Trying to fix configuration of DHCP client using VLAN Interface

Hello,

Happy New Year to all!

I have been trying to configure my Internet connection to go via an aggregation switch since my ISP is offering better than Gigabit speeds. In order to achieve this setup, I have connected the devices as shown in the diagram below:

In terms of configuration in the CCR-2004, this is what I have set up so far (limiting the config export to the relevant portions):

/interface bridge
add admin-mac=6E:D0:A9:F3:E1:35 auto-mac=no name="All Ports Bridge" \
    vlan-filtering=yes

/interface ethernet
<snip>
set [ find default-name=sfp-sfpplus1 ] comment=\
    "USW-Aggregation Uplink (Port 1)"
set [ find default-name=sfp-sfpplus2 ] comment=\
    "USW-Aggregation Uplink (Port 2)"

/interface vlan
add comment="Server Network" interface="All Ports Bridge" name=server-net \
    vlan-id=200
add comment="Client Network" interface="All Ports Bridge" \
    name=trusted-clients-net vlan-id=100
add comment="WAN" interface="All Ports Bridge" name=wan1-net \
    vlan-id=1000

/interface vrrp
add authentication=ah interface=server-net name=server-net-vrrp \
    priority=250 version=2 vrid=200
add authentication=ah interface=trusted-clients-net name=trusted-clients-vrrp \
    priority=250 version=2 vrid=100

/interface bonding
add comment="USW-Aggregation Trunk Ports" mode=802.3ad name=\
    bond_sfpplus1-sfpplus2 slaves=sfp-sfpplus1,sfp-sfpplus2

/interface bridge port
add bridge="All Ports Bridge" interface=ether1
add bridge="All Ports Bridge" interface=ether2
<snip>
add bridge="All Ports Bridge" interface=ether15
add bridge="All Ports Bridge" interface=bond_sfpplus1-sfpplus2

/interface bridge vlan
add bridge="All Ports Bridge" comment="Client network" tagged=\
    ether15,bond_sfpplus1-sfpplus2 vlan-ids=100
add bridge="All Ports Bridge" comment="Server network" tagged=\
    ether15,bond_sfpplus1-sfpplus2 vlan-ids=200
add bridge="All Ports Bridge" tagged=bond_sfpplus1-sfpplus2 disabled=yes vlan-ids=1000

/ip dhcp-client
add add-default-route=no interface=wan1-net script=":local rmark \"WAN1\"\r\
    \n:local count [/ip route print count-only where comment=\"WAN1\"]\r\
    \n:if (\$bound=1) do={\r\
    \n    :if (\$count = 0) do={\r\
    \n        # /ip route add gateway=\$\"gateway-address\" comment=\"WAN1\" r\
    outing-mark=\$rmark\r\
    \n        :log info \"Trying to add routes\"\r\
    \n        /ip route add dst-address=0.0.0.0/0 check-gateway=ping distance=\
    2 gateway=8.8.8.8 routing-table=main scope=10 target-scope=12 comme\
    nt=\"\$rmark - MyRepublic Default route with recursive next-hop search\"\r\
    \n        /ip route add dst-address=8.8.8.8/32 distance=2 gateway=\
    \$\"gateway-address\" routing-table=main scope=10 target-scope=11 comment=\
    \"\$rmark - Google DNS route via MyRepublic gateway\"\r\
    \n    } else={\r\
    \n        :if (\$count = 1) do={\r\
    \n            :local test [/ip route find where comment=\"WAN1\"]\r\
    \n            :if ([/ip route get \$test gateway] != \$\"gateway-address\"\
    ) do={\r\
    \n                /ip route set \$test gateway=\$\"gateway-address\"\r\
    \n            }\r\
    \n        } else={\r\
    \n            :error \"Multiple routes found\"\r\
    \n        }\r\
    \n    }\r\
    \n} else={\r\
    \n    /ip route remove [find comment~\"WAN1\"]\r\
    \n}" use-peer-dns=no use-peer-ntp=no
add interface=ether16-gateway use-peer-dns=no use-peer-ntp=no

The basis for the recursive routing script is this awesome post by anav.

If I change

/interface bridge vlan add bridge="All Ports Bridge" tagged=bond_sfpplus1-sfpplus2 disabled=yes vlan-ids=1000

to be enabled, then the DHCP client linked to wan1-net will get an IP address from the ISP.

However, at the same time my log will start to fill up with messages such as:

bond_sfpplus1-sfpplus2: bridge RX looped packet - MAC 00:00:5e:00:01:30 -> 6e:d0:a9:f3:e1:35 VID 1000 ETHERTYPE 0x0800 IP PROTO 1 150.5.254.1 -> <DHCP IP from ISP>

The MAC address 00:00:5e:00:01:30 is one of the VRRP interfaces listed above.

I’m clearly doing something wrong, as indicated by the bridge RX looped packet messages, but I will confess I’m not sure how to segregate traffic from the ISP modem terminating at the USW-Aggregation switch without assigning that port a VLAN ID. Extending that further, if I don’t add the same VLAN ID to the bridge then the DHCP client does not get an IP address.

Any advice on what I’m doing wrong would be very welcome!

I had posted my original question during the time when the forum is down for long stretches of time, so am guessing folks who are generally on the forum might not have seen it. Bumping up the post again in hopes that I can get some kind soul to offer some suggestions.

Only problem I see is that the bridge is not a tagged member of the VLAN1000

/interface bridge vlan
add bridge="All Ports Bridge" tagged="All Ports Bridge",bond_sfpplus1-sfpplus2 disabled=yes vlan-ids=1000

Hi,

I’m not sure that was the source of the problem? You can see from the log output below that as soon as I added the bridge "All Ports Bridge" as a tagged member to the VLAN1000, the bridge RX looped packet messages started appearing:

 17:04:08 system,info item changed by winbox-3.41/tcp-msg(winbox):admin@192.168.XXX.XXX (/interface bridge vlan set "" bridge="All Ports Bridge" comment="WAN" disabled=yes mvrp-forbidden="" tagged="bond_sfpplus1-sfpplus2,All Ports Bridge" untagged="" vlan-ids=1000)
 17:04:19 system,info item changed by winbox-3.41/tcp-msg(winbox):admin@192.168.XXX.XXX (/interface bridge vlan set "" bridge="All Ports Bridge" comment="WAN" disabled=no mvrp-forbidden="" tagged="bond_sfpplus1-sfpplus2,All Ports Bridge" untagged="" vlan-ids=1000)
 17:07:15 interface,info ether16-gateway link down
 17:07:15 dhcp,info dhcp-client on ether16-gateway lost IP address <DHCP IP from ISP> - lease stopped locally
 17:07:47 interface,warning bond_sfpplus1-sfpplus2: bridge RX looped packet - MAC 00:00:5e:00:01:30 -> 78:9a:18:99:a5:fa VID 1000 ETHERTYPE 0x0800 IP TCP 44.199.80.228:443 -> <DHCP IP from ISP>:39251
 17:07:52 interface,warning bond_sfpplus1-sfpplus2: bridge RX looped packet - MAC 00:00:5e:00:01:30 -> 78:9a:18:99:a5:fa VID 1000 ETHERTYPE 0x0800 IP PROTO 1 150.5.254.0 -> <DHCP IP from ISP>
...
17:09:30 interface,warning bond_sfpplus1-sfpplus2: bridge RX looped packet - MAC 00:00:5e:00:01:30 -> 78:9a:18:99:a5:fa VID 1000 ETHERTYPE 0x0800 IP PROTO 1 101.47.65.6 -> <DHCP IP from ISP>

You can see that ether16-gateway, which is the port I’ve set up as a direct network connection to the ISP ONT with a DHCP client, lost the DHCP IP when I removed the connection and instead plugged into the upstream switch. However, the wan1-net interface did not pick up an IP address even after waiting for a few minutes.

However, as soon as I removed the "All Ports Bridge" as a tagged member of VLAN ID 1000, the wan1-net interface did pick up the DHCP address, although the bridge RX looped packet messages did not stop:

 17:09:35 system,info item changed by winbox-3.41/tcp-msg(winbox):admin@192.168.XXX.XXX (/interface bridge vlan set "" bridge="All Ports Bridge" comment="WAN" disabled=no mvrp-forbidden="" tagged=bond_sfpplus1-sfpplus2 untagged="" vlan-ids=1000)
 17:09:35 interface,warning bond_sfpplus1-sfpplus2: bridge RX looped packet - MAC 00:00:5e:00:01:30 -> 78:9a:18:99:a5:fa VID 1000 ETHERTYPE 0x0800 IP PROTO 1 150.5.255.1 -> <DHCP IP from ISP>
 17:09:41 interface,warning bond_sfpplus1-sfpplus2: bridge RX looped packet - MAC 00:00:5e:00:01:30 -> 78:9a:18:99:a5:fa VID 1000 ETHERTYPE 0x0800 IP PROTO 1 150.5.255.1 -> <DHCP IP from ISP>
 17:09:47 interface,warning bond_sfpplus1-sfpplus2: bridge RX looped packet - MAC 00:00:5e:00:01:30 -> 78:9a:18:99:a5:fa VID 1000 ETHERTYPE 0x0800 IP PROTO 1 150.5.255.1 -> <DHCP IP from ISP>
 17:09:49 dhcp,info dhcp-client on wan1-net got IP address <DHCP IP from ISP>
 17:09:49 script,info Trying to add routes
 17:09:49 system,info route 0.0.0.0/0 added by dhcp-client (*80000042 = /ip route add check-gateway=ping comment="WAN1 - Default route with recursive next-hop search" distance=2 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=10 target-scope=12)
 17:09:49 system,info route 8.8.8.8 added by dhcp-client (*80000043 = /ip route add comment="WAN1 - Google DNS route via gateway" distance=2 dst-address=8.8.8.8/32 gateway=<223.25.79.1> routing-table=main scope=10 target-scope=11)
 17:09:52 interface,warning bond_sfpplus1-sfpplus2: bridge RX looped packet - MAC 00:00:5e:00:01:30 -> 6e:d0:a9:f3:e1:35 VID 1000 ETHERTYPE 0x0800 IP PROTO 1 150.5.255.0 -> <DHCP IP from ISP>

I also want to point out that I can see that in Bridge > VLANs there is a Dynamic entry with the comment "added by vlan on bridge" for "All Ports Bridge" that includes VLAN1000.

Looking carefully at the log messages, I notice that the bridge RX looped packet - MAC 00:00:5e:00:01:30 -> 6e:d0:a9:f3:e1:35 entry always points to a specific MAC address, which turns out to be a VRRP interface for VLAN1 that is tied to the bridge directly rather than to a VLAN interface:

/interface bridge
add admin-mac=6E:D0:A9:F3:E1:35 auto-mac=no name="All Ports Bridge" \
    vlan-filtering=yes

/interface vrrp
add authentication=ah comment="VLAN 1 Network" interface="All Ports Bridge" \
    name=mgmt-net-vrrp priority=250 version=2 \
    vrid=48

[admin@MikroTik 2004 Router (Primary)] > /interface/bridge/print                  
Flags: X - disabled, R - running 
 0 R name="All Ports Bridge" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled 
     arp-timeout=auto mac-address=6E:D0:A9:F3:E1:35 protocol-mode=rstp 
     fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=6E:D0:A9:F3:E1:35 
     ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s 
     transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 
     frame-types=admit-all ingress-filtering=yes dhcp-snooping=no 

[admin@MikroTik 2004 Router (Primary)] > /interface vrrp print where name="mgmt-net-vrrp"
Flags: R - RUNNING; M - MASTER
Columns: NAME, INTERFACE, MAC-ADDRESS, VRID, PRIORITY, INTERVAL, VERSION, V3-PROTOCOL
#    NAME           INTERFACE         MAC-ADDRESS        VRID  PRI  IN  V  V3-P
;;; VLAN 1 Network
0 RM mgmt-net-vrrp  All Ports Bridge  00:00:5E:00:01:30    48  250  1s  2  ipv4

In contrast, other VRRP interfaces are tied to a specific VLAN interface.

/interface vlan
add comment="Server Network" interface="All Ports Bridge" name=server-net \
    vlan-id=200

/interface vrrp
add authentication=ah interface=server-net name=server-net-vrrp \
    priority=250 version=2 vrid=200

Not sure if this is contributing to the issue.
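The last post narrows the looped source MAC down to mgmt-net-vrrp. That MAC is not unique to this router: RFC 3768 derives the IPv4 VRRP virtual MAC from the VRID as 00:00:5e:00:01:&lt;VRID&gt;, so VRID 48 (0x30) produces 00:00:5e:00:01:30 on every VRRP instance that uses VRID 48, including a neighbour's gateway on VLAN 1000. The check below is an added example written for this page, not code from the thread or from MikroTik: it parses "bridge RX looped packet" lines, decodes the VRID from the source MAC and reports which locally configured VRRP instance shares it. The sample log lines and the 203.0.113.10 address are constructed from the format shown in the thread, and the local VRID list is taken from the posted config. Whether the ISP gateway at 150.5.25x.x really runs VRRP with VRID 48 is an assumption the thread does not confirm; the script only tells you that the collision exists on the wire.

```python
"""Decode the source MAC from RouterOS "bridge RX looped packet" log lines and
report VRRP VRID collisions with locally configured VRRP instances.
Added example for this thread; assumptions are marked in comments."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# RFC 3768 / RFC 5798: IPv4 VRRP virtual MAC is 00-00-5E-00-01-{VRID}.
VRRP_MAC_PREFIX = "00:00:5e:00:01:"

# Matches the log format shown in the thread: "<port>: bridge RX looped packet - MAC <src> -> <dst> VID <n> ..."
LOOPED_RE = re.compile(
    r"(?P<port>\S+): bridge RX looped packet - MAC (?P<src>[0-9a-f:]{17}) -> "
    r"(?P<dst>[0-9a-f:]{17}) VID (?P<vid>\d+)",
    re.IGNORECASE,
)


class LoopedFrame(NamedTuple):
    port: str
    src_mac: str
    dst_mac: str
    vid: int
    vrid: Optional[int]  # decoded from src_mac when it is a VRRP virtual MAC, else None


def vrrp_mac(vrid: int) -> str:
    """Virtual MAC every VRRP implementation (RouterOS included) uses for a VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"{VRRP_MAC_PREFIX}{vrid:02x}"


def vrid_from_mac(mac: str) -> Optional[int]:
    """Inverse of vrrp_mac(); None for any MAC outside the VRRP range."""
    mac = mac.lower()
    if not mac.startswith(VRRP_MAC_PREFIX):
        return None
    return int(mac[len(VRRP_MAC_PREFIX):], 16)


def parse_looped(line: str) -> Optional[LoopedFrame]:
    m = LOOPED_RE.search(line)
    if not m:
        return None
    return LoopedFrame(m["port"], m["src"].lower(), m["dst"].lower(),
                       int(m["vid"]), vrid_from_mac(m["src"]))


def find_vrid_collisions(lines: Iterable[str],
                         local_vrrp: Dict[int, str]) -> List[Tuple[LoopedFrame, str]]:
    """local_vrrp maps VRID -> local VRRP interface name (from /interface vrrp).
    Returns one (frame, local interface) pair per distinct looped source MAC that
    is a VRRP virtual MAC whose VRID is also configured locally."""
    seen = set()
    hits: List[Tuple[LoopedFrame, str]] = []
    for line in lines:
        frame = parse_looped(line)
        if frame is None or frame.vrid is None or frame.src_mac in seen:
            continue
        seen.add(frame.src_mac)
        if frame.vrid in local_vrrp:
            hits.append((frame, local_vrrp[frame.vrid]))
    return hits


# Constructed sample lines (not a real capture): two in the thread's format with the
# VRRP source MAC, plus one with a non-VRRP source MAC that must be ignored.
SAMPLE_LOG = [
    "17:09:35 interface,warning bond_sfpplus1-sfpplus2: bridge RX looped packet - MAC 00:00:5e:00:01:30 -> 78:9a:18:99:a5:fa VID 1000 ETHERTYPE 0x0800 IP PROTO 1 150.5.255.1 -> 203.0.113.10",
    "17:09:52 interface,warning bond_sfpplus1-sfpplus2: bridge RX looped packet - MAC 00:00:5e:00:01:30 -> 6e:d0:a9:f3:e1:35 VID 1000 ETHERTYPE 0x0800 IP PROTO 1 150.5.255.0 -> 203.0.113.10",
    "17:10:01 interface,warning ether15: bridge RX looped packet - MAC 02:11:22:33:44:55 -> 6e:d0:a9:f3:e1:35 VID 100 ETHERTYPE 0x0806",
]

# Local VRRP instances as exported in the thread: VRID -> interface name.
LOCAL_VRRP = {48: "mgmt-net-vrrp", 100: "trusted-clients-vrrp", 200: "server-net-vrrp"}

if __name__ == "__main__":
    for frame, local in find_vrid_collisions(SAMPLE_LOG, LOCAL_VRRP):
        print(f"VID {frame.vid} on {frame.port}: source {frame.src_mac} is VRRP VRID "
              f"{frame.vrid}, also used locally by {local}")
```

Feed it the real log with `/log print` output and the VRID list from `/interface vrrp print`; a hit means the bridge is receiving frames from another device that advertises a MAC the router itself owns, which is exactly the condition the looped-packet warning describes, and picking a VRID that no upstream gateway uses removes the overlap.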