Problem getting public IP address for VLAN 300

Hello everyone!

I have recently got a fiber optic internet connection from Odido (formerly: T-Mobile Netherlands). Odido has provided a static IP address.

Odido issued a Zyxel T-54 modem but I want to replace this modem with a MikroTik hEX refresh router (model E50UG).

Odido supports the use of your own modem because it is a legal right of customers. These are the settings for your own modem that Odido has published:

These are the changes I made in the default configuration:

  1. I have added an interface with type VLAN with VLAN ID 300, name “vlan300”.
  2. I have changed the interface of the DHCP client to vlan300.
  3. I have changed the interface of WAN to vlan300 in the interface list.

But I am unable to get the public IP address provided by Odido for vlan300:

[admin@MikroTik] > /ip/address/print          
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS          NETWORK       INTERFACE
;;; defconf
0 192.168.88.1/24  192.168.88.0  bridge

This is an export of my configuration:

# 1970-01-02 00:14:07 by RouterOS 7.15.3
# software id = XXXX-XXXX
#
# model = E50UG
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=F4:1E:57:71:4C:68 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=vlan300 vlan-id=300
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlan300 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=vlan300
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Can anyone please help me with this?
Thank you in advance!

Shouldn’t you connect to the internet via the SFP port and therefore put the VLAN interface onto it?

Use the modem; it will provide a public IP address to the hEX.
Unless you mean the Zyxel device is a MODEM/ROUTER and not a modem?

Also you would have to be able to set the values for 802.1p 802.1q appropriately on the MT device for the VLAN handshake/termination, and I have no clue how to achieve that?

It seems that the Zyxel T-54 is an ONT/VDSL modem/router and if the connection to the internet occurs via fibre optic, as marked by @Henk1, then the SFP port should be tagged against VLAN 300 via the VLAN interface

Odido has installed a Huawei ONT and a Zyxel T-54. I would like to replace the Zyxel T-54 with the MikroTik hEX.
Could you please elaborate on what you mean that the SFP port should be tagged against VLAN 300 via the VLAN interface?
Thank you!

It means that if the port through which the connection to the internet is made is SFP, you should change the interface parameter of the VLAN interface to SFP:

/interface vlan set 0 interface="SFP_port_name"

Thank you for the clarification!

I would like to thank everyone for their input.
It turned out my ISP uses PPPoE over VLAN 32. As I am a newbie, I had to try to figure out how to translate that into settings for a working internet connection. lol

Hi Henk, I'm trying the same setup with Odido. Did you manage to make it work?

Hey mc1, I got it working. Do you have a business account or a consumer account? I am asking this because I found out that the procedure is different with a business account. Please let me know if you are on an Odido business account, I will then collect everything I know and then share it with you.

Edit: error

Hi Henk, Thanks! I have a consumer account.

Best,
Mateo

Hi Mateo,

After I got it working, I did not document it. I probably should have. 🙂

From my memory: for consumer accounts you should add a VLAN with VLAN ID 300 while the VLAN ID is 32 for business accounts. Sorry, my memory is a bit hazy on what I actually did to get it working. 🙂 But if I am to believe a few posts I found, it is very easy. Quoting one post, it is just a matter of connecting your router to the ONT and setting the WAN to VLAN 300 (in Dutch “Eigen router aansluiten op de ONT, WAN instellen op DHCP met vlan 300 en gaan, meer is het niet”).

Here are a few links (in Dutch) that are hopefully helpful for you:

[Odido Glasvezel] Ervaringen & Discussie

ODIDO met eigen router?

VLANs in het Odido netwerk

Good luck!

Hi Henk, I got it working, thanks a lot for your help. The following were the main terminal commands I used on my MikroTik hAP.

/interface vlan
add name=vlan300-wan interface=ether1 vlan-id=300

/ip dhcp-client
add interface=vlan300-wan disabled=no

/interface list
add name=WAN
/interface list member
add interface=vlan300-wan list=WAN


/ip dhcp-client
add interface=vlan300-wan use-peer-dns=yes use-peer-ntp=yes disabled=no

/ip firewall nat
add chain=srcnat out-interface=vlan300-wan action=masquerade

Hi Mateo,

That is great! Thank you for documenting this for anyone looking for this information in the future.

The first quoted part (the DHCP client) should either be run instead of the similar command shown in the part of the post above the line, or it should not be run at all.
If both commands are run, then you'll end up with two DHCP clients running on the same interface ... which either won't work at all or you'll see some weird results.

The second command should not be necessary if you keep (mostly) default firewall config (including default src-nat configuration) and you do add VLAN interface to WAN interface list (as it's done with the last command in the part above the line).

To expand on the above, you need to categorize the VLAN300 as WAN in order to have the default firewall (that uses extensively LAN and WAN categorization) working correctly.
So, instead of using a single interface in the masquerade in /ip firewall nat, you can use an interface-list, i.e.:

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="defconf: masquerade"
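
The three points raised in the last replies can be checked mechanically against an `/export`. The following is an added example, not code from any poster or from MikroTik: it flags a second DHCP client on one interface, an uplink that is missing from the WAN list (in which case the defconf rule "drop all from WAN not DSTNATed", which matches `in-interface-list=WAN`, does not cover it), and a masquerade rule tied to a single interface. The function names are hypothetical and the sample is constructed from the hAP commands posted above.

```python
import re
import shlex
from collections import Counter

# Constructed sample: the commands from the hAP post above, as export text.
POSTED = r"""
/interface vlan
add name=vlan300-wan interface=ether1 vlan-id=300
/ip dhcp-client
add interface=vlan300-wan disabled=no
/interface list member
add interface=vlan300-wan list=WAN
/ip dhcp-client
add interface=vlan300-wan use-peer-dns=yes use-peer-ntp=yes disabled=no
/ip firewall nat
add chain=srcnat out-interface=vlan300-wan action=masquerade
"""

def parse_export(text):
    """Map each menu path to the key=value dicts of its add/set lines."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menus, path = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            continue
        tokens = shlex.split(line)
        if path and tokens[0] in ("add", "set"):
            menus.setdefault(path, []).append(
                dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return menus

def audit_wan(menus, wan_list="WAN"):
    """Return findings for the three mistakes discussed in the thread."""
    findings = []
    clients = [c["interface"] for c in menus.get("/ip dhcp-client", []) if "interface" in c]
    members = {m.get("interface") for m in menus.get("/interface list member", [])
               if m.get("list") == wan_list}
    for iface, count in Counter(clients).items():
        if count > 1:
            findings.append(f"{count} DHCP clients on {iface}: keep one")
    for iface in sorted(set(clients) - members):
        findings.append(f"{iface} has a DHCP client but is not in list {wan_list}")
    for rule in menus.get("/ip firewall nat", []):
        if rule.get("action") == "masquerade" and "out-interface" in rule:
            findings.append(f"masquerade pinned to {rule['out-interface']}: "
                            f"use out-interface-list={wan_list}")
    return findings

if __name__ == "__main__":
    for finding in audit_wan(parse_export(POSTED)):
        print(finding)
```

The parser only understands export-style text, with the menu path on its own line followed by `add`/`set` lines, and it does not skip entries marked `disabled=yes`.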