Different DHCP Pool for VLANs

asintado08 · August 25, 2020, 7:28pm

I am currently using RB3011.
Unifi AP is connected in Ether10.
There are two SSIDs on the Unifi AP. One of the SSID automatically assign VLAN ID 10 to it.
I would like all the devices under that SSID to be connected in a different DHCP Pool.
I would like the Unifi AP to be on the main DHCP Pool. Only clients should be on the different DHCP Pool.

I’m trying to follow this guide but all my devices going to the untag SSID gets the 10.0.5.0/24 IP. The untag SSID should still go to 10.0.0.0/23 pool. http://forum.mikrotik.com/t/dhcp-over-bridge-vlan/119426/1
All the connection to the SSID that has VLAD ID 10 to it is not able to get IPs.

This is the part I don’t understand.

/interface bridge vlan
add bridge=bridge-trunk tagged=ether10,bridge-trunk vlan-ids=10

I’m not sure if I’m tagging this correctly.

Is it also possible to not to remove the ether10 to the main bridge?

/interface bridge
add name=bridge-trunk protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge-trunk name=vlan10 vlan-id=10
/ip pool
add name=wireless ranges=10.0.5.100-10.0.5.200
/ip dhcp-server
add address-pool=wireless disabled=no interface=bridge-trunk name=dhcp-wireless
/interface bridge port
add bridge=bridge-trunk interface=vlan10
add bridge=bridge-trunk interface=ether10
/interface bridge vlan
add bridge=bridge-trunk tagged=ether10,bridge-trunk vlan-ids=10
/ip address
add address=10.0.5.1/24 interface=bridge-trunk network=10.0.5.
/ip dhcp-server network
add address=10.0.5.1/24 gateway=10.0.5.1 netmask=24

mkx · August 28, 2020, 2:49pm

Your VLAN setup is pretty much botched. Read through this tutorial, it should help set VLANs right.

IPAsupport · August 28, 2020, 5:28pm

Your config is putting the pool in the trunk port, not in the VLAN

asintado08 · September 1, 2020, 1:44am

I was able to fix this. My issue right now is, I cannot access the devices on my LAB Network (10.1.1.0/24) from LAN Network (10.1.2.0/24)

I was using the switch based VLAN before and I still have the same issue. I created another software based vlans, same issue as well.

IP Route looks good.

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 152.32.64.113 1
1 ADC 10.1.1.0/24 10.1.1.1 VLAN10 0
2 ADC 10.1.2.0/24 10.1.2.1 bridge1 0
3 ADC 10.1.3.0/24 10.1.3.1 VLAN30 0
4 ADC 10.1.5.0/24 10.1.5.1 VLAN50 0
5 ADC xxxxxx xxxxxxx WAN1 0

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN30 vlan-id=30
add interface=bridge1 name=VLAN50 vlan-id=50
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Pool-LAN ranges=10.1.2.100-10.1.2.200
add name=Pool-Wireless ranges=10.1.3.100-10.1.3.200
add name=Pool-Guest ranges=10.1.5.100-10.1.5.200
add name=Pool-Lab ranges=10.1.1.100-10.1.1.200
/ip dhcp-server
add address-pool=Pool-LAN disabled=no interface=bridge1 name=DHCP-LAN
add address-pool=Pool-Guest disabled=no interface=VLAN50 name=DHCP-Guest
add address-pool=Pool-Lab disabled=no interface=VLAN10 name=DHCP-Lab
add address-pool=Pool-Wireless disabled=no interface=VLAN30 name=DHCP-Wireless
/interface bridge port
add bridge=bridge1 hw=no interface=ether3 pvid=10
add bridge=bridge1 hw=no interface=ether4 pvid=10
add bridge=bridge1 hw=no interface=ether5 pvid=10
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 hw=no interface=ether8
add bridge=bridge1 hw=no interface=ether9
add bridge=bridge1 hw=no interface=ether10
add bridge=bridge1 hw=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 vlan-ids=50
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 vlan-ids=30
add bridge=bridge1 tagged=bridge1 untagged=ether3,ether4,ether5 vlan-ids=10
/interface list member
add interface=WAN2 list=WAN
add interface=WAN1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=xxxxxxxxx interface=WAN1 network=xxxxxxxx
add address=10.1.2.1/24 comment=LAN interface=bridge1 network=10.1.2.0
add address=10.1.5.1/24 comment=Guest interface=VLAN50 network=10.1.5.0
add address=10.1.1.1/24 comment=LAB interface=VLAN10 network=10.1.1.0
add address=10.1.3.1/24 comment=Wireless interface=VLAN30 network=10.1.3.0
/ip dhcp-server network
add address=10.1.1.0/24 comment=LAB gateway=10.1.1.1 netmask=24
add address=10.1.2.0/24 comment=LAN gateway=10.1.2.1 netmask=24
add address=10.1.3.0/24 comment=Wireless gateway=10.1.3.1 netmask=24
add address=10.1.5.0/24 comment=Guest gateway=10.1.5.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
/ip route
add distance=1 gateway=xxxxxxxxxxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Manila
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anav · September 1, 2020, 11:56am

Not sure what you are expecting out of that config but what you are getting is…

(1) Vlan 10 frames getting assigned to all incoming traffic from ports 3,4,5 (assuming these must have non vlan aware devices attached which need to be on vlan 10 after hitting the switch).
(2) VLAN 30 and VLAN 50 are distributed to each of the trunk ports 6,7,8,9,10, spf1 (note you could have doubled up on the vlan ids for only one line of config as they are identical in terms of tagged ports)
(3) What is not clear to me is how or what the bridge assigns addresses to??
Its been awhile and I prefer not to use the bridge to assign addresses, dhcp etc…

For example if I wanted a home or management network LAN I would call it in this case vlan 2
and change everything from dhcp lan to vlan2 except of course vlan2 would be part of the bridge.
then it would be clear to me where you assign vlan2 in bridge ports and bridge vlans.