WAN interface intermittently receiving DHCP from DHCP server

RouterOS Beginner Basics
1

Hi everyone, I’m brand new to all of this. I’m trying to set up my RB5009 as a dual WAN router.

My issue is that one of my WAN interfaces (WAN2) is intermittently receiving a IP address from the router’s DHCP server. (Also when that interface is active, my local devices will sometimes receive IP addresses from the DHCP server on the WAN network.

I’m really not sure what I’m doing wrong here.

Any help would be greatly appreciated.

configuration below:

# 2024-11-22 18:10:52 by RouterOS 7.11.3
# software id = UZNZ-WWVF
#
# model = RB5009UG+S+
# serial number = 
/interface bridge
add add-dhcp-option82=yes admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=\
    "LAN bridge" dhcp-snooping=yes name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name="LAN1 (2.5G) "
set [ find default-name=ether2 ] name=LAN2
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=ether5 ] name=LAN5
set [ find default-name=ether6 ] name=LAN6
set [ find default-name=ether7 ] comment=ether7 name=WAN1
set [ find default-name=ether8 ] comment=ether8 name=WAN2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="subnet 10 dhcp pool" ranges=192.168.10.31-192.168.10.254
/ip dhcp-server
add address-pool="subnet 10 dhcp pool" interface=bridge1 lease-time=8h name=\
    "Main DHCP"
/interface bridge port
add bridge=bridge1 interface=LAN2
add bridge=bridge1 interface=LAN3
add bridge=bridge1 interface=LAN4
add bridge=bridge1 interface=LAN5
add bridge=bridge1 interface=LAN6
add bridge=bridge1 disabled=yes interface=sfp-sfpplus1
add bridge=bridge1 interface="LAN1 (2.5G) "
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge1 list=LAN
add interface=WAN2 list=WAN
add interface=WAN1 list=WAN
/ip address
add address=192.168.10.1/24 comment=LAN interface=bridge1 network=\
    192.168.10.0
/ip dhcp-client
add add-default-route=no interface=WAN2
add add-default-route=no interface=WAN1
/ip dhcp-server network
add address=192.168.10.0/24 comment="subnet 10" dns-server=192.168.10.1 \
    gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 name=router.local
add address=192.168.10.30 name=truenas.local
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" \
    connection-nat-state="" in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-mark="" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat connection-type="" dst-port=8554 \
    in-interface-list=all protocol=tcp to-addresses=192.168.10.20 to-ports=\
    8554
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=all protocol=\
    tcp to-addresses=192.168.10.20 to-ports=80
add action=dst-nat chain=dstnat dst-port=8000 in-interface-list=all protocol=\
    tcp to-addresses=192.168.10.20 to-ports=8000
add action=dst-nat chain=dstnat dst-port=554 in-interface-list=all protocol=\
    tcp to-addresses=192.168.10.20 to-ports=554
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=\
    WAN protocol=tcp src-port=443 to-addresses=192.168.10.20
add action=dst-nat chain=dstnat dst-port=32400 in-interface-list=all \
    protocol=tcp to-addresses=192.168.10.30 to-ports=32400
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    32.221.168.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24 disabled=yes
set ssh address=192.168.10.0/24
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="unspecified address" list=bad_ipv6
add address=::1/128 comment=lo list=bad_ipv6
add address=fec0::/10 comment=site-local list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=ipv4-mapped list=bad_ipv6
add address=::/96 comment="ipv4 compat" list=bad_ipv6
add address=100::/64 comment="discard only " list=bad_ipv6
add address=2001:db8::/32 comment=documentation list=bad_ipv6
add address=2001:10::/28 comment=ORCHID list=bad_ipv6
add address=3ffe::/16 comment=6bone list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="rfc4890 drop hop-limit=1" hop-limit=\
    equal:1 protocol=icmpv6
add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="accept HIP" protocol=139
add action=accept chain=forward comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment=\
    "accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
/routing filter rule
add chain="" disabled=no rule=""
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
2

Maybe I’m blind but I don’t see anything irregular in the configuration you have provided besides the following thing:

/interface bridge
add add-dhcp-option82=yes admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=
“LAN bridge” dhcp-snooping=yes name=bridge1

It’s probably best to remove it since you don’t use a DHCP relay at least according to the config

3

I originally didn’t that in there, I added it as a troubleshooting measure. I’ll remove it again.

4

I created a second bridge called WANBR and added WAN2 to it. As soon as I did that, it stopped getting DHCP from my server. Unfortunately NAT stopped working as well.

5

I was missing the WANBR in my WAN interface list. I added that, now everything works as intended. I have no idea why it’s necessary to have a second single member bridge on the WAN side though.

6

Interesting that your problem is resolved by creating more bridges. Maybe there is a bug in RouterOS with the handling of the switch chip? My config is the reverse. Because the RB5009 has a switch chip with quite a few hardware offload features, and because all the 9 ports are connected to the switch chip, I started an experiment where on my main router a single bridge is used with all the 9 ports as members and VLAN is used exclusively (Bridge VLAN Filtering is hardware offloaded by the switch chip). All my LAN subnets are VLAN (the main bridge has no IP configured), and the WAN ports are part of their own VLANs too, configured as access port. All 9 ports have the H flag (are hardware offloaded). It’s not the case if you create multiple bridges on the router, you can check your Bridge → Ports table.

That experiment has been running for over a year now :rofl: and everything works except for one thing, that is the fasttrack counters all zero. Most of the IPv4 connections still have the fasttrack (F) flag but the byte and packet counters are not incremented. Because the router is fast enough (can still route 2.3Gbps to WAN (limited by GPON) and 2/3 of my traffics are IPv6 anyway) I’ve not bothered to investigate further or to revert the configuration.