Problems with Access VLANs on 750UP

I am having weird issues with my router. I have 3 VLANs created, 3 IP pools, 3 DHCP servers, and 3 bridge ports. The IPs are assigned to the bridge ports. On two of the three bridges, if I plug the router port into an unmanaged switch and the client into the switch, I get a DHCP address in the range I expect, but I can’t pass any traffic or even ping the default gateway (the bridge IP). The third bridge is also plugged into an unmanaged switch, and the clients plugged into that switch work fine. I then chained another unmanaged switch off one of the ports on the upstream switch, and clients connected to that switch behave the same way (they get an IP in the proper range, but can’t ping the gateway/bridge). The weirdest part is that I have had clients working on that bridge on the second switch for nearly a year, and all of a sudden I am getting this behavior.
I need to get this working or I will have to replace the Mikrotik with something else. Any help is greatly appreciated!
Here are what I believe are the pertinent portions of my config:

# RouterOS 5.9
# software id = DKRR-F1JN
#
# Excerpt of the poster's export as it stood while the problem was occurring.
# NOTE(review): the export publishes the device's software id and interface MAC
# addresses; redact such identifiers before posting a config publicly.
#
# One bridge per segment. protocol-mode=none means no spanning tree runs on
# these bridges, so the router itself will not block a layer-2 loop.
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1594 max-message-age=20s mtu=1500 name=br-home priority=0x8000 protocol-mode=none transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1594 max-message-age=20s mtu=1500 name=br-lab priority=0x8000 protocol-mode=none transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1594 max-message-age=20s mtu=1500 name=br-xfinity priority=0x8000 protocol-mode=none transmit-hold-count=6
# Physical ports. ether5 (index 4) is slaved to Eth4-Home through master-port,
# so it shares that port's segment; indexes 1-3 have master-port=none.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 mac-address=00:0C:42:FD:62:79 mtu=1500 name=ether1-gateway speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=00:0C:42:FD:62:7A master-port=none mtu=1500 name=Eth2-Lab poe-out=off speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=00:0C:42:FD:62:7B master-port=none mtu=1500 name=Eth3-Xfinity poe-out=off speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=00:0C:42:FD:62:7C master-port=none mtu=1500 name=Eth4-Home poe-out=off speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=00:0C:42:FD:62:7D master-port=Eth4-Home mtu=1500 name=ether5-slave-eth4 poe-out=off speed=100Mbps
# Each VLAN interface is bound to a physical port here. The same physical ports
# are also bridge ports below; the thread's resolution names this binding
# (VLAN on the Ethernet port rather than the bridge) as the mistake.
/interface vlan
add arp=enabled comment="Aruba Lab Gear" disabled=no interface=Eth2-Lab l2mtu=1594 mtu=1500 name=VLAN-Lab use-service-tag=no vlan-id=50
add arp=enabled comment="Home Network" disabled=no interface=Eth4-Home l2mtu=1594 mtu=1500 name=VLAN-Home use-service-tag=no vlan-id=100
add arp=enabled comment="Xfinity Home Gateway" disabled=no interface=Eth3-Xfinity l2mtu=1594 mtu=1500 name=VLAN-Xfinity use-service-tag=no vlan-id=200
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1
# Every bridge gets both the physical port and the VLAN interface that sits on
# top of that same port.
/interface bridge port
add bridge=br-xfinity disabled=no edge=auto external-fdb=auto horizon=none interface=Eth3-Xfinity path-cost=10 point-to-point=auto priority=0x80
add bridge=br-xfinity disabled=no edge=auto external-fdb=auto horizon=none interface=VLAN-Xfinity path-cost=10 point-to-point=auto priority=0x80
add bridge=br-home disabled=no edge=auto external-fdb=auto horizon=none interface=Eth4-Home path-cost=10 point-to-point=auto priority=0x80
add bridge=br-home disabled=no edge=auto external-fdb=auto horizon=none interface=VLAN-Home path-cost=10 point-to-point=auto priority=0x80
add bridge=br-lab disabled=no edge=auto external-fdb=auto horizon=none interface=Eth2-Lab path-cost=10 point-to-point=auto priority=0x80
add bridge=br-lab disabled=no edge=auto external-fdb=auto horizon=none interface=VLAN-Lab path-cost=10 point-to-point=auto priority=0x80
# use-ip-firewall=no: frames forwarded inside a bridge are not passed through
# the IP firewall, so /ip firewall rules do not filter same-bridge traffic.
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
# NOTE(review): vlan-mode=fallback with vlan-header=leave-as-is on every port
# looks like the switch chip is not enforcing any VLAN membership; confirm.
/interface ethernet switch port
set Eth2-Lab vlan-header=leave-as-is vlan-mode=fallback
set Eth3-Xfinity vlan-header=leave-as-is vlan-mode=fallback
set Eth4-Home vlan-header=leave-as-is vlan-mode=fallback
set ether5-slave-eth4 vlan-header=leave-as-is vlan-mode=fallback
set switch1_cpu vlan-header=leave-as-is vlan-mode=fallback
# All four VPN servers below are switched off (enabled=no on each line).
# NOTE(review): the listed settings accept weak options (pap, chap and mschap1
# authentication, md5 and blowfish128 for OpenVPN, and no client certificate
# checks), so they would need tightening before any server is enabled.
# Presumably these are untouched defaults; confirm.
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 mac-address=FE:C4:1D:37:8C:20 max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled port=443 verify-client-certificate=no
#
# Gateway address per segment, placed on the bridge interfaces; the original
# 192.168.88.1 default address is kept but disabled.
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes interface=Eth2-Lab network=192.168.88.0
add address=192.168.0.1/24 comment="Home VLAN" disabled=no interface=br-home network=192.168.0.0
add address=192.168.1.1/24 comment="Lab VLAN" disabled=no interface=br-lab network=192.168.1.0
add address=192.168.2.1/24 comment="Xfinity Home Security Gateway" disabled=no interface=br-xfinity network=192.168.2.0
#
# The upstream address is obtained by DHCP on ether1-gateway.
/ip dhcp-client
add comment="default configuration" default-route-distance=1 disabled=no interface=ether1-gateway
#
/ip dhcp-server config
set store-leases-disk=5m
# Options handed to clients: the three active segments get their bridge address
# as gateway and two external resolvers rather than the router's own DNS cache.
/ip dhcp-server network
add address=192.168.0.0/24 comment="Home Network" dns-server=68.87.77.130,8.8.8.8 gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 comment="Lab Network" dns-server=68.87.77.130,8.8.8.8 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 comment="Xfinity @Home Network" dns-server=68.87.77.130,8.8.8.8 gateway=192.168.2.1 netmask=24
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
# DHCP servers listen on the bridges. The pools they reference ("Home DHCP",
# "Lab DHCP", "Xfinity DHCP") are not defined in this excerpt.
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=static disabled=yes interface=Eth2-Lab lease-time=3d name=default
add address-pool="Home DHCP" authoritative=after-2sec-delay bootp-support=static disabled=no interface=br-home lease-time=3d name="Home Server"
add address-pool="Lab DHCP" authoritative=after-2sec-delay bootp-support=static disabled=no interface=br-lab lease-time=3d name="Lab Server"
add address-pool="Xfinity DHCP" authoritative=after-2sec-delay bootp-support=static disabled=no interface=br-xfinity lease-time=3d name="Xfinity Server"
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# arriving on its interfaces, which includes ether1-gateway unless an input
# firewall rule blocks port 53 there. No /ip firewall section is shown in this
# excerpt; confirm one exists, or turn the option off if the cache is unused
# (the DHCP networks above already point clients at external resolvers).
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=75.75.76.76,75.75.75.75
# These are static DNS records (name -> address), not upstream server entries.
/ip dns static
add address=68.87.77.130 disabled=no name="Comcast MN" ttl=1d
add address=8.8.8.8 disabled=no name=Google ttl=1d
add address=68.87.72.130 disabled=no name=Comcast2 ttl=1d

I don’t see the DHCP servers in the config above.

Sorry, I edited the original post and added the server options.

So I finally got back home with time to take a closer look and discovered my issue. It was a Newbie mistake in working with Mikrotik and also basing my original config on some slightly flawed advice found on the interweb (not in this forum).
The issue was that I had my VLANs tied to an Ethernet port instead of the bridge port. So for those of you new to Mikrotik like myself, here is how I got my three VLANS set up on my RB-750:

  1. Create a bridge interface for each VLAN (in my case 3) and add the physical ports you want to be access ports for each VLAN.
  2. Create your desired VLANS and tie them to the BRIDGE interfaces that you created in step #1 (this was my mistake, I had the VLANS tied to the Ethernet interface instead of the bridge which makes them TRUNK instead of ACCESS)
  3. Now go back to your bridge interfaces and add the VLAN interfaces you just created to their respective bridge ports.
  4. Create an IP>>Address for each VLAN and tie the address to the VLAN interface
  5. Create an IP>>Pool for each network if you want to do DHCP on that VLAN
  6. Create a DHCP server to use each of the pools created above with the default gateway being the IP you assigned to the corresponding VLAN (in my case 192.168.XXX.1)
  7. Make sure you have a source NAT going out your interface to the Internet with an action of masquerade

That should do the trick. I now have 3 subnets (192.168.0.0/24, 192.168.1.0/24, and 192.168.2.0/24) that have a DHCP server handing out IPs in their proper range and I can communicate between the subnets, but my broadcast/multicast traffic will stay within its own “sandbox” (the subnets are still routed to each other, so this separates broadcast domains rather than blocking traffic between them) and I shouldn’t have to risk raising the wrath of my family from my tinkering with my home lab taking down the network while they are streaming Netflix :smiley:

# jan/01/1970 18:43:42 by RouterOS 6.2
# software id = DKRR-F1JN

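# Working export posted as the thread's resolution (RouterOS 6.2 per its header).
# The forum rendering had turned the quotes into typographic quotes; plain ASCII
# quotes are restored here so that quoted values containing spaces parse.
#
# One bridge per segment.
/interface bridge
add l2mtu=1598 name=br-home
add l2mtu=1598 name=br-lab
add l2mtu=1598 name=br-xfinity
# ether5 (index 4) stays slaved to Eth4-Home, so it shares the home segment.
/interface ethernet
set 0 poe-out=off
set 1 poe-out=off
set 2 poe-out=off
set 4 master-port=Eth4-Home poe-out=off
# Only comments are set here; whether discovery is enabled on these interfaces
# is not shown in this export.
/ip neighbor discovery
set VLAN-Home comment="Home Network"
set VLAN-Lab comment="Aruba Lab Gear"
set VLAN-Xfinity comment="Xfinity Home Gateway"
# The VLAN interfaces are now bound to the bridges instead of the physical ports.
# NOTE(review): each VLAN interface is a child of a bridge and, further down, is
# also added as a port of that same bridge. That is an unusual arrangement;
# check it against MikroTik's bridging documentation before copying it.
/interface vlan
add comment="Home Network" interface=br-home l2mtu=1594 name=VLAN-Home vlan-id=100
add comment="Aruba Lab Gear" interface=br-lab l2mtu=1594 name=VLAN-Lab vlan-id=50
add comment="Xfinity Home Gateway" interface=br-xfinity l2mtu=1594 name=VLAN-Xfinity vlan-id=200
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name="Home DHCP" ranges=192.168.0.100-192.168.0.198
add name="Lab DHCP" ranges=192.168.1.50-192.168.1.199
add name="Xfinity DHCP" ranges=192.168.2.50-192.168.2.100
# DHCP servers listen on the bridges, while the gateway addresses below sit on
# the VLAN interfaces. The "default" server carries no disabled=no, so it is
# presumably left disabled; confirm.
/ip dhcp-server
add address-pool=default-dhcp interface=Eth2-Lab name=default
add address-pool="Home DHCP" disabled=no interface=br-home name="Home Server"
add address-pool="Lab DHCP" disabled=no interface=br-lab name="Lab Server"
add address-pool="Xfinity DHCP" disabled=no interface=br-xfinity name="Xfinity Server"
# Each physical access port belongs to exactly one bridge, and no tagged trunk
# port appears in this export; presumably that per-bridge membership is what
# keeps the three segments apart at layer 2. Confirm.
/interface bridge port
add bridge=br-xfinity interface=Eth3-Xfinity
add bridge=br-xfinity interface=VLAN-Xfinity
add bridge=br-home interface=Eth4-Home
add bridge=br-home interface=VLAN-Home
add bridge=br-lab interface=Eth2-Lab
add bridge=br-lab interface=VLAN-Lab
# NOTE(review): no /ip firewall section appears in this export, although the
# write-up mentions a masquerade rule. The router routes between these three
# subnets, so keeping the lab away from the home network would need explicit
# forward-chain filter rules; confirm what the full configuration contains.
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes interface=Eth2-Lab network=192.168.88.0
add address=192.168.0.1/24 comment="Home VLAN" interface=VLAN-Home network=192.168.0.0
add address=192.168.1.1/24 comment="Lab VLAN" interface=VLAN-Lab network=192.168.1.0
add address=192.168.2.1/24 comment="Xfinity Home Security Gateway" interface=VLAN-Xfinity network=192.168.2.0
# The upstream address is obtained by DHCP on ether1-gateway.
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
# Clients on the three active segments are handed external resolvers directly.
/ip dhcp-server network
add address=192.168.0.0/24 comment="Home Network" dns-server=68.87.77.130,8.8.8.8 gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 comment="Lab Network" dns-server=68.87.77.130,8.8.8.8 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 comment="Xfinity @Home Network" dns-server=68.87.77.130,8.8.8.8 gateway=192.168.2.1 netmask=24
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1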