cccoro
just joined
Topic Author
Posts: 6
Joined: Sun Feb 19, 2017 11:39 pm

3 vlan network 3 dhcp servers RB3011

Wed Mar 08, 2017 1:08 am

Hi, I seem to be having some issues configuring VLAN + DHCP servers and am not sure what best to do.

Have reset the MikroTik, SSH in, and copy and paste this config in; however, it seems to have issues configuring DHCP since it's on a bridge. Any time I change bridges it seems I get kicked out of the router and have to factory reset it. Any ideas would be great.
/interface vlan
add name=10-office  interface=ether6-master vlan-id=10
add name=20-phone  interface=ether6-master  vlan-id=20
add name=40-wifi  interface=ether6-master  vlan-id=40

/ip address
add address=192.168.10.1/24 interface=10-office
add address=172.16.1.1/24 interface=20-phone
add address=192.168.40.1/24 interface=40-wifi

/ip pool add name=10-office ranges=10.169.184.1-10.169.185.254
/ip pool add name=20-phone ranges=172.16.1.1-172.16.1.254
/ip pool add name=40-wifi ranges=192.168.40.1-192.168.41.254

/ip dhcp-server enable 0
/ip dhcp-server add interface=ether6-master address-pool=10-office
/ip dhcp-server add interface=ether6-master address-pool=20-phone
/ip dhcp-server add interface=ether6-master address-pool=40-wifi

/ip dhcp-server network add address=192.168.10.0/24 gateway=10.169.184.1 dns-server=8.8.8.8 comment="10-office"
/ip dhcp-server network add address=172.16.1.0/24 gateway=172.16.1.1 dns-server=8.8.8.8 comment="20-phone"
/ip dhcp-server network add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=8.8.8.8 comment="40-wifi"

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.40.0/24 out-interface=ether1
add chain=srcnat action=masquerade src-address=172.16.1.0/24 out-interface=ether1
add chain=srcnat action=masquerade src-address=192.168.10.0/24 out-interface=ether1



 
dskillin
newbie
Posts: 28
Joined: Mon Mar 06, 2017 5:49 pm

Re: 3 vlan network 3 dhcp servers RB3011

Wed Mar 08, 2017 1:50 am

You're putting the IP on the VLAN, then placing the servers on to eth6. Try putting them on the respective VLAN.

Also your pool objects have the same name as the VLAN. I'd suggest something like 10-office-vlan and 10-office-pool.
 
cccoro
just joined
Topic Author
Posts: 6
Joined: Sun Feb 19, 2017 11:39 pm

Re: 3 vlan network 3 dhcp servers RB3011

Wed Mar 08, 2017 1:59 am

Ok so way around that was to put /interface ether7 into master-port=none
[admin@MikroTik] /interface ethernet> /interface ethernet
[admin@MikroTik] /interface ethernet> set ether7 master-port=none
However, if I now plug it into a switch on my network that has already got these configurations working, VLAN/DHCP does not seem to work. However, now I am getting DHCP server invalid.

[admin@MikroTik] /ip dhcp-server> print
Flags: X - disabled, I - invalid
 #   NAME               INTERFACE               RELAY           ADDRESS-POOL               LEASE-TIME ADD-ARP
 0   defconf            bridge                                  default-dhcp               10m
 1 I dhcp1              office                                  1-office                   10m
[admin@MikroTik] /ip dhcp-server> /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge
 1   10.169.184.1/23    10.169.184.0    1-office

 
dskillin
newbie
Posts: 28
Joined: Mon Mar 06, 2017 5:49 pm

Re: 3 vlan network 3 dhcp servers RB3011

Wed Mar 08, 2017 8:01 am

I mocked a CHR up in my lab, and configured it as you've laid out here. Be aware that there is no protection enabled on this template, and it shouldn't be used for production without locking it down. Based on your comments, I took some guesses in the example, and provided methods for TRUNK ports and ACCESS ports, covering all of the VLAN you mentioned. This should give a good basis for how to accomplish the various tasks that you are looking at.

First, the proof is in the pudding, the NAT rules, with stats from the exit traffic:
[admin@MikroTik] > /ip firewall nat print stats
Flags: X - disabled, I - invalid, D - dynamic 
 #    CHAIN                                                               ACTION                            BYTES  
 0    srcnat                                                              masquerade                        2 068  
 1    srcnat                                                              masquerade                          372  
 2    srcnat                                                              masquerade                          212  

[admin@MikroTik] > /ip firewall nat print      
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade src-address=10.169.184.0/24 out-interface=wan log=no log-prefix="" 
 1    chain=srcnat action=masquerade src-address=172.16.1.0/24 out-interface=wan log=no log-prefix="" 
 2    chain=srcnat action=masquerade src-address=192.168.40.0/23 out-interface=wan log=no log-prefix="" 
Next, a series of pings to various IP addresses on the VLANS from the router.
[admin@MikroTik] > ping 172.16.1.254 count=2
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                                         
    0 172.16.1.254                               56 128 0ms  
    1 172.16.1.254                               56 128 0ms  
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 

[admin@MikroTik] > ping 192.168.41.253 count=2
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                                         
    0 192.168.41.253                             56  64 0ms  
    1 192.168.41.253                             56  64 0ms  
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 

[admin@MikroTik] > ping 10.169.184.2 count=2
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                                         
    0 10.169.184.2                               56  64 0ms  
    1 10.169.184.2                               56  64 0ms  
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 
A torch on a VLAN spanning a TRUNK
[admin@MikroTik] > /tool torch ether5-vlan10 duration=30 ip-protocol=any dst-address=0.0.0.0/0
MAC-PROTOCOL    IP-PROTOCOL DST-ADDRESS                                                                               TX         RX TX-PACKETS RX-PACKETS
ip              icmp        8.8.8.8                                                                                 0bps     784bps          0          1
ip              tcp         52.32.124.79                                                                          592bps    3.2kbps          1          3
ip              tcp         52.85.89.207                                                                        43.9kbps   11.7kbps          9          7
ip              tcp         172.217.5.238                                                                      945.9kbps   54.8kbps         86         71
ip              udp         10.169.184.1                                                                        11.3kbps    4.1kbps          6          6
                                                                                                              1001.8kbps   74.8kbps        102         88
Finally, the config that made this all happen:
# mar/08/2017 05:19:34 by RouterOS 6.39rc33
# software id = 
#
/interface bridge
add name=10-office-vlan-bridge
add name=20-phone-vlan-bridge
add name=40-wifi-vlan-bridge
/interface ethernet
set [ find default-name=ether2 ] comment="local port, set to be on VLAN10 (ACCESS)"
set [ find default-name=ether3 ] comment="local port, set to be on VLAN20 (ACCESS)"
set [ find default-name=ether4 ] comment="local port, set to be on VLAN40 (ACCESS)"
set [ find default-name=ether5 ] comment="trunk port, carries VLAN10, VLAN20, and VLAN40 (TRUNK)"
set [ find default-name=ether6 ] comment="trunk port, carries VLAN10 and VLAN20 (TRUNK)"
set [ find default-name=ether1 ] name=wan
/interface vlan
add interface=ether5 name=ether5-vlan10 vlan-id=10
add interface=ether5 name=ether5-vlan20 vlan-id=20
add interface=ether5 name=ether5-vlan40 vlan-id=40
add interface=ether6 name=ether6-vlan10 vlan-id=10
add interface=ether6 name=ether6-vlan20 vlan-id=20
/ip pool
add name=10-office-pool ranges=10.169.184.2-10.169.184.254
add name=20-phone-pool ranges=172.16.1.2-172.16.1.254
add name=40-wifi-pool ranges=192.168.40.2-192.168.41.254
/ip dhcp-server
add add-arp=yes address-pool=20-phone-pool authoritative=yes disabled=no interface=20-phone-vlan-bridge lease-time=1h name=20-phone-dhcp
add add-arp=yes address-pool=40-wifi-pool authoritative=yes disabled=no interface=40-wifi-vlan-bridge lease-time=1h name=40-wifi-dhcp
add add-arp=yes address-pool=10-office-pool authoritative=yes disabled=no interface=10-office-vlan-bridge lease-time=1h name=10-office-dhcp
/caps-man manager interface
add disabled=no
/interface bridge port
add bridge=10-office-vlan-bridge interface=ether2
add bridge=10-office-vlan-bridge interface=ether5-vlan10
add bridge=10-office-vlan-bridge interface=ether6-vlan10
add bridge=20-phone-vlan-bridge interface=ether3
add bridge=20-phone-vlan-bridge interface=ether5-vlan20
add bridge=20-phone-vlan-bridge interface=ether6-vlan20
add bridge=40-wifi-vlan-bridge interface=ether4
add bridge=40-wifi-vlan-bridge interface=ether5-vlan40
/ip address
add address=10.169.184.1/24 interface=10-office-vlan-bridge network=10.169.184.0
add address=172.16.1.1/24 interface=20-phone-vlan-bridge network=172.16.1.0
add address=192.168.40.1/23 interface=40-wifi-vlan-bridge network=192.168.40.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=wan use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.169.184.0/24 dns-server=10.169.184.1 gateway=10.169.184.1 ntp-server=10.169.184.1
add address=172.16.1.0/24 dns-server=172.16.1.1 gateway=172.16.1.1 ntp-server=172.16.1.1
add address=192.168.40.0/23 dns-server=192.168.40.1 gateway=192.168.40.1 ntp-server=192.168.40.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan src-address=10.169.184.0/24
add action=masquerade chain=srcnat out-interface=wan src-address=172.16.1.0/24
add action=masquerade chain=srcnat out-interface=wan src-address=192.168.40.0/23
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.30
I hope this helps.
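
The template above has no firewall, and with allow-remote-requests=yes the router answers DNS on every interface, including wan. A minimal lock-down for it follows as an added example (not part of dskillin's post): it assumes the interface names from that config, that management should come only from the office VLAN, and that the VLANs need internet access but not each other.

```routeros
# Added example, not from the thread. Interface names (wan, *-vlan-bridge)
# come from the config above. Rules are evaluated top to bottom.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related comment="replies to router-initiated traffic"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
# Assumption: WinBox/SSH management is allowed from the office VLAN only
add chain=input action=accept in-interface=10-office-vlan-bridge comment="management from office"
# Phone and wifi clients may use only DNS, DHCP and NTP on the router
add chain=input action=accept protocol=udp dst-port=53,67,123 in-interface=20-phone-vlan-bridge
add chain=input action=accept protocol=tcp dst-port=53 in-interface=20-phone-vlan-bridge
add chain=input action=accept protocol=udp dst-port=53,67,123 in-interface=40-wifi-vlan-bridge
add chain=input action=accept protocol=tcp dst-port=53 in-interface=40-wifi-vlan-bridge
# Everything else is dropped, including DNS queries arriving on wan
add chain=input action=drop comment="drop all other input"
# --- forward chain: traffic routed through the router ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Each VLAN may reach the internet
add chain=forward action=accept in-interface=10-office-vlan-bridge out-interface=wan
add chain=forward action=accept in-interface=20-phone-vlan-bridge out-interface=wan
add chain=forward action=accept in-interface=40-wifi-vlan-bridge out-interface=wan
# No rule allows bridge-to-bridge traffic, so the final drop isolates the VLANs
add chain=forward action=drop comment="drop inter-VLAN and unsolicited inbound"
```

Paste it from a session on the office VLAN with Safe Mode enabled, so that a rule which cuts off your own session is rolled back when the connection drops.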
 
cccoro
just joined
Topic Author
Posts: 6
Joined: Sun Feb 19, 2017 11:39 pm

Re: 3 vlan network 3 dhcp servers RB3011

Wed Mar 08, 2017 2:18 pm

Really appreciate it. When I SSH into the MikroTik and copy and paste it, it fails; I guess because I am factory resetting the MikroTik, then SSH into 192.168.88.1 and then running the commands, but there must be something there that is conflicting?

Is there any way around this without a console cable?

Just so I explain myself, I want to set up the following:
Vlan 1 - Office - 10.169.184.0/23 (default)
Vlan 20 - Phone - 172.16.1.0/24
Vlan 40 - Wifi - 192.168.40.0/24
Do not need any connection between the vlans they all just need internet access.
[admin@MikroTik] /ip dhcp-server> /caps-man manager interface
bad command name interface (line 1 column 19)
[admin@MikroTik] /ip dhcp-server> add disabled=no
interface:
Script Error: action cancelled
and also
[admin@MikroTik] /ip dhcp-server> /interface bridge port
[admin@MikroTik] /interface bridge port> add bridge=10-office-vlan-bridge interface=ether2
failure: device already added as bridge port
[admin@MikroTik] /interface bridge port> add bridge=10-office-vlan-bridge interface=ether5-vlan10
[admin@MikroTik] /interface bridge port> add bridge=10-office-vlan-bridge interface=ether6-vlan10
[admin@MikroTik] /interface bridge port> add bridge=20-phone-vlan-bridge interface=ether3
failure: device already added as bridge port
[admin@MikroTik] /interface bridge port> add bridge=20-phone-vlan-bridge interface=ether5-vlan20
[admin@MikroTik] /interface bridge port> add bridge=20-phone-vlan-bridge interface=ether6-vlan20
input does not match any value of interface
[admin@MikroTik] /interface bridge port> add bridge=40-wifi-vlan-bridge interface=ether4
failure: device already added as bridge port
[admin@MikroTik] /interface bridge port> add bridge=40-wifi-vlan-bridge interface=ether5-vlan40

 
dskillin
newbie
Posts: 28
Joined: Mon Mar 06, 2017 5:49 pm

Re: 3 vlan network 3 dhcp servers RB3011

Wed Mar 08, 2017 3:24 pm

Try this:
  1. Connect after reset with winbox to the MAC not the IP.
  2. Select the option to clear the config in that first connection.
  3. Open the console, in winbox.
  4. Bring your WAN online.
  5. Check for and apply updates.
Winbox will also give you the ability to browse around the router to look for conflicts.
https://mikrotik.com/download

Also, remove the following from your template.
/caps-man manager interface
add disabled=no
 
cccoro
just joined
Topic Author
Posts: 6
Joined: Sun Feb 19, 2017 11:39 pm

Re: 3 vlan network 3 dhcp servers RB3011

Fri Mar 10, 2017 9:11 pm

That works really well and that config works; however, when I try to change VLAN 10 to VLAN 1 in all locations and plug my laptop directly into port 5, it's not picking up an IP address. If I plug into a managed switch and set up tagging I do get an IP address. Thought VLAN 1 was the default VLAN but I must be doing something wrong.
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: 3 vlan network 3 dhcp servers RB3011

Fri Mar 10, 2017 9:29 pm

When you connect directly to a port you have applied a VLAN to, you will not get an IP, as the traffic is on the VLAN: you have applied the IP to that VLAN and the DHCP to that VLAN, which is tagged, and your computer does not see the tagged traffic. Your switch has a trunk port which has that VLAN allowed on it and sees the tagged traffic, and then you have an access port on the switch that was configured with the VLAN as an untagged port.
 
cccoro
just joined
Topic Author
Posts: 6
Joined: Sun Feb 19, 2017 11:39 pm

Re: 3 vlan network 3 dhcp servers RB3011

Tue Mar 14, 2017 4:39 pm

Is there a way to untag port 5 so that there is a default VLAN, so it passes through even when you plug in?

The issue I am having is that when I plug a switch into port 5, I have to tag VLAN 1 on the port I am connecting to get access to the MikroTik, and even though the switch is set to DHCP it's not getting an IP address.

Thank you
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: 3 vlan network 3 dhcp servers RB3011

Tue Mar 14, 2017 5:01 pm

If you apply the IP address to the port ether 5 and apply the DHCP pool to that port you should get connectivity. It just depends what you are wanting to do.
 
dskillin
newbie
Posts: 28
Joined: Mon Mar 06, 2017 5:49 pm

Re: 3 vlan network 3 dhcp servers RB3011

Tue Mar 14, 2017 5:02 pm

Remove the VLAN(s) from port 5, and place that port in a BRIDGE with VLAN(x).

Looking at the old sample config, we see that ether5 is tagged with VLAN 10, 20, and 40 in a TRUNK configuration. Its VLANs are added to BRIDGES to "tie" the VLANs together.
/interface vlan
add interface=ether5 name=ether5-vlan10 vlan-id=10
add interface=ether5 name=ether5-vlan20 vlan-id=20
add interface=ether5 name=ether5-vlan40 vlan-id=40
add interface=ether6 name=ether6-vlan10 vlan-id=10
add interface=ether6 name=ether6-vlan20 vlan-id=20

/interface bridge port
add bridge=10-office-vlan-bridge interface=ether2
add bridge=10-office-vlan-bridge interface=ether5-vlan10
add bridge=10-office-vlan-bridge interface=ether6-vlan10
add bridge=20-phone-vlan-bridge interface=ether3
add bridge=20-phone-vlan-bridge interface=ether5-vlan20
add bridge=20-phone-vlan-bridge interface=ether6-vlan20
add bridge=40-wifi-vlan-bridge interface=ether4
add bridge=40-wifi-vlan-bridge interface=ether5-vlan40
To undo that, we do exactly as you would expect. Remove the VLAN tagging, and the subsequent tying of bridges. We then tie the interface to the bridge with the VLAN we would like to use. Examples for this were in the original config...
/interface vlan
add interface=ether6 name=ether6-vlan10 vlan-id=10
add interface=ether6 name=ether6-vlan20 vlan-id=20
add interface=ether6 name=ether6-vlan40 vlan-id=40

/interface bridge port
add bridge=10-office-vlan-bridge interface=ether2
add bridge=10-office-vlan-bridge interface=ether5
add bridge=10-office-vlan-bridge interface=ether6-vlan10
add bridge=20-phone-vlan-bridge interface=ether3
add bridge=20-phone-vlan-bridge interface=ether6-vlan20
add bridge=40-wifi-vlan-bridge interface=ether4
add bridge=40-wifi-vlan-bridge interface=ether6-vlan40
Try to remember for ACCESS, you tie a port to a VLAN, with a TRUNK you tie one or more VLAN(s) to VLAN(s). You "tie" with a bridge.
