RB-4011 VLAN DHCP not working

virmaior · October 31, 2023, 4:35pm

I’m basically new to RouterOS.

I’m planning to configure an RB-4011 for
(1) DS-Lite Based Internet using an SFP+
(2) The use of multiple VLANs (I read up on VLANs from http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1)
(3) Future plan is for one of the VLANs to be wireguard

Right now, I’m testing the VLANs with internet successfully coming from ether1.

I’m not sure what I’m misconfiguring but DHCP is not working from the VLANs

Basic topology is a
trunk port on eth2 to cover 4 vlans that will come from an tp-link omada router
eth3 will be the wireguard VLAN in the future but for now is just the same as any other VLAN
eth4 is for external cameras
eth6 is for internal cameras
eth7-9 are for wired connections on the same VLAN
eth10 is being used as the off-band access.

to simplify I’m only putting in info for eth1, eth4, and eth10

# 2023-11-01 00:09:49 by RouterOS 7.11.2
# model = RB4011iGS+
/interface bridge
add name=BR1 protocol-mode=none
add admin-mac=XX:XX:XX:XX:XX... auto-mac=no comment=defconf name=bridge
add frame-types=admit-only-vlan-tagged name=vlans vlan-filtering=yes
/interface vlan
add interface=BR1 name=ECAM vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=ECAM_POOL ranges=10.200.0.2-10.200.0.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=ECAM_POOL interface=ECAM name=ECAM_DHCP
/interface bridge port
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=ether10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=200
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4 vlan-ids=200
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ECAM list=VLAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.200.0.1/24 interface=ECAM network=10.200.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.200.0.0/24 dns-server=192.168.88.1 gateway=10.200.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

I’ve gone back through the guide a few times and tried fixing whatever setting I’m getting wrong but I’m still not sure what’s going wrong here.

When I disable/enable the ether4 port or BR1 bridge, I see traffic goes over the bridge for a bit, but then no DHCP success.
I also tried changing the protocol mode for the bridge but that didn’t seem to change anything.

virmaior · October 31, 2023, 11:42pm

The following simplification culled directly from the VLAN guide did work:

/interface bridge add name=BR2 protocol-mode=none vlan-filtering=no

/interface bridge port
add bridge=BR2 interface=ether4 pvid=200
/interface bridge vlan
add bridge=BR2 tagged=BR2 vlan-ids=200

/interface vlan add interface=BR2 name=ECAM vlan-id=10
/ip address add interface=ECAM address=10.200.0.1/24
/ip pool add name=ECAM_POOL ranges=10.200.0.2-10.200.0.254
/ip dhcp-server add address-pool=ECAM_POOL interface=ECAM name=ECAM_DHCP disabled=no
/ip dhcp-server network add address=10.200.0.0/24 dns-server=192.168.88.1 gateway=10.200.0.1
/interface list add name=VLAN2
/interface list member
add interface=ECAM  list=VLAN2
/ip firewall filter
add chain=input action=accept in-interface-list=VLAN2 comment="Allow VLAN"
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=forward action=accept connection-state=new in-interface-list=VLAN2 out-interface-list=WAN comment="VLAN Internet Access only"
add chain=forward action=drop comment="Drop"
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"
/interface bridge port
set bridge=BR2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
/interface bridge set BR2 vlan-filtering=yes

anav · November 1, 2023, 12:39am

Provide a complete network diagram as your written text is lacking…

virmaior · November 1, 2023, 11:54am

Here’s the topology visually displayed:
Screenshot 2023-11-01 at 20.47.14.png
List of VLANs:

I don’t entirely know how but retrying the directions from the VLAN has the port-matched VLANs working:

# 2023-10-31 13:13:39 by RouterOS 7.11.2
# model = RB4011iGS+
/interface bridge
add name=BR1 vlan-filtering=yes
add name=BR2 protocol-mode=none vlan-filtering=yes
add admin-mac=78:9A:18:27:3E:03 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=BR1 name=A101 vlan-id=210
add interface=BR1 name=A102 vlan-id=220
add interface=BR1 name=A103 vlan-id=230
add interface=BR2 name=ECAM vlan-id=200
add interface=BR2 name=MCAM vlan-id=40
add interface=BR2 name=USA vlan-id=255
add interface=BR2 name=W2F_VLAN vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
add name=VLAN2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=W2F_POOL ranges=10.30.0.2-10.30.0.254
add name=A101_POOL ranges=10.210.0.2-10.210.0.254
add name=A102_POOL ranges=10.220.0.2-10.220.0.254
add name=A103_POOL ranges=10.230.0.2-10.230.0.254
add name=ECAM_POOL ranges=10.200.0.2-10.200.0.254
add name=MCAM_POOL ranges=10.40.0.2-10.40.0.254
add name=USA_POOL ranges=10.255.0.2,10.255.0.255
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=A101_POOL interface=A101 name=A101_DHCP
add address-pool=A102_POOL interface=A102 name=A102_DHCP
add address-pool=A103_POOL interface=A103 name=A103_DHCP
add address-pool=ECAM_POOL interface=ECAM name=ECAM_DHCP
add address-pool=MCAM_POOL interface=MCAM name=MCAM_DHCP
add address-pool=W2F_POOL interface=W2F_VLAN name=WF2_DHCP
add address-pool=USA_POOL interface=USA name=USA_DHCP
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=ether10
add bridge=BR2 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether7 pvid=30
add bridge=BR2 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether8 pvid=30
add bridge=BR2 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether9 pvid=30
add bridge=BR2 interface=ether3 pvid=255
add bridge=BR2 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether6 pvid=40
add bridge=BR2 interface=ether4 pvid=200
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=30
add bridge=bridge
add bridge=BR2 tagged=BR2 vlan-ids=200
add bridge=BR2 tagged=BR2 vlan-ids=40
add bridge=BR2 tagged=BR2 vlan-ids=30
add bridge=BR2 tagged=BR2 vlan-ids=255
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=W2F_VLAN list=VLAN
add interface=BR2 list=VLAN
add interface=A101 list=VLAN
add interface=A102 list=VLAN
add interface=A103 list=VLAN
add interface=ECAM list=VLAN2
add interface=BR1 list=VLAN
add interface=MCAM list=VLAN2
add interface=W2F_VLAN list=VLAN2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.30.0.1/24 interface=W2F_VLAN network=10.30.0.0
add address=10.210.0.1/24 interface=A101 network=10.210.0.0
add address=10.220.0.1/24 interface=A102 network=10.220.0.0
add address=10.230.0.1/24 interface=A103 network=10.230.0.0
add address=10.200.0.1/24 interface=ECAM network=10.200.0.0
add address=10.40.0.1/24 interface=MCAM network=10.40.0.0
add address=10.255.0.1/24 interface=USA network=10.255.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.30.0.0/24 dns-server=192.168.88.1 gateway=10.30.0.1
add address=10.40.0.0/24 dns-server=192.168.88.1 gateway=10.40.0.1
add address=10.200.0.0/24 dns-server=192.168.88.1 gateway=10.200.0.1
add address=10.210.0.0/24 dns-server=192.168.88.1 gateway=10.210.0.1
add address=10.220.0.0/24 dns-server=192.168.88.1 gateway=10.220.0.1
add address=10.230.0.0/24 dns-server=192.168.88.1 gateway=10.230.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN2
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN2 out-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=Core0
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Future steps:

figure out how to do the trunk-based VLANs
swtich from ether1 with an intervening router to sfp1 ds-lite for internet
setup wireguard
trim fat and inaccuracies