DHCP not working with vlan bridge

phitx · March 22, 2015, 1:02pm

I using mikrotik RB750 (version 6.18) and ubiquity (versi 3.2.1)
I want to make multiple SSID

I have found thread same with my case in
Ubiquiti Unifi, Mikrotik & Vlans
I try the same and doing test
connect cable to port 2,3,4,5 all is working and give correct as DHCP.
On port 2 and 5 result same DHCP
But when I connect port 5 to ubiquity I only can get IP from SSID 1 which I connect to DHCP_LAN
when I connect to SSID 2 or 3 is not getting IP from DHCP

Maybe something need to change/wrong

My setting on phisycal port mikrotik
port 1 = ISP ( cable connect from ISP)
port 2 = LAN ( cable connect with LAN)
port 3 = cable not connect
port 4 = cable not connect
port 5 = ubiquity ( cable connect ubiquity )

And this setting of my mikrotik

/interface bridge
add l2mtu=1598 name=bridge-LAN
add l2mtu=1594 name=bridge-W2LAN
add l2mtu=1594 name=bridge-PSID_Inet

/interface ethernet
set 0 name=eth1_ISP
set 1 name=eth2_LAN
set 2 name=eth3_PSID_W2LAN
set 3 name=eth4_PSID_Inet
set 4 name=eth5_trunk

/interface vlan
add interface=bridge-LAN l2mtu=1594 name=vl-W2LAN-bridge-LAN vlan-id=101
add interface=bridge-LAN l2mtu=1594 name=vl-PSID_Inet-bridge-LAN vlan-id=102

/ip pool
add name=pool_LAN ranges=172.20.1.1-172.20.1.199
add name=pool_W2LAN ranges=172.21.52.1-172.21.52.199
add name=pool_PSID_Inet ranges=10.206.0.1-10.206.0.199

/ip dhcp-server
add address-pool=pool_LAN disabled=no interface=bridge-LAN name=DHCP_LAN
add address-pool=pool_W2LAN disabled=no interface=bridge-W2LAN name=DHCP_W2LAN
add address-pool=pool_PSID_Inet LAN disabled=no interface=bridge-PSID_Inet name=DHCP_PSID_Inet

/interface bridge port
add bridge=bridge-LAN interface=ether2-local\eth2_LAN
add bridge=bridge-LAN interface=eth5_trunk

add bridge=bridge-W2LAN interface=eth3_PSID_W2LAN
add bridge=bridge-W2LAN interface=vl-W2LAN-bridge-LAN

add bridge=bridge-PSID_Inet interface=eth4_PSID_Inet
add bridge=bridge-PSID_Inet interface=vl-PSID_Inet-bridge-LAN

/ip address
add address=172.20.1.240/24 interface=bridge-LAN
add address=172.21.52.240/24 interface=bridge-W2LAN
add address=10.206.0.240/24 interface=bridge-PSID_Inet

/ip dhcp-server network
add address=172.20.1.0/24 dns-server=172.20.1.240 gateway=172.20.1.240
add address=172.21.52.0/24 dns-server=172.21.52.240 gateway=172.21.52.240
add address=10.206.0.0/24 dns-server=10.206.0.240 gateway=10.206.0.240

/ip dns
set allow-remote-requests=yes

/ip firewall filter
add action=jump chain=input jump-target=input-guest in-interface=bridge-W2LAN
add action=jump chain=input jump-target=input-guest in-interface=bridge-PSID_Inet

add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state=related disabled=no

add action=accept chain=input in-interface=bridge-LAN

add action=drop chain=input

add action=accept chain=forward out-interface=eth1_ISP
add action=drop chain=forward

add action=accept chain=input-guest dst-port=53 protocol=tcp
add action=accept chain=input-guest dst-port=53 protocol=udp
add action=accept chain=input-guest dst-port=67 protocol=udp
add action=accept chain=input-guest dst-port=68 protocol=udp

/ip firewall nat
add chain=srcnat action=masquerade out-interface=eth1_ISP

/ip neighbor discovery
set eth1_ISP discover=no
set eth3_W2LAN discover=no
set eth4_PSID_Inet discover=no
set bridge_W2LAN discover=no
set bridge_PSID_Inet discover=no
set vl-W2LAN-eth5 discover=no
set vl-PSID_Inet-eth5 discover=no

Anyone can help?

ZeroByte · March 25, 2015, 12:15am

I think you could simplify this quite a lot.
Move all VLAN subinterfaces to ether2. (you only need one vlan interface per vlan you plan to support on the Unifi, so if there are duplicates, just move one and delete the extras)

Then in the ether3 - ether5 ports, set master → ether2
This will make 2-5 all behave the same way, including vlan tags.
Put your IP addresses / DHCP services / hotspot services / etc - put all of them onto the correct VLAN subinterfaces / or directly on ether2 for the LAN itself.

That should do it. You will be able to plug the unifi into any port 2-5 and it should work.
Also, make sure the Unifi is configured with VLAN tags on the extra SSIDs.

tnx · March 27, 2015, 12:28am

I’m testing an RB2011 with v6.18 and unifi 2.4.6
I read the same thread you linked and had the same problems. I made a syntax change and
everything is working for me.

Here’s what I changed:
/ip neighbor discovery
set ether1-gateway discover=no
set ether3-kids discover=no
set ether4-guest discover=no
set vlan-kids-ether5 discover=no
set vlan-guest-ether5 discover=no
set bridge-kids discover=no
set bridge-guest discover=no

I had to disable this firewall filter because it wouldn’t allow DNS resolution:
add action=drop chain=forward

I haven’t figured out how to stop the WAN from replying to pings yet.
Other than that, everything is working fine.
Hope this helps you solve your problem.

ros code

/interface bridge
add comment=“Local Bridge” l2mtu=1598 name=bridge-local
add comment=“Kids Bridge” name=bridge-kids
add comment=“Guest Bridge” name=bridge-guest

/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-local
set 2 name=ether3-kids
set 3 name=ether4-guest
set 4 name=ether5-trunk

/interface vlan
add interface=ether5-trunk l2mtu=1594 name=vlan-kids-ether5 vlan-id=4
add interface=ether5-trunk l2mtu=1594 name=vlan-guest-ether5 vlan-id=5

/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m

/ip pool
add name=pool-local ranges=192.168.5.2-192.168.5.254
add name=pool-kids ranges=192.168.2.2-192.168.2.254
add name=pool-guest ranges=192.168.3.2-192.168.3.254

/ip dhcp-server
add address-pool=pool-local disabled=no interface=bridge-local name=local
add address-pool=pool-kids disabled=no interface=bridge-kids name=kids
add address-pool=pool-guest disabled=no interface=bridge-guest name=guest

/interface bridge port
add bridge=bridge-local interface=ether2-local
add bridge=bridge-local interface=ether5-trunk
add bridge=bridge-kids interface=ether3-kids
add bridge=bridge-kids interface=vlan-kids-ether5
add bridge=bridge-guest interface=ether4-guest
add bridge=bridge-guest interface=vlan-guest-ether5

/ip address
add address=192.168.5.1/24 interface=bridge-local
add address=192.168.2.1/24 interface=bridge-kids
add address=192.168.3.1/24 interface=bridge-guest

/ip dhcp-server network
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1

/ip dns
set allow-remote-requests=yes

/ip firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add action=jump chain=input in-interface=bridge-kids jump-target=input-guest
add action=jump chain=input in-interface=bridge-guest jump-target=input-guest
add chain=input in-interface=bridge-local
add action=drop chain=input
add chain=forward out-interface=ether1-gateway
add action=drop chain=forward
add chain=input-guest dst-port=53 protocol=tcp
add chain=input-guest dst-port=53 protocol=udp
add chain=input-guest dst-port=67 protocol=udp
add chain=input-guest dst-port=68 protocol=udp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=
0.0.0.0

/ip neighbor discovery
set ether1-gateway discover=no
set ether3-kids discover=no
set ether4-guest discover=no
set vlan-kids-ether5 discover=no
set vlan-guest-ether5 discover=no
set bridge-kids discover=no
set bridge-guest discover=no