RB2011
[admin@rt-main] > /export compact
# oct/03/2014 22:05:26 by RouterOS 6.19
# software id = KXL4-KADI
#
/interface bridge
# brAllVlan carries the tagged trunk toward the floor switches; its untagged
# traffic is the management network addressed further down (192.168.127.128/26).
# The other three bridges join one VLAN each with its wireless VAP.
add l2mtu=1598 name=brAllVlan
add l2mtu=2290 name=brBusiness
add l2mtu=2290 name=brDMZ
add l2mtu=1598 name=brVoIP
/interface ethernet
# Port naming: ether1 is the ISP uplink, ether2 a NAS, ether3-6 trunks to the
# floor switches, ether7 an ISDN/VoIP adapter.
set [ find default-name=ether7 ] comment=eth7 name=ISDN
set [ find default-name=ether1 ] comment=eth1 name=internet
set [ find default-name=ether2 ] comment=eth2 name=nas
set [ find default-name=ether5 ] comment=eth5 name=toAttic
set [ find default-name=ether3 ] comment=eth3 name=toGroundfloor
set [ find default-name=ether6 ] comment=eth6 name=toBasement
set [ find default-name=ether4 ] comment=eth4 name=to1stFloor
/interface wireless
# Master AP with a hidden SSID and no security-profile= of its own, so it runs
# on the default profile, for which this export only sets supplicant-identity.
# NOTE(review): that presumably leaves the master SSID without authentication;
# confirm on the device. The two VAPs further down are the SSIDs clients use.
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors hide-ssid=yes l2mtu=2290 mode=ap-bridge ssid=MikroTik-77DA6F
/ip neighbor discovery
# Only comments are set here. Nothing switches discovery off on `internet` or
# on the pppoe-ISP interface, so MNDP announcements presumably leave toward the
# ISP side as well -- confirm and set discover=no there if that is not wanted.
set ISDN comment=eth7
set internet comment=eth1
set nas comment=eth2
set toAttic comment=eth5
set toGroundfloor comment=eth3
set toBasement comment=eth6
set to1stFloor comment=eth4
/interface vlan
# VLAN plan on this router: 1000 Business, 1001 VoIP, 1004 DMZ/guest. 1002 is
# reserved for management but disabled; management actually runs untagged on
# brAllVlan (see dhcpManagement and the 192.168.127.190/26 address below).
add interface=brAllVlan l2mtu=1594 name=vlBusiness vlan-id=1000
add interface=brAllVlan l2mtu=1594 name=vlDMZ vlan-id=1004
add disabled=yes interface=brAllVlan name=vlManagement vlan-id=1002
add interface=brAllVlan l2mtu=1594 name=vlVoIP vlan-id=1001
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Pre-shared keys are exported in clear text; treat this file as a secret.
# profGuest accepts wpa-psk (WPA1/TKIP-era clients) next to wpa2-psk; drop
# wpa-psk unless a legacy guest device still needs it.
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profBusiness supplicant-identity="" \
wpa2-pre-shared-key=BusinessPSK
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profGuest supplicant-identity="" \
wpa-pre-shared-key=GuestPSK wpa2-pre-shared-key=GuestPSK
/interface wireless
# Virtual APs with per-SSID profiles: "Business" is bridged into brBusiness,
# "Gast" into brDMZ (bridge ports below).
add disabled=no l2mtu=2290 mac-address=4E:5E:0C:77:DA:70 master-interface=wlan1 name=vapBusiness security-profile=profBusiness ssid=\
"Business" wds-cost-range=0 wds-default-cost=0
add disabled=no l2mtu=2290 mac-address=4E:5E:0C:77:DA:6F master-interface=wlan1 name=vapGuest security-profile=profGuest ssid="Gast" \
wds-cost-range=0 wds-default-cost=0
/ip pool
# Address plan: 192.168.127.0/26 Business, .64/26 VoIP, .128/26 management,
# .192/26 L2TP VPN clients, 192.168.255.128/25 DMZ/guest.
add name=poolVoIP ranges=192.168.127.65-192.168.127.125
add name=poolDMZ ranges=192.168.255.129-192.168.255.253
add name=poolMgmt ranges=192.168.127.129-192.168.127.189
add name=poolBusiness ranges=192.168.127.1-192.168.127.61
add name=vpnPool ranges=192.168.127.193-192.168.127.254
/ip dhcp-server
# dhcpManagement listens on brAllVlan, i.e. untagged on every trunk port: any
# untagged device plugged into a floor-switch uplink port receives a management
# address. Keep that in mind while vlManagement (1002) stays disabled.
add address-pool=poolVoIP disabled=no interface=brVoIP lease-time=20h name=dhcpVoIP
add address-pool=poolDMZ disabled=no interface=brDMZ lease-time=1h name=dhcpDMZ
add address-pool=poolMgmt disabled=no interface=brAllVlan lease-time=8h name=dhcpManagement
add address-pool=poolBusiness disabled=no interface=brBusiness lease-time=20h name=dhcpBusiness
/port
set 0 name=serial0
/ppp profile
set 0 comment="do not touch -- ISP pppoe dial-in profile"
# Profile 1 is what the VPN secret further down uses; both ends of a VPN
# session are addressed out of vpnPool.
set 1 local-address=vpnPool remote-address=vpnPool
/interface pppoe-client
# ISP uplink. allow=pap,chap lets the peer choose PAP, which sends the password
# in clear; restrict to chap if the ISP supports it. The password itself is
# stored here in clear text.
add ac-name=BERR75-se800-B2244460703306 add-default-route=yes allow=pap,chap default-route-distance=1 dial-on-demand=yes disabled=no interface=\
internet keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-ISP password=12345678 profile=default service-name="" \
use-peer-dns=yes user=user@isp.tld
/system logging action
set 1 disk-lines-per-file=300
# Separate disk log for firewall events (wired to the firewall topic at the end).
add disk-lines-per-file=300 name=FirewallDrops target=disk
/interface bridge port
# The four floor trunks plus ether8/ether9 are members of brAllVlan; each VLAN
# sub-interface is then bridged with its wireless VAP (and ISDN for VoIP).
add bridge=brAllVlan interface=toAttic
add bridge=brAllVlan interface=to1stFloor
add bridge=brAllVlan interface=toGroundfloor
add bridge=brVoIP interface=ISDN
add bridge=brAllVlan interface=ether8
add bridge=brAllVlan interface=ether9
add bridge=brBusiness interface=vapBusiness
add bridge=brBusiness interface=vlBusiness
add bridge=brDMZ interface=vapGuest
add bridge=brDMZ interface=vlDMZ
add bridge=brVoIP interface=vlVoIP
add bridge=brAllVlan interface=toBasement
/interface bridge settings
# Bridged and VLAN-tagged frames are passed through /ip firewall, so the
# filter rules below also see traffic that stays inside a bridge.
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface l2tp-server server
# Road-warrior VPN: L2TP over IPsec. The IPsec PSK is exported in clear text
# and is shared by every client; per-user credentials are the /ppp secret
# below. NOTE(review): with use-ipsec=yes plain L2TP is presumably still
# negotiable; if this build offers use-ipsec=required, prefer it, because
# 1701/udp is accepted from any source in the services chain.
set enabled=yes ipsec-secret="ipsecPSK" use-ipsec=yes
/ip address
add address=192.168.127.62/26 interface=brBusiness network=192.168.127.0
add address=192.168.127.126/26 interface=brVoIP network=192.168.127.64
add address=192.168.255.254/25 interface=brDMZ network=192.168.255.128
add address=192.168.127.190/26 comment="Management network" interface=brAllVlan network=192.168.127.128
/ip dhcp-client
# DHCP on the raw `internet` port next to the PPPoE session. With distance 0 a
# default route learned here would be preferred over the PPPoE one (distance 1).
add default-route-distance=0 dhcp-options=hostname,clientid interface=internet
/ip dhcp-server lease
# Fixed leases: the VoIP phone (.125) and a Business host (.61).
add address=192.168.127.125 mac-address=D8:DF:0D:00:19:A7 server=dhcpVoIP
add address=192.168.127.61 client-id=1:0:11:32:2c:fe:b7 mac-address=00:11:32:2C:FE:B7 server=dhcpBusiness
/ip dhcp-server network
# Internal networks get the router as resolver with 8.8.8.8 as fallback; the
# DMZ/guest network is pointed straight at public resolvers.
add address=192.168.127.0/26 dns-server=192.168.127.62,8.8.8.8 gateway=192.168.127.62
add address=192.168.127.64/26 dns-server=192.168.127.126,8.8.8.8 gateway=192.168.127.126
add address=192.168.127.128/26 dns-server=192.168.127.190,8.8.8.8 gateway=192.168.127.190
add address=192.168.255.128/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.255.254
/ip dns
# allow-remote-requests=yes turns the router into a resolver. Together with the
# services rules below that accept tcp/udp 53 with no in-interface or source
# restriction, it answers queries arriving on pppoe-ISP as well -- an open
# resolver usable for amplification. Restrict the port-53 rules to the internal
# bridges (e.g. in-interface=!pppoe-ISP) or to an address list.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
# Input policy: a two-step port knock (2014, then 4102 within 15s) adds the
# source to `safe` for 15 minutes; `safe` sources get full access to the
# router, everyone else only what the services chain lists. Management
# protocols absent from services (ssh, winbox, www-ssl) are thus reachable
# only after knocking. The knock ports are not secret once this export is
# shared.
add action=add-src-to-address-list address-list=knock address-list-timeout=15s chain=input dst-port=2014 protocol=tcp
add action=add-src-to-address-list address-list=safe address-list-timeout=15m chain=input dst-port=4102 protocol=tcp src-address-list=knock
add chain=input comment="accept established connection packets" connection-state=established
add chain=input comment="accept related connection packets" connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=invalid
add chain=input comment="Allow access to router from known network" src-address-list=safe
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
# Sources exceeding 10 concurrent TCP connections (per /32) land in black_list
# for a day; the tarpit rule for black_list entries is evaluated first.
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 \
protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" jump-target=services
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
# ICMP: echo reply (0), port unreachable (3:3), fragmentation needed (3:4),
# echo request (8) and time exceeded (11) are rate-limited to 5/s; the rest is
# dropped.
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
# services chain: every rule here carries no in-interface, so whatever it
# accepts is accepted from ANY interface, pppoe-ISP included. Review each
# enabled entry for WAN exposure -- MAC-winbox (20561/udp), the bandwidth-test
# server (2000/tcp), MNDP (5678/udp), DNS (53) and DHCP (67-68/udp) are
# internal services that should not be reachable from the ISP side.
add chain=services comment="accept localhost" dst-address=127.0.0.1 src-address=127.0.0.1
add chain=services comment="allow MACwinbox " dst-port=20561 protocol=udp
# A bandwidth-test server reachable from anywhere can be used to saturate the
# uplink or the CPU; bind it to internal interfaces or disable the rule.
add chain=services comment="Bandwidth server" dst-port=2000 protocol=tcp
add chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=udp
# SNMP runs over UDP 161; this tcp rule does not match SNMP queries, so SNMP
# (enabled below) is effectively reachable only from `safe` sources. If that
# is the intended posture, delete the rule; otherwise make it udp and bind it
# to the management interface.
add chain=services comment="allow SNMP" dst-port=161 protocol=tcp
add chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 protocol=udp
add chain=services comment="Allow NTP" dst-port=123 protocol=udp
# PPTP (1723/tcp + GRE) is accepted although no PPTP server appears in this
# export; the VPN in use is L2TP/IPsec. Disable these rules until PPTP is
# actually needed (GRE is also what EoIP uses, hence the comment).
add chain=services comment="Allow PPTP" dst-port=1723 protocol=tcp
add chain=services comment="Allow L2TP" dst-port=1701 protocol=udp
add chain=services comment="allow PPTP and EoIP" protocol=gre
add chain=services comment="allow DNS request" dst-port=53 protocol=tcp
add chain=services comment="Allow DNS request" dst-port=53 protocol=udp
add chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
add chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
add chain=services comment="allow DHCP" dst-port=67-68 protocol=udp
add chain=services comment="allow Web Proxy" disabled=yes dst-port=8080 protocol=tcp
add chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add chain=services comment="allow https for Hotspot" disabled=yes dst-port=443 protocol=tcp
add chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=1080 protocol=tcp
# IKE (500/udp), NAT-T (4500/udp), ESP and AH from any source: required for
# the L2TP/IPsec road-warrior clients.
add chain=services comment="allow IPSec connections" dst-port=500 protocol=udp
add chain=services comment="allow IPSec NAT-T connections" dst-port=4500 protocol=udp
add chain=services comment="allow IPSec" protocol=ipsec-esp
add chain=services comment="allow IPSec" protocol=ipsec-ah
add chain=services comment="allow RIP" disabled=yes dst-port=520-521 protocol=udp
add chain=services comment="allow OSPF" disabled=yes protocol=ospf
add action=return chain=services
# Everything that falls through is logged without a rate limit; under a flood
# every packet ends up in the FirewallDrops disk log. Add limit= to this rule
# and keep the flash wear of target=disk in mind.
add action=log chain=input log-prefix=Filter:
add action=drop chain=input comment="drop everything else"
# Forward chain. NOTE(review): there is no terminating drop here and the
# built-in chain policy is accept, so the five accept rules change nothing and
# the only effect of this section is the two rejects for DMZ -> Business.
# DMZ -> VoIP and DMZ -> management (brAllVlan) are therefore presumably
# permitted, as is anything from VPN clients; put the intended allow list in
# front of an explicit final drop.
add chain=forward in-interface=brBusiness out-interface=brVoIP
add chain=forward in-interface=brAllVlan out-interface=brVoIP
add chain=forward in-interface=brVoIP out-interface=brBusiness
add chain=forward in-interface=brVoIP out-interface=brAllVlan
add chain=forward connection-state=new in-interface=brAllVlan out-interface=brDMZ
add action=reject chain=forward connection-state=new in-interface=brDMZ out-interface=brBusiness reject-with=icmp-net-prohibited
add action=reject chain=forward connection-state=invalid in-interface=brDMZ out-interface=brBusiness reject-with=icmp-net-prohibited
/ip firewall nat
# Everything leaving via the ISP session is source-NATed.
add action=masquerade chain=srcnat out-interface=pppoe-ISP
/ip firewall service-port
# SIP connection-tracking helper switched off; with a VoIP bridge in place this
# is the usual choice, since the helper rewrites SIP/SDP -- presumably intended.
set sip disabled=yes
/ip service
# telnet/ftp/www/api/api-ssl off. ssh, winbox and www-ssl stay enabled with no
# address= restriction (defaults are not exported) and rely entirely on the
# input chain above, i.e. on the knock sequence.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=no
/ppp secret
# VPN user credential in clear text. default-encryption is the built-in
# profile that enables PPP-layer encryption; its settings are not in this
# export.
add name=l2tpusername password=password profile=default-encryption service=l2tp
/snmp
# SNMP is enabled but no /snmp community is exported, so the built-in default
# community is presumably in use: set a non-default read-only community and
# restrict its addresses= to the management network. contact and location are
# readable by anyone who can query the agent.
set contact=alias@domain.tld enabled=yes location="headoffice"
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=rt-main
/system logging
# firewall topic is taken out of the memory log (topic 0) and sent to the
# FirewallDrops disk file instead; critical also goes to disk.
set 0 topics=info,!firewall
set 1 action=disk
add action=disk topics=critical
add action=FirewallDrops topics=firewall
/system ntp client
# Time from two public NTP servers addressed by IP; no NTP authentication.
set enabled=yes primary-ntp=148.251.6.51 secondary-ntp=89.163.224.15
/tool sniffer
# Packet sniffer pre-configured to capture the VoIP phone (the fixed .125
# lease above) on the groundfloor trunk into sip.pcap on the router. The export
# does not show whether it is running; stop it when done and delete the capture
# file, which holds call signalling and possibly media.
set file-name=sip.pcap filter-interface=toGroundfloor filter-ip-address=192.168.127.125/32
RB951G-2HnD (non-switched configuration)
[admin@rt-basement] > /export compact
# oct/03/2014 22:12:14 by RouterOS 6.19
# software id = 2VSE-WU8G
#
/interface bridge
# Layer-2 only device: each bridge joins one VLAN off the ether1 trunk with
# its wireless VAP and local access ports. No IP addresses are configured on
# the bridges; the router itself is reached via the DHCP client on ether1.
add l2mtu=1594 name=brBusiness
add l2mtu=1594 name=brDMZ
# STP disabled on the VoIP bridge.
add l2mtu=1594 name=brVoIP protocol-mode=none
/interface wireless
# Master AP with a hidden SSID and no security-profile= of its own, so it runs
# on the default profile, for which this export only sets supplicant-identity.
# NOTE(review): that presumably leaves the master SSID without authentication;
# confirm on the device. The two VAPs below are the SSIDs clients use.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above frequency=auto hide-ssid=yes ht-rxchains=0 ht-txchains=0 l2mtu=2290 \
mode=ap-bridge ssid=MasterAP
/ip neighbor discovery
# Discovery is switched off on the wireless and VLAN interfaces but left on
# ether1 (the untagged management uplink), so this router announces itself only
# on the management side.
set wlan1 discover=no
/interface vlan
# Same VLAN ids as the core router: 1000 Business, 1001 VoIP, 1004 DMZ/guest.
add interface=ether1 l2mtu=1594 name=vlBusiness vlan-id=1000
add interface=ether1 l2mtu=1594 name=vlDMZ vlan-id=1004
add interface=ether1 l2mtu=1594 name=vlVoIP vlan-id=1001
/ip neighbor discovery
set vlBusiness discover=no
set vlDMZ discover=no
set vlVoIP discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Pre-shared keys are exported in clear text; treat this file as a secret.
# profGuest accepts wpa-psk (WPA1/TKIP-era clients) next to wpa2-psk; drop
# wpa-psk unless a legacy guest device still needs it.
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profBusiness supplicant-identity="" \
wpa2-pre-shared-key=BusinessPSK
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profGuest supplicant-identity="" \
wpa-pre-shared-key=GuestPSK wpa2-pre-shared-key=GuestPSK
/interface wireless
# Virtual APs with per-SSID profiles, bridged into brBusiness and brDMZ below.
add disabled=no mac-address=4E:5E:0C:4D:DD:CF master-interface=wlan1 name=vapBusiness security-profile=profBusiness ssid="jubelkind Business" \
wds-cost-range=0 wds-default-cost=0
add disabled=no mac-address=4E:5E:0C:4D:DD:D0 master-interface=wlan1 name=vapGuest security-profile=profGuest ssid="jubelkind Gast" wds-cost-range=0 \
wds-default-cost=0
/ip ipsec proposal
# No IPsec peer or policy appears in this export, so this proposal is
# presumably unused. If IPsec is ever enabled here, 3DES is obsolete -- move
# the proposal to AES before relying on it.
set [ find default=yes ] enc-algorithms=3des
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=300
# Separate disk log for firewall events (wired to the firewall topic at the end).
add disk-lines-per-file=300 name=FirewallDrops target=disk
/interface bridge port
# ether2 is a VoIP access port, ether3-5 Business access ports; the guest
# bridge has only the VAP and its VLAN.
add bridge=brVoIP interface=vlVoIP
add bridge=brVoIP interface=ether2
add bridge=brBusiness interface=vapBusiness
add bridge=brBusiness interface=vlBusiness
add bridge=brBusiness interface=ether3
add bridge=brBusiness interface=ether4
add bridge=brBusiness interface=ether5
add bridge=brDMZ interface=vapGuest
add bridge=brDMZ interface=vlDMZ
/ip dhcp-client
# Management address comes untagged over ether1, i.e. from the core router's
# dhcpManagement on brAllVlan.
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall filter
# Input policy mirrors the core router: a two-step port knock (2014, then 4102
# within 15s) adds the source to `safe` for 15 minutes; `safe` sources get
# full access, everyone else only what the services chain lists. The knock
# ports are not secret once this export is shared. No forward rules exist
# here, and with no IP on the bridges the filter only guards the router itself.
add action=add-src-to-address-list address-list=knock address-list-timeout=15s chain=input dst-port=2014 protocol=tcp
add action=add-src-to-address-list address-list=safe address-list-timeout=15m chain=input dst-port=4102 protocol=tcp src-address-list=knock
add chain=input comment="accept established connection packets" connection-state=established
add chain=input comment="accept related connection packets" connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=invalid
add chain=input comment="Allow access to router from known network" src-address-list=safe
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
# Sources exceeding 10 concurrent TCP connections (per /32) land in black_list
# for a day; the tarpit rule for black_list entries is evaluated first.
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 \
protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" jump-target=services
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
# ICMP: echo reply (0), port unreachable (3:3), fragmentation needed (3:4),
# echo request (8) and time exceeded (11) are rate-limited to 5/s; the rest is
# dropped.
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
# services chain: no rule carries in-interface, so anything accepted here is
# accepted from every VLAN and the guest Wi-Fi alike. This copy of the chain is
# missing the 4500/udp (NAT-T) and 1701/udp (L2TP) rules of the core router,
# which is fine as no VPN terminates here -- the remaining entries (PPTP, GRE,
# DNS, bandwidth-test server) are likewise unused on this device and can be
# disabled.
add chain=services comment="accept localhost" dst-address=127.0.0.1 src-address=127.0.0.1
add chain=services comment="allow MACwinbox " dst-port=20561 protocol=udp
add chain=services comment="Bandwidth server" dst-port=2000 protocol=tcp
add chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=udp
# SNMP runs over UDP 161; this tcp rule does not match SNMP queries, so SNMP
# (enabled below) is effectively reachable only from `safe` sources. Delete the
# rule or make it udp and bind it to ether1, whichever is intended.
add chain=services comment="allow SNMP" dst-port=161 protocol=tcp
add chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 protocol=udp
add chain=services comment="Allow NTP" dst-port=123 protocol=udp
add chain=services comment="Allow PPTP" dst-port=1723 protocol=tcp
add chain=services comment="allow PPTP and EoIP" protocol=gre
add chain=services comment="allow DNS request" dst-port=53 protocol=tcp
add chain=services comment="Allow DNS request" dst-port=53 protocol=udp
add chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
add chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
add chain=services comment="allow DHCP" dst-port=67-68 protocol=udp
add chain=services comment="allow Web Proxy" disabled=yes dst-port=8080 protocol=tcp
add chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add chain=services comment="allow https for Hotspot" disabled=yes dst-port=443 protocol=tcp
add chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=1080 protocol=tcp
add chain=services comment="allow IPSec connections" dst-port=500 protocol=udp
add chain=services comment="allow IPSec" protocol=ipsec-esp
add chain=services comment="allow IPSec" protocol=ipsec-ah
add chain=services comment="allow RIP" disabled=yes dst-port=520-521 protocol=udp
add chain=services comment="allow OSPF" disabled=yes protocol=ospf
add action=return chain=services
# Unrated logging of every dropped packet into the FirewallDrops disk log; add
# limit= to this rule to keep a flood from filling the log.
add action=log chain=input log-prefix=Filter:
add action=drop chain=input comment="drop everything else"
/ip service
# telnet/ftp/www/api/api-ssl off. ssh, winbox and www-ssl stay enabled with no
# address= restriction and rely on the input chain above (knock sequence).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=no
/snmp
# SNMP is enabled but no /snmp community is exported, so the built-in default
# community is presumably in use: set a non-default read-only community and
# restrict its addresses= to the management network.
set contact=alias@domain.tld enabled=yes location="headoffice"
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=rt-basement
/system leds
set 0 interface=wlan1
/system logging
# firewall topic is taken out of the memory log (topic 0) and sent to the
# FirewallDrops disk file instead; critical also goes to disk.
set 0 topics=info,!firewall
set 1 action=disk
add action=disk topics=critical
add action=FirewallDrops topics=firewall
/system ntp client
# Time is taken from the core router's management address. NOTE(review): the
# core router's export shows no /system ntp server section, so unless NTP
# serving is enabled there at defaults, this client never synchronises and
# log timestamps here drift -- confirm.
set enabled=yes primary-ntp=192.168.127.190
RB951G-2HnD (switched configuration)
[admin@rt-groundfloor] > /export compact
# jan/03/1970 07:40:17 by RouterOS 6.19
# software id = 9JPT-U9EL
#
/interface wireless
# The export header dates this device to 1970: no NTP client is configured
# here, so log timestamps and anything time-based are meaningless until one
# is added. wlan1 carries no disabled=no (unlike the other two routers) and no
# security profile, so it presumably remains at its factory-disabled state;
# do not enable it as is.
set [ find default-name=wlan1 ] l2mtu=2290 ssid=MikroTik
/interface ethernet
# ether3-5 are grouped into the switch chip behind ether2 (hardware switching);
# ether1 is left outside the group.
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/interface vlan
# NOTE(review): vlManagement here is VLAN 1004, which on the core router is
# vlDMZ -- the guest/DMZ network 192.168.255.128/25. The core router's
# management runs untagged (its reserved management tag 1002 is disabled). The
# DHCP client on vlManagement below is therefore addressed from the DMZ pool,
# placing this switch's management plane on the guest network. Either use the
# untagged uplink / tag 1002 for management, or rename this interface.
add interface=ether2 l2mtu=1594 name=vlBusiness vlan-id=1000
add interface=ether2 l2mtu=1594 name=vlManagement vlan-id=1004
/interface ethernet switch port
# Switch-chip VLAN filtering. Indices here are switch port numbers, not ether
# names; confirm the mapping with /interface ethernet switch port print.
# vlan-mode=secure only admits VLANs a port is a member of below; the
# always-strip ports look like access ports (one VoIP, two Business), the
# add-if-missing port like the tagged uplink.
set 1 default-vlan-id=1001 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=1000 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=1000 vlan-header=always-strip vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface ethernet switch vlan
# VLAN membership table: 1001 (VoIP) on ether2 + uplink, 1000 (Business) on
# ether3/4 + uplink, 1004 only on the uplink; the CPU port is in all three.
add independent-learning=no ports=ether2,ether5,switch1-cpu switch=switch1 vlan-id=1001
add independent-learning=no ports=ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=1000
add independent-learning=no ports=ether5,switch1-cpu switch=switch1 vlan-id=1004
/ip dhcp-client
# The switch takes an address in both VLANs. NOTE(review): this export has no
# /ip firewall filter and no /ip service changes, so every service left at its
# default (telnet, ftp, www, ssh, winbox, api) is reachable from any host on
# VLAN 1000 and -- via the mis-tagged vlManagement -- from the guest network.
# With addresses in both VLANs and nothing filtering forward traffic, the switch
# presumably also routes between them for any host that points a route at it,
# bypassing the DMZ -> Business reject on the core router. Add the same input
# chain the other routers use, drop forward traffic here, and disable the
# unused services.
add dhcp-options=hostname,clientid disabled=no interface=vlManagement
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlBusiness
/ip upnp
set allow-disable-external-interface=no
/system identity
set name=rt-groundfloor
/system leds
set 0 interface=wlan1