VLAN and DHCP Server configuration help

Hello All,

I am very new to Mikrotik and I got a HEX RB750GR3 to play with. I would appreciate some help to configure two vlans and a DHCP server.

What I am trying to do is:
ether1: WAN
ether2: TRUNK - VLANS 30 and 40
ether3: VLAN 30 - access port - member of bridge-1 - IP: 192.168.30.1 - DHCP server → range 192.168.30.2-192.168.30.254
ether4: VLAN 40 - access port - member of bridge-1 - IP: 192.168.40.1
ether5: emergency port - IP: 192.168.50.1 - DHCP server → range: 192.168.50.100-192.168.50.150

At the moment I only got the ether5 emergency port to work.
DHCP is running on ether5, I get an IP, and I can play with the remaining settings without losing access to the device.

I am not sure if I even configured the VLANs correctly. If I connect my laptop to ether3 I do not get an IP.

My configuration:

/interface bridge
add name=bridge-1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5emergency
/interface vlan
add interface=bridge-1 name=vlan-30 vlan-id=30
add interface=bridge-1 name=vlan-40 vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool-50 ranges=192.168.50.100-192.168.50.150
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=dhcp-pool-50 interface=ether5emergency name=dhcp1
add address-pool=dhcp_pool2 interface=vlan-30 name=dhcp2
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge-1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-1 tagged=ether2 vlan-ids=30
add bridge=bridge-1 tagged=ether2 vlan-ids=40
/interface list member
add comment=defconf interface=bridge-1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5emergency list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.50.1/24 interface=ether5emergency network=192.168.50.0
add address=192.168.30.1/24 interface=vlan-30 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan-40 network=192.168.40.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5201 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.254 \
    to-ports=5201
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Read and digest this, then apply what’s been explained there.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

(1) Ether5 does NOT require a pool.

(2) Missing the defining of ether2 on bridge ports …

/interface bridge port
add bridge=bridge-1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge-1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
add bridge=bridge-1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2

(3) Similarly missing info on interface bridge vlans…
/interface bridge vlan
add bridge=bridge-1 tagged=bridge,ether2 untagged=ether3 vlan-ids=30
add bridge=bridge-1 tagged=bridge,ether2 untagged=ether4 vlan-ids=40

You can get away with untagged entries as the router dynamically adds them for traffic based on pvid, however I always manually put them on the config,
so that they are available on exports and one can map between bridge ports and bridge vlans to see what was intended or understood and what makes sense…

(4) Ether5 does NOT require dhcp-server network

(5) mac-server by itself is not secure set to NONE.
/tool mac-server
set allowed-interface-list=LAN

(6) The bridge just does bridging so need to modify.
From:
/interface list member
add comment=defconf interface=bridge-1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5emergency list=LAN

TO:
/interface list member
add interface=vlan-30 list=LAN
add interface=vlan-40 list=LAN

add comment=defconf interface=ether1 list=WAN
add interface=ether5emergency list=LAN

ether5 has an IP of 192.168.50.1 and I did not want to manually give my laptop an IP address every time. So DHCP was the solution, and it works on ether5.


(2) Missing the defining of ether2 on bridge ports …

/interface bridge port
add bridge=bridge-1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge-1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
add bridge=bridge-1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2

(3) Similarly missing info on interface bridge vlans…
/interface bridge vlan
add bridge=bridge-1 tagged=bridge,ether2 untagged=ether3 vlan-ids=30
add bridge=bridge-1 tagged=bridge,ether2 untagged=ether4 vlan-ids=40

You can get away with untagged entries as the router dynamically adds them for traffic based on pvid, however I always manually put them on the config,
so that they are available on exports and one can map between bridge ports and bridge vlans to see what was intended or understood and what makes sense…

I added the missing configurations.


(4) Ether5 does NOT require dhcp-server network

I assume this would not cause any issue if I leave the DHCP server and pool enabled on ether5.


(5) mac-server by itself is not secure set to NONE.
/tool mac-server
set allowed-interface-list=LAN

Configured.


(6) The bridge just does bridging so need to modify.
From:
/interface list member
add comment=defconf interface=bridge-1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5emergency list=LAN

TO:
/interface list member
add interface=vlan-30 list=LAN
add interface=vlan-40 list=LAN

add comment=defconf interface=ether1 list=WAN
add interface=ether5emergency list=LAN

Configured.

Still I am not able to get an IP address with my laptop connected to ether3 and ether4.
I have tried to disable all firewall rules and still get the same result. Also, configuring a static IP of 192.168.30.5 on my laptop and connecting to ether3 does not work.
No response to a ping to 192.168.30.1.


/interface bridge
add name=bridge-1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5emergency
/interface vlan
add interface=bridge-1 name=vlan-30 vlan-id=30
add interface=bridge-1 name=vlan-40 vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool-50 ranges=192.168.50.100-192.168.50.150
add name=dhcp-pool-30 ranges=192.168.30.2-192.168.30.254
add name=dhcp-pool-40 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=dhcp-pool-50 interface=ether5emergency name=dhcp-port-5
add address-pool=dhcp-pool-30 interface=vlan-30 name=dhcp-vlan-30
add address-pool=dhcp-pool-40 interface=vlan-40 name=dhcp-vlan-40
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge-1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
add bridge=bridge-1 frame-types=admit-only-vlan-tagged interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-1 tagged=ether2 vlan-ids=30
add bridge=bridge-1 tagged=ether2 vlan-ids=40
/interface list member
add comment=defconf interface=bridge-1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5emergency list=LAN
add interface=vlan-30 list=LAN
add interface=vlan-40 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.50.1/24 interface=ether5emergency network=192.168.50.0
add address=192.168.30.1/24 interface=vlan-30 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan-40 network=192.168.40.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5201 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.254 \
    to-ports=5201
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I will have a good look at this and try some settings. Thank you.

Ether5 does not require a pool, just the IP address, it's that simple.
You have two choices, use ANY number, all will work, I typically use 192.168.50.5.
Then you can use that IP address for source address lists or winbox lists to limit access on the etherport to the correct one.

Imagine anyone can hook into that port now, and the router will provide an IP. That's crappy security.
Only you know that it has to be 192.168.55.X address LOL.

Up to you.

As to not being able to log in, don't forget to set your laptop back to get IP and DNS automatically in the NIC card settings.

Since you refuse to listen, this will be my last post here.

(1) You have two vlans and four pools… Get rid of emergaccess pool where is the third one coming from??
add name=default-dhcp ranges=192.168.88.10-192.168.88.254 → See (9) below!!

(2) What is the purpose of this… get rid of it.
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 → See (9) below!!

(3) You have three servers… get rid of emergaccess server…

(4) Your /interface bridge vlans are incorrect!!! AGAIN/STILL !!

/interface bridge vlan
add bridge=bridge-1 tagged=bridge,ether2 untagged=ether3 vlan-ids=30
add bridge=bridge-1 tagged=bridge,ether2 untagged=ether4 vlan-ids=40

The bridge tagging is mandatory!!
The untagging is optional as the pvid creates the untagging dynamically, however I always manually put them in so they are visible on config exports
and much easier to cross match with bridge ports to understand and see if OP understands the setup.

(5) Get rid of bridge line here… not needed.
/interface list member
add comment=defconf interface=bridge-1 list=LAN

(6) Get rid of old default static dns and put some servers in…
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

(7) You are port forwarding to a non-existent entity.
add action=dst-nat chain=dstnat dst-port=5201 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.254 \
    to-ports=5201

(8) Not sure why you are using vlans you have no rules blocking vlan to vlan traffic ???
From this:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
(this last rule drops all other LAN to LAN (including vlan to vlan), WAN to LAN and LAN to WAN traffic)

(9) Note if you really have another subnet then do it properly
a. give it a vlan name vlan-88 with master interface bridge.
b. add the vlan as untagged to some etherport if any left. OR add it tagged to ether2 I suppose…
c. you have a pool already no change
d. you would need to add a dhcp-server for it, with interface vlan-88
e. you would have to add it to lan interface list.
f. you would have to add to bridge interface vlan listing, tagged maybe only to ether2,bridge ??
g. you would have to add an IP address for it, interface=vlan-88
h. already have a dhcp-server-network for it…

Buh BYE!
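To make point (8) concrete, here is an added example (not MikroTik code and not from this thread): a toy evaluator for the forward chain, fed with constructed packets, that shows a new vlan-30 to vlan-40 connection matching none of the defconf rules (RouterOS accepts when no rule matches) and being dropped once the three suggested rules replace the WAN rule. It assumes the interface lists from this thread and leaves the ipsec-policy matchers out of the model.

```python
"""Added example, not MikroTik code: a toy evaluator for the forward chain.
Assumptions: LAN/WAN lists as in this thread; ipsec-policy rules omitted."""

LISTS = {"LAN": {"vlan-30", "vlan-40", "ether5emergency"}, "WAN": {"ether1"}}


def rule_matches(rule, pkt):
    """True when every matcher in the rule (everything but action) fits pkt."""
    for key, want in rule.items():
        if key == "action":
            continue
        negate, want = want.startswith("!"), want.lstrip("!")
        if key.endswith("interface-list"):
            iface = pkt[key.replace("-list", "")]  # in-interface / out-interface
            hit = iface in LISTS[want]
        elif key == "connection-state":
            hit = pkt["connection-state"] in want.split(",")
        elif key == "connection-nat-state":
            hit = pkt.get("connection-nat-state") == want
        else:
            raise ValueError(f"unmodelled matcher {key}")
        if hit == negate:  # a plain miss, or a hit on a negated matcher
            return False
    return True


def verdict(rules, pkt):
    """First terminal action wins; fasttrack is non-terminal; no match = accept."""
    for rule in rules:
        if rule_matches(rule, pkt) and rule["action"] in ("accept", "drop"):
            return rule["action"]
    return "accept"


# The defconf forward chain from the export above, minus the ipsec rules.
DEFCONF_FORWARD = [
    {"action": "fasttrack-connection", "connection-state": "established,related"},
    {"action": "accept", "connection-state": "established,related,untracked"},
    {"action": "drop", "connection-state": "invalid"},
    {"action": "drop", "connection-nat-state": "!dstnat", "connection-state": "new",
     "in-interface-list": "WAN"},
]

# The replacement suggested in point (8): the last defconf rule becomes three.
HARDENED_FORWARD = DEFCONF_FORWARD[:3] + [
    {"action": "accept", "in-interface-list": "LAN", "out-interface-list": "WAN"},
    {"action": "accept", "connection-nat-state": "dstnat"},
    {"action": "drop"},
]


def new_flow(src, dst, nat_state=None):
    """A constructed first packet of a new connection between two interfaces."""
    return {"in-interface": src, "out-interface": dst,
            "connection-state": "new", "connection-nat-state": nat_state}


if __name__ == "__main__":
    for name, rules in (("defconf", DEFCONF_FORWARD), ("hardened", HARDENED_FORWARD)):
        print(name, "vlan-30 -> vlan-40:", verdict(rules, new_flow("vlan-30", "vlan-40")))
        print(name, "vlan-30 -> ether1:", verdict(rules, new_flow("vlan-30", "ether1")))
```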

Anav, you’re spoon feeding way too much.

While what @anav says about ether5 is correct, that if anyone plugs into ether5, they will get an ip address via dhcp, depending on where the router is, and what your requirements are, that may be exactly what you want. One man’s crappy security is another man’s convenience factor (and when you want access in an emergency, trying to remember what ip address you have to set your pc to isn’t what you want to be spending time on). If this is in your home, and you know who will be connecting, I don’t think it is that big of a security issue myself. I mean, if a person has access to the router, all bets are already off.

Now to your question. Assuming the config at the end of post #4 is your current export, it appears you didn’t make many changes you said you did. This is what your latest post had:

/interface bridge vlan
add bridge=bridge-1 tagged=ether2 vlan-ids=30
add bridge=bridge-1 tagged=ether2 vlan-ids=40

The above has no connection from the CPU (bridge-1) to either vlan 30 or 40. So the dhcp server on the CPU can’t respond. Adding the untagged ports is not a necessity, but makes your intentions explicit and makes reading the config more clear (as to what ports are members of the vlan in question, as well as which are tagged and untagged). If the bridge-1 “cpu port” isn’t specified, that is a valid configuration, it just means that only the members of the vlan on the switch will be able to communicate with each other. E.g. if you had ports 4 and 5 as access ports to vlan 40, devices connected to ether4 and ether5 would be able to communicate with each other, but not to the CPU. But in your case you do want a connection from ether3 to vlan 30 and a connection from ether4 to vlan 40, so the ether (bridge ports) will have access to the internet and dhcp server, therefore you need to add a tagged connection via /interface bridge vlan for the bridge-1 “cpu port” that is then “connected” to the /interface vlans (vlan-30 and vlan-40).

Change to the following (to allow a connection from the Router to the “switch”). See RouterOS bridge mysteries explained.

/interface bridge vlan
add bridge=bridge-1 tagged=bridge-1,ether2 untagged=ether3 vlan-ids=30
add bridge=bridge-1 tagged=bridge-1,ether2 untagged=ether4 vlan-ids=40
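The check buckeye describes (is the bridge itself listed as tagged for every vlan that has a routed /interface vlan on it?) can be automated. The following is an added example, not code from the thread or from MikroTik: a small linter run over a constructed export that reproduces the relevant sections of the OP's second config. It assumes only `add` lines need parsing and that `vlan-ids` holds a comma list rather than a range like 30-40.

```python
"""Added example, not from the thread: lint a RouterOS export for the
VLAN-filtering mistakes discussed above. Assumes comma-separated vlan-ids."""
import shlex

# Constructed sample: the relevant sections of the OP's second export.
SAMPLE_EXPORT = """
/interface bridge
add name=bridge-1 vlan-filtering=yes
/interface vlan
add interface=bridge-1 name=vlan-30 vlan-id=30
add interface=bridge-1 name=vlan-40 vlan-id=40
/interface bridge port
add bridge=bridge-1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge-1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
add bridge=bridge-1 frame-types=admit-only-vlan-tagged interface=ether2
/interface bridge vlan
add bridge=bridge-1 tagged=ether2 vlan-ids=30
add bridge=bridge-1 tagged=ether2 vlan-ids=40
"""


def parse_export(text):
    """Group the key=value pairs of every `add` line under its /section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            sections[current].append(dict(pairs))
    return sections


def lint_bridge_vlans(text):
    """Return (level, message) findings; 'error' means the CPU is cut off."""
    cfg = parse_export(text)
    # (bridge, vlan-id) -> name of the routed /interface vlan living on it
    routed = {(v["interface"], v["vlan-id"]): v["name"]
              for v in cfg.get("/interface vlan", [])}
    # (bridge, pvid) -> access ports whose untagged ingress lands in that vlan
    access = {}
    for p in cfg.get("/interface bridge port", []):
        access.setdefault((p["bridge"], p.get("pvid", "1")), []).append(p["interface"])
    findings, covered = [], set()
    for entry in cfg.get("/interface bridge vlan", []):
        bridge = entry["bridge"]
        tagged = set(filter(None, entry.get("tagged", "").split(",")))
        untagged = set(filter(None, entry.get("untagged", "").split(",")))
        for vid in entry["vlan-ids"].split(","):
            covered.add((bridge, vid))
            if (bridge, vid) in routed and bridge not in tagged:
                findings.append(("error", f"vlan {vid}: {routed[(bridge, vid)]} is on "
                                 f"{bridge} but {bridge} is missing from tagged=; "
                                 "IP/DHCP on the CPU cannot reach this vlan"))
            for port in access.get((bridge, vid), []):
                if port not in untagged:
                    findings.append(("note", f"vlan {vid}: {port} has pvid={vid} but is "
                                     "not listed in untagged= (implicit only)"))
    # An access port whose pvid has no bridge vlan entry at all is isolated.
    for (bridge, vid), ports in access.items():
        if (bridge, vid) not in covered and vid != "1":
            findings.append(("error", f"vlan {vid}: ports {ports} use pvid={vid} "
                             "but no /interface bridge vlan entry exists"))
    return findings


if __name__ == "__main__":
    for level, msg in lint_bridge_vlans(SAMPLE_EXPORT):
        print(f"{level}: {msg}")
```

On the OP's export this reports two errors (bridge-1 absent from tagged= for vlans 30 and 40) and two notes (ether3/ether4 not listed as untagged); with the two lines buckeye suggests it reports nothing.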

Your post, buckeye, is more confusing than helpful… but good try LOL

Correct. The colors used are completely uncommon and thus confusing.

I thought you were color blind…

Writing isn’t my strong point.

The thing I was trying to get across was that the bridge-1 interface has to be specified as tagged, because it is representing the CPU/Routing engine’s “connection” to a specific vlan on the switch like entity of the bridge.

I agree that using a common “standard” color scheme would be helpful. Where are the accepted guidelines?

I’ve removed the dead wood from the end of the offending post #9

I also changed to @anav’s color scheme.

When I use tab completion, the bridge names are what are offered as valid:

[demo@RB760iGS-1] > /interface bridge/vlan/add bridge=[tab]
BR-SW loopback
[demo@RB760iGS-1] > /interface bridge/vlan/add bridge=BR-SW tagged=[tab]
BR-SW eth4-BR-SW_U10_T241 ether1-WAN ether2-BR-SW-Base-U1 ether3-BR-SW-U241 ether5-off_bridge_wrk loopback sfp1 vlan10 vlan241

So I do think that the correct syntax for the tagged bridge entity is tagged=bridge-1, not tagged=bridge

You are quite correct, I was writing bridge how I see it written a gazillion times and not the OP's definition, yes bridge-1 !!

I understand what you are saying. And this sounds like a good security practice. But it is not needed at the moment in my situation. I have the HEX on my desktop and am trying to learn, not to secure the device. Also, if someone has physical access to the device, I have other problems.

I definitely try to listen and implement what is suggested. I just did it wrong. Please remember I am very new to Mikrotik and even if I think I do it right, I may be wrong.


What I now did is:

  1. I used ssh to the HEX, did a fresh export and copy pasted the content to my text editor. I changed everything that you suggested in the editor.
  2. Reset the HEX via ssh.
  3. Configured a static IP on ether5 via winbox and connected with ssh.
  4. Pasted the suggested config via ssh.

Everything works now. Thank you. I get a DHCP on ether3 in the right range (30) and same for ether4 (40)
I will save this export now and try to study it and learn from it.

More configurations and test setups will follow. Thank you

Cool to hear…MikroTik can be a bit overwhelming…think you chose wise.

This is exactly my case. I have the HEX on my desk to learn and play. I want to be able to connect to port 5 and get an ip from the DHCP.
At some point I hope to feel comfortable enough to use Mikrotik products to replace my ISP modem… I want to have an emergency port with DHCP on it.

Visitors should not connect to my network. And if they need access, I should have a Guest WLAN in a separated and restricted VLAN.


Now to your question. Assuming the config at the end of post #4 is your current export, it appears you didn’t make many changes you said you did. This is what your latest post had:

/interface bridge vlan
add bridge=bridge-1 tagged=ether2 vlan-ids=30
add bridge=bridge-1 tagged=ether2 vlan-ids=40

Seems I implemented the changes wrong. I got it running now, see my other post: fresh export, implement changes, HEX reset, and copy paste via ssh…


The above has no connection from the CPU (bridge-1) to either vlan 30 or 40. So the dhcp server on the CPU can’t respond. Adding the untagged ports is not a necessity, but makes your intentions explicit and makes reading the config more clear (as to what ports are members of the vlan in question, as well as which are tagged and untagged). If the bridge-1 “cpu port” isn’t specified, that is a valid configuration, it just means that only the members of the vlan on the switch will be able to communicate with each other. E.g. if you had ports 4 and 5 as access ports to vlan 40, devices connected to ether4 and ether5 would be able to communicate with each other, but not to the CPU. But in your case you do want a connection from ether3 to vlan 30 and a connection from ether4 to vlan 40, so the ether (bridge ports) will have access to the internet and dhcp server, therefore you need to add a tagged connection via /interface bridge vlan for the bridge-1 “cpu port” that is then “connected” to the /interface vlans (vlan-30 and vlan-40).

Change to the following (to allow a connection from the Router to the “switch”). See RouterOS bridge mysteries explained.

/interface bridge vlan
add bridge=bridge-1 tagged=bridge-1,ether2 untagged=ether3 vlan-ids=30
add bridge=bridge-1 tagged=bridge-1,ether2 untagged=ether4 vlan-ids=40

Thank you for the explanation.

It's definitely something that is not easy for a beginner.