DHCP server on VLAN and 7.1beta3

Hello, I am trying to make the DHCP server assign addresses to members of VLAN 166, but I am unable
to make it work. This is with RouterOS 7.1beta3. My guess is that I’m missing something obvious, so I would
appreciate it if someone could have a look at my config below and tell me what I’ve done wrong…

Thanks in advance,
Rick

# dec/30/2020 23:26:07 by RouterOS 7.1beta3
# software id = G5ES-UNVF
#
# model = RB3011UiAS
# serial number = B8950C9801E6
#
# Layout as exported: one VLAN-filtering bridge (bridge1) with an 802.3ad trunk
# (bond1) as its only real member, two routed VLAN interfaces (VLAN7, VLAN166),
# a DHCP server on VLAN166, and policy routing of 192.168.166.100-199 into a
# WireGuard tunnel (table "vpn").
/interface bridge
# admin-mac 00:00:00:00:00:01 has the locally-administered bit (0x02 of the
# first octet) clear, i.e. it is formally a globally-assigned address; a
# locally administered one (first octet x2/x6/xA/xE) avoids clashing with a
# real vendor OUI.
add admin-mac=00:00:00:00:00:01 auto-mac=no name=bridge1 vlan-filtering=yes
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface vlan
# Routed VLAN interfaces hang off bridge1; with vlan-filtering=yes this needs
# bridge1 itself to be a tagged member of VIDs 7 and 166 in
# /interface bridge vlan (covered below by the 1-4094 entry).
add interface=bridge1 name=VLAN7 vlan-id=7
add interface=bridge1 name=VLAN166 vlan-id=166
/interface bonding
# NOTE(review): ether5/ether9/ether10 are bond slaves here and also appear as
# individual bridge ports further down - presumably leftovers that conflict;
# verify which of the two the ports actually follow.
add mode=802.3ad name=bond1 slaves=ether5,ether9,ether10
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface lte apn
set [ find default=yes ] apn=internet.it
add apn=internet.it ip-type=ipv4 name=windtre use-network-apn=no
/interface lte
set [ find ] allow-roaming=no apn-profiles=windtre name=lte1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Dynamic leases use .1-.99; .100-.199 is the "vpn" address list below
# (policy-routed hosts), so the two ranges do not overlap.
add name=dhcp_pool1 ranges=192.168.166.1-192.168.166.99
/ip dhcp-server
# disabled=no is printed explicitly (export only shows non-default values),
# so the server is enabled in this export.
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=VLAN166 lease-time=23h name=dhcp1
/ip vrf
add list=all name=main
/port
set 1 name=usb2
/routing table
add fib name=vpn
/interface bridge port
# NOTE(review): the defconf entries below carry no bridge= parameter, which
# presumably means they still point at a bridge that no longer exists (only
# bridge1 is defined) - check whether they show as invalid. bond1 is the only
# port explicitly attached to bridge1.
add comment=defconf interface=ether1
add comment=defconf interface=ether2
add comment=defconf interface=ether3
add comment=defconf interface=ether4
add comment=defconf interface=ether5
add comment=defconf interface=ether6
add comment=defconf interface=ether7
add comment=defconf interface=ether8
add comment=defconf interface=ether9
add comment=defconf interface=ether10
add comment=defconf interface=sfp1
add bridge=bridge1 interface=bond1
/interface bridge vlan
# Every VID 1-4094 is tagged on the trunk and towards the CPU (bridge1).
# Only VIDs 7 and 166 have a /interface vlan, so frames in any other VID -
# including VID 1, the default pvid where untagged ingress frames end up -
# reach the CPU tagged but are not routed anywhere.
add bridge=bridge1 tagged=bond1,bridge1 vlan-ids=1-4094
/interface list member
add interface=lte1 list=WAN
add comment=defconf interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
# Entries without interface= match nothing; harmless, but worth removing.
add list=VPN
# VLAN7 and VLAN166 are LAN members, which is what keeps their traffic out of
# the "drop all not coming from LAN" input rule below.
add interface=VLAN166 list=LAN
add interface=VLAN7 list=LAN
add interface=wireguard1 list=VPN
add list=WAN
/interface wireguard peers
# allowed-address=0.0.0.0/0: any source address is accepted from this peer and
# the tunnel may carry a default route (see /ip route, table vpn). Endpoint
# 1.2.3.4 and the key are placeholders in the posted export.
add allowed-address=0.0.0.0/0 endpoint-address=1.2.3.4 endpoint-port=51820 interface=wireguard1 persistent-keepalive=25s public-key=\
    "redacted"
/ip address
# ether1 carries a routed address directly although it is also listed as a
# (bridge-less) bridge port above.
add address=192.168.1.5/24 interface=ether1 network=192.168.1.0
add address=192.168.7.254/24 interface=VLAN7 network=192.168.7.0
add address=192.168.166.254/24 interface=VLAN166 network=192.168.166.0
add address=192.168.69.253/24 interface=wireguard1 network=192.168.69.0
/ip dhcp-client
# No interface= is shown for the defconf client - verify which interface it is
# bound to (ether1 already has a static address above).
add comment=defconf disabled=no
/ip dhcp-server network
# 8.8.8.4 is not a Google Public DNS resolver (those are 8.8.8.8 and 8.8.4.4);
# most likely a typo for 8.8.4.4 - verify.
add address=192.168.166.0/24 dns-server=8.8.8.8,8.8.8.4 gateway=192.168.166.254
/ip dns
set servers=8.8.8.8
/ip firewall address-list
# Hosts in this range get routing-mark vpn (see mangle) and leave via wireguard1.
add address=192.168.166.100-192.168.166.199 list=vpn
/ip firewall filter
# Input chain: stateful accept, drop invalid, ICMP, loopback (CAPsMAN), then
# drop+log everything not arriving from the LAN list. VLAN166 is in LAN, so
# DHCP requests arriving on VLAN166 are not blocked by this chain.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Redundant: VLAN7 is in the LAN list, so its traffic passes the !LAN drop anyway.
add action=accept chain=input comment="traffic from VLAN7" in-interface=VLAN7 protocol=tcp
# Forward chain: only the single samba flow may go VLAN166 -> LAN; everything
# else from VLAN166 towards the LAN list is dropped. Because this drop sits
# before the established/related and fasttrack rules, replies of connections
# opened from LAN towards VLAN166 are dropped as well. VLAN166 -> WAN and
# VLAN166 -> wireguard1 (VPN list) are not restricted here.
add action=accept chain=forward comment="samba access" dst-address=192.168.7.13 dst-port=139,445 protocol=tcp src-address=192.168.166.243
add action=drop chain=forward comment="drop from VLAN166" in-interface=VLAN166 log=yes out-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Last rule: new flows from WAN that were not DST-NATed are dropped.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# Source-based policy routing: members of the "vpn" list are marked so the
# default route in table vpn below applies to them.
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=no src-address-list=vpn
/ip firewall nat
# Masquerade only towards WAN. Traffic leaving via wireguard1 keeps its
# 192.168.166.x source, so the remote peer has to route that prefix back
# (or NAT it) - verify on the peer side.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=vpn

Not sure if this is legal to do with bridges???
add bridge=bridge1 interface=bond1
/interface bridge vlan
add bridge=bridge1 tagged=bond1

No idea what you are trying to accomplish with this??
vlan-ids=1-4094

This router has a trunk over bond1 to the switch that distributes VLANs around.
Anyway, it works as expected, except for DHCP… VLAN 166 reaches the RB3011
through the trunk.

Maybe I need some advice here, as I never configured VLANs on RouterOS before.

So the scenario is, I have these VLANs reachable through the trunk bond1.
I need inter-vlan routing between them, and need VLAN 166 to get IP addresses assigned through DHCP.

Can you suggest the proper configuration for this?

Thanks in advance,
Rick

Perhaps my error is this:

add interface=bridge1 name=VLAN166 vlan-id=166

I should instead use:

add interface=bond1 name=VLAN166 vlan-id=166

I have reviewed the config; it should be correct (I have checked the documentation), but DHCP still does not work.
Could this be a 7.1beta3 bug?

Rick

# dec/31/2020 12:36:47 by RouterOS 7.1beta3
# software id = G5ES-UNVF
#
# model = RB3011UiAS
# serial number = B8950C9801E6
#
# Second export: same VLAN-filtering bridge (bridge1) and 802.3ad trunk (bond1),
# but the bridge VLAN table now lists only VIDs 166 and 7, the bond slaves are no
# longer bridge ports, and an input rule for DHCP on bridge1 was added.
# lte1 and wireguard1 are referenced below but their interface sections are not
# part of this export - presumably trimmed from the paste.
/interface bridge
# admin-mac 00:00:00:00:00:01 has the locally-administered bit (0x02 of the
# first octet) clear; a locally administered address (first octet x2/x6/xA/xE)
# is the conventional choice for a hand-picked bridge MAC.
add admin-mac=00:00:00:00:00:01 auto-mac=no name=bridge1 vlan-filtering=yes
/interface vlan
# Routed VLAN interfaces on bridge1; bridge1 is a tagged member of both VIDs in
# /interface bridge vlan below, which is what VLAN filtering requires.
add interface=bridge1 name=VLAN7 vlan-id=7
add interface=bridge1 name=VLAN166 vlan-id=166
/interface bonding
add mode=802.3ad name=bond1 slaves=ether5,ether9,ether10
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.166.1-192.168.166.99
/ip dhcp-server
# No disabled=no here: as exported, this server is administratively disabled
# (export prints only non-default values, and disabled=no did show up when it
# was enabled).
add address-pool=dhcp_pool1 authoritative=after-2sec-delay interface=VLAN166 lease-time=23h name=dhcp1
/ip vrf
add list=all name=main
/interface bridge port
# NOTE(review): the defconf entries still carry no bridge= parameter -
# presumably pointing at a bridge that no longer exists; check for invalid
# flags. The bond slaves (ether5/9/10) are no longer listed as ports, so bond1
# is the only port attached to bridge1.
add comment=defconf interface=ether1
add comment=defconf interface=ether2
add comment=defconf interface=ether3
add comment=defconf interface=ether4
add comment=defconf interface=ether6
add comment=defconf interface=ether7
add comment=defconf interface=ether8
add bridge=bridge1 interface=bond1
/interface bridge vlan
# Only VIDs 166 and 7 are tagged on bond1 and towards the CPU (bridge1).
# There is no entry for VID 1 (bond1 keeps the default pvid), so untagged
# frames arriving on the trunk presumably land in VID 1 and reach the CPU via
# bridge1 itself, not via VLAN166 - verify with a sniff on both interfaces.
add bridge=bridge1 tagged=bridge1,bond1 vlan-ids=166
add bridge=bridge1 tagged=bridge1,bond1 vlan-ids=7
/interface list member
add interface=lte1 list=WAN
add comment=defconf interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
# ether5/ether9/ether10 are bond1 slaves; traffic from them is seen as bond1
# (or VLAN7/VLAN166), so these three memberships presumably never match.
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
# Entries without interface= match nothing; harmless, but worth removing.
add list=VPN
add list=LAN
add list=LAN
add interface=wireguard1 list=VPN
add list=WAN
# bridge1 itself is NOT a LAN member; see the DHCP input rule below.
add interface=VLAN166 list=LAN
add interface=VLAN7 list=LAN
/ip address
# ether1 carries a routed address directly although it is also listed as a
# (bridge-less) bridge port above.
add address=192.168.1.5/24 interface=ether1 network=192.168.1.0
add address=192.168.69.253/24 interface=wireguard1 network=192.168.69.0
add address=192.168.166.254/24 interface=VLAN166 network=192.168.166.0
add address=192.168.7.254/24 interface=VLAN7 network=192.168.7.0
/ip dhcp-client
# No interface= is shown for the defconf client - verify which interface it is
# bound to (ether1 already has a static address above).
add comment=defconf disabled=no
/ip dhcp-server network
# 8.8.8.4 is not a Google Public DNS resolver (those are 8.8.8.8 and 8.8.4.4);
# most likely a typo for 8.8.4.4 - verify.
add address=192.168.166.0/24 dns-server=8.8.8.8,8.8.8.4 gateway=192.168.166.254
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=192.168.166.100-192.168.166.199 list=vpn
/ip firewall filter
# Input chain: stateful accept, drop invalid, ICMP, loopback (CAPsMAN), then
# drop+log everything not arriving from the LAN list. VLAN166 is a LAN member,
# so DHCP arriving on VLAN166 never hits that drop.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Redundant: VLAN7 is in the LAN list, so its traffic passes the !LAN drop anyway.
add action=accept chain=input comment="traffic from VLAN7" in-interface=VLAN7 protocol=tcp
# Forward chain: only the single samba flow may go VLAN166 -> LAN; everything
# else from VLAN166 towards the LAN list is dropped, and because this sits
# before the established/related and fasttrack rules, replies of connections
# opened from LAN towards VLAN166 are dropped as well.
add action=accept chain=forward comment="samba access" dst-address=192.168.7.13 dst-port=139,445 protocol=tcp src-address=192.168.166.243
add action=drop chain=forward comment="drop from VLAN166" in-interface=VLAN166 log=yes out-interface-list=LAN
# This only matches DHCP that reaches the CPU on bridge1 itself (untagged /
# VID 1 frames), not requests arriving on VLAN166. It has to sit before the
# !LAN drop because bridge1 is not in the LAN list. It does not make such
# requests visible to the dhcp1 server, which listens on VLAN166.
add action=accept chain=input comment=DHCP in-interface=bridge1 protocol=udp src-port=68
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Last rule: new flows from WAN that were not DST-NATed are dropped.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade only towards WAN; no mangle/route sections appear in this export,
# so the "vpn" address list above is unused as far as this paste shows.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

The bridge MAC address is not quite right; you should use a proper locally administered MAC address. Probably not a show stopper, but one never knows.

You may want to add firewall filter rule allowing UDP port 68 traffic from in-interface=VLAN166 … probably not necessary, but the similar rule regarding in-interface=bridge surely doesn’t help in this particular case.

DHCP servers are disabled by default in RouterOS. As your export doesn’t show disabled=no on the /ip dhcp-server row, it is administratively disabled. Some other configuration items are enabled by default, in yet other ones the name of the parameter is enabled instead of disabled, so it is quite easy to get confused.

It was enabled, just not when I captured the config, so it’s not that unfortunately… anything else that may come to mind? I also checked the firewall and there are no packets dropped by any rule.

I’d use logging and sniffing to see what’s going on.

The bonding is implemented completely in software on the 3011, so try sniffing on all three Ethernet ports as well as the VLAN one:
tool/sniffer/quick interface=ether5,ether9,ether10,VLAN166 port=67,68

Logging:
/system/logging/add topics=dhcp
/log/print follow-only

Nothing in your configuration seems wrong to me. A similar configuration between two CHR running 7.1beta3 (bond in LACP mode runs over two EoIP links) works fine.

What kind of switch is connected at the other end of your LAG (= bond in 802.3ad mode)?

A CSS610-8G-2S+IN 8p.Gig + 2p.SFP+

I enabled the tracing and power-cycled an Amazon Echo; I see the DHCP request coming in, but it is received by bridge1 and not by VLAN166…

  ether9   41.473  251  <-  F0:F0:A4:76:4E:FF  FF:FF:FF:FF:FF:FF  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp  356  0  no
  bridge1  41.473  247  <-  F0:F0:A4:76:4E:FF  FF:FF:FF:FF:FF:FF  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp  356  0  no
  bridge1  41.473  248  <-  F0:F0:A4:76:4E:FF  FF:FF:FF:FF:FF:FF  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp  356  1  no
  ether10  41.473  250  <-  F0:F0:A4:76:4E:FF  FF:FF:FF:FF:FF:FF  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp  356  0  no
  bridge1  41.473  249  <-  F0:F0:A4:76:4E:FF  FF:FF:FF:FF:FF:FF  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp  356  0  no

It means that the DHCPDISCOVER arrives tagless through the LAG, so concentrate on the VLAN handling in the CSS610-xxx. I have no idea how the Amazon thing works, but e.g. most Windows network drivers strip the VLAN header from received frames, so networking keeps working even if untagging is configured wrong on the switch in the egress direction. The ACL in the CSS610-xxx doesn’t seem to allow specific handling of DHCPDISCOVER packets, but who knows.

Can you post screenshots of LAG, VLAN, VLANs, and ACL tabs from the CSS610, and indicate to which port the Amazon thing is connected and which ports are connected to the 3011 (and double check that the Amazon box is really plugged to the port to which you intended to plug it)?

Actually, the DHCP server is meant to serve DHCP requests coming from the wifi clients.
Currently, I have a Mikrotik BaseBox2 which is used for IoT clients. It runs DHCP server for VLAN166.
I am trying to replace this DHCP server and use the RB3011 instead, hence this post.
The BaseBox2 is not directly connected to the CSS610, but rather to a CSS326 which in turn has a fiber connection to the CSS610.
The CSS610 then has the LACP trunk to the RB3011.
Trying to get some screenshots now.

So it seems the screenshots from the CSS610 alone are not sufficient, the network diagram all the way from the Amazon box to the 3011 is necessary, and those screenshots from both CSS. I won’t be surprised if you find the issue while gathering these data :slightly_smiling_face:

Here are the screenshots from the relevant tabs and a hand-written diagram :slight_smile:
css326_vlan.jpg
css326_link.jpg
css326_vlans.jpg
CSS610_link.jpg
CSS610_vlan.jpg
CSS610_vlans.jpg
CSS610_lag.jpg
diagram.jpg

Forgot to tell . I have no ACLs in place, that’s why I did not post these screenshots!

Hm, so the last thing that comes to my mind is the configuration of the Basebox. Both CSS have VLAN mode set to optional on all ports, which means that if something comes tagged with VID 1 from the Basebox, it will make it through the two CSS all the way to the 3011, and it will already get untagged on the Interconnect link at the CSS326.

As you say that everything else but the DHCP works fine, what happens if you sniff other traffic of the clients when their addresses are assigned by the Basebox? Does this “normal” (=non-DHCP) traffic arrive tagged to the 3011? Vice versa, if you connect a wired DHCP client to one of the access ports to VLAN 166 at the CSS326 and sniff on the 3011, does the DHCPDISCOVER come tagged or not?

Interesting theory, however, I have no VLANs defined in config on the basebox, and also I have forced VLAN 166 on the CSS326 on that port (see screenshots).
Everything works as expected on the VLAN side anyways. Everything but DHCP…

Rick

Sniffed on the basebox (Schifo AP) and this seems to indicate you were indeed right:

admin@schifo_AP] > /tool sniffer quick interface=bridge-local port 67
INTERFACE        TIME    NUM DIR SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE CPU FP 
bridge-local    1.013      3 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local    2.013      4 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local    3.013      5 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local    3.018      6 <-  48:8F:5A:47:0E:C7 FF:FF:FF:FF:FF:FF 1      192.168.88.1:67 (bootps)            255.255.255.255:68 (bootpc)         ip:udp      346   0 no 
bridge-local    4.013      7 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local    4.017      8 <-  48:8F:5A:47:0E:C7 FF:FF:FF:FF:FF:FF 1      192.168.88.1:67 (bootps)            255.255.255.255:68 (bootpc)         ip:udp      346   0 no 
bridge-local    5.013      9 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local    6.013     10 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local    7.014     11 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local    7.018     12 <-  48:8F:5A:47:0E:C7 FF:FF:FF:FF:FF:FF 1      192.168.88.1:67 (bootps)            255.255.255.255:68 (bootpc)         ip:udp      346   0 no 
bridge-local    8.013     13 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local    8.017     14 <-  48:8F:5A:47:0E:C7 FF:FF:FF:FF:FF:FF 1      192.168.88.1:67 (bootps)            255.255.255.255:68 (bootpc)         ip:udp      346   0 no 
bridge-local    9.013     15 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local   10.013     16 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local   11.013     17 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local   11.017     18 <-  48:8F:5A:47:0E:C7 FF:FF:FF:FF:FF:FF 1      192.168.88.1:67 (bootps)            255.255.255.255:68 (bootpc)         ip:udp      346   0 no 
bridge-local   12.013     19 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local   12.017     20 <-  48:8F:5A:47:0E:C7 FF:FF:FF:FF:FF:FF 1      192.168.88.1:67 (bootps)            255.255.255.255:68 (bootpc)         ip:udp      346   0 no 
bridge-local   13.013     21 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no 
bridge-local   14.013     22 <-  48:8F:5A:F9:02:96 FF:FF:FF:FF:FF:FF 1      0.0.0.0:68 (bootpc)                 255.255.255.255:67 (bootps)         ip:udp      346   0 no

So it looks like VLAN ID 1 is actually used. How can I ensure that no VLAN tag is added on egress from the Basebox, so that VID 166 can be added by the CSS326?

Do you really expect me to advise anything without seeing the Basebox configuration export :slightly_smiling_face: ?