Hello
I am kinda new with some questions
Using a CCR2004 running on 7.1.1
I have an existing, working LAN (192.168.100.0/24) and want to segregate it into VLANs 10, 20 and 30 (10.0.10.0, 10.0.20.0, 10.0.30.0).
Some of the ports on the CCR will have to work as an access-port (e.g sfp-sfpplus5)
while others will have to be trunked because they are leading to different access switches ( sfp-sfpplus3, sfp-sfpplus1).
Only sfp-sfpplus5 and VLAN 10 are supposed to be configured so far, since I am moving one access port after the other.
The client on interface sfp-sfpplus5 doesn’t receive any IPs from the DHCP-Server: dhcp2 .
Giving a fixed address to the client is working alright.
I am not even sure whether I have made a fundamental mistake in my configuration, but as it stands it is just not working.
I also do not know how I have to configure the trunked ports leading to the access switches. Is it good enough to just add them to the vlan_bridge?
Thank you for your help
# RouterOS 7.1.1
# model = CCR2004-1G-12S+2XS
# serial number = xxx
# Three bridges: the original flat LAN, a VLAN-aware bridge for the new
# segments, and a bridge used as the uplink interface.
/interface bridge
# Flat LAN bridge with IGMP/MLD snooping enabled.
add igmp-snooping=yes igmp-version=3 mld-version=2 name=lan
# VLAN-aware bridge (vlan-filtering=yes) carrying VLANs 10/20/30.
# NOTE(review): ingress-filtering=no means frames are not checked against the
# bridge VLAN table on ingress. Once trunk ports are added, enabling ingress
# filtering together with a restrictive frame-types setting per port is the
# usual hardening against hosts sending unexpected tagged frames.
add ingress-filtering=no name=vlan_bridge vlan-filtering=yes
# Uplink bridge; protocol-mode=none turns spanning tree off on it.
add name=wan protocol-mode=none
# Physical, tunnel and VLAN interface definitions.
/interface ethernet
# Restricts the link modes advertised on sfp-sfpplus12.
set [ find default-name=sfp-sfpplus12 ] advertise=\
1000M-full,10000M-full,2500M-full,5000M-full
/interface wireguard
# WireGuard interface; UDP 13231 is the port accepted in the IPv4 input chain.
add listen-port=13231 mtu=1420 name=vpn_wk
/interface vlan
# One layer-3 interface per VLAN, all on top of vlan_bridge. These carry the
# gateway addresses 10.0.10.1, 10.0.20.1 and 10.0.30.1 assigned under /ip address.
add interface=vlan_bridge name=vlan10_clients vlan-id=10
add interface=vlan_bridge name=vlan20_server vlan-id=20
add interface=vlan_bridge name=vlan30_IOT vlan-id=30
/interface list
# Interface list that later receives the three VLAN interfaces.
# NOTE(review): no firewall rule in this export references the list yet.
add name=Vlans
/interface wireless security-profiles
# Default profile entry as exported; no wireless interface appears in this export.
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools and DHCP servers for the flat LAN and the new VLANs.
/ip pool
add name=dhcp_pool0 ranges=192.168.100.2-192.168.100.254
add name=vlan10_clients ranges=10.0.10.2-10.0.10.254
add name=vlan20_server ranges=10.0.20.2-10.0.20.254
add name=vlan30_IOT ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
# dhcp1 serves the flat LAN directly on the lan bridge.
add address-pool=dhcp_pool0 interface=lan name=dhcp1
# dhcp2 serves VLAN 10 on the vlan10_clients interface.
# NOTE(review): relay=10.0.10.1 restricts dhcp2 to requests forwarded by a DHCP
# relay at that address. 10.0.10.1 is this router's own VLAN 10 address and no
# relay is configured in this export, so broadcasts from directly attached
# clients are most likely ignored. This is the probable reason the client on
# sfp-sfpplus5 gets no lease; confirm by unsetting relay on dhcp2.
# NOTE(review): pools exist for VLAN 20 and 30, but no DHCP server is defined
# for them yet.
add address-pool=vlan10_clients interface=vlan10_clients name=dhcp2 relay=\
10.0.10.1
/ipv6 dhcp-server
# DHCPv6 server on the flat LAN, handing out from the delegated pool v6pool.
add address-pool=v6pool interface=lan name=v6server
# Serial port names and routing-protocol entries as exported.
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
# Default BGP template; no BGP connection is defined in the part of the export
# shown here.
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
add name=default-v3 version=3
/routing ospf area
# Both OSPF areas are disabled.
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
# Bridge port membership. Every port except sfp28-2 (wan) and sfp-sfpplus5
# (vlan_bridge) is still a member of the flat lan bridge.
# NOTE(review): the intended trunk ports sfp-sfpplus1 and sfp-sfpplus3 are in
# lan, not vlan_bridge. To carry tagged VLANs they would have to be ports of
# vlan_bridge AND be listed as tagged in /interface bridge vlan; adding them to
# the bridge alone is not enough.
# NOTE(review): every port has ingress-filtering=no and no frame-types
# restriction. Access ports are normally limited to untagged frames and trunk
# ports to tagged frames, with ingress filtering on, so that a host cannot
# inject frames for a VLAN it does not belong to.
/interface bridge port
add bridge=lan ingress-filtering=no interface=sfp28-1
# sfp28-2 is the only member of the wan bridge.
add bridge=wan ingress-filtering=no interface=sfp28-2
add bridge=lan ingress-filtering=no interface=sfp-sfpplus1
add bridge=lan ingress-filtering=no interface=sfp-sfpplus2
add bridge=lan ingress-filtering=no interface=sfp-sfpplus3
add bridge=lan ingress-filtering=no interface=sfp-sfpplus4
# Access port for VLAN 10: untagged ingress frames are assigned to pvid 10.
add bridge=vlan_bridge ingress-filtering=no interface=sfp-sfpplus5 pvid=10
add bridge=lan ingress-filtering=no interface=sfp-sfpplus6
add bridge=lan ingress-filtering=no interface=sfp-sfpplus7
add bridge=lan ingress-filtering=no interface=sfp-sfpplus8
add bridge=lan ingress-filtering=no interface=sfp-sfpplus9
add bridge=lan ingress-filtering=no interface=sfp-sfpplus10
add bridge=lan ingress-filtering=no interface=sfp-sfpplus11
add bridge=lan ingress-filtering=no interface=sfp-sfpplus12
# ether1 is a slave port of lan; see the address and firewall entries that
# still reference ether1 directly.
add bridge=lan ingress-filtering=no interface=ether1
# Neighbor-table limits, the bridge VLAN table and interface detection.
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# The router accepts IPv6 router advertisements.
set accept-router-advertisements=yes max-neighbor-entries=8192
/interface bridge vlan
# VLANs 20 and 30 are tagged only on the bridge (CPU) port, so the router's
# VLAN interfaces see them but no physical port carries them yet.
add bridge=vlan_bridge tagged=vlan_bridge vlan-ids=20,30
# VLAN 10: tagged towards the bridge (CPU) port, untagged on access port
# sfp-sfpplus5. Trunk ports would be added to tagged= on these entries.
add bridge=vlan_bridge tagged=vlan_bridge untagged=sfp-sfpplus5 vlan-ids=10
/interface detect-internet
# NOTE(review): detection runs on every interface. It is commonly advised to
# set this to none unless the feature is needed, because it actively probes the
# listed interfaces - verify it does not interfere with the LAN/VLAN segments.
set detect-interface-list=all
# Interface-list membership and VPN server/peer settings.
/interface list member
add interface=vlan10_clients list=Vlans
add interface=vlan30_IOT list=Vlans
add interface=vlan20_server list=Vlans
/interface ovpn-server server
# Client certificates are required. enabled= is absent from this line, so the
# server is presumably in its default state - confirm it is disabled if unused.
# NOTE(review): auth=sha1 is a dated HMAC choice; prefer a SHA-2 option if this
# server is actually used.
set auth=sha1 cipher=aes256 port=1195 require-client-certificate=yes
/interface wireguard peers
# NOTE(review): allowed-address carries a /24 mask, so this one peer may source
# any address in 10.0.1.0/24. For a single road-warrior peer a /32 keeps the
# tunnel from accepting addresses meant for other peers.
add allowed-address=10.0.1.2/24 interface=vpn_wk public-key=\
"xxx"
# Router addresses, cloud DDNS interval and the WAN DHCP client.
/ip address
# NOTE(review): ether1 is a slave port of the lan bridge (see /interface bridge
# port), so this address sits on a slave interface; addresses are normally
# placed on the bridge itself.
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
192.168.88.0
add address=192.168.100.1/24 interface=lan network=192.168.100.0
add address=10.0.1.1/24 comment=vpn_wk interface=vpn_wk network=10.0.1.0
# Gateway addresses for the three VLANs.
add address=10.0.10.1/24 interface=vlan10_clients network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20_server network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30_IOT network=10.0.30.0
/ip cloud
set ddns-update-interval=30m
/ip dhcp-client
# The router obtains its uplink address via DHCP on the wan bridge.
add interface=wan
# Static DHCP leases. All but the last entry are bound to dhcp1 (flat LAN).
/ip dhcp-server lease
add address=192.168.100.198 mac-address=24:5E:BE:4E:AB:5C server=dhcp1
add address=192.168.100.19 client-id=1:24:5a:4c:73:46:4d mac-address=\
24:5A:4C:73:46:4D server=dhcp1
add address=192.168.100.17 client-id=1:14:3f:a6:44:9e:45 mac-address=\
14:3F:A6:44:9E:45 server=dhcp1
add address=192.168.100.15 mac-address=7C:2F:80:FA:AA:DD server=dhcp1
add address=192.168.100.14 client-id=1:ac:35:ee:ce:f4:3c mac-address=\
AC:35:EE:CE:F4:3C server=dhcp1
add address=192.168.100.13 client-id=1:ac:35:ee:5a:73:d3 mac-address=\
AC:35:EE:5A:73:D3 server=dhcp1
add address=192.168.100.100 client-id=1:24:5e:be:5c:7c:6b mac-address=\
24:5E:BE:5C:7C:6B server=dhcp1
add address=192.168.100.105 client-id=1:24:5e:be:5c:7c:6c mac-address=\
24:5E:BE:5C:7C:6C server=dhcp1
add address=192.168.100.199 mac-address=24:5E:BE:54:30:7B server=dhcp1
add address=192.168.100.5 mac-address=EC:B5:FA:18:79:AA server=dhcp1
add address=192.168.100.25 client-id=1:1c:69:7a:6f:a2:92 mac-address=\
1C:69:7A:6F:A2:92 server=dhcp1
add address=192.168.100.200 client-id=1:24:5e:be:3d:8e:1d mac-address=\
24:5E:BE:3D:8E:1D server=dhcp1
add address=192.168.100.16 client-id=1:84:17:15:0:cb:ff mac-address=\
84:17:15:00:CB:FF server=dhcp1
add address=192.168.100.12 client-id=1:f4:92:bf:ac:b3:f4 mac-address=\
F4:92:BF:AC:B3:F4 server=dhcp1
add address=192.168.100.110 mac-address=24:8A:07:EB:0B:90 server=dhcp1
add address=192.168.100.30 client-id=1:52:54:0:0:da:23 mac-address=\
52:54:00:00:DA:23 server=dhcp1
add address=192.168.100.2 client-id=1:0:16:3e:55:34:9 mac-address=\
00:16:3E:55:34:09 server=dhcp1
add address=192.168.100.18 client-id=\
ff:d0:75:dc:27:0:2:0:0:ab:11:55:71:e0:a1:45:75:d7:33 mac-address=\
DC:A6:32:C2:4E:F6 server=dhcp1
add address=192.168.100.10 client-id=1:0:16:3e:a8:54:ec mac-address=\
00:16:3E:A8:54:EC server=dhcp1
add address=192.168.100.9 client-id=1:84:17:15:15:1e:9f mac-address=\
84:17:15:15:1E:9F server=dhcp1
# VLAN 10 reservation with no server= set; presumably it applies to any server
# - confirm, and bind it to dhcp2 if that is the intent.
add address=10.0.10.20 client-id=1:0:30:93:12:12:97 mac-address=\
00:30:93:12:12:97
# DHCP network options per subnet, plus the router's DNS resolver settings.
/ip dhcp-server network
# NOTE(review): all three VLAN networks hand out 192.168.100.1 as DNS server.
# The IPv4 input chain in this export accepts only the LAN, VLAN 10 and
# WireGuard address lists, so clients in VLAN 20 and 30 would not be able to
# query the router's resolver until a rule permits DNS from those subnets.
add address=10.0.10.0/24 comment=Vlan10_Clients dns-server=192.168.100.1 \
gateway=10.0.10.1 netmask=24
add address=10.0.20.0/24 comment=Vlan20_Server dns-server=192.168.100.1 \
gateway=10.0.20.1 netmask=24
add address=10.0.30.0/24 comment=Vlan30_IOT dns-server=192.168.100.1 gateway=\
10.0.30.1 netmask=24
add address=192.168.100.0/24 comment="Private IP-Range" dns-server=\
192.168.100.1 domain=xx gateway=192.168.100.1 netmask=24
/ip dns
# NOTE(review): servers=192.168.100.1 is the router's own lan address, so the
# only static upstream is the router itself; resolution presumably relies on
# servers learned dynamically from the wan DHCP client - confirm.
# allow-remote-requests=yes makes the router answer DNS for any source the
# firewall lets through; keep the resolver unreachable from the WAN side on
# both IPv4 and IPv6.
set allow-remote-requests=yes servers=192.168.100.1
/ip dns static
add address=192.168.100.100 name=xx
# IPv4 firewall. Rule order in this export is the evaluation order.
/ip firewall address-list
# Source ranges allowed to reach the router itself (input chain).
# NOTE(review): the LAN and VLAN 10 lists cover the whole client range, so
# every client may reach every enabled router service. Narrowing management
# access to a few admin hosts or a management subnet reduces exposure.
add address=192.168.100.2-192.168.100.254 list=allowed_to_router_LAN
add address=10.0.1.2-10.0.1.10 list=allowed_to_router_Wireguard
add address=10.0.10.2-10.0.10.254 list=allowed_to_router_VLAN10
/ip firewall filter
# Input chain: allow return traffic, IGMP, ICMP, the WireGuard port and the
# three address lists, then drop everything else addressed to the router.
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input protocol=igmp
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=accept chain=input src-address-list=allowed_to_router_LAN
add action=accept chain=input src-address-list=allowed_to_router_VLAN10
add action=accept chain=input comment="Wireguard allowed to Router/LAN" \
src-address-list=allowed_to_router_Wireguard
add action=drop chain=input
# Forward chain starts here.
# NOTE(review): the forward chain has no drop rule, so anything not matched
# falls through to the default accept. Traffic between LAN, the VLANs and
# WireGuard is therefore not restricted at layer 3, and nothing drops invalid
# or unsolicited WAN-originated forwards. The VLAN split provides no isolation
# until explicit forward rules with a final drop are added.
add action=accept chain=forward connection-state=established,related
# NOTE(review): the next input rule sits after the input drop above, so it can
# never match, and RouterOS flags it as invalid because ether1 is a bridge
# slave (see the generated comment below).
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (lan)
add action=accept chain=input in-interface=ether1
# NOTE(review): this fasttrack rule has no connection-state matcher and follows
# the accept rule for established/related; the usual form matches only
# established,related and is placed before that accept rule - verify intent.
add action=fasttrack-connection chain=forward hw-offload=yes
/ip firewall nat
# Source NAT for everything leaving through the wan bridge.
add action=masquerade chain=srcnat out-interface=wan
# Management services and the source ranges allowed to reach each of them.
# NOTE(review): telnet, ftp, www and api carry credentials in cleartext. None
# of them is shown as disabled here, so they are presumably still enabled for
# 192.168.100.0/24 - disable the ones not needed and keep ssh, www-ssl, winbox
# or api-ssl for management.
/ip service
set telnet address=192.168.100.0/24
set ftp address=192.168.100.0/24
set www address=192.168.100.0/24
set ssh address=192.168.100.0/24
set www-ssl address=192.168.100.0/24 disabled=no
set api address=192.168.100.0/24
# Winbox is additionally reachable from 192.168.88.0/24, the WireGuard peer
# 10.0.1.2 and the whole VLAN 10 client subnet.
set winbox address=192.168.100.0/24,192.168.88.0/24,10.0.1.2/32,10.0.10.0/24
set api-ssl address=192.168.100.0/24
# IPv6 addressing, prefix delegation, firewall and neighbor discovery.
/ipv6 address
# duplicate address detected
add from-pool=v6pool interface=lan
/ipv6 dhcp-client
# Requests an address and a delegated prefix on wan; the prefix fills v6pool.
add add-default-route=yes interface=wan pool-name=v6pool pool-prefix-length=\
56 request=address,prefix
/ipv6 firewall filter
# Only wan -> lan forwarding is filtered: return traffic is accepted, the rest
# is dropped.
# NOTE(review): no IPv6 input-chain rule appears in this export, so traffic
# addressed to the router itself over IPv6 is not filtered here. The forward
# rules also name only lan, so the VLAN interfaces would not be covered if they
# receive IPv6 prefixes later. Add an input chain with a final drop and extend
# the forward rules accordingly.
add action=accept chain=forward connection-state=established,related \
in-interface=wan out-interface=lan
add action=drop chain=forward in-interface=wan out-interface=lan
/ipv6 nd
# Router advertisements on lan with the managed and other-configuration flags set.
set [ find default=yes ] interface=lan managed-address-configuration=yes mtu=\
1500 other-configuration=yes
# Multicast proxying, clock, identity and NTP.
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
# wan is the upstream side and accepts multicast sources from any subnet; lan
# is the downstream side.
add alternative-subnets=0.0.0.0/0 interface=wan upstream=yes
add interface=lan
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=RT-WK
/system ntp client
set enabled=yes
/system ntp server
# The router also acts as an NTP server with multicast mode on; which clients
# can reach it is governed by the input chain.
set enabled=yes multicast=yes
/system ntp client servers
# Upstream NTP servers are given as literal IP addresses.
add address=194.58.207.148
add address=37.187.205.149