[RB750Gr3] DHCP failure on default/native VLAN (VLAN ID 1) of bridge

Device: RB750Gr3 on RouterOS 6.41.3

Problem: DHCP clients are not receiving IPs from the default or native VLAN (VLAN ID 1). I tested both a default VLAN port on the router and a native VLAN port on a VLAN-aware switch attached to the trunk. Neither worked. DHCP works on all other ports.

Context: a simple home VLAN setup with an Internet WAN (ether1), a management port (ether2), a trunk to the rest of the network (ether5) connecting to a VLAN-aware switch. The four VLANs are “Default” (all Ethernet LAN clients), “SegregatedWiFi” (WiFi with only Internet access), “SiteLAN” (LAN only access, no Internet), “Management” (management VLAN for routers and switches).

Initial setup: supplied default script from RouterOS upgrade. I deleted the single bridge containing only Ethernet ports.

VLAN plan:

                VLAN     Ports
                      2  3  4  5
                1     X  U  U  U
SegregatedWiFi  5     X  X  X  T
SiteLAN         6     X  T  T  T
Management      7     U  X  X  T
                PVID  7  1  1  1

X = uninvolved/empty
U = untagged
T = tagged

VLAN and DHCP configuration:

/interface bridge
add name=bridge-vlan vlan-filtering=yes

/interface vlan
add interface=bridge-vlan name=Default vlan-id=1
add interface=bridge-vlan name=SegregatedWiFi vlan-id=5
add interface=bridge-vlan name=SiteLAN vlan-id=6
add interface=bridge-vlan name=Management vlan-id=7

/interface bridge port
add bridge=bridge-vlan interface=ether5
add bridge=bridge-vlan interface=ether4
add bridge=bridge-vlan interface=ether3
add bridge=bridge-vlan interface=ether2 pvid=7

/interface bridge vlan
add bridge=bridge-vlan tagged=bridge-vlan untagged=ether5,ether4,ether3 vlan-ids=1
add bridge=bridge-vlan tagged=bridge-vlan,ether5 vlan-ids=5
add bridge=bridge-vlan tagged=bridge-vlan,ether5,ether4,ether3 vlan-ids=6
add bridge=bridge-vlan tagged=bridge-vlan,ether5 untagged=ether2 vlan-ids=7

/ip address
add address=192.168.88.1/24 comment=defconf interface=Default network=192.168.88.0
add address=192.168.5.1/24 interface=SegregatedWiFi network=192.168.5.0
add address=192.168.6.1/24 interface=SiteLAN network=192.168.6.0
add address=192.168.7.1/24 interface=Management network=192.168.7.0
 
/ip dhcp-server
add address-pool=Default disabled=no interface=Default lease-time=1d name=Default
add address-pool=SegregatedWifi disabled=no interface=SegregatedWiFi lease-time=1d name=SegregatedWiFi
add address-pool=SiteLan disabled=no interface=SiteLAN lease-time=1d name=SiteLAN
add address-pool=Management disabled=no interface=Management lease-time=1d name=Management

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
add address=192.168.6.0/24 dns-server=192.168.6.1 gateway=192.168.6.1
add address=192.168.7.0/24 dns-server=192.168.7.1 gateway=192.168.7.1

Network analysis: on changing ports, Wireshark on the client device shows only DHCP Request and DHCP Discover from the client, but no DHCP NAK, Offer or ACK events from the router.

Status: no part of the entire router configuration is marked invalid. The rest of the tested configuration works as expected to date. Image below from Winbox interface of the current status:
capture.png
I tried to keep it as clear and concise as possible. Can anyone help, please?

I conducted a simple experiment and changed VLAN ID 1 everywhere to VLAN ID 4. DHCP on that subnet promptly started working on one of the “Default” VLAN ports of the router.

That is, I did the equivalent of:

/interface vlan
set [find name=Default] interface=bridge-vlan vlan-id=4
set [find name=SegregatedWiFi] interface=bridge-vlan vlan-id=5
set [find name=SiteLAN] interface=bridge-vlan vlan-id=6
set [find name=Management] interface=bridge-vlan vlan-id=7

/interface bridge port
set [find interface=ether5] bridge=bridge-vlan pvid=4
set [find interface=ether4] bridge=bridge-vlan pvid=4
set [find interface=ether3] bridge=bridge-vlan pvid=4
set [find interface=ether2] bridge=bridge-vlan pvid=7

/interface bridge vlan
set [find vlan-ids=1] bridge=bridge-vlan tagged=bridge-vlan untagged=ether5,ether4,ether3 vlan-ids=4
set [find vlan-ids=5] bridge=bridge-vlan tagged=bridge-vlan,ether5 vlan-ids=5
set [find vlan-ids=6] bridge=bridge-vlan tagged=bridge-vlan,ether5,ether4,ether3 vlan-ids=6
set [find vlan-ids=7] bridge=bridge-vlan tagged=bridge-vlan,ether5 untagged=ether2 vlan-ids=7

So, there really does appear to be an issue with at least DHCP on VLAN ID 1 of bridges.

I am assuming simply updating VLAN 4, ether5 (the trunk) to “tagged” and informing the switch of the new VLAN ID will also work since this is no different from all the other VLANs. If it does not, I will update here.

In some other post I mentioned that I’ve had my share of problems when trying to utilize VLAN ID=1. So if you’re starting a proper VLAN-based set-up it’s best to stay away from VLAN ID=1 (if my memory serves me right it used to be possible to use also VLAN ID=0 but I’ve read somewhere that recent ROS doesn’t support/allow it anymore).
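
As an added example (not part of any post in this thread, and not MikroTik's code): a Python check that rebuilds the port/VLAN matrix from the bridge sections of the export posted above and flags any port whose PVID does not match its untagged membership, plus any use of VLAN ID 1. The function names are this example's own, and it assumes one VLAN ID per `/interface bridge vlan` row, as in the post.

```python
import re

# Sample input: the two bridge sections of the export posted in this thread.
EXPORT = """\
/interface bridge port
add bridge=bridge-vlan interface=ether5
add bridge=bridge-vlan interface=ether4
add bridge=bridge-vlan interface=ether3
add bridge=bridge-vlan interface=ether2 pvid=7
/interface bridge vlan
add bridge=bridge-vlan tagged=bridge-vlan untagged=ether5,ether4,ether3 vlan-ids=1
add bridge=bridge-vlan tagged=bridge-vlan,ether5 vlan-ids=5
add bridge=bridge-vlan tagged=bridge-vlan,ether5,ether4,ether3 vlan-ids=6
add bridge=bridge-vlan tagged=bridge-vlan,ether5 untagged=ether2 vlan-ids=7
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for each 'add' line of an export."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections.setdefault(current, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def vlan_matrix(sections):
    """Map (vlan_id, port) -> 'T' or 'U'; a missing key is the plan's 'X'."""
    matrix = {}
    for row in sections.get("/interface bridge vlan", []):
        vid = int(row["vlan-ids"])  # assumes one ID per row, as in the posted config
        for mark, key in (("T", "tagged"), ("U", "untagged")):
            for port in filter(None, row.get(key, "").split(",")):
                matrix[(vid, port)] = mark
    return matrix

def audit(text):
    """Return findings: PVID/untagged mismatches, plus any use of VLAN ID 1."""
    sections = parse_export(text)
    matrix, findings = vlan_matrix(sections), []
    for row in sections.get("/interface bridge port", []):
        port, pvid = row["interface"], int(row.get("pvid", 1))  # RouterOS default PVID is 1
        if matrix.get((pvid, port)) != "U":
            findings.append(f"{port}: pvid={pvid} but not untagged in VLAN {pvid}")
        findings += [f"{port}: untagged in VLAN {vid} but pvid={pvid}"
                     for (vid, p), mark in matrix.items()
                     if p == port and mark == "U" and vid != pvid]
    if any(vid == 1 for vid, _ in matrix):
        findings.append("VLAN ID 1 in use (the case this thread reports failing for DHCP)")
    return findings
```

On the posted configuration the only finding is the VLAN ID 1 line, so the bridge VLAN table agrees with the VLAN plan and the port PVIDs.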