Help Needed: Setting up DHCP in VLAN topology

Hey All,

We have 6 routerboard (411) access points in our office, and we recently purchased a RouterBoard 1100X2 to act as our router for the segmented network.

I have configured the wireless access points to support two SSIDs (Main and Guest), and each of those has been allocated to a VLAN.

On the Access Points, I have a single (ether1) and a single (wlan1). I have added a VirtualAP to the wlan1 (VirtualAP is called wlan2, and has the Guest SSID on it). I’ve created two VLANs (101 and 105) which are attached to ether1. I’ve also created two bridges (br-vlan101 and br-vlan105) - where each bridge contains a wlan and a vlan respectively. This, I think, seems to be working, and devices connected to the Guest network seem to have traffic on vlan105, and devices connected to the main network seem to have traffic on vlan101.

Now, the bit I’m having problems with. Initially, when we configured the Routerboard, we had the first 5 ether ports all with their own DHCP server, each with their own range (10.1.x.x on port 1, 10.2.x.x on port 2, etc..).

What I’m after is attaching the DHCP server to a VLAN, effectively, so all clients coming in on vlan101 (main) are put into a particular subnet, and all clients coming in from vlan105 (guest) are allocated to a different subnet. From the DHCP server, I can choose a wlan as an interface, but as soon as I do that it highlights in red, and shows ‘I’ (Invalid).

Am I completely mad in my thinking here? I think DHCP operates slightly disjoint from the VLAN level, but I was hoping the Routerboard would be able to cope!

If you need any info, please let me know - otherwise a basic topology of how to link these together should get me going.


Thanks in advance :slight_smile:

-Andy

Bit of a bump as it’s bottom of page before it got approved by the moderator :slight_smile:

We’re also investigating other channels for help on this - does anyone know if there is a UK company who would be able to provide configuration assistance on this. It’s a fairly urgent requirement.

Cheers
Andy

If you have the VLAN in a bridge you have to put the DHCP server on the bridge. You can’t put a DHCP server on an interface that is in a bridge.

Can you post /interfaces export

Hey,

Thanks for your response. We’ve been trying around different settings, and a chap who has worked quite a bit with Mikrotik equipment previously has been trying things - so it’s perhaps not exactly the same as it was when I made my original post. Hopefully you can understand our intent from the original post, and see how far off the mark we are! :slight_smile:

Cheers
Andy

-----------------------------------------------------------------------------------------------------------

The Router config (RB1100) is configured as follows:

-----------------------------------------------------------------------------------------------------------

[admin@MM-ROUTER-01] > /interface export
# jan/02/1970 04:59:46 by RouterOS 5.16
# software id = WR68-3GHY
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 mac-address=D4:CA:6D:32:E3:95 mtu=1500 name=ether12 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 mac-address=D4:CA:6D:32:E3:96 mtu=1500 name=ether13 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:32:E3:8A master-port=none mtu=1500 \
    name=ether1 speed=1Gbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:32:E3:8B master-port=none mtu=1500 \
    name=ether2 speed=1Gbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:32:E3:8C master-port=none mtu=1500 \
    name=ether3 speed=1Gbps
set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:32:E3:8D master-port=none mtu=1500 \
    name=ether4 speed=1Gbps
set 6 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:32:E3:8E master-port=none mtu=1500 \
    name=ether5 speed=1Gbps
set 7 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:32:E3:8F master-port=none mtu=1500 \
    name=ether6 speed=100Mbps
set 8 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:32:E3:90 master-port=none mtu=1500 \
    name=ether7 speed=100Mbps
set 9 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:32:E3:91 master-port=none mtu=1500 \
    name=ether8 speed=100Mbps
set 10 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:32:E3:92 master-port=none mtu=1500 \
    name=ether9 speed=100Mbps
set 11 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:32:E3:93 master-port=none mtu=1500 \
    name=ether10 speed=100Mbps
set 12 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 mac-address=D4:CA:6D:32:E3:94 mtu=1500 name=ether11 speed=100Mbps
/interface vlan
add arp=enabled disabled=no interface=ether2 l2mtu=1594 mtu=1500 name=vlan101 use-service-tag=no vlan-id=101
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch2
set 1 mirror-source=none mirror-target=none name=switch1
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=disabled
set 1 vlan-header=leave-as-is vlan-mode=disabled
set 2 vlan-header=leave-as-is vlan-mode=disabled
set 3 vlan-header=leave-as-is vlan-mode=disabled
set 4 vlan-header=leave-as-is vlan-mode=disabled
set 5 vlan-header=leave-as-is vlan-mode=disabled
set 6 vlan-header=leave-as-is vlan-mode=disabled
set 7 vlan-header=leave-as-is vlan-mode=disabled
set 8 vlan-header=leave-as-is vlan-mode=disabled
set 9 vlan-header=leave-as-is vlan-mode=disabled
set 10 vlan-header=leave-as-is vlan-mode=disabled
set 11 vlan-header=leave-as-is vlan-mode=disabled
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 mac-address=FE:80:AE:A2:45:5D max-mtu=1500 mode=ip \
    netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled port=443 \
    verify-client-certificate=no
[admin@MM-ROUTER-01] > 



-----------------------------------------------------------------------------------------------------------

The Wifi Access Point (411) is configured as follows:

-----------------------------------------------------------------------------------------------------------

[admin@MikroTik] > /interface export
# jan/04/1970 04:27:18 by RouterOS 5.16
# software id = NKKR-1X29
#
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 \
    name=vlan101 priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1526 \
    mac-address=00:0C:42:C0:0E:BD mtu=1500 name=ether1 speed=100Mbps
/interface vlan
add arp=enabled disabled=no interface=ether1 l2mtu=1522 mtu=1500 name=vlan1 \
    use-service-tag=no vlan-id=101
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled management-protection-key="" mode=\
    dynamic-keys name=default radius-eap-accounting=no radius-mac-accounting=\
    no radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
    none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
    password wpa2-pre-shared-key=password
/interface wireless
set 0 adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 area="" \
    arp=enabled band=2ghz-b/g/n basic-rates-a/g=6Mbps basic-rates-b=1Mbps \
    bridge-mode=enabled channel-width=20mhz compression=no country=\
    "united kingdom" default-ap-tx-limit=0 default-authentication=yes \
    default-client-tx-limit=0 default-forwarding=yes dfs-mode=none \
    disable-running-check=no disabled=no disconnect-timeout=3s distance=\
    indoors frame-lifetime=0 frequency=2442 frequency-mode=regulatory-domain \
    frequency-offset=0 hide-ssid=no ht-ampdu-priorities=0 ht-amsdu-limit=8192 \
    ht-amsdu-threshold=8192 ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-guard-interval=long \
    ht-rxchains=0,1 ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-\
    6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-1\
    7,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" ht-txchains=0,1 \
    hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=7 l2mtu=2290 mac-address=\
    00:0C:42:51:BA:C9 max-station-count=2007 mode=ap-bridge mtu=1500 \
    multicast-helper=default name=wlan1 noise-floor-threshold=default \
    nv2-cell-radius=30 nv2-noise-floor-offset=default nv2-preshared-key="" \
    nv2-qos=default nv2-queue-count=2 nv2-security=disabled \
    on-fail-retry-time=100ms periodic-calibration=default \
    periodic-calibration-interval=60 preamble-mode=both \
    proprietary-extensions=post-2.9.25 radio-name=MM-AP-6 rate-selection=\
    advanced rate-set=default scan-list=default security-profile=default \
    ssid="" station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-power=17 tx-power-mode=\
    card-rates update-stats-interval=disabled wds-cost-range=50-150 \
    wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=\
    disabled wireless-protocol=any wmm-support=disabled
add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes disable-running-check=no disabled=no hide-ssid=no l2mtu=2290 \
    mac-address=02:0C:42:51:BA:C9 master-interface=wlan1 max-station-count=\
    2007 mtu=1500 multicast-helper=default name=AndyGuest \
    proprietary-extensions=post-2.9.25 security-profile=default ssid=\
    AndyGuest update-stats-interval=disabled wds-cost-range=0 \
    wds-default-bridge=none wds-default-cost=0 wds-ignore-ssid=no wds-mode=\
    disabled wmm-support=disabled
add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes disable-running-check=no disabled=no hide-ssid=no l2mtu=2290 \
    mac-address=02:0C:42:51:BA:CA master-interface=wlan1 max-station-count=\
    2007 mtu=1500 multicast-helper=default name=AndyTest \
    proprietary-extensions=post-2.9.25 security-profile=default ssid=\
    ANdyTestWifI update-stats-interval=disabled wds-cost-range=0 \
    wds-default-bridge=none wds-default-cost=0 wds-ignore-ssid=no wds-mode=\
    disabled wmm-support=disabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=no framer-limit=\
    3200 framer-policy=none
/interface bridge port
add bridge=vlan101 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=vlan1 path-cost=10 point-to-point=auto priority=0x80
add bridge=vlan101 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=AndyGuest path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
    default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=FE:EF:AE:D9:75:60 \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
[admin@MikroTik] > 


-----------------------------------------------------------------------------------------------------------

Could you also post /ip dhcp-server export

We plan to extend this out to 10 subnets in total; currently we’re just using 5 for testing. The plan is to segregate the various VLANs/subnets onto their own interface/IP range. We have 7 companies we have invested in that are going to be partitioned into their own subnet, with access only to the shared (10.1.x.x) range and the internet (pushed via 10.13.x.x to a Watchguard firewall, then out). We’ll have some rules to stop traffic crossing the other subnets.

If any of this sounds ridiculous, please feel free to tell me that too! :smiley:

Cheers,
Andy

[admin@MM-ROUTER-01] > /ip dhcp-server export
# jan/02/1970 05:46:31 by RouterOS 5.16
# software id = WR68-3GHY
#
/ip dhcp-server
add address-pool="DHCP Pool - 1" authoritative=after-2sec-delay disabled=no \
    interface=ether1 lease-time=3d name="DHCP Server - 1"
add address-pool="DHCP Pool - 2" authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether2 lease-time=3d name="DHCP Server - 2"
add address-pool="DHCP Pool - 3" authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether3 lease-time=3d name="DHCP Server - 3"
add address-pool="DHCP Pool - 4" authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether4 lease-time=3d name="DHCP Server - 4"
add address-pool="DHCP Pool - 5" authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=ether5 lease-time=3d name="DHCP Server - 5"
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=10.1.0.0/16 dhcp-option="" dns-server=8.8.8.8 gateway=10.1.0.1 \
    netmask=16 ntp-server="" wins-server=""
add address=10.2.0.0/16 dhcp-option="" dns-server=8.8.8.8 gateway=10.2.0.1 \
    ntp-server="" wins-server=""
add address=10.3.0.0/16 dhcp-option="" dns-server=8.8.8.8 gateway=10.3.0.1 \
    ntp-server="" wins-server=""
add address=10.4.0.0/16 dhcp-option="" dns-server=8.8.8.8 gateway=10.4.0.1 \
    ntp-server="" wins-server=""
add address=10.5.0.0/16 dhcp-option="" dns-server=8.8.8.8 gateway=10.5.0.1 \
    ntp-server="" wins-server=""
[admin@MM-ROUTER-01] >
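The inter-subnet restrictions described in the plan above (tenant subnets reach only the shared 10.1.x.x range and the internet, never each other) are not in any of the posted exports, so here is an added example of how they could be expressed on the RB1100 in RouterOS 5.x firewall syntax. It is not config from the thread: the tenant ranges 10.2.0.0/16 to 10.4.0.0/16, the guest range 10.5.0.0/16 and the assumption that the 10.13.x.x link to the Watchguard sits on ether13 are all made up for illustration, and the list names are arbitrary.

```routeros
# Added example (not from the thread). Assumed layout:
#   10.1.0.0/16  shared services, reachable by every tenant
#   10.2-10.4.0.0/16  one /16 per tenant (add one entry per tenant VLAN)
#   10.5.0.0/16  guest wifi
#   ether13      assumed link towards the 10.13.x.x Watchguard / internet
/ip firewall address-list
add list=shared  address=10.1.0.0/16
add list=tenants address=10.2.0.0/16 comment="tenant A (assumed)"
add list=tenants address=10.3.0.0/16 comment="tenant B (assumed)"
add list=tenants address=10.4.0.0/16 comment="tenant C (assumed)"
add list=guest   address=10.5.0.0/16

/ip firewall filter
# Routed traffic between VLANs passes the forward chain. Order matters:
# the first matching rule wins, so allow replies, then drop the
# cross-tenant paths, then allow the specific destinations that remain.
add chain=forward connection-state=established,related action=accept \
    comment="replies to already-allowed sessions"
add chain=forward connection-state=invalid action=drop
add chain=forward src-address-list=tenants dst-address-list=tenants \
    action=log log-prefix="xtenant-drop " comment="log cross-tenant attempts"
add chain=forward src-address-list=tenants dst-address-list=tenants action=drop
add chain=forward src-address-list=tenants dst-address-list=shared action=accept
add chain=forward src-address-list=tenants out-interface=ether13 action=accept \
    comment="tenant -> Watchguard / internet (ether13 is assumed)"
# Guest gets the internet link only: no shared services, no tenants.
add chain=forward src-address-list=guest out-interface=ether13 action=accept
add chain=forward src-address-list=guest action=drop
# Anything not explicitly allowed above is dropped.
add chain=forward action=drop comment="default deny between subnets"

# The router itself: hand out DHCP and answer nothing else to guests,
# and only accept management from the shared range.
add chain=input connection-state=established,related action=accept
add chain=input protocol=udp dst-port=67 action=accept comment="DHCP requests"
add chain=input src-address-list=shared protocol=tcp dst-port=22,8291 \
    action=accept comment="ssh/winbox from shared range only"
add chain=input action=drop
```

Two caveats worth checking against the posted exports. First, the forward chain only sees traffic that is routed on the RB1100; two guest clients on the same access point never reach it, because the AP bridges them at layer 2, and the AP export above has `default-forwarding=yes` on every wireless interface, so set `default-forwarding=no` on the guest VirtualAP if guest clients should be isolated from each other. Second, `/interface bridge settings use-ip-firewall=no` is also in both exports, which is correct for this design: the router's VLAN interfaces should be routed, not bridged, so that every cross-subnet packet is forced through these rules. Verify the rules with `/ip firewall filter print stats` while a tenant host pings another tenant's gateway; the cross-tenant drop counter should increment and the log should show the `xtenant-drop` prefix.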

Hey,

So, this week is the make or break week for this project - and I’m really trying to get the thumbs up to go with Mikrotik - but I’m not sure given current problems that I can.

Does anyone have any ideas if what we’re trying to achieve is even possible with the Mikrotik gear we have?

Cheers,
Andy

I think the key thing here is to put the dhcp-server on the bridge interface containing the vlan and the vap

It was suggested earlier in the thread, did you try that ?

Nick.

Also this may be a silly question, but what are you actually using the VLANs for ?

If you run separate VirtualAPs and run a separate dhcp-server and pool on each one, then you can route the traffic and keep it all separate. There doesn’t seem to be a compelling need for VLANs.

Nick.

Did you get this sorted Andy ?

For what you are trying to do I think you actually need to add the VLANs directly to the ether interface and then add an IP address on each VLAN, and then a dhcp-server on each VLAN.

The bridge solution is used where you want to use an ethernet port and push traffic from a connected device into a VLAN.

Nick.
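As an added example (not config from the thread), this is the layout the two replies above describe, written out for RouterOS 5.x: on the router the VLANs sit directly on the trunk port, each VLAN interface carries the gateway address, and each DHCP server binds to its VLAN; on the access point each VLAN is bridged to one SSID and carries no address at all. It follows the original post's intent (vlan101 = Main on wlan1, vlan105 = Guest on the VirtualAP) rather than the posted AP export, where the guest VirtualAP and the VLAN 101 interface share a single bridge. ether2 as the trunk is taken from the router export; the 10.1.0.0/16 and 10.5.0.0/16 ranges, the pool boundaries, the `main-psk`/`guest-psk` security profile names and the SSID strings are assumed.

```routeros
# ---- Router (RB1100), added example: VLAN interfaces on the trunk ----
# ether2 faces the APs / core switch and carries both tags. The VLAN
# interface is a routed interface, so address and DHCP server go on it.
/interface vlan
add name=vlan101 interface=ether2 vlan-id=101 comment="Main"
add name=vlan105 interface=ether2 vlan-id=105 comment="Guest"

/ip address
add address=10.1.0.1/16 interface=vlan101
add address=10.5.0.1/16 interface=vlan105

/ip pool
add name=pool-vlan101 ranges=10.1.0.10-10.1.255.250
add name=pool-vlan105 ranges=10.5.0.10-10.5.255.250

# One server per VLAN. Binding to the VLAN interface is what makes the
# server valid: a DHCP server on an interface that is a bridge port (or
# a slave) is flagged I (invalid) and never answers.
/ip dhcp-server
add name=dhcp-vlan101 interface=vlan101 address-pool=pool-vlan101 \
    lease-time=3d authoritative=yes disabled=no
add name=dhcp-vlan105 interface=vlan105 address-pool=pool-vlan105 \
    lease-time=1h authoritative=yes disabled=no

/ip dhcp-server network
add address=10.1.0.0/16 gateway=10.1.0.1 dns-server=8.8.8.8
add address=10.5.0.0/16 gateway=10.5.0.1 dns-server=8.8.8.8

# ---- Access point (RB411), added example: one bridge per VLAN/SSID ----
# ether1 is the tagged uplink. No IP address is put on either bridge;
# the AP only moves frames between a tag and an SSID.
/interface vlan
add name=vlan101 interface=ether1 vlan-id=101
add name=vlan105 interface=ether1 vlan-id=105

# Separate security profiles (assumed names) so the guest PSK is not
# the same key as the main network.
/interface wireless security-profiles
add name=main-psk mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="CHANGE-ME-main"
add name=guest-psk mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="CHANGE-ME-guest"

/interface wireless
set wlan1 mode=ap-bridge ssid="Main" security-profile=main-psk
# VirtualAP for the guest SSID; default-forwarding=no stops guest
# clients on this AP talking to each other at layer 2.
add name=wlan2 master-interface=wlan1 ssid="Guest" security-profile=guest-psk \
    default-forwarding=no

/interface bridge
add name=br-vlan101
add name=br-vlan105
/interface bridge port
add bridge=br-vlan101 interface=vlan101
add bridge=br-vlan101 interface=wlan1
add bridge=br-vlan105 interface=vlan105
add bridge=br-vlan105 interface=wlan2
```

To confirm it is working, `/ip dhcp-server print` on the router should show both servers without the I flag, and `/ip dhcp-server lease print` should show a 10.5.x.x lease for a client that associated to the Guest SSID and a 10.1.x.x lease for one on Main. If a VLAN on the router ever does need to share a bridge with a physical port, the earlier reply in the thread applies: move the address and the DHCP server to that bridge, because the bridge member interfaces cannot carry them. The AP's own management address should go on a separate interface (the untagged ether1 or a management VLAN), not on the guest bridge, so that guest clients cannot reach the AP's management services.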

Nick has been really helpful in trying to diagnose this, we spent a few hours on the phone with him remote dialled in trying to work out what’s what!

In the end, I’ve decided to just use our core switch infrastructure to handle the VLAN’ing - it seemed more reliable and easier to configure!

I do have a WiFi problem now with an RB411 though, but I’ve opened another thread for that :slight_smile:


Cheers Nick, highly recommend the LinITX.com guys, they’ve really tried to help me resolve this.