Mikrotik AC3 And TP-Link Switch | VLAN

Hi All,

I need some help with configuring VLAN.
My router is an AC3, the connected switch is TP-LINK T1600G-28TS.
AC3 port2 is connected to SW port1.
My VLAN related configuration:

# VLAN interfaces 100 and 200 sit on top of bridge1, so the bridge itself must
# be a tagged member of both VLANs (see the /interface bridge vlan entry below).
/interface vlan
add interface=bridge1 name=vlan200 vlan-id=200
add interface=bridge1 name=vlan100 vlan-id=100

# VLANs 100 and 200 are carried tagged on the bridge (CPU side) and on the
# uplink to the switch. This table is only enforced when the bridge has
# vlan-filtering=yes, which this excerpt does not show.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2-switch vlan-ids=100,200

# NOTE(review): no pvid, frame-types or ingress-filtering is set on the uplink,
# so it keeps the RouterOS defaults; untagged frames from the switch are then
# presumably accepted into the default PVID rather than dropped - confirm.
/interface bridge port
add bridge=bridge1 interface=ether2-switch internal-path-cost=10 path-cost=10

# DHCP server bound to the vlan200 interface. It also needs an IP address on
# vlan200 and a matching /ip dhcp-server network entry, neither of which is
# part of this excerpt.
/ip dhcp-server
add address-pool=dhcp_pool5 interface=vlan200 name=vlan200

On the SW side the port1 is configured as tagged port for VLAN 100 and 200. The port23 is configured as untagged VLAN 200 and a client pc is connected to it.
But my computer failed to get IP address from the DHCP server.

Can somebody suggest what could be wrong?

Thanks.
Janos Vincze

Can you provide full config please?

I would expect frame-types=admit-only-vlan-tagged on the /interface bridge port entry for the trunk port.

For testing purposes, configure an access port with VLAN ID=200 to test whether the router is working properly.

Anything in the logging?

Hi,

This is my Mikrotik config (without static dhcp leases):

# 2025-02-25 13:45:11 by RouterOS 7.15.3
# software id = 51LK-FL29
#
# model = RBD53iG-5HacD2HnD
# bridge1 has VLAN filtering switched on, so the /interface bridge vlan table
# and the per-port pvid values decide which VLANs each bridge port may carry.
/interface bridge
add name=bridge1 port-cost-mode=short vlan-filtering=yes
# Physical ports renamed after their role: WAN (PPPoE), switch uplink, ISP box.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-pppoe
set [ find default-name=ether2 ] name=ether2-switch
set [ find default-name=ether4 ] name=ether4-telekom
# NOTE(review): the export carries no password here, but the PPPoE user name is
# an ISP account identifier; replace it with a placeholder before publishing.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-pppoe name=pppoe-out1 user=55500000000000240404@t-online.hu
# Only the listen port and MTU are shown; no private key or peer entries appear
# in the visible export.
/interface wireguard
add listen-port=51840 mtu=1384 name=wg-vps12
# Layer-3 interfaces for VLAN 100 and VLAN 200 on top of the filtering bridge.
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan200 vlan-id=200
# Interface lists used by the firewall and discovery settings further down.
# Membership is assigned under /interface list member.
/interface list
add name=WAN
add name=LAN
add name=ETH
add name=ISOLATED-VLANS
# Channel profiles referenced by the local radios and the CAPsMAN configurations.
/interface wifi channel
add band=5ghz-ac disabled=no frequency=2300-7300 name=self-5g skip-dfs-channels=all width=20/40/80mhz
add band=2ghz-n disabled=no frequency=2451-2473 name=self-2g-ch11 width=20/40mhz
add band=2ghz-n disabled=yes frequency=2412 name=wAP-R-2nD-01-ch1 skip-dfs-channels=disabled width=20/40mhz
add band=5ghz-ac disabled=yes frequency=5320 name=test width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2300-7300 name=bedrrom-axlite-2gax skip-dfs-channels=10min-cac width=20mhz
# Datapath that attaches provisioned interfaces to bridge1. No vlan-id is set
# here, so VLAN placement comes from the bridge port settings.
/interface wifi datapath
add bridge=bridge1 disabled=no name=bridge1
# Security profiles. Passphrases are not part of this export.
# NOTE(review): "camera" still permits legacy wpa-psk next to wpa2-psk; keep it
# only if the cameras cannot do WPA2.
# NOTE(review): "nosec" sets no authentication-types; confirm it cannot yield an
# open network. Nothing in the visible export references it, so it may simply be
# removable.
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp,ccmp-256,gcmp-256 name=jfsz-sb-33-net
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec1
add authentication-types=wpa-psk,wpa2-psk disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 name=camera
add disabled=no encryption=ccmp,ccmp-256,gcmp-256 name=nosec
# Local 2.4 GHz radio plus a virtual AP (SSID camera-vlan) for the cameras. The
# virtual AP is later added to the bridge with pvid=200.
/interface wifi
set [ find default-name=wifi1 ] channel=self-2g-ch11 channel.frequency=2300-7300 configuration.country=Hungary .mode=ap .ssid=jfsz-sb-33-net disabled=no name=wifi1-2ghz security=\
    jfsz-sb-33-net
add configuration.mode=ap .ssid=camera-vlan disabled=no mac-address=DE:2C:6E:2E:77:05 master-interface=wifi1-2ghz name=wifi3-2ghz-cams security=camera
# Configuration profiles; the last three are handed to remote CAPs through the
# provisioning rules and all use datapath bridge1.
/interface wifi configuration
add channel=self-2g-ch11 country=Hungary disabled=no name=slef-2g security=jfsz-sb-33-net ssid=jfsz-sb-33-net
add channel=self-5g country=Hungary disabled=no name=slef-5g security=jfsz-sb-33-net ssid=jfsz-sb-33-net
add channel=wAP-R-2nD-01-ch1 country=Hungary datapath=bridge1 disabled=no mode=ap name=wAP-R-2nD-01 security=jfsz-sb-33-net ssid=test-map
add channel=bedrrom-axlite-2gax country=Hungary datapath=bridge1 disabled=no name=test security=jfsz-sb-33-net ssid=test
add channel=bedrrom-axlite-2gax datapath=bridge1 disabled=no name=bedrrom-axlite-2gax security=jfsz-sb-33-net ssid=test
# Local 5 GHz radio. NOTE(review): it points at configuration=slef-2g while
# overriding the channel with self-5g; confirm slef-5g was not intended.
/interface wifi
set [ find default-name=wifi2 ] channel=self-5g channel.frequency=5240 configuration=slef-2g configuration.mode=ap disabled=no mtu=1500 name=wifi2-5ghz security=jfsz-sb-33-net
# Address pools. Only "dynamic dhcp" and dhcp_pool5 are used by a DHCP server in
# this export; dhcp-vlan200 overlaps dhcp_pool5 inside 192.168.10.0/24.
/ip pool
add name="dynamic dhcp" ranges=172.16.3.192/26
add name=servers ranges=172.16.0.32/27
add name=dhcp_pool2 ranges=10.10.100.2-10.10.100.254
add name=dhcp_pool3 ranges=10.10.200.2-10.10.200.254
add name=dhcp-vlan200 ranges=192.168.10.128/25
add name=dhcp_pool5 ranges=192.168.10.2-192.168.10.254
# dhcp1 serves the untagged bridge LAN; vlan200-cams serves VLAN 200.
/ip dhcp-server
add address-pool="dynamic dhcp" interface=bridge1 name=dhcp1
add address-pool=dhcp_pool5 interface=vlan200 name=vlan200-cams
/ip smb users
set [ find default=yes ] disabled=yes
# NOTE(review): the default SNMP community accepts queries from any source
# address (0.0.0.0/0), and SNMP is enabled further down. Limit addresses= to the
# monitoring host and replace the default community name, which is well known.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# NOTE(review): the ZeroTier network ID below is published with the export;
# confirm the network is private (members need authorisation) or redact the ID.
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" name=zt1 port=9993
/zerotier interface
add instance=zt1 name=zt1 network=6ab565387abd2122
# Bridge port membership.
# ether2-switch: trunk to the TP-Link. No pvid or frame-types is set, so the
#   port keeps the defaults; untagged frames from the switch presumably join the
#   default PVID (the main LAN) - confirm that this is intended.
# ether3 and wifi3-2ghz-cams: pvid=200, i.e. untagged access to VLAN 200.
# ether4-telekom: pvid=100 with ingress-filtering=no and trusted=yes.
#   NOTE(review): ingress filtering is switched off only on this port; confirm
#   why. trusted= presumably matters only with DHCP snooping, which the bridge
#   entry in this export does not enable.
/interface bridge port
add bridge=bridge1 interface=ether2-switch internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10 pvid=200
add bridge=bridge1 interface=wifi1-2ghz internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=wifi2-5ghz
add bridge=bridge1 interface=ether5
add bridge=bridge1 ingress-filtering=no interface=ether4-telekom pvid=100 trusted=yes
add bridge=bridge1 interface=wifi3-2ghz-cams pvid=200
# UDP connection-tracking timeout set to 10 seconds.
/ip firewall connection tracking
set udp-timeout=10s
# Neighbor discovery runs only on members of the LAN list, not on WAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Static VLAN table: 100 and 200 tagged on the bridge and the switch uplink,
# VLAN 100 untagged on ether4-telekom. The pvid=200 ports above are not listed;
# presumably they are added dynamically as untagged members - verify with
# "/interface bridge vlan print".
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2-switch vlan-ids=100,200
add bridge=bridge1 untagged=ether4-telekom vlan-ids=100
# List membership drives the firewall. LAN holds bridge1 and wg-vps12; vlan200
# is only in ISOLATED-VLANS and vlan100 is in no list, so a firewall rule that
# matches in-interface-list=!LAN also matches traffic arriving on either VLAN
# interface.
/interface list member
add disabled=yes interface=ether1-pppoe list=WAN
add interface=bridge1 list=LAN
add interface=pppoe-out1 list=WAN
add interface=ether2-switch list=ETH
add interface=ether5 list=ETH
add interface=ether4-telekom list=ETH
add interface=ether3 list=ETH
add interface=wg-vps12 list=LAN
add interface=vlan200 list=ISOLATED-VLANS
# CAP client settings: discover the manager on LAN interfaces and request a
# certificate from it.
/interface wifi cap
set certificate=request discovery-interfaces=LAN lock-to-caps-man=yes slaves-static=no
# CAPsMAN listens on bridge1 only.
# NOTE(review): require-peer-certificate=no means a CAP does not have to present
# a certificate to be managed; consider enabling it once all CAPs have one.
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-DC2C6E2E76FF certificate=WiFi-CAPsMAN-DC2C6E2E76FF enabled=yes interfaces=bridge1 package-path="" require-peer-certificate=no upgrade-policy=none
# Provisioning is keyed on the radio MAC address of each remote CAP.
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=wAP-R-2nD-01 radio-mac=CC:2D:E0:36:9F:17
add action=create-dynamic-enabled disabled=no master-configuration=test radio-mac=78:9A:18:2E:54:5D
# Router addresses: main LAN on the bridge, WireGuard tunnel, VLAN 200 gateway.
/ip address
add address=172.16.0.1/22 interface=bridge1 network=172.16.0.0
add address=10.8.0.68/24 interface=wg-vps12 network=10.8.0.0
add address=192.168.10.1/24 interface=vlan200 network=192.168.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m
# VLAN 100 gets its address from the upstream device; no default route, DNS or
# NTP is taken from that lease.
/ip dhcp-client
add add-default-route=no interface=vlan100 use-peer-dns=no use-peer-ntp=no
# DHCP network options. The 192.168.10.0/24 entry (VLAN 200) sets a gateway but
# no dns-server. NOTE(review): the 0.0.0.0/24 entry looks like a leftover, and
# the 10.x entries match no DHCP server in this export - confirm and remove.
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=10.10.100.0/24 gateway=10.10.100.1
add address=10.10.200.0/24 gateway=10.10.200.1
add address=10.200.0.0/24 gateway=10.200.0.1
add address=172.16.0.0/22 dns-server=172.16.0.1 gateway=172.16.0.1 netmask=22
add address=192.168.10.0/24 gateway=192.168.10.1
# The router answers DNS queries for clients. Who can reach the resolver is
# decided entirely by the input chain of the firewall, so every accept rule
# there that is not limited to LAN interfaces also applies to this service.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Address lists used by the WireGuard NAT and filter rules.
/ip firewall address-list
add address=192.168.150.0/24 list=wg-vpn-routes
add address=192.168.100.0/24 list=wg-vpn-routes
add address=10.8.0.132 comment=iphone list=wg2lan
add address=10.8.0.133 comment="lenovo yoga" list=wg2lan
# Filter rules are evaluated top to bottom per chain; a packet that matches no
# rule is accepted, because neither chain ends in an unconditional drop.
/ip firewall filter
# Isolation: new connections from ISOLATED-VLANS (vlan200) into the main LAN
# 172.16.0.0/22 are dropped, and access to the router's LAN address is rejected.
# NOTE(review): only 172.16.0.0/22 is protected; forwarding from vlan200 to the
# other subnets in this export (192.168.1.0/24 behind vlan100, the WireGuard
# routes) is not blocked by any rule here - confirm that is intended.
add action=drop chain=forward comment="vlan | disable access main network" connection-state=!established,related dst-address=172.16.0.0/22 in-interface-list=ISOLATED-VLANS
add action=reject chain=input comment="vlan " connection-state=!established,related dst-address=172.16.0.1 in-interface-list=ISOLATED-VLANS reject-with=icmp-network-unreachable
# NOTE(review): both CAPsMAN rules have no in-interface match and sit above the
# "!LAN" drop, so they also apply on WAN. The first matches on source port only:
# any UDP packet sent from port 5246 or 5247 is accepted to every UDP service on
# the router (DNS, SNMP, ...). A source port is chosen by the sender and does
# not identify CAPsMAN traffic; add in-interface-list=LAN to both rules.
add action=accept chain=input comment="CAPSMANAGER Discovery" protocol=udp src-port=5246,5247
add action=accept chain=input comment="CAPSMANAGER Discovery" dst-port=5246,5247 protocol=udp
# ICMP and return traffic to the router are accepted on every interface.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# Everything else addressed to the router is dropped unless it arrives on a LAN
# list member (bridge1, wg-vps12). vlan200 and vlan100 are not in LAN, so router
# services such as DNS on 192.168.10.1 are not reachable from VLAN 200.
add action=drop chain=input in-interface-list=!LAN
add action=accept chain=forward comment="wireguard related | accept remotes" connection-state=established,related
# WireGuard peers outside the wg2lan list may not open connections into bridge1
# or to 172.16.0.1. NOTE(review): the input rule matches only dst 172.16.0.1, so
# the router's other addresses (10.8.0.68, 192.168.10.1) stay reachable from
# every peer, because wg-vps12 is a LAN member - confirm that is intended.
add action=drop chain=forward comment="wireguard related rules" in-interface=wg-vps12 out-interface=bridge1 src-address-list=!wg2lan
add action=drop chain=input comment="wireguard related rules" dst-address=172.16.0.1 in-interface=wg-vps12 src-address-list=!wg2lan
/ip firewall nat
# Port forwards. SSH (22) on the PPPoE interface goes to 172.16.0.33, which puts
# that host's SSH daemon on the Internet; it should allow key authentication
# only and be kept patched.
add action=dst-nat chain=dstnat comment="Incommin SSH" dst-address=!172.16.0.1 dst-address-type=local dst-port=22 in-interface=pppoe-out1 protocol=tcp to-addresses=172.16.0.33 \
    to-ports=22
# NOTE(review): the next seven rules match on protocol and dst-port only - no
# in-interface, in-interface-list or dst-address-type=local. They therefore also
# rewrite connections that LAN clients open to Internet hosts on these ports.
# Add in-interface-list=WAN or dst-address-type=local to each.
add action=dst-nat chain=dstnat comment="qbittorrent-emp nuc to qnap" dst-port=6885 protocol=udp to-addresses=172.16.0.33 to-ports=6885
add action=dst-nat chain=dstnat comment="qbittorrent-emp nuc to qnap" dst-port=6885 protocol=tcp to-addresses=172.16.0.33 to-ports=6885
add action=dst-nat chain=dstnat comment="qbit peti" dst-port=26882 protocol=tcp to-addresses=172.16.3.226 to-ports=26882
add action=dst-nat chain=dstnat comment="qbit peti udp" dst-port=26882 protocol=udp to-addresses=172.16.3.226 to-ports=26882
add action=dst-nat chain=dstnat comment="qbittorrent nuc to qnap" dst-port=16889 protocol=udp to-addresses=172.16.0.33 to-ports=16889
add action=dst-nat chain=dstnat comment="qbittorrent nuc to qnap" dst-port=16889 protocol=tcp to-addresses=172.16.0.33 to-ports=16889
add action=dst-nat chain=dstnat dst-port=52820 protocol=udp to-addresses=172.16.0.38 to-ports=52820
# Web and Plex forwards match any local router address on any interface, so LAN
# clients that use the public address are redirected too; the masquerade rules
# on bridge1 further down handle the return path for those connections.
add action=dst-nat chain=dstnat comment="web (http 80)" dst-address-type=local dst-port=80 protocol=tcp to-addresses=172.16.0.33 to-ports=80
add action=dst-nat chain=dstnat comment="webs (https 443)" dst-address-type=local dst-port=443 log=yes protocol=tcp to-addresses=172.16.0.33 to-ports=443
add action=dst-nat chain=dstnat comment=Plex dst-address-type=local dst-port=32400 protocol=tcp to-addresses=172.16.0.35 to-ports=32400
# Outbound NAT for everything leaving through the WAN list.
add action=masquerade chain=srcnat comment="default masq" out-interface-list=WAN
# Hairpin NAT for LAN clients reaching the forwarded servers. NOTE(review):
# to-addresses= is presumably ignored by action=masquerade, which uses the
# address of the outgoing interface; src-nat is the action that honours it -
# confirm. The third rule is for Plex (32400) although its comment says https.
add action=masquerade chain=srcnat comment="http masquerade" dst-address=172.16.0.33 dst-port=80 out-interface=bridge1 protocol=tcp src-address=172.16.0.0/22 to-addresses=\
    172.16.0.34
add action=masquerade chain=srcnat comment="https masquerade" dst-address=172.16.0.33 dst-port=443 out-interface=bridge1 protocol=tcp src-address=172.16.0.0/22 to-addresses=\
    172.16.0.34
add action=masquerade chain=srcnat comment="https masquerade" dst-address=172.16.0.35 dst-port=32400 out-interface=bridge1 protocol=tcp src-address=172.16.0.0/22 to-addresses=\
    172.16.0.34
# LAN traffic into the WireGuard tunnel and towards the ISP box behind vlan100
# is hidden behind the router's own address on those interfaces.
add action=masquerade chain=srcnat comment="wireguard vpn masq" dst-address=10.8.0.0/24 out-interface=wg-vps12 src-address=172.16.0.0/22
add action=masquerade chain=srcnat comment="wireguard routes" dst-address-list=wg-vpn-routes out-interface=wg-vps12 src-address=172.16.0.0/22
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 out-interface=vlan100
# Static routes: two remote networks via WireGuard, and 10.20.30.0/24 twice
# (once via the bridge1 interface, once via 172.16.0.33).
/ip route
add dst-address=192.168.150.0/24 gateway=wg-vps12
add dst-address=192.168.100.0/24 gateway=wg-vps12
add disabled=no dst-address=10.20.30.0/24 gateway=bridge1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.20.30.0/24 gateway=172.16.0.33 routing-table=main suppress-hw-offload=no
# NOTE(review): only the www port is changed. An export lists non-default values
# only, so the other management services (telnet, ftp, api, ssh, winbox) are
# presumably still at their defaults - confirm that unused ones are disabled and
# that the rest are limited with address=.
/ip service
set www port=18080
/ip smb shares
set [ find default=yes ] directory=/pub
# SNMP is on; together with the default community that allows 0.0.0.0/0 it
# answers any host that the input firewall lets through.
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=MikroTikAc3
/system leds
set 0 type=off
# Extra logging for CAPsMAN, wireless, interface and firewall topics. The
# interface and firewall topics are the ones to watch while testing VLAN 200.
/system logging
add prefix=caps topics=manager
add action=echo prefix=caps topics=caps,manager
add topics=wireless
add topics=interface
add topics=firewall
/system note
set show-at-login=no
/system ntp client
set enabled=yes
# The router also acts as an NTP server with multicast enabled; reachability
# follows the input firewall rules.
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=pool.ntp.org
add address=hu.pool.ntp.org
# RouterBOOT firmware is upgraded automatically after a RouterOS upgrade.
/system routerboard settings
set auto-upgrade=yes

Thanks a lot.