DHCP server in vlan doesn't work

Does anyone have an idea why my DHCP server on VLAN 201 doesn’t work? It doesn’t work on the other VLANs either.

I want to plug my laptop into ether9 (VLAN 201) and get an IP address from the DHCP server.

It’s a CRS326-24G-2S+ that acts as a router (yes, I know :slight_smile:) and switch.


[admin@MikroTik] > export
# 2025-03-11 11:33:21 by RouterOS 7.18
# software id = R1M2-WJL4
#
# model = CRS326-24G-2S+

# Bridge with VLAN filtering on; the four VLAN interfaces below are created on top of it.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name="vlan guest" vlan-id=209
add interface=bridge1 name="vlan iot" vlan-id=201
add interface=bridge1 name="vlan lan" vlan-id=200
add interface=bridge1 name="vlan mgmt" vlan-id=99
# Interface lists referenced by the firewall and neighbor-discovery settings.
/interface list
add name=WAN
add name=LAN
# One address pool per subnet: "dhcp" is used by the server on the bridge
# itself, dhcp_pool1-4 by the servers on the VLAN interfaces.
/ip pool
add name=dhcp ranges=192.168.22.2-192.168.22.254
add name=dhcp_pool1 ranges=10.0.11.2-10.0.11.254
add name=dhcp_pool2 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool3 ranges=10.0.12.2-10.0.12.254
add name=dhcp_pool4 ranges=10.0.99.2-10.0.99.254
# One DHCP server per interface.
# NOTE(review): every VLAN server has relay= set to that VLAN's own gateway
# address. With relay set to a specific address, RouterOS only processes
# requests forwarded by a DHCP relay at that address, so a client attached
# directly to the VLAN (the laptop on ether9 / VLAN 201) is never answered.
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name="dhcp bridge"
add address-pool=dhcp_pool1 interface="vlan iot" name="dhcp iot" relay=\
    10.0.11.1
add address-pool=dhcp_pool2 interface="vlan guest" name="dhcp guest" relay=\
    10.0.10.1
add address-pool=dhcp_pool3 interface="vlan lan" name="dhcp lan" relay=\
    10.0.12.1
add address-pool=dhcp_pool4 interface="vlan mgmt" name=dhcp1 relay=10.0.99.1
/port
set 0 name=serial0
# Restricted group for API access: only "read" and "api" are granted; every
# other policy is explicitly negated with "!".
/user group
add name=api policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!t\
    est,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
# All switch ports (ether2-ether24 and both SFP+ ports) join bridge1. Only
# ether9 (pvid=201) and ether24 (pvid=99) set a PVID; no port sets frame-types,
# so the remaining ports keep the RouterOS defaults (PVID 1, all frame types
# admitted).
# NOTE(review): an untagged device on any of those default ports ends up in
# VLAN 1, where bridge1 is the untagged member (see the vlan-ids=1 entry below)
# and bridge1 is a member of the LAN list. The firewall's "drop all not coming
# from LAN" rule therefore does not apply to it - confirm that every such port
# is meant to have router access.
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9 pvid=201
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24 pvid=99
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
# Neighbor discovery is limited to interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table. bridge1 (the CPU port) is a tagged member of 201, 99, 200 and
# 209 so the VLAN interfaces on the bridge receive that traffic; ether9 and
# ether24 are the untagged access ports for 201 and 99. VLANs 200 and 209 have
# no physical member port here.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether9 vlan-ids=201
add bridge=bridge1 tagged=bridge1 untagged=ether24 vlan-ids=99
add bridge=bridge1 tagged=bridge1 vlan-ids=200
add bridge=bridge1 tagged=bridge1 vlan-ids=209
add bridge=bridge1 untagged=bridge1 vlan-ids=1
# NOTE(review): only bridge1 is a LAN member. The four VLAN interfaces are in
# neither list, so rules keyed on LAN / !LAN treat traffic arriving on them as
# non-LAN.
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
# Gateway addresses: one per VLAN interface, plus 192.168.22.1 on the bridge itself.
/ip address
add address=192.168.22.1/24 interface=bridge1 network=192.168.22.0
add address=10.0.10.1/24 interface="vlan guest" network=10.0.10.0
add address=10.0.11.1/24 interface="vlan iot" network=10.0.11.0
add address=10.0.12.1/24 interface="vlan lan" network=10.0.12.0
add address=10.0.99.1/24 interface="vlan mgmt" network=10.0.99.0
# Enables MikroTik cloud DDNS for this router.
/ip cloud
set ddns-enabled=yes
# The WAN port gets its address by DHCP.
/ip dhcp-client
add interface=ether1
# Options handed to DHCP clients, one entry per subnet; each VLAN points
# clients at the router's own address for both gateway and DNS.
# NOTE(review): the 0.0.0.0/24 entry has no usable gateway or DNS server and
# matches none of the pools - looks like a leftover; confirm and remove.
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.11.0/24 dns-server=10.0.11.1 gateway=10.0.11.1
add address=10.0.12.0/24 dns-server=10.0.12.1 gateway=10.0.12.1
add address=10.0.99.0/24 dns-server=10.0.99.1 gateway=10.0.99.1
add address=192.168.22.0/24 dns-server=192.168.22.1 gateway=192.168.22.1 \
    netmask=24
# allow-remote-requests=yes makes the router answer DNS queries sent to it, so
# whether the resolver is reachable from a given interface is decided entirely
# by the input chain of the firewall.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# UserNetwork = the guest, iot and lan subnets; the management subnet
# 10.0.99.0/24 is deliberately not part of it.
/ip firewall address-list
add address=10.0.10.0/24 list=UserNetwork
add address=10.0.11.0/24 list=UserNetwork
add address=10.0.12.0/24 list=UserNetwork
# Filter rules are evaluated top to bottom; the first match decides.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# NOTE(review): src-address-list=ITN is not defined anywhere in this export,
# so as shown this rule matches nothing. If the list is populated, it admits
# WebFig over plain HTTP (tcp/80) and Winbox (tcp/8291) from the WAN side.
add action=accept chain=input comment="accept webmanagement" dst-port=80,8291 \
    in-interface-list=WAN protocol=tcp src-address-list=ITN
# NOTE(review): accepts Winbox (tcp/8291) from ANY source on WAN - there is no
# src-address-list here, which makes the ITN restriction above meaningless for
# 8291 and leaves the management port reachable from the internet. Restrict it
# to a source address list, or remove it and manage the router from the
# management VLAN or over a VPN.
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=\
    !WAN protocol=icmp
# NOTE(review): accepts ALL router-bound traffic from the IoT VLAN, i.e. every
# service on the router including management, not just DHCP/DNS. The guest,
# lan and mgmt VLAN interfaces have no equivalent rule and are not in the LAN
# list, so their traffic to the router (including DNS to 10.0.x.1) falls
# through to the "drop all not coming from LAN" rule below. Presumably the
# intent was per-VLAN access to DNS only, with management limited to the mgmt
# VLAN - confirm and narrow by protocol/port.
add action=accept chain=input comment="vlan accept" in-interface="vlan iot"
# NOTE(review): this is the only inter-VLAN restriction. The forward chain has
# no final drop, so guest, iot and lan can still route to each other - confirm
# that this is intended.
add action=drop chain=forward comment="drop to management vlan" dst-address=\
    10.0.99.0/24 src-address-list=UserNetwork
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT for everything leaving through a WAN interface.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key

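Remove relay from the dhcp-server config. With relay set to a specific address, the server only answers requests forwarded by a DHCP relay at that address, so clients attached directly to the VLAN never get a lease: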

# Gateway addresses as posted: each relay= value below is the router's own
# address on the same VLAN interface.
/ip address
add address=192.168.22.1/24 interface=bridge1 network=192.168.22.0
add address=10.0.10.1/24 interface="vlan guest" network=10.0.10.0
add address=10.0.11.1/24 interface="vlan iot" network=10.0.11.0
add address=10.0.12.1/24 interface="vlan lan" network=10.0.12.0
add address=10.0.99.1/24 interface="vlan mgmt" network=10.0.99.0

# Entries to change: drop relay=... from the four VLAN servers. relay=<address>
# restricts a server to requests forwarded by a DHCP relay at that address;
# the clients here are attached directly, so nothing relays for them.
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name="dhcp bridge"
add address-pool=dhcp_pool1 interface="vlan iot" name="dhcp iot" relay=10.0.11.1
add address-pool=dhcp_pool2 interface="vlan guest" name="dhcp guest" relay=10.0.10.1
add address-pool=dhcp_pool3 interface="vlan lan" name="dhcp lan" relay=10.0.12.1
add address-pool=dhcp_pool4 interface="vlan mgmt" name=dhcp1 relay=10.0.99.1

Try this instead. It is not meant to be complete in any form; it is just to give you a working example.

Create a VLAN in the bridge

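# Minimal example: one untagged access port in VLAN 10, routed by a VLAN
# interface on the bridge. Not a complete configuration (no firewall, no WAN).

# Create the bridge. VLAN filtering is switched on further down, after the
# VLAN table is complete, so it is not enforced against a half-built table.
/interface/bridge/add name=bridge1

# Add ether1 to the bridge as an access port for VLAN 10 (the "LAN" VLAN).
# bridge= is required; frame-types makes the port drop frames that arrive
# already tagged from the attached device.
/interface/bridge/port/add bridge=bridge1 interface=ether1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged

# Define VLAN 10. The bridge itself (CPU port) must be a tagged member so the
# VLAN interface below receives the traffic; ether1 is the untagged member.
# Properties are separated by spaces and the bridge is referenced by the name
# it was created with (bridge1).
/interface/bridge/vlan/add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether1

# Create the VLAN interface on the bridge
/interface/vlan/add name=LAN interface=bridge1 vlan-id=10

# Assign the gateway address to VLAN 10 ("LAN")
/ip/address/add address=192.168.0.1/24 interface=LAN

# Activate bridge VLAN filtering (set needs the bridge name as its target).
# Do this last and from a session that will survive it (e.g. Safe Mode):
# once filtering is on, a management connection that arrives on a port or VLAN
# missing from the table above is cut off.
# frame-types=admit-only-vlan-tagged on the bridge means untagged traffic to
# the bridge interface itself is no longer accepted, so an IP address or DHCP
# server bound directly to bridge1 stops working - bind them to VLAN
# interfaces instead.
/interface/bridge/set bridge1 vlan-filtering=yes frame-types=admit-only-vlan-tagged

# Set up the DHCP server in WinBox or from the CLI. The CLI wizard is
# interactive; give it the VLAN interface, not the bridge:
#   Interface: LAN
/ip/dhcp-server/setup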

Remove this line (/interface bridge vlan):

add bridge=bridge1 untagged=bridge1 vlan-ids=1

Remove these lines (/ip dhcp-server network):

add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.22.0/24 dns-server=192.168.22.1 gateway=192.168.22.1 netmask=24

Remove relay from these lines(/ip dhcp-server):

add address-pool=dhcp_pool1 interface="vlan iot" name="dhcp iot" relay=10.0.11.1
add address-pool=dhcp_pool2 interface="vlan guest" name="dhcp guest" relay=10.0.10.1
add address-pool=dhcp_pool3 interface="vlan lan" name="dhcp lan" relay=10.0.12.1
add address-pool=dhcp_pool4 interface="vlan mgmt" name=dhcp1 relay=10.0.99.1

Remove relay from this lines (/ip dhcp-server):

add address-pool=dhcp interface=bridge1 name="dhcp bridge"

Remove this line (/ip pool):

add name=dhcp ranges=192.168.22.2-192.168.22.254

Remove this line (/ip address):

add address=192.168.22.1/24 interface=bridge1 network=192.168.22.0

Edit these lines to get proper VLAN handling (/interface bridge port):

# ether2 is left without a frame-types or pvid setting.
# ether9 and ether24 are access ports: only untagged / priority-tagged frames
# are admitted and pvid places them in VLAN 201 and VLAN 99 respectively.
# Every other port admits only VLAN-tagged frames, so an untagged device
# plugged into one of them is not bridged into any VLAN.
# NOTE(review): none of the tagged-only ports is listed as a tagged member in
# the /interface bridge vlan entries shown in this thread; presumably each one
# has to be added there for the VLANs it should carry - confirm.
add bridge=bridge1 interface=ether2
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether7
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether8
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=201
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether11
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether12
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether13
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether14
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether15
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether16
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether17
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether18
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether19
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether20
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether21
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether22
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether23
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether24 pvid=99
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus2

And, as my preference, don’t set untagged explicitly (it is set implicitly by the port settings above):

# Only the bridge (CPU port) is listed as a tagged member. No untagged= is
# given: the access ports are expected to be added as untagged members
# automatically from their pvid (presumably ether9 for 201 and ether24 for 99,
# per the bridge port settings in this thread).
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=201
add bridge=bridge1 tagged=bridge1 vlan-ids=99

Many thanks to all.. It works now

If I set frame-types on the bridge to admit-only-vlan-tagged, it doesn’t work.

As suggested:

Activate Bridge Vlan Filtering

/interface/bridge/set vlan-filtering=yes frame-types=admit-only-vlan-tagged

Usually the only thing required on the bridge is to set vlan-filtering=yes.
Use the
/interface bridge port settings to add ingress-filtering=yes (now on by default) and the applicable frame type!
The only reason not to have both of the above is for hybrid ports.

Also, if you are doing VLANs, do only VLANs and do not have the bridge do any DHCP. Simply make another VLAN.