hndfx
November 7, 2020, 9:54pm
1
Hello everyone,
I want to separate my network so that the IoT crap cannot compromise my main networks.
So I want the IoT stuff (both wired and wireless devices) to be on VLAN 5 and only allow them to reach specific other addresses via the firewall. However, while the WLAN devices get assigned an IP via the DHCP server, when I connect a Raspberry Pi to the wired ports I configured for VLAN 5, the Pi is detected but an IP never gets bound.
Here’s my config.
# nov/02/2020 00:25:39 by RouterOS 6.47.4
# software id = FXSF-YA53
#
# model = 2011UiAS-2HnD
# serial number =
# NOTE(review): first revision posted in the thread. Lines marked NOTE(review)
# are reviewer comments only; no configuration statement was changed.
# This export contains no /ip firewall section at all. The router will route
# between every VLAN interface defined below, so VLAN 5 is NOT isolated from
# the other networks until forward-chain rules (drop VLAN 5 -> other LAN
# VLANs except explicitly allowed destinations) and input-chain rules (allow
# only DHCP/DNS from VLAN 5 to the router itself) exist.
/interface bridge
# NOTE(review): two VLAN-aware bridges. bridgeIoT carries pvid=5 while a VLAN 5
# L3 interface (vlan5-iot-lan) is also created on it further down; bridge pvid
# and a same-ID VLAN interface on the same bridge conflict. One bridge with
# per-port pvid is the usual layout.
add frame-types=admit-only-untagged-and-priority-tagged name=bridgeIoT pvid=5 \
vlan-filtering=yes
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridgeLocal \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=e1wan
set [ find default-name=ether2 ] name=e2office
set [ find default-name=ether3 ] name=e3nas
set [ find default-name=ether4 ] name=e4lab
set [ find default-name=ether5 ] name=e5work
set [ find default-name=ether6 ] name=e6mgmt
set [ find default-name=ether7 ] name=e7iot
set [ find default-name=ether8 ] name=e8iot
set [ find default-name=ether9 ] name=e9iot
set [ find default-name=ether10 ] name=e10iot
/interface vlan
# NOTE(review): vlan1 is defined but nothing below addresses or serves it; it
# rides the bridge's default PVID 1, which no port below is assigned to.
add interface=bridgeLocal name=vlan1 vlan-id=1
add interface=bridgeLocal name=vlan2-office vlan-id=2
add interface=bridgeLocal name=vlan3-nas vlan-id=3
add interface=bridgeLocal name=vlan4-lab vlan-id=4
add interface=bridgeIoT name=vlan5-iot-lan vlan-id=5
add interface=bridgeLocal name=vlan6-mgmt vlan-id=6
add interface=bridgeLocal name=vlan7-work vlan-id=7
/interface ethernet switch port
# NOTE(review): switch-chip VLAN settings (here and /interface ethernet switch
# vlan below) are mixed with bridge VLAN filtering. Pick one mechanism; with
# vlan-filtering=yes on the bridge these should stay at defaults. Port 10 also
# lacks the vlan-header=add-if-missing that ports 7-9 have -- inconsistent.
set 7 default-vlan-id=5 vlan-header=add-if-missing
set 8 default-vlan-id=5 vlan-header=add-if-missing
set 9 default-vlan-id=5 vlan-header=add-if-missing
set 10 default-vlan-id=5
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
wlan5-iot supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
wlan2-default supplicant-identity=""
/interface wireless
# NOTE(review): both APs use vlan-mode=use-tag, i.e. client frames are handed
# to the bridge already tagged (VLAN 2 / VLAN 5), yet their bridge ports below
# are frame-types=admit-only-untagged-and-priority-tagged with a matching pvid.
# With bridge VLAN filtering the usual pairing is vlan-mode=no-tag on the
# wireless interface and let the bridge-port pvid tag the traffic -- confirm
# by checking which variant the WiFi DHCP behaviour follows.
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=germany disabled=no \
frequency=auto installation=indoor mode=ap-bridge name=wlan2-office \
security-profile=wlan2-default ssid=wlan1 vlan-id=2 vlan-mode=use-tag
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx \
master-interface=wlan2-office multicast-buffering=disabled name=wlan5-iot \
security-profile=wlan5-iot ssid=wlan5 vlan-id=5 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
# NOTE(review): a second VLAN 5 L3 interface, placed directly on the wlan port
# instead of the bridge. Together with vlan5-iot-lan this puts two subnets
# (10.16.32.0/20 and 10.16.80.0/20) and two DHCP servers on what is meant to
# be one IoT broadcast domain. One VLAN 5 interface on the bridge is enough.
add interface=wlan5-iot name=vlan5-iot-wlan vlan-id=5
/ip pool
add name=vlan2-office ranges=10.15.241.0-10.15.254.255
add name=vlan3-nas ranges=10.16.1.0-10.16.15.255
add name=vlan4-lab ranges=10.16.17.0-10.16.31.255
add name=vlan5-iot-lan ranges=10.16.33.0-10.16.47.255
add name=vlan6-mgmt ranges=10.16.49.0-10.16.63.255
add name=vlan7-work ranges=10.16.65.0-10.16.79.255
add name=vlan5-iot-wlan ranges=10.16.81.0-10.16.95.255
/ip dhcp-server
add address-pool=vlan2-office disabled=no interface=vlan2-office name=\
dhcp-vlan2-office
add address-pool=vlan3-nas disabled=no interface=vlan3-nas name=dhcp-vlan3-nas
add address-pool=vlan4-lab disabled=no interface=vlan4-lab name=dhcp-vlan4-lab
add address-pool=vlan5-iot-lan disabled=no interface=vlan5-iot-lan name=\
dhcp-vlan5-iot
add address-pool=vlan6-mgmt disabled=no interface=vlan6-mgmt name=\
dhcp-vlan6-mgmt
add address-pool=vlan7-work disabled=no interface=vlan7-work name=\
dhcp-vlan7-work
add address-pool=vlan5-iot-wlan disabled=no interface=vlan5-iot-wlan name=\
dhcp-vlan5-iot-wlan
/interface bridge port
add bridge=bridgeIoT frame-types=admit-only-untagged-and-priority-tagged \
interface=e7iot pvid=5
add bridge=bridgeIoT frame-types=admit-only-untagged-and-priority-tagged \
interface=e8iot pvid=5
add bridge=bridgeIoT frame-types=admit-only-untagged-and-priority-tagged \
interface=e9iot pvid=5
add bridge=bridgeIoT frame-types=admit-only-untagged-and-priority-tagged \
interface=e10iot pvid=5
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e2office pvid=2
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e3nas pvid=3
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e4lab pvid=4
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e5work pvid=7
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e6mgmt pvid=6
add bridge=bridgeIoT frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan5-iot pvid=5
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan2-office pvid=2
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal untagged=e2office vlan-ids=2
add bridge=bridgeLocal tagged=bridgeLocal untagged=e3nas vlan-ids=3
add bridge=bridgeLocal tagged=bridgeLocal untagged=e4lab vlan-ids=4
add bridge=bridgeLocal tagged=bridgeLocal untagged=e6mgmt vlan-ids=6
add bridge=bridgeLocal tagged=bridgeLocal untagged=e5work vlan-ids=7
# NOTE(review): vlan5-iot-wlan and vlan5-iot-lan are VLAN (L3) interfaces, not
# bridge ports; they do not belong in the untagged member list.
add bridge=bridgeIoT tagged=bridgeIoT untagged=\
e7iot,e8iot,e9iot,e10iot,wlan5-iot,vlan5-iot-wlan,vlan5-iot-lan vlan-ids=5
/interface ethernet switch vlan
add independent-learning=no ports=e2office switch=switch1 vlan-id=2
/interface list member
add interface=e1wan list=WAN
add interface=bridgeLocal list=LAN
# NOTE(review): putting the IoT bridge in the same "LAN" list as the trusted
# networks means any future firewall rule that trusts in-interface-list=LAN
# trusts IoT too. Keep IoT in its own interface list so the rules can treat it
# as untrusted.
add interface=bridgeIoT list=LAN
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=bridgeLocal interfaces=wlan2-office
/ip address
add address=192.168.3.13/24 interface=e1wan network=192.168.3.0
add address=10.15.240.1/20 interface=vlan2-office network=10.15.240.0
add address=10.16.0.1/20 interface=vlan3-nas network=10.16.0.0
add address=10.16.16.1/20 interface=vlan4-lab network=10.16.16.0
add address=10.16.32.1/20 interface=vlan5-iot-lan network=10.16.32.0
add address=10.16.48.1/20 interface=vlan6-mgmt network=10.16.48.0
add address=10.16.64.1/20 interface=vlan7-work network=10.16.64.0
add address=10.16.80.1/20 interface=vlan5-iot-wlan network=10.16.80.0
/ip dhcp-client
# NOTE(review): default-config leftover -- a DHCP client on the LAN-side bridge.
# The WAN port (e1wan) already has a static address above, so this serves no
# purpose, and with the client's defaults it would accept a default route and
# DNS servers from any DHCP server it hears on the bridge. Remove it.
add comment=defconf disabled=no interface=bridgeLocal
/ip dhcp-server network
add address=10.15.240.0/20 dns-server=\
10.15.240.1,192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9 domain=home.lan \
gateway=10.15.240.1 netmask=20
add address=10.16.0.0/20 dns-server=\
10.16.0.1,192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9 domain=home.lan \
gateway=10.16.0.1 netmask=20
add address=10.16.16.0/20 dns-server=\
10.16.16.1,192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9 domain=home.lan \
gateway=10.16.16.1 netmask=20
add address=10.16.32.0/20 dns-server=\
10.16.32.1,192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9 domain=home.lan \
gateway=10.16.32.1 netmask=20
add address=10.16.48.0/20 dns-server=\
10.16.48.1,192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9 domain=home.lan \
gateway=10.16.48.1 netmask=20
add address=10.16.64.0/20 dns-none=yes netmask=20
add address=10.16.80.0/20 netmask=20
/ip dns
# NOTE(review): allow-remote-requests=yes turns the router into a resolver for
# every interface, including e1wan, and there is no input-chain firewall in
# this export to restrict it. Intended for the VLANs (they hand out the router
# as DNS above), so pair it with input rules that drop DNS from WAN.
set allow-remote-requests=yes servers=\
192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9
/lcd pin
# NOTE(review): the LCD PIN is a physical-access credential and is printed in
# clear text here; redact it before posting a config publicly.
set pin-number=6626
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set cpu-frequency=750MHz
The LAN used to be working before I set up VLAN 5 on the virtual WIFI interface. I don’t know what I need to do to make it work.
Please give me a hint
anav
November 7, 2020, 11:19pm
2
Ooohhh, chip switch vlans, no can do. Hopefully somebody who knows this method can chime in.
tdw
November 8, 2020, 12:13am
3
Hardware offloading is disabled for VLAN-aware bridges, and changing the switch-chip settings from their defaults can result in odd behaviour, so I would change those back to the defaults.
There is little point having two VLAN-aware bridges, and bridgeIoT is incorrectly configured with a PVID having the same VLAN ID as an attached VLAN interface - it would be best to remove bridgeIoT and just use bridgeLocal
hndfx
November 8, 2020, 8:07am
4
Thank you
I followed your advice. Now the wired devices get an IP but the WiFi device (my laptop) keeps making new DHCP requests over and over again and in Windows it shows no IP.
I rebooted both the PC and the router but still no success.
The current configuration is:
# nov/02/2020 01:06:44 by RouterOS 6.47.4
# software id = FXSF-YA53
#
# model = 2011UiAS-2HnD
# serial number =
# NOTE(review): second revision (bridgeIoT merged into bridgeLocal). Lines
# marked NOTE(review) are reviewer comments only; no statement was changed.
# There is still no /ip firewall section in this export: the router routes
# between every VLAN interface below, so VLAN 5 is not isolated from the
# other networks until forward-chain rules (drop VLAN 5 -> other VLANs except
# explicitly allowed destinations) and input-chain rules (allow only DHCP/DNS
# from VLAN 5 to the router itself) are added.
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridgeLocal \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=e1wan
set [ find default-name=ether2 ] name=e2office
set [ find default-name=ether3 ] name=e3nas
set [ find default-name=ether4 ] name=e4lab
set [ find default-name=ether5 ] name=e5work
set [ find default-name=ether6 ] name=e6mgmt
set [ find default-name=ether7 ] name=e7iot
set [ find default-name=ether8 ] name=e8iot
set [ find default-name=ether9 ] name=e9iot
set [ find default-name=ether10 ] name=e10iot
/interface vlan
# NOTE(review): vlan1 is defined but nothing below addresses or serves it; it
# rides the bridge's default PVID 1, which no port below is assigned to.
add interface=bridgeLocal name=vlan1 vlan-id=1
add interface=bridgeLocal name=vlan2-office vlan-id=2
add interface=bridgeLocal name=vlan3-nas vlan-id=3
add interface=bridgeLocal name=vlan4-lab vlan-id=4
add interface=bridgeLocal name=vlan5-iot-lan vlan-id=5
add interface=bridgeLocal name=vlan6-mgmt vlan-id=6
add interface=bridgeLocal name=vlan7-work vlan-id=7
/interface ethernet switch port
# NOTE(review): switch-chip VLAN settings (here and /interface ethernet switch
# vlan below) are still mixed with bridge VLAN filtering. With
# vlan-filtering=yes on the bridge these should be returned to defaults.
# Port 10 also lacks the vlan-header=add-if-missing that ports 7-9 have.
set 7 default-vlan-id=5 vlan-header=add-if-missing
set 8 default-vlan-id=5 vlan-header=add-if-missing
set 9 default-vlan-id=5 vlan-header=add-if-missing
set 10 default-vlan-id=5
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
wlan5-iot supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
wlan2-default supplicant-identity=""
/interface wireless
# NOTE(review): both APs use vlan-mode=use-tag, so client frames reach the
# bridge already tagged (VLAN 2 / VLAN 5), while their bridge ports below are
# frame-types=admit-only-untagged-and-priority-tagged with a matching pvid.
# The wired IoT ports (untagged, tagged by pvid) work in this revision and the
# WiFi client does not, which is consistent with that mismatch. With bridge
# VLAN filtering the usual pairing is vlan-mode=no-tag on the wireless
# interface and the bridge-port pvid doing the tagging -- confirm on the box.
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=germany disabled=no \
frequency=auto installation=indoor mode=ap-bridge name=wlan2-office \
security-profile=wlan2-default ssid=wlan1 vlan-id=2 vlan-mode=use-tag
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx \
master-interface=wlan2-office multicast-buffering=disabled name=wlan5-iot \
security-profile=wlan5-iot ssid=wlan5 vlan-id=5 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
# NOTE(review): second VLAN 5 L3 interface, placed directly on wlan5-iot, which
# is itself a bridge port below. Together with vlan5-iot-lan this gives two
# subnets (10.16.32.0/20 and 10.16.80.0/20) and two DHCP servers for one IoT
# VLAN. Remove this one and its pool/DHCP server/address; vlan5-iot-lan on the
# bridge serves both wired and wireless IoT clients.
add interface=wlan5-iot name=vlan5-iot-wlan vlan-id=5
/ip pool
add name=vlan2-office ranges=10.15.241.0-10.15.254.255
add name=vlan3-nas ranges=10.16.1.0-10.16.15.255
add name=vlan4-lab ranges=10.16.17.0-10.16.31.255
add name=vlan5-iot-lan ranges=10.16.33.0-10.16.47.255
add name=vlan6-mgmt ranges=10.16.49.0-10.16.63.255
add name=vlan7-work ranges=10.16.65.0-10.16.79.255
add name=vlan5-iot-wlan ranges=10.16.81.0-10.16.95.255
/ip dhcp-server
add address-pool=vlan2-office disabled=no interface=vlan2-office name=\
dhcp-vlan2-office
add address-pool=vlan3-nas disabled=no interface=vlan3-nas name=\
dhcp-vlan3-nas
add address-pool=vlan4-lab disabled=no interface=vlan4-lab name=\
dhcp-vlan4-lab
add address-pool=vlan5-iot-lan disabled=no interface=vlan5-iot-lan name=\
dhcp-vlan5-iot
add address-pool=vlan6-mgmt disabled=no interface=vlan6-mgmt name=\
dhcp-vlan6-mgmt
add address-pool=vlan7-work disabled=no interface=vlan7-work name=\
dhcp-vlan7-work
add address-pool=vlan5-iot-wlan disabled=no interface=vlan5-iot-wlan name=\
dhcp-vlan5-iot-wlan
/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e7iot pvid=5
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e8iot pvid=5
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e9iot pvid=5
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e10iot pvid=5
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e2office pvid=2
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e3nas pvid=3
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e4lab pvid=4
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e5work pvid=7
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=e6mgmt pvid=6
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan5-iot pvid=5
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan2-office pvid=2
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal untagged=e2office vlan-ids=2
add bridge=bridgeLocal tagged=bridgeLocal untagged=e3nas vlan-ids=3
add bridge=bridgeLocal tagged=bridgeLocal untagged=e4lab vlan-ids=4
add bridge=bridgeLocal tagged=bridgeLocal untagged=e6mgmt vlan-ids=6
add bridge=bridgeLocal tagged=bridgeLocal untagged=e5work vlan-ids=7
add bridge=bridgeLocal tagged=bridgeLocal untagged=\
e7iot,e8iot,e9iot,e10iot,wlan5-iot vlan-ids=5
/interface ethernet switch vlan
add independent-learning=no ports=e2office switch=switch1 vlan-id=2
/interface list member
add interface=e1wan list=WAN
# NOTE(review): with a single bridge, "LAN" now covers every VLAN including IoT.
# Firewall rules for the IoT policy must match on the VLAN interfaces
# (e.g. in-interface=vlan5-iot-lan) or on a dedicated IoT interface list, not
# on bridgeLocal, or the IoT network inherits whatever the trusted VLANs get.
add interface=bridgeLocal list=LAN
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=bridgeLocal interfaces=\
wlan2-office
/ip address
add address=192.168.3.13/24 interface=e1wan network=192.168.3.0
add address=10.15.240.1/20 interface=vlan2-office network=10.15.240.0
add address=10.16.0.1/20 interface=vlan3-nas network=10.16.0.0
add address=10.16.16.1/20 interface=vlan4-lab network=10.16.16.0
add address=10.16.32.1/20 interface=vlan5-iot-lan network=10.16.32.0
add address=10.16.48.1/20 interface=vlan6-mgmt network=10.16.48.0
add address=10.16.64.1/20 interface=vlan7-work network=10.16.64.0
add address=10.16.80.1/20 interface=vlan5-iot-wlan network=10.16.80.0
/ip dhcp-client
# NOTE(review): default-config leftover -- a DHCP client on the LAN-side bridge.
# e1wan already has a static address above, so this serves no purpose, and
# with the client's defaults it would accept a default route and DNS servers
# from any DHCP server it hears on the bridge. Remove it.
add comment=defconf disabled=no interface=bridgeLocal
/ip dhcp-server network
add address=10.15.240.0/20 dns-server=\
10.15.240.1,192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9 domain=\
fox.home gateway=10.15.240.1 netmask=20
add address=10.16.0.0/20 dns-server=\
10.16.0.1,192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9 domain=fox.home \
gateway=10.16.0.1 netmask=20
add address=10.16.16.0/20 dns-server=\
10.16.16.1,192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9 domain=\
fox.home gateway=10.16.16.1 netmask=20
add address=10.16.32.0/20 dns-server=\
10.16.32.1,192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9 domain=\
fox.home gateway=10.16.32.1 netmask=20
add address=10.16.48.0/20 dns-server=\
10.16.48.1,192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9 domain=\
fox.home gateway=10.16.48.1 netmask=20
add address=10.16.64.0/20 dns-none=yes netmask=20
add address=10.16.80.0/20 netmask=20
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a resolver on every
# interface, including e1wan, and there is no input-chain firewall in this
# export to restrict it. Pair it with input rules that drop DNS from WAN.
set allow-remote-requests=yes servers=\
192.168.3.104,94.140.14.15,94.140.14.16,9.9.9.9
/lcd pin
# NOTE(review): the LCD PIN is a physical-access credential and is printed in
# clear text here; redact it before posting a config publicly.
set pin-number=6626
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set cpu-frequency=750MHz
mkx
November 8, 2020, 9:31am
5
Your VLAN setup is a mix of switch-chip and bridge-VLAN setups. While ROS doesn’t prevent you from doing it, it can end up with mysterious glitches. So rework the config to use only one approach (I’d suggest bridge-vlan as it is more readable and covers all types of interfaces, not only ethernet ones … it does come with a performance hit though).
bpwl
November 8, 2020, 9:46am
6
Still vlan5-iot-wlan not defined on the bridge but on the WLAN interface that is connected to the bridge.
Still switch and bridge VLAN definitions in the same config setup. (“interface ethernet switch vlan/port” + “interface bridge vlan”)
DHCP server on bridge, and DHCP leases not getting bound on WLAN is indeed known to happen in some cases, sometimes setting the STP protocol on the bridge from RSTP to none helps.
hndfx
November 8, 2020, 9:48am
7
Thank you
I think I don’t really understand what I need to change.
Is this the cause of the problem? How do I need to configure this and what does it do exactly?
PS: I made a new screenshot for my previous post to show how weird the WiFi DHCP behaves. In the previous screenshot the time was already down to 02:xx minutes because the WiFi laptop interface was already disconnected. When keeping it connected, the time jumps up to 10:0x over and over again (sometimes even over 10:00 which is the max. lease time).
See this screenshot:
bpwl
November 8, 2020, 10:24am
8
Don’t add screenshots, they are always a limited view, the config file is complete (but more difficult to read and understand)
Remove all reference to “interface ethernet switch” in your configuration. If you use bridge (what is OK) then don’t use switch configuration.
See http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 for config with bridge VLAN.
mkx
November 8, 2020, 10:25am
9
You should configure VLAN specific setting either:
for ethernet ports in /interface ethernet switch subtree and in /interface wireless for wireless
for all interfaces under /interface bridge subtree
definitely don’t mix the two.
In both cases you have to configure L2.5 interfaces under /interface vlan for VLANs which ROS needs to work with (e.g. running DHCP server, acting as default gateway, etc.)
hndfx
November 8, 2020, 1:43pm
10
Don’t add screenshots, they are always a limited view, the config file is complete (but more difficult to read and understand)
Remove all reference to “interface ethernet switch” in your configuration. If you use bridge (what is OK) then don’t use switch configuration.
See http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 for config with bridge VLAN.
Thank you, that was really helpful
I think post 3 in that thread is closest to what I want to achieve.
Still don’t understand everything but I’ll reset my device and give it a try configuring it via the CLI
hndfx
November 8, 2020, 1:44pm
11
You should configure VLAN specific setting either:
for ethernet ports in /interface ethernet switch subtree and in /interface wireless for wireless
for all interfaces under /interface bridge subtree
definitely don’t mix the two.
In both cases you have to configure L2.5 interfaces under /interface vlan for VLANs which ROS needs to work with (e.g. running DHCP server, acting as default gateway, etc.)
I think configuration on the bridge is easiest, right?
What do you mean by L2.5?
mkx
November 8, 2020, 5:44pm
12
Yup, bridge VLAN is easier.
By L2.5 I meant the following: according to OSI 7 layer model , layer 1 are electrical signals over copper wires (or photons through glass fibre or …), layer 2 are ethernet frames, layer 3 are IP packets, layer 4 are TCP or UDP datagrams and layer 5 are TCP/UDP connections (or sessions as they are called in linked article), etc. With VLANs you get something between ethernet and IP and I like to call that L2.5.