Client cannot receive a DHCP address on a specific VLAN

Hello,

I have a Mikrotik CRS112-8P-4S directly connected to an HPE switch. The HPE switch is the DHCP server for VLAN 1 and VLAN 50, the DHCP relay for VLAN 1 is working but the relay for VLAN 50 is giving some issues. The DHCP for VLAN 50 on the HPE is correctly assigning DHCP addresses for other switches directly connected to it, the only “problematic” switch is the Mikrotik.

The client that is not receiving the IP address in VLAN 50 is connected on eth2 and the trunk to the HPE switch is on eth8. The client needs to receive an IP address from the HPE switch on VLAN 50 and then, if it meets the requirements, on VLAN 1 (the change of VLAN is carried out by 802.1x, and this assignment on VLAN 1, the production VLAN, is working well).

Below I’m pasting the configuration of the ports and the VLANs; can you please help me find out what is missing? The IP address of VLAN 50 on the Mikrotik can ping the VLAN 50 address of the HPE switch and vice versa, but DHCP is not working.

[...]

/interface bridge
add admin-mac=D4:01:C3:D9:50:A9 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan50 vlan-id=50

[...]

/interface bridge port

add bridge=bridge comment=defconf interface=ether2 pvid=50

[...]

add bridge=bridge comment=defconf interface=ether8

[...]

/interface bridge vlan
add bridge=bridge tagged=ether8 untagged=ether3,ether4,ether5,ether6,ether7,ether2 vlan-ids=50
add bridge=bridge tagged=ether8 untagged=ether1 vlan-ids=1
/interface dot1x server
add accounting=no disabled=yes guest-vlan-id=50 interface=ether2 reauth-timeout=5m reject-vlan-id=50 server-fail-vlan-id=1

[...]

add address=10.1.109.125/25 interface=bridge network=10.1.109.0
add address=10.50.109.125/25 interface=vlan50 network=10.50.109.0

[...]

Thank You and kind regards

Please post the whole configuration, it is improbable that with only the snippets you posted anyone will be able to understand where the issue might be.

wild guess: you didn’t mark DHCP port as trusted.

But yes: paste the whole config and create a network diagram

Hello!

I changed the topology: eth1 is now the trunk port and eth2 is the port of the IP camera. DHCP for VLAN 1 is working; I also noticed that even if I put the IP camera in VLAN 50, the IP address obtained in VLAN 1 still works and is reachable. Now 802.1x on eth2 is disabled, so the device must use VLAN 50.

The configuration:

/interface bridge
add admin-mac=D4:01:C3:D9:50:A9 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface list
add name=WAN
add name=LAN
/port
set 0 name=serial0
/snmp community
add addresses=::/0 name=##########
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2 pvid=50
add bridge=bridge comment=defconf interface=ether3 pvid=50
add bridge=bridge comment=defconf interface=ether4 pvid=50
add bridge=bridge comment=defconf interface=ether5 pvid=50
add bridge=bridge comment=defconf interface=ether6 pvid=50
add bridge=bridge comment=defconf interface=ether7 pvid=50
add bridge=bridge comment=defconf interface=ether8 pvid=50
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2 vlan-ids=50
add bridge=bridge tagged=ether1 vlan-ids=1
/interface dot1x server
add accounting=no guest-vlan-id=50 interface=ether2 reauth-timeout=5m reject-vlan-id=50 server-fail-vlan-id=1 NOW DISABLED
add accounting=no guest-vlan-id=50 interface=ether3 reauth-timeout=5m reject-vlan-id=50 server-fail-vlan-id=1
add accounting=no guest-vlan-id=50 interface=ether4 reauth-timeout=5m reject-vlan-id=50 server-fail-vlan-id=1
add accounting=no guest-vlan-id=50 interface=ether5 reauth-timeout=5m reject-vlan-id=50 server-fail-vlan-id=1
add accounting=no guest-vlan-id=50 interface=ether7 reauth-timeout=5m reject-vlan-id=50 server-fail-vlan-id=1
add accounting=no guest-vlan-id=50 interface=ether6 reauth-timeout=5m reject-vlan-id=50 server-fail-vlan-id=1
/interface ethernet switch port
set 1 vlan-type=edge-port
set 2 vlan-type=edge-port
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp9 list=LAN
add interface=sfp10 list=LAN
add interface=sfp11 list=LAN
add interface=sfp12 list=LAN
/ip address
add address=10.1.109.125/25 interface=bridge network=10.1.109.0
/ip dns
set servers=10.1.5.9
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.1.109.126 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.50.109.0/25 gateway=10.50.109.126 routing-table=main suppress-hw-offload=no
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both
/radius
add address=10.1.5.19 authentication-port=1645 require-message-auth=no secret=########## service=dot1x src-address=10.1.109.125
/radius incoming
set accept=yes
/snmp
set enabled=yes trap-community=########## trap-version=2
/system clock
set time-zone-name=Europe/Rome
/system clock manual
set time-zone=-02:00
/system identity
set name=SW-A-P
/system logging
add topics=radius,debug
/system ntp client servers
add address=193.204.114.105
add address=10.1.5.254
/tool sniffer
set filter-interface=ether2 filter-mac-protocol=ip filter-port=bootps,bootpc memory-scroll=no

Thank You


Besides, and before anything else, you shouldn't use "numbers" with set when not in an interactive session:

You never know which item is actually 1 or 2.

Generally speaking the "correct" way is to use find to select an item from one unique characteristic (like name, address, comment, etc.), see:

but in your case you can probably use port names directly (if this is what you want to obtain) i.e.:

/interface ethernet switch port
set ether1 vlan-type=edge-port
set ether2 vlan-type=edge-port

Now the 802.1x on the eth2 is disabled, so the device must use the VLAN 50

How did you disable it exactly?

Do you really need dot1x?

set 1 vlan-type=edge-port

Do you use IVL?

As the situation isn’t clear, use Torch or the sniffer to see which traffic goes to which interface.

I disabled it via Winbox, using “disable” for 802.1x on the single port. The 802.1x is strictly needed, but for now I’m happy if we can get the camera into a condition to have an IP in VLAN 50. I don’t use IVL.

Since I can reach the camera on a VLAN 1 IP address assigned by DHCP, even if the port is in VLAN 50, it seems that the switch is ignoring VLAN 50 or putting all the incoming/outgoing traffic in VLAN 1. Do you know what might cause this behaviour?

Thank You

I disabled it via winbox, using “disable” for 802.1x on the single port

please, show your config

it seems that the switch is ignoring the vlan 50 or putting all the incoming/outgoing traffic in VLAN 1,

This is why I suggested to use Torch or Sniffer (both available in Winbox) to see which traffic goes where.

PS:

On eth2, set

frame-types=admit-only-untagged-and-priority-tagged

on trunk (eth1) set

frame-types=admit-only-vlan-tagged

and do not use vlan1 as it means “no vlan at all”

Example:
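The frame-types settings recommended in the reply above, written out as an added example against the port names in the posted export (this is not configuration from the poster or from the thread). The ingress-filtering values, the bridge being a tagged member of VLAN 50 and the sniffer invocation are my assumptions, not something the reply stated.

```routeros
# Camera port: accept only untagged (or priority-tagged) frames and place them in VLAN 50.
# ingress-filtering=yes (assumption) additionally drops frames for VLANs the port is not a member of.
/interface bridge port
set [ find interface=ether2 ] pvid=50 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# Trunk to the HPE: accept only tagged frames, so nothing untagged can fall into the PVID VLAN.
set [ find interface=ether1 ] \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Static VLAN table. VLAN 50 is tagged on the trunk and untagged on the camera port.
# "bridge" in the tagged list is an assumption: with vlan-filtering=yes the CPU only sees
# tagged VLAN 50 frames (e.g. for an address on /interface vlan name=vlan50) if the
# bridge itself is a tagged member of that VLAN.
/interface bridge vlan
set [ find vlan-ids=50 ] tagged=ether1,bridge untagged=ether2

# Check, as the reply suggests, whether DHCP requests from the camera actually leave
# tagged on the trunk: capture only BOOTP/DHCP on ether1 (assumed invocation).
/tool sniffer quick interface=ether1 port=bootps,bootpc
```

If the capture on ether1 shows the camera's DHCP Discover without a VLAN 50 tag, the frame is being switched in the PVID of the trunk rather than in VLAN 50.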

Hello,

I really cannot use a different VLAN to replace VLAN 1; unfortunately, changing this VLAN would have an impact on a highly sensitive environment. I will perform some tests and update you as soon as possible.

Thank You!