HexS RB760 iGS vlans and dhcp

Hi all, we have a HexS RB760iGS and I want to use several VLANs with a DHCP instance for each of them. The VLAN trunk goes to another switch, and the switch ports are configured as edge ports with the VLAN I want set as untagged, but DHCP doesn’t work.
This is the export of my router.

model = RB760iGS

serial number = HCG08E0F9RN

# Single bridge with VLAN filtering enabled; untagged traffic on the bridge interface itself
# is placed in VLAN 96 (pvid=96).
# NOTE(review): ingress-filtering=no is set explicitly and no frame-types value is given, so
# the bridge interface accepts tagged and untagged frames without an ingress check against
# the VLAN table. The replies in this thread also flag the bridge pvid and the missing
# frame-types; enabling ingress filtering is the usual hardening step once the VLAN table
# is correct.
/interface bridge
add admin-mac=18:FD:74:0D:40:73 auto-mac=no ingress-filtering=no name=bridge
pvid=96 vlan-filtering=yes
# One VLAN interface per VLAN ID (96-108), all stacked on the bridge. These are the router's
# layer-3 interfaces for each VLAN; they are not bridge ports.
# NOTE(review): VLAN 96 is reachable both through the bridge pvid above and through the
# DEFAULT VLAN interface below - the replies recommend using only the VLAN interface.
/interface vlan
add interface=bridge name=DEFAULT vlan-id=96
add interface=bridge name=HW_PRIVADO vlan-id=98
add interface=bridge name=HW_PUBLICO vlan-id=97
add interface=bridge name=IOT vlan-id=107
add interface=bridge name=IT vlan-id=104
add interface=bridge name=MANAGEMENT vlan-id=99
add interface=bridge name=SEGURIDAD vlan-id=108
add interface=bridge name=USR_FILTRADOS vlan-id=102
add interface=bridge name=USR_ILIMITADOS vlan-id=103
add interface=bridge name=USR_PROD vlan-id=101
add interface=bridge name=USR_VISITAS vlan-id=100
add interface=bridge name=VIDEO vlan-id=106
add interface=bridge name=VOIP vlan-id=105
# Default LTE APN and wireless security profile entries as exported; nothing here is
# specific to the VLAN setup.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# One address pool per VLAN subnet (192.168.<vlan-id>.0/24). Every range stops short of
# .253, which the router uses as its own address in each subnet further down.
/ip pool
add name=pool96 ranges=192.168.96.1-192.168.96.200
add name=pool97 ranges=192.168.97.200-192.168.97.250
add name=pool98 ranges=192.168.98.200-192.168.98.250
add name=pool99 ranges=192.168.99.200-192.168.99.250
add name=pool100 ranges=192.168.100.1-192.168.100.200
add name=pool101 ranges=192.168.101.1-192.168.101.200
add name=pool102 ranges=192.168.102.1-192.168.102.200
add name=pool103 ranges=192.168.103.1-192.168.103.200
add name=pool104 ranges=192.168.104.1-192.168.104.200
add name=pool105 ranges=192.168.105.1-192.168.105.200
add name=pool106 ranges=192.168.106.1-192.168.106.200
add name=pool107 ranges=192.168.107.200-192.168.107.250
add name=pool108 ranges=192.168.108.200-192.168.108.250
# One DHCP server per VLAN. VLAN 96 is served on the bridge interface itself; every other
# VLAN is served on its VLAN interface.
# NOTE(review): a DHCP client is also configured on interface=bridge later in this export,
# so the router both requests and hands out leases on the same interface - confirm that is
# intended (the replies consider the client unnecessary).
/ip dhcp-server
add address-pool=pool96 interface=bridge name=DHCP_VLAN_96
add address-pool=pool97 interface=HW_PUBLICO name=DHCP_VLAN_97
add address-pool=pool98 interface=HW_PRIVADO name=DHCP_VLAN_98
add address-pool=pool99 interface=MANAGEMENT name=DHCP_VLAN_99
add address-pool=pool100 interface=USR_VISITAS name=DHCP_VLAN_100
add address-pool=pool101 interface=USR_PROD name=DHCP_VLAN_101
add address-pool=pool102 interface=USR_FILTRADOS name=DHCP_VLAN_102
add address-pool=pool103 interface=USR_ILIMITADOS name=DHCP_VLAN_103
add address-pool=pool104 interface=IT name=DHCP_VLAN_104
add address-pool=pool105 interface=VOIP name=DHCP_VLAN_105
add address-pool=pool106 interface=VIDEO name=DHCP_VLAN_106
add address-pool=pool107 interface=IOT name=DHCP_VLAN_107
add address-pool=pool108 interface=SEGURIDAD name=DHCP_VLAN_108
/port
set 0 name=serial0
# NOTE(review): the BGP template and the OSPF instance are marked disabled=no, while the
# OSPF area is disabled and no BGP connection or OSPF interface entries appear in this
# export - presumably neither protocol is in use; confirm and disable what is not needed.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# All six physical ports join the bridge with pvid=96, so untagged frames arriving on any
# of them land in VLAN 96.
# NOTE(review): every port has ingress-filtering=no and no frame-types setting, so each
# port accepts both tagged and untagged frames without checking VLAN membership on ingress.
# For a segmented network the usual hardening is ingress-filtering=yes on every port, with
# frame-types=admit-only-vlan-tagged on pure trunk ports and
# frame-types=admit-only-untagged-and-priority-tagged on access ports.
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2 pvid=96
add bridge=bridge ingress-filtering=no interface=ether3 pvid=96
add bridge=bridge ingress-filtering=no interface=ether4 pvid=96
add bridge=bridge ingress-filtering=no interface=sfp1 pvid=96
add bridge=bridge ingress-filtering=no interface=ether1 pvid=96
add bridge=bridge ingress-filtering=no interface=ether5 pvid=96
# NOTE(review): *2000011 is a raw internal ID rather than a named interface list - confirm
# which interfaces neighbor discovery actually runs on. A later reply restricts it to a
# dedicated management list.
/ip neighbor discovery-settings
set discover-interface-list=*2000011
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Bridge VLAN table: which bridge ports carry each VLAN tagged or untagged.
# NOTE(review): the names given under tagged=/untagged= (DEFAULT, HW_PUBLICO, ...) are the
# VLAN interfaces defined above, not entries from /interface bridge port. Neither the
# bridge itself nor any physical port is listed as a tagged member, which matches the
# diagnosis in the replies: the bridge must be a tagged member for the router's VLAN
# interfaces (and their DHCP servers) to see the traffic.
# When correcting this, list only the port(s) that really carry the trunk, so that other
# ports cannot reach VLANs they have no need for.
/interface bridge vlan
add bridge=bridge untagged=DEFAULT vlan-ids=96
add bridge=bridge tagged=HW_PUBLICO vlan-ids=97
add bridge=bridge tagged=HW_PRIVADO vlan-ids=98
add bridge=bridge tagged=MANAGEMENT vlan-ids=99
add bridge=bridge tagged=USR_VISITAS vlan-ids=100
add bridge=bridge tagged=USR_PROD vlan-ids=101
add bridge=bridge tagged=USR_FILTRADOS vlan-ids=102
add bridge=bridge tagged=USR_ILIMITADOS vlan-ids=103
add bridge=bridge tagged=IT vlan-ids=104
add bridge=bridge tagged=VOIP vlan-ids=105
add bridge=bridge tagged=VIDEO vlan-ids=106
add bridge=bridge tagged=IOT vlan-ids=107
add bridge=bridge tagged=SEGURIDAD vlan-ids=108
# Only the accepted digest list is set; no enabled= value appears in this export, so the
# OpenVPN server is presumably off - confirm.
# NOTE(review): if the server is ever enabled, the list as written allows only SHA-1 and
# MD5; drop md5 and prefer a stronger digest where the installed RouterOS version offers one.
/interface ovpn-server server
set auth=sha1,md5
# The router takes .253 in every VLAN subnet. Because it has an address in all thirteen
# subnets, it routes between them; any isolation between VLANs has to come from
# /ip firewall filter forward rules, and this export has none.
# NOTE(review): several entries in this paste are split across lines (for example
# "network=" followed by the value on the next line). The continuation characters of the
# original export appear to have been lost, so re-join those lines before importing.
/ip address
add address=192.168.96.253/24 comment=defconf interface=bridge network=
192.168.96.0
add address=192.168.97.253/24 interface=HW_PUBLICO network=192.168.97.0
add address=192.168.98.253/24 interface=HW_PRIVADO network=192.168.98.0
add address=192.168.99.253/24 interface=MANAGEMENT network=192.168.99.0
add address=192.168.100.253/24 interface=USR_VISITAS network=192.168.100.0
add address=192.168.101.253/24 interface=USR_PROD network=192.168.101.0
add address=192.168.102.253/24 interface=USR_FILTRADOS network=192.168.102.0
add address=192.168.103.253/24 interface=USR_ILIMITADOS network=192.168.103.0
add address=192.168.104.253/24 interface=IT network=192.168.104.0
add address=192.168.105.253/24 interface=VOIP network=192.168.105.0
add address=192.168.106.253/24 interface=VIDEO network=192.168.106.0
add address=192.168.107.253/24 interface=IOT network=192.168.107.0
add address=192.168.108.253/24 interface=SEGURIDAD network=192.168.108.0
# NOTE(review): DHCP client on the same interface that already has a static address and a
# DHCP server; the replies consider it unnecessary.
/ip dhcp-client
add interface=bridge
# Options handed to DHCP clients: one entry per VLAN subnet, each with the router's .253
# address as gateway and the same DNS and NTP servers.
# NOTE(review): every VLAN, including USR_VISITAS and IOT, is given the 192.168.0.2 and
# 192.168.0.22 resolvers; presumably these are internal servers - confirm that guest and
# IoT segments are meant to reach them, and back that decision with firewall rules.
/ip dhcp-server network
add address=192.168.96.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8 domain=
gateway=192.168.96.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.97.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8 domain=
gateway=192.168.97.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.98.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8 domain=
gateway=192.168.98.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.99.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8 domain=
gateway=192.168.99.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.100.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.100.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.101.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain=gateway=192.168.101.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.102.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.102.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.103.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.103.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.104.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.104.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.105.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.105.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.106.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.106.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.107.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.107.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.108.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.108.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
# allow-remote-requests=yes makes the router answer DNS queries from other hosts, not only
# its own lookups.
# NOTE(review): nothing in this export limits who may query it. Restrict DNS (udp/tcp 53)
# in the input chain to the VLANs that should use the router as resolver, and never leave
# it reachable from an untrusted or internet-facing interface.
/ip dns
set allow-remote-requests=yes servers=192.168.0.2,192.168.0.22,8.8.8.8,1.1.1.1
# The only filter rule in the export.
# NOTE(review): src-address and dst-address are written as 0.0.0.0 with no prefix length,
# which matches only that literal address - presumably "any" (0.0.0.0/0, or no address
# match at all) was intended. More importantly there are no drop rules: with a single
# accept rule the input and forward chains pass everything, so router services are
# reachable from every VLAN and traffic between VLANs is unrestricted (guest, IoT and
# management segments included). A reply in the thread raises the same gap.
/ip firewall filter
add action=accept chain=input dst-address=0.0.0.0 protocol=icmp src-address=
0.0.0.0
# Default route via 192.168.96.254, i.e. an upstream gateway inside VLAN 96.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.96.254
/system identity
set name=SWRP06L3

Does anyone know what I’m doing wrong?
Thank you for your help

I think that:

  • the bridge should have no pvid configured
  • frame-types are missing on the /interface bridge port
  • bridge should also be added to the /interface bridge port as tagged

Have a (good) look at this great topic, that describes all VLAN scenarios perfectly:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Can you please add code tags to make things more readable?

Scenario:
Router Mikrotik RB760iGS
Switch Cisco Small Business SG500 52P
I would like to use a VLAN range 96-108 with a DHCP instance for each VLAN, using VLAN 96 as native (PVID, untagged) and the rest tagged on the bridge. On the Cisco switch I have already created the trunk with VLAN 96 as management and PVID and the rest as tagged.


#########################################################################
##I create a bridge with pvid on vlan 96 and support all types of frames.
#########################################################################

# NOTE(review): the note above says the bridge should accept all frame types. Together with
# ingress-filtering=no this means the bridge interface takes tagged and untagged frames
# without an ingress check against the VLAN table; the replies also advise leaving the
# bridge pvid at its default and handling VLAN 96 through its VLAN interface.
/interface bridge
add admin-mac=18:FD:74:0D:40:73 auto-mac=no ingress-filtering=no name=bridge
pvid=96 vlan-filtering=yes



#########################################################################
##I create the vlans that I need. The 96 is the default one.
#########################################################################
/interface vlan
add interface=bridge name=DEFAULT vlan-id=96
add interface=bridge name=HW_PRIVADO vlan-id=98
add interface=bridge name=HW_PUBLICO vlan-id=97
add interface=bridge name=IOT vlan-id=107
add interface=bridge name=IT vlan-id=104
add interface=bridge name=MANAGEMENT vlan-id=99
add interface=bridge name=SEGURIDAD vlan-id=108
add interface=bridge name=USR_FILTRADOS vlan-id=102
add interface=bridge name=USR_ILIMITADOS vlan-id=103
add interface=bridge name=USR_PROD vlan-id=101
add interface=bridge name=USR_VISITAS vlan-id=100
add interface=bridge name=VIDEO vlan-id=106
add interface=bridge name=VOIP vlan-id=105

#########################################################################
##I create the dhcp pools network ranges.
#########################################################################
/ip pool
add name=pool96 ranges=192.168.96.1-192.168.96.200
add name=pool97 ranges=192.168.97.200-192.168.97.250
add name=pool98 ranges=192.168.98.200-192.168.98.250
add name=pool99 ranges=192.168.99.200-192.168.99.250
add name=pool100 ranges=192.168.100.1-192.168.100.200
add name=pool101 ranges=192.168.101.1-192.168.101.200
add name=pool102 ranges=192.168.102.1-192.168.102.200
add name=pool103 ranges=192.168.103.1-192.168.103.200
add name=pool104 ranges=192.168.104.1-192.168.104.200
add name=pool105 ranges=192.168.105.1-192.168.105.200
add name=pool106 ranges=192.168.106.1-192.168.106.200
add name=pool107 ranges=192.168.107.200-192.168.107.250
add name=pool108 ranges=192.168.108.200-192.168.108.250


#########################################################################

Create dhcp servers for each vlan

#########################################################################
/ip dhcp-server
add address-pool=pool96 interface=bridge name=DHCP_VLAN_96
add address-pool=pool97 interface=HW_PUBLICO name=DHCP_VLAN_97
add address-pool=pool98 interface=HW_PRIVADO name=DHCP_VLAN_98
add address-pool=pool99 interface=MANAGEMENT name=DHCP_VLAN_99
add address-pool=pool100 interface=USR_VISITAS name=DHCP_VLAN_100
add address-pool=pool101 interface=USR_PROD name=DHCP_VLAN_101
add address-pool=pool102 interface=USR_FILTRADOS name=DHCP_VLAN_102
add address-pool=pool103 interface=USR_ILIMITADOS name=DHCP_VLAN_103
add address-pool=pool104 interface=IT name=DHCP_VLAN_104
add address-pool=pool105 interface=VOIP name=DHCP_VLAN_105
add address-pool=pool106 interface=VIDEO name=DHCP_VLAN_106
add address-pool=pool107 interface=IOT name=DHCP_VLAN_107
add address-pool=pool108 interface=SEGURIDAD name=DHCP_VLAN_108


#########################################################################

Create a bridge port with all the interfaces

#########################################################################
# Every physical port is a bridge member with pvid=96.
# NOTE(review): ingress-filtering=no on all ports and no frame-types setting means the
# trunk port and the remaining ports are configured identically and none of them checks
# VLAN membership on ingress. Once the trunk port is identified, give it
# frame-types=admit-only-vlan-tagged (or admit-all if VLAN 96 must stay untagged on it),
# set access ports to admit-only-untagged-and-priority-tagged, and turn ingress filtering on.
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether1 pvid=96
add bridge=bridge ingress-filtering=no interface=ether2 pvid=96
add bridge=bridge ingress-filtering=no interface=ether3 pvid=96
add bridge=bridge ingress-filtering=no interface=ether4 pvid=96
add bridge=bridge ingress-filtering=no interface=ether5 pvid=96
add bridge=bridge ingress-filtering=no interface=sfp1 pvid=96


#########################################################################

I assign the vlan to the bridge as tagged and vlan 96 as untagged because it is the one I need to use by default.

#########################################################################
# NOTE(review): the stated intent is to tag VLANs 97-108 on the bridge, but the members
# named here are the VLAN interfaces (HW_PUBLICO, ...), not the bridge or any port from
# /interface bridge port. As the replies explain, the bridge itself plus the trunk port
# must be listed as tagged members; keep that list to the port(s) that really need each VLAN.
/interface bridge vlan
add bridge=bridge untagged=DEFAULT vlan-ids=96
add bridge=bridge tagged=HW_PUBLICO vlan-ids=97
add bridge=bridge tagged=HW_PRIVADO vlan-ids=98
add bridge=bridge tagged=MANAGEMENT vlan-ids=99
add bridge=bridge tagged=USR_VISITAS vlan-ids=100
add bridge=bridge tagged=USR_PROD vlan-ids=101
add bridge=bridge tagged=USR_FILTRADOS vlan-ids=102
add bridge=bridge tagged=USR_ILIMITADOS vlan-ids=103
add bridge=bridge tagged=IT vlan-ids=104
add bridge=bridge tagged=VOIP vlan-ids=105
add bridge=bridge tagged=VIDEO vlan-ids=106
add bridge=bridge tagged=IOT vlan-ids=107
add bridge=bridge tagged=SEGURIDAD vlan-ids=108


#########################################################################

create the different network addresses I need

#########################################################################
/ip address
add address=192.168.96.253/24 interface=bridge network=
192.168.96.0
add address=192.168.97.253/24 interface=HW_PUBLICO network=192.168.97.0
add address=192.168.98.253/24 interface=HW_PRIVADO network=192.168.98.0
add address=192.168.99.253/24 interface=MANAGEMENT network=192.168.99.0
add address=192.168.100.253/24 interface=USR_VISITAS network=192.168.100.0
add address=192.168.101.253/24 interface=USR_PROD network=192.168.101.0
add address=192.168.102.253/24 interface=USR_FILTRADOS network=192.168.102.0
add address=192.168.103.253/24 interface=USR_ILIMITADOS network=192.168.103.0
add address=192.168.104.253/24 interface=IT network=192.168.104.0
add address=192.168.105.253/24 interface=VOIP network=192.168.105.0
add address=192.168.106.253/24 interface=VIDEO network=192.168.106.0
add address=192.168.107.253/24 interface=IOT network=192.168.107.0
add address=192.168.108.253/24 interface=SEGURIDAD network=192.168.108.0

#########################################################################

I define the addresses of the DHCP servers

#########################################################################
/ip dhcp-client
add interface=bridge
/ip dhcp-server network
add address=192.168.96.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8 domain=
gateway=192.168.96.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.97.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8 domain=
gateway=192.168.97.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.98.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8 domain=
gateway=192.168.98.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.99.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8 domain=
gateway=192.168.99.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.100.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.100.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.101.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain=gateway=192.168.101.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.102.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.102.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.103.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.103.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.104.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.104.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.105.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.105.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.106.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.106.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.107.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.107.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22
add address=192.168.108.0/24 dns-server=192.168.0.2,192.168.0.22,8.8.8.8
domain= gateway=192.168.108.253 netmask=24 ntp-server=
192.168.0.2,192.168.0.22

#########################################################################

I define the DNS

#########################################################################
# NOTE(review): allow-remote-requests=yes turns the router into a resolver for any host
# that can reach it; no firewall rule in this configuration limits which VLANs may use it.
/ip dns
set allow-remote-requests=yes servers=192.168.0.2,192.168.0.22,8.8.8.8,1.1.1.1
#########################################################################

I define test firewall rule

#########################################################################
# NOTE(review): 0.0.0.0 without a prefix length matches only that literal address, so this
# test rule presumably does not match ordinary ICMP - 0.0.0.0/0 (or no address match) would
# mean "any". It is also the only filter rule: without drop rules in the input and forward
# chains the router and every VLAN remain reachable from every other VLAN.
/ip firewall filter
add action=accept chain=input dst-address=0.0.0.0 protocol=icmp src-address=
0.0.0.0

#########################################################################

I define the default route to internet

#########################################################################
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.96.254

No need to put 96 on the bridge…
Keep it at default 1
Create a proper vlan96 as a management VLAN.
All smart devices should get an IP from this subnet.
Done. If you had followed the article provided they call this BASE.

# Dedicated interface list so that layer-2 management features can be limited to one VLAN.
/interface list
add name=management
/interface list members
# NOTE(review): in the poster's export the VLAN 96 interface is named DEFAULT, not vlan96 -
# use whichever name exists on the router.
add interface=vlan96 list=management
# Neighbor discovery is limited to interfaces in the management list.
/ip neighbor discovery-settings
set discover-interface-list=management
# MAC-Winbox connections are accepted only on interfaces in the management list.
/tool mac-server mac-winbox
set allowed-interface-list=management
# NOTE(review): /tool mac-server (MAC-Telnet) has its own allowed-interface-list and is not
# changed here, and IP-level management access still needs input-chain firewall rules.

Why is it not possible to avoid the default VLAN 1? I only want to use VLANs 96 up to 111.

There are two (complementary) ways of getting rid of VLAN ID 1 in your setup:

  • configure different pvid on all ports (pvid=1 is a mere default)
  • configure port as tagged only by setting frame-types=admit-only-vlan-tagged in which case pvid setting is completely ignored

Don’t forget to adjust also settings of bridge interface.

There’s nothing magical about VLAN ID 1 … other than it’s used as default setting everywhere which means that getting rid of it is a tedious task.

/ip address
add address=192.168.96.253/24 comment=defconf interface=bridge network=
192.168.96.0

To this
# Moves the router's 192.168.96.253 address from the bridge to the VLAN 96 interface
# (DEFAULT), so VLAN 96 is handled like the other VLANs.
# NOTE(review): presumably the DHCP server bound to interface=bridge in the export needs
# the same change - confirm.
/ip address
add address=192.168.96.253/24 comment=defconf interface=DEFAULT network=
192.168.96.0

(DEFAULT is the great name you gave vlan96 LOL)

You are completely missing.

A. Firewall rules, so I'm assuming you have a router in front of this one and it's not public facing??

B. The /interface bridge vlan settings.

You need to provide a network diagram so we know which VLANs are going to which router ports (tagged or untagged etc…) and your intentions/requirements!!!

I’m sorry for the questions but I come from the Cisco world and I’m having a hard time understanding Mikrotik devices. Although I admit that I am being amazed by the possibilities they offer. This is the diagram of what I want to do and what I need to configure.

The attachment is the export of my latest config.
router.txt (7.86 KB)

Any Ideas??

For router (the IP layer of it) to be able to interact with tagged VLANs, you have to add bridge interface[*] as tagged member of those VLANs.

E.g.:

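# Bridge VLAN table with the bridge itself listed as a member of every VLAN, so that the
# router's VLAN interfaces (which sit on the bridge) can exchange traffic with those VLANs.
# NOTE(review): this example makes ether1-ether5 members of every VLAN. Trim each list to
# the port(s) that really carry the trunk so other ports cannot reach VLANs they have no
# need for. sfp1, also a bridge port in the poster's export, is not listed here.
/interface bridge vlan
# Listing the ports under untagged= for VLAN 96 is not strictly necessary: ports with PVID
# set get automatically added as untagged member ports.
add bridge=bridge untagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=96
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=97
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=98
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=99
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=100
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=101
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=102
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=103
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=104
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=105
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=106
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=107
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=108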

Other than that, you don’t want to have DHCP client set on all those VLAN interfaces as you want to run DHCP server on those interfaces if I understand your requirements correctly.

[*]More on different bridge personalities, does help to understand things better.

DHCP Client on Bridge is unnecessary IMO…

Well, it's not only that it's unnecessary; for me it's mixing apples and oranges. Keep it clean, keep it simple: if you're doing VLANs, use VLANs for all subnets.

Yeah some frigging clarity.

a. this device is NOT acting as a router??

  • is it connected to the internet directly through a modem? I dont see an ether1 WAN type connection at all.
  • is it connected to another router directly or only switches?

b. Do you or do you not want the MT device to provide dhcp services to the vlans?

c. It appears that you want the MT device to be in between

  • no internet
  • dhcp ??? yes/no ???
  • firewall rules yes
  • very basic routing

d. Why would you want the management vlan to be untagged going into a managed port switch, makes no sense!!

In summary what are you using the MT device for??