Why isn't DHCP working on my VLAN?

I am trying to set up ether2 as an access port on VLAN 10 with a DHCP server on that VLAN. I ran the following to create the VLAN and assign the access port:

# VLAN 10 access-port setup exactly as the poster ran it (RouterOS CLI, not a
# shell script). What it lacks is an /interface bridge vlan entry for VLAN 10,
# which the replies later identify as the cause of the DHCP failure.
/interface bridge
set [find name=bridge] vlan-filtering=yes
# Layer-3 interface for VLAN 10, anchored on the bridge itself.
/interface vlan
add interface=bridge name=vpn vlan-id=10
/ip pool
add name=vpn ranges=10.10.110.2-10.10.110.254
# The DHCP server is bound to the vpn VLAN interface; presumably it can only
# hand out leases once VLAN 10 frames actually reach that interface.
/ip dhcp-server
add address-pool=vpn interface=vpn lease-time=10m name=vpn
# ether2 as an access port: pvid=10 places its untagged ingress frames into
# VLAN 10; the frame-types value (going by its name) keeps tagged frames out.
/interface bridge port
set [find bridge=bridge interface=ether2] frame-types=\
    admit-only-untagged-and-priority-tagged pvid=10
/ip address
add address=10.10.110.1/24 interface=vpn network=10.10.110.0
/ip dhcp-server network
add address=10.10.110.0/24 gateway=10.10.110.1

I was hoping this would allocate IPs in the 10.10.110.2-10.10.110.254 range on ether2, but I don’t get an IP allocated when connecting to this port.

I am running RouterOS 7.13 on a hAP ac². I’ve seen some guides showing adding ether2 as an untagged port on the bridge (under /interface bridge vlan), but it seems like this is already created dynamically by RouterOS.

I assume I’m missing something obvious. Here’s my full configuration as it is now (the majority of it is stock):

# 2023-12-27 20:33:27 by RouterOS 7.13
# software id = XXXX-XXXX
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXXXXXX
# Full export as posted (identifiers redacted by the poster). Mostly the stock
# "defconf" configuration plus the VLAN 10 / "vpn" additions.
/interface bridge
# ingress-filtering=no is questioned later in the thread; the poster reports it
# is simply what export printed and that "no" appears to be the default.
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface vlan
add interface=bridge name=vpn vlan-id=10
# These interface lists drive the firewall (in-interface-list /
# out-interface-list), neighbor discovery and the MAC-server restrictions below.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=XXX \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="united kingdom" disabled=no distance=indoors frequency=2437 \
    installation=indoor mode=ap-bridge security-profile=XXX ssid=XXX \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge security-profile=XXX ssid=XXX \
    wireless-protocol=802.11
# wlan3 is a station (client) towards another AP; it is placed in the WAN list
# and runs a DHCP client further down, i.e. it is the WAN uplink.
add disabled=no mac-address=XX:XX:XX:XX:XX:XX master-interface=wlanX mode=\
    station name=wlan3 ssid=XXX wds-default-bridge=bridge
/ip pool
add name=default-dhcp ranges=10.10.10.2-10.10.10.254
add name=vpn ranges=10.10.110.2-10.10.110.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=vpn interface=vpn lease-time=10m name=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
# ether2 is the VLAN 10 access port (pvid=10); the remaining ports keep the
# bridge default. Note there is no /interface bridge vlan section anywhere in
# this export, which the replies identify as the missing piece.
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
    ether2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 \
    internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Only "bridge" is a LAN member; the vpn VLAN interface is not. The input-chain
# "drop all not coming from LAN" rule below therefore also drops VLAN 10
# traffic addressed to the router itself (point (4) in the replies).
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wlan3 list=WAN
/ip address
add address=10.10.10.1/24 interface=bridge network=10.10.10.0
add address=10.10.110.1/24 interface=vpn network=10.10.110.0
/ip dhcp-client
add comment=defconf interface=ether1
add interface=wlan3
/ip dhcp-server network
add address=10.10.10.0/24 comment=defconf gateway=10.10.10.1
add address=10.10.110.0/24 gateway=10.10.110.1
# allow-remote-requests=yes lets the router answer DNS queries it receives;
# reachability of that resolver is bounded by the input-chain rules below,
# which drop input not arriving via the LAN list.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.10.1 comment=defconf name=router.lan
# Stock defconf firewall. Input chain: accept established/related/untracked,
# drop invalid, accept ICMP and loopback, then drop everything not from LAN.
# Forward chain: accepts established/related (fasttracked) and drops invalid
# and new WAN traffic without DST-NAT; nothing restricts traffic between the
# vpn VLAN and the 10.10.10.0/24 bridge subnet, so the two are routed freely
# (see the follow-up about reaching 10.10.10.11 from VLAN 10).
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT for everything leaving via a WAN-list interface (ether1, wlan3).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
# MAC-server and MAC-WinBox access limited to interfaces in the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

My current setup connects to another wireless AP using wlan3 (5GHz) and uses that as the WAN interface. Can anyone see what’s wrong with my configuration?

What you’re missing is setting the bridge itself (as a bridge port) to be a tagged member of VLAN 10. This is needed because you created a VLAN interface named vpn, anchored to the bridge interface, with vlan-id set to 10, so the bridge port has to be a tagged member of that VLAN.

So something like this:

# Declares VLAN 10 on the bridge with the bridge interface (the one the vpn
# VLAN interface is anchored to) as a tagged member; the thread confirms this
# entry was the missing piece for DHCP on VLAN 10.
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10

(1) Get rid of the ingress-filtering=no setting on the bridge… is there a reason you put that there?

(2) As far as your configuration goes, why bother with a VPN VLAN? There is no VPN attached.
Why not attach the subnet directly to ether2?

(3) You have no setting for bridge vlan
# Same idea as the fix above, but also lists ether2 as a static untagged member
# of VLAN 10 alongside the tagged bridge interface. The poster noted RouterOS
# already adds the pvid-based untagged membership dynamically; listing it here
# makes the access-port intent explicit in the config.
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10

(4) The VLAN is not actually included in the LAN interface list either…

@mkx that fixed it, thanks!

@anav

(1) Get rid of the ingress-filtering=no setting on the bridge… is there a reason you put that there?

I generated the list of commands I ran using export after setting it up in WebFig. Not sure why it printed out ingress-filtering, as no seems to be the default anyway.


(2) As far as your configuration goes, why bother with a VPN VLAN? There is no VPN attached.
Why not attach the subnet directly to ether2?

I’m going to be setting up wireguard and a separate routing table to force all traffic on this VLAN down the tunnel, however I wanted to get the VLAN working first. I’m using a VLAN instead of just configuring a single port as I’m going to be adding other interfaces to it later (e.g. wireless).


(3) You have no setting for bridge vlan

Yep, that was the issue - thanks!


(4) The VLAN is not actually included in the LAN interface list either…

Good catch - I’ve added this which has fixed accessing the router from the VLAN.

Now that it’s working, I’ve noticed that I can communicate with devices not on VLAN 10 whilst on VLAN 10 - is this expected? Is it because the other devices aren’t on a VLAN?

What’s the best way to prevent this? Just put all other traffic in another VLAN?

Define “communicate”.

For example, I can ping and make HTTP requests to 10.10.10.11 from 10.10.110.254.

VLAN doesn’t separate at layer 3.

Use proper firewall rules to allow what can be done, drop all the rest from/to that VLAN.

As the rest already hinted at: your ROS device is a router, which will happily pass packets between interfaces that have IP addresses set (according to the routing information it is configured with).
If that doesn’t suit you, you can either use routing rules (pretty effective but not really flexible) or firewall rules (slower but much more flexible) to control which traffic can flow in which direction.