DHCP Server not working in VLAN setup

Dande · February 2, 2023, 3:25pm

Hi everybody,
I am just setting up my first Mikrotik device (RB5009) to be used as router in our new house. I was mainly following this nice guide: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 Differences are, that I plan to use more VLANs (for better seperation of different device groups) and that I looked into the default firewall configuration and the corresponding documentation pages on the Mikrotik documentation and tried to integrate them.

This summarizes the planned VLANs and how the ports of the RB5009 are planned to be used:

#######################################
# VLAN Overview
#######################################

# BLOCK		IP 192.168.40.xxx / 24		VLAN 40
# 	    Blocked VLAN, used for all unsed ports to just block traffic there
# MANAGEMENT	IP 192.168.80.xxx / 24		VLAN ID 80
#   	Used for MANAGEMENT Access of Mikrotik Devices
# HOME 		IP 192.168.100.xxx / 24 	VLAN ID 100
#   	Used for Adults devices
# VICO			IP 192.168.104.xxx / 24		VLAN ID 104
#   	Used for Kids devices
# WORK			IP 192.168.108.xxx / 24		VLAN ID 108
# 	    Used for work devices
# SHARED		IP 192.168.112.xxx / 24		VLAN ID 112
#   	Printers, NAS...
# HA			IP 192.168.116.xxx / 24		VLAN ID 116
#   	Used for home automation stuff
# IOT			IP 192.168.120.xxx / 24		VLAN ID 120
#   	Used for not trustworthy IOT devices
# ENTERTAIN	IP 192.168.124.xxx / 24		VLAN ID 124
#   	Used for TV, blu ray player ...
# GUESTS		IP 192.168.128.xxx / 24		VLAN ID 128
#   	Used for guests

#######################################
# Port usage overview Overview
#######################################
# sfp-sfpplus1	trunk port 		uplink to switch VLAN IDs 80,100,104,108,112,116,120,124,128
# ether1		access port 	Internet Connection (currently DHCP, must be moved to PPPoE over VLAN 7 later)
# ether2		trunk port		backup to sfp connection to switch, cable only to be plugged in if fiber connection is not working
# ether3-7 		access port		VLAN 40, blocking all access
# ether8		access port		VLAN 80, management access

I used the following script to configure the router (its the adpated version of the guide I linked to)
RB5009_Config_for_publishing.rsc (18.6 KB)
My issue is, that I don’t receive a IP address if I plug in my PC at ether8. Management access through that port is working (using Winbox and MAC access). But also if I switch one of the ports ether3 to ether 7 to some other VLAN (or management VLAN) I don’t get an IP address from the router there. The request always runs into a timeout.

This is the resulting device configuration. In this version ether3 to ether7 were set to other VLANs for testing purposes. But except for that, the missing comments and the order of the entries it is identical to the script which I used for configuration (at least I couldn’t find any differences). Therefore it is most probably easier to look at the script linked above
RB5009_DHCP_not_working.rsc (13.2 KB)
Can anybody tell me what I am doing wrong here?

Thanks a lot in advance
Daniel

anav · February 2, 2023, 9:50pm

Sorry I dont review PCUNITE format LOL. Thus looked at the real config.

model = RB5009UG+S+

serial number = REMOVED FOR SECURITY REASONS

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=YES { ADDED AS LAST CONFIG ENTRY}

/interface vlan { removed VLAN 40 as it was not entered anywhere but here }
add interface=BR1 name=MANAGEMENT_VLAN vlan-id=80
add interface=BR1 name=HOME_VLAN vlan-id=100
add interface=BR1 name=VICO_VLAN vlan-id=104
add interface=BR1 name=WORK_VLAN vlan-id=108
add interface=BR1 name=SHARED_VLAN vlan-id=112
add interface=BR1 name=HA_VLAN vlan-id=116
add interface=BR1 name=IOT_VLAN vlan-id=120
add interface=BR1 name=ENTERTAIN_VLAN vlan-id=124
add interface=BR1 name=GUESTS_VLAN vlan-id=128

/interface list ( expanded and you will see why in forward chain )
add name=WAN
add name=VLAN
add name=BASE
add name=ACCESS-TO
add name=RECEIVER

/interface bridge port { assuming ether2,sfp-sfpplus are going to managed devices. Added missing but not not 100% necessary components }
add bridge=BR1 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether3 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=80
add bridge=BR1 interface=ether4 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=112
add bridge=BR1 interface=ether5 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=108
add bridge=BR1 interface=ether6 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=104
add bridge=BR1 interface=ether7 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=100
add bridge=BR1 interface=ether8 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=80
add bridge=BR1 interface=sfp-sfpplus1 ingress-filtering=yes frame-types=admit-only-vlan-tagged

/interface bridge vlan { optional to put in untagged but I prefer it to be visible on exports and easy to cross-check with port settings }
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1 untagged=ether3,ether8 vlan-ids=80
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1 untagged=ether7 vlan-ids=100
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1 untagged=ether6 vlan-ids=104
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1 untagged=ether5 vlan-ids=108
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1 untagged=ether4 vlan-ids=112
add bridge=BR1 tagged=BR1,ether2,sfp-sfpplus1 vlan-ids=116,120,124,128 { with no differences aka untagged ports you can combine on one line }

/interface list member { removed ether8 it was redundant → you already have management vlan on both VLAN and BASE list, and that is what is carried over ether8 }
add interface=ether1 list=WAN
add interface=HOME_VLAN list=VLAN
add interface=VICO_VLAN list=VLAN
add interface=WORK_VLAN list=VLAN
add interface=SHARED_VLAN list=VLAN
add interface=HA_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=ENTERTAIN_VLAN list=VLAN
add interface=GUESTS_VLAN list=VLAN
add interface=MANAGEMENT_VLAN list=VLAN
add interface=MANAGEMENT_VLAN list=BASE
add interface=HOME_VLAN list=ACCESS-TO
add interface=VICO_VLAN list=ACCESS-TO
add interface=SHARED_VLAN list=RECEIVER
add interface=ENTERTAIN_VLAN list=RECEIVER
add interface=HA_VLAN list=RECEIVER

/ip dns static { REMOVED this default setting}

/ip firewall address-list ( removed all subnets that are on the router, address lists are not appropriate, INTERFACE LISTS ARE !!)
REMOVED all BOGON lists as it should only be used if You know What you are doing, clearly not the case. If you do, later, dont need firewall rules, just black hole them in routing.
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet )

/ip firewall filter { RULES NOT IN ORDER EGADS……}
(default rules)
add action=accept chain=input comment=“Allow Estab & Related”
connection-state=established,related,untracked
add action=drop chain=input comment=“Drop Invalid connections”
connection-state=invalid
add action=accept chain=input comment=“Allow ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment=\ { The ether 8 rule was garbage and removed }
“Allow Management VLAN f\C3\BCll acceess” in-interface=MANAGEMENT_VLAN
add action=accept chain=input comment=“allow DNS from VLAN”
in-interface-list=VLAN port=53 protocol=tcp
add action=accept chain=input comment=“allow DNS from VLAN”
in-interface-list=VLAN port=53 protocol=udp
add action=drop chain=input comment=Drop
(default rules)
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=“Allow Estab & Related”
connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
(admin rules)
add action=accept chain=forward comment=“Internet” in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=accept chain=forward comment=“Allowed” in-interface-list=ACCESS-TO out-interface-list=RECEIVER
add action=accept chain=forward comment=“ENT to SH” in-interface=ENTERTAIN_VLAN out-interface=SHARED_VLAN
add action=drop chain=forward comment=Drop

.

anav · February 2, 2023, 9:52pm

You will only get assigned to the management vlan if you plug into ether3 or ether8.

When you reconfig, and still having issues export again the latest config and let us know what the issues are…

Dande · February 4, 2023, 12:51pm

Thanks for your help. After some fiddeling around (with issues mainly sitting in front of the PC) it is working now. I think it was the defintions of the frame-types in /interface bridge port frame-types=admit-priority-and-untagged for the access ports which was missing in my configuration.

I have two questions left regarding the configuration up to this point.

Regarding putting most of the inter VLAN routing into one firewall rule using the ACCESS_TO and RECEIVER interface lists. Was this more to ease readibility or to reduce the number of necessary firewall rules and therefore speeding firewall procssing up or something else which I am not getting?
The DHCP server is using a default lease time of 10 minutes meaning that every client will renew its lease every 5 minutes. Is such a short lease time of any use in a home network environment? I am more used to lease times of several hours or even several days.

Dande · February 4, 2023, 1:03pm

Thrid question as I am just trying out stuff.

If I plug my PC in a port without access to the Management VLAN I can still ping the router on each of its VLAN adresses but I neither can find it using winbox nor opening webfig. I think this is because I allow ICMP on the input chain right? Is there a security benefit in narrowing this down (also for DNS requests which I also allow from all VLANs on the input chain)?

anav · February 4, 2023, 1:05pm

I prefer an efficient firewall that is easy to read/understand.
You can separate them out and it wont make that much of a difference (none that you will see).
Personal preference.
In object oriented design, one tends to make a firewall rule ( with interface lists for subnets, or firewall address lists for users ) and then leave the rule alone and if need to add or subtract subnets or users, change the interface list member or firewall address list.

As far as dhcp lease… in a home setting nothing wrong with 1, 2, 3 day leases.

anav · February 4, 2023, 1:07pm

Remember the interfaces of each subnet on the router are considered part of the router ( input chain ).

So yes you can ping any interface from anywhere and thats a good thing for testing.
It does not mean you can access any other users on other subnets/vlans as that is forward chain and should be dropped by the last DROP ALL rule, unless you specifically allow vlanA to vlanB traffic in the forward chain rules.

In other words, normal expected behaviour and nothing to change or worry about.

Amm0 · February 5, 2023, 1:27am

I won’t change ping. It’s always allowed for a good reason: “Path MTU Discovery” (PMTUD), this allows things to figure out the MTU. And if MTU is “wrong”, things “work”, but the net result is poor performance. If PMTUD is needed is hard to know, which is why Mikrotik defaults to always allowing a ping through default firewalls.