Recently I’ve acquired Brocade ICX6610 and Zyxel XS3700 switches. Apart from those two, all my other gear (router, switches, APs) is Mikrotik.
My main network is 192.168.0.0
Guest networks are 192.168.4.0 and 192.168.6.0
I’m having an issue - when Zyxel or Brocade is between main router and some other MT switch and APs, IP addresses via DHCP are not passed from main router to wifi clients that are connecting on two guest networks. Main network DHCP is working fine, IP addresses are handed out.
When I remove those two switches out of equation DHCP on guest networks is working fine.

I think I screwed something up when making bridges, VLANs and WLANs on APs and on main router because I cannot find any option on these industry-grade switches that could solve this mystery.
In attachment there are configs from main router and from one of the APs. All other MT APs are configured same as this one, regarding bridging.
I’m not an expert regarding configurations , all is done by trial and error until I got it working. But it seems I made some serious errors.
Thank you in advance for all your help !
supout_CCR2116.rsc (8.59 KB)
supout_rb4011.rsc (7.71 KB)

I forgot to mention, both mentioned switches are on default settings - they should act as unmanaged switches. Only thing that is set up is main IP address on switch to match main subnet (192.168.0.x).
I’m clueless.

This are settings on Zyxel:

; Product Name = XS3700-24
; Firmware Version = V4.30(AASS.1) | 02/20/2019
; SysConf Engine Version = 1.2
vlan 1 
  name 1 
  normal "" 
  fixed 1-24 
  forbidden "" 
  untagged 1-24 
  ip address 192.168.0.20 255.255.255.0 
  ip address default-gateway 192.168.0.1 
exit
interface route-domain 192.168.0.20/24 
exit
ip address 192.168.1.20 255.255.255.0

With the configuration snippet from 3rd party switches I wouldn’t bet they actually work as dumb switches … My advice is to configure those switches as VLAN switches properly. And then see how it goes.

Id say major screwed up.
You really need to provide a network diagram to figure out what you want.need to do here. Its hard to figure out what the devices are doing, an RB4011 as a an AP/Switch or router ???
I would also not use unmanaged switches between the devices. or more accurately use managed switches as intended as managed switches.

Following is what I need and it’s relatively simple:

1. Main network 192.168.0.0 - everything on LAN ports is solely on this subnet and everything on main WLAN across APs is on this subnet. No queues here, no limitations of any kind.
2. Guest network 192.168.4.0. - everything on virtual WLAN1 across APs is on this subnet. Queues for speed limitation.
3. Private-Guest network 192.168.6.0 - everything on virtual WLAN2 across APs is on this subnet. Queues for speed limitation.
   RB4011 mentioned above is acting as AP, I took him as an example of AP config.

Here’s the rough network diagram:

Zyxel and Brocade are added to make use of 10Gbit connections that they have (lots of SFP+ and 10Gbit RJ45 ports).
If I move any existing switch (with connected APs) or APs on them, both guest network clients cannot get IP address from main router. Primary network is working fine.

Managed switch. OP will have to do quite some reading: https://www.zyxelguard.com/datasheets/Switches/XS3700-24.pdf

It is my understanding that, under initial setup (VID=1) and nothing else, managed switch should pass-through all the traffic regardless.
Or am I wrong ?

No, VID=1 is a legal VLAN ID. Some switches consider it as “native VLAN”, mostly meaning that it’s used as default PVID. Which likely means that switch will tag untagged frames on ingress and untag them on egress. And that gives impression of being dumb switch passing everything … but that is only true as long as all frames in network are untagged.
Doesn’t say anything about treating already tagged frames tough. So do as everybody suggested: don’t assume, do some reading.

Some dumb switches will pass tagged VLAN traffic without messing it up, and some will not. Sounds like the switches you are trying to use do not. Proper solution is managed switches that are properly configured.

100 percent, Thank you Sir…
Trunk port on MT heading out to zyxel, trunk port in at zyxel from MT.

CCR2116 Observations
-Dont use bridge for dhcp
-Lacking some basic structure such as interface list and members…
-Where are your /interface bridge vlan settings???

• diagram does not detail which ports coming out of CCR216 are going to which device and carrying which subnets!

For an internet facing router, your firewall rules are very weak and incomplete ???.
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=fasttrack-connection chain=forward connection-state=
established,related disabled=yes hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=forward dst-address=192.168.0.0/16 in-interface=
private-guest-vlan
add action=drop chain=forward dst-address=192.168.0.0/16 in-interface=
guest-vlan

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Assumes sfp plus ports are going to zyxel/brocade,csr3051G and Netgear.
Other ethernet ports are going to hapac,hapac2,hapac3, basebox2, hexpoe, crs112
The netgear is unmanaged thus not sure how to best setup..so disabled for now.

All managed devices get an IP on the trusted subnet…
Assume ether4 is a trusted subnet available port for the admin to plug into.
Assume connection to basebox is trusted subnet for IP address and config, and only guest wifi…
Assume all other devices can handle 3 WIFIs, trusted, guest and private guest.
Assume ether11 is off bridge for emergency access in case something goes wrong with bridge and can still access device.
(all you need to do is plug your laptop to that port and give it an IP in the 192.168.55.0 subnet- can really save your bacon )

model = CCR2116-12G-4S+

/interface bridge
add name=Bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-288-vDSL name=
“WAN1 (vDSL)-ether1”
set [ find default-name=ether2 ] comment=WAN-434-optics name=
“WAN2 (Optics)-ether2”
set [ find default-name=ether3 ] comment=WAN-LTE/5G disabled=yes name=
“WAN3 (LTE-5G))-ether3”
set [ find default-name=sfp-sfpplus1 ] advertise=
1000M-full,10000M-full,2500M-full,5000M-full
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no
/interface vlan
add interface=Bridge-local name=trusted-vlan vlan-id=5
add interface=Bridge-local name=guest-vlan vlan-id=100
add interface=Bridge-local name=private-guest-vlan vlan-id=200
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list members
add interface=“WAN1 (vDSL)-ether1” list=WAN
add interface=“WAN2 (Optics)-ether2” list=WAN
add interface=“WAN3 (LTE-5G))-ether3” list=WAN
add interface=trusted-vlan list=LAN
add interface=guest-vlan list=LAN
add interface=private-guest-vlan list=LAN
add interface=trusted-vlan list=MGMT
add interface=ether11 list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge port { all trunk ports except ether4 }
add bridge=Bridge-local interface=ether4 ingress-filtering=yes frame-types=admit-priority-and-untagged-vlans pvid=5 { admin PC or available port }
add bridge=Bridge-local interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged ( hapac )
add bridge=Bridge-local interface=ether6 ingress-filtering=yes frame-types=admit-only-vlan-tagged ( hapac2 )
add bridge=Bridge-local interface=ether7 ingress-filtering=yes frame-types=admit-only-vlan-tagged ( basebox )
add bridge=Bridge-local interface=ether8 ingress-filtering=yes frame-types=admit-only-vlan-tagged ( hapac3 )
add bridge=Bridge-local interface=ether9 ingress-filtering=yes frame-types=admit-only-vlan-tagged (crs112 )
add bridge=Bridge-local interface=ether10 ingress-filtering=yes frame-types=admit-only-vlan-tagged ( hexpoe )
add bridge=Bridge-local interface=ether12 disabled=yes (spare)
add bridge=Bridge-local interface=ether13 disabled=yes (spare)
add bridge=Bridge-local interface=sfp-sfpplus1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=Bridge-local interface=sfp-sfpplus2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=Bridge-local interface=sfp-sfpplus3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=Bridge-local interface=sfp-sfpplus4 disabled=yes ingress-filtering=yes frame-types=admit-priority-and-untagged-vlan pvid=X ( netgear )
/interface bridge vlan
add bridge=Bridge-local tagged=Bridge-local,sfp-sfpplus1,sfp-sfpplus2,spf-sfpplus3,ether5,ether6,ether7,ether8,ether9,ether10 untagged=ether4 vlan-ids=5
add bridge=Bridge-local tagged=Bridge-local,sfp-sfpplus1,sfp-sfpplus2,spf-sfpplus3,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=100
add bridge=Bridge-local tagged=Bridge-local,sfp-sfpplus1,sfp-sfpplus2,spf-sfpplus3,ether5,ether6,ether8,ether9,ether10 vlan-ids=200
/ip address
add address=192.168.0.1/24 interface=trusted-vlan network=192.168.0.0
add address=192.168.2.2/24 interface=“WAN1 (vDSL)-ether1” network=192.168.2.0
add address=192.168.3.2/24 interface=“WAN3 (LTE-5G))-ether3” network=
192.168.3.0
add address=192.168.4.1/24 interface=guest-vlan network=192.168.4.0
add address=192.168.5.2/24 interface=“WAN2 (Optics)-ether2” network=
192.168.5.0
add address=192.168.6.1/24 interface=private-guest-vlan network=192.168.6.0
add address=192.168.55.1/24 interface=ether11 network=192.168.55.0 comment=“Emergency Access off Bridge”
/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
(admin rules)
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment=“drop all else” { put this in as very last change to entire config }
{forward chain}
(default rules)
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
(admin rules)
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

If you elect to go this way, then the rest of the MIKROTIK DEVICES USING ROS can be set up as follows…

/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
/interface vlan
add interface=bridge name=TRUSTED vlan-id=5 { Only vlan required to be identified }
/interface list
add name=management
/interface wireless _ as per your requirements!!!
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1 { trunk port for traffic to/fro CCR2116 }
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=name_of_WLAN-A pvid=5
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=name_of_WLAN-B pvid=100
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=name_of_WLAN-C pvid=200
etc…
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=WLAN-A vlan-ids=5
add bridge=bridge tagged=bridge,ether1 untagged=WLAN-B vlan-ids=100
add bridge=bridge tagged=bridge,ether1 untagged=WLAN-C vlan-ids=200
/interface list member
add interface=TRUSTED list=management
/ip address { assumes device to be given an IP of 192.168.0.77 }
add address=192.168.0.77/24 interface=TRUSTED network=192.168.0.0 comment=“IP of MT device on trusted subnet”
/ip dns
set allow-remote-requests=yes servers=192.168.0.1 comment=“dns through trusted subnet gateway”
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1 comment=“ensures route avail through trusted subnet gateway”
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management

Attempt to apply the latter to the RB4011 and post the config, and I will have a look…

First of all, thank you for all your help, much appreciated !

Regarding network topology - it may appear complicated but, actually, it’s very simple:
1. Main router CCR2216
2. 10-15 APs, all doing the same thing and configured in the same way, all of them Mikrotik.
3. Few switches in-between, to provide PoE to APs and surveillance cameras and to connect them (and 4-5 PCs, few printers) to CCR2116. Most of them Mikrotik.
4. Main subnet 192.168.0.0 - all physical LAN connectors connect to that network. All APs with main SSID are in that subnet. No restrictions regarding speed, access, etc. Main WAN for this subnet is “WAN2 (Optics)-ether2” with failover to “WAN1 (vDSL)-ether1”.
5. Guest subnet 192.168.4.0 - All APs with virtual SSID are in this subnet. Restrictions regarding speed, access only to internet, nothing else. Main WAN for this subnet is “WAN1 (vDSL)-ether1” with failover to “WAN2 (Optics)-ether2”.
6. Private-guest subnet 192.168.6.0 - All APs with second virtual SSID are in this subnet. Restrictions regarding speed (differ from first vlan), access only to internet, nothing else. Main WAN for this subnet is “WAN1 (vDSL)-ether1” with failover to “WAN2 (Optics)-ether2”.
7. “WAN3 (LTE-5G))-ether3” is currently disabled, not in use. It was used as second failover for all 3 subnet in case of both WAN failure.
And that’s it.
.
.

CCR2116 Observations[/u]
-Dont use bridge for dhcp

I’m not sure that I understood you correctly. Bridge is my private network, I also access it over wifi, not just from manual IP-assigned computers.
.
.

Never bothered to use those.
.
.

Is it mandatory to put main subnet (bridge) into vlan ?
.
.

As mentioned above - all ports are exclusively part of main 192.168.0.0 subnet.
.
.

Hmm, apart from the rules above - what else do I need ? The ones you wrote below ?

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Assumes sfp plus ports are going to zyxel/brocade,csr3051G and Netgear.
Other ethernet ports are going to hapac,hapac2,hapac3, basebox2, hexpoe, crs112
The netgear is unmanaged thus not sure how to best setup..so disabled for now.

Correct.
Brocade and Zyxel are disabled at the moment, un til I figure out how to congifure them properly. When configured they will be connected to CCR2116 via SFP+ ports.
All other ports on CCR2116 are for APs directly, PCs directly or MT switches that have APs connected to it.
.
All APs, including Basebox have all 3 SSIDs (trusted/mine, guest and private guest)
ether 11 - yes, plans was out of band managment. Currenty, it’s part of the bridge.

Thank you once more !

I’ll definitely try, thank you !

I have an MT main router and multiple MT devices acting as switches or AP/switches and a number of other vendor managed switches, all works smooth as butta with the method/setup described.