent-remote-id | Remote ID from Option 82 |
leaseBound | 1 if bound, 0 if released |
leaseActIP | Assigned IP address |
leaseActMAC | Client MAC address |
Best Practices
Section titled “Best Practices”- Use descriptive circuit IDs: Name interfaces clearly (e.g., “vlan10-POP1”, “ether1-BuildingA”)
- Document your addressing scheme: Map Circuit IDs to pools in documentation
- Test with packet capture: Verify Option 82 is being added before deploying
- Handle lease releases: Clean up address lists and mappings when leases expire
- Watch for MTU issues: Option 82 adds ~32 bytes; ensure path MTU handles this
See Also
Section titled “See Also”- DHCP Relay: Forwarding Requests Across Subnets and VLANs — base relay setup, multi-VLAN configuration, and firewall requirements
- DHCP Server and Client — full DHCP server, lease scripts, and DHCPv6 reference