I am struggling for some days on a setup I want to achieve.
Background: I want to get rid of my ISP box and let my RB4011 communicate directly with the ONT (so directly with the ISP).
For some reason, my ISP needs to receive DHCP requests through VLAN 832 with a priority of 6 for this to work.
I know that I can't use mangle for that, as DHCP uses raw sockets, and I also know that my switch chip does not support rules to set this priority to 6, which leaves me with the only option of creating a VLAN over a bridge and then creating a rule to set the priority to 6 for the matching frames.
Is everybody in line with me up to now?
I have never done this, so I must be messing up some settings, as this is not working... I suspect that my settings around Bridge and VLAN are not correct, but I can't find out which ones and why (despite the several hours spent trying various things....)
My DHCP client keeps on searching... (whereas my other DHCP client, when I go through the ISP box, quickly goes from searching, to requesting to bound)
Here is my config. Do you guys see the weak point?
# may/11/2019 16:27:31 by RouterOS 6.44.2
# software id = 6DZP-Q4TF
#
# model = RB4011iGS+
# serial number = AAAF09XXXXX
/interface bridge
add admin-mac=B8:69:F4:XX:XX:XX auto-mac=no comment=defconf name=bridge
add fast-forward=no ingress-filtering=yes name=bridgePrio6 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface vlan
add interface=bridgePrio6 name=Vlan832 vlan-id=832
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=90 name=authentication value="XXXXX"
add code=77 name=userclass value="XXXXX"
add code=60 name=vendorclass value=0x736167656d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes mac-protocol=ip new-priority=6 out-bridge=bridgePrio6 out-interface=ether1-WAN passthrough=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN pvid=832
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridgePrio6 tagged=bridgePrio6 untagged=ether1-WAN vlan-ids=832
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=bridgePrio6 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-WAN
add dhcp-options=hostname,clientid,authentication,vendorclass,userclass disabled=no interface=bridgePrio6
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=XXXXXX
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name="sniff 11 Mai" filter-interface=bridgePrio6
Thank you in advance for the help!
First of all, move ether1-WAN from the untagged to the tagged list below:
/interface bridge vlan
add bridge=bridgePrio6 tagged=bridgePrio6,ether1-WAN vlan-ids=832
Next, change the pvid from 832 to 1 below:
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN pvid=1
Disagree with Sindy The Complicated!!
Don't need a bridge for the WAN side of the deal.
Get rid of it; don't use any kind of bridge.
My ONT is connected to my MT on ether5.
In my case no priority is required.
The only issue for me is that we are not given the IP gateway.
I have to go into the DHCP client menu click on the connection, check status tab, find the IP gateway and then put that into my IP Routing rules.
(Don't see IP routing rules in your config?)
So you're saying that at DHCP client acquisition time, the bridge method is the only way to set QoS or CoS during the initial negotiations??
Funny, my ISP Bell does this for the TV side of the house: VLAN plus a certain priority. My Zyxel router could assign CoS for everything but the initial handshaking ('twas very frustrating to see them add the capability and then not apply it at the most critical time).
Would be cool if the MT could do this for the initial handshake as well (however, my days of paying the ISP for TV are long, long gone).
The CoS field can be set in two places: /ip firewall mangle or /interface bridge filter
When working directly on the vlan interface (edge router or device that adds the tag), use /ip firewall mangle.
When dealing with bridges use /interface bridge filter.
To set the CoS field, the action that is used on the rules is set-priority. When this is set on the VLAN interface, it will set its CoS id.
@sindy & @anav, while your little spat is cute you both have failed to notice some glaring errors in this config.
bridgePrio6 is the one that is supposed to filter this WAN VLAN stuff. So why is it a member of the default bridge?! That’s a no no.
There is nothing that shows bridgePrio6 has ether-1 as a member of that bridge. So that is also not correct.
While I’ve only worked on one RB4011, I don’t recall all the switch menu options being set like this. But I won’t know until this week when it’s back up online at the customer site to double check, but it wasn’t like this when I was doing the initial setup.
There is a DHCP client assigned to both ether-1 AND bridgePrio6, if they are supposed to be in the bridge together and doing VLAN filtering then why do they both need a DHCP client? As far as I can tell they don’t.
So this entire config is a complete mess. The minor details you are discussing need to be addressed after the entire mess is cleaned up. At least that’s how I see it.
I did as suggested, but it doesn’t change anything…
When I sniff either ether1 or bridgeprio6 I see the DHCP Discovery, there is no VLAN tag in the header… We agree that I should see the VLAN header here, right?
And of course no Offer is following…
Just to be sure, the suggested correction:
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN pvid=832 pvid=1.
was in
/interface bridge port
right?
I’ve tried to modify the WAN interface in Interface list to Bridgeprio6 but still the same…
EDIT: just noticed the last post, I am trying those suggestions, will revert
@anav, I’m usually only complicated when the situation requires it. E.g. if you send me a box of chocolate, I’ll just say “thank you”, no complications to be expected.
Your findings are all correct, but what throws a pitchfork into it is the fact that dhcp packets (both those sent/received by a client and those sent/received by a server) bypass the /ip firewall. So the only place where you can modify the priority field of a DHCP packet carried inside a VLAN frame is the /interface bridge filter (or /interface ethernet switch rule, but we deal with a 4011 here and I have no device with the same switch chip to try on before posting), which is what the OP has properly identified and attempted to do. And the only issue is that he’s spent a lot of effort to attach the VLAN tag with VLAN ID and priority to the frame only to strip it again on egress due to incorrect setting of ether1-WAN as an access port, for which I’ve suggested him a correction.
Right, except that the pvid=832 was crossed out in my post in order to show that it has to be replaced by pvid=1. Hope you did it.
And, as @Samot has pointed out correctly, you have to move the dhcp-client from bridgePrio6 to the VLAN interface Vlan832 . But your bridge configuration was otherwise correct, don’t change it.
Where can you see bridgePrio6 as a member of bridge? I cannot see anything like that (Mikrotik lets you do a lot of things which should not be done but it refuses to make a bridge a member interface of another bridge directly).
/interface bridge port
…
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN pvid=832
That was suspicious to me as well but as long as it would be harmless even if it would work I didn’t care.
Yes, I’ve missed this. The client attached directly to ether1-WAN while ether1-WAN is a member port of a bridge is one of the things which RouterOS should refuse to do but it unfortunately lets you, and it is harmless in this situation; the DHCP client on the bridge rather than on the /interface vlan is the mistake which prevents the frames from getting the tag with VLAN ID.
Seriously, how would one, for traffic coming from an ISP on vlan XX, also ensure that the router meets the necessary requirements of replying with handshakes/traffic with the correct DSCP (tos), CoS or QoS.
So confusing… just how bout the right “priority” LOL
I thought mangling was just for “inside” the router and thus would have no bearing on traffic going back to the ISP?
The RB4011 has a RTL8367 switch chip which does not support Vlan / Rule Tables, so as far as my knowledge goes (nothing compared to sindy’s) I doubt you will find anything in the switch menu. All have to be done on Bridge (Software) level for this device
/interface vlan is a pipe which takes frames tagged with its VID from the underlying interface to which it is attached and untags them; in the opposite direction, it tags untagged frames. So when you attach your (static or dynamic) IP configuration to /interface vlan and send a packet from there, the /interface vlan tags it and sends it out to the underlying bridge or other L2 interface which then handles it further.
The mangle rules can set both “real” fields in the IP packet header, like the DSCP field, and the “metafields”, like connection-mark or routing-mark, which are not actual fields of the packet header but travel through the kernel along with the packet on its internal “tag”. The priority field is something in between, as at IP level it is a metafield but /interface vlan can translate it into 802.1Q priority (CoS) field of the VLAN tag, and /interface wireless can translate it into a WMM field of the wireless frame (and vice versa in the opposite direction).
Terminologically,
QoS is a common name of the method of ensuring that more important packets get priority handling,
CoS (class of service) is the name of the three-bit field in the 802.1Q tag (so L2)
DSCP (differentiated services control point) or TOS (type of service) are two different ways to indicate the QoS class of the packet in the IP header (so L3)
In most devices, you have to define your own rules to map between CoS and DSCP/TOS, and you can assign any of them or both based on other criteria (source/destination address etc.).
Mangle rules handle IP packets before and after routing - see here and here. But the handling of DHCP packets is different and is not mentioned on these pictures. And that’s the reason why you have to use a rule in /interface bridge filter, which unfortunately requires, as the first step, to insert a bridge into the path between the /interface vlan and interface ethernet.
The way Google Fiber and the OP’s ISP use of the CoS field in the VLAN tag is rather a misuse to me, because normally it is used to convey the information about frame priority, not that it would have to contain a single mandatory value. But I have no idea what weakness of their system they had to circumvent this way, so I am careful to judge. See more details here.
BTW, @zigjack, I think you may (or may even have to) simplify the /interface bridge filter rule down to just
action=set-priority chain=output new-priority=6 out-bridge=bridgePrio6 out-interface=ether1-WAN
i.e. that it is not necessary to set the CoS field exclusively for DHCP packets. I don’t know in which order the match conditions are evaluated, but rewriting the three bits in the tag may be equally CPU consuming as finding out that the frame doesn’t match udp protocol and a particular port in it.
But I admit that it may require some more fiddling if, as @CZFan suggests, the purpose of the exercise with a mandatory CoS value is to discourage clients from using their own gear. Oh yes, and my own bet is not France but Germany/Switzerland/Austria
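To make the two points above concrete (the OP's sniffer showing a DHCP Discover with no VLAN tag, and the explanation of how /interface vlan tags frames and where the 802.1Q priority bits live), here is an added example, not code from the thread or from MikroTik. It builds constructed sample frames (placeholder MACs, a stub DHCP Discover with zero checksums) with and without an 802.1Q tag, parses the tag back out, and reports whether a captured frame meets the requirement described in the thread: VLAN ID 832 with priority (PCP/CoS) 6 on DHCP traffic. The frame-building helpers and the sample frames are assumptions made for the demonstration; the VID and priority values come from the OP's description.

```python
import struct

# Requirement as stated in the thread: DHCP on VLAN 832 with 802.1Q priority 6.
ISP_VID = 832
ISP_PCP = 6
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
DHCP_PORTS = (67, 68)


def build_dhcp_discover_payload(client_mac: bytes) -> bytes:
    """Constructed IPv4 + UDP(68->67) wrapper around a stub BOOTP header (op=1).
    Checksums are left at zero: this is sample input for the parser, not a frame to send."""
    bootp = struct.pack("!BBBB", 1, 1, 6, 0) + b"\x00" * 24 + client_mac + b"\x00" * 10
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(4), b"\xff\xff\xff\xff")  # 0.0.0.0 -> 255.255.255.255
    return ip_hdr + udp


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes, vid=None, pcp=0) -> bytes:
    """Ethernet II frame. When vid is given, insert an 802.1Q tag after the MACs:
    TPID 0x8100, then TCI = PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits).
    This is the tag /interface vlan adds on egress; set-priority rewrites the PCP bits."""
    tag = b""
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Return tag presence, PCP, VID and whether the payload is DHCP (UDP 67/68)."""
    info = {"tagged": False, "pcp": None, "vid": None, "dhcp": False}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update(tagged=True, pcp=tci >> 13, vid=tci & 0x0FFF)
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4:
        ip = frame[offset:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] == 17:  # UDP
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
            info["dhcp"] = sport in DHCP_PORTS and dport in DHCP_PORTS
    return info


def diagnose(frame: bytes, vid: int = ISP_VID, pcp: int = ISP_PCP) -> str:
    """Classify a captured frame against the ISP requirement from the thread."""
    info = parse_frame(frame)
    if not info["dhcp"]:
        return "not-dhcp"
    if not info["tagged"]:
        return "untagged"      # what the OP's sniff showed: client bound to the bridge, no tag
    if info["vid"] != vid:
        return "wrong-vid"
    if info["pcp"] != pcp:
        return "wrong-pcp"     # tag present but the set-priority rule never applied
    return "ok"


# Constructed sample frames (placeholder MAC addresses).
CLIENT_MAC = bytes.fromhex("b869f4000001")
BROADCAST = b"\xff" * 6
PAYLOAD = build_dhcp_discover_payload(CLIENT_MAC)
DISCOVER_UNTAGGED = build_frame(BROADCAST, CLIENT_MAC, PAYLOAD)
DISCOVER_TAGGED = build_frame(BROADCAST, CLIENT_MAC, PAYLOAD, vid=ISP_VID, pcp=ISP_PCP)
DISCOVER_PCP0 = build_frame(BROADCAST, CLIENT_MAC, PAYLOAD, vid=ISP_VID, pcp=0)

if __name__ == "__main__":
    for name, frame in (("untagged", DISCOVER_UNTAGGED), ("tagged pcp6", DISCOVER_TAGGED),
                        ("tagged pcp0", DISCOVER_PCP0)):
        print(f"{name:12s} -> {diagnose(frame):10s} {parse_frame(frame)}")
```

In practice the bytes fed to parse_frame would come from the saved sniffer file rather than from the constructed samples; the useful signal is the "untagged" verdict, which is exactly the symptom the OP described and which the corrections in this thread (client on Vlan832, ether1-WAN tagged, pvid 1) are meant to remove.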
First of all, wait a couple of minutes after disconnecting the ISP box before trying your DHCP client. Some OLTs have a MAC anti-spoofing mechanism.
If OLT learns the same MAC address from two or more ONTs on the same GPON it will block the inflow from the last ONT.
It also might be necessary for your DHCP client to include proper:
Client ID
User Class
Vendor Class ID