VLAN issue, DHCP not working

Hi guys,

My setup is as follows:

bridge
ether1 = my modem
ether2 = lan-bridge
wlan1 = lan-bridge

I'm trying to set up a VLAN under the bridge interface. Everything seems to apply, but the VLAN DHCP servers don't hand out any IPs and machines cannot connect via DHCP, only via static addresses.

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge

/interface ethernet
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local

/interface vlan
add interface=bridge name=vlan100 use-service-tag=yes vlan-id=100
add interface=bridge name=vlan200 use-service-tag=yes vlan-id=200

/interface bridge port
add bridge=bridge interface=ether2-master-local
add bridge=bridge interface=wlan1
add bridge=bridge interface=vlan100
add bridge=bridge interface=vlan200

/ip address
# My LAN
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
# My PPPoE server - WAN
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
add address=2.2.2.1/24 interface=vlan100 network=2.2.2.0
add address=3.3.3.1/24 interface=vlan200 network=3.3.3.0

/ip dhcp-server
add address-pool=dhcp_pool4 interface=vlan100 name=dhcp1

/ip dhcp-server network
add address=2.2.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=2.2.2.1

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=62.38.0.81,62.38.1.81,8.8.8.8
    
/ip pool
add name=dhcp_pool4 ranges=2.2.2.2-2.2.2.254

I do not know what I'm doing wrong, and any help will be appreciated.

Thank you in advance.

Remove these:

/interface bridge port
add bridge=bridge interface=vlan100
add bridge=bridge interface=vlan200

This will tag all bridge traffic with vlan 100 and 200.
As you already have tagged traffic in your bridge, you’re creating QinQ.
In your case it's enough to add the vlan interfaces to the bridge as you did in /interface vlan.


-Chris

Hi dude, and thank you for your reply,

As you can see in my script, I have added the VLAN interfaces to the bridge. DHCP still works only on the bridge, not on the VLANs.

Exactly. And this is most likely your problem:
It’s enough to add them with

/interface vlan
add interface=bridge name=vlan100 use-service-tag=yes vlan-id=100
add interface=bridge name=vlan200 use-service-tag=yes vlan-id=200

So remove the vlans from /interface bridge port and it should work.
And BTW: Are you sure you need to use the service tag?
-Chris

Thank you again for your reply,

I'll try it in a few minutes and give feedback. No, I'm not sure about the service tag. I didn't find any documentation about it; I saw it checked somewhere else.

Since I'm a rookie in VLANs, my goal for a start is just to create another isolated LAN (or not isolated, just for tests in the beginning). So… do I need vlan200 in my configuration?

So… nope, I removed the VLANs from the bridge ports and DHCP is still not working on the VLANs. Any other ideas?

Try to set use-service-tag=no - maybe your secondary/tertiary hardware doesn’t like it.
The rest of your config looks fine.
-Chris

I did that from the time you mentioned it before. I'm losing my rest over this issue. Everything I read seems to say I've done it right, and it still doesn't work. I turned off the firewall, rebooted… nothing.

Any further help, please?

Now that is getting interesting.
How do you test the access to that vlan? Maybe some incomplete configuration on the attached switch?
What’s your involved gear, its configs and physical topology?
-Chris

I will explain right now,

I'm testing with my smartphone connected directly to wlan1, and nothing happens when I change from the bridge DHCP server to the VLAN DHCP server; I can't obtain an IP address at all. The same thing happens to a desktop which is connected to an unmanaged switch in front of the RB.

PCs > switch (unmanaged) > RB > modem (WAN)

A simple topology, let's say.

So…

A dumb switch is probably the least ideal device to test vlans with.
You won't have any vlan functionality in basic 802.11 equipment. It works with a MikroTik wireless client due to MT's proprietary extensions.
Did you configure your PC's NIC to use vlan100?

And finally - what do you want to achieve? Maybe it's faster to come to a working solution when we're starting from the other direction :)


-Chris

First of all, I do all these tests from my home, and I want to achieve the following.

I'm a technician in a couple of SOHO companies that need 2 networks, e.g. 1 static LAN for some employees and an isolated DHCP network (other subnet etc.) for other people. I know that some of this can be done via the RB firewall or hotspot, but I also want to slowly learn more of the features I can get from the RB. That's why I'm trying this now.

I want to thank you for spending your time on my issues.

You’re very welcome.

Now we’re getting there.
I’d suggest this:

Step 1:
Create another bridge.
Move the address and dhcp server from vlan100 to that bridge.
Delete the vlan interfaces.
Create a virtual access point with different security profile and ssid.
Add this vap to the newly created bridge.
Now you have a guest wifi.
Play around with “default forward” settings and see what it does when having two or more w/l clients connected to the guest network.
Then find your way through firewall filter rules to isolate the two networks. Hint: you’ll mostly need the forward chain but the input chain is not completely unimportant.

Step 2:
Remove one of your (unused) ethernet ports from its master port.
Add it to the guest bridge.
Now you created an access port for guests.
Now play around with bridge horizon and see what it does to client-to-client communication (try one wired and one wireless client).

Step 3:
Add a vlan with id=100 to ether2-master.
Add this as a port to the guest bridge.
Get a managed switch and create an access port for vlan 100.
Connect your computer to it.

Step 4:
For more advanced isolating practice, set the bridge's arp mode to reply-only and set the dhcp-server to "add arp for leases".
Then try to get into the network with a self-assigned static IP address.

After those steps, you have a basic understanding of creating multiple networks and distributing them.
Good luck!

-Chris
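The four steps above, as an added example written for this thread (not Chris's own configuration and not MikroTik's code): one RouterOS v6 script in the same master-port style as the original post. It goes slightly beyond Step 3 by keeping the private LAN untagged on the ether2 uplink and carrying only the guest network tagged, and it spells out the forward and input firewall rules that Step 1 only hints at. The names bridge-guest, wlan-guest, guest-profile, dhcp_pool_guest, dhcp-guest and vlan100-guest, the SSID "Guest", the virtual-AP syntax (RouterOS 6.35 or later) and the placeholder pre-shared key are assumptions; the guest subnet 2.2.2.0/24 is reused from the original post.

```routeros
# Added example (not Chris's or MikroTik's own code): Steps 1-4 as one
# RouterOS v6 script. Assumed names: bridge-guest, wlan-guest, guest-profile,
# dhcp_pool_guest, dhcp-guest, vlan100-guest. The guest subnet 2.2.2.0/24 is
# reused from the original post. CHANGE-ME-PSK is a placeholder.

# Step 1: second bridge for the guest network. arp=reply-only (Step 4) makes
# the router answer ARP only for entries it already holds, so a guest that
# self-assigns a static IP gets no ARP reply and cannot reach the gateway.
/interface bridge
add name=bridge-guest arp=reply-only

# Virtual AP on wlan1 with its own SSID and security profile.
# default-forwarding=no stops wireless guests from talking to each other.
/interface wireless security-profiles
add name=guest-profile mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key=CHANGE-ME-PSK
/interface wireless
add name=wlan-guest master-interface=wlan1 ssid=Guest \
    security-profile=guest-profile default-forwarding=no disabled=no

# horizon=1 on every guest port: ports sharing a horizon value never forward
# to each other, so a wired guest and a wireless guest are isolated as well.
/interface bridge port
add bridge=bridge-guest interface=wlan-guest horizon=1

# Address, pool and DHCP server moved from vlan100 to the guest bridge.
# add-arp=yes (Step 4) creates the ARP entry only when a lease is handed out,
# which is what makes arp=reply-only on the bridge enforceable.
/ip address
add address=2.2.2.1/24 interface=bridge-guest network=2.2.2.0
/ip pool
add name=dhcp_pool_guest ranges=2.2.2.2-2.2.2.254
/ip dhcp-server
add name=dhcp-guest interface=bridge-guest address-pool=dhcp_pool_guest \
    add-arp=yes disabled=no
/ip dhcp-server network
add address=2.2.2.0/24 gateway=2.2.2.1 dns-server=8.8.8.8,8.8.4.4

# Step 2: free an unused port from the master port, make it a guest access port.
/interface ethernet
set [ find default-name=ether5 ] master-port=none
/interface bridge port
add bridge=bridge-guest interface=ether5-slave-local horizon=1

# Step 3: carry the guest network tagged as VLAN 100 over the existing uplink
# (ether2-master-local); the private LAN stays untagged on the same cable and
# the managed switch or AP at the far end strips the tag.
/interface vlan
add name=vlan100-guest interface=ether2-master-local vlan-id=100
/interface bridge port
add bridge=bridge-guest interface=vlan100-guest horizon=1

# Isolation between the two networks. forward: guests may reach the WAN but
# not the private LAN, and the private LAN may not open connections into the
# guest network. input: the router itself offers only DHCP and DNS to guests.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge-guest out-interface=bridge action=drop \
    comment="guest -> private LAN"
add chain=forward in-interface=bridge out-interface=bridge-guest action=drop \
    comment="private LAN -> guest"
add chain=input in-interface=bridge-guest connection-state=established,related \
    action=accept
add chain=input in-interface=bridge-guest protocol=udp dst-port=67 \
    action=accept comment="DHCP from guests"
add chain=input in-interface=bridge-guest protocol=udp dst-port=53 \
    action=accept comment="DNS from guests"
add chain=input in-interface=bridge-guest action=drop \
    comment="no other access to the router from guests"
```

Each section can be pasted into the terminal on its own; ordering matters only for the firewall filter, which is evaluated top to bottom, so the accept rules for established traffic, DHCP and DNS must stay above the final drop. use-service-tag is deliberately left at its default (no): the guest VLAN is a plain 802.1Q tag, which is what a managed switch access port or an AP trunk expects, whereas the service tag of the original post produces 802.1ad (QinQ) frames that such gear will not untag.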

Thank you very much again,

I'll do all these tests tomorrow, because I'm far away now, but I suspect that my issue is that smartphones especially and other wireless machines do not support the VLAN feature in their network cards, and also, as you said, the unmanaged switches. So I hope…

Well…

According to your recommendation I did the following, because the equipment right now does not allow VLANs to run, so I created…

  1. a guest bridge with IP 1.1.1.1

  2. a virtual ethernet interface, assigned as a guest bridge port. I do not need the MT wlan for this case, because I have set up APs in the areas. I do not know if a virtual ethernet interface is really needed, because I have assigned the IP on the guest bridge.

  3. another guest DHCP server on the guest bridge, which works fine.

  4. a firewall forward drop rule src-address 1.1.1.0/24 > dst-address 192.168.0.1 (my server IP), for those who are under the guest DHCP server, to drop access to the server.

The question that comes up now is how to configure the guest DHCP server to be the default one that hands out IPs first, and not the main one for the employees? I want that server to give out the IPs first, and not the main one.

Thank you in advance.

I don’t get your #2 - what did you create a virtual ethernet for?
This type of interface is intended to be used with virtual routers within your hardware.
If you want to connect your guest bridge to a physical interface, follow my advice in Step 2.
This will be connected to and served through your guest bridge (along with its DHCP server) only.
And concerning your question about dhcp server, I have the impression that you’re still connecting to your “private” network and wonder why the clients don’t get guest addresses - right?
In this case: you created two completely independent networks - plugging gear into network 1 does connect it to network 1. If you want to have it on network 2, connect it to network 2.

And for the APs you already deployed: either they need to get the guest network on a VLAN on their feed (refer to my advice in step 3), or you deployed dedicated APs for the guest network - in that case, they need to be connected according to my advice above.

-Chris

Yes, I know that this configuration is wrong; that's why I'm here again.

I also have to say that all network cables cross the building and end up at a gigabit switch, which is connected to the MT's ether2 port and only that. So I can't do step 2; I do not have another physical interface connected to the MT.

With the virtual wlan and bridge I tested at home and all works fine, and the 2 DHCP servers also. But I do not need that. I need the wired implementation to work with that single ethernet cable.

OK.
The physical access port is more meant as a proof of concept. No need to forcibly do it.
Then proceed with step 3. You might be lucky and your dumb switches forward vlan-tagged frames unmodified and undropped.
In this case, just add the vlan to your APs and it should be good to go.

If not, you're out of options but to get managed switches.
-Chris

Thank you again, my friend. I'll first look for a workaround, to see if I can run a cable directly to the MT's ether3 port to get something that works.