Simple Vlan tagging not working

Hello,

I have my RB4011iGS SFP+ port sfp-sfpplus1 connected to the fiber of my ISP.
My ISP talks on vlan 836 and it expects me to send dhcp request on this vlan.

I then simply configured one vlan interface attached to the sfp and a dhcp client on this vlan interface.

/interface vlan add interface=sfp-sfpplus1 name=vlan1 vlan-id=836
/ip dhcp-client add disabled=no interface=vlan1

But the DHCP request packets are sent untagged and no responses come back. If I add an address on vlan1, the packets sent are also untagged.
Only if I select Use service tag they will be tagged but in 802.1ad not in 802.1q as expected.

What am I doing wrong…?

(RouterOS 6.47.4)

I woudnt use name vlan1 its too confusing.
Use ISPVLAN or something clearer.

I do the same thing for my bell ISP by the way.
/interface ethernet
set [ find default-name=ether5 ] name=eth5Bell

/interface vlan
add comment=BellFibre interface=eth5Bell name=vlanbell vlan-id=836

/interface list member
add interface=vlanbell list=WAN

And in DHCP CLIENT ensure you use interface=vlanbell

Really, I don’t understand why it is not working for me…

I did an even simpler test:

• My laptop is connected on ether6.
• I created a VLAN on ether6:

interface vlan add name=TESTVlan vlan-id=123 interface=ether6

• Added an address to TESTVlan: 10.0.0.1/24 (network does not exist)

ip address add address=10.0.0.1/24 interface=TESTVlan

• pingged 10.0.0.2 from TESTVlan

ping address=10.0.0.2 interface=TESTVlan

• lauched wireshark on my laptop to see what the arp packets looks like: Packets are NOT tagged…

Again, if I tick ‘use service tag’ packets are properly tagged in 802.1ad…
I slightly start to become crazy here… What am I doing wrong? Is there another setting that would untag the packets? or prevent them from being tagged??

Please help

Is your laptop running Windows? Many NIC drivers will strip 802.1Q tags before the packet is passed to the OS, so they do not appear in Wireshark or other programs. If your driver supports VLAN interfaces, e.g. Intel devices with Advanced Network Services (ANS), try creating an tagged VLAN interface adapter to access the traffic.

Please post entire config
/export hide-sensitive file=anynameyouwish

Thanks @tdw, you were spot on. Doing the same on the linux machine works.
Strangely enough, in the packet sniffer sending in TZSP the packet from the underlying ether6, the VLAN information is also stripped in Wireshark.
I don’t believe the driver strips vlan tags inside encapsulated packets in TWSP… the mikrotik is probably sniffing the packets before tagging them…?

Anyway, it clarifies this issue. I now got one DHCP over VLAN working from my ISP (I was missing the Vendor class identifier option). Still missing another one on another VLAN but I now know that it is not missing a vlan tag.

Thanks again!

Mikrotik is sniffing packets at whatever interface you set it to. If you use physical interface (e.g. sfp-sfpplus1) then sniffer should show tagged packets. If you use vlan interface (e.g. vlan1), sniffer will see untagged packets because vlan interfaces (on named end that is) are untagged interfaces, they are only tagged on the “anchor side” (connection to underlying interface).

This makes sense, but I’m sniffing on the underlying physical interface and they show no tags on the streamed sniffed packets… but they are tagged on the linux endpoint.

Talk less post config more!

I tested again:

• got a linux machine on ether5
• created a TESTVlan interface on ether5
• enabled DHCP client on TESTVlan
• Packet sniffer on ether5 streaming to wireshark (TZSP)
• tcpdump on the linux machine.

The same dhcp requests packets are

• tagged on the linux tcpdump,
• tagged on the sniffer packet monitor on winbox
• but appear untagged on wireshark.

I then don’t think there is anything wrong in my conf but I’ll paste it here:

# aug/23/2021 22:05:36 by RouterOS 6.48.3
# software id = 9ZX2-TY24
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D43B0C014BA6
/interface bridge
add admin-mac=48:8F:5A:98:40:DE auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether6 ] loop-protect=off
set [ find default-name=ether7 ] loop-protect=off
set [ find default-name=sfp-sfpplus1 ] advertise="10M-half,10M-full,100M-half,\
    100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" \
    auto-negotiation=no mac-address=14:0C:76:65:0F:0C rx-flow-control=on \
    speed=1Gbps tx-flow-control=on
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge secondary-channel=auto ssid=xxxxxxx \
    station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=xxxxxxx station-roaming=enabled wireless-protocol=802.11
/interface vlan
add interface=sfp-sfpplus1 loop-protect=off name=ISP835 vlan-id=835
add interface=sfp-sfpplus1 name=ISP836 vlan-id=836
add interface=ether5 name=TESTVlan vlan-id=123
/interface wireless
add keepalive-frames=disabled mac-address=4A:8F:5A:98:40:E9 master-interface=\
    wlan2 multicast-buffering=disabled name=ssidpassword ssid=SSID \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile1 supplicant-identity=""
/interface wireless
add keepalive-frames=disabled mac-address=4A:8F:5A:98:40:E8 master-interface=\
    wlan2 multicast-buffering=disabled name=wlan3 security-profile=profile1 \
    ssid=romiot wds-cost-range=0 wds-default-bridge=bridge wds-default-cost=0 \
    wps-mode=disabled
/ip dhcp-client option
add code=60 name=vendor-class-identifier value=0x66627867773172
add code=57 name="Maximum DHCP Message Size" value=0x05dc
add code=55 name=paramrequest value=0x0103060f1a333a3b808184868d8f90
add code=55 name=options236 value=0x0103060f1a333a3b
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
add name=pool1 ranges=10.60.239.10-10.60.239.13
/ip dhcp-server
add add-arp=yes address-pool=dhcp conflict-detection=no disabled=no \
    interface=bridge
/ipv6 dhcp-server
add interface=bridge name=server1
/system logging action
set 3 remote=192.168.1.46 remote-port=5001
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
add name=prometheus policy="read,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!\
    write,!policy,!test,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3
add bridge=bridge disabled=yes interface=ssidpassword
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf disabled=yes interface=sfp-sfpplus1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0
add address=10.60.239.254/24 disabled=yes interface=TESTVlan network=\
    10.60.239.0
add address=xx.xx.xx.201/24 disabled=yes interface=ISP836 network=xx.xx.xx.0
/ip arp
add address=192.168.1.11 interface=bridge mac-address=00:12:17:EC:1E:4F
/ip dhcp-client
add add-default-route=no dhcp-options=\
    "vendor-class-identifier,Maximum DHCP Message Size,paramrequest" \
    disabled=no interface=ISP835
add !dhcp-options disabled=no interface=ether1
add dhcp-options=\
    "vendor-class-identifier,Maximum DHCP Message Size,options236" interface=\
    ISP836
add disabled=no interface=TESTVlan
/ip dhcp-server network
add address=10.60.239.0/24 dns-server=209.244.0.3 domain=ftth.free.fr \
    gateway=10.60.239.254 netmask=24
add address=192.168.1.0/24 comment=defconf dns-server=\
    192.168.1.1,1.1.1.1,8.8.4.4 domain=home gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.1.46 name=home.home
add address=192.168.1.148 name=syno.home
add address=192.168.1.149 name=ipphone.home
add address=192.168.1.35 comment=defconf-D8:F1:5B:FB:36:58 name=\
    tasmota-fb3658-5720.home ttl=15m
add address=192.168.1.31 comment=defconf-D8:A0:1D:52:B6:14 name=\
    esp32-arduino.home ttl=15m
add address=192.168.1.58 comment=defconf-F4:CF:A2:32:AA:58 name=vmc.home ttl=\
    15m
add address=192.168.1.25 comment=defconf-40:31:3C:A8:A4:4A name=\
    192-168-1-25.home ttl=15m
add address=192.168.1.81 comment=defconf-C8:3A:35:8A:D4:B0 name=\
    192-168-1-81.home ttl=15m
add address=192.168.1.86 comment=defconf-CC:50:E3:5B:58:4E name=\
    esp-5b584e.home ttl=15m
add address=192.168.1.48 comment=defconf-EC:FA:BC:86:FC:84 name=\
    fridge-7300.home ttl=15m
add address=192.168.1.62 comment=defconf-CC:48:3A:C4:10:11 name=\
    fr-iwl-bourgur4.home ttl=15m
add address=192.168.1.82 comment=defconf-60:01:94:CA:27:A2 name=pumpdual.home \
    ttl=15m
add address=192.168.1.36 comment=defconf-60:AB:67:8F:34:DC name=\
    192-168-1-36.home ttl=15m
add address=192.168.1.19 comment=defconf-5C:3A:45:EA:70:9D name=\
    desktop-5gr49ne.home ttl=15m
add address=192.168.1.49 comment=defconf-64:A2:00:0D:87:8F name=\
    m2007j20cg-mephone.home ttl=15m
add address=192.168.1.16 comment=defconf-96:AD:F1:B4:94:A4 name=\
    noelies-iphone.home ttl=15m
add address=192.168.1.15 comment=defconf-BA:20:A1:5E:46:76 name=\
    noelies-iphone.home ttl=15m
add address=192.168.1.50 comment=defconf-D8:A0:1D:46:38:DC name=\
    192-168-1-50.home ttl=15m
add address=192.168.1.11 comment=defconf-F0:A2:25:05:72:7D name=\
    192-168-1-11.home ttl=15m
/ip firewall address-list
add address=192.168.1.9 list=cctv
add address=192.168.1.12 list=cctv
add address=192.168.1.13 list=cctv
add address=192.168.1.14 list=cctv
add address=192.168.1.79 disabled=yes list=cctv
add address=192.168.1.11 comment=" portail" list=cctv
add address=192.168.1.64 comment=Living list=cctv
/ip firewall filter
add action=accept chain=forward dst-port=123 log=yes log-prefix="cctv ntp" \
    protocol=udp
add action=accept chain=forward dst-address=1.1.1.1 dst-port=53 log=yes \
    log-prefix="cctv ntp" protocol=udp src-address-list=cctv src-port=""
add action=drop chain=forward log-prefix="cctv drop" out-interface=ether1 \
    src-address-list=cctv
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=notlan
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="Block china cam" out-interface=ether1 \
    src-address=192.168.1.64
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="home ass from internet" dst-address=\
    xx.xx.xx.201 dst-port=443 protocol=tcp to-addresses=192.168.1.46 \
    to-ports=443
add action=dst-nat chain=dstnat comment="home ass from internet" dst-address=\
    xx.xx.xx.201 dst-port=110 protocol=tcp to-addresses=192.168.1.46 \
    to-ports=22
add action=dst-nat chain=dstnat comment="home ass from internet" dst-address=\
    xx.xx.xx.201 dst-port=4022 protocol=tcp src-address=xxx.xx.xx.136 \
    to-addresses=192.168.1.148 to-ports=4022
add action=dst-nat chain=dstnat comment="general NAT for home udp" \
    dst-address=xx.xx.xx.201 dst-port=111-3000 protocol=udp src-address=\
    xxx.xx.xx.136 to-addresses=192.168.1.148
add action=dst-nat chain=dstnat comment="home ass from internet" dst-address=\
    xx.xx.xx.201 dst-port=111-3000 protocol=tcp src-address=xxx.xx.xx.136 \
    to-addresses=192.168.1.148
add action=dst-nat chain=dstnat comment="Let's encrypt" dst-address=\
    xx.xx.xx.201 dst-port=80 protocol=tcp to-addresses=192.168.1.46
add action=dst-nat chain=dstnat comment="home ass from internet" dst-address=\
    xx.xx.xx.201 dst-port=3000-3100 protocol=tcp src-address=xxx.xx.xx.136 \
    to-addresses=192.168.1.46
add action=dst-nat chain=dstnat comment="home ass from internet" dst-address=\
    xx.xx.xx.201 dst-port=111-3000 protocol=udp src-address=xxx.xx.xx.136 \
    to-addresses=192.168.1.148
add action=masquerade chain=srcnat comment="home ass from internet" \
    dst-address=192.168.1.46 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment=IPHone dst-address=xx.xx.xx.201 \
    dst-port=16384-16482 protocol=udp to-addresses=192.168.1.149
add action=dst-nat chain=dstnat comment=IPHone dst-address=xx.xx.xx.201 \
    dst-port=5060 protocol=udp to-addresses=192.168.1.149
/ip route
add disabled=yes distance=1 gateway=xx.xx.xx.254
/ip service
set api address=192.168.1.0/24
/ip traffic-flow
set cache-entries=16k
/ip traffic-flow target
add dst-address=192.168.1.46 port=9995
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 address
add address=xxxx:xxxx:xxx:4691::1/128 advertise=no interface=bridge
add address=xxxx:xxxx:xxx:4690::2/128 advertise=no interface=ether1
/ipv6 dhcp-client
add add-default-route=yes disabled=yes interface=ether1 pool-name=pool_sfr6 \
    pool-prefix-length=56 request=prefix
/ipv6 firewall filter
add action=accept chain=input comment="INPUT : Accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="FWD : Accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="INPUT : Accept established, related" \
    connection-state=established,related
add action=accept chain=forward comment="FWD : Accept established, related" \
    connection-state=established,related
add action=drop chain=forward comment="FWD : Drop everything else" \
    in-interface=ether1 log-prefix="DROP : IPv6 FORWARD"
/ipv6 nd
set [ find default=yes ] disabled=yes
add hop-limit=64 interface=bridge managed-address-configuration=yes \
    other-configuration=yes ra-interval=20s-1m
add hop-limit=64 interface=ether1
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Paris
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
add action=remote topics=critical
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether5 filter-stream=yes memory-limit=500KiB \
    streaming-enabled=yes streaming-server=192.168.1.62

See some issues maybe,
you have the bridge giving out DHCP addresses and ether2 is on the bridge and then you have ether2 giving out dhcp so seems like a conflict to me.

You have vlan123 not identified by IP address or anything, but attached to ethernet 5. So its unclear what it is for.
Not clear what ether1 is for.

You have two Vlans running on the Sfpplus interface probably okay.

What is ip pool1 for.

HERE IS A DEFINITE PROBLEM - missing entry , at least your internet VLAN Should be added along with sffplus entry to the WAN interface members list.

Your WAN side seems confused to me …

Everything you see on sfpplus and ISP VLANs is disabled by setting or because the interface is down. So don’t worry about this.
Currently I had to move back to my previous setting where my ISP is on ether1.
Anyway, we have found that the tagging is properly working, packets are tagged everywhere except in the TZSP packets on Wireshark.
I’ll clean up my config and re-post it.

Thanks for your support