VLANs, CAPsMAN and the case of the missing DHCP

RouterOS General
1

Hello everyone

Apologies up front if this has been answered elsewhere. I found numerous similar questions, but none that seem to solve my exact problem.

I am trying to set up the following network.
Home Network.png
I realise I could enable VLAN handling in the Proxmox server, but the hardware has multiple Ethernet ports, which I hoped might make things simpler.

I’ve been working through examples from this forum page, but I am coming unstuck when trying to apply a CAPsMAN configuration.

The SSIDs are broadcasted as expected, and the Ethernet ports are offering the correct VLAN’ed network as well.
The problem is that the DHCP service is not available on any of the SSIDs, so clients never receive an IP address.

Here is my current configuration.

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Mikrotik"


#######################################
# VLAN Overview
#######################################

# 10 = Main (main)
# 20 = IoT (iot)
# 30 = Guest (guest)


#######################################
# WIFI Setup
#######################################

/caps-man configuration
# MAIN SSID
add country=australia datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=use-tag name=CONFIG_MAIN security.authentication-types=wpa2-psk security.passphrase=TheMainPassword ssid=main
# IOT SSID
add country=australia datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=use-tag name=CONFIG_IOT security.authentication-types=wpa2-psk security.passphrase=TheIotPassword ssid=iot
# GUEST SSID
add country=australia datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag name=CONFIG_GUEST security.authentication-types=wpa2-psk security.passphrase=TheGuestPassword ssid=guest

/caps-man manager set enabled=yes
/caps-man provisioning add action=create-dynamic-enabled master-configuration=CONFIG_MAIN slave-configurations=CONFIG_IOT,CONFIG_GUEST


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge
set bridge name=BR1 protocol-mode=none vlan-filtering=no

#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# CAP PORT
set [find interface=ether2] bridge=BR1 pvid=1

# MAIN VLAN (MAIN)
set [find interface=ether3] bridge=BR1 pvid=10

# IOT VLAN (IOT)
set [find interface=ether4] bridge=BR1 pvid=20

# GUEST VLAN (GUEST)
#add bridge=BR1 interface=wlan-guest pvid=30

# BASE_VLAN
set [find interface=ether5] bridge=BR1 pvid=99

#
# egress behavior
#
/interface bridge vlan

# MAIN, IOT, & BASE VLAN
add bridge=BR1 untagged=ether3 vlan-ids=10
add bridge=BR1 untagged=ether4 vlan-ids=20
add bridge=BR1 untagged=ether5 vlan-ids=99

# L3 switching so Bridge must be a tagged member
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=30]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="8.8.8.8"

# Yellow WAN facing port with IP Address provided by ISP
# /ip dhcp-client add disabled=no interface=ether1


#######################################
# IP Services
#######################################

# MAIN VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=MAIN_VLAN vlan-id=10
/ip address add interface=MAIN_VLAN address=10.10.0.1/24
/ip pool add name=MAIN_POOL ranges=10.10.0.20-10.10.0.254
/ip dhcp-server add address-pool=MAIN_POOL interface=MAIN_VLAN name=MAIN_DHCP disabled=no lease-time=10h
/ip dhcp-server network add address=10.10.0.0/24 dns-server=10.10.0.10 gateway=10.10.0.1

# IOT VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=IOT_VLAN vlan-id=20
/ip address add interface=IOT_VLAN address=10.10.20.1/24
/ip pool add name=IOT_POOL ranges=10.10.20.30-10.10.20.254
/ip dhcp-server add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP disabled=no lease-time=10h
/ip dhcp-server network add address=10.10.20.0/24 dns-server=10.10.0.10 gateway=10.10.20.1

# GUEST VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GUEST_VLAN vlan-id=30
/ip address add interface=GUEST_VLAN address=10.10.30.1/24
/ip pool add name=GUEST_POOL ranges=10.10.30.10-10.10.30.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no lease-time=10h
/ip dhcp-server network add address=10.10.30.0/24 dns-server=10.10.0.10 gateway=10.10.30.1

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no lease-time=10h
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

# RESERVED DHCP addresses
/ip dhcp-server lease
add address=10.10.20.37 mac-address=A4:CF:12:DB:F9:C6 server=IOT_DHCP
add address=10.10.20.38 client-id=1:0:6:c6:5c:53:e9 mac-address=00:06:C6:5C:53:E9 server=IOT_DHCP
add address=10.10.0.201 client-id=1:b8:27:eb:2e:ce:5d mac-address=B8:27:EB:2E:CE:5D server=MAIN_DHCP


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1 list=WAN
add interface=MAIN_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

#TROUBLE! add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]

#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
#LATER /ip neighbor discovery-settings set discover-interface-list=BASE
#LATER /tool mac-server mac-winbox set allowed-interface-list=BASE
#LATER /tool mac-server set allowed-interface-list=BASE

#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

# Yellow WAN facing port with IP Address provided by ISP
# /ip dhcp-client add disabled=no interface=ether1

Can anyone spot where I am going wrong? Or, if I’m way off, even suggest an alternate solution?

Thanks,
Tofu

2

Bump.

Can anyone offer any advice, please?

3

Your example configuration script does not provide enough context. I recommend you study the article you linked first, get it working correctly, before trying to add a CAPsMAN into the mix. The reason you can’t broadcast DHCP requests could be because of a couple of reasons. I would need to see how the cAP AC’s ports are configured as well. However, get it working without CAPsMAN, first.

Also, today is an international holiday. So, you may not get a timely response here.

4

ether2 needs to be set as tagged for vlan 10, 20 and 30, along with the bridge itself.

There is no point in setting untagged= for any VLANs in your case, it doesn’t do anything.