RB3011, VLAN switching/routing and DHCP server

Hi!

After spending 10-15+ hours, I'm looking for some help re VLAN & DHCP on RB3011.

Given (one would think so) a fairly simple setup:

  • 1 x RB3011,
  • ether1 - ISP, untagged VLAN10 access port;
  • ether7-9 - local, untagged VLAN100 access ports;
  • ether10 - VLAN100 & 300 tagged trunk to Cisco AP;
  • the RB3011 acts as a DHCP server in “home” VLANs,
  • and uses dhcp-client on ISP VLAN10 ether1;

After reading countless docs and forum threads and doing an unknown number of Google searches (hey, I even asked ChatGPT :laughing::man_facepalming:), I have the following:

  • DHCP client on ether1 from ISP works;
  • Internet connectivity via it works as well (NTP is updated; ping is successful);
  • for the sake of testing/troubleshooting, disabled /ip/firewall/filter completely, there is nothing in /ip/firewall/raw;
  • interestingly, CDP works one way, i.e. RB3011 is visible on Cisco AP, but not vice versa;
  • connecting via a cable to ether7 or ether9 (ingress-filtering is disabled for the former) works at L2, i.e. /interface/bridge/host/print where !local shows a MAC, and /interface/print stats shows counters on the physical interface;
  • apparently it’s not bridged / patched through properly, as the counters on the “vlan” interfaces are 0’s?
  • as a result, the RB3011’s DHCP server isn’t giving out the proper IP;
  • started with 6.9, upgraded to 7.11 and, after seeing the changelog/release notes for 7.12rc (which has improvements to DHCP & bridge), updated to it - to no avail in all 3 versions;


#    NAME            RX-BYTE  TX-BYTE  RX-PACKET  TX-PACKET  RX-DROP  TX-DROP  TX-QUEUE-DROP  RX-ERROR  TX-ERROR
0 RS ether1          371 977   95 100      4 230      1 395        0        0              0         0         0
6 RS ether7          212 516   76 832      1 373      1 199        0        0              0         0         0
7  S ether8                0        0          0          0        0        0              0         0         0
8  S ether9                0        0          0          0        0        0              0         0         0
9 RS ether10          54 519  307 482        368      2 629        0        0              0         0         0
11 R  bridge           17 925   19 560        201        212        0        0              0         0         0
12 R  vlan10_ISP       17 121   19 560        201        212        0        0              0         0         0
13 R  vlan100_shared        0        0          0          0        0        0              0         0         0
14 R  vlan300_guest         0        0          0          0        0        0              0         0         0

The config is below and I will appreciate any hints/suggestions as already at this point.

Thanks a lot in advance!

# 2023-10-30 03:40:20 by RouterOS 7.12rc2
# model = RB3011UiAS
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes

/interface vlan
add interface=bridge name=vlan10_ISP vlan-id=10
add interface=bridge name=vlan100_shared vlan-id=100
add interface=bridge name=vlan300_guest vlan-id=300

/interface ethernet switch port
set 6 default-vlan-id=100 vlan-header=always-strip
set 7 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 9 vlan-header=add-if-missing vlan-mode=secure
set 11 vlan-mode=secure

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="VLAN trunk interfaces" name=trunk

/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether7 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=100
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether10

/interface bridge vlan
add bridge=bridge tagged=ether10 vlan-ids=100
add bridge=bridge tagged=ether10 vlan-ids=300

/interface ethernet switch vlan
add independent-learning=yes ports=ether10,ether7,ether8,ether9 switch=switch2 vlan-id=100
add independent-learning=yes ports=ether10 switch=switch2 vlan-id=300

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=vlan100_shared list=LAN
add interface=vlan300_guest list=LAN
add interface=ether1 list=WAN
add interface=ether10 list=trunk


/ip dhcp-client
add comment="WAN ISP" interface=vlan10_ISP use-peer-ntp=no

/ip pool
add name=vlan100_shared ranges=10.0.10.100-10.0.10.200
add name=vlan300_guest ranges=10.0.30.100-10.0.30.200

/ip dhcp-server
add address-pool=vlan100_shared interface=vlan100_shared lease-time=1w name=dhcp_vlan100
add address-pool=vlan300_guest interface=vlan300_guest lease-time=1h name=dhcp_vlan300

/ip address
add address=10.0.10.254/24 interface=vlan100_shared network=10.0.10.0
add address=10.0.30.254/24 interface=vlan300_guest network=10.0.30.0

/ip dhcp-server config
set store-leases-disk=never

/ip dhcp-server network
add address=10.0.10.0/24 dns-server=208.67.222.222,8.8.8.8 gateway=10.0.10.254 netmask=24
add address=10.0.30.0/24 dns-server=208.67.222.222,8.8.8.8 gateway=10.0.30.254 netmask=24


/ip neighbor discovery-settings
set discover-interface-list=trunk protocol=cdp,lldp

PS: something got wrong with the first code block formatting? :face_with_raised_eyebrow:

Hi,
ChatGPT writes this config? :open_mouth: ))

Try this → Made by Human → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I wish, lol :laughing:
Though I shall say they were fairly good configs, as per the manual.

Yes, I did see that post, I have all 3 configs open in VSCode alongside my config.
I guess I’m missing something very specific to the chip / model in my VLAN switching & routing config.

This link has everything to solve your problem. Your config is some kind of chaos:
https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table

Any particular part of it that stands out?

I did follow the docs via the two above-mentioned links, as well as https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching#BasicVLANswitching-Otherdeviceswithabuilt-inswitchchip, especially around the notes:

On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.

This type of configuration should be used on RouterBOARD series devices, this includes RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP and other devices.

I guess, after so many years, this is the first time I have come across the necessity to adjust one’s CLI (fairly high-level) config depending on the chipset used (which is very low-level and should be taken care of at another layer of abstraction - but that’s another philosophical question :smiley:).

There is another abstraction level: bridge with VLAN filtering enabled. But it seems you don’t like its performance on your particular device.

Attempting to mix a VLAN-aware bridge and switch-chip VLAN filtering is just asking for trouble. Either:
Use a VLAN-aware bridge, the only downside of which is you do not get wirespeed L2 performance between ports in the same VLAN
Or:
Use a non-VLAN-aware bridge which acts like an unmanaged switch and configure the switch chips to handle the VLANs - there are caveats on devices which have multiple switch chips, see https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANfilteringwithmultipleswitchchips

I think we misunderstood each other.
E.g. in Cisco IOS VLAN switching & routing is completed by 3 commands (to simplify example, for one port):

  1. L2, define the actual VLAN
  2. L2, assign the VLAN to a port
  3. L3, create a virtual iface & assign IP to it

For MikroTik, I had to use 4 commands instead of 1 in step 2:

  1. /interface vlan - fair and logical
  2.1. /interface bridge port
  2.2. /interface bridge vlan
  2.3. /interface ethernet switch vlan
  2.4. /interface ethernet switch port
  3. /ip address - clear & concise

I would love to simplify 2.1-2.4 into one single step. But every documentation piece linked above says otherwise.

Btw, I did have my “eureka” / “aha” moment (or after finding the problem, rather “WTF” and “f… me sideways”):

/interface bridge vlan
add bridge=bridge vlan-ids=100 tagged=bridge,ether10
add bridge=bridge vlan-ids=300 tagged=bridge,ether10

tagged=ether10 → tagged=bridge,ether10: really, add the bridge to itself as a “tagged” port?

That’s a very clear example of the abstraction layer I was talking about: as a network admin, I don’t really care how the processing is done at the configuration stage (I do care at the design / pre-req one though). Of course, if HW processing is available, I’ll take it - i.e. it shall be enabled by default whenever available and disabled only when explicitly told so within the same CLI command.

All everyone wants is a unified config process (whether UI or CLI) across all devices of the same vendor.

In Cisco IOS (which many people here are familiar with as well), it’s done very simply:

# Catalyst Switch
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 1,100,200,...
 switchport mode trunk

interface GigabitEthernet1/0/5
 switchport access vlan 100
 switchport mode access

interface Vlan1
 no ip address
!
interface Vlan100
 ip address 10.0.100.21 255.255.255.0

# ASA/PIX FW 
!VLAN: 100,200,... - <- on some older ASA's vlan had to be created outside of running-config
interface GigabitEthernet1/2.100
 vlan 100
 nameif Vlan100

The syntax is simplified, precise, to the point and very logical, and relates to each other even between different device families.
I.e. whatever chipset differences exist within the same family but different models, they are masked by a standardized CLI which might differ slightly in command args only.
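A VLAN-aware-bridge-only version of the setup from the first post, as an added example (it is not the thread author's export and not MikroTik's documentation): it drops the /interface ethernet switch vlan and switch port entries that tdw advised against mixing with a VLAN-aware bridge, adds the bridge itself as a tagged member of every VLAN (the “eureka” fix above, applied to VLAN 10 as well), and keeps the interface names, pools and addresses from the first post. Assumed, not taken from the thread: that vlan-mode=disabled, vlan-header=leave-as-is and default-vlan-id=auto are the switch-port defaults on this chip, that the switch2 CPU port is named switch2-cpu, and that vlan-filtering is switched on only after the VLAN table is complete.

```routeros
# Added example, not the original export: VLAN-aware bridge only, derived from
# the first post's setup. VLAN filtering is enabled as the LAST step so that a
# mistake in the VLAN table cannot cut off management before it is populated.

# 1. Undo the switch-chip VLAN configuration so that only the bridge handles
#    VLANs (values assumed to be the RouterOS defaults for these ports).
/interface ethernet switch vlan remove [find]
/interface ethernet switch port
set ether7,ether8,ether9,ether10,switch2-cpu vlan-mode=disabled vlan-header=leave-as-is
set ether7,ether8,ether9 default-vlan-id=auto

# 2. Bridge, created with VLAN filtering OFF for now.
/interface bridge
add name=bridge vlan-filtering=no

# 3. Ports: access ports carry their PVID untagged; ether10 is a tagged-only
#    trunk. ingress-filtering=yes drops frames for VLANs a port is not in.
/interface bridge port
add bridge=bridge interface=ether1  pvid=10  frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether7  pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether8  pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether9  pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether10 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# 4. VLAN table: the bridge itself is a tagged member of every VLAN that must
#    reach the CPU, because the DHCP server/client and the /ip addresses live
#    on the CPU side. Without it the vlanXXX interface counters stay at zero.
/interface bridge vlan
add bridge=bridge vlan-ids=10  tagged=bridge untagged=ether1
add bridge=bridge vlan-ids=100 tagged=bridge,ether10 untagged=ether7,ether8,ether9
add bridge=bridge vlan-ids=300 tagged=bridge,ether10

# 5. L3 interfaces on top of the bridge, one per VLAN.
/interface vlan
add interface=bridge name=vlan10_ISP     vlan-id=10
add interface=bridge name=vlan100_shared vlan-id=100
add interface=bridge name=vlan300_guest  vlan-id=300

# 6. Addressing and DHCP as in the first post.
/ip dhcp-client
add interface=vlan10_ISP use-peer-ntp=no comment="WAN ISP"
/ip address
add address=10.0.10.254/24 interface=vlan100_shared
add address=10.0.30.254/24 interface=vlan300_guest
/ip pool
add name=vlan100_shared ranges=10.0.10.100-10.0.10.200
add name=vlan300_guest  ranges=10.0.30.100-10.0.30.200
/ip dhcp-server
add name=dhcp_vlan100 interface=vlan100_shared address-pool=vlan100_shared lease-time=1w
add name=dhcp_vlan300 interface=vlan300_guest  address-pool=vlan300_guest  lease-time=1h
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.254 dns-server=208.67.222.222,8.8.8.8
add address=10.0.30.0/24 gateway=10.0.30.254 dns-server=208.67.222.222,8.8.8.8

# 7. Only now turn VLAN filtering on, then check the table and the counters
#    that were stuck at zero in the first post.
/interface bridge set bridge vlan-filtering=yes
/interface bridge vlan print
/interface monitor-traffic vlan100_shared once
```

Run it from a terminal session in safe mode (Ctrl-X) so that losing the connection rolls the changes back. As tdw noted, with vlan-filtering=yes on this device inter-port forwarding within a VLAN is CPU-bound rather than wire-speed; that is the trade-off for a single configuration that does not depend on the switch chip.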



This creates a link (see Cisco section) 1-3 on the bridge.
For example, if you just need to transit (L2) the VLAN through ports, you don’t need an interface/vlan and you don’t need to add the bridge to “itself”.
This can really raise questions until you realize that MikroTik is not a completely dedicated switch/router, but a Linux-based OS (like a swiss knife :sunglasses: ).

You need to specify specific interfaces, not an ethernet port, if you work with VLAN interfaces:

/interface list
add name=LLDP
/interface list member
add interface=vlan100 list=LLDP
# add ...
/ip neighbor discovery-settings
set discover-interface-list=LLDP

As @tdw already explained, you are overdoing things. The problem with MT is not lack of a grand unified UI for L2 stuff, unified across all hardware platforms (bridge with vlan-filtering is this UI, the same settings work on all ROS devices regardless of hardware). The problem is that they did not discontinue legacy stuff (whatever you do under /interface/ethernet is legacy) for various reasons - one of the reasons is that they didn’t add HW offload support for some of their (powerful at time of conception) device models. On these devices you can do things in two distinct ways (either on bridge or on switch chip, the former being CPU-bound and hence slow) but you should not mix both approaches (as @tdw already mentioned).

I can agree that this is confusing for user coming from other vendor universes … but things go the other way as well: I find cisco way of doing things confusing as well … even though I believe that if I’d be dealing with cisco stuff on daily basis, I’d get used to it. But if I was to start doing cisco, I’d definitely read some documentation and try to comprehend difference in configuration concepts, because we have to live with those differences (I’m sure MT will never copy cisco config concepts and syntax, it’d be probably illegal as well).