
 
baumi
just joined
Topic Author
Posts: 7
Joined: Fri Oct 04, 2019 11:19 am

Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Fri Oct 04, 2019 11:50 am

Hi,

I have already found multiple topics like this but none of them helped me. What I'm trying to achieve is to set up my guest Wifi (using Unifi unifi ap-ac-pro) and mikrotik RB3011UiAS. All my devices are currently connected to ether2 and my internet connection is connected to ether1.

What I currently did:

1. Enable VLAN for one of my Wifi networks:

Image

2. Created VLAN interface:

Image

3. Assigning new address on vlan interface

Image

4. Setting up DHCP server for that interface:

Image

5. Bridge / VLAN settings:
Here I'm not sure, I was just looking at the solution on the topic viewtopic.php?t=132119

Image

6. Enable vlan filtering on the bridge interface:

Image

Now when I want to connect to my guest network (that uses vlan10) I get no IP address. What am I missing?
 
tdw
Member Candidate
Posts: 194
Joined: Sat May 05, 2018 11:55 am

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Fri Oct 04, 2019 1:00 pm

As you are using a VLAN-aware bridge:
The VLAN interface created in #2 should be attached to bridge-lan NOT ether2
When setting up the DHCP server in #4 you need to create an entry under the Network tab too
The bridge VLAN settings in #5 are not correct, the entry for VLAN 10 should have tagged=bridge-lan,ether2 and no untagged entries
 
baumi
just joined
Topic Author
Posts: 7
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Fri Oct 04, 2019 2:32 pm

Thank you for the answer! I have changed the config as you mentioned but nothing has changed. I'm still not able to get an IP from DHCP when connected to the guest network. Also looking at the interface list I can see no traffic on vlan10. Changes I made:

#2
Attaching vlan interface to bridge:

Image

#4
I had an entry in Network tab:

Image

#5
Fixing bridge vlan settings (cannot remove vlan10 from Untagged for vlan id 10):

Image

Any other place I should update or anything else I'm missing?
 
tdw
Member Candidate
Posts: 194
Joined: Sat May 05, 2018 11:55 am

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Fri Oct 04, 2019 7:12 pm

The current untagged vlan10 entry is incorrect, it may be cleared by a reboot.

Note that vlan10 should not be included under Bridge>Ports, the output of /export hide-sensitive would be more useful than a selection of screenshots.
 
baumi
just joined
Topic Author
Posts: 7
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Fri Oct 04, 2019 9:00 pm

You're right, I forgot I had also added vlan10 into Bridge > Ports. Removing it from there automatically removed vlan10 from Untagged. But it's still not working :(

Here is the output you've asked for:
[admin@MikroTik] >> export hide-sensitive  
# oct/04/2019 18:58:42 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/interface bridge
add admin-mac=B8:69:F4:2F:73:7E auto-mac=no comment=defconf name=bridge-lan vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=xxx
/interface vlan
add interface=bridge-lan name=vlan10 use-service-tag=yes vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-lan lease-time=1d name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
add bridge=bridge-lan comment=defconf interface=ether3
add bridge=bridge-lan comment=defconf interface=ether4
add bridge=bridge-lan comment=defconf interface=ether5
add bridge=bridge-lan comment=defconf interface=ether6
add bridge=bridge-lan comment=defconf interface=ether7
add bridge=bridge-lan comment=defconf interface=ether8
add bridge=bridge-lan comment=defconf interface=ether9
add bridge=bridge-lan comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-lan tagged=ether1 untagged=bridge-lan vlan-ids=1
add bridge=bridge-lan tagged=bridge-lan,ether2 vlan-ids=10
/interface ethernet switch vlan
add independent-learning=no ports=ether2 switch=switch1 vlan-id=1
add independent-learning=no ports=ether2 switch=switch1 vlan-id=10
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.23 comment="Satel ETHM-1" mac-address=00:1B:9C:09:50:B8 server=defconf
add address=192.168.88.22 client-id=1:0:25:22:af:f0:53 comment="Desktop w gabinecie" mac-address=00:25:22:AF:F0:53 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
tdw
Member Candidate
Posts: 194
Joined: Sat May 05, 2018 11:55 am

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Fri Oct 04, 2019 10:30 pm

A few things:
Uncheck 'Use service VLAN' in the configuration for vlan10 - it should be a regular 802.1Q VLAN rather than an 802.1ad (service) VLAN.
Remove the entries under /interface ethernet switch vlan - it is possible to mix a non-VLAN aware bridge with hardware switching and VLAN filtering, but unless you need wirespeed switching it should be avoided as there can be weird interactions.
The vlan10 interface isn't a member of the LAN interface list unless you add it - the default rule to drop input from anything not in the LAN interface list will prevent access to the router from the new VLAN, ICMP is permitted by an earlier rule and as far as I can remember DHCP should work as it uses raw rather than IP sockets.
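
A small linter for the points tdw raises in this thread (service tag, VLAN interface placement, bridge VLAN table, switch-chip entries, LAN list), run over a constructed excerpt of the first export. It is an added example, not part of any post; `parse_export` and `lint_vlans` are hypothetical helper names, and ranges in `vlan-ids` are not handled.

```python
import shlex
from collections import defaultdict

# Constructed excerpt modelled on the first export in the thread
# (MAC, serial number and PPPoE user left out).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge-lan vlan-filtering=yes
/interface vlan
add interface=bridge-lan name=vlan10 use-service-tag=yes vlan-id=10
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether2 vlan-ids=10
/interface ethernet switch vlan
add independent-learning=no ports=ether2 switch=switch1 vlan-id=10
/interface list member
add comment=defconf interface=bridge-lan list=LAN
/ip firewall filter
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
"""

def parse_export(text):
    """Map each menu path to the key=value dicts of its add/set lines."""
    sections, path = defaultdict(list), None
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
        elif path and line.split()[0] in ("add", "set"):
            tokens = shlex.split(line)[1:]  # keeps quoted comments whole
            sections[path].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def lint_vlans(text):
    """Return one finding per VLAN mistake discussed in the thread."""
    cfg, out = parse_export(text), []
    filtering = {b.get("name") for b in cfg["/interface bridge"] if b.get("vlan-filtering") == "yes"}
    ports = {p.get("interface") for p in cfg["/interface bridge port"]}
    lan = {m.get("interface") for m in cfg["/interface list member"] if m.get("list") == "LAN"}
    drops_non_lan = any(r.get("chain") == "input" and r.get("action") == "drop"
                        and r.get("in-interface-list") == "!LAN"
                        for r in cfg["/ip firewall filter"])
    for v in cfg["/interface vlan"]:
        name, parent, vid = v["name"], v["interface"], v["vlan-id"]
        if v.get("use-service-tag") == "yes":
            out.append(f"{name}: use-service-tag=yes makes it 802.1ad, not 802.1Q")
        if name in ports:
            out.append(f"{name}: VLAN interface must not be listed under bridge ports")
        if parent in ports:
            out.append(f"{name}: attached to bridge port {parent}, attach it to the bridge")
        elif parent in filtering:
            tagged = {t for row in cfg["/interface bridge vlan"]
                      if row.get("bridge") == parent and vid in row.get("vlan-ids", "").split(",")
                      for t in row.get("tagged", "").split(",")}
            if parent not in tagged:
                out.append(f"{name}: bridge {parent} is not tagged for VLAN {vid}")
        if drops_non_lan and name not in lan:
            out.append(f"{name}: not in list LAN, input chain drops new connections from it")
    if filtering and cfg["/interface ethernet switch vlan"]:
        out.append("switch-chip VLAN entries are mixed with bridge VLAN filtering")
    return out
```

For a guest VLAN the last per-interface finding can be the intended state: putting vlan10 in list LAN also opens the router's input chain and the MAC server (`allowed-interface-list=LAN`) to guest clients.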
 
baumi
just joined
Topic Author
Posts: 7
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Sat Oct 05, 2019 12:51 am

Thanks @tdw. I made the changes you suggested but it's still not working. Current config:
[admin@MikroTik] > export hide-sensitive  
# oct/04/2019 22:47:26 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/interface bridge
add admin-mac=B8:69:F4:2F:73:7E auto-mac=no comment=defconf name=bridge-lan vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=rzeczna81f@dg-net.pl
/interface vlan
add interface=bridge-lan name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-lan lease-time=1d name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
add bridge=bridge-lan comment=defconf interface=ether3
add bridge=bridge-lan comment=defconf interface=ether4
add bridge=bridge-lan comment=defconf interface=ether5
add bridge=bridge-lan comment=defconf interface=ether6
add bridge=bridge-lan comment=defconf interface=ether7
add bridge=bridge-lan comment=defconf interface=ether8
add bridge=bridge-lan comment=defconf interface=ether9
add bridge=bridge-lan comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-lan tagged=ether1 untagged=bridge-lan vlan-ids=1
add bridge=bridge-lan tagged=bridge-lan,ether2 vlan-ids=10
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.23 comment="Satel ETHM-1" mac-address=00:1B:9C:09:50:B8 server=defconf
add address=192.168.88.22 client-id=1:0:25:22:af:f0:53 comment="Desktop w gabinecie" mac-address=00:25:22:AF:F0:53 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Any other clue?
 
anav
Forum Guru
Posts: 2971
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Sat Oct 05, 2019 9:29 pm

1. I think you have a static DNS setting left over from the default quick setup (should be removed).
2. Not sure why you have a VLAN BRIDGE setting for ether1 and vlan1? (it serves no purpose that I can see)
3. What is the purpose of identifying all the bridge ports 3-sfp1? (What is on those ports and what IP do they get?) Which leads me to:
4. Change the ip address assignment from ether 2, to the bridge-lan interface!! (192.168.88.......)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
baumi
just joined
Topic Author
Posts: 7
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Mon Oct 07, 2019 10:25 am

All those settings are default ones. Currently nothing is connected to ports ether3 to sfp1. After work I will adjust the settings according to your hints and I will share the results, thanks!
 
baumi
just joined
Topic Author
Posts: 7
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Mon Oct 07, 2019 10:59 pm

I made all the changes you have mentioned... still not working :/ Current settings:
[admin@MikroTik] > export hide-sensitive  
# oct/07/2019 20:57:12 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/interface bridge
add admin-mac=B8:69:F4:2F:73:7E auto-mac=no comment=defconf name=bridge-lan vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=rzeczna81f@dg-net.pl
/interface vlan
add interface=bridge-lan name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-lan lease-time=1d name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether2 vlan-ids=10
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-lan network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.23 comment="Satel ETHM-1" mac-address=00:1B:9C:09:50:B8 server=defconf
add address=192.168.88.22 client-id=1:0:25:22:af:f0:53 comment="Desktop w gabinecie" mac-address=00:25:22:AF:F0:53 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
complex1
newbie
Posts: 31
Joined: Wed Jan 04, 2017 9:55 pm

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Mon Oct 07, 2019 11:29 pm

Please untag ether2 and try again....
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan untagged=ether2 vlan-ids=10
Kind regards,
Frank.
 
anav
Forum Guru
Posts: 2971
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Tue Oct 08, 2019 3:09 am

> Please untag ether2 and try again....
> /interface bridge vlan
> add bridge=bridge-lan tagged=bridge-lan untagged=ether2 vlan-ids=10

Hi complex, the reason I didn't untag ether 2 is due to two reasons, first because it's acting as a trunk port for vlan10 and the default vlan1.
I am assuming his Ubiquiti devices are able to assign vlan10 to attached devices.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
complex1
newbie
Posts: 31
Joined: Wed Jan 04, 2017 9:55 pm

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Tue Oct 08, 2019 11:26 am

Hi anav,

In the latest configuration update I do not see any vlan1 setup.
Also I am assuming that his Ubiquiti device is not able to assign any VLAN to the attached devices, that's why the devices get no IP address from the DHCP pool.
If you untag ether2 then all devices should get an IP address.
This is my humble opinion.
Kind regards,
Frank.
 
anav
Forum Guru
Posts: 2971
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Tue Oct 08, 2019 2:35 pm

VLAN1 is the default, it is assumed by the router.

The DHCP on the VLAN is all set up on the MT, it does give out IP addresses to any device connected on vlan10.
The Ubiquitis are advanced access points, they have VLAN capabilities similar to the CapACs I use which assign VLAN tags to incoming data.
I just assign trunk ports to CapACs....
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
baumi
just joined
Topic Author
Posts: 7
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Tue Oct 08, 2019 10:35 pm

> VLAN1 is the default, it is assumed by the router.

This is correct.

> I am assuming his ubiquiti devices are able to assign vlan10 to attached devices.

My Ubiquiti UniFi AP AC PRO should have the capability to assign vlan10 to attached devices, but is there a way to test if it works correctly?

> If you untag ether2 then all devices should get an IP address.

Tried that and it didn't work - same effect - cannot get an IP from DHCP. All devices connected to any other wifi networks get an IP correctly, only the ones connected to the guest wifi - vlan10 - cannot get an IP. Is there a way to test the VLAN connection?
 
complex1
newbie
Posts: 31
Joined: Wed Jan 04, 2017 9:55 pm

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Wed Oct 09, 2019 2:20 pm

In the original post I see a screenshot from "Interface <vlan10>" where you have "Use Service Tag" enabled.
Please disable this Service Tag and try again?
Kind regards,
Frank.
 
complex1
newbie
Posts: 31
Joined: Wed Jan 04, 2017 9:55 pm

Re: Can't make VLANs to work with RB3011 (can't get IP address from dhcp)

Wed Oct 09, 2019 2:39 pm

One more thing you can try is to connect a PC to port 4 by wire.
Then change/set and check if the PC gets a DHCP address.
/interface bridge port
add bridge=bridge-lan interface=ether2

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether2 untagged=ether4 vlan-ids=10

/interface bridge port
set bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10 [find interface=ether4]
Kind regards,
Frank.
