Problem with dhcp on vlan bridge rb750gr3

Hi folks, I have a bridge with 2 VLANs (20, 30). I have a DHCP server running on each VLAN, which serves the tagged VLANs to a UniFi AP.

Some devices seem to be able to acquire an IP, but most cannot. I have read countless posts about this issue here on the forums, but found no solution.

I tried disabling RSTP, setting the admin MAC, etc. Nothing works. I’m on the latest stable RouterOS on an RB750Gr3.

Any help is much appreciated.

Post the whole config of the hEX … run /export hide-sensitive inside the terminal window and post the results here inside [__code] [/code] tags…

# jun/13/2020 14:07:09 by RouterOS 6.47
# software id = 7CVI-IHGL
#
# model = RouterBOARD 750G r3
# serial number = 6F380719960E
# NOTE(review): the software id and serial number are device identifiers that
# survive "/export hide-sensitive"; consider redacting them before posting.
/interface bridge
# vlan-filtering=yes makes the bridge enforce the /interface bridge vlan table
# further down; protocol-mode=none turns (R)STP off on this bridge.
add fast-forward=no name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
# proxy-arp on ether2 answers ARP for the VPN addresses (vpn_pool below sits
# inside the ether2 subnet). Nothing in this export needs it on ether3; the
# thread later moves proxy-arp to the VLAN interfaces instead.
set [ find default-name=ether2 ] arp=proxy-arp comment=LAN1
set [ find default-name=ether3 ] arp=proxy-arp
/interface vlan
# Router-side VLAN interfaces on the bridge; the bridge itself must be a tagged
# member of each VLAN (see /interface bridge vlan) for these to carry traffic.
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
/interface list
add name=WAN
add name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
# passive=yes: the router only answers IKE, i.e. this serves dial-in
# (L2TP/IPsec) clients. The pre-shared key itself is hidden by the export.
add name=peer1 passive=yes
/ip ipsec profile
# NOTE(review): 3des is still offered in phase 1, and the proposal below uses
# pfs-group=none with lifetime=0s. Prefer AES-only with PFS and a finite
# lifetime if the clients support it.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s \
    pfs-group=none
/ip pool
# vpn_pool overlaps the ether2 subnet (192.168.1.0/24), which is why ether2 has
# proxy-arp. dhcp_pool4 is the vlan30 DHCP range and is ALSO handed to the
# default ppp profile below, so PPP clients and vlan30 hosts share addresses.
add name=dhcp ranges=192.168.1.111-192.168.1.199
add name=vpn_pool ranges=192.168.1.80-192.168.1.99
add name=dhcp_pool3 ranges=192.168.2.101-192.168.2.199
add name=dhcp_pool4 ranges=192.168.3.101-192.168.3.199
/ip dhcp-server
# dhcp2/dhcp3 listen on the VLAN interfaces. Their replies leave the bridge
# according to the VLAN table, so the AP-facing ports must be tagged members of
# VLAN 20/30 (the fix the thread ends with). add-arp=yes ties leases to ARP.
add add-arp=yes address-pool=dhcp disabled=no interface=ether2 name=dhcp1
add add-arp=yes address-pool=dhcp_pool3 disabled=no interface=vlan20 name=dhcp2
add add-arp=yes address-pool=dhcp_pool4 disabled=no interface=vlan30 name=dhcp3
/ppp profile
# use-encryption=no: L2TP sessions are not required to negotiate PPP
# encryption and rely on the IPsec transport instead. use-upnp=yes lets VPN
# clients open ports via UPnP as well.
add change-tcp-mss=yes local-address=192.168.1.1 name=vpn-l2tp remote-address=\
    vpn_pool use-encryption=no use-upnp=yes
# *FFFFFFFE is the built-in default ppp profile; it hands out vlan30 addresses
# from dhcp_pool4, so any PPP service that falls back to it shares that range.
set *FFFFFFFE local-address=192.168.89.1 remote-address=dhcp_pool4
/queue simple
add max-limit=3M/3M name="Limit 192.168.1.7" queue=default/default target=\
    192.168.1.7/32
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/dude
set data-directory=disk1 enabled=yes
/interface bridge port
# pvid only classifies UNTAGGED frames arriving on the port; it does not tag
# egress. trusted=yes belongs to DHCP snooping, which is not enabled on
# bridge1 above, so it currently has no effect.
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=30 trusted=yes
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery is advertised only on the WAN list, i.e.
# towards the upstream network -- confirm this is intended.
set discover-interface-list=WAN
/interface bridge vlan
# ROOT CAUSE of the DHCP problem: only the bridge itself is a member of each
# VLAN. With vlan-filtering=yes, tagged VLAN 20/30 frames cannot egress via
# ether3/ether4, so DHCP offers never reach the AP's tagged SSIDs. The working
# config adds ether3 (VLAN 20) and ether4 (VLAN 30) as tagged members.
add bridge=bridge1 tagged=bridge1 vlan-ids=20
add bridge=bridge1 tagged=bridge1 vlan-ids=30
/interface detect-internet
# Flagged in the thread: detect-internet on all interfaces is best disabled
# unless there is a specific need for it.
set detect-interface-list=all
/interface l2tp-server server
# NOTE(review): mschap1 is still allowed, and keepalive-timeout=disabled means
# dead sessions are never torn down.
set authentication=mschap1,mschap2 default-profile=vpn-l2tp enabled=yes \
    keepalive-timeout=disabled
/interface list member
# Only ether2 is in LAN; vlan20/vlan30 belong to no list, so nothing that
# matches on the LAN list covers them.
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/interface pptp-server server
# NOTE(review): PPTP is enabled. Its MS-CHAP authentication is widely regarded
# as broken; disable it unless a client genuinely still needs it.
set enabled=yes keepalive-timeout=disabled
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
# ether1 has a static 192.168.0.100/24 AND a dhcp-client below: the "WAN" is a
# private upstream LAN (double NAT). If the DHCP lease ever differs, the
# dst-nat rule keyed on 192.168.0.100 stops matching.
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=192.168.0.100/24 interface=ether1 network=192.168.0.0
add address=192.168.2.1/24 interface=vlan20 network=192.168.2.0
add address=192.168.3.1/24 interface=vlan30 network=192.168.3.0
/ip arp
# Static ARP entry for the web server the dst-nat rule forwards to.
add address=192.168.1.101 interface=ether2 mac-address=0C:9D:92:C1:46:49
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server alert
# Rogue-DHCP-server alerting on ether3 (the AP port).
add disabled=no interface=ether3
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server lease
add address=192.168.1.31 client-id=1:c4:0:ad:29:ea:b8 mac-address=\
    C4:00:AD:29:EA:B8
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=8.8.8.8 gateway=192.168.3.1
/ip dns
# NOTE(review): allow-remote-requests=yes combined with the input chain below
# (accepts only, no drop) means the router answers DNS on every interface,
# including ether1.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
# Bogon/private ranges (RFC 6890) used by the forward-chain sanity rules.
# 192.168.0.0/16 also covers the upstream WAN subnet and both VLAN subnets.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
# INPUT CHAIN: accepts only, no final drop, so every service on the router is
# reachable from every interface. udp/161 (SNMP) is accepted from anywhere,
# and the src-port=161-162 rule matches on a source port the sender chooses.
add action=accept chain=input dst-port=161 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=udp src-port=161-162
add action=accept chain=input protocol=icmp
# FORWARD CHAIN. The accept rule below has the same matcher as the fasttrack
# rule after it, so fasttrack never fires; fasttrack should come first.
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
# Drops ether2 -> any private destination leaving via another interface, which
# includes both VLANs and the 192.168.0.0/24 upstream. None of the LAN rules
# here cover vlan20/vlan30 as a source.
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=ether2 log=yes log-prefix=!public_from_LAN \
    out-interface=!ether2
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
# Because ether1 sits in 192.168.0.0/24, this rule also drops dst-nat'ed
# connections from hosts on the upstream LAN (their source is in the list).
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=ether2 log=yes \
    log-prefix=LAN_!LAN src-address=!192.168.1.0/24
# No final forward drop: anything not matched above (e.g. vlan20 <-> vlan30,
# VLAN -> ether2) is forwarded.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
# dst-address is the current DHCP-assigned WAN address; see /ip address.
add action=dst-nat chain=dstnat comment="Web Server" dst-address=192.168.0.100 \
    dst-port=8008 in-interface=ether1 port="" protocol=tcp to-addresses=\
    192.168.1.101 to-ports=8008
# NOTE(review): no in-interface, dst-address or to-addresses here, so udp/8161
# on any interface is presumably rewritten to port 161 -- another path to the
# router's SNMP agent on top of the input accept for udp/161.
add action=dst-nat chain=dstnat comment=SNMP dst-port=8161 protocol=udp \
    to-ports=161
/ip firewall service-port
# Connection-tracking helpers disabled (they rewrite payloads; good practice).
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
# (The suggestion above appears to come from the export itself, flagging a
# weak PSK for peer1.)
add generate-policy=port-override peer=peer1 remote-id=ignore
/ip route
add distance=1 gateway=192.168.0.1
/ip service
# www stays enabled on port 9000 as plain HTTP with no address= restriction
# shown; with the open input chain it is reachable from ether1. winbox and
# www-ssl are not listed here, so they keep their defaults.
set telnet disabled=yes
set ftp disabled=yes
set www port=9000
set ssh disabled=yes port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes permits unencrypted SSH ciphers; moot
# while ssh is disabled, but clear it before re-enabling the service.
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
# UPnP lets hosts on ether2 (internal) open ports on ether1 (external) without
# touching the firewall rules above.
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2 type=internal
/ppp secret
# Passwords hidden by the export. "vpn" has no profile or service, so it can
# log in over any PPP service using the default profile.
add name=anshugiri profile=vpn-l2tp service=l2tp
add name=vpn
add name=yeatiniphone profile=vpn-l2tp service=l2tp
add name=yeatinipad profile=vpn-l2tp service=l2tp
/snmp
# SNMP enabled (community not shown); reachable on udp/161 from any interface
# via the input accept above.
set contact="Anshu Giri" enabled=yes location="House (Room)" trap-version=2
/system clock
set time-zone-name=Asia/Kathmandu
/system identity
set name=Router
/system ntp client
set enabled=yes primary-ntp=216.239.35.12 secondary-ntp=52.163.118.68
/system package update
set channel=long-term
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add interface=ether1
add interface=ether2
add interface=ether3
/tool mac-server
# MAC-telnet off everywhere, MAC-winbox limited to the LAN list (ether2 only),
# MAC ping off.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

A few problems:

  1. Why do you have arp=proxy-arp set on two ether interfaces? This setting interferes with ARP (and DHCP involves ARP) … while I see the point in setting it on ether2 (the VPN uses addresses from the same subnet), I don’t see the point in setting it on ether3.
  2. Membership in /interface bridge vlan is incomplete: ether3 and ether4 should be set as untagged members of the corresponding VLANs. Well, it’s true that ROS seems to handle that automatically, but nevertheless …
  3. If you don’t have a particular reason to have it enabled, disable the /interface detect-internet feature … it can mess things up royally.

I concur; besides the missing items MKX noted on bridge VLANs, my concerns focus on the firewall rules.
WHERE are the input chain rules?? The default rules keep your router safe; it’s not secure at the moment and should not be connected to the internet.
The order of rules could be improved; fasttrack in the forward chain should be the first rule, I believe.
Then there are really confusing rules: if you have to use ! twice in a rule, something isn’t efficient and it is SO hard to read.
The use of ! often backfires as well as unintended items get dropped.
Keep it simple, readable and lean.

???
add action=accept chain=input protocol=icmp

{forward chain}
add action=accept chain=forward comment="Established, Related"
connection-state=established,related
add action=fasttrack-connection chain=forward comment=FastTrack
connection-state=established,related

add action=drop chain=forward comment="Drop invalid" connection-state=invalid
{rules above are standard/good, - below suggest remove}
+++++++++++++++++++++++++++++++
log=yes log-prefix=invalid
add action=drop chain=forward comment=
"Drop tries to reach not public addresses from LAN" dst-address-list=
not_in_internet in-interface=ether2 log=yes log-prefix=!public_from_LAN
out-interface=!ether2

add action=drop chain=forward comment=
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=
"Drop incoming from internet which is not public IP" in-interface=ether1
log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=
"Drop packets from LAN that do not have LAN IP" in-interface=ether2 log=yes
log-prefix=LAN_!LAN src-address=!192.168.1.0/24

Replace ALL of the above noise with
add (any rules where you want subnets or vlans to be able to access the internet)
add (any rules if you want any internal traffic allowed, for example users on vlanxx to be able to use printer on vlanyy)
add action=accept chain=forward comment="Allow Port Forwarding"
connection-state=new connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment="drop all else"


OKAY, the DST-NAT rules are a bit funky… or confusing.
Is your WAN IP dynamic or static/fixed?? The third rule is incomplete…

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="Web Server" dst-address=192.168.0.100
dst-port=8008 in-interface=ether1 port="" protocol=tcp to-addresses=
192.168.1.101 to-ports=8008
add action=dst-nat chain=dstnat comment=SNMP dst-port=8161 protocol=udp
to-ports=161

IF STATIC IP (assuming WAN IP = 192.168.0.100)
/ip firewall nat
add action=src-nat chain=srcnat to-addresses=192.168.0.100
add action=dst-nat chain=dstnat comment="Web Server" dst-address=192.168.0.100
dst-port=8008 protocol=tcp to-addresses=192.168.1.101
add action=dst-nat chain=dstnat comment=SNMP dst-address=192.168.0.100
dst-port=8161 protocol=udp to-addresses=??? to-ports=161 (I am copying and assuming port translation 8161 to 161; if it’s just a typo (no port translation) then drop to-ports)

IF DYNAMIC
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Web Server" in-interface-list=WAN
dst-port=8008 protocol=tcp to-addresses=192.168.1.101
add action=dst-nat chain=dstnat comment=SNMP in-interface-list=WAN
dst-port=8161 protocol=udp to-addresses=??? to-ports=161

Is traffic coming in on ether3 and ether4 being tagged by the AP or a switch? If not, what’s the rationale for using VLANs on the RB750?

Tried all of the above, no success.

No, I am not yet using a managed switch. So basically,
ether1 = WAN
ether2 = Corporate LAN
ether3 = serves as the VLAN trunk to the managed switch (but for now, testing VLAN tags on the UniFi AP)

I am evaluating the CPU usage of VLANs on the RB750Gr3. I want to make sure it won’t crash after it goes live.

Am I interpreting correctly that VLANs are set up on the UniFi AP, so the AP is tagging outgoing traffic? If so, then ether3 and ether4 need to be added as tagged members in the bridge VLAN table.

Yes, the wireless networks themselves are tagged 20 and 30… but not the AP itself.

Try adding ether3 and ether4 as tagged, then. What’s likely happening is that the DHCP replies aren’t tagged on egress, so they aren’t making it back to the AP clients. The PVID setting for the bridge port only assigns the PVID to untagged inbound packets. /interface bridge vlan is the bridge’s VLAN table, similar to the VLAN table on a managed switch. FYI, if you want to use proxy-arp, you’ll need to set it on the VLAN interfaces themselves in /interface vlan. ARP can be completely disabled on ether3 and ether4 if everything coming in is tagged. Once you have everything working, you’ll see all ARP entries related to ether3 and ether4 showing vlan20 and vlan30 as the associated interface, with replies coming from the MAC associated with those interfaces, and the bridge hosts table will track the physical port and VLAN associated with each MAC address.

# Fix confirmed in the thread: proxy-arp moves from the physical port (ether3)
# to the VLAN interfaces, and the AP-facing ports become tagged members of
# their VLANs so DHCP replies leave the bridge carrying the tag the AP expects.
# Both vlan interfaces and both bridge-vlan entries already exist in the posted
# export, so apply these as "set" on the existing entries rather than "add".
/interface vlan
# NOTE(review): proxy-arp on the VLAN interfaces is only needed when another
# pool overlaps these subnets (in the export the default ppp profile hands out
# dhcp_pool4 addresses from the vlan30 range); otherwise leave it off.
add interface=bridge1 name=vlan20 vlan-id=20 arp=proxy-arp
add interface=bridge1 name=vlan30 vlan-id=30 arp=proxy-arp
/interface bridge vlan
# tagged=bridge1,etherN: the bridge (router side) and the AP port both carry
# the VLAN tagged. The pvid on the bridge port only classified untagged
# ingress frames and never tagged egress, which is why DHCP offers were lost.
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether4 vlan-ids=30

OK, it worked. Thank you very much.