baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am

Can't make VLANs work with RB3011 (can't get IP address from DHCP)

Fri Oct 04, 2019 11:50 am

Hi,

I have already found multiple topics like this but none of them helped me. What I'm trying to achieve is to set up my guest Wi-Fi (using a UniFi AP-AC-Pro) and MikroTik RB3011UiAS. All my devices are currently connected to ether2 and my internet connection is connected to ether1.

What I currently did:

1. Enable VLAN for one of my Wifi networks:

Image

2. Created VLAN interface:

Image

3. Assigning new address on vlan interface

Image

4. Setting up DHCP server for that interface:

Image

5. Bridge / VLAN settings:
Here I'm not sure, I was just looking at the solution on the topic viewtopic.php?t=132119

Image

6. Enable vlan filtering on the bridge interface:

Image

Now when I want to connect to my guest network (that uses vlan10) I get no IP address. What am I missing?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am


Fri Oct 04, 2019 1:00 pm

As you are using a VLAN-aware bridge:
The VLAN interface created in #2 should be attached to bridge-lan NOT ether2
When setting up the DHCP server in #4 you need to create an entry under the Network tab too
The bridge VLAN settings in #5 are not correct, the entry for VLAN 10 should have tagged=bridge-lan,ether2 and no untagged entries
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am


Fri Oct 04, 2019 2:32 pm

Thank you for the answer! I have changed the config as you mentioned but nothing has changed. I'm still not able to get an IP from DHCP when connected to the guest network. Also looking at the interface list I can see no traffic on vlan10. Changes I made:

#2
Attaching vlan interface to bridge:

Image

#4
I had an entry in Network tab:

Image

#5
Fixing bridge vlan settings (cannot remove vlan10 from Untagged for vlan id 10):

Image

Any other place I should update or anything else I'm missing?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am


Fri Oct 04, 2019 7:12 pm

The current untagged vlan10 entry is incorrect, it may be cleared by a reboot.

Note that vlan10 should not be included under Bridge>Ports, the output of /export hide-sensitive would be more useful than a selection of screenshots.
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am


Fri Oct 04, 2019 9:00 pm

You're right, I forgot I have added also vlan10 into Bridge > Ports. Removing it from there automatically removed vlan10 from Untagged. But still it's not working :(

Here is the output you've asked for:
[admin@MikroTik] >> export hide-sensitive  
# oct/04/2019 18:58:42 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/interface bridge
add admin-mac=B8:69:F4:2F:73:7E auto-mac=no comment=defconf name=bridge-lan vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=xxx
/interface vlan
add interface=bridge-lan name=vlan10 use-service-tag=yes vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-lan lease-time=1d name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
add bridge=bridge-lan comment=defconf interface=ether3
add bridge=bridge-lan comment=defconf interface=ether4
add bridge=bridge-lan comment=defconf interface=ether5
add bridge=bridge-lan comment=defconf interface=ether6
add bridge=bridge-lan comment=defconf interface=ether7
add bridge=bridge-lan comment=defconf interface=ether8
add bridge=bridge-lan comment=defconf interface=ether9
add bridge=bridge-lan comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-lan tagged=ether1 untagged=bridge-lan vlan-ids=1
add bridge=bridge-lan tagged=bridge-lan,ether2 vlan-ids=10
/interface ethernet switch vlan
add independent-learning=no ports=ether2 switch=switch1 vlan-id=1
add independent-learning=no ports=ether2 switch=switch1 vlan-id=10
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.23 comment="Satel ETHM-1" mac-address=00:1B:9C:09:50:B8 server=defconf
add address=192.168.88.22 client-id=1:0:25:22:af:f0:53 comment="Desktop w gabinecie" mac-address=00:25:22:AF:F0:53 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am


Fri Oct 04, 2019 10:30 pm

A few things:
Uncheck 'Use service VLAN' in the configuration for vlan10 - it should be a regular 802.1Q VLAN rather than an 802.1ad (service) VLAN.
Remove the entries under /interface ethernet switch vlan - it is possible to mix a non-VLAN aware bridge with hardware switching and VLAN filtering, but unless you need wirespeed switching it should be avoided as there can be weird interactions.
The vlan10 interface isn't a member of the LAN interface list unless you add it - the default rule to drop input from anything not in the LAN interface list will prevent access to the router from the new VLAN, ICMP is permitted by an earlier rule and as far as I can remember DHCP should work as it uses raw rather than IP sockets.
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am


Sat Oct 05, 2019 12:51 am

Thanks @tdw. I made the changes you suggested but it's still not working. Current config:
[admin@MikroTik] > export hide-sensitive  
# oct/04/2019 22:47:26 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/interface bridge
add admin-mac=B8:69:F4:2F:73:7E auto-mac=no comment=defconf name=bridge-lan vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=rzeczna81f@dg-net.pl
/interface vlan
add interface=bridge-lan name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-lan lease-time=1d name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
add bridge=bridge-lan comment=defconf interface=ether3
add bridge=bridge-lan comment=defconf interface=ether4
add bridge=bridge-lan comment=defconf interface=ether5
add bridge=bridge-lan comment=defconf interface=ether6
add bridge=bridge-lan comment=defconf interface=ether7
add bridge=bridge-lan comment=defconf interface=ether8
add bridge=bridge-lan comment=defconf interface=ether9
add bridge=bridge-lan comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-lan tagged=ether1 untagged=bridge-lan vlan-ids=1
add bridge=bridge-lan tagged=bridge-lan,ether2 vlan-ids=10
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.23 comment="Satel ETHM-1" mac-address=00:1B:9C:09:50:B8 server=defconf
add address=192.168.88.22 client-id=1:0:25:22:af:f0:53 comment="Desktop w gabinecie" mac-address=00:25:22:AF:F0:53 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Any other clue?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Sat Oct 05, 2019 9:29 pm

1. I think you have a static DNS setting left over from the default quick setup (should be removed).
2. Not sure why you have a VLAN BRIDGE setting for ether1 and vlan1? (it serves no purpose that I can see)
3. What is the purpose of identifying all the bridge ports 3-sfp1 (what is on those ports and what IP do they get which leads me to
4. Change the ip address assignment from ether 2, to the bridge-lan interface!! (192.168.88.......)
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am


Mon Oct 07, 2019 10:25 am

All those settings are default ones. Currently nothing is connected to ports from ether3 - to sfp1. After work I will adjust the settings according to your hints and I will share the results, thanks!
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am


Mon Oct 07, 2019 10:59 pm

I made all the changes you have mentioned... still not working :/ Current settings:
[admin@MikroTik] > export hide-sensitive  
# oct/07/2019 20:57:12 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/interface bridge
add admin-mac=B8:69:F4:2F:73:7E auto-mac=no comment=defconf name=bridge-lan vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=rzeczna81f@dg-net.pl
/interface vlan
add interface=bridge-lan name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-lan lease-time=1d name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether2 vlan-ids=10
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-lan network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.23 comment="Satel ETHM-1" mac-address=00:1B:9C:09:50:B8 server=defconf
add address=192.168.88.22 client-id=1:0:25:22:af:f0:53 comment="Desktop w gabinecie" mac-address=00:25:22:AF:F0:53 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
complex1
Frequent Visitor
Posts: 54
Joined: Wed Jan 04, 2017 9:55 pm
Location: NL-NH


Mon Oct 07, 2019 11:29 pm

Please untag ether2 and try again....
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan untagged=ether2 vlan-ids=10
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Tue Oct 08, 2019 3:09 am

> Please untag ether2 and try again....
> /interface bridge vlan
> add bridge=bridge-lan tagged=bridge-lan untagged=ether2 vlan-ids=10

Hi complex, the reason I didn't untag ether 2 is due to two reasons, first because it's acting as a trunk port for vlan10 and the default vlan1.
I am assuming his ubiquiti devices are able to assign vlan10 to attached devices.
 
complex1
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Wed Jan 04, 2017 9:55 pm
Location: NL-NH


Tue Oct 08, 2019 11:26 am

Hi anav,

In the latest configuration update I do not see any vlan1 setup.
Also I am assuming that his Ubiquiti device is not able to assign any VLAN to the attached devices, that's why the devices get no IP address from the DHCP pool.
If you untag ether2 then all devices should get an IP address.
This is my humble opinion.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Tue Oct 08, 2019 2:35 pm

VLAN1 is the default, it is assumed by the router.

The DHCP on the VLAN is all setup on the MT, it does give out IP addresses to any device connected on vlan10.
The ubiquities are advanced access points, they have VLAN capabilities similar to the CapACs I use which assign VLAN tags to incoming data.
I just assign trunk ports to capacs....
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am


Tue Oct 08, 2019 10:35 pm

> VLAN1 is the default, it is assumed by the router.

This is correct.

> I am assuming his ubiquiti devices are able to assign vlan10 to attached devices.

My Ubiquiti UniFi AP AC PRO should have the capability to assign vlan10 to attached devices, but is there a way to test if it works correctly?

> If you untag ether2 then all devices should get an IP address.

Tried that and it didn't work - same effect - cannot get an IP from DHCP. All devices connected to any other Wi-Fi networks get an IP correctly, only the ones connected to the guest Wi-Fi - vlan10 - cannot get an IP. Is there a way to test the VLAN connection?
 
complex1
Frequent Visitor
Posts: 54
Joined: Wed Jan 04, 2017 9:55 pm
Location: NL-NH


Wed Oct 09, 2019 2:20 pm

In the original post I see a screenshot from "Interface <vlan10>" where you have "Use Service Tag" enabled.
Please disable this Service Tag and try again?
 
complex1
Frequent Visitor
Posts: 54
Joined: Wed Jan 04, 2017 9:55 pm
Location: NL-NH


Wed Oct 09, 2019 2:39 pm

One more thing you can try is to connect a PC to port 4 by wire.
Then change/set and check if the PC gets a DHCP address.
/interface bridge port
add bridge=bridge-lan interface=ether2

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether2 untagged=ether4 vlan-ids=10

/interface bridge port
set bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10 [find interface=ether4]
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am


Sun Nov 03, 2019 10:39 pm

Sorry for the late reply but I got so busy at work for the last month that I had no time to play with it. Now I came back to it and I decided to reset the MT config and start from the beginning, but with no success. Same result.

My config is:
[admin@MikroTik] > export hide-sensitive 
# nov/03/2019 21:22:17 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/interface bridge
add admin-mac=B8:69:F4:2F:73:7E auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=rzeczna81f@dg-net.pl
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I have tried to connect to the guest WiFi (vlan10) with statically set IP and no luck. I have also tried @complex1 hint:

> One more thing you can try is to connect a PC to port 4 by wire.
> Then change/set and check if the PC gets a DHCP address.
> /interface bridge port
> add bridge=bridge-lan interface=ether2
>
> /interface bridge vlan
> add bridge=bridge-lan tagged=bridge-lan,ether2 untagged=ether4 vlan-ids=10
>
> /interface bridge port
> set bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10 [find interface=ether4]

New config:
[admin@MikroTik] > export hide-sensitive 
# nov/03/2019 21:38:16 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/interface bridge
add admin-mac=B8:69:F4:2F:73:7E auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=rzeczna81f@dg-net.pl
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether4 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Device connected to ether 4 by wire got the IP address from main dhcp: 192.168.88.xxx, not the one from vlan10. Still no traffic is shown on interface vlan10.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Mon Nov 04, 2019 2:30 am

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1

Do you not see the issues of your config??
(1) How can you assign an IP address to an interface and especially ether2
when you assigned the associated dhcp server to the bridge??

(2) Ether2 seems to be where you want the vlan10 so I am assuming its a hybrid port ??

One can only conclude that ether2 connects to a device that is feeding the router both regular LAN traffic and vlan10 traffic and therefore the router is connecting to a smart switch or something that can have trunk ports at its end (be it switch, a capAC another mT router etc......)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Following that logic..........
It should look like....
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
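
The checks tdw and anav describe in the replies above can be run mechanically against /export output. The Python linter below is an added example, not part of the original thread and not MikroTik tooling; the function names parse_export and lint and the finding codes are made up here, and the two sample configs are abridged from exports the topic author posted.

```python
import shlex
from collections import defaultdict

def parse_export(text):
    """Parse RouterOS /export output into {menu path: [{key: value}, ...]}."""
    menus, menu = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):                # menu path, e.g. "/interface bridge vlan"
            menu = line
        elif menu and line.startswith("add "):  # only "add" rows matter for these checks
            tokens = shlex.split(line)[1:]      # shlex keeps quoted comments in one token
            menus[menu].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus

def lint(text):
    """Return (code, detail) findings for the mistakes discussed in the thread."""
    cfg, out = parse_export(text), []
    bridges = {b["name"] for b in cfg["/interface bridge"]}
    ports = {p["interface"] for p in cfg["/interface bridge port"]}
    lan = {m["interface"] for m in cfg["/interface list member"]
           if m.get("list") == "LAN"}
    tagged = defaultdict(set)                   # VLAN ID -> interfaces tagged for it
    for entry in cfg["/interface bridge vlan"]:
        for vid in entry.get("vlan-ids", "").split(","):
            tagged[vid].update(entry.get("tagged", "").split(","))

    for v in cfg["/interface vlan"]:
        name, parent, vid = v["name"], v["interface"], v["vlan-id"]
        if v.get("use-service-tag") == "yes":
            out.append(("SERVICE_TAG", f"{name} is 802.1ad, not a regular 802.1Q VLAN"))
        if parent in ports:
            out.append(("VLAN_ON_PORT", f"{name} sits on bridge port {parent}, not the bridge"))
        if name in ports:
            out.append(("VLAN_AS_PORT", f"{name} is listed under bridge ports"))
        if parent in bridges and parent not in tagged[vid]:
            out.append(("BRIDGE_NOT_TAGGED", f"VLAN {vid} lacks tagged={parent}"))
        if name not in lan:
            out.append(("NOT_IN_LAN", f"{name} is outside the LAN list; the defconf "
                        "input rule drops its traffic to the router"))
    for a in cfg["/ip address"]:
        if a["interface"] in ports:
            out.append(("ADDRESS_ON_PORT", f"{a['address']} is on bridge port {a['interface']}"))
    if bridges and cfg["/interface ethernet switch vlan"]:
        out.append(("SWITCH_VLAN", "switch-chip VLAN entries mixed with bridge VLAN filtering"))
    return out

# Abridged from the first export in the thread (oct/04/2019 18:58:42).
BEFORE = """
/interface bridge
add name=bridge-lan vlan-filtering=yes
/interface vlan
add interface=bridge-lan name=vlan10 use-service-tag=yes vlan-id=10
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether2 vlan-ids=10
/interface ethernet switch vlan
add independent-learning=no ports=ether2 switch=switch1 vlan-id=10
/interface list member
add comment=defconf interface=bridge-lan list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
"""

# Abridged from the export of oct/07/2019 20:57:12, after the suggested changes.
AFTER = """
/interface bridge
add name=bridge-lan vlan-filtering=yes
/interface vlan
add interface=bridge-lan name=vlan10 vlan-id=10
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether2 vlan-ids=10
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-lan network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(text) or "no findings")
```

NOT_IN_LAN deserves a second look on a guest network: in the exports above the LAN list also gates MAC-Winbox, the MAC server and neighbor discovery, so adding vlan10 to it opens those to guest clients as well.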
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Mon Nov 04, 2019 9:22 am

Thanks @anav for the answer, but assigning an address to ether2 works fine and I have no problems with it. On my eth2 I have connected a switch (Cisco SRW2048) where all devices (including APs) are connected and all of them work fine - get an IP, etc. The problem I have is that no devices connected to ether2 with vlanID = 10 can get an IP address from dhcp_pool2 (192.168.10.x)
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Mon Nov 04, 2019 11:35 am

> Thanks @anav for the answer, but assigning an address to ether2 works fine and I have no problems with it. On my eth2 I have connected a switch (Cisco SRW2048) where all devices (including APs) are connected and all of them work fine - get an IP, etc. The problem I have is that no devices connected to ether2 with vlanID = 10 can get an IP address from dhcp_pool2 (192.168.10.x)

Even if it works somehow, it is still a typical misconfiguration that can lead to potential problems that are hard to track.
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Mon Nov 04, 2019 1:36 pm

Of course, I forgot to write that I have changed that according to @anav's suggestion. It was supposed to be a bridge, but due to my typo I had assigned the address to the specific port.
[admin@MikroTik] /ip address> export hide-sensitive  
# nov/04/2019 12:34:18 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
What I meant in my previous message was that this was not the main problem I am trying to solve.
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Mon Nov 04, 2019 3:04 pm

What does
/interface bridge vlan print
show?
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Mon Nov 04, 2019 10:30 pm

@xvo, I have already posted the whole config. It looks like this:
[admin@MikroTik] > export hide-sensitive  
# nov/04/2019 21:27:58 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/interface bridge
add admin-mac=B8:69:F4:2F:73:7E auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=rzeczna81f@dg-net.pl
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Section you're asking for:
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Mon Nov 04, 2019 10:48 pm

Config (export) shows only static entries, while "print" command shows the dynamic ones as well.
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Mon Nov 04, 2019 11:30 pm

Oh, I had no idea of this, thanks!

Result:
[admin@MikroTik] >> /interface bridge vlan print 
Flags: X - disabled, D - dynamic 
 #   BRIDGE                VLAN-IDS  CURRENT-TAGGED              CURRENT-UNTAGGED             
 0 D bridge                1                                     bridge                       
                                                                 ether2                       
 1   bridge                10        bridge                     
                                     ether2
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Tue Nov 05, 2019 12:47 am

I don't see anything wrong either in your config or here.
Are you sure the problem is not on the UniFi side?
Maybe it needs some special settings for hybrid port to work properly?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Tue Nov 05, 2019 1:14 am

Same here, I suspect either the switch settings after the MT or the AP settings.
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Tue Nov 05, 2019 10:30 am

After work I'll try to connect the AP directly to the MT. I was consulting the AP settings with a friend of mine who has VLANs working properly with a Cisco router and I'm sure that the settings on the AP are correct. I'll let you know the results.
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Wed Nov 06, 2019 12:01 am

I have confirmed that when the APs are connected directly to the MT I can easily connect to my guest WiFi on the VLAN. Thanks! This proves that the problem is the Cisco switch I have between the APs and the MT. Once again, thanks for the big help!!!
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Wed Nov 06, 2019 7:03 am

You are welcome! :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Wed Nov 06, 2019 6:35 pm

Awesome, glad you found the issue, no payment required LOL but please please send xvo a razor and shaving cream. ;-)
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Wed Nov 06, 2019 7:37 pm

> a razor and shaving cream. ;-)

What are these?!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Wed Nov 06, 2019 8:02 pm

>> a razor and shaving cream. ;-)
> What are these?!

A plot to make you uglier ...
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Wed Nov 06, 2019 9:51 pm

>>> a razor and shaving cream. ;-)
>> What are these?!
> A plot to make you uglier ...

:lol:
 
neco91
just joined
Posts: 12
Joined: Wed Nov 06, 2019 8:25 pm

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Wed Nov 06, 2019 10:36 pm

Is the result of this config such that the AP gets the 88.x IP and wifi clients 10.x?
 
baumi
just joined
Topic Author
Posts: 15
Joined: Fri Oct 04, 2019 11:19 am

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Thu Nov 07, 2019 1:02 pm

All clients connected by wire and all WiFi Clients connected to any network but guest network get 88.x. All clients connected to Wifi guest network get 10.x.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't make VLANs to work with RB30011 (cant get PI addres from dhcp)

Thu Nov 07, 2019 3:07 pm

>>> a razor and shaving cream. ;-)
>> What are these?!
> A plot to make you uglier ...

Glad for that kernel of truth Sob.
In that case, don't send the razor or shaving cream, I don't want to lose my breakfast opening threads on the forum. ;-P
