help with DHCP on VLAN

Hi everyone.
I’m setting up a 5009 as a router with SFP as a trunk port, ether8 as an access port for an access point, and ether3 as an access port for the ISP.
I configured a few VLANs to allow access to the wifi and ISP networks for other devices.
The problem is the DHCP server doesn’t work on the VLAN. If I detach the port from the bridge and connect it directly to the DHCP server, everything is OK.
Here is my configuration:

/interface bridge
add comment="all the vlans" ingress-filtering=no name=trunk vlan-filtering=yes
/interface vlan
add interface=trunk name=dsl vlan-id=20
add interface=trunk name=wifi vlan-id=10
/ip pool
add name=dhcp_pool1 ranges=192.168.15.100-192.168.15.200
/interface bridge port
add bridge=trunk comment=defconf interface=ether2
add bridge=trunk comment=defconf interface=ether3
add bridge=trunk comment=defconf interface=ether4
add bridge=trunk comment=defconf interface=ether5
add bridge=trunk comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6
add bridge=trunk comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=trunk interface=ether1
add bridge=trunk frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
/interface bridge vlan
add bridge=trunk comment=wifi tagged=sfp-sfpplus1,ether4 untagged=ether8 vlan-ids=10
add bridge=trunk comment=dsl tagged=sfp-sfpplus1,ether4 untagged=ether3 vlan-ids=20
/ip address
add address=192.168.15.1/24 interface=wifi network=192.168.15.0
/ip dhcp-client
add comment="default ip" interface=trunk
add comment=dsl interface=dsl
/ip dhcp-server
add address-pool=dhcp_pool1 interface=wifi lease-time=2h name=dhcp1
/ip dhcp-server network
add address=192.168.15.0/24 gateway=192.168.15.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

Not sure where to start; quite a few things are off.

You may want to start reading this excellent tutorial on setting up VLAN:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Where is the firewall?
Where is the DHCP server for the rest of your network?
Where are the address assignments for the router itself?

Generally not a good idea to ask for help here and only show part of your config.
Since things don’t work, it might be some other parts of your config are the reason.

Yep, I’ve done my config based on this article.

For now I just want to get the DHCP working, so I didn’t add NAT, etc.

The router itself gets its IP by DHCP with

/ip dhcp-client
add comment="defalt ip" interface=trunk

There’s no problem there.

There’s also 1 DHCP client for the ISP VLAN. It also works without any problem.
The static IP for the wifi VLAN interface is present:

/ip address
add address=192.168.15.1/24 interface=wifi network=192.168.15.0

Here is the firewall. I actually tried to add a few entries based on the VLAN tutorial, but the counters for the last 2 chains are 0s.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="accept dhcp" protocol=udp src-port=68
add action=accept chain=input comment="Allow VLAN" in-interface=wifi

As was stated, don't start the config until
a. you have a plan for the network (a network diagram helps)
b. you have identified
– all the users/devices on your network (both external/internal and admin)
– have described the traffic they require to accomplish.

Sorry, a config cannot be made in parts, in ignorance of all the requirements and plan.
That is why a complete config view is necessary.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

Here is the full config:

/interface bridge
add comment="all the vlans" ingress-filtering=no name=trunk vlan-filtering=yes
/interface vlan
add interface=trunk name=dsl vlan-id=20
add interface=trunk name=wifi vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf include=all name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.15.100-192.168.15.200
/interface bridge port
add bridge=trunk comment=defconf interface=ether2
add bridge=trunk comment=defconf interface=ether3
add bridge=trunk comment=defconf interface=ether4
add bridge=trunk comment=defconf interface=ether5
add bridge=trunk comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6
add bridge=trunk comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=trunk interface=ether1
add bridge=trunk frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=trunk comment=wifi tagged=sfp-sfpplus1,ether4 untagged=ether8 vlan-ids=10
add bridge=trunk comment=dsl tagged=sfp-sfpplus1,ether4 untagged=ether3 vlan-ids=20
/ip address
add address=192.168.15.1/24 interface=wifi network=192.168.15.0
/ip dhcp-client
add comment="defalt ip" interface=trunk
add comment=dsl disabled=yes interface=dsl
/ip dhcp-server
add address-pool=*1 disabled=yes interface=*B name=defconf
add address-pool=dhcp_pool1 interface=wifi lease-time=2h name=dhcp1
/ip dhcp-server network
add address=192.168.15.0/24 gateway=192.168.15.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="accept dhcp" protocol=udp src-port=68
add action=accept chain=input comment="Allow VLAN" in-interface=wifi
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MainRouter
/system note
set show-at-login=no
/tool sniffer
set filter-interface=wifi memory-scroll=no

  1. The mistake is putting the WAN VLAN on the bridge…
  2. You only have three ports active: 3, and two on the bridge (8 and sfp), so what in tarnation is ether6 or ether4 doing in your config, for example?
  3. Forgot to tag the bridge…
  4. Wrong address. EDIT: my mistake, crappy naming of the VLAN, so I changed it to be clearer to the reader.
  5. The bridge has nothing to do with the WAN IP, so removed it from IP DHCP client.
  6. Removed the old default static DNS setting.
  7. Added a drop rule to the end of the input chain to make your exposure safer.

/interface bridge
add comment="Lan Bridge" ingress-filtering=no name=trunk vlan-filtering=yes
/interface vlan
add interface=ether3 name=dsl vlan-id=20
add interface=trunk name=wifiV10 vlan-id=10

/interface bridge port
add bridge=trunk ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=trunk ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1

/interface bridge vlan
add bridge=trunk tagged=trunk,sfp-sfpplus1 untagged=ether8 vlan-ids=10
add bridge=trunk tagged=trunk,sfp-sfpplus1 vlan-ids=20

/ip address
add address=192.168.15.1/24 interface=wifiV10 network=192.168.15.0

/ip dhcp-client
add comment=dsl interface=dsl

/ip firewall filter (do not need the 68 rule, and moved the rules so they are within the chain for easy reading)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow VLAN" in-interface=wifiV10
add action=drop chain=input comment="drop all else"

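The checks the last reply does by eye (the bridge missing from `tagged=` for a VLAN that carries an `/interface vlan`, and an access port whose `pvid` does not match the VLAN it is listed `untagged=` for) can be automated. The script below is an added example for this thread, not RouterOS code and not anything the posters wrote. It parses the plain text of a RouterOS `/export` and reports three mistakes that silently break L3 and DHCP on a VLAN. The two embedded exports are constructed, abridged copies (bridge, VLAN, bridge port and bridge VLAN sections only) of the original poster's config and of the corrected one from the last reply; the parser also joins the backslash-wrapped lines a real export produces.

```python
# Added example (not RouterOS code, not the posters' code): lint a RouterOS
# /export for the bridge-VLAN mistakes discussed in this thread:
#  BRIDGE_NOT_TAGGED  bridge missing from tagged= for a VLAN that has an
#                     /interface vlan on it (router's L3/DHCP never sees frames)
#  PVID_MISMATCH      port listed untagged= for VLAN N but its pvid != N
#  UNKNOWN_PORT       tagged=/untagged= names a non-member of the bridge
import shlex
from collections import defaultdict


def parse_export(text):
    """{section: [{key: value, ...}, ...]} for add/set lines; joins '\\' continuations."""
    sections, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # export wraps long lines with a trailing backslash
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)         # keeps comment="with spaces" as one token
        if section and tokens and tokens[0] in ("add", "set"):
            sections[section].append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return sections


def expand_vlan_ids(spec):
    """'10,20-22' -> {10, 20, 21, 22}"""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def lint(text):
    """Sorted list of finding tuples; [] means nothing flagged."""
    cfg, findings = parse_export(text), set()
    filtering = {b["name"] for b in cfg["/interface bridge"] if b.get("vlan-filtering") == "yes"}
    ports = {(p["bridge"], p["interface"]): p for p in cfg["/interface bridge port"]}
    table = defaultdict(lambda: defaultdict(lambda: (set(), set())))  # bridge -> vid -> (tagged, untagged)
    for v in cfg["/interface bridge vlan"]:
        br = v["bridge"]
        tagged, untagged = (list(filter(None, v.get(k, "").split(","))) for k in ("tagged", "untagged"))
        for vid in expand_vlan_ids(v.get("vlan-ids", "1")):
            table[br][vid][0].update(tagged)
            table[br][vid][1].update(untagged)
        findings |= {("UNKNOWN_PORT", br, p) for p in tagged + untagged if p != br and (br, p) not in ports}
    for iv in cfg["/interface vlan"]:
        br, vid = iv["interface"], int(iv["vlan-id"])
        if br in filtering and br not in table[br][vid][0]:
            findings.add(("BRIDGE_NOT_TAGGED", iv["name"], vid))
    for br, vlans in table.items():
        for vid, (_, untagged) in vlans.items():
            for port in untagged:
                pvid = int(ports.get((br, port), {}).get("pvid", "1"))  # RouterOS default pvid is 1
                if pvid != vid:
                    findings.add(("PVID_MISMATCH", port, vid, pvid))
    return sorted(findings)


# Constructed samples: abridged copies of the original poster's export and of the corrected one.
OP_EXPORT = """\
/interface bridge
add comment="all the vlans" ingress-filtering=no name=trunk vlan-filtering=yes
/interface vlan
add interface=trunk name=dsl vlan-id=20
add interface=trunk name=wifi vlan-id=10
/interface bridge port
add bridge=trunk comment=defconf interface=ether3
add bridge=trunk comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=trunk frame-types=admit-only-untagged-and-priority-tagged \\
    interface=ether8 pvid=10
/interface bridge vlan
add bridge=trunk comment=wifi tagged=sfp-sfpplus1 untagged=ether8 vlan-ids=10
add bridge=trunk comment=dsl tagged=sfp-sfpplus1 untagged=ether3 vlan-ids=20
"""

FIXED_EXPORT = """\
/interface bridge
add comment="Lan Bridge" ingress-filtering=no name=trunk vlan-filtering=yes
/interface vlan
add interface=trunk name=wifiV10 vlan-id=10
/interface bridge port
add bridge=trunk ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=trunk ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/interface bridge vlan
add bridge=trunk tagged=trunk,sfp-sfpplus1 untagged=ether8 vlan-ids=10
add bridge=trunk tagged=trunk,sfp-sfpplus1 vlan-ids=20
"""

if __name__ == "__main__":
    for label, export in (("original", OP_EXPORT), ("corrected", FIXED_EXPORT)):
        print(label, lint(export) or "clean")
```

Run against the original config it reports `BRIDGE_NOT_TAGGED` for both `wifi` (10) and `dsl` (20), which is the reason the DHCP server bound to `wifi` never sees a DISCOVER, plus `PVID_MISMATCH` for `ether3`: it is listed `untagged=` for VLAN 20 but keeps the default `pvid=1`, so untagged frames from the ISP are classified into VLAN 1, not 20. The corrected config is clean. A misspelled port name such as `sfpplus1` in place of `sfp-sfpplus1` would show up as `UNKNOWN_PORT`; to use the script on a real router, paste the output of `/export` into a file and call `lint()` on its contents.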