Web server confined to VLAN doesn't obtain DHCP lease

Hey all,

I’ve got a Mikrotik RB3011UIAS-RM, and a Mikrotik CSS326-24G-2S+RM Managed switch.

My issue is this: I’m trying to confine my webserver to a VLAN. My goal here is to improve network security; if the server were to become compromised, it would be challenging to gain access to other devices on the network. Keeping with the goal of maintaining some security in the event of a breach, I’m using the switch to set the VLAN rather than set it on the webserver. I’ve attached all of the relevant screenshots that I can think of; let me know if I’m missing something.

When I let the server connect to the regular network 192.168.88.0/24, there are no issues. It obtains a lease and I can connect easily. However, when I confine the traffic to the VLAN only, the server doesn’t seem to be able to hear, or maybe respond to, the DHCP lease offer.

What am I missing?

What I am missing in your information is the way things are interconnected.
Also the bridge config on the RB3011 might be related.

Another check is to be done on your firewall filter rules.
First of all, group them by chain. And make sure the final drop rule is last.
Final thought: I have never added a DHCP allow rule, since this is layer 2 traffic, it never reaches the firewall.