Newbie would appreciate help with slave errors

Hi there. I am doing some voluntary work for a community centre. I am not skilled with networking so please be patient and explain technical terms! Thank you.

There is a Unifi 8 port switch running 3 APs and a Raspberry Pi/digital sign.
I am trying to add VLAN tagging, but the ISP's Huawei router is poor, and cannot create separate DHCP ranges.
So my intention is to insert a Mikrotik RB750r2 between the ISP's router and the Unifi Switch to create the DHCP ranges.

I was lucky to get some great help from a mailing list of IT support teachers. They felt the best way to do this was set up IP pools and addresses, then connect the IP pools to DHCP ranges tied to specific ports on the Mikrotik. I can then patch the three ports to the Unifi Switch and set up tagging and VLANs on the switch itself. They advised to check that if the laptop is connected directly to the assigned LAN ports on the Mikrotik, an IP in the relevant range for that port is offered by the DHCP server.

However, I keep getting these annoying messages about "slaves". It will only let me create one DHCP server on the bridge, so I can't attach the IP pools to specific ports. I can get a dhcp address but it's from the one pool I was able to attach to the bridge no matter which of the LAN ports I plug my laptop to. It won't allow me to attach a DHCP server to any of the three LAN ports that I want to (ether3,4,5) because they are "slaves". I have set up DHCP addresses for the three pools. The bridge setting shows the WAN and LANs are attached to the bridge but there doesn't seem to be an option to disconnect them.

What should I try? I have watched lots of videos and read lots of forum posts but I'm stumped.

I attach the exported config file. Thanks in advance for any help you can give! If you need other bits of information eg screenshots, just let me know.

Best wishes

Imogen


```
# apr/02/2018 20:23:28 by RouterOS 6.41.3
# software id = FI2A-4PNC
# model = RouterBOARD 750 r2
# serial number = 67D207818658
/interface bridge
add admin-mac=64:D1:54:51:20:DA auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.8.2-192.168.8.254
add name=TACC10-alternative ranges=192.168.10.100-192.168.10.200
add name=TACC20-alternative ranges=192.168.20.100-192.168.20.200
add name=TACC30-alternative ranges=192.168.30.100-192.168.30.200
add name=TACC10 next-pool=TACC10-alternative ranges=\
    192.168.10.10-192.168.10.15,192.168.10.20-192.168.10.25
add name=TACC20 next-pool=TACC20-alternative ranges=\
    92.168.20.10-192.168.20.15,192.168.20.20-192.168.20.25
add name=TACC30 next-pool=TACC30-alternative ranges=\
    192.168.30.10-192.168.30.15,192.168.30.20-192.168.30.25
/ip dhcp-server
add address-pool=TACC10 authoritative=after-2sec-delay disabled=no interface=\
    bridge1 name=dhcp-TACC10
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=\
    192.168.88.0
add address=192.168.10.1/24 interface=ether2-master network=192.168.10.0
add address=192.168.20.1/24 interface=ether3 network=192.168.20.0
add address=192.168.30.1/24 interface=ether4 network=192.168.30.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.8.0/24 gateway=192.168.8.1
add address=192.168.10.0/24 dns-server=89.19.64.164,89.19.64.36 gateway=\
    192.168.10.1 netmask=24 ntp-server=192.168.10.1
add address=192.168.20.0/24 dns-server=89.19.64.164,89.19.64.36 gateway=\
    192.168.20.1 netmask=24 ntp-server=192.168.20.1
add address=192.168.30.0/24 dns-server=89.19.64.164,89.19.64.36 gateway=\
    192.168.30.1 netmask=24 ntp-server=192.168.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
/system clock
set time-zone-name=Europe/Dublin
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
```

I have not gone through all your config but if you want to have DHCP server on each port, these ports cannot be joined by the same bridge. take ether 2,3,4 out of the bridge and they should be independent from each other.

actually you want to create DHCP server on the VLAN interface, rather than the physical interface.

also, you don’t have to use 3 ports to pass VLANs to Unifi switch, just add all VLANs into one port, this would be the trunk port. then Unifi switch has one trunk port (the one connected to the mikrotik) and then tag the rest of the ports with whatever VLAN you wish to assign them to (access Port).

if they can afford a USG, setting up all these will be fairly easy from the Unifi Controller. However it can definitely be done by using Mikrotik.

While I was waiting for my post to be approved, I tried that (removing the ports from the bridge as I’d figured it must be the only way forward) but I only succeeded in blocking myself out of the Mikrotik router and having to reset it and reconfigure. I’ve now discovered “safe mode”!

I was thinking it seemed inefficient to have to patch three cables from the Mikrotik to the Unifi switch, so I like your suggestion about the trunk port too.

But I was going to do the VLAN tagging from the Unifi switch as the interface is so much easier to understand. So I’m not really sure how to put the DHCP server on the VLAN - would that be something I do at the Unifi stage or in some way on the Mikrotik?

The reason the configuration is so basic is simply very limited budget.

Any even more basic explanations, or links to explanations, from anyone very gratefully received.

Thanks again!

Imogen

you create VLAN first, then add DHCP server to each VLAN interface. these are in Mikrotik.
examples are here:
https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

there are lots of youtube videos on this topic as well.

you don’t need access port on the Mikrotik so the port you connect Mikrotik to the Unifi switch is the trunk port.
then configure the Unifi switch accordingly, which port is trunk port (set to ALL), which port is access port (set to this particular VLAN) and which WLAN is on what VLAN ID etc.
note you will have to set up VLAN with same ID on the unifi controller to match the IDs on Mikrotik, so that they can understand each other.
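
The trunk-port layout described in the replies above, written out as RouterOS commands applied on top of the exported config. This is an added example, not part of any post in the thread. It assumes ether5 is the port patched to the Unifi switch and that the VLAN IDs are 10, 20 and 30; the interface names vlan10/vlan20/vlan30 and the list name vlans are made up for illustration.

```routeros
# Added example, not from the thread. Assumed: ether5 is the trunk to the
# UniFi switch; VLAN IDs 10/20/30; names vlan10/20/30 and list "vlans".
# Enable Safe Mode (Ctrl+X) and stay connected through ether2-4 (bridge1,
# 192.168.88.1) so a mistake on the trunk port cannot lock you out.

# 1. Take the trunk port out of the bridge so it is no longer a bridge slave.
/interface bridge port
remove [find interface=ether5]

# 2. One tagged VLAN interface per network, all on the single trunk port.
/interface vlan
add interface=ether5 name=vlan10 vlan-id=10
add interface=ether5 name=vlan20 vlan-id=20
add interface=ether5 name=vlan30 vlan-id=30

# 3. Move the gateway addresses from the physical ports to the VLAN interfaces.
/ip address
set [find address="192.168.10.1/24"] interface=vlan10
set [find address="192.168.20.1/24"] interface=vlan20
set [find address="192.168.30.1/24"] interface=vlan30

# 4. One DHCP server per VLAN interface, reusing the TACC pools and the
#    existing /ip dhcp-server network entries from the export.
/ip dhcp-server
set [find name=dhcp-TACC10] interface=vlan10
add address-pool=TACC20 interface=vlan20 name=dhcp-TACC20 disabled=no
add address-pool=TACC30 interface=vlan30 name=dhcp-TACC30 disabled=no

# 5. The router forwards between its VLANs by default. If the networks are
#    meant to be separated, drop new connections from one VLAN to another.
/interface list
add name=vlans
/interface list member
add interface=vlan10 list=vlans
add interface=vlan20 list=vlans
add interface=vlan30 list=vlans
/ip firewall filter
add action=drop chain=forward comment="drop inter-VLAN traffic" \
    in-interface-list=vlans out-interface-list=vlans
```

After step 4 there is no DHCP server left on bridge1, so the management laptop needs a static 192.168.88.x address or a MAC-Winbox connection.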