Bridge/Bond VLANs no DHCP

Firstly, I just wanted to mention that I know there are a lot of threads about this subject already, so apologies for creating another one. However, I have read through a lot of others, and unfortunately, I still haven't been able to get this working... I've hit a wall, hence the reason for this post.

I have a bridge (eth 4+5+6+7+8) with various VLANs configured (ID 10,20,30,40,50,200), along with a bond (eth 7+8) for connecting to the switch (which has the VLANs + tagging configured). For the life of me, I cannot figure out 'why' I cannot obtain a DHCP address.

Results:

  • If I connect a device to any of the bridge ports (exc. 7+8), I do not obtain an address.
  • If I connect a device to an untagged port on my switch (e.g., port 23/VLAN20), I do not obtain an address.
  • As a test, I configured a bridge port for eth2 with PVID 20, and if I plug a device directly to it, it successfully obtains an address (from the configured pool for VLAN20).

(Note: I have tried setting the bridge port PVIDs to one of my configured VLANs (e.g., 200), as well as tried keeping them as 1 + setting VLAN ID 1 as untagged on the switch, but get the same outcome.)

Router Config:
(Important: I have removed ALL firewall-related rules/settings from the below, as they are currently disabled while I troubleshoot.)

# RouterOS 6.49.17
# model = CCR1009-8G-1S
# Original configuration from the opening post. The poster states that every
# firewall rule was removed (disabled while troubleshooting), so nothing in
# this export filters traffic to or through the router.
/interface bridge
# vlan-filtering=yes: each bridge port's VLAN role (pvid / tagged / untagged)
# now decides where its frames go; ports with no role fall back to pvid 1.
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=ether2 ] name=eth2
set [ find default-name=ether3 ] name=eth3-backup
set [ find default-name=ether4 ] name=eth4
set [ find default-name=ether5 ] name=eth5
set [ find default-name=ether6 ] name=eth6
set [ find default-name=ether7 ] name=eth7
set [ find default-name=ether8 ] name=eth8
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
# One L3 VLAN interface per ID, all stacked on bridge1. Addresses and DHCP
# servers attach to these interfaces, never to the physical ports.
add interface=bridge1 name=vlan10-main vlan-id=10
add interface=bridge1 name=vlan20-guest vlan-id=20
add interface=bridge1 name=vlan30-lab vlan-id=30
add interface=bridge1 name=vlan40-iot vlan-id=40
add interface=bridge1 name=vlan50-cctv vlan-id=50
add interface=bridge1 name=vlan200-mgmt vlan-id=200
/interface bonding
# LACP bond (eth7+eth8) towards the switch.
# NOTE(review): confirm the two switch ports form an 802.3ad group as well;
# the switch-side failure reported in the post is not explained by this export.
add mode=802.3ad name=bond-sw1 slaves=eth7,eth8 transmit-hash-policy=layer-2-and-3
/interface list
add name=WAN
add name=LAN
/ip pool
add name=pool10-main ranges=10.10.10.11-10.10.10.254
add name=pool30-lab ranges=10.10.30.2-10.10.30.127
add name=pool200-mgmt ranges=10.10.200.2-10.10.200.254
add name=pool20-guest ranges=10.10.20.10-10.10.20.150
add name=pool40-iot ranges=10.10.40.10-10.10.40.254
add name=pool50-cctv ranges=10.10.50.10-10.10.50.254
/ip dhcp-server
# Each server listens on its vlanNN interface; a client only reaches it if its
# frames are placed into that VLAN by the bridge port it is plugged into.
add add-arp=yes address-pool=pool10-main disabled=no interface=vlan10-main lease-time=1d name=dhcp10-main
add add-arp=yes address-pool=pool30-lab disabled=no interface=vlan30-lab name=dhcp30-lab
add add-arp=yes address-pool=pool200-mgmt disabled=no interface=vlan200-mgmt name=dhcp200-mgmt
add add-arp=yes address-pool=pool20-guest disabled=no interface=vlan20-guest lease-time=8h name=dhcp20-guest
add add-arp=yes address-pool=pool40-iot disabled=no interface=vlan40-iot name=dhcp40-iot
add add-arp=yes address-pool=pool50-cctv disabled=no interface=vlan50-cctv name=dhcp50-cctv
/interface bridge port
# eth4/eth5/eth6 and bond-sw1 join with the default pvid (1) and no frame-types
# restriction. An untagged frame from a PC plugged straight into eth4-6 is
# placed in VLAN 1, which has no entry in the bridge VLAN table below and no
# vlan interface, so its DHCP discover never reaches a DHCP server.
# eth2 is the only access port: pvid=20 puts untagged frames into VLAN 20,
# which is why the eth2 test in the post works.
add bridge=bridge1 interface=eth5
add bridge=bridge1 interface=eth6
add bridge=bridge1 interface=bond-sw1
add bridge=bridge1 interface=eth4
add bridge=bridge1 comment=testVLAN20 interface=eth2 pvid=20
/ip neighbor discovery-settings
# Neighbor discovery runs on every interface, eth1-wan included; restricting
# this to a management-only interface list avoids advertising the router on WAN.
set discover-interface-list=all
/interface bridge vlan
# Every VLAN is tagged on eth4/5/6 and the bond (trunk ports); no port is an
# untagged member of any VLAN apart from the dynamic membership eth2 gets
# from its pvid.
add bridge=bridge1 tagged=bridge1,bond-sw1,eth4,eth5,eth6 vlan-ids=10
add bridge=bridge1 tagged=bridge1,bond-sw1,eth4,eth5,eth6 vlan-ids=20
add bridge=bridge1 tagged=bridge1,bond-sw1,eth4,eth5,eth6 vlan-ids=30
add bridge=bridge1 tagged=bridge1,bond-sw1,eth4,eth5,eth6 vlan-ids=40
add bridge=bridge1 tagged=bridge1,bond-sw1,eth4,eth5,eth6 vlan-ids=50
add bridge=bridge1 tagged=bridge1,bond-sw1,eth4,eth5,eth6 vlan-ids=200
/interface list member
add interface=eth1-wan list=WAN
add interface=eth2 list=LAN
add interface=bridge1 list=LAN
add interface=bond-sw1 list=LAN
add interface=vlan10-main list=LAN
add interface=vlan20-guest list=LAN
add interface=vlan30-lab list=LAN
add interface=vlan40-iot list=LAN
add interface=vlan50-cctv list=LAN
add interface=vlan200-mgmt list=LAN
/ip address
# eth3-backup is an out-of-band port (not a bridge member) with its own /24.
add address=10.255.255.1/24 interface=eth3-backup network=10.255.255.0
add address=10.10.10.1/24 interface=vlan10-main network=10.10.10.0
add address=10.10.30.1/23 interface=vlan30-lab network=10.10.30.0
add address=10.10.40.1/24 interface=vlan40-iot network=10.10.40.0
add address=10.10.20.1/24 interface=vlan20-guest network=10.10.20.0
add address=10.10.50.1/24 interface=vlan50-cctv network=10.10.50.0
add address=10.10.200.1/24 interface=vlan200-mgmt network=10.10.200.0
/ip dhcp-client
add disabled=no interface=eth1-wan
/ip dhcp-server network
# main/lab/iot/cctv/mgmt clients are handed 10.10.30.253 (in the lab VLAN) as
# DNS; once the firewall is re-enabled the forward chain must allow those
# VLANs to reach that host, or name resolution breaks.
add address=10.10.10.0/24 comment=main dns-server=10.10.30.253 gateway=10.10.10.1
add address=10.10.20.0/24 comment=guest dns-server=1.1.1.1 gateway=10.10.20.1
add address=10.10.30.0/23 comment=lab dns-server=10.10.30.253 gateway=10.10.30.1
add address=10.10.40.0/24 comment=iot dns-server=10.10.30.253 gateway=10.10.40.1
add address=10.10.50.0/24 comment=cctv dns-server=10.10.30.253 gateway=10.10.50.1
add address=10.10.200.0/24 comment=mgmt dns-server=10.10.30.253,1.1.1.1 gateway=10.10.200.1
/ip dns
# allow-remote-requests=yes turns the router into a DNS resolver for its
# clients. With no input firewall it will also answer queries arriving on
# eth1-wan, i.e. it is an open resolver until the drop rules are restored.
set allow-remote-requests=yes servers=1.1.1.1

Network Diagram:

Switch VLAN Config:

Any help is greatly appreciated - and thank you in advance! Also, if any further info is required, please let me know.

because
eth4, eth5 and eth6 are trunk ports in your config:
all of the VLANs are tagged,
and your PC wants an access port (untagged VLAN)

for ex:

# Access ports: pvid=200 places untagged ingress frames on eth1/eth2 into VLAN 200.
/interface bridge port add bridge="br1" interface="eth1" pvid=200
/interface bridge port add bridge="br1" interface="eth2" pvid=200

# VLAN 200 membership: tagged on the bridge itself (so the vlan interface on
# br1 sees it) and on the trunks eth16/eth18; untagged on the access ports.
/interface bridge vlan add bridge="br1" tagged="br1,eth16,eth18" untagged="eth1,eth2" vlan-ids=200

this will put tagged (trunk) vlan200 frames on eth16 and eth18,
and untagged (access) vlan200 frames on eth1 and eth2

modify eth1, eth2, eth16 and eth18 according to your needs

Your diagram is confusing, how many ether8s can you have LOL.
Also you do not clarify what is connected to ports 2,4,5,6 ??? 7,8 are known as being bonded to the switch.
You have a management subnet 10.10.10 but then you use weird 10.255.255. stuff ????
I will assume using port 2,4 for MAIN, port 5 for guest, port 6 for IOT

Okay I see you are using ether3 to dedicate to a PC to connect to and config router safely.
I do the same but don't use a dedicated machine; I would use that port as a dedicated port like so.

Take ether3 off the bridge, give it an IP address, then plug your computer into ether3, change its IPv4 settings to 192.168.3.2, and with the username and password you should be good.

Also you have a management network.......you need to follow through.

Too vague on what you mean by permissions; the only thing clear is that cctv is internet-only.
Will assume that main has access to servers iot and cctv
Will assume guest and iot only has access to internet

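/interface bridge
# VLAN filtering on; the bridge itself only carries tagged frames, matching
# its tagged=bridge1 membership in /interface bridge vlan below.
add name=bridge1 protocol-mode=none vlan-filtering=yes frame-types=admit-only-vlan-tagged
/interface ethernet
# Interfaces are renamed here; every later reference must use the new names
# (eth3-backup, eth6, ...), not the factory names (ether3, ether6).
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=ether2 ] name=eth2
set [ find default-name=ether3 ] name=eth3-backup
set [ find default-name=ether4 ] name=eth4
set [ find default-name=ether5 ] name=eth5
set [ find default-name=ether6 ] name=eth6
set [ find default-name=ether7 ] name=eth7
set [ find default-name=ether8 ] name=eth8
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
# One L3 VLAN interface per ID on top of bridge1; addresses and DHCP servers
# attach to these.
add interface=bridge1 name=vlan10-main vlan-id=10
add interface=bridge1 name=vlan20-guest vlan-id=20
add interface=bridge1 name=vlan30-lab vlan-id=30
add interface=bridge1 name=vlan40-iot vlan-id=40
add interface=bridge1 name=vlan50-cctv vlan-id=50
add interface=bridge1 name=vlan200-mgmt vlan-id=200
/interface bonding
# LACP bond (eth7+eth8) towards the switch; carries every VLAN tagged.
add mode=802.3ad name=bond-sw1 slaves=eth7,eth8 transmit-hash-policy=layer-2-and-3
/interface list
add name=WAN
add name=LAN
# PERMIT: destinations the main VLAN may reach in the forward chain.
add name=PERMIT comment="identifies what main can access"
# MGMT: interfaces from which the router itself may be administered.
add name=MGMT
/ip pool
add name=pool10-main ranges=10.10.10.11-10.10.10.254
add name=pool30-lab ranges=10.10.30.2-10.10.30.127
add name=pool200-mgmt ranges=10.10.200.2-10.10.200.254
add name=pool20-guest ranges=10.10.20.10-10.10.20.150
add name=pool40-iot ranges=10.10.40.10-10.10.40.254
add name=pool50-cctv ranges=10.10.50.10-10.10.50.254
/ip dhcp-server
add add-arp=yes address-pool=pool10-main disabled=no interface=vlan10-main lease-time=1d name=dhcp10-main
add add-arp=yes address-pool=pool30-lab disabled=no interface=vlan30-lab name=dhcp30-lab
add add-arp=yes address-pool=pool200-mgmt disabled=no interface=vlan200-mgmt name=dhcp200-mgmt
add add-arp=yes address-pool=pool20-guest disabled=no interface=vlan20-guest lease-time=8h name=dhcp20-guest
add add-arp=yes address-pool=pool40-iot disabled=no interface=vlan40-iot name=dhcp40-iot
add add-arp=yes address-pool=pool50-cctv disabled=no interface=vlan50-cctv name=dhcp50-cctv
/interface bridge port
# Access ports: pvid puts untagged frames into the port's VLAN and
# frame-types=admit-priority-and-untagged rejects tagged frames a host
# might inject. ingress-filtering=yes drops frames for VLANs the port is not
# a member of (it is not the default on this RouterOS version).
add bridge=bridge1 frame-types=admit-priority-and-untagged ingress-filtering=yes interface=eth2 pvid=10
add bridge=bridge1 frame-types=admit-priority-and-untagged ingress-filtering=yes interface=eth4 pvid=10
add bridge=bridge1 frame-types=admit-priority-and-untagged ingress-filtering=yes interface=eth5 pvid=20
add bridge=bridge1 frame-types=admit-priority-and-untagged ingress-filtering=yes interface=eth6 pvid=40
# Trunk to the switch: tagged frames only. The original line read
# "frame-types-admin-only-vlan-tagged" (no "=", "admin" for "admit"), which
# is not a valid parameter and would leave the bond at the default frame-types.
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bond-sw1
/ip neighbor discovery-settings
# Only advertise/discover neighbours on management interfaces, never on WAN.
set discover-interface-list=MGMT
/interface bridge vlan
# Access ports are listed as untagged members of their VLAN so egress frames
# leave them untagged; the bridge and the bond are tagged members of everything.
add bridge=bridge1 tagged=bridge1,bond-sw1 untagged=eth2,eth4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,bond-sw1 untagged=eth5 vlan-ids=20
# was "untagged=ether6": that interface no longer exists after the rename above.
add bridge=bridge1 tagged=bridge1,bond-sw1 untagged=eth6 vlan-ids=40
add bridge=bridge1 tagged=bridge1,bond-sw1 vlan-ids=30,50,200
/interface list member
add interface=eth1-wan list=WAN
add interface=vlan10-main list=LAN
add interface=vlan20-guest list=LAN
add interface=vlan30-lab list=LAN
add interface=vlan40-iot list=LAN
add interface=vlan50-cctv list=LAN
add interface=vlan200-mgmt list=LAN
# was "ether3-backup": the renamed interface is eth3-backup.
add interface=eth3-backup list=LAN
add interface=vlan200-mgmt list=MGMT
add interface=vlan10-main list=MGMT
add interface=eth3-backup list=MGMT
add interface=vlan30-lab list=PERMIT
# was "interfac=": misspelled parameter name.
add interface=vlan40-iot list=PERMIT
add interface=vlan50-cctv list=PERMIT
/ip address
# Out-of-band admin port, /30 so only one peer host (192.168.3.2) fits.
add address=192.168.3.1/30 interface=eth3-backup network=192.168.3.0
add address=10.10.10.1/24 interface=vlan10-main network=10.10.10.0
add address=10.10.30.1/23 interface=vlan30-lab network=10.10.30.0
add address=10.10.40.1/24 interface=vlan40-iot network=10.10.40.0
add address=10.10.20.1/24 interface=vlan20-guest network=10.10.20.0
add address=10.10.50.1/24 interface=vlan50-cctv network=10.10.50.0
add address=10.10.200.1/24 interface=vlan200-mgmt network=10.10.200.0
/ip dhcp-client
add disabled=no interface=eth1-wan
/ip dhcp-server network
# Non-guest VLANs resolve via 10.10.30.253 in the lab VLAN; the forward
# chain must permit that path for name resolution to work.
add address=10.10.10.0/24 comment=main dns-server=10.10.30.253 gateway=10.10.10.1
add address=10.10.20.0/24 comment=guest dns-server=1.1.1.1 gateway=10.10.20.1
add address=10.10.30.0/23 comment=lab dns-server=10.10.30.253 gateway=10.10.30.1
add address=10.10.40.0/24 comment=iot dns-server=10.10.30.253 gateway=10.10.40.1
add address=10.10.50.0/24 comment=cctv dns-server=10.10.30.253 gateway=10.10.50.1
add address=10.10.200.0/24 comment=mgmt dns-server=10.10.30.253,1.1.1.1 gateway=10.10.200.1
/ip dns
# Router acts as a resolver; the input chain (see the firewall section that
# accompanies this config) must limit who may query it, otherwise WAN can too.
set allow-remote-requests=yes servers=1.1.1.1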

+++++++++++++++++++++++++++

Also will need in config.

# Sketch of the firewall that should accompany the config above. It is not a
# pasteable export: the address-list path is "/ip firewall address-list", and
# the "/input chain" / "/forward chain" headings stand for rules under
# "/ip firewall filter"; the dotted lines mark rules the author left out.
/firewall address-list
# Authorized: the only source addresses allowed to manage the router.
# "10.10.200.X" is a placeholder for the admin host's real address.
add address=10.10.200.X/32  list=Authorized  comment="admin on mgmt network"
add address=10.10.10.10/32  list=Authorized comment="admin on main network"
add address=192.168.3.2/32  list=Authorized comment="admin on ether3 - off bridge"
# not a command: add further admin hosts here as needed.
add as required....
/input chain
# Elided rules. NOTE(review): the usual accept-established/related and
# drop-invalid rules are assumed to sit here, ahead of the drop-all below.
..............
# Management access only from MGMT interfaces and only from Authorized hosts.
add chain=input action=accept in-interface-list=MGMT src-address-list=Authorized
# Clients on any LAN VLAN may use the router for DNS and NTP; nothing else
# reaches the router, and WAN is never accepted, so the open-resolver risk
# from allow-remote-requests=yes is closed by the final drop.
add chain=input action=accept in-interface-list=LAN  dst-port=53,123 protocol=udp
add chain=input action=accept in-interface-list=LAN  dst-port=53 protocol=tcp
add chain=input action=drop comment="drop all else"

/forward chain
# Elided rules. NOTE(review): accept-established/related and drop-invalid
# assumed here as well.
............
# Every VLAN may reach the internet.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
# Main VLAN may reach the PERMIT list (lab, iot, cctv); no other inter-VLAN
# traffic is accepted, so guest/iot/cctv stay isolated from each other.
add chain=forward action=accept in-interface=vlan10-main out-interface-list=PERMIT
# Admin hosts on MGMT interfaces may reach any LAN VLAN.
add chain=forward action=accept in-interface-list=MGMT src-address-list=Authorized\
 out-interface-list=LAN
# Only needed when dst-nat port forwards exist; the braces are a placeholder,
# not syntax.
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat\
 { enable if required or remove }
/tool mac-server
# No MAC-telnet at all.
set allowed-interface-list=none
/tool mac-server mac-winbox
# MAC-WinBox only from management interfaces.
set allowed-interface-list=MGMT

On switch GUI, ensure vlan200 is noted as the management vlan and enter in 10.10.200.2 as the switch IP address.

Your diagram is confusing, how many ether8s can you have LOL.

Whoops... I moved some things around in the rack and forgot to update the diagram. eth8 used to be the backup port, but that has since been moved to eth3. eth8 is currently part of the bond (with eth7) that connects to the switch (on ports 1+2).

Also you do not clarify what is connected to ports 2,4,5,6 ??? 7,8 are known as being bonded to the switch.

eth2 is a (temporary) test port, and 4+5+6 are unused but are part of the bridge (in case needed in future). Should they be removed whilst not in use (as well as the corresponding bridge ports)?

Also will need in config.

Thanks for sending this through. As mentioned, I currently have all rules disabled whilst troubleshooting, but there are a couple in here I can use (once I re-enable).

On switch GUI, ensure vlan200 is noted as the management vlan and enter in 10.10.200.2 as the switch IP address.

Confirming this is already the case.

So far, I have made the following changes (removed/replaced previous settings, where applicable):

/interface bridge
# Bridge itself now accepts tagged frames only.
add name=bridge1 protocol-mode=none vlan-filtering=yes frame-types=admit-only-vlan-tagged
/interface list
add name=WAN
add name=LAN
add name=PERMIT comment="identifies what main can access"
add name=MGMT
/interface bridge port
# Copied from the reply including its typo: "frame-types-admin-only-vlan-tagged"
# is not a valid parameter (should be frame-types=admit-only-vlan-tagged), so
# this line is likely rejected or leaves the bond at the default frame-types.
# Only the bond is a bridge port here; the access-port lines (pvid per port)
# from the reply were not adopted, so a device on eth4-6 still has no VLAN.
add bridge=bridge1  frame-types-admin-only-vlan-tagged interface=bond-sw1
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
# eth4/eth5/eth6 are listed as tagged members but are no longer bridge ports
# in this snippet; membership only takes effect for ports that are on the bridge.
add bridge=bridge1 tagged=bridge1,bond-sw1,eth4,eth5,eth6 vlan-ids=10,20,30,40,50,200
/interface list member
add interface=eth1-wan list=WAN
add interface=vlan10-main list=LAN
add interface=vlan20-guest list=LAN
add interface=vlan30-lab list=LAN
add interface=vlan40-iot list=LAN
add interface=vlan50-cctv list=LAN
add interface=vlan200-mgmt list=LAN
add interface=eth3-backup list=LAN
# MGMT: vlan200, vlan10 and the out-of-band eth3-backup may manage the router.
add interface=vlan200-mgmt list=MGMT
add interface=vlan10-main list=MGMT
add interface=eth3-backup list=MGMT
add interface=vlan30-lab list=PERMIT
add interface=vlan40-iot list=PERMIT
add interface=vlan50-cctv list=PERMIT

My expectation, from the current configuration, is that devices plugged into the switch will get IP addresses based on the untagged VLANs and their networks/ranges. However, this is not occurring... For example, if I plug a device into port 23 on the switch (untagged VLAN20), I do not connect/obtain an address at all (let alone from the 10.10.20.x subnet).

Without the full config as evidence, I am unable to assist further.

Thanks for your responses so far, @anav. See latest config below:

# RouterOS 6.49.17
# model = CCR1009-8G-1S
# Full export at this point in the thread. It contains no /ip firewall
# section at all, so the router accepts management, DNS and forwarded
# traffic from every interface, eth1-wan included.
/interface bridge
# Bridge itself accepts tagged frames only.
add name=bridge1 protocol-mode=none vlan-filtering=yes frame-types=admit-only-vlan-tagged
/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=ether2 ] name=eth2
set [ find default-name=ether3 ] name=eth3-backup
set [ find default-name=ether4 ] name=eth4
set [ find default-name=ether5 ] name=eth5
set [ find default-name=ether6 ] name=eth6
set [ find default-name=ether7 ] name=eth7
set [ find default-name=ether8 ] name=eth8
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
# One L3 VLAN interface per ID on top of bridge1.
add interface=bridge1 name=vlan10-main vlan-id=10
add interface=bridge1 name=vlan20-guest vlan-id=20
add interface=bridge1 name=vlan30-lab vlan-id=30
add interface=bridge1 name=vlan40-iot vlan-id=40
add interface=bridge1 name=vlan50-cctv vlan-id=50
add interface=bridge1 name=vlan200-mgmt vlan-id=200
/interface bonding
# LACP bond to the switch (switch ports 1+2 per the poster).
add mode=802.3ad name=bond-sw1 slaves=eth7,eth8 transmit-hash-policy=layer-2-and-3
/interface list
add name=WAN
add name=LAN
add name=PERMIT comment="identifies what main can access"
add name=MGMT
/ip pool
add name=pool10-main ranges=10.10.10.11-10.10.10.254
add name=pool30-lab ranges=10.10.30.2-10.10.30.127
add name=pool200-mgmt ranges=10.10.200.2-10.10.200.254
add name=pool20-guest ranges=10.10.20.10-10.10.20.150
add name=pool40-iot ranges=10.10.40.10-10.10.40.254
add name=pool50-cctv ranges=10.10.50.10-10.10.50.254
/ip dhcp-server
add add-arp=yes address-pool=pool10-main disabled=no interface=vlan10-main lease-time=1d name=dhcp10-main
add add-arp=yes address-pool=pool30-lab disabled=no interface=vlan30-lab name=dhcp30-lab
add add-arp=yes address-pool=pool200-mgmt disabled=no interface=vlan200-mgmt name=dhcp200-mgmt
add add-arp=yes address-pool=pool20-guest disabled=no interface=vlan20-guest lease-time=8h name=dhcp20-guest
add add-arp=yes address-pool=pool40-iot disabled=no interface=vlan40-iot name=dhcp40-iot
add add-arp=yes address-pool=pool50-cctv disabled=no interface=vlan50-cctv name=dhcp50-cctv
/interface bridge port
# The bond is the only bridge port. "frame-types-admin-only-vlan-tagged" is
# not a valid parameter (should be frame-types=admit-only-vlan-tagged); an
# export would not print it this way, so this line was probably hand-edited
# and the bond may still be at the default frame-types.
add bridge=bridge1  frame-types-admin-only-vlan-tagged interface=bond-sw1
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
# eth4/eth5/eth6 are tagged members here but are not bridge ports above, so
# they carry nothing; only bridge1 and bond-sw1 are effective members.
add bridge=bridge1 tagged=bridge1,bond-sw1,eth4,eth5,eth6 vlan-ids=10,20,30,40,50,200
/interface list member
add interface=eth1-wan list=WAN
add interface=vlan10-main list=LAN
add interface=vlan20-guest list=LAN
add interface=vlan30-lab list=LAN
add interface=vlan40-iot list=LAN
add interface=vlan50-cctv list=LAN
add interface=vlan200-mgmt list=LAN
add interface=eth3-backup list=LAN
add interface=vlan200-mgmt list=MGMT
add interface=vlan10-main list=MGMT
add interface=eth3-backup list=MGMT
add interface=vlan30-lab list=PERMIT
add interface=vlan40-iot list=PERMIT
add interface=vlan50-cctv list=PERMIT
/ip address
# eth3-backup kept its original /24 rather than the /30 suggested in the reply.
add address=10.255.255.1/24 interface=eth3-backup network=10.255.255.0
add address=10.10.10.1/24 interface=vlan10-main network=10.10.10.0
add address=10.10.30.1/23 interface=vlan30-lab network=10.10.30.0
add address=10.10.40.1/24 interface=vlan40-iot network=10.10.40.0
add address=10.10.20.1/24 interface=vlan20-guest network=10.10.20.0
add address=10.10.50.1/24 interface=vlan50-cctv network=10.10.50.0
add address=10.10.200.1/24 interface=vlan200-mgmt network=10.10.200.0
/ip dhcp-client
add disabled=no interface=eth1-wan
/ip dhcp-server network
add address=10.10.10.0/24 comment=main dns-server=10.10.30.253 gateway=10.10.10.1
add address=10.10.20.0/24 comment=guest dns-server=1.1.1.1 gateway=10.10.20.1
add address=10.10.30.0/23 comment=lab dns-server=10.10.30.253 gateway=10.10.30.1
add address=10.10.40.0/24 comment=iot dns-server=10.10.30.253 gateway=10.10.40.1
add address=10.10.50.0/24 comment=cctv dns-server=10.10.30.253 gateway=10.10.50.1
add address=10.10.200.0/24 comment=mgmt dns-server=10.10.30.253,1.1.1.1 gateway=10.10.200.1
/ip dns
# Resolver enabled with no input firewall in this export: queries arriving on
# eth1-wan are answered as well (open resolver) until input rules are added.
set allow-remote-requests=yes servers=1.1.1.1

You need all ports with bridge vlans attached to the bridge.

# Adds eth4/eth5/eth6 to the bridge as trunk ports, so their tagged
# membership in /interface bridge vlan takes effect. frame-types plus
# ingress-filtering=yes means untagged frames and unknown VLAN IDs are dropped
# on ingress; a PC plugged straight into these ports will still get no
# address, which needs a pvid/untagged access-port configuration instead.
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth4
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth6
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth5

You should then see them in WinBox under Bridge > VLANs, with the plugged-in ports listed in the Current Tagged column.

You have no firewall rules :(


Thanks all for the responses. I was still facing issues, so I have (temporarily) reverted to using a single interface with VLANs and will dive deeper into bridges + bonds on a test device I have.

When you have further questions, make sure you provide the full config; continuing to present a partial config is frankly not all that useful.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )