4/200+ dhcp leases are on the wrong bridge port

Moopers · September 7, 2023, 10:14pm

Hi,

I have a Mikrotik set up for a guest network, everything works perfectly except for the following: Imgur: The magic of the Internet
As pictured, there are always 2-4 out of 200 devices that consistently have sfp1 as their bridge port. They are the same devices every time, and they are connected to my wireless just like every other device, I can't figure out what I am doing wrong.

Here is the output of export hide-sensitive:

sep/07/2023 15:10:46 by RouterOS 7.8

software id = 9Y1A-D6AI

model = CCR2116-12G-4S+

serial number = HEG08JW6YBT

/interface bridge
add disabled=yes name=Backup_Bridge
add add-dhcp-option82=yes dhcp-snooping=yes name=LAN_Bridge
add name=WAN_Bridge
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
/interface list
add name=LAN
add name=WAN
add name=Backup
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=gecko
/interface bridge port
add bridge=LAN_Bridge interface=LAN
add bridge=WAN_Bridge interface=WAN
add bridge=Backup_Bridge disabled=yes interface=Backup
/ip neighbor discovery-settings
set protocol=cdp,lldp
/ip settings
set icmp-rate-limit=1000
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether1 list=LAN
add interface=sfp-sfpplus1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether13 list=Backup
/ip address
add address=64.146.174.2/26 interface=WAN_Bridge network=64.146.174.0
add address=192.168.99.1/22 interface=LAN_Bridge network=192.168.96.0
add address=192.168.96.1/22 disabled=yes interface=Backup_Bridge network=
192.168.96.0
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool12 interface=LAN_Bridge lease-time=4h10m
name=dhcp1
/ip dhcp-server network
add address=192.168.96.0/22 dns-server=8.8.8.8,8.8.4.4,66.119.192.9 gateway=
192.168.99.1 netmask=22
/ip dns
set allow-remote-requests=yes max-concurrent-queries=150
max-concurrent-tcp-sessions=50 servers=8.8.8.8,8.8.4.4,66.119.192.9
/ip firewall filter
add action=accept chain=input in-interface=LAN_Bridge protocol=icmp
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,new,untracked dst-address=64.146.174.2 src-address=
66.119.222.66
add action=accept chain=input comment="defconf: accept ICMP" dst-address=
64.146.174.2 protocol=icmp src-address=66.119.222.66
add action=drop chain=input in-interface=WAN_Bridge protocol=udp src-port=68
add action=drop chain=input in-interface=WAN_Bridge src-address=192.168.96.0/22
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid log=yes
add action=drop chain=forward in-interface=WAN_Bridge src-address=
192.168.96.0/22
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=forward comment="allow internet traffic" dst-address=
0.0.0.0/0 in-interface=LAN_Bridge src-address=192.168.96.0/22
add action=drop chain=forward comment="drop all else"
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=
WAN_Bridge src-address=192.168.96.0/22
/ip pool
add name=dhcp_pool12 next-pool=dhcp_pool11 ranges=192.168.99.10-192.168.99.254
add name=dhcp_pool11 next-pool=dhcp_pool12 ranges=192.168.98.10-192.168.98.254
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=64.146.174.1 pref-src=
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/snmp
set contact=Fred enabled=yes
/system clock
set time-zone-name=US/Pacific
/system routerboard settings
set enter-setup-on=delete-key
/tool sniffer
set file-name=test filter-interface=WAN_Bridge filter-port=bootps,bootpc
streaming-server=64.146.180.19

loloski · September 7, 2023, 10:27pm

why multiple bridge? for the WAN connection you can straightly assign the ip address to the interface, please prepare a diagram so that others can help you

biomesh · September 7, 2023, 10:42pm

Without your layout it’s hard to tell - I have a feeling that there is a vlan issue with your switch where sfpplus1 is connected to.

Like was mentioned before, there is no reason to put sfpplus1 into a bridge for one interface.