DHCP on VLAN

Hello everyone.
This will be pretty basic stuff to most of you, but I just can’t figure it out. I have already wasted too much time on this and I am ready to declare defeat.
I have a hEX RB750Gr3.
I am still learning the basics of it. I have started with the default configuration (WAN=ether1, LAN=bridge=ether2..5).
From here, I wanted to have:

  • ether2 = management
  • ether3 = VLAN Staff (20)
  • ether4 = VLAN Guests (10)
  • ether5 = trunk

Devices on VLAN Guests should receive 10.0.10.x addresses, while devices on VLAN Staff should receive 10.0.20.x addresses.
I believe I have done everything by the book, but still can’t get the IPs.
Any help is very welcome.


Here is the entire configuration script for my device:

# dec/06/2020 16:25:31 by RouterOS 6.47.8
# software id = M643-1B1M
#
# model = RB750Gr3
# serial number = CC210B6AF091
/interface bridge
	add admin-mac=C4:AD:34:A1:64:F2 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface list
	add comment=defconf name=WAN
	add comment=defconf name=LAN
/interface list member
	add comment=defconf interface=bridge list=LAN
	add comment=defconf interface=ether1 list=WAN
/ip neighbor discovery-settings
	set discover-interface-list=LAN
/ip dns
	set allow-remote-requests=yes
/ip dns static
	add address=192.168.88.1 comment=defconf name=router.lan
/ip dhcp-client
	add comment=defconf disabled=no interface=ether1
/ip firewall filter
	add action=accept chain=input comment=\
		"defconf: accept established,related,untracked" connection-state=\
		established,related,untracked
	add action=drop chain=input comment="defconf: drop invalid" connection-state=\
		invalid
	add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
	add action=accept chain=input comment=\
		"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
	add action=drop chain=input comment="defconf: drop all not coming from LAN" \
		in-interface-list=!LAN
	add action=accept chain=forward comment="defconf: accept in ipsec policy" \
		ipsec-policy=in,ipsec
	add action=accept chain=forward comment="defconf: accept out ipsec policy" \
		ipsec-policy=out,ipsec
	add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
		connection-state=established,related
	add action=accept chain=forward comment=\
		"defconf: accept established,related, untracked" connection-state=\
		established,related,untracked
	add action=drop chain=forward comment="defconf: drop invalid" \
		connection-state=invalid
	add action=drop chain=forward comment=\
		"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
		connection-state=new in-interface-list=WAN
/ip firewall nat
	add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
	set time-zone-name=Europe/Lisbon
/tool mac-server
	set allowed-interface-list=LAN
/tool mac-server mac-winbox
	set allowed-interface-list=LAN



/interface vlan
	add interface=bridge name=Guests use-service-tag=yes vlan-id=10
	add interface=bridge name=Staff use-service-tag=yes vlan-id=20
/interface bridge port
	add bridge=bridge comment=defconf interface=ether2
	add bridge=bridge comment=defconf interface=ether3 pvid=20
	add bridge=bridge comment=defconf interface=ether4 pvid=10
	add bridge=bridge comment=defconf interface=ether5
/interface bridge vlan
	add bridge=bridge tagged=ether5 untagged=ether3 vlan-ids=20
	add bridge=bridge tagged=ether5 untagged=ether4 vlan-ids=10
/ip address
	add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
	add address=10.0.10.1/24 interface=Guests network=10.0.10.0
	add address=10.0.20.1/24 interface=Staff network=10.0.20.0
/ip dhcp-server network
	add address=10.0.10.0/24 gateway=10.0.10.1
	add address=10.0.20.0/24 gateway=10.0.20.1
	add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip pool
	add name=default-dhcp ranges=192.168.88.10-192.168.88.254
	add name=Guests ranges=10.0.10.2-10.0.10.254
	add name=Staf ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
	add address-pool=default-dhcp disabled=no interface=bridge name=defconf
	add address-pool=Guests disabled=no interface=Guests name=dhcpGuests
	add address-pool=Staf disabled=no interface=Staff name=dhcpStaff

You have created DHCP servers on VLAN interfaces and users connected to ethernet ports cannot get the IP addresses??

How could they? Ethernet ports and VLANs are in no connection.

Ether3 and VLAN “staff” should be in a separate bridge - move the IP address and DHCP server from the vlan to the bridge and everything will be fine.

Thank you for taking the time to reply.
I created that config following this example: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.231_.28Trunk_and_Access_Ports.29
and using vlan-filtering=yes for the Bridge.

Using use-service-tag=yes under /interface vlan is incorrect for standard VLANs.

A bridge has two roles - it is both like a switch connecting various ethernet ports together, and also like an ethernet port to pass traffic to services on the Mikrotik itself. So to provide access to DHCP and routing the bridge itself must be included in the bridge vlan configuration. It is not necessary to include the untagged definitions as these are dynamically added from the bridge port PVID settings:
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=20
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=10

In addition to what @tdw wrote: you should read the firewall filter and firewall NAT rules and consider adding interfaces Guests and Staff to interface list LAN.
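
Added example, not part of any post in this thread: a Python check over a RouterOS export for the three points raised in the replies above (use-service-tag=yes on a standard VLAN, the bridge missing from the tagged members of its VLAN, and VLAN interfaces left out of interface list LAN, which the defconf input rule "drop all not coming from LAN" depends on). The function names and the trimmed sample are constructed for illustration; only comma-separated vlan-ids are handled.

```python
import re, shlex

def parse_export(text):
    """Parse a RouterOS export into {section: [ {key: value}, ... ]}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.startswith(("add ", "set ")):
            current.append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return sections

def lint_vlans(text):
    """Return findings for VLAN interfaces the router's own services cannot serve."""
    cfg = parse_export(text)
    bridges = {b.get("name") for b in cfg.get("/interface bridge", [])}
    lan = {m.get("interface") for m in cfg.get("/interface list member", []) if m.get("list") == "LAN"}
    tagged = {}  # vlan-id -> tagged members (comma lists only; ranges not expanded)
    for row in cfg.get("/interface bridge vlan", []):
        for vid in row.get("vlan-ids", "").split(","):
            tagged.setdefault(vid, set()).update(row.get("tagged", "").split(","))
    findings = []
    for v in cfg.get("/interface vlan", []):
        name, vid, parent = v.get("name"), v.get("vlan-id"), v.get("interface")
        if v.get("use-service-tag") == "yes":
            findings.append(f"{name}: use-service-tag=yes is incorrect for standard VLANs")
        if parent in bridges and parent not in tagged.get(vid, set()):
            findings.append(f"{name}: {parent} is not a tagged member of VLAN {vid}")
        if name not in lan:
            findings.append(f"{name}: not in interface list LAN")
    return findings

# Constructed sample, trimmed from the configuration posted in the thread.
SAMPLE = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface list member
add comment=defconf interface=bridge list=LAN
/interface vlan
add interface=bridge name=Guests use-service-tag=yes vlan-id=10
add interface=bridge name=Staff use-service-tag=yes vlan-id=20
/interface bridge vlan
add bridge=bridge tagged=ether5 untagged=ether3 vlan-ids=20
add bridge=bridge tagged=ether5 untagged=ether4 vlan-ids=10
"""

if __name__ == "__main__":
    print("\n".join(lint_vlans(SAMPLE)))
```

Run against the sample, it reports all three issues for both Guests and Staff; with `tagged=bridge,ether5`, the service tag removed and both VLAN interfaces added to list LAN, it reports nothing.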

The best reference for vlans using vlan filtering is here.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Read that and then rejig your config, repost it here for review.