Help with DHCP server in VLAN not working properly

dune · November 9, 2025, 9:13am

I have a few VLANs set up. Only VLAN10 & VLAN30 is working properly as it’s the one I’m mainly focusing on right now.

SFP port 1 is a trunk port for my Ruckus Wireless AP which does VLAN tagging based on which SSID clients connect to.

SFP port 3 is my PC, connected via ethernet → SFP module → SFP port 3 on the switch.

The DHCP server works for the port 1, it can assign IP addresses to clients connected in VLAN 10 and 30.

But SFP port 3, the DHCP server does not work. When doing a sniffer, I can see it crossing from SFP port 3 to bridge and then onto admin-vlan (VLAN10) but it just disappears after that.

Here’s my config:

x/interface bridge
add admin-mac=[censored] auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged igmp-snooping=yes igmp-version=3 mld-version=2 multicast-querier=yes name=bridge pvid=30 vlan-filtering=yes
/interface vlan
add comment="Admin interface VLAN" interface=bridge name=admin-interface-vlan vlan-id=10
add comment="Guest Interface VLAN" interface=bridge name=guest-interface-vlan vlan-id=30
add comment="Internet of Things interface VLAN" interface=bridge name=iot-interface-vlan vlan-id=70
/interface ethernet switch port
set 2 l3-hw-offloading=no
set 7 l3-hw-offloading=no
/interface list
add comment="WAN list" name=WAN
add comment="LAN list" name=LAN
/ip pool
add comment="Admin VLAN DHCP pool" name=admin-vlan-dhcp-pool ranges=192.168.10.10,192.168.10.250
add comment="Guest VLAN DHCP pool" name=guest-vlan-dhcp-pool ranges=192.168.30.10,192.168.30.250
add comment="IoT VLAN DHCP pool" name=iot-vlan-dhcp-pool ranges=192.168.70.10,192.168.70.250
/ip dhcp-server
add address-pool=admin-vlan-dhcp-pool comment="Admin VLAN DHCP server" interface=admin-interface-vlan lease-time=1d name=admin-vlan-dhcp-server server-address=192.168.10.1
add address-pool=guest-vlan-dhcp-pool comment="Guest VLAN DHCP server" interface=guest-interface-vlan lease-time=1d name=guest-vlan-dhcp-server server-address=192.168.30.1
add address-pool=iot-vlan-dhcp-pool comment="IoT VLAN DHCP server" interface=iot-interface-vlan lease-time=1d name=iot-vlan-dhcp-server server-address=192.168.70.1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf hw=no interface=sfp-sfpplus3 pvid=10
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge comment=defconf interface=sfp-sfpplus6
add bridge=bridge comment=defconf interface=sfp-sfpplus7
/interface ethernet switch l3hw-settings
set ipv6-hw=yes
/interface bridge vlan
add bridge=bridge comment="Admin bridge VLAN" tagged=bridge,sfp-sfpplus1 untagged=sfp-sfpplus3 vlan-ids=10
add bridge=bridge comment="Guest bridge VLAN" tagged=bridge,sfp-sfpplus1 vlan-ids=30
add bridge=bridge comment="IoT bridge VLAN" tagged=bridge,sfp-sfpplus1 vlan-ids=70
add bridge=bridge comment="Untagged bridge VLAN" tagged=bridge untagged=sfp-sfpplus1 vlan-ids=1
/interface detect-internet
set detect-interface-list=all
/interface ethernet switch
set 0 l3-hw-offloading=yes qos-hw-offloading=yes
/interface list member
add interface=sfp-sfpplus8 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=guest-interface-vlan list=LAN
add interface=iot-interface-vlan list=LAN
add interface=admin-interface-vlan list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0
add address=192.168.10.1/24 comment="Admin VLAN IP addresses" interface=admin-interface-vlan network=192.168.10.0
add address=192.168.30.1/24 comment="Guest VLAN IP addresses" interface=guest-interface-vlan network=192.168.30.0
add address=192.168.70.1/24 comment="IoT VLAN IP addresses" interface=iot-interface-vlan network=192.168.70.0
/ip dhcp-client
add disabled=yes interface=bridge
add comment="DHCP client for [censored] ISP" dhcp-options=hostname,clientid,clientid_duid interface=sfp-sfpplus8
/ip dhcp-server network
add address=192.168.10.0/24 comment="Admin VLAN DHCP Network" dns-server=192.168.10.1 domain=[censored] gateway=192.168.10.1
add address=192.168.30.0/24 comment="Guest VLAN DHCP Network" dns-server=192.168.30.1 domain=[censored] gateway=192.168.30.1
add address=192.168.70.0/24 comment="IoT VLAN DHCP Network" dns-server=192.168.70.1 domain=[censored] gateway=192.168.70.1
/ip dns
set allow-remote-requests=yes mdns-repeat-ifaces=admin-interface-vlan servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip service
set ftp address=192.168.10.0/24
set ssh address=192.168.10.0/24
set telnet address=192.168.10.0/24
set www address=192.168.10.0/24
set www-ssl address=192.168.10.0/24
set winbox address=192.168.10.0/24
set api address=192.168.10.0/24
set api-ssl address=192.168.10.0/24

Note: I’ve disabled L2/L3 HW offloading temporarily to help me to diagnose this issue, so far it has not helped. In the final config, it’ll be enabled. Ignore any references to VLAN60 as I haven’t set that up fully yet. I just want to get my access port, SFP port 3 working.

The intention for SFP port 3 is for it to be tagged with VLAN 10 and have the DHCP server to assign it an IP address.

erlinden · November 9, 2025, 9:46am

Disable detect-internet as it seems to cause some weird problems.

add bridge=bridge comment="Untagged bridge VLAN" tagged=bridge untagged=sfp-sfpplus1 vlan-ids=1

What is the purpose of this line?

add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus6 list=LAN

Why do you add the ethernet ports to the interface list?

The intention for SFP port 3 is for it to be tagged with VLAN 10 and have the DHCP server to assign it an IP address.

Aah...now I see, change this:

/interface bridge vlan
add bridge=bridge comment="Admin bridge VLAN" tagged=bridge,sfp-sfpplus1 untagged=sfp-sfpplus3 vlan-ids=10
add bridge=bridge comment="Guest bridge VLAN" tagged=bridge,sfp-sfpplus1 vlan-ids=30

To this:

/interface bridge vlan
add bridge=bridge comment="Admin bridge VLAN" tagged=bridge,sfp-sfpplus1, sfp-sfpplus3 vlan-ids=10
add bridge=bridge comment="Guest bridge VLAN" tagged=bridge,sfp-sfpplus1 vlan-ids=30

Untagged ports don't have to be set on /interface bridge vlan as it is already set on /interface bridge port

anav · November 9, 2025, 2:05pm

(looks like AI work) in any case.......
Read through this for some pointers........