Two DHCP servers on two tagged VLANs - not working

Hello,

My setup: 5009 router – GS724T – Audience
I have two VLANs: 10 (wired clients) and 11 (wifi clients)
Port setup on 5009: one bridge, with ether2, ether3 ports. VLANs on bridge: VLAN10 (tagged ether2, bridge), VLAN11 (tagged ether3, bridge)
Port setup on Audience: one bridge, ether1 and wifi1. VLANs on bridge: VLAN11 (tagged ether1, bridge; untagged wifi1)
5009 link to gs724t uses VLAN trunking, and all ports where clients are connected have PVID 10.
I also have two DHCP servers, one bound to VLAN10, and one bound to VLAN11.
Link between 5009 and Audience is also using VLAN trunking.
First DHCP server works fine: whenever a client request comes in, it is allocated IP from dhcp-wired pool.
Second DHCP server does not work: I can see packets coming in on VLAN11, but that’s all.
I tried DHCP client on VLAN11 on Audience - no allocation, but packets are seen on 5009 VLAN11 interface
I tried DHCP from wifi clients - same, packets showing up on 5009 VLAN11, but no replies.
If I configure IP statically on Audience’s VLAN11 or Wifi clients everything works fine, traffic is routed, and I can reach outside networks.
I’ve enabled IGMP and DHCP snooping on both bridges, made no difference.
Firewall only has default rules, and I’m not seeing anything dropped there either (apart from occasional invalid frame drops, but it doesn’t seem to correlate with DHCP requests)

Relevant config:

/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
/ip pool
add name=wired-clients ranges=10.4.10.50-10.4.10.250
add name=wifi-clients ranges=10.4.11.50-10.4.11.250
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=bridge name=defconf
add address-pool=wired-clients interface=vlan10 name=wired-clients
add address-pool=wifi-clients interface=vlan11 name=wifi-clients
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
/interface bridge vlan
add bridge=bridge tagged=ether2,bridge vlan-ids=10
add bridge=bridge tagged=ether3,bridge vlan-ids=11
/ip address
add address=10.4.10.1/24 interface=vlan10 network=10.4.10.0
add address=10.4.11.1/24 interface=vlan11 network=10.4.11.0
/ip dhcp-server network
add address=10.4.10.0/24 dns-server=1.1.1.1 gateway=10.4.10.1 netmask=24
add address=10.4.11.0/24 dns-server=1.1.1.1 gateway=10.4.11.1 netmask=24

Any ideas?? I’m so confused…

The relevant config is the entire config
/export hide-sensitive file=anynameyouwish.

A diagram would go a long way in concert with the text description too?
https://forum.mikrotik.com/viewtopic.php?p=908118#p908118

Yup, since the /interface/bridge part is missing. But it could be as simple as that he’s missing the “vlan-filtering=yes” on the bridge interface. Default is vlan-filtering=no

Without vlan-filtering being enabled, the /interface/bridge/vlan stuff has no effect. And, a static address might work because it would be a single subnet, just multihomed (e.g. the vlan had no effect).

Hi all, thanks for your time!

Adding full config and a diagram.

# feb/06/2022 15:10:12 by RouterOS 7.1.1
# software id = VC32-0YFP
#
# model = RB5009UG+S+
# serial number = xxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no dhcp-snooping=yes igmp-snooping=\
    yes ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="LAN - wired clients"
set [ find default-name=ether3 ] comment="LAN - WiFi"
set [ find default-name=ether4 ] comment="LAN - wired services"
/interface vlan
add comment="LAN - wired clients" interface=bridge name=vlan10 vlan-id=10
add comment="LAN - WiFi clients" interface=bridge name=vlan11 vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name="LAN interfaces"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=wired-clients ranges=10.4.10.50-10.4.10.250
add name=wifi-clients ranges=10.4.11.50-10.4.11.250
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=bridge name=defconf
add address-pool=wired-clients interface=vlan10 name=wired-clients
add address-pool=wifi-clients interface=vlan11 name=wifi-clients
/interface bridge port
add bridge=bridge comment="LAN - wired" frame-types=admit-only-vlan-tagged \
    interface=ether2
add bridge=bridge comment="LAN - WiFi" frame-types=admit-only-vlan-tagged \
    interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="LAN - wired" tagged=ether2,bridge vlan-ids=10
add bridge=bridge comment="LAN - WiFi" tagged=ether3,bridge vlan-ids=11
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list="LAN interfaces"
add interface=ether3 list="LAN interfaces"
/ip address
add address=10.4.10.1/24 comment="wired clients" interface=vlan10 network=\
    10.4.10.0
add address=10.4.11.1/24 comment="wifi - clients" interface=vlan11 network=\
    10.4.11.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.4.10.0/24 dns-server=192.168.1.131 domain=xxx.xxx \
    gateway=10.4.10.1 netmask=24
add address=10.4.11.0/24 dns-server=192.168.1.131 domain=xxx.xxx \
    gateway=10.4.11.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Access to UI from local net" \
    in-interface-list=WAN src-address=192.168.0.0/16
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Etc/UTC
/system identity
set name=MT-5009
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=vlan11

[Attachment: Untitled Diagram.drawio.png]
So:

  • Hosts on VLAN 10 (like “Some host” in the diagram) are getting DHCP requests served from 10.4.10.x pool, no problem
  • Wifi clients on wifi1 not getting DHCP requests served
  • Wifi clients on wifi1 with static IP work fine, traffic is routed via “ext router” correctly
  • VLAN11 interface on Audience configured with DHCP is not getting an IP either
  • VLAN11 interface on Audience configured with static IP works fine
  • DHCP requests coming in on VLAN11 (ether3) on 5009 are being picked up by the packet sniffer (see last config item), but no replies are generated

An update… this is even more confusing now.

So, I tried plumbing VLAN11 to a port on a switch, and a machine on that port received an address from VLAN11 DHCP pool.

This means 5009’s config is correct and it’s serving as expected.

However, Audience (which is connected directly as per the diagram) is still not receiving any DHCP responses.

Here’s full config on Audience (BTW, on the diagram I incorrectly showed ether2 as VLAN11 interface, in fact it is ether1):

# feb/06/2022 16:05:19 by RouterOS 7.1.1
# software id = L7GE-C8VF
#
# model = RBD25G-5HPacQD2HPnD
# serial number = xxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf dhcp-snooping=yes \
    igmp-snooping=yes ingress-filtering=no name=bridge vlan-filtering=yes
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.mode=ap .ssid=xxx-2 disabled=\
    no
set [ find default-name=wifi2 ] configuration.mode=ap .ssid=xxx-5 disabled=\
    yes
/interface vlan
add interface=bridge name=vlan11 vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 configuration
add name=main-wifi ssid=xx
/interface wifiwave2
set [ find default-name=wifi3 ] configuration=main-wifi configuration.mode=ap \
    disabled=yes
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge ingress-filtering=no interface=wifi1 pvid=11
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=wifi1 vlan-ids=11
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip dhcp-client
add interface=ether2
add interface=vlan11
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Etc/UTC
/system routerboard settings
set cpu-frequency=auto
/tool graphing interface
add store-on-disk=no
/tool graphing queue
add store-on-disk=no
/tool graphing resource
add store-on-disk=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=bridge

5009

(1) One difference I would do is not mix apples and oranges, if I am doing vlans, I am all in with vlans.
NO BRIDGE subnet, I would change bridge subnet to vlan20 for example and thus the bridge just does bridging.
But that’s a personal choice.

(2) BAD RULE>maybe?..
add action=accept chain=input comment="Access to UI from local net"
in-interface-list=WAN src-address=192.168.0.0/16

Typically you should only access the Router (input chain) via VPN.
Perhaps you do have access to the private router before the MT and wish to access the MT from that location (still local), and that would be okay.
However, it’s still too wide a window, a whole subnet. If it’s you on that first router needing access, limit it to your PC’s IP address.

(3) Make sure if vlan11 is running on ether1, that ether1 is still not your default Ip DHCP client!

Audience.
What I don’t like is the fact that you are managing the Audience not from a trusted subnet but from the subnet that the wifi clients are also on.
So either create a management subnet (vlan) to pass to the SWITCH and AUDIENCE or use the existing LAN wired SUBNET.
The AUDIENCE SHOULD NOT GET an IP address on the same VLAN as the WIFI users. Best security practice.

So either VLAN10 or VLANMANAGE, let’s say vlan20 192.168.20…


There is no WAN and LAN here… it’s just an AP, not a router.
FROM
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

TO
/interface list=manage

Interface list-members (take your pick)
add interface=vlan10 list=manage
add interface=vlanmanage list=manage

/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 ingress-filtering=yes
add bridge=bridge ingress-filtering=no interface=wifi1 pvid=11 { ingress filtering=YES + frame-types-allowed=priority-and-untagged }

/interface bridge vlan MODIFY as required.
add bridge=bridge tagged=ether1 untagged=wifi1 vlan-ids=11
{ Note that vlan 11, supporting the wlan, is no longer associated with the Access point and thus bridge need not be tagged. }
add bridge=bridge tagged=bridge,ether1 vlan-ids=10 OR 20

/ip dhcp-client DELETE NOT REQUIRED
add interface=ether2
add interface=vlan11

/ip firewall filter { DELETE NOT REQUIRED }
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN

/tool mac-server set this to NONE, it’s a plain mac, not a protected schema!
set allowed-interface-list=LAN

/tool mac-server mac-winbox set this to manage
set allowed-interface-list=LAN

++++++++++++++++++
Finally, the missing parts
dst-address=0.0.0.0/0 gwy=gatewayIP_of_trusted_subnet table=main (either 192.168.20.1 OR 192.168.10.1)

/ip address
add address=192.168.20.1/24 interface=vlanmanage
192.168.20.0
OR
add address=192.168.10.1/24 interface=vlan10
192.168.10.0

The WifiWave2 adds a twist and another potential for unknown issues/bugs too :wink:. Your config looks right to me…but since

…so maybe a V7 bug?

While not directly related, this has some clue there might be some issues with vlan-filtering in V7 still lurking:
http://forum.mikrotik.com/t/v7-2rc2-and-v7-2rc3-is-released/155369/119

So the suggestion to just “admit-all” may not be bad, even if not same problem – at least to see if that gets DHCP working. If that works, open a support case since you shouldn’t need to use “admit-all”. There may be good reason to upgrade to 7.2rc3 on the RB5009, see
http://forum.mikrotik.com/t/fastpath-fasttrack-l2hw-l3hw-clarification/155333/3 related to FastTrack/VLANs/Bridges, with the specific on RB5009 covered here:
http://forum.mikrotik.com/t/v7-2rc2-and-v7-2rc3-is-released/155369/113

Not sure this is related to the DHCP not working, nor “BAD”:

@anav may be a bit too canonical when he says “BAD RULE”. If the point of VLAN is Layer2 isolation, but allowing Layer3 routing between the subnets, then an “allow 192.168.0.0/16” firewall rule would be okay/make sense. If IoT devices support/need local web management, you need to allow Layer3 access across VLANs, thus some “allow rule”. Now if you are going to allow full routing between VLANs, it’s a fair question why use them… IMO.

thank you, those were good tips! I’ve done a full reset on Audience and created a minimal config incorporating your advice about moving management to vlan10 (I’ll probably move that away to something else altogether in the future, something along the lines of the vlan20 that you mentioned, but for now I just want to get the full flow going before adding more config).

Annoyingly, wifi clients are still not getting DHCP replies…

  • wifi statically configured - works fine, fully routed
  • wifi DHCP - no response
  • VLAN10 ip statically configured (as in the config below) - works fine
  • VLAN10 set to DHCP - no response (HOWEVER: I see on 5009 that the leases are showing up, but expiry time resets every 5 secs, almost as if 5009 issues an address but audience doesn’t see it and re-requests)
  • as per previous - vlan10 dhcp works fine for wired clients (i.e. hosts connected to 5009 via switch)
  • similarly if I tag vlan11 on gs724 and get a host to request an address - it gets a dhcp reply no problem

Almost starting to think that there’s a bug in that audience s/w release… but surely that can’t be, as this is very fundamental functionality?..

# feb/07/2022 05:48:18 by RouterOS 7.1.1
# software id = L7GE-C8VF
#
# model = RBD25G-5HPacQD2HPnD
# serial number = xxx
/interface bridge
add dhcp-snooping=yes igmp-snooping=yes name=bridge vlan-filtering=yes
/interface wifiwave2
set [ find default-name=wifi2 ] disabled=yes
set [ find default-name=wifi3 ] disabled=yes
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
/interface wifiwave2 configuration
add name=cfg1 ssid=ssid-test
/interface wifiwave2
set [ find default-name=wifi1 ] configuration=cfg1 configuration.mode=ap \
    disabled=no
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1 pvid=11
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=wifi1 vlan-ids=11
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=10.4.10.2/24 interface=vlan10 network=10.4.10.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.10.1 pref-src=\
    "" routing-table=main suppress-hw-offload=no
/system routerboard settings
set cpu-frequency=auto

@Amm0, I’ve checked the posts you linked, and now:

  • updated both 5009 and audience to 7.2rc2
  • set to accept-all on ether3 (5009), ether1 and wifi1 (audience)
  • still no DHCP going through
  • when wifi client makes DHCP request I can see that request coming in on VLAN11 on 5009, but never a reply sent there

There are several issues with RB5009 switch chip, just for testing could you please disable Hardware offload on bridge ports.

I’m not sure it will help, just to eliminate switch chip.

@mike7, just tried that now, disabled h/w offloading on ether3 (vlan11), still the same…

do you have any links to what the problems are with 5009 switch? is that something new s/w releases can fix, or is that a h/w problem?

On the audience also add this…
Probably won’t make a difference but worth a try…

/ip dns
set allow-remote-requests=yes servers=10.4.10.1

try all ports

For me there are issues with ipv6 RA and igmp snooping, but I can’t find a reproducible sequence of changing configs; it may work or not with exactly the same config. I hope it can be fixed by SW.
You can search issues in the forum )

Agree, I’d make sure the “H” in the bridge doesn’t appear anywhere in Bridge>Ports, at least right now to narrow down issue. You do want to disable HW-offloading on all the active ports.

Yeah, I won’t discount the potential for bugs in V7 RouterOS; pretty sure the hardware is fine. I think your issue is just that both the OS and hardware are new, and it’s how MikroTik is using the switch chip from the OS that is likely the issue, not the hardware.

The other thing to try, since this seems limited to the Wi-Fi on the Audience, is removing the wifiwave2 package. If the standard wifi package works, then you’d know it’s a bug in the wifiwave2 side, not the RB5009.

I would recommend changing your logging settings (System>Logging) to include the topic “dhcp” with destination “memory”. Perhaps add another one for the “debug” topic if it doesn’t clutter your logs too much. Maybe there is some error/warning that gives a clue. This will allow additional log storage and include more dhcp logging:

/system logging action add name=memtrace target=memory memory-lines=16384
/system logging add action=memtrace topics=dhcp
/system logging add action=memtrace topics=debug

Now the “switch chip” is controlled somewhat by settings under /interface/ethernet/switch. It’s the alternative to “vlan-filtering=yes” for tagging/untagging VLANs, but it’s complex to get right using this approach. And whether it fixes DHCP/broadcasts is unknown. Basically, instead of using /interface/bridge/vlan to tag/untag, you use /interface/ethernet/switch/vlan instead to configure them. You’re likely better off long term using the “bridge VLAN” setting, but you can TRY /interface/ethernet/switch (“Switch” in winbox) to configure the VLANs if you run out of options. See https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features but the big feature of the RB5009 is that “Bridge VLAN Hardware Offloading” should work on it WITHOUT using the “Switch” settings.

Anyway, maybe it is still something in your config that’s wrong, but it doesn’t seem likely. This does seem like a bug. It’s not a quick path, but you may want to open a ticket with MikroTik, https://help.mikrotik.com/servicedesk/servicedesk/customer/portal/1. Make sure to collect the “supout.rif” from both devices AND include your diagram if you do. They may ask you for another supout with different logging. But the more details on where the problem may be, the quicker it may be resolved. Still, I would try removing wifiwave2 before opening a case, perhaps collecting a supout.rif before and after doing that.

By the way, a TPLINK EAP245v3 (wifi5) or 620HD (wifi6), would have been up and running shortly after opening the box.

Hey, thanks for all the advice so far! I’m yet to solve the problem, but I’ve learned quite a lot from you guys.

  • I’ve disabled h/w offloading on all ports on 5009 - no change
  • enabled DHCP logging, and nothing showing up when wifi clients are trying to connect!
  • captured and analysed packets on 5009
      • vlan11 - no dhcp, just random iOS stuff
      • ether3 - same
  • packets on Audience
      • wifi1 - I can see DHCP packets, but they seem to be VLAN tagged (see below)
      • vlan11 - nothing from the wifi clients (why??)
      • ether1 (had to filter on client MAC, as mgmt is also there, so very noisy) - same stuff as seen on 5009

here’s a DHCP packet on wifi1 interface:

Frame 17: 346 bytes on wire (2768 bits), 346 bytes captured (2768 bits)
Ethernet II, Src: 0a:fc:e2:c2:79:d0 (0a:fc:e2:c2:79:d0), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: 0a:fc:e2:c2:79:d0 (0a:fc:e2:c2:79:d0)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 11
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 0000 1011 = ID: 11
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 68, Dst Port: 67
Dynamic Host Configuration Protocol (Discover)

Where is this .1Q stuff coming from?!

/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
/interface wifiwave2 configuration
add name=cfg1 ssid=ssid-test
/interface wifiwave2
set [ find default-name=wifi1 ] configuration=cfg1 configuration.mode=ap \
    disabled=no
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1 pvid=11
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=wifi1 vlan-ids=11
add bridge=bridge tagged=bridge,ether1 vlan-ids=10

Am I missing something trivial here?..

BTW, I’ve raised a support ticket with MikroTik, we’ll see what happens. The support system is a bit strange: I registered on the main site, tried raising an issue, it then failed and redirected to what looks like Jira (it is actually), where I had to register again. And raised it there too.

Just an update, when I try connecting with WiFi client, wifi1 interface shows up under “current untagged”, if that matters…

Is wifi1 untagged in VLAN 11 (which would be correct), or in the default/management/another VLAN?

One thing is you probably should add “bridge” as a “tagged” member for VLAN 11 in the bridge config:

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=wifi1 vlan-ids=11

Now since the DHCP is coming from the RB5009, maybe not needed on Audience, but it can’t hurt. This is also a VERY complex topic, the bridge port itself being listed in the VLAN (essentially you need to do that in order for IP services on the MikroTik to work)

If that doesn’t work, while not ideal, maybe you can try using “admit-all” on the Audience; there was another v7.2 bug that suggests this as a workaround – again not the same problem, but if you want to try while waiting for MikroTik:

/interface bridge port
add bridge=bridge frame-types=admit-all interface=ether1
add bridge=bridge frame-types=admit-all interface=wifi1 pvid=11

Again, I worry the WifiWave2 is involved in why this doesn’t just work.

I can confirm the bridge does not need to be tagged for a WLAN if that vlan is not used elsewhere: trunk in, access port out, no bridge need be tagged.
If the AP had an IP in that vlan, yes, the bridge would be tagged, but that is not the case here.
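Added here as an illustration, not code from the thread or from MikroTik: a small Python checker that applies the bridge VLAN consistency rules the replies above keep returning to, to a RouterOS /export. It checks that vlan-filtering=yes is set (otherwise /interface bridge vlan is ignored), that every port's PVID has an untagged membership, that an admit-only-vlan-tagged port is never an untagged member, and that any /interface vlan defined on the bridge has the bridge itself as a tagged member of that VLAN, which is the point made about vlan11 on the Audience (if the AP needs no IP in VLAN 11, the finding is cleared by dropping the vlan11 interface instead). The embedded export is a constructed, condensed sample in the shape of the Audience config; function names such as check_export are my own.

```python
import re

# Constructed sample export, shaped like the Audience config in the thread
# (condensed; not a real device export).
SAMPLE_EXPORT = """\
/interface bridge
add dhcp-snooping=yes igmp-snooping=yes name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \\
    interface=wifi1 pvid=11
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=wifi1 vlan-ids=11
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
"""

# key=value tokens; values may be double-quoted (comment="LAN - wired")
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Parse an export into {section: [ {key: value}, ... ]}, 'add' lines only."""
    # RouterOS breaks long lines with a trailing backslash; re-join them first.
    joined = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            sections[current].append(
                {k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return sections


def vlan_ids(spec):
    """Expand 'vlan-ids=10,20-22' into {10, 20, 21, 22}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def members(entry, key):
    """Comma-separated interface list (tagged= / untagged=) as a set."""
    return set(filter(None, entry.get(key, "").split(",")))


def check_export(text):
    """Return findings about the bridge VLAN config; an empty list means consistent."""
    cfg = parse_export(text)
    findings = []
    bridges = {b["name"]: b for b in cfg.get("/interface bridge", []) if "name" in b}
    ports = cfg.get("/interface bridge port", [])
    vlans = cfg.get("/interface bridge vlan", [])
    l3_vlans = cfg.get("/interface vlan", [])

    for name, b in bridges.items():
        if b.get("vlan-filtering", "no") != "yes":
            findings.append(f"{name}: vlan-filtering is not 'yes', so "
                            "/interface bridge vlan entries have no effect")

    # Membership tables: (bridge, vlan id) -> set of tagged / untagged ports.
    tagged, untagged = {}, {}
    known = {p["interface"] for p in ports} | set(bridges)
    for v in vlans:
        for vid in vlan_ids(v.get("vlan-ids", "")):
            tagged.setdefault((v["bridge"], vid), set()).update(members(v, "tagged"))
            untagged.setdefault((v["bridge"], vid), set()).update(members(v, "untagged"))
        for port in members(v, "tagged") | members(v, "untagged"):
            if port not in known:
                findings.append(f"{v['bridge']}: '{port}' is listed in bridge vlan "
                                f"{v.get('vlan-ids')} but is not a bridge port")

    for p in ports:
        iface, br = p["interface"], p["bridge"]
        pvid = int(p.get("pvid", "1"))  # RouterOS default PVID is 1
        ft = p.get("frame-types", "admit-all")
        if ft != "admit-only-vlan-tagged" and iface not in untagged.get((br, pvid), set()):
            findings.append(f"{iface}: pvid {pvid} but no untagged membership for "
                            f"VLAN {pvid} on {br}; untagged ingress is dropped")
        if ft == "admit-only-vlan-tagged":
            for (b2, vid), u in untagged.items():
                if b2 == br and iface in u:
                    findings.append(f"{iface}: admits only tagged frames yet is an "
                                    f"untagged member of VLAN {vid}")

    # An L3 VLAN interface on the bridge only sees traffic when the bridge
    # itself is a tagged member of that VLAN (the DHCP server/client binds there).
    for v in l3_vlans:
        br, vid = v.get("interface"), int(v.get("vlan-id", "0"))
        if br in bridges and br not in tagged.get((br, vid), set()):
            findings.append(f"{v['name']}: VLAN {vid} interface on {br}, but {br} is "
                            f"not a tagged member of VLAN {vid}, so the router's own "
                            "IP services (DHCP server/client) never see that VLAN")
    return findings


if __name__ == "__main__":
    for finding in check_export(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

On the sample the only finding is the vlan11 one; adding bridge to the tagged list for VLAN 11 clears it.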