virtual interface for DHCP Client WAN over VLAN

Looking for guidance on how to use a virtual interface instead of using two ports on the router (ether1 as the DHCP client and ether4 as the vlan400 untagged port).

The application is for school where Starlink has to be installed at secondary campus (on hill) for unobstructed view of sky. The main campus is 900+ meters away with fiber optic run between campuses.

In the lab we have a successful setup using vlan400 to carry the Starlink WAN to the RB5009 main router. However, we are using two ports on the RB5009 to bring the Starlink WAN to the DHCP client in the router (red jumper in diagram). We would like to know whether using a virtual interface for the Starlink DHCP client is possible with some modifications to our configuration.

System diagram
SL-WAN.jpg
CRS305 config at the Starlink site: the Starlink WAN comes in on ether1, SFP1 goes to the local router and SFP2 to the main router

# 2024-08-11 23:31:26 by RouterOS 7.15.2
# model = CRS305-1G-4S+

# One VLAN-aware bridge. pvid=999 is the VLAN given to untagged traffic on the
# bridge interface itself; no VLAN 999 entry exists in /interface bridge vlan
# below, so confirm the bridge's own 10.145.0.2/23 address (further down) is
# reachable the way you expect — NOTE(review): verify on the device.
/interface bridge
add name=bridge pvid=999 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-starlink-feed
set [ find default-name=sfp-sfpplus1 ] name=sfpplus1-hEX
set [ find default-name=sfp-sfpplus2 ] name=sfpplus2-FO-trunk
set [ find default-name=sfp-sfpplus3 ] name=sfpplus3
set [ find default-name=sfp-sfpplus4 ] name=sfpplus4
# Management (VLAN 100) is the only VLAN terminated with an address on this
# switch; everything else is switched only.
/interface vlan
add interface=bridge name=vlan100-mgmnt vlan-id=100
/port
set 0 name=serial0
# Starlink arrives untagged on ether1 and is placed into VLAN 400 via pvid.
# No frame-types / ingress-filtering are set on any port, so the RouterOS
# bridge-port defaults apply; sfpplus3 and sfpplus4 have nothing connected
# (per the diagram) yet are full members of the bridge.
/interface bridge port
add bridge=bridge interface=ether1-starlink-feed pvid=400
add bridge=bridge interface=sfpplus1-hEX
add bridge=bridge interface=sfpplus2-FO-trunk
add bridge=bridge interface=sfpplus3
add bridge=bridge interface=sfpplus4
# IPv6 is disabled on this switch, so no IPv6 firewall is needed here.
/ipv6 settings
set disable-ipv6=yes
# VLAN table. Every VLAN — including the Starlink feed (400) — is tagged
# towards sfpplus1-hEX, sfpplus3 and sfpplus4 as well as the FO trunk, although
# only sfpplus2-FO-trunk reaches the RB5009 that terminates the feed. The two
# unused SFP ports therefore expose all VLANs to anything plugged into them.
/interface bridge vlan
add bridge=bridge comment=management tagged=\
    sfpplus4,sfpplus2-FO-trunk,sfpplus3,sfpplus1-hEX,bridge vlan-ids=100
add bridge=bridge comment=student-staff tagged=\
    sfpplus4,sfpplus3,sfpplus2-FO-trunk,sfpplus1-hEX vlan-ids=200
add bridge=bridge comment=servers tagged=\
    sfpplus4,sfpplus3,sfpplus2-FO-trunk,sfpplus1-hEX vlan-ids=300
add bridge=bridge comment=starlink-feed tagged=\
    sfpplus4,sfpplus3,sfpplus2-FO-trunk,sfpplus1-hEX untagged=\
    ether1-starlink-feed vlan-ids=400
# Management addresses. This export contains no /ip service, /ip firewall or
# /ip neighbor discovery-settings changes, so the RouterOS defaults presumably
# apply on this switch — worth restricting management access to vlan100-mgmnt.
/ip address
add address=10.145.0.2/23 interface=bridge network=10.145.0.0
add address=10.0.100.2/24 interface=vlan100-mgmnt network=10.0.100.0
/ip cloud
set update-time=no
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/system identity
set name=CRS-305
/system note
set show-at-login=no
# Time is taken from the RB5009 (10.0.100.1) over the management VLAN.
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.100.1
/system routerboard settings
set boot-os=router-os

RB5009 main router config: SFP1 from the CRS305, an RJ45 jumper from ether4 to ether1, and ether3 to the servers

# 2024-08-11 19:55:06 by RouterOS 7.15.2
# model = RB5009UPr+S+

# One VLAN-aware bridge; untagged traffic on the bridge itself lands in VLAN 999,
# which has no entry in the VLAN table below. The bridge's own 10.145.0.1/23
# address (further down) depends on that — NOTE(review): confirm it works.
/interface bridge
add name=bridge pvid=999 vlan-filtering=yes
# ether1-WAN stays off the bridge and is only fed by the physical jumper from
# ether4 (see the bridge port / VLAN entries below).
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-vl100-mgmnt
set [ find default-name=ether3 ] name=ether3-vl300-proxmox
set [ find default-name=ether4 ] name=ether4-vl400-starlink-feed
set [ find default-name=sfp-sfpplus1 ] name=sfpplus1-FO-trunk
# L3 termination exists for VLANs 100/200/300 only. There is deliberately no
# vlan400 interface here: VLAN 400 is switched out of ether4 untagged and
# looped back into ether1-WAN, which is why two ports are used.
/interface vlan
add interface=bridge name=vlan100-management vlan-id=100
add interface=bridge name=vlan200-students-staff vlan-id=200
add interface=bridge name=vlan300-servers vlan-id=300
# WAN/LAN lists drive the firewall input drop and the masquerade rule below.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-mgmnt ranges=10.0.100.200-10.0.100.254
add name=dhcp-stdnt-staff ranges=10.0.200.10-10.0.200.254
add name=dhcp-servers ranges=10.30.30.200-10.30.30.254
/ip dhcp-server
add address-pool=dhcp-mgmnt interface=vlan100-management name=dhcp-mgmnt
add address-pool=dhcp-stdnt-staff interface=vlan200-students-staff name=\
    dhcp-studnt-staff
add address-pool=dhcp-servers interface=vlan300-servers name=dhcp-servers
# ZeroTier is disabled (the repeated disabled=yes is a harmless export artefact).
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
# NOTE(review): automatic media/SMB sharing is enabled on the bridge, so any
# attached storage is offered over SMB to every bridge port, including the
# student VLAN. Set both to no unless the share is actually needed.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
# Bridge ports. ether4 is the untagged exit for VLAN 400 (the jumper side);
# sfpplus1 is the FO trunk with native VLAN 999. ether3 and ether5-8 carry no
# pvid and appear in no VLAN entry below, so what they pass under filtering is
# unclear from the export — NOTE(review): confirm (the hEX trunk on the far end
# of sfpplus1 also has no pvid set, so the native VLANs may not match).
/interface bridge port
add bridge=bridge interface=ether2-vl100-mgmnt pvid=100
add bridge=bridge interface=ether3-vl300-proxmox
add bridge=bridge interface=ether4-vl400-starlink-feed pvid=400
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=sfpplus1-FO-trunk pvid=999
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table. VLAN 400 is tagged on the trunk and untagged on ether4 only; the
# bridge itself is not a member, so the router cannot terminate it directly.
/interface bridge vlan
add bridge=bridge comment=management tagged=sfpplus1-FO-trunk,bridge \
    vlan-ids=100
add bridge=bridge comment=students-staff tagged=sfpplus1-FO-trunk,bridge \
    vlan-ids=200
add bridge=bridge comment=servers tagged=sfpplus1-FO-trunk,bridge vlan-ids=\
    300
add bridge=bridge comment=starlink-feed tagged=sfpplus1-FO-trunk untagged=\
    ether4-vl400-starlink-feed vlan-ids=400
# The untagged bridge (VLAN 999) is itself in LAN, so untagged bridge ports get
# the same input-chain treatment as the management VLAN.
/interface list member
add interface=bridge list=LAN
add interface=ether1-WAN list=WAN
add interface=vlan100-management list=LAN
add interface=vlan200-students-staff list=LAN
add interface=vlan300-servers list=LAN
/ip address
add address=10.145.0.1/23 interface=bridge network=10.145.0.0
add address=10.0.100.1/24 interface=vlan100-management network=10.0.100.0
add address=10.0.200.1/24 interface=vlan200-students-staff network=10.0.200.0
add address=10.30.30.1/24 interface=vlan300-servers network=10.30.30.0
/ip cloud
set update-time=no
# Starlink DHCP lease is taken on the physical WAN port; ISP DNS/NTP ignored.
/ip dhcp-client
add interface=ether1-WAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.0.100.0/24 gateway=10.0.100.1
add address=10.0.200.0/24 gateway=10.0.200.1
add address=10.30.30.0/24 gateway=10.30.30.1
# allow-remote-requests=yes turns on the resolver for all interfaces; only the
# input-chain "drop all not coming from LAN" rule below keeps it off the WAN.
/ip dns
set allow-remote-requests=yes servers=1.1.1.3
# IPv4 firewall (default-config shape). Input: established/related first,
# then drop invalid, accept ICMP, then drop anything not from the LAN list.
# Forward: fasttrack, then drop new WAN connections that were not DST-NATed.
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Masquerade everything leaving via the WAN list.
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN
# IPv6 is NOT disabled on this router (unlike the CRS305 and hEX exports), so
# the default IPv6 firewall below is what protects it if the WAN ever hands
# out IPv6.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=RB5009
/system note
set show-at-login=no
# This router is the NTP source for the CRS305 and hEX (they point at 10.0.100.1).
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=time.google.com
# MAC-level access (mac-telnet / mac-winbox) is allowed on the whole LAN list,
# which includes the untagged bridge and every terminated VLAN.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

hEX S config at secondary campus for local access to WiFi network

# 2024-08-11 19:48:34 by RouterOS 7.15.2
# model = RB760iGS
# VLAN-aware bridge with no pvid set, so untagged traffic on the bridge and on
# sfp1-local-trunk uses the bridge-port default VLAN, whereas the RB5009 end
# of the same fibre uses pvid=999 — NOTE(review): native VLANs look mismatched;
# confirm the untagged 10.145.0.x/23 addressing actually passes end to end.
/interface bridge
add name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-vl100-mgmnt
set [ find default-name=ether2 ] name=ether2-vl200-stdnt-staf
set [ find default-name=ether3 ] name=ether3-vl300-servers
set [ find default-name=sfp1 ] name=sfp1-local-trunk
/interface vlan
add interface=bridge name=vlan100-mgmnt vlan-id=100
add interface=bridge name=vlan200-student-staff vlan-id=200
add interface=bridge name=vlan300-servers vlan-id=300
# LAN/WAN lists are populated below but nothing in this export (no firewall,
# no discovery-settings) references them.
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# SMB explicitly off on this device.
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ip smb
set enabled=no
# Access ports for VLANs 100/200/300 plus the trunk; ether4 and ether5 have no
# pvid and no VLAN entry below, so their behaviour under filtering is unclear
# from the export. No frame-types / ingress-filtering are set, defaults apply.
/interface bridge port
add bridge=bridge interface=ether2-vl200-stdnt-staf internal-path-cost=10 \
    path-cost=10 pvid=200
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3-vl300-servers internal-path-cost=10 \
    path-cost=10 pvid=300
add bridge=bridge interface=ether1-vl100-mgmnt internal-path-cost=10 \
    path-cost=10 pvid=100
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge interface=sfp1-local-trunk
/ip firewall connection tracking
set udp-timeout=10s
# IPv6 disabled and not forwarded on this device.
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridge comment=management tagged=sfp1-local-trunk,bridge untagged=\
    ether1-vl100-mgmnt vlan-ids=100
add bridge=bridge comment=students-staff tagged=sfp1-local-trunk,bridge \
    untagged=ether2-vl200-stdnt-staf vlan-ids=200
add bridge=bridge comment=servers tagged=sfp1-local-trunk,bridge untagged=\
    ether3-vl300-servers vlan-ids=300
/interface list member
add interface=bridge list=LAN
add interface=sfp1-local-trunk list=LAN
add interface=vlan100-mgmnt list=LAN
add interface=vlan200-student-staff list=LAN
add interface=vlan300-servers list=LAN
# NOTE(review): the hEX holds an address in the student (200) and server (300)
# VLANs as well as management, and this export has no /ip firewall filter
# rules, so traffic a host sends via 10.x.x.4 can be routed between VLANs on
# this box without passing the RB5009 firewall. If the hEX only needs
# management access, the 200/300 addresses can go.
/ip address
add address=10.145.0.4/23 interface=bridge network=10.145.0.0
add address=10.0.100.4/24 interface=vlan100-mgmnt network=10.0.100.0
add address=10.0.200.4/24 interface=vlan200-student-staff network=10.0.200.0
add address=10.30.30.4/24 interface=vlan300-servers network=10.30.30.0
/ip cloud
set update-time=no
# Management services reduced to what is not listed here (the export shows only
# the services that were changed; presumably winbox remains) — confirm and
# restrict the remaining ones to the management subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/New_York
/system identity
set name=hEX
/system logging
set 0 topics=info,!dhcp,!caps
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
# Time from the RB5009 over the management VLAN.
/system ntp client servers
add address=10.0.100.1

Thank you in advance for your help

I think you need to change your concept of VLANs a little bit, so please read the following first and after that come back to discuss a possible solution:

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Thank you, I have read the post mentioned several times in the past to help me learn how to configure vlan aware bridge with multiple vlans. Perhaps I am incorrectly using a vlan to transport the Starlink WAN connection to the main router.

What is the recommended or preferred method of transporting a WAN connection from ISP to a router in different location in a network?

Maybe I should close this thread and open a new one with the question posed as - What is the best method of transporting ISP WAN to router at different location in network?

No need, I can answer that with ease - leave the WAN interface out of the equation, i.e. remove it from the bridge and remove all VLAN configuration from and associated with it. If you do that, all of your VLANs will have internet access by default, which you can then limit with firewall rules if necessary.

Along the same line of thought, why don’t you make the CRS305 the DHCP server for the VLANs? After all, it is your gateway to the internet.

Yes, the CRS305's purpose should only be as a switch:
a. to carry the Starlink signal to the 5009, to be terminated on the 5009
b. to carry the other 5009 VLANs (to the switch and the hEX for management purposes), and to the hEX for data flows.

Why do sfpplus3 and sfpplus4 do anything? Nothing is connected to them on the diagram.
Why does the Starlink feed go to the hEX at all???

SWITCH
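/interface bridge
# Build everything with vlan-filtering=no, then set it to yes once the VLAN
# table below is complete; switching it on early can lock you out.
add name=bridge vlan-filtering=no

/interface ethernet
set [ find default-name=ether1 ] name=ether1-starlink-feed
set [ find default-name=sfp-sfpplus1 ] name=sfpplus1-hEX
set [ find default-name=sfp-sfpplus2 ] name=sfpplus2-FO-trunk
# Nothing is connected to sfpplus3/4 — disable them instead of leaving them
# as members of every VLAN.
set [ find default-name=sfp-sfpplus3 ] name=sfpplus3 disabled=yes
set [ find default-name=sfp-sfpplus4 ] name=sfpplus4 disabled=yes

/interface vlan
add interface=bridge name=vlan100-mgmnt vlan-id=100

# The Starlink access port admits only untagged (and priority-tagged) frames
# and places them in VLAN 400; both uplinks admit only tagged frames.
# frame-types values spelled as RouterOS expects them
# (admit-only-untagged-and-priority-tagged / admit-only-vlan-tagged).
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1-starlink-feed pvid=400
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfpplus1-hEX
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfpplus2-FO-trunk

# VLAN 400 leaves only on the FO trunk towards the 5009; the hEX never sees it.
/interface bridge vlan
add bridge=bridge comment=management tagged=sfpplus2-FO-trunk,sfpplus1-hEX,bridge vlan-ids=100
add bridge=bridge comment=student-staff tagged=sfpplus2-FO-trunk,sfpplus1-hEX vlan-ids=200
add bridge=bridge comment=servers tagged=sfpplus2-FO-trunk,sfpplus1-hEX vlan-ids=300
add bridge=bridge comment=starlink-feed tagged=sfpplus2-FO-trunk untagged=ether1-starlink-feed vlan-ids=400

/ip address
add address=10.0.100.2/24 interface=vlan100-mgmnt network=10.0.100.0

# Only the management VLAN is "Trusted"; neighbor discovery is limited to it.
/interface list
add name=Trusted

/interface list member
add interface=vlan100-mgmnt list=Trusted

/ip neighbor discovery-settings
set discover-interface-list=Trusted

/ip route
add dst-address=0.0.0.0/0 gateway=10.0.100.1

# Property is "servers" (as in the 5009 export), not "server".
/ip dns
set servers=10.0.100.1

# NTP client pointed at the 5009 using the same form the existing exports use.
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.100.1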

HEX
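/interface bridge
# Keep vlan-filtering=no until the VLAN table below is complete, then set yes.
add name=bridge vlan-filtering=no

# The hEX S (RB760iGS) has ether1-ether5 and sfp1 (see its own export); the
# sfp-sfpplusN default names belong to the CRS305 and would not match here.
# ether1-ether4 keep their default names; only the trunk and the off-bridge
# port are renamed.
/interface ethernet
set [ find default-name=sfp1 ] name=trunk1
set [ find default-name=ether5 ] name=ether5-offBridge

/interface vlan
add interface=bridge name=vlan100-mgmnt vlan-id=100

# Trunk admits only tagged frames; access ports admit only untagged
# (and priority-tagged) frames and get their pvid. frame-types values spelled
# as RouterOS expects them; interface name matches the rename above.
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=trunk1
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=100
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=200
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=200
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=300

/interface bridge vlan
add bridge=bridge comment=management tagged=trunk1,bridge untagged=ether1 vlan-ids=100
add bridge=bridge comment=student-staff tagged=trunk1 untagged=ether2,ether3 vlan-ids=200
add bridge=bridge comment=servers tagged=trunk1 untagged=ether4 vlan-ids=300

/ip address
add address=10.0.100.3/24 interface=vlan100-mgmnt network=10.0.100.0
# ether5 stays off the bridge as a local management port (typo "inteface" fixed).
add address=192.168.55.1/30 interface=ether5-offBridge network=192.168.55.0

# Management VLAN and the off-bridge port are the only "Trusted" interfaces.
/interface list
add name=Trusted
/interface list member
add interface=vlan100-mgmnt list=Trusted
add interface=ether5-offBridge list=Trusted

/ip neighbor discovery-settings
set discover-interface-list=Trusted

/ip route
add dst-address=0.0.0.0/0 gateway=10.0.100.1

# Property is "servers" (as in the 5009 export), not "server".
/ip dns
set servers=10.0.100.1

# NTP client pointed at the 5009 using the same form the existing exports use.
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.100.1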

What are ether4 and ether1 for??
The Starlink feed comes in on vlan400 over the FO trunk and is terminated on the router, isn’t it???
Your diagram does not show any other WAN feed…!!

5009

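/interface bridge
# Keep vlan-filtering=no until the VLAN table below is complete, then set yes.
add name=bridge vlan-filtering=no
/interface ethernet
# ether1 is no longer the WAN port: the Starlink feed is terminated on the
# vlan400 interface below, so no physical jumper is needed.
set [ find default-name=ether1 ] name=ether1
set [ find default-name=ether2 ] name=ether2-vl100-mgmnt
set [ find default-name=ether3 ] name=ether3-vl300-proxmox
set [ find default-name=ether4 ] name=ether4-offBridge
set [ find default-name=sfp-sfpplus1 ] name=sfpplus1-FO-trunk

/interface vlan
add interface=bridge name=vlan100-management vlan-id=100
add interface=bridge name=vlan200-students-staff vlan-id=200
add interface=bridge name=vlan300-servers vlan-id=300
# Virtual WAN interface: VLAN 400 terminated on the bridge itself.
add interface=bridge name=vlan400 vlan-id=400

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Trusted

# frame-types values spelled as RouterOS expects them; comment uses plain
# ASCII quotes so the line imports.
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=300 comment="to test server access"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-vl100-mgmnt pvid=100
# NOTE(review): ether3-vl300-proxmox admits only tagged frames but is not in any
# tagged= list below, so it carries nothing until it is added to the VLAN(s)
# Proxmox needs — confirm which.
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3-vl300-proxmox
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfpplus1-FO-trunk

/ip neighbor discovery-settings
set discover-interface-list=Trusted

# VLAN table. VLAN 400 is tagged on the bridge itself so that vlan400 (the
# DHCP-client interface) can see it. Port name below matches the rename above.
/interface bridge vlan
add bridge=bridge comment=management tagged=sfpplus1-FO-trunk,bridge untagged=ether2-vl100-mgmnt vlan-ids=100
add bridge=bridge comment=students-staff tagged=sfpplus1-FO-trunk,bridge vlan-ids=200
add bridge=bridge comment=servers tagged=sfpplus1-FO-trunk,bridge untagged=ether1 vlan-ids=300
add bridge=bridge comment=starlink-feed tagged=bridge,sfpplus1-FO-trunk vlan-ids=400

# vlan400 goes in the WAN list so the existing input-chain drop
# (in-interface-list=!LAN), the forward-chain "not DSTNATed" drop and the
# masquerade rule (out-interface-list=WAN) all apply to it; those rules are
# not repeated in this snippet.
/interface list member
add interface=vlan400 list=WAN
add interface=vlan100-management list=LAN
add interface=vlan200-students-staff list=LAN
add interface=vlan300-servers list=LAN
add interface=vlan100-management list=Trusted
add interface=ether4-offBridge list=Trusted

/ip address
add address=10.0.100.1/24 interface=vlan100-management network=10.0.100.0
add address=10.0.200.1/24 interface=vlan200-students-staff network=10.0.200.0
add address=10.30.30.1/24 interface=vlan300-servers network=10.30.30.0
# ether4 stays off the bridge as a local management port.
add address=192.168.55.1/30 interface=ether4-offBridge network=192.168.55.0

# Starlink lease is now taken on the virtual interface; ISP DNS/NTP ignored.
/ip dhcp-client
add interface=vlan400 use-peer-dns=no use-peer-ntp=no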

Hello @anav
Thank you for the excellent solution. ether4 and ether1 were a clumsy approach: terminating vlan400 (the Starlink feed) on ether4 and using a jumper to the ether1 DHCP client.

I had tried your solution before - but I was missing some important pieces -
vlan400 in WAN list
vlan400 in bridge/vlan tagged for bridge itself
bridge/port settings not using admit all

Thank you again for your help

Thank you for the advice on the default route - I will try your suggestion and hopefully get a better understanding of the simple solution.

The RB5009 is more advantageous as gateway mostly because this is remote site at school in Papua, Indonesia and the local tech has good understanding of existing infrastructure and wanting to keep changes to a minimum. The Starlink is replacing a legacy C-Band dish and only needed to get the Starlink feed back to main router.