DHCP lease stuck in "offered" state — only for Brother printers

I set up a separate, isolated guest Wi-Fi on my hAP ax³ and it seems to work. All devices connect, guests don’t see the home network and vice versa, everything works — BUT two devices refuse to connect, and both of them are Brother printers. Their DHCP lease never gets past the ‘offered’ state (the router sends the OFFER, but the printer never sends a REQUEST and no lease is bound).

I’d say I’m a bit of an advanced user and after digging through many forums I’m stumped, help please :slight_smile:

What could be the problem?

Thanks in advance.

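# 2024-09-04 21:23:16 by RouterOS 7.15.3
# software id = S8WP-BR75
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HG609VNY5K8
# NOTE(review): this export still contains real identifiers (serial number,
# software id, client MAC addresses, the public IPv4 in the dst-nat rules and
# the global IPv6 prefix). Redact them before sharing the export publicly.
#
# Topology as configured: one VLAN-filtering bridge, VLAN 10 ("luogo", home)
# on ether2-4 + both luogo wifi interfaces, VLAN 20 ("guest") on ether5 + a
# virtual AP on the 2 GHz radio. The router itself is the only tagged member
# of both VLANs; the access ports join untagged via their pvid.
/interface bridge
# pvid=10 on the bridge makes the CPU port an untagged member of VLAN 10 as
# well, but frame-types=admit-only-vlan-tagged means untagged frames are
# never accepted on the bridge port itself; the L3 interfaces below are the
# tagged luogo_vlan/guest_vlan interfaces, which is what actually carries IP.
add fast-forward=no frame-types=admit-only-vlan-tagged name=bridge \
    port-cost-mode=short protocol-mode=none pvid=10 vlan-filtering=yes
/interface wireguard
add comment=back-to-home-vpn listen-port=18616 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge name=guest_vlan vlan-id=20
add interface=bridge name=luogo_vlan vlan-id=10
/interface list
add name=WAN
add name=LUOGO
add name=GUEST
add name=VLAN
/interface wifi channel
add band=2ghz-ax comment=2GHz disabled=no frequency=2412,2432,2472 name=\
    2GHz_channel width=20/40mhz-Ce
add band=5ghz-ax comment=5GHz disabled=no frequency=5180,5260,5500 name=\
    5GHz_channel skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi security
# Both profiles allow WPA2 and WPA3 (transition mode) and enable 802.11r (ft).
# PMKID is disabled and WPS is off, which is the sensible hardening for PSK.
add authentication-types=wpa2-psk,wpa3-psk comment=\
    "luogo wifi authentication method" connect-priority=0 disable-pmkid=yes \
    disabled=no ft=yes ft-over-ds=yes group-key-update=10h name=luogo_auth \
    wps=disable
add authentication-types=wpa2-psk,wpa3-psk comment=\
    "guest wifi authentication method" connect-priority=0 disable-pmkid=yes \
    disabled=no ft=yes ft-over-ds=yes group-key-update=10h name=guest_auth \
    wps=disable
/ip pool
add name=luogo_pool ranges=172.17.10.2-172.17.10.100
# Only 9 addresses for guests with a 3h lease; the pool running dry produces a
# different failure (no OFFER at all), so it is not the printer issue, but it
# is small for a guest network.
add name=guest_pool ranges=172.17.20.2-172.17.20.10
/ip dhcp-server
# DHCP servers are bound to the VLAN interfaces, not to the bridge, so each
# VLAN only ever sees its own server.
add address-pool=luogo_pool interface=luogo_vlan lease-time=12h name=\
    luogo_dhcp_server
add address-pool=guest_pool interface=guest_vlan lease-time=3h name=\
    guest_dhcp_server
/ip smb users
set [ find default=yes ] disabled=yes
/interface wifi
# guest_wifi_2GHz is a virtual AP on the luogo 2 GHz radio with its own
# (locally administered) BSSID; there is no 5 GHz guest SSID.
add configuration=guest_config configuration.mode=ap disabled=no mac-address=\
    D6:01:C3:3C:DF:6B master-interface=luogo_wifi_2GHz name=guest_wifi_2GHz
set [ find default-name=wifi2 ] channel=2GHz_channel channel.frequency=\
    2412,2432,2472 configuration=luogo_config configuration.mode=ap disabled=\
    no name=luogo_wifi_2GHz security=luogo_auth security.connect-priority=0
set [ find default-name=wifi1 ] channel=5GHz_channel channel.frequency=\
    5180,5260,5500 configuration=luogo_config configuration.mode=ap disabled=\
    no name=luogo_wifi_5GHz security.connect-priority=0
/interface bridge port
# Access ports: untagged-only, pvid selects the VLAN. trusted=yes is a DHCP
# snooping attribute and has no effect unless dhcp-snooping is enabled on the
# bridge (it is not in this export).
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10 trusted=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=10 trusted=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=10 trusted=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=luogo_wifi_2GHz pvid=10 trusted=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=luogo_wifi_5GHz pvid=10 trusted=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=guest_wifi_2GHz pvid=20
/ip firewall connection tracking
# 10s is very aggressive for UDP (default is 10s for unreplied, longer for
# assured streams); DHCP itself is not affected, but long-lived UDP
# (VoIP, QUIC, games) will see more conntrack churn.
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LUOGO
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
# Only the bridge (CPU) is a static tagged member; access ports are added
# dynamically from their pvid. Check with /interface/bridge/vlan/print that
# both guest_wifi_2GHz and ether5 show up as untagged in VLAN 20.
add bridge=bridge comment="luogo vlan" tagged=bridge vlan-ids=10
add bridge=bridge comment="guest vlan" tagged=bridge vlan-ids=20
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=VLAN wan-interface-list=\
    WAN
/interface list member
add interface=ether1 list=WAN
add interface=luogo_vlan list=VLAN
add interface=guest_vlan list=VLAN
add interface=luogo_vlan list=LUOGO
add interface=guest_vlan list=GUEST
/interface wifi access-list
# I removed some devices
# MAC allow-list with a reject-all last entry. The two printers have no
# interface= restriction, so they are accepted on whichever SSID they join
# (the TV is pinned to luogo_wifi_2GHz). MAC filtering is not an
# authentication control - client MACs are trivially spoofable - the PSK is.
add action=accept comment="brother hl-l2350dw" disabled=no mac-address=\
    00:41:0E:DB:01:6E
add action=accept comment="brother ql-810w" disabled=no mac-address=\
    28:3A:4D:6D:91:4A
add action=accept comment="samsung tv" disabled=no interface=luogo_wifi_2GHz \
    mac-address=BC:14:17:5E:6E:5D
add action=accept comment="guest 01" disabled=yes interface=guest_wifi_2GHz \
    mac-address=E0:6D:17:54:2C:60
add action=reject comment="reject unknown" disabled=no \
    mac-address-mask=FF:FF:FF:FF:FF:FF
/interface wifi configuration
# datapath=*1 / *2 reference datapath profiles that are not in this export
# (internal IDs); their client-isolation / bridge settings cannot be reviewed
# from here. multicast-enhance rewrites multicast to unicast per client - a
# common suspect for IoT clients that misbehave, worth toggling when testing.
add comment="luogo wifi config" datapath=*1 disabled=no mode=ap \
    multicast-enhance=enabled name=luogo_config security=luogo_auth \
    security.connect-priority=0 ssid=luogo
add comment="guest wifi config" datapath=*2 disabled=no mode=ap \
    multicast-enhance=enabled name=guest_config security=guest_auth \
    security.connect-priority=0 ssid=isola
/interface wireguard peers
add allowed-address=192.168.216.3/32 comment="luogo" \
    interface=back-to-home-vpn name=peer2 public-key=\
    "xxx"
/ip address
add address=172.17.10.1/24 comment=luogo interface=luogo_vlan network=\
    172.17.10.0
add address=172.17.20.1/24 comment=guest interface=guest_vlan network=\
    172.17.20.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=172.17.10.0/24 comment="luogo network" dns-server=172.17.10.1 \
    gateway=172.17.10.1 netmask=24
# No dns-server is handed out to guests; they only get a gateway, so guest
# name resolution relies on whatever the client falls back to.
add address=172.17.20.0/24 comment="guest network" gateway=172.17.20.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static
add address=1.1.1.1 name=cloudflare-dns.com
add address=1.0.0.1 name=cloudflare-dns.com
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
# allowed_to_router does double duty: it is the input-chain allow list AND the
# "valid LAN source" list used by the forward anti-spoof rule. Because the
# guest range is in it, guest hosts get unrestricted input access to the
# router (everything not limited by /ip service address=). Consider a separate
# lan_sources list for the forward rule and only luogo/VPN in this one.
add address=172.17.10.2-172.17.10.254 comment=luogo list=allowed_to_router
add address=192.168.216.0/24 comment="back to home" list=allowed_to_router
add address=172.17.20.2-172.17.20.254 comment=guest list=allowed_to_router
/ip firewall filter
# --- input chain: explicit allow, terminal drop ---
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1w chain=input comment="port scanner detect" \
    in-interface-list=WAN log=yes log-prefix="[port scanner] " protocol=tcp \
    psd=21,3s,3,1
add action=accept chain=input connection-state=new dst-port=53 \
    in-interface-list=!WAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 \
    in-interface-list=!WAN protocol=udp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
# See note on allowed_to_router above: this also admits the guest VLAN.
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
# --- forward chain ---
# NOTE(review): there is no terminal drop in this chain, so anything that
# falls through every rule below is ACCEPTED (RouterOS default chain policy).
# In particular, new guest->luogo and luogo->guest connections matched none of
# the original rules: the accept below only covers VLAN->WAN, the
# not_in_internet drop is limited to out-interface-list=!VLAN, and guest
# sources are in allowed_to_router. The explicit inter-VLAN drop added after
# the VLAN->WAN accept closes that gap; it sits before the ICMP jump so ping
# between VLANs is blocked too. WireGuard (back-to-home-vpn) is not in the
# VLAN list and is unaffected.
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "allow all VLANs to access the Internet only, NOT each other" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=\
    "Drop new inter-VLAN connections (guest <-> luogo isolation)" \
    connection-state=new in-interface-list=VLAN log=yes log-prefix=interVLAN \
    out-interface-list=VLAN
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface-list=VLAN log=yes log-prefix=\
    !public_from_LAN out-interface-list=!VLAN
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface-list=VLAN \
    log=yes log-prefix=LAN_!LAN src-address-list=!allowed_to_router
# --- icmp chain: accept the useful types, drop the rest ---
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
# Source ports are pinned to 1-16383, presumably because the ISP (CGNAT
# "iliad") only routes a port slice to this subscriber - TODO confirm.
add action=masquerade chain=srcnat comment="luogo - iliad tcp masquerade" \
    out-interface-list=WAN protocol=tcp to-ports=1-16383
add action=masquerade chain=srcnat comment="luogo - iliad udp masquerade" \
    out-interface-list=WAN protocol=udp to-ports=1-16383
# Both dst-nat rules are disabled. If they are re-enabled, note that the
# forward chain has no explicit accept for dstnat'd new connections; they
# currently pass only because the chain has no terminal drop.
add action=dst-nat chain=dstnat comment="172.17.10.10 Resilio Sync (TCP)" \
    disabled=yes dst-address=81.57.162.27 dst-port=16380 in-interface=ether1 \
    protocol=tcp to-addresses=172.17.10.10 to-ports=16380
add action=dst-nat chain=dstnat comment="172.17.10.10 Resilio Sync (UDP)" \
    disabled=yes dst-address=81.57.162.27 dst-port=16380 in-interface=ether1 \
    protocol=udp to-addresses=172.17.10.10 to-ports=16380
add action=masquerade chain=srcnat comment="portless masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting comment="drop to blacklist list" \
    src-address-list=blacklist
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=\
    fe80::dc00:b0ff:fe68:daaf%ether1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
# Management is limited to the luogo subnet; plain-HTTP www is still enabled
# alongside www-ssl - consider disabling it.
set telnet disabled=yes
set ftp disabled=yes
set www address=172.17.10.0/24
set ssh address=172.17.10.0/24
set www-ssl address=172.17.10.0/24 disabled=no
set api disabled=yes
set winbox address=172.17.10.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
# UPnP interface definitions only; /ip upnp enabled= is not in this export
# (default off). If it is enabled, the "internal" side is the whole bridge,
# i.e. it would also serve the guest VLAN.
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 address
# IPv6 lives on the bridge interface, not on the per-VLAN interfaces, so the
# IPv4 VLAN separation is not mirrored for IPv6 - TODO confirm intent.
add address=2a01:e11:500e:b20:d601:c3ff:fe3c:df66 eui-64=yes interface=bridge
/ipv6 firewall address-list
add address=2a01:e11:500e:b20::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=\
    yes log-prefix=ipv6,invalid
# Unlike the IPv4 rule, this accepts ANY destination for traffic entering
# from the VLAN list, not only out-interface-list=WAN; left as-is because
# IPv6 addressing here is on the bridge and the matching semantics with the
# VLAN list were not verifiable from this export.
add action=accept chain=forward in-interface-list=VLAN
add action=drop chain=forward log-prefix=IPV6
add action=accept chain=output
/ipv6 nd
set [ find default=yes ] hop-limit=64
add dns=2606:4700:4700::1111,2606:4700:4700::1001 interface=bridge
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=luogo
/system logging
set 0 disabled=yes
add topics=info,!firewall
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=95.216.71.38
add address=162.159.200.123
/tool mac-server
# MAC-telnet / MAC-winbox only reachable from the luogo VLAN, not guest.
set allowed-interface-list=LUOGO
/tool mac-server mac-winbox
set allowed-interface-list=LUOGO
/user settings
set minimum-password-length=10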

PS. Before I configured the guest network and VLANs, the printers were successfully connecting and working.

My first guess: have you tried turning off WPA3 and rebooting? I have a few devices that won’t connect while it is enabled.
Also, I wouldn’t be sharing your WireGuard peer key
add allowed-address=192.168.216.3/32 comment="luogo"
interface=back-to-home-vpn name=peer2 public-key=
""
or your public IP (it is still in the dst-nat rules), the router serial number, or the real MAC addresses.

Thanks for the reply.
Previously, before the guest network and VLAN configuration, printers connected without problems. So WPA3 can’t be a problem.

As for the public key, I had the foresight to redact it. However, you are right, it would probably be better to remove it altogether :slight_smile:

And yet … try it.
Plenty of problems with AX wifi which all of a sudden disappear when not using WPA3.

If all other devices can connect on the new setting, there is no issue with VLAN nor guest network.

Done. Tried it.
Unfortunately, it didn’t work.

Maybe there is a reason why I actively swap out Brother for HP printers with my client :confused:
(really, I do …)

A DHCP lease stuck at “offered” but never accepted is something I’ve usually seen with an incorrect VLAN configuration: the client’s DISCOVER reaches the server, but the OFFER never makes it back to the client (or the client’s REQUEST never reaches the server). I haven’t checked the config yet, but maybe you will find it yourself — or there may be a misconfigured switch in between.

Edit: my assumption is that you have pvid=10 on both bridge and ports. Set pvid=1 on bridge and try again.

From The unofficial official VLAN bible:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

A word of caution > if you are thinking of using VLAN 1 in your network design. Most vendors use VLAN 1 as the native VLAN for their hardware. MikroTik uses VLAN 0. If you try to create a VLAN 1 scenario with MikroTik, and expecting tagged frames, it will be incompatible with other vendors who default VLAN 1 as untagged. Therefore, unless you are prepared to change the default behavior in MikroTik and/or other vendors, it is simpler to use VLAN 2 and higher.

Summary:
don’t use VLAN=1 at all. Use proper access ports and life will be good.

Something relevant I saw passing by today:
Rule 1 for Mikrotik: never use VLAN=1
Rule 2 for Mikrotik: NEVER use VLAN=1
Rule 3 = see above

Thanks for the reply.

Thank you! Got it. Set the VLAN ID to 2.

And unfortunately it didn’t work :frowning:
Thanks for your willingness to help :slight_smile: Collective intelligence will win out!

Something has to fill the PVID field on the interfaces, so what’s wrong with leaving it at 1 (which is the default, by the way)? What I noticed was that the config has VLAN 10 tagged AND pvid=10 set on the bridge, which seemed odd to me. I never suggested creating an access port for VLAN 1 or making a trunk for it.

Once you set a port as trunk default can remain at 1, true, since the setting “Admit only VLAN tagged” overrules that anyhow.
Access ports should be set to the pvid for the VLAN they are supposed to handle and “Only admit untagged …”.
Nowhere else (besides trunk ports) I have pvid=1. Not even on bridge.

With Mikrotik it’s best to use VLAN all the way (which means pvid=2 or higher on access ports and bridge) or no VLAN at all.

Then what do you have as PVID on a bridge in VLAN tab?

Nothing.

/interface bridge
add admin-mac=48:A9:8A:XX:YY:ZZ auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes

You can check it with either UI or by typing

/interface bridge export verbose

There is pvid=1 which is not exported since it’s default value, but it is still set

Now we have to get back from the off-topic discussion and try to help the topic author :smiley:

Tried connecting an older Brother printer — got the IP with no problem, connected.

Can you post some kind of connection diagram — are those printers wireless or wired, which ports/SSIDs/VLANs do they use, is there a switch (managed or dumb) in between, and so on?

True. But if frame-types is set the way @holvoetn wrote in the quoted config (admit-only-vlan-tagged), then the bridge does not appear as an untagged member of VLAN 1 when you run /interface/bridge/vlan/print — and that is what counts. It is similar to setting a fixed speed on an Ethernet port while auto-negotiation is on: the value is ignored.

Sure.
Here is it.
scheme.png

The older printer, wired or wifi?

WiFi

Yes, I didn’t write that at the beginning, sorry — all Brother printers are WIFI only.