Issue with DHCP on VLAN 1 on a switch configured as a router

Good morning. I’m facing a problem I can't seem to solve: I can't get my DHCP service (range 172.16.0.1/16) to pass through my bridge and VLAN 1; nothing is able to obtain an address from that DHCP pool.

I also tried injecting DHCP traffic from another device via ports 7 and 8 with VLAN 1 tagged.

Can anyone help me figure out what I’m doing wrong?

[aminaktor@MK-RB_Router-Salon] > export
# 2026-06-29 18:45:08 by RouterOS 7.23
# software id = WJCB-GVIP
#
# model = CRS310-8G+2S+
# serial number = HFH09FR0JTS
# NOTE(review): this export was posted as-is. The header above carries the
# software id and serial number, and the sections below carry client MAC
# addresses and an allow-listed public IP. Redact such values before sharing.
#
# Single bridge with VLAN filtering enabled. ingress-filtering=no is set on the
# bridge itself; no pvid or frame-types is shown for SW_Main, so the bridge
# interface presumably keeps its defaults (confirm).
/interface bridge
add fast-forward=no ingress-filtering=no name=SW_Main vlan-filtering=yes
# VLAN interfaces exist for IDs 11, 20, 21, 22 and 23 only; there is no VLAN
# interface for ID 1.
/interface vlan
add interface=SW_Main name=SW_HDoIP vlan-id=23
add interface=SW_Main name=SW_LAN0 vlan-id=20
add interface=SW_Main name=SW_LAN1 vlan-id=21
add interface=SW_Main name=SW_LAN2 vlan-id=22
add interface=SW_Main name=SW_WAN1 vlan-id=11
# CAPsMAN profiles: all three offer wpa-psk alongside wpa2-psk, so legacy WPA
# clients are still accepted; removing wpa-psk would leave WPA2 only.
# hide-ssid=yes only keeps the SSID out of beacons; it is not an access control.
/caps-man configuration
add channel.band=2ghz-b/g/n country=spain datapath.bridge=SW_Main .vlan-id=21 \
    .vlan-mode=use-tag installation=indoor mode=ap name=WIFI_EFF5 \
    security.authentication-types=wpa-psk,wpa2-psk ssid=WIFI_EFF5
add country=spain datapath.bridge=SW_Main .vlan-id=22 .vlan-mode=use-tag \
    hide-ssid=yes installation=indoor mode=ap name=WIFI_EFF5_Domo00 \
    security.authentication-types=wpa-psk,wpa2-psk ssid=WIFI_EFF5_Domo00
add country=spain datapath.bridge=SW_Main .interface-list=all .vlan-id=22 \
    .vlan-mode=use-tag hide-ssid=yes installation=indoor mode=ap name=\
    WIFI_EFF5_Domo02 security.authentication-types=wpa-psk,wpa2-psk ssid=\
    WIFI_EFF5_Domo02
# Datapaths for the "wifi" package, one per VLAN ID (21, 22, 20, 11).
/interface wifi datapath
add disabled=no name=datapath_LAN1 vlan-id=21
add disabled=no name=datapath_LAN2 vlan-id=22
add disabled=no name=datapath_LAN0 vlan-id=20
add disabled=no name=datapath_WAN1 vlan-id=11
# NOTE(review): neither profile shows authentication-types or a passphrase in
# this export. Sensitive fields may simply be hidden by the export, but confirm
# that these profiles are not left without authentication.
/interface wifi security
add disabled=no ft=yes ft-over-ds=yes name=WIFI_EFF5
add disabled=no ft=no ft-over-ds=no name=WIFI_EFF5_Domo
# Wifi configurations tie an SSID to a datapath (VLAN) and a security profile.
/interface wifi configuration
add datapath=datapath_LAN1 disabled=no mode=ap name=cfg1 security=WIFI_EFF5 \
    ssid=WIFI_EFF5
add datapath=datapath_LAN2 disabled=no mode=ap name=cfg2 security=\
    WIFI_EFF5_Domo ssid=WIFI_EFF5_Domo00
add datapath=datapath_LAN2 disabled=no mode=ap name=cfg3 security=\
    WIFI_EFF5_Domo ssid=WIFI_EFF5_Domo02
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# dhcp_pool2 is not referenced by any DHCP server in this export.
# dhcp_pool3 spans almost all of 172.16.0.0/16 and therefore includes
# 172.16.0.12, the static SwOS address set at the end of this export;
# narrow the pool or exclude that address to avoid a duplicate lease.
/ip pool
add name=dhcp_pool0 ranges=172.21.250.1-172.21.255.254
add name=dhcp_pool1 ranges=172.22.250.1-172.22.255.254
add name=dhcp_pool2 ranges=172.16.250.1-172.16.255.254
add name=dhcp_pool3 ranges=172.16.0.2-172.16.255.254
# dhcp1 and dhcp2 listen on VLAN interfaces; dhcp3 is bound to the bridge
# interface itself (SW_Main), not to a VLAN interface.
# NOTE(review): presumably dhcp3 serves what reaches the bridge untagged, i.e.
# VLAN 1 according to the bridge VLAN table below; confirm.
/ip dhcp-server
add address-pool=dhcp_pool0 interface=SW_LAN1 name=dhcp1
add address-pool=dhcp_pool1 interface=SW_LAN2 name=dhcp2
add address-pool=dhcp_pool3 interface=SW_Main name=dhcp3
/queue simple
add max-limit=200M/200M name=queue1 target=172.21.255.191/32,172.21.255.188/32
/caps-man manager
set enabled=yes
# The default entry forbids CAPsMAN on every interface; only SW_LAN0 (VLAN 20)
# is explicitly allowed.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=SW_LAN0
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=WIFI_EFF5 name-format=\
    identity slave-configurations=WIFI_EFF5_Domo00,WIFI_EFF5_Domo02
# ether1, ether5 and ether6 are untagged access ports on VLAN 11, ether3 on
# VLAN 23. ether7, ether8 and sfp-sfpplus1 admit tagged frames only. No port
# entry combines pvid=1 with untagged admission, so on the physical ports
# VLAN 1 can only arrive as tagged frames.
/interface bridge port
add bridge=SW_Main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=11
add bridge=SW_Main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=23
add bridge=SW_Main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=11
add bridge=SW_Main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=11
add bridge=SW_Main frame-types=admit-only-vlan-tagged interface=ether7
add bridge=SW_Main frame-types=admit-only-vlan-tagged interface=ether8
add bridge=SW_Main frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
# VLAN membership table. VLANs 11 and 20-23 are tagged towards the bridge (CPU)
# and the three trunk ports. The last entry carries VLAN 1 tagged on the trunks
# and untagged on the bridge interface itself.
/interface bridge vlan
add bridge=SW_Main tagged=SW_Main,sfp-sfpplus1,ether7,ether8 untagged=\
    ether1,ether6,ether5 vlan-ids=11
add bridge=SW_Main tagged=SW_Main,sfp-sfpplus1,ether7,ether8 vlan-ids=20
add bridge=SW_Main tagged=SW_Main,sfp-sfpplus1,ether7,ether8 vlan-ids=21
add bridge=SW_Main mvrp-forbidden=ether1 tagged=\
    SW_Main,sfp-sfpplus1,ether7,ether8 vlan-ids=22
add bridge=SW_Main tagged=SW_Main,sfp-sfpplus1,ether7,ether8 untagged=ether3 \
    vlan-ids=23
add bridge=SW_Main tagged=ether7,ether8,sfp-sfpplus1 untagged=SW_Main \
    vlan-ids=1
# require-peer-certificate=no: access points joining this manager are not
# checked against a certificate. The manager listens on SW_LAN0 only, so
# anything able to reach VLAN 20 can attempt to join.
/interface wifi capsman
set enabled=yes interfaces=SW_LAN0 package-path="" require-peer-certificate=no \
    upgrade-policy=none
# One /16 gateway address per VLAN interface, plus 172.16.0.1/16 on the bridge.
/ip address
add address=172.20.0.1/16 interface=SW_LAN0 network=172.20.0.0
add address=172.21.0.1/16 interface=SW_LAN1 network=172.21.0.0
add address=172.22.0.1/16 interface=SW_LAN2 network=172.22.0.0
add address=172.16.0.1/16 interface=SW_Main network=172.16.0.0
# The uplink address is obtained by DHCP on VLAN 11 (SW_WAN1).
/ip dhcp-client
add interface=SW_WAN1 name=SW_WAN1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=172.22.255.210 mac-address=14:08:08:69:93:FA server=dhcp2
add address=172.21.255.191 client-id=1:94:de:80:66:c2:90 mac-address=\
    94:DE:80:66:C2:90 server=dhcp1
add address=172.21.255.188 client-id=1:0:8:22:4c:72:fc mac-address=\
    00:08:22:4C:72:FC server=dhcp1
add address=172.21.255.133 client-id=1:dc:a6:32:3b:4f:f8 mac-address=\
    DC:A6:32:3B:4F:F8 server=dhcp1
/ip dhcp-server network
add address=172.16.0.0/16 dns-none=yes gateway=172.16.0.1
add address=172.21.0.0/16 gateway=172.21.0.1
add address=172.22.0.0/16 gateway=172.22.0.1
/ip dns
set servers=1.1.1.1,8.8.4.4 verify-doh-cert=yes
/ip firewall address-list
add address=127.0.0.1 list=VPN_22_ALLOWED
add address=88.22.44.189 list=VPN_22_ALLOWED
# Both filter rules are disabled and no input-chain rule appears in this
# export, so as exported no traffic is filtered, neither towards the router
# nor between VLANs. The masquerade rule further down translates addresses;
# it is not a filter.
# NOTE(review): confirm that a ruleset protecting the router on SW_WAN1 is
# intended and simply not enabled yet.
/ip firewall filter
add action=drop chain=forward disabled=yes dst-port=80 in-interface=SW_WAN1 \
    protocol=tcp src-address-list=!VPN_22_ALLOWED
add action=accept chain=forward connection-state=established,related disabled=\
    yes in-interface=SW_WAN1
# The disabled dst-nat rule has no in-interface or dst-address matcher; if it
# is re-enabled unchanged it would redirect TCP/80 arriving on any interface.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp \
    to-addresses=172.22.1.1 to-ports=8123
add action=masquerade chain=srcnat comment=WAN1 out-interface=SW_WAN1
# Every management service is limited to sources in 172.22.0.0/16. None is
# shown with disabled=yes, so ftp, telnet, www and api (all unencrypted)
# appear to remain enabled; disable the ones that are not needed.
/ip service
set ftp address=172.22.0.0/16
set ssh address=172.22.0.0/16
set telnet address=172.22.0.0/16
set www address=172.22.0.0/16
set winbox address=172.22.0.0/16
set api address=172.22.0.0/16
set api-ssl address=172.22.0.0/16
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=MK-RB_Router-Salon
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
add address=time.cloudflare.com
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
# The static SwOS address 172.16.0.12 lies inside dhcp_pool3 (see /ip pool).
/system swos
set address-acquisition-mode=static identity=SW_Salon static-ip-address=\
    172.16.0.12
[aminaktor@MK-RB_Router-Salon] > 

Maybe I missed something, but nowhere do I see a DHCP server configured on the bridge/vlan1 . . . Or, for that matter, an untagged port with PVID 1 that could access it.

Using VLAN 1 is always a bad idea, let alone tagged, because its implementation differs between devices. It is better to use a VLAN ID other than 1 or 0, even in an all-VLAN setup.

Use it heavily, and always have. It's the default for untagged . . . Likely more standard than other solutions - anything else would be an exception. (Cisco, Netgear, TPLink, Mikrotik all coexist flawlessly).

Then again, I have zero desire (or reason) to use 100% tagged . . . . (and I'd never try to use VLAN1 tagged)

I'll argue that any VLAN1 issues would come from trying to run it tagged (which, by definition, it is not) or from incompetence in config.

Heck, if you run a router/switch with no tagging, untagged traffic is still considered VLAN1 . . .