Switch gets IP address from every VLAN DHCP server

I have connected a hap ac2 to a TL-SG105E smart switch.
There are 3 VLANS configured.

192.168.100.1/24 - main vlan
192.168.101.1/24 - iot vlan
192.168.102.1/24 - guest vlan

The switch should get an IP address from the main vlan, which it initially usually does, but as soon as I plug in clients to the access ports on the switch it starts to get random IP addresses from all three VLAN DHCP servers. I’ve set the lease time to 10 sec, so I could figure out what’s going on.

I disabled the DHCP client on the switch and configured a manual IP address on it 192.168.100.3.
After that everything seems to work as intended.
Now I’m trying to find out where I went wrong. I have read “the thread” about vlans and a pretty long list of posts.
Is it best practice to manually assign IPs to all the switches or is there a huge error in my config?

Router config: (I started with the default configuration and haven’t touched the firewall yet)
router.rsc (8.13 KB)
Switch config
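The symptom described above (one device taking leases from every VLAN's DHCP server) is easy to spot in the DHCP server log once the leases are grouped by MAC. This is an added example, not code from the thread: it assumes a RouterOS-style log line format ("time dhcp,info server assigned ip to mac"), and the log lines, server names and MAC addresses below are constructed; the three subnets are the ones from the original post.

```python
"""Added example: find MACs that hold DHCP leases in more than one VLAN subnet."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The three VLAN subnets from the thread.
VLANS = {"main": ip_network("192.168.100.0/24"),
         "iot": ip_network("192.168.101.0/24"),
         "guest": ip_network("192.168.102.0/24")}

# Constructed sample log (assumed format: "<time> dhcp,info <server> assigned <ip> to <mac>").
# ...:01 behaves like the switch in the thread: it accepts whichever offer reaches it.
SAMPLE_LOG = """\
12:00:01 dhcp,info main-dhcp assigned 192.168.100.3 to AA:BB:CC:00:00:01
12:00:02 dhcp,info main-dhcp assigned 192.168.100.20 to AA:BB:CC:00:00:02
12:00:11 dhcp,info iot-dhcp assigned 192.168.101.7 to AA:BB:CC:00:00:01
12:00:12 dhcp,info iot-dhcp assigned 192.168.101.9 to AA:BB:CC:00:00:03
12:00:21 dhcp,info guest-dhcp assigned 192.168.102.5 to AA:BB:CC:00:00:01
"""

LINE_RE = re.compile(r"^(\S+) dhcp,info (\S+) assigned (\S+) to ([0-9A-Fa-f:]{17})$")


def parse_leases(log):
    """Yield (time, server, ip, mac) for each line that matches the assumed format."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), ip_address(m.group(3)), m.group(4).upper()


def multi_vlan_clients(log, vlans=VLANS):
    """Return {mac: {vlan_name: ip}} for MACs that obtained leases in more than one VLAN.

    A device that should live only in the main VLAN but appears here is doing what the
    thread describes: answering every VLAN's DHCP server instead of just its own.
    """
    seen = defaultdict(dict)
    for _time, _server, ip, mac in parse_leases(log):
        vlan = next((name for name, net in vlans.items() if ip in net), "unknown")
        seen[mac][vlan] = str(ip)
    return {mac: leases for mac, leases in seen.items() if len(leases) > 1}
```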

For the TP-Link:
(1) Trunk ports --> the default PVID of 1 stays in place; do not remove it.
(2) Access ports --> the default PVID of 1 is changed to the PVID of the VLAN that will be tagged entering the switch heading to the router, and untagged as traffic leaves the switch heading to the dumb device.
(3) Add the IP address of the TP-Link manually and then add that address to the MT DHCP server lease for the VLAN and make it static (hint: grab the MAC address of the TP-Link now, you will need it).

Your table is confusing.
For starters you need to decide what you want: trunk, access or hybrid ports.
Trunk ports: one or more VLANs flow in and out of the port, data coming from another smart device (that can read VLANs) or going to another smart device that can read VLANs.
Access ports: can only have ONE VLAN associated with the port; the switch tags traffic coming from the dumb device and then removes the tag on return traffic to the dumb device.
Hybrid ports are rarer, as few devices are set up to receive and deal with one or more tagged VLANs and one untagged VLAN.
Clearly port 1 is a trunk port, ports 3,4 look like access ports maybe? Port 5 is not used?? And port 2 is confused and is set up like a hybrid port.

(I think the error here is on your vlan100 setting; it should only be a member of ports 1,3 and should not be tagged for port 2.)

Please verify the usage of each port. I think this is where your issues lie!!
I believe port 1 is coming from the MT device.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Looking at the MT device.

Your interface list could use some work:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN {remove not required not used in your config}
add name=MGMT
/interface list member
add comment=defconf interface=bridge list=LAN { remove not required covered by vlans to list=LAN }
add comment=defconf interface=ether1 list=WAN
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=guest-vlan list=LAN
add interface=main-vlan list=MGMT
add interface=main-vlan list=VLAN { not required not used }
add interface=iot-vlan list=VLAN
add interface=guest-vlan list=VLAN

MISSING - which bridge port is GOING TO THE SWITCH ???

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=101
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether5 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=100

You have a problem with ether5, as exposed by the bridge VLANs.
NOTE: above you state to only allow tagged frames, yet with an access-port setting of pvid=100; that doesn't compute!! (problem 1)

/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge,ether5 untagged=ether2,ether3 vlan-ids=100 {if ether5 was untagged for vlan 100 it would also be untagged on this line}
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 untagged=ether4 vlan-ids=101
add bridge=bridge comment=guest-vlan tagged=bridge,ether5 vlan-ids=102

SO it appears you are using ether5 as a hybrid port to the switch???
PROBLEM 2

To fix this for ether5:
bridge port
a. frame-types=only tagged: keep, that is correct (plus add ingress filtering for all bridge ports)
b. remove the pvid of 100
bridge vlans (corrected):
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge,ether5 untagged=ether2,ether3,wlan1,wlan2 vlan-ids=100
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 untagged=ether4 vlan-ids=101
add bridge=bridge comment=guest-vlan tagged=bridge,ether5 vlan-ids=102

Summary:
Vlan100, the home VLAN, will go through port 5 to the switch, along with VLANs 101 and 102.
Vlan100 will also go out the two WLANs on the router, as well as probably to PCs on ports 2,3.
Vlan102 will also go out on the router to an IoT device on port 4.
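The two problems called out in this reply (a tagged-only port that still carries a PVID, and access ports whose PVID has no matching untagged membership) can be caught mechanically. The following is an added example, not the thread's or MikroTik's code: it parses the poster's `/interface bridge port` and `/interface bridge vlan` lines as quoted above (embedded here with the wrapped lines rejoined) and reports every port whose PVID and frame-types disagree with the bridge VLAN table.

```python
"""Added example: consistency check of RouterOS bridge port / bridge vlan lines."""
import re

# Constructed input: the poster's bridge config as quoted in the thread, lines rejoined.
BRIDGE_CONFIG = """\
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=101
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether5 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=100
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge,ether5 untagged=ether2,ether3 vlan-ids=100
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 untagged=ether4 vlan-ids=101
add bridge=bridge comment=guest-vlan tagged=bridge,ether5 vlan-ids=102
"""


def parse(config):
    """Return (ports, vlans): port name -> {frame_types, pvid}; vlan id -> {tagged, untagged}."""
    section, ports, vlans = None, {}, {}
    for line in config.splitlines():
        if line.startswith("/"):
            section = line.strip()
            continue
        kv = dict(re.findall(r"(\S+?)=(\S*)", line))       # key=value pairs of one "add" line
        members = lambda key: set(filter(None, kv.get(key, "").split(",")))
        if section == "/interface bridge port":
            # RouterOS defaults: frame-types=admit-all, pvid=1 when not given
            ports[kv["interface"]] = {"frame_types": kv.get("frame-types", "admit-all"),
                                      "pvid": int(kv.get("pvid", 1))}
        elif section == "/interface bridge vlan":
            for vid in kv["vlan-ids"].split(","):
                vlans[int(vid)] = {"tagged": members("tagged"), "untagged": members("untagged")}
    return ports, vlans


def check(ports, vlans):
    """Flag ports whose PVID / frame-types disagree with the bridge VLAN table."""
    problems = []
    for name, p in ports.items():
        untagged_in = sorted(vid for vid, v in vlans.items() if name in v["untagged"])
        if p["frame_types"] == "admit-only-vlan-tagged":       # trunk-style port
            if p["pvid"] != 1:
                problems.append(f"{name}: tagged-only port carries pvid={p['pvid']}; drop the pvid")
            if untagged_in:
                problems.append(f"{name}: tagged-only port is untagged in vlan {untagged_in}")
        elif p["pvid"] not in vlans or name not in vlans[p["pvid"]]["untagged"]:   # access-style
            problems.append(f"{name}: pvid={p['pvid']} but not an untagged member of vlan {p['pvid']}")
    return problems
```

Against the quoted config it reports ether5 (problem 1) and wlan1/wlan2, which the corrected bridge vlan lines in the reply fix by adding them as untagged members of vlan 100.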

Thanks for all the suggestions. I started the above from a config I found online and perfected it in the last week with your help and some extensive googling.
The problem with these switches is apparently widely known so the solution is to disable the DHCP client on them and set up static IP addresses.

I also created a management LAN for the hap and switches and with a few firewall rules everything is kept apart nicely now.

Hey Bonovski,

If you ever see this, do you still have that TP-Link switch and same issue ?

I haven’t found much information online about that specific issue (DHCP) but I’m having the same problem unless I set a static IP and that sounds wrong and weird to me. How does it work behind the scenes?

On a standard switch one would just specify the VLAN ID :confused:

Thanks

Switches I’ve seen so far (not many models, I admit) have option to select “management VLAN” … and if set properly, switch would then only receive IP from the correct VLAN. If the option is not set, then switch might try to obtain IP address from all VLANs it detects (or is configured with).

OTOH I don’t see anything wrong with setting static IP address on network infrastructure building blocks. Imagine everything falls apart and DHCP server is not alive. How would you connect to each of switches/routers/etc. to make things fly again?

Fair enough for the static IP, good idea, thank you.

I was more referring to the switch fetching an IP from any of the VLAN, I’m wondering how it works behind the scenes.
I’ll just keep the static IP, but I still wonder how the switch knows to which VLAN the IP belongs.
That logic seems to me more awkward to implement compared to just a dropdown list (or input box) to specify VLAN ID.

As already said: it depends on the switch vendor's "ingenuity". E.g. my D-Link has "L2 features" → "VLAN" → "Management VLAN" and there I can enable it (by default it's disabled, whatever this might mean[*]) and after enabling it I can type in the VLAN ID (not a drop-down, but it does say that the valid value range is 1-4094, which makes it impractical for a drop-down menu IMO).

And management VLAN selection is actually complementary to IP address setting/acquisition.

[*] A guess: if the switch is not set with a management VLAN, it will try to obtain an IP address via every VLAN configured. If the IP address is set statically, it'll listen for connections on all VLANs and answer an IP connection on the VLAN from which the connection was initiated. That makes the setup most versatile for admins not very well acquainted with VLANs … but it also makes the setup insecure.

I have the exact same switch, only 8-port model (TL-SG108E). When I purchased it several years ago, I didn’t know it was possible to have such a bad design and was quite disappointed after discovering a number of issues.

The switch replies to whatever DHCP server gets to it first. OK, setting a static IP is no big deal. A much nastier surprise was discovering how it handles management access. You can access the switch IP from any port, any VLAN. All you have to do is assign a static IP to your PC from the same subnet as the switch. It doesn’t matter if the switch port is assigned to a VLAN where this IP doesn’t belong.

Granted, it would take someone to guess the switch IP (although I suspect there might be some discovery packets one could sniff out) and then obviously the password. And of course, have the ability to change IP on the client PC or device. Then it’s possible to gain access and break out of the assigned VLAN by reconfiguring the switch.

None of this is probably a concern in a home environment. It’s not usual to have strangers plug in wired devices to network jacks. I would not use this switch anywhere else other than acting as a dumb switch. With that being said, there are other simple switch brands like Zyxel for the same price that have proper management VID configuration. Others like Netgear (again, in the same price range) suffer from the same issue but at least allow whitelisting source IP.

For some reason MikroTik doesn’t have any simple 8-port switches. The closest ones are L009 and CSS610 or 16-port CSS318 for $20 more, but $120-140 is a tough sell when Zyxel and the likes can be had for $30. Sure, the L009 runs RouterOS, and both CSS’es have SFP+ and much better functionality, but when one just needs a simple VLAN-capable switch…

Very interesting, thank you!