Issues with IP-Lease over VLAN

Hi there,
So my topology is:
WAN → RB5009 -(802.3ad bond)> L009

The VLANs, with their subnets and DHCP servers, are created on the RB5009. I want to extend these VLANs to the L009, so I send them tagged across an 802.3ad bond to the L009.

Issue: if I restart a port on the L009 that carries VLAN 10 untagged (an access port), the host connected to it does get an IP lease from the DHCP server.
Problem 1: The host is still not reachable at this IP.
Problem 2: The lease is not renewed.
Problem 3: I should also have internet access on VLAN 10, but I don't.

Something I noticed when creating VLAN 99 for management: there I do have internet access, and the leases renew. The configuration difference is that I created a VLAN interface for this VLAN on the L009, because I want the device itself to have an IP address in it.

Should I create/replicate VLAN interfaces on the L009?

Below are the configurations:

L009

# 2024-10-02 15:48:10 by RouterOS 7.15.2
# software id = xxx
#
# model = L009UiGS-2HaxD
# serial number = xxx
#
# Role (from the thread): downstream switch behind the RB5009. One
# VLAN-filtering bridge, an 802.3ad bond as the tagged uplink, access ports
# for VLAN 10 (ether3-6) and VLAN 99 (ether8). Only VLAN 99 has an L3
# interface on this device.
/interface bridge
# auto-mac=no pins the bridge MAC; vlan-filtering=yes makes the
# /interface bridge vlan table below authoritative for every port.
add admin-mac=D4:01:C3:39:FD:24 auto-mac=no name=Bridge vlan-filtering=yes
/interface ethernet
# ether1/ether2 become slaves of Bond-RB5009 below; sfp1 is unused.
set [ find default-name=ether1 ] name=ether1-RB5009
set [ find default-name=ether2 ] name=ether2-RB5009
set [ find default-name=sfp1 ] disabled=yes
/interface wifi
# Factory SSID with WPA2/WPA3-PSK and 802.11r. NOTE(review): wifi1 is not a
# member of Bridge anywhere in this export, so wireless clients land on no
# VLAN here; the passphrase is hidden by a non-sensitive export - confirm
# one is actually set.
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-39FD2C \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface vlan
# L3 interface for the management VLAN only (carries 10.0.99.2 below).
# VLAN 10 has no such interface in this export.
add interface=Bridge name=VLAN99-Management vlan-id=99
/interface bonding
# LACP bond toward the RB5009 (its side is named Bond-L009). The hash
# policy only chooses which member link a given flow egresses on.
add mode=802.3ad name=Bond-RB5009 slaves=ether1-RB5009,ether2-RB5009 \
    transmit-hash-policy=layer-3-and-4
/interface list
# Default-config lists. No /interface list member section appears in this
# export, so both lists are empty; see the IPv6 filter rules below that
# match in-interface-list=!LAN.
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
# Leftovers: no /ip dhcp-server on this device references either pool
# (DHCP for the VLANs is served by the RB5009).
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.10.10.1-10.10.10.9,10.10.10.11-10.10.10.254
/port
set 0 name=serial0
/disk settings
# NOTE(review): any attached disk is auto-shared over SMB on Bridge, and
# there is no IPv4 input filter below, so every VLAN carried by the bridge
# can reach the share. Disable unless it is actually wanted.
set auto-media-interface=Bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# VLAN 10 access ports. ether3-5 set only pvid and keep the default
# frame-types (admit-all); ether6 and ether8 restrict to untagged frames.
# Use the same frame-types on ether3-5 for consistency.
add bridge=Bridge interface=ether3 pvid=10
add bridge=Bridge interface=ether4 pvid=10
add bridge=Bridge interface=ether5 pvid=10
# VLAN 99 access port (management).
add bridge=Bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=99
# Trunk to the RB5009: tagged frames only, no pvid set (default 1).
add bridge=Bridge frame-types=admit-only-vlan-tagged interface=Bond-RB5009
add bridge=Bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=10
/ip neighbor discovery-settings
# MNDP/LLDP on every interface, including the VLAN 10 access ports.
set discover-interface-list=all
/interface bridge vlan
# VLAN 10: trunk tagged, ether3-6 untagged. NOTE(review): unlike the VLAN 99
# entry just below, Bridge itself is not in the tagged list, so the L009 CPU
# is not a member of VLAN 10. The poster reports later in the thread that
# adding Bridge here (plus a VLAN 10 interface) made VLAN 10 work.
add bridge=Bridge tagged=Bond-RB5009 untagged=ether3,ether4,ether5,ether6 \
    vlan-ids=10
# VLAN 99: trunk and the bridge CPU tagged (needed for VLAN99-Management),
# ether8 untagged.
add bridge=Bridge tagged=Bond-RB5009,Bridge untagged=ether8 vlan-ids=99
/ip address
# Management address; the RB5009 holds 10.0.99.1. No /ip route is
# exported, so this device has no default gateway of its own.
add address=10.0.99.2/24 interface=VLAN99-Management network=10.0.99.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
# Default-config leftover on what is now a bond slave; inert (see the
# exporter's own warning above).
add comment=defconf interface=ether1-RB5009
/ip dns
# NOTE(review): the resolver answers any client that can reach the device
# (no input filter below); no upstream servers= are configured here.
set allow-remote-requests=yes
/ip dns static
# Default-config entry; 192.168.88.1 is not configured on this device.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Sole IPv4 rule: accept forwarded traffic from the bridge. There is no
# input chain, so all router services are reachable from every VLAN.
# (The poster removes this rule later in the thread.)
add action=accept chain=forward in-interface=Bridge
/ipv6 firewall address-list
# RouterOS default bogon list, referenced by the IPv6 forward rules below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# RouterOS default IPv6 ruleset. With the LAN list empty (see
# /interface list above), in-interface-list=!LAN matches every interface,
# so the two "drop everything else" rules drop all IPv6 not accepted above.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

And the RB5009

# 2024-10-03 13:03:53 by RouterOS 7.15.2
# software id = xxx
#
# model = RB5009UPr+S+
# serial number = xxx
#
# Role (from the thread): WAN-facing router. All VLANs (10/20/99/100) are
# defined here with their L3 interfaces and DHCP servers; they are trunked
# to the L009 over Bond-L009 and to the hAPX2 over ether5.
/interface bridge
add mtu=1500 name=Bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
# ether1 is the routed WAN port (DHCP client below); it is not a bridge port.
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes name=ether2-WAN
set [ find default-name=ether3 ] name=ether3-L009
set [ find default-name=ether4 ] name=ether4-L009 poe-out=off
set [ find default-name=ether5 ] name=ether5-hAPX2
set [ find default-name=ether6 ] name="ether6-[TRNG]ESP32PoE"
set [ find default-name=ether7 ] name=ether7-test
set [ find default-name=ether8 ] name=ether8-ManagementPort
set [ find default-name=sfp-sfpplus1 ] disabled=yes l2mtu=1500 name=sfp1
/interface vlan
# One L3 interface per VLAN on the bridge; each carries the .1 gateway
# address (see /ip address) and a DHCP server (see /ip dhcp-server).
add interface=Bridge name=VLAN10-General vlan-id=10
add interface=Bridge name=VLAN20-TRNG vlan-id=20
add interface=Bridge name=VLAN99-Management vlan-id=99
add interface=Bridge name=VLAN100-Guest vlan-id=100
/interface bonding
# LACP bond to the L009 (its side is named Bond-RB5009).
add mode=802.3ad name=Bond-L009 slaves=ether3-L009,ether4-L009 \
    transmit-hash-policy=layer-3-and-4
/interface wireless security-profiles
# Legacy wireless default profile; this model has no radio, so it is inert.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Pools start at .2; .1 of each subnet is the router (see /ip address).
add name=dhcp_pool-VLAN10-General ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool-VLAN99-Management ranges=10.0.99.2-10.0.99.254
add name=dhcp_pool-VLAN20-TRNG ranges=10.0.1.2-10.0.1.254
add name=dhcp_pool-VLAN100-Guest ranges=10.0.2.2-10.0.2.254
/ip dhcp-server
# lease-time=10m is short, so a lease that fails to renew (the reported
# problem) expires within minutes. "dhco_VLAN99-Management" is a typo in
# the server name only (cosmetic).
add address-pool=dhcp_pool-VLAN10-General interface=VLAN10-General \
    lease-time=10m name=dhcp_VLAN10-General
add address-pool=dhcp_pool-VLAN99-Management interface=VLAN99-Management \
    lease-time=10m name=dhco_VLAN99-Management
add address-pool=dhcp_pool-VLAN20-TRNG interface=VLAN20-TRNG lease-time=10m \
    name=dhcp_VLAN20-TRNG
add address-pool=dhcp_pool-VLAN100-Guest interface=VLAN100-Guest lease-time=\
    10m name=dhcp-VLAN100-Guest
/interface bridge port
# ether8: untagged management port (pvid 99).
add bridge=Bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8-ManagementPort internal-path-cost=10 path-cost=10 pvid=\
    99
# Trunks to the L009 and the hAPX2: tagged frames only, default pvid 1.
add bridge=Bridge frame-types=admit-only-vlan-tagged interface=Bond-L009
add bridge=Bridge frame-types=admit-only-vlan-tagged interface=ether5-hAPX2
# Access ports: ether6 -> VLAN 20, ether7 -> VLAN 10.
add bridge=Bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface="ether6-[TRNG]ESP32PoE" pvid=20
add bridge=Bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7-test pvid=10
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip neighbor discovery-settings
# NOTE(review): discovery on all interfaces includes ether1-WAN, so MNDP/
# LLDP/CDP announcements (identity, model, addresses) are sent upstream.
# Restrict this to a LAN interface list.
set discover-interface-list=all
/interface bridge vlan
# Bridge (the CPU) is tagged in every VLAN so the VLAN interfaces above can
# send and receive; this is the membership the L009 export lacks for VLAN 10.
add bridge=Bridge comment=Main tagged=Bond-L009,Bridge,ether5-hAPX2 untagged=\
    ether7-test vlan-ids=10
add bridge=Bridge comment="Project - TRNG" tagged=\
    Bond-L009,Bridge,ether5-hAPX2 untagged="ether6-[TRNG]ESP32PoE" vlan-ids=\
    20
# Guest VLAN is carried to the L009 trunk only, not to the hAPX2 (ether5).
add bridge=Bridge comment=Guest tagged=Bond-L009,Bridge vlan-ids=100
add bridge=Bridge comment=Management tagged=Bridge,Bond-L009,ether5-hAPX2 \
    untagged=ether8-ManagementPort vlan-ids=99
/interface detect-internet
set detect-interface-list=all
/interface wireguard peers
# NOTE(review): interface=*C is a dangling internal-ID reference - the
# WireGuard interface this peer belongs to is not in the export, so the
# peer is inert. allowed-address=0.0.0.0/0 would route everything through
# the peer if it were attached. Keys were redacted by the poster.
add allowed-address=0.0.0.0/0 client-address=10.71.87.119/32 client-dns=\
    10.64.0.1 client-endpoint=185.254.75.3 endpoint-address=185.254.75.3 \
    endpoint-port=51820 interface=*C name=peer1 private-key=\
    "####" public-key=\
    "####"
/ip address
# .1 of each VLAN subnet on the matching VLAN interface (the DHCP gateways).
add address=10.0.0.1/24 interface=VLAN10-General network=10.0.0.0
add address=10.0.1.1/24 interface=VLAN20-TRNG network=10.0.1.0
add address=10.0.2.1/24 interface=VLAN100-Guest network=10.0.2.0
add address=10.0.99.1/24 interface=VLAN99-Management network=10.0.99.0
/ip dhcp-client
# Supplies the WAN address and, presumably, the default route.
add interface=ether1-WAN
/ip dhcp-server network
# Gateway per subnet. No dns-server option is set, so what clients receive
# depends on the /ip dns settings (allow-remote-requests is not set here) -
# verify with an actual lease.
add address=10.0.0.0/24 gateway=10.0.0.1
add address=10.0.1.0/24 gateway=10.0.1.1
add address=10.0.2.0/24 gateway=10.0.2.1
add address=10.0.99.0/24 gateway=10.0.99.1
/ip dns
# NOTE(review): 4.4.4.4 is not a well-known public resolver (Google's
# secondary is 8.8.4.4); this looks like a typo.
set servers=8.8.8.8,4.4.4.4
/ip firewall filter
# NOTE(review): WAN-facing router with no input chain at all: every router
# service (WinBox, SSH, API, www, DNS if enabled) is reachable from
# ether1-WAN. The second rule accepts all forwarded traffic, so inter-VLAN
# traffic is fully open and only the absence of dstnat keeps WAN out of the
# LAN. connection-type="" on the first rule matches nothing specific.
# The reply further down supplies a default-deny ruleset to start from.
add action=accept chain=forward connection-type="" in-interface=Bridge \
    out-interface=ether1-WAN
add action=accept chain=forward
/ip firewall nat
# Source NAT for everything leaving the WAN port.
add action=masquerade chain=srcnat out-interface=ether1-WAN
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system upgrade mirror
# Package mirror enabled with no servers configured - presumably a leftover.
set enabled=yes

Please remove sensitive information from the config before posting (passwords, keys, public IP addresses, etc.).

On the primary router, the one the WAN is connected to, the firewall section has to be arranged so that traffic flows correctly. You don't need a firewall on the other router. But you simply don't have a firewall on the primary router at all! That affects not only security but the whole traffic flow. Why not start from the default firewall rules?
How to configure firewall - http://forum.mikrotik.com/t/default-firewall-config/134431/1
How to create Vlan - https://www.youtube.com/watch?v=4Z32oOPqCqc

Hi Johnson73,
Thank you for your prompt response. I have removed the private key of the Mullvad VPN peer, even though it has been invalid for a while. I have removed the firewall rules on the other router, but that did not resolve the issue. What do you mean by

correct traffic flow

? The VLANs work without issue on the same router. It's only as soon as I go through the L009 that I get issues — and again, not for my management VLAN.

So I have done some further investigating, but before I can share that I need to clarify my topology:

--(WAN)--> RB5009 --(802.3ad bond with 2 Ethernet ports)-->  L009 
                 |--(PoE Converter Ubiquiti from 40 to 24 Volts)--> hAPX2

When testing the VLANs across multiple routers, every combination over the RB5009 ↔ hAPX2 path works. It is only when I try to connect through the L009 that it doesn't work. Again, the problem is that the host is not reachable even though it does get an IP, and moreover the lease is not renewed. Note that VLAN99-Management works without a problem.

In my investigation I have played with the transmit hash policy, since that is what decides how the bond load-balances flows across its members. This didn't change anything.
Another thing I tried was to do away with the bonding entirely, using the same kind of connection as for the hAPX2: a single port that is a member of the bridge. Again, VLAN99-Management works, but the other VLANs do not.

I am a novice and struggle to make sense of this; it seems inconsistent.
Any help would be appreciated :slight_smile:

I meant the passwords you pasted publicly, which are visible to everyone.

"What do you mean by correct traffic flow?" — I wanted to say that incorrectly defined firewall rules affect not only security but also traffic flow. Rules in a chain are evaluated top to bottom, sequentially, and the first matching accept/drop rule decides. The input and forward chains are separate: a packet goes through one or the other depending on whether it is addressed to the router or passing through it.
INPUT chain → traffic to the router itself and its services. Direction: WAN → router and LAN → router.
FORWARD chain → traffic through the router. Direction: LAN → LAN (between VLANs), LAN → WAN, WAN → LAN.
OUTPUT chain → traffic originating from the router. Direction: router → WAN and router → LAN.
In your case there is practically none of this: you have no firewall policy that allows or denies anything, which is not correct.
Good practice is a default-deny policy: everything is dropped except what you explicitly allow.
You can safely start from the example below. Only after that, build your VLAN policy and define everything you need, as shown in the YouTube link I posted earlier. You'll see — it will all work out :slight_smile:
P.S. Sorry for my English.

# Example default-deny ruleset posted by the replier. The placeholders
# "(optional)", "{ default rules to keep }", "(remove if not needed)" and
# VlanXX are notes, not RouterOS syntax - strip them before pasting.
/interface list
add name=WAN
add name=LAN
add name=MGMT (optional)
add name=VlanXX
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
# NOTE(review): list=Vlan10 does not match the VlanXX list declared above,
# and the bridge itself is added rather than a VLAN interface - adjust to
# the real list and VLAN interface names.
add interface=bridge1 list=Vlan10
/ip firewall address-list
add address=10.0.0.0/24 list=Local-LAN
add address=10.1.0.0/24 list=MGMT

/ip firewall filter
{ default rules to keep }
# Input chain, default-deny: only established/related, ICMP, loopback, the
# trusted LAN source list and DNS from LAN reach the router; the final
# drop catches everything else (including all of WAN).
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1 (remove if not needed)
# NOTE(review): the stray "\" in the middle of the next line is a broken
# line continuation; it must be one line (or break it right after the "\").
add action=accept chain=input comment="Allow access to router from known network" in-interface-list=LAN \ src-address-list=Local-LAN
add action=accept chain=input comment="users services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" 
# Forward chain: fasttrack established/related first (later rules then see
# only the first packets of each flow), then default-deny.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
# NOTE(review): dst-address-list=VLAN10 is not defined above (only Local-LAN
# and MGMT are); an address list with no entries matches nothing, so this
# rule is inert until the list is created.
add action=accept chain=forward comment=LAN-Access dst-address-list=VLAN10 \
    src-address-list=Local-LAN
# Lets dstnat'd (port-forwarded) connections through the default-deny.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat 
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# ipsec-policy=out,none keeps IPsec-policy traffic out of masquerade.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Hey there,

Sorry for the late reply — I was ill for a few weeks and had wanted to get back to you earlier. My firewall rules are now as follows:

# 2024-10-21 20:12:58 by RouterOS 7.15.2
# software id = XXXXXXX
#
# model = RB5009UPr+S+
# serial number = XXXXXXX
#
# Revised RB5009 firewall. Intent per the poster: VLAN 10 and 99 reach all
# local nets, VLAN 20/80 only themselves, guest VLAN 100 only the internet.
/ip firewall address-list
# One list per VLAN subnet plus an aggregate Local-Networks list. VLAN 80
# (10.0.80.0/24) does not appear in the earlier export; presumably added
# since. NOTE(review): the VLAN99 list name carries a trailing space
# ("VLAN99-Management "); the rule below quotes the same string so it still
# matches, but it is fragile - rename without the space on both ends.
add address=10.0.0.0/24 list=VLAN10-General
add address=10.0.1.0/24 list=VLAN20-TRNG
add address=10.0.2.0/24 list=VLAN100-Guest
add address=10.0.80.0/24 list=VLAN80-IoT
add address=10.0.99.0/24 list="VLAN99-Management "
add address=10.0.2.0/24 list=Local-Networks
add address=10.0.1.0/24 list=Local-Networks
add address=10.0.0.0/24 list=Local-Networks
add address=10.0.80.0/24 list=Local-Networks
add address=10.0.99.0/24 list=Local-Networks
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip firewall filter
# Still forward-only: there is no input chain, so every VLAN - the guest
# VLAN included - and the WAN side can reach the router's own services.
# A passthrough rule with no matcher is a packet counter only (no-op).
add action=passthrough chain=forward
# NOTE(review): srcnat is decided in postrouting, after filter/forward, so
# this presumably does not match the first packet of a new outbound flow;
# outbound works today only because the chain's implicit policy is accept.
# Prefer in-interface-list=LAN out-interface-list=WAN for this rule.
add action=accept chain=forward comment="Traffic to the outside" \
    connection-nat-state=srcnat src-address-list=Local-Networks
# VLAN 10 may open connections to every local net.
add action=accept chain=forward comment="Main can access all local nets" \
    dst-address-list=Local-Networks src-address-list=VLAN10-General
# Same-subnet traffic never transits the router, so these two intra-VLAN
# accepts are no-ops (harmless).
add action=accept chain=forward comment=\
    "VLAN20 TRNG can communicate within network" dst-address-list=VLAN20-TRNG \
    src-address-list=VLAN20-TRNG
add action=accept chain=forward comment=\
    "VLAN80 IoT can communicate within network" dst-address-list=VLAN80-IoT \
    src-address-list=VLAN80-IoT
# NOTE(review): guest-to-guest traffic within one /24 is switched at L2 and
# never reaches the forward chain, so this drop does nothing; client
# isolation needs a bridge-port horizon / AP client isolation. Guest to the
# other local nets is dropped by the last rule; guest to the router itself
# is not filtered at all (no input chain), so the isolation is incomplete.
add action=drop chain=forward comment="VLAN100 - Isolate Guests" \
    dst-address-list=VLAN100-Guest src-address-list=VLAN100-Guest
# VLAN 99 may open connections to every local net.
add action=accept chain=forward comment=\
    "Management can access all local Nets" dst-address-list=Local-Networks \
    src-address-list="VLAN99-Management "
# Reply traffic for anything already accepted. Move this to the top of the
# chain (and add a drop for connection-state=invalid) so established flows
# are not re-evaluated against the address-list rules above.
add action=accept chain=forward comment=\
    "All traffic that is related, established or untracked will be forwarded" \
    connection-state=established,related,untracked
# Disabled catch-all accept; harmless while disabled.
add action=accept chain=forward disabled=yes
# Only new local-to-local connections are dropped; everything else falls
# through to the implicit accept. NOTE(review): add an explicit drop for
# in-interface=ether1-WAN connection-state=new so WAN->LAN does not rely
# solely on the absence of dstnat rules.
add action=drop chain=forward comment=\
    "Drop Local traffic is not specifically allowed" connection-state=new \
    dst-address-list=Local-Networks src-address-list=Local-Networks
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN

The idea is that VLAN 10 and VLAN 99 should have access to all devices; the other VLANs should be confined to themselves; and the guest VLAN should be completely isolated and only able to talk to the outside.

The issue persisted, however. What I then did was replicate the VLAN interfaces on the L009 and add the bridge interface itself to the tagged list of each VLAN under /interface bridge vlan. Now everything seems to be working rather well :smiley:.

Can anyone explain why this is?