VLAN interface is interfering with my STB

Currently I’m using a fibre modem from my provider that supplies a single LAN (for connecting the router to) and two TV connections. I want to get rid of this modem and attach the fibre directly to my RB3011 through an SFP. Internet is supplied through VLAN 100 and IPTV through VLAN 101. Nothing really special except for one thing: though both my STBs should receive an IP address, only one gets it. The other one keeps on searching (at least, that’s what it says).

At that moment: Internet was working perfectly and the one STB that got an IP address worked perfectly as well.

Contacted the ISP and they tell me that they see a MAC address getting an IP (I think I saw it at /ip dhcp-client as a dynamic address). The MAC address corresponds to the VLAN interface that I created for VLAN 101.

/interface vlan
add interface=sfp1-WAN name=CAIW-VLAN-INTERNET vlan-id=100
add interface=sfp1-WAN name=CAIW-VLAN-IPTV vlan-id=101

/interface bridge
add fast-forward=no name=bridge-IPTV protocol-mode=none

/interface bridge port
add bridge=bridge-IPTV interface=CAIW-VLAN-IPTV trusted=yes
add bridge=bridge-IPTV interface=ether7-tv-beneden
add bridge=bridge-IPTV interface=ether8-tv-boven

How come this interface is interfering with the two STBs?
I thought that such a bridge would be transparent!?
The same config (running on RB4011’s) is working perfectly (didn’t test it at my place, two acquaintances confirmed this to me…).
Is there a difference in the hardware that can explain this behavior?

Running latest stable (6.47) but latest LTS (6.45.9) showed the same behavior.

Any help would be really appreciated!

It sounds strange, so a complete configuration export may reveal some mistake outside the part you’ve posted, which itself seems fine to me. See my automatic signature below regarding anonymisation.

Here you go:

# jun/10/2020 11:33:24 by RouterOS 6.47
# software id = VGMW-KPFA
#
# model = RouterBOARD 3011UiAS
# serial number = 783D0802DBF4
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name=f-2462 tx-power=9
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5500 name=f-5500 tx-power=25
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce \
    frequency=5260 name=f-5260 tx-power=22
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce \
    frequency=5660 name=f-5660 tx-power=20
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=dp-50 vlan-id=\
    50 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=dp-51 vlan-id=51 \
    vlan-mode=use-tag
/interface bridge
add fast-forward=no name=bridge-IPTV protocol-mode=none
add name=bridge-LAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-trunk
set [ find default-name=ether4 ] name=ether4-printer
set [ find default-name=ether5 ] name=ether5-nas
set [ find default-name=ether6 ] name=ether6-solar
set [ find default-name=ether7 ] name=ether7-tv-beneden
set [ find default-name=ether8 ] name=ether8-tv-boven
set [ find default-name=ether10 ] name=ether10-ap-boven
set [ find default-name=sfp1 ] name=sfp1-WAN
/caps-man interface
add disabled=yes l2mtu=1600 mac-address=6C:3B:6B:7D:68:AF master-interface=\
    none name=cap7 radio-mac=6C:3B:6B:7D:68:AF radio-name=6C3B6B7D68AF
add disabled=yes l2mtu=1600 mac-address=C4:AD:34:59:F5:FC master-interface=\
    none name=cap8 radio-mac=C4:AD:34:59:F5:FC radio-name=C4AD3459F5FC
/interface vlan
add interface=sfp1-WAN name=CAIW-VLAN-INTERNET vlan-id=100
add interface=sfp1-WAN name=CAIW-VLAN-IPTV vlan-id=101
add interface=bridge-LAN name=GUEST_VLAN vlan-id=51
add interface=bridge-LAN name=HOME_VLAN vlan-id=50
add interface=bridge-LAN name=SOLAR_VLAN vlan-id=53
add disabled=yes interface=bridge-LAN name=TV_VLAN vlan-id=54
add interface=bridge-LAN name=VIDEO_VLAN vlan-id=52
/caps-man rates
add basic=12Mbps,24Mbps name=rate1 supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=ELC
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=ELC_Guest
/caps-man configuration
add channel=f-5660 country=netherlands datapath=dp-50 distance=dynamic \
    hw-retries=4 installation=outdoor mode=ap multicast-helper=default name=\
    Conf-Buiten rates=rate1 security=ELC ssid=ELC
add channel=f-2462 country=netherlands datapath=dp-50 distance=indoors \
    hw-retries=4 installation=indoor mode=ap multicast-helper=default name=\
    Conf-2G rates=rate1 security=ELC ssid=ELC
add datapath=dp-51 name=Conf-Guest rates=rate1 security=ELC_Guest ssid=\
    ELC_Guest
add channel=f-5260 country=netherlands datapath=dp-50 distance=indoors \
    hw-retries=4 installation=indoor mode=ap multicast-helper=default name=\
    Conf-Boven rates=rate1 security=ELC ssid=ELC
add channel=f-5500 country=netherlands datapath=dp-50 distance=indoors \
    hw-retries=4 installation=indoor mode=ap multicast-helper=default name=\
    Conf-Beneden rates=rate1 security=ELC ssid=ELC
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128 hash-algorithm=sha512 \
    name=secure-profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128 hash-algorithm=sha512 \
    name=site2site-profile
/ip ipsec peer
add address=x.x.x.x/32 comment=site2site exchange-mode=ike2 name=\
    site2site profile=site2site-profile
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=secure-proposal \
    pfs-group=modp4096
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=site2site-proposal \
    pfs-group=modp4096
/ip pool
add name=HOME_POOL ranges=192.168.50.50-192.168.50.150
add name=GUEST_POOL ranges=192.168.51.50-192.168.51.150
add name=VIDEO_POOL ranges=192.168.52.50-192.168.52.150
add name=SOLAR_POOL ranges=192.168.53.50-192.168.53.150
add name=LT2P_POOL ranges=192.168.100.50-192.168.100.150
add name=VPN_POOL ranges=192.168.89.50-192.168.89.150
add name=TV_POOL ranges=192.168.54.50-192.168.54.150
/ip dhcp-server
add address-pool=HOME_POOL disabled=no interface=HOME_VLAN lease-time=1d \
    name=HOME_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN lease-time=1h \
    name=GUEST_DHCP
add address-pool=VIDEO_POOL disabled=no interface=VIDEO_VLAN lease-time=1d \
    name=VIDEO_DHCP
add address-pool=SOLAR_POOL disabled=no interface=SOLAR_VLAN lease-time=1d \
    name=SOLAR_DHCP
add address-pool=TV_POOL interface=TV_VLAN lease-time=1d name=TV_DHCP
/ppp profile
add change-tcp-mss=yes dns-server=1.1.1.1,1.0.0.1 local-address=\
    192.168.100.254 name=l2tp-profile remote-address=LT2P_POOL \
    use-encryption=required
set *FFFFFFFE dns-server=192.168.89.254 local-address=192.168.89.254 \
    remote-address=VPN_POOL use-upnp=no
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=any \
    signal-range=-80..-10 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any \
    signal-range=-120..-81 ssid-regexp=""
/caps-man manager
set ca-certificate=CAPsMAN-CA-B09D35164F3E certificate=CAPsMAN-B09D35164F3E \
    enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Conf-Boven \
    name-format=identity radio-mac=C4:AD:34:59:F5:FD slave-configurations=\
    Conf-Guest
add action=create-dynamic-enabled master-configuration=Conf-Beneden \
    name-format=identity radio-mac=C4:AD:34:59:DF:A2 slave-configurations=\
    Conf-Guest
add action=create-dynamic-enabled master-configuration=Conf-Buiten \
    name-format=identity radio-mac=6C:3B:6B:7D:68:AE slave-configurations=\
    Conf-Guest
add action=create-dynamic-enabled master-configuration=Conf-2G name-format=\
    identity radio-mac=C4:AD:34:59:DF:A1 slave-configurations=Conf-Guest
/interface bridge port
add bridge=bridge-LAN interface=ether2-trunk
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=50
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4-printer pvid=50
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5-nas pvid=50
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether6-solar pvid=53
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether9 pvid=50
add bridge=bridge-LAN interface=ether10-ap-boven
add bridge=bridge-IPTV interface=CAIW-VLAN-IPTV trusted=yes
add bridge=bridge-IPTV interface=ether7-tv-beneden
add bridge=bridge-IPTV interface=ether8-tv-boven
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether2-trunk,ether10-ap-boven \
    untagged=ether3,ether4-printer,ether5-nas,ether9 vlan-ids=50
add bridge=bridge-LAN tagged=bridge-LAN,ether2-trunk,ether10-ap-boven \
    vlan-ids=51
add bridge=bridge-LAN tagged=bridge-LAN,ether2-trunk vlan-ids=52
add bridge=bridge-LAN tagged=bridge-LAN untagged=ether6-solar vlan-ids=53
add bridge=bridge-LAN disabled=yes tagged=bridge-LAN untagged=ether8-tv-boven \
    vlan-ids=54
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=l2tp-profile enabled=yes \
    max-mru=1460 max-mtu=1460 use-ipsec=required
/interface list member
add interface=ether1-WAN list=WAN
add interface=HOME_VLAN list=LAN
add interface=GUEST_VLAN list=LAN
add interface=VIDEO_VLAN list=LAN
add interface=SOLAR_VLAN list=LAN
add interface=CAIW-VLAN-INTERNET list=WAN
/ip address
add address=192.168.50.254/24 interface=HOME_VLAN network=192.168.50.0
add address=192.168.51.254/24 interface=GUEST_VLAN network=192.168.51.0
add address=192.168.52.254/24 interface=VIDEO_VLAN network=192.168.52.0
add address=192.168.53.254/24 interface=SOLAR_VLAN network=192.168.53.0
add address=192.168.100.254/24 interface=HOME_VLAN network=192.168.100.0
add address=192.168.54.254/24 disabled=yes interface=TV_VLAN network=\
    192.168.54.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add interface=ether1-WAN use-peer-dns=no
add dhcp-options=clientid,hostname disabled=no interface=CAIW-VLAN-INTERNET \
    use-peer-dns=no
add add-default-route=no disabled=no interface=sfp1-WAN
/ip dhcp-server lease
add address=192.168.52.150 client-id=1:e0:50:8b:c:65:22 mac-address=\
    E0:50:8B:0C:65:22 server=VIDEO_DHCP
add address=192.168.50.201 mac-address=00:30:6E:FC:1F:83 server=HOME_DHCP
add address=192.168.50.10 client-id=1:0:11:32:c8:3b:51 mac-address=\
    00:11:32:C8:3B:51 server=HOME_DHCP
/ip dhcp-server network
add address=192.168.50.0/24 dns-server=192.168.50.10 gateway=192.168.50.254
add address=192.168.51.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.51.254
add address=192.168.52.0/24 dns-none=yes gateway=192.168.52.254
add address=192.168.53.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.53.254
add address=192.168.54.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.54.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.50.254 name=router type=A
add address=192.168.50.10 name=nassie type=A
add address=192.168.50.201 name=laserjet type=A
add address=192.168.60.10 name=nas type=A
/ip firewall address-list
add address=216.218.206.0/24 list=Block-address-list
add address=roblox.com list="Block games"
add address=supercell.com list="Block games"
add address=192.168.88.0/24 list=VPN-list
add address=192.168.200.0/24 list=VPN-list
/ip firewall filter
# inactive time
add action=drop chain=forward comment="Drop Games 20:30 - 0:00 (ma-zo)" \
    dst-address-list="Block games" time=\
    20h30m-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Drop Games 8:30 - 15:00 (ma-vr)" \
    dst-address-list="Block games" time=8h30m-15h,mon,tue,wed,thu,fri
# inactive time
add action=drop chain=forward comment="Drop Games 11:30 - 15:00 (za-zo)" \
    dst-address-list="Block games" time=11h30m-15h,sun,sat
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="BlockList (Secured with address list)" \
    src-address-list=Block-address-list
add action=accept chain=forward comment=site2site dst-address=192.168.50.0/24 \
    in-interface-list=WAN ipsec-policy=in,ipsec src-address=192.168.60.0/24
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment=ipsec-ike-natt dst-port=1701,500,4500 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow all coming from site-2-site" \
    protocol=tcp src-address=192.168.60.0/24
add action=accept chain=input comment="allow all coming from VPN" protocol=\
    tcp src-address=192.168.100.0/24
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=forward comment="Block guest network except WAN" \
    in-interface=GUEST_VLAN out-interface-list=!WAN
add action=drop chain=forward comment="Block solar network except WAN" \
    in-interface=SOLAR_VLAN out-interface-list=!WAN
add action=drop chain=forward comment="Block video network except LAN" \
    in-interface=VIDEO_VLAN out-interface=!HOME_VLAN
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat comment=site2site dst-address=192.168.60.0/24 \
    src-address=192.168.50.0/24
add action=accept chain=dstnat comment=site2site dst-address=192.168.50.0/24 \
    src-address=192.168.60.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip ipsec identity
add comment=site2site peer=site2site
/ip ipsec policy
add comment=site2site dst-address=192.168.60.0/24 peer=site2site proposal=\
    site2site-proposal sa-dst-address=x.x.x.x sa-src-address=0.0.0.0 \
    src-address=192.168.50.0/24 tunnel=yes
/ip route
add comment=site2site distance=1 dst-address=192.168.60.0/24 gateway=\
    HOME_VLAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=vpnuser profile=l2tp-profile service=l2tp
/routing igmp-proxy
set quick-leave=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=Router
/system ntp client
set enabled=yes primary-ntp=149.210.230.59 secondary-ntp=80.127.119.186

As you’ve shown in the OP, there is a dedicated bridge for the VLAN 101 of the uplink port alone, and no DHCP client attached to it (which would explain why the ISP can see DHCPDISCOVER coming from the Mikrotik’s own MAC address), no /interface bridge nat rules (which would explain why the source MAC address of a DHCPDISCOVER actually sent by the STB would be seen as Mikrotik’s own one at the ISP’s end).

However, you’ve attached one of the Mikrotik’s own DHCP clients directly to the sfp1-WAN, so if the PVID on the ISP’s interface is 101, it may explain why the ISP can see the MAC of the Mikrotik itself as a DHCP client in the TV VLAN. But this would only explain the issue of the STB not receiving a lease if the number of leases per customer link is limited; is that the case? If it is, it may take some time after disabling this client until the lease expires at the server. It is quite surprising for me that the ISP runs a DHCP server at all - I’ve always thought that the IP addresses must be provided to the STBs by the customers’ routers, and that multicast forwarding needs to be activated at the router so that the video streams would be delivered from the uplink VLAN 101 to the STBs in their LAN subnet.

Less important - according to the manual, trusted=yes at the /interface bridge port row is only taken into account when DHCP snooping is enabled on the bridge, but I’ve never tried that practically.

Thanks for the extensive answer, probably going to give the fibre a second chance. I’ll keep you posted.

Still a bit puzzled by why the ISP is seeing the DHCPDISCOVER from the VLAN interface MAC address, especially because the other STB is getting an IP address without any problems. I would assume that either both would have the VLAN MAC address or neither.

However, you’ve attached one of the Mikrotik’s own DHCP clients directly to the sfp1-WAN, so if the PVID on the ISP’s interface is 101, it may explain why the ISP can see the MAC of the Mikrotik itself as a DHCP client in the TV VLAN. But this would only explain the issue of the STB not receiving a lease if the number of leases per customer link is limited; is that the case? If it is, it may take some time after disabling this client until the lease expires at the server. It is quite surprising for me that the ISP runs a DHCP server at all - I’ve always thought that the IP addresses must be provided to the STBs by the customers’ routers, and that multicast forwarding needs to be activated at the router so that the video streams would be delivered from the uplink VLAN 101 to the STBs in their LAN subnet.

How would I disable “this client” (to make the lease expire)? Your assumption is correct: the ISP has a DHCP server (on all VLANs) and it is restricted to two IP addresses for IPTV (as I have 2 STBs).

Less important - according to the manual, trusted=yes at the /interface bridge port row is only taken into account when DHCP snooping is enabled on the bridge, but I’ve never tried that practically.

I copy/pasted a working config (that unfortunately is not working for me). I thought that IGMP snooping should be active as well, but working configs don’t have this option enabled.

I found a topic on the forum mentioning some problems with two VLANs sharing the same MAC address… could this have something to do with it?

If anyone has any thoughts I could try…?

Can anyone explain why if I start torch and select the VLAN 101 interface the source address is filled with an IP address?

Nothing to be puzzled about. There is no such thing as a VLAN MAC address - the VLAN interface inherits the MAC address of its underlying interface. And if that underlying interface is a bridge, it inherits its address from the first slave port to come up, unless you set one for the bridge administratively. So two VLAN interfaces on the same bridge will always have the same MAC address. So all three devices send their DHCPDISCOVERs - both STBs from their own MAC addresses, and the Mikrotik from the bridge MAC address. The latter sends it tagless as I wrote. If you haven't disabled it yet, /ip dhcp-client print detail should show you expires-after.

/ip dhcp-client disable [find interface=sfp1-WAN]

DHCP snooping and IGMP snooping are two different things. IGMP snooping is necessary when you need to route multicast packets from one IP subnet to another, i.e. when the router gets its IP address from the TV vlan, and the STBs get it from the router itself in another subnet. In this case, you need to see to which multicast groups the STB subscribes, and send an own subscription to the ISP. But that's not your current setup. And you don't need to worry about any rogue DHCP servers either, so the trusted=yes property of the /interface bridge port row is not necessary.

I can imagine a DHCP server with a centralized client database to get confused by getting a request from two different LANs with the same MAC address. So this way or another,

The roles of "source" and "destination" in torch are a bit confusing. /tool sniffer quick gives results that are much easier to understand.
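The diagnosis above (three DHCPDISCOVERs on the uplink, one of them untagged from the router's own MAC, against an ISP limit of two IPTV leases) can be modelled end to end. The following Python is an added example written for this thread, not code from the original posts or from MikroTik: it builds minimal Ethernet/IPv4/UDP/DHCP frames, parses them back to (source MAC, 802.1Q VLAN id, DHCP message type, chaddr), and runs them through a toy lease policy. The MAC addresses are constructed placeholders, and the policy encodes two assumptions from the thread that you would confirm with a capture (/tool sniffer quick on sfp1-WAN): that the ISP side treats untagged frames as VLAN 101 (its PVID) and that it grants at most two leases per customer link. The model goes slightly beyond the thread by also showing the outcome once the stray client is disabled.

```python
"""Model of the thread's symptom: a router DHCP client on the raw uplink
consumes one of two IPTV leases, so the second STB never gets an address.
Added example; frames and MACs below are constructed, not captured."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
DHCP_DISCOVER = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"

# Constructed placeholders; the real sfp1-WAN and STB MACs are not on the page.
ROUTER_MAC = "02:00:00:00:00:aa"   # MAC the router's own DHCP client sends from
STB_BENEDEN = "02:00:00:00:00:b1"  # STB on ether7-tv-beneden
STB_BOVEN = "02:00:00:00:00:b2"    # STB on ether8-tv-boven


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_discover_frame(src_mac: str, vlan_id=None) -> bytes:
    """Minimal DHCPDISCOVER in a broadcast Ethernet frame.
    vlan_id=None gives an untagged frame (what a client bound directly to
    sfp1-WAN emits); otherwise an 802.1Q tag is inserted after the MACs."""
    chaddr = mac_bytes(src_mac) + b"\x00" * 10
    # BOOTP fixed header: op=1 (request), htype=1, hlen=6, hops, xid, secs,
    # flags (broadcast bit), ciaddr/yiaddr/siaddr/giaddr, chaddr, sname, file
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x12345678,
                       0, 0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       chaddr, b"\0" * 64, b"\0" * 128)
    dhcp += DHCP_MAGIC + bytes([53, 1, DHCP_DISCOVER, 255])  # option 53 + end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac)
    if vlan_id is None:
        return eth + struct.pack("!H", ETH_P_IP) + ip
    return eth + struct.pack("!HHH", ETH_P_8021Q, vlan_id & 0x0FFF, ETH_P_IP) + ip


def parse_frame(frame: bytes) -> dict:
    """Extract source MAC, VLAN id (None if untagged) and, for a DHCP client
    datagram, the message type and client hardware address (chaddr)."""
    src = mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != ETH_P_IP:
        return {"src_mac": src, "vlan": vlan, "dhcp": None}
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    udp_off = off + ihl
    _sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    if proto != 17 or dport != 67:
        return {"src_mac": src, "vlan": vlan, "dhcp": None}
    dhcp = frame[udp_off + 8:]
    chaddr = mac_str(dhcp[28:34])
    opts, i, msg_type = dhcp[240:], 0, None   # options start after the magic cookie
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:                      # pad option
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return {"src_mac": src, "vlan": vlan, "dhcp": {"type": msg_type, "chaddr": chaddr}}


def assign_leases(frames, pvid: int, limit: int):
    """Toy ISP DHCP server: untagged frames are taken to belong to VLAN `pvid`
    (assumption from the thread), and at most `limit` distinct MACs get a
    lease on the link. Returns (mac, outcome) in arrival order."""
    leased, result = [], []
    for f in frames:
        p = parse_frame(f)
        if p["dhcp"] is None or p["dhcp"]["type"] != DHCP_DISCOVER:
            continue
        vlan = pvid if p["vlan"] is None else p["vlan"]
        if vlan != 101:
            result.append((p["src_mac"], "ignored: not in IPTV VLAN"))
        elif p["src_mac"] in leased:
            result.append((p["src_mac"], "renewed"))
        elif len(leased) < limit:
            leased.append(p["src_mac"])
            result.append((p["src_mac"], "offered"))
        else:
            result.append((p["src_mac"], "no lease: limit reached"))
    return result


def demo():
    """Same two STBs, with and without the router's untagged client present."""
    with_client = [build_discover_frame(ROUTER_MAC),          # untagged, PVID applies
                   build_discover_frame(STB_BENEDEN, 101),    # tagged by CAIW-VLAN-IPTV
                   build_discover_frame(STB_BOVEN, 101)]
    return (assign_leases(with_client, pvid=101, limit=2),
            assign_leases(with_client[1:], pvid=101, limit=2))


if __name__ == "__main__":
    for label, rows in zip(("client on sfp1-WAN enabled", "client disabled"), demo()):
        print(label)
        for mac, outcome in rows:
            print(f"  {mac}: {outcome}")
```

With the raw-uplink client present the third DISCOVER is refused, which matches one STB "searching" while the other works; with it disabled both STBs are offered leases. Which STB loses depends only on arrival order, so the first STB to boot after the router tends to be the one that works.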

As I was working on the changes, it turned out my ISP supports routed IPTV. Therefore I changed the configuration and no longer require VLAN 101. Will have to turn on IGMP spoofing on the bridge.

Thanks @sindy, I really appreciate all the effort. You taught me a lot.