Inter vlan with dhcp

Hi

I have a hex router and need to create the following setup

2 vlans which traffic can route between and a dhcp server on one of the vlans

Setup needs to be

Ether 4
Vlan 10 -control
Dhcp server ip - 10.0.100.0/24

Ether 5
Vlan 20 - lighting
No dhcp - ip range : 10.101.10.0/24


Any idea the best way to do this??

Confusing as to why traffic going to a network switch from the router needs no dhcp setting but just a network. How will devices get IPs? Or are you setting them all statically?
This is pretty basic stuff but a good reference is the following…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

You need a bridge
You need two DHCP subnets associated with vlans
One gives out DHCP IPs the other does not
Both vlans are associated with the bridge
Both ports attaching to the network switches would be trunk ports

The issue is I want to use two dumb switches and not need to set vlans up on the switch.
The switch side of the hex router can do vlans as well.

I want each vlan to be on a separate port and not tagged

In that case treat the ports to the unmanaged switches as access ports.
/interface bridge port
add bridge=NameofyourBridge ingress-filtering=yes interface=ether4 frame-types=admit-only-untagged-and-priority-tagged pvid=100
add bridge=NameofyourBridge ingress-filtering=yes interface=ether5 frame-types=admit-only-untagged-and-priority-tagged pvid=101

/interface bridge vlan
add bridge=NameofyourBridge tagged=NameofyourBridge untagged=ether4 vlan-ids=100
add bridge=NameofyourBridge tagged=NameofyourBridge untagged=ether5 vlan-ids=101
Note if you actually had any trunk ports on the hex with those vlans on them they would be tagged

The hex router seems to lack the vlan section under bridge.

Well, who is in charge here, you or the hex router LOL.

Which version of RouterOS?

Hi, so I have updated the hex router and made a config, but it's not working correctly.

Here is the config

/interface bridge
add admin-mac=B8:69:F4:BF:6A:40 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=Control vlan-id=20
add interface=bridge name=Lighting vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=control-dhcp ranges=10.0.100.230-10.0.100.249
add name=Lighting-dhcp ranges=10.101.10.230-10.101.10.249
/ip dhcp-server
add address-pool=control-dhcp disabled=no interface=Control name=control
add address-pool=Lighting-dhcp disabled=no interface=Lighting name=lighting_dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=lighting tagged=bridge untagged=ether5 vlan-ids=10
add bridge=bridge comment=control tagged=bridge untagged=ether4 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Lighting list=VLAN
add interface=Control list=VLAN
/ip address
add address=10.0.100.254/24 comment=defconf interface=Control network=10.0.100.0
add address=10.101.10.254/24 interface=Lighting network=10.101.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.100.0/24 comment=defconf gateway=10.0.100.254
add address=10.101.10.0/24 gateway=10.101.10.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN inter-VLAN routing" connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

You can get rid of this quickset default rule…
/ip dns static
add address=192.168.88.1 name=router.lan

and add some dynamic dns server entries such as 1.1.1.1 or 8.8.8.8 for example.

What is the purpose of this input chain rule? You have it inserted twice in your config as well!
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN

What is the purpose of this forward chain rule?
add action=accept chain=forward comment="VLAN inter-VLAN routing" connection-state=new in-interface-list=VLAN
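
An added example, not part of any post in this thread: a small Python check that reads a RouterOS export, keeps the `/ip firewall filter` rules in order, and flags exact duplicates (such as the repeated "Allow VLAN" input rule pointed out above) and rules that sit after an unconditional drop in the same chain. The function names `parse_filter_rules` and `lint` are hypothetical, and the sample is constructed from the input-chain rules of the posted config.

```python
import shlex

# Constructed sample: the input-chain rules from the export posted above,
# in the same order, written with straight quotes.
SAMPLE = '''\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
'''

def parse_filter_rules(export):
    """Return the /ip firewall filter 'add' lines as a list of dicts, in order."""
    rules, in_section = [], False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/ip firewall filter"
        elif in_section and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            rules.append(dict(pairs))
    return rules

def lint(rules):
    """Flag exact duplicates and rules placed after an unconditional drop."""
    findings, seen, closed = [], {}, set()
    for n, rule in enumerate(rules, 1):
        # Matchers are everything except the comment; key order is irrelevant.
        key = tuple(sorted((k, v) for k, v in rule.items() if k != "comment"))
        chain = rule.get("chain")
        if chain in closed:
            findings.append((n, "unreachable: follows an unconditional drop"))
        elif key in seen:
            findings.append((n, f"duplicate of rule {seen[key]}"))
        seen.setdefault(key, n)
        # A drop with no matchers ends the chain for every later rule.
        if set(rule) - {"comment"} == {"action", "chain"} and rule["action"] == "drop":
            closed.add(chain)
    return findings

if __name__ == "__main__":
    for n, msg in lint(parse_filter_rules(SAMPLE)):
        print(f"rule {n}: {msg}")
```

Only exact matcher duplicates are reported; a rule that is merely a subset of an earlier one, like the second established/related accept, is not detected.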

The issue I currently have is that I cannot seem to ping the other network.

The firewall rules are ones from the vlan thread that looked like they might help…

Any idea of why it might not be doing intervlan routing?

It seems that ROS is case-sensitive. So your definition of VLAN interfaces


/interface bridge vlan
add bridge=bridge comment=lighting tagged=bridge untagged=ether5 vlan-ids=10
add bridge=bridge comment=control tagged=bridge untagged=ether4 vlan-ids=20

(using small initial letters of interface names) actually defines different interfaces than those then used elsewhere, e.g. in interface list membership


/interface list member
add interface=Lighting list=VLAN
add interface=Control list=VLAN

(featuring capital letters of interface names).

The small letters are a comment line.

Would it use the comment line?