
[SOLVED] Dual VLAN on WAN DHCP Client Issue

Posted: Tue Jul 22, 2014 9:15 pm
by peeter123
I've just received my RB2011UIAS-2HND-IN and started configuring it, however I have run into an issue with DHCP which I cannot resolve. My setup is as follows:

FTTH --> Genexis Media Converter --> (VLAN4 - IPTV, VLAN34 - Internet) --> RB2011 - PORT1

My ISP requires DHCP on both interfaces. On port 1 I have added two VLAN interfaces (vlan-internet, vlan-iptv) and configured NAT to vlan-internet. So far so good, now DHCP clients are added to both interfaces. The DHCP client on vlan-internet has the add default-route option set and the vlan-iptv has not.

The problem is as follows, internet works perfectly if only the vlan-internet DHCP client is on. The exact moment the vlan-iptv DHCP client is turned on my internet connection goes down. Ping to google.com returns timeout and after a while alternating timeout/ext ip: destination unreachable.

If I renew my lease on vlan-internet internet goes back up until vlan-iptv renews its IP. I've tried searching for a solution but I am at a loss at this moment. Hopefully someone can help me with this issue :)

Re: Dual VLAN on WAN DHCP Client Issue

Posted: Wed Aug 06, 2014 7:55 am
by jayd2k
That sounds pretty much like a routing issue.

Check your routing table before and after enabling the dhcp client on VLAN4 and see if the default route changes once the other link comes up.

Checking the routing table via CLI:

ip route print detail

You also might want to share your config with us.

Re: Dual VLAN on WAN DHCP Client Issue

Posted: Sun Aug 10, 2014 11:44 pm
by peeter123
Hi, thanks for your reply. I've just returned from vacation and am looking into this at the moment. This is more info that should help:

Routes and traceroute:
Before iptv interface dhcp client:
[admin@AquaRouter] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=82.197.195.1 gateway-status=82.197.195.1 reachable via  vlan-internet distance=1 scope=30 target-scope=10 vrf-interface=vlan-internet 
 1 ADC  dst-address=82.197.195.0/24 pref-src=82.197.195.239 gateway=vlan-internet gateway-status=vlan-internet reachable distance=0 scope=10 
 2 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge-local gateway-status=bridge-local reachable distance=0 scope=10 

[admin@AquaRouter] > /tool traceroute 8.8.8.8             
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST
 1 82.197.195.1                       0%   67     3ms       3     2.7     9.8
 2 217.19.16.6                        0%   67   2.9ms     3.1     2.8     7.5
 3 195.69.145.100                   26..   67   3.2ms     3.2       3       4
 4 209.85.254.95                      0%   67   6.9ms     5.1     3.2    29.3
 5 72.14.238.69                       0%   67   3.6ms     4.8     3.4    25.8
 6 209.85.254.231                     0%   67  18.2ms     8.8     6.5      49
 7 209.85.254.189                     0%   67   6.5ms     8.3     6.4    44.4
 8                                  100%   67 timeout
 9 8.8.8.8                            0%   66   6.8ms     6.9     6.6    13.3
 
After iptv interface dhcp client:
[admin@AquaRouter] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=82.197.195.1 gateway-status=82.197.195.1 reachable via  vlan-internet distance=1 scope=30 target-scope=10 vrf-interface=vlan-internet 
 1 ADC  dst-address=10.10.32.0/22 pref-src=10.10.32.151 gateway=vlan-iptv gateway-status=vlan-iptv reachable distance=0 scope=10 
 2 ADC  dst-address=82.197.195.0/24 pref-src=82.197.195.239 gateway=vlan-internet gateway-status=vlan-internet reachable distance=0 scope=10 
 3 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge-local gateway-status=bridge-local reachable distance=0 scope=10
 
[admin@AquaRouter] > /tool traceroute 8.8.8.8
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST
 1                                  100%   17 timeout
 2 82.197.195.239                   93..   17 timeout     988     988     988
 3 82.197.195.239                   87..   16 timeout   987.5   983.8   991.1
 4 82.197.195.239                   93..   16 timeout   989.1   989.1   989.1
 5 82.197.195.239                   87..   16 timeout     510    30.7   989.2
 6                                    0%    0     0ms

Config export:
# aug/10/2014 22:40:19 by RouterOS 6.18
# software id = S62Z-5GTT
#
/interface bridge
add admin-mac=4C:5E:0C:49:43:4A auto-mac=no l2mtu=1598 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] name=ether9-slave-local
set [ find default-name=ether10 ] name=ether10-test poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
    20/40mhz-ht-above distance=indoors l2mtu=2290 mode=ap-bridge name=wlan \
    ssid=Aqua wireless-protocol=802.11
/ip neighbor discovery
set ether1-wan discover=no
/interface vlan
add interface=ether1-wan l2mtu=1594 name=vlan-internet vlan-id=34
add interface=ether1-wan l2mtu=1594 name=vlan-iptv vlan-id=4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp disabled=no interface=bridge-local \
    lease-time=10m name=default
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan
add bridge=bridge-local interface=ether2
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.88.0
/ip dhcp-client
add comment=Internet dhcp-options=hostname,clientid disabled=no interface=\
    vlan-internet use-peer-ntp=no
add add-default-route=no comment=IPTV dhcp-options=hostname,clientid \
    disabled=no interface=vlan-iptv use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add chain=input
add chain=forward
add chain=output
/ip firewall nat
add action=masquerade chain=srcnat comment=Internet out-interface=\
    vlan-internet src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment=IPTV out-interface=vlan-iptv \
    src-address=192.168.88.0/24
/ip route
add distance=1 dst-address=185.6.48.0/26 gateway=vlan-iptv
/ip service
set telnet address=192.168.88.0/24
set ftp address=192.168.88.0/24
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api address=192.168.88.0/24
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
/ip smb
set domain=THUIS interfaces=bridge-local
/ip upnp
set allow-disable-external-interface=no
/lcd
set backlight-timeout=5m default-screen=stats
/lcd interface
set sfp1 disabled=yes
set ether1-wan disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6-master-local disabled=yes
set ether7-slave-local disabled=yes
set ether8-slave-local disabled=yes
set ether9-slave-local disabled=yes
set ether10-test disabled=yes
set wlan timeout=5s
add interface=bridge-local timeout=5s
add interface=vlan-internet timeout=5s
add interface=vlan-iptv timeout=5s
/lcd interface pages
add interfaces=vlan-internet,vlan-iptv,bridge-local,wlan
/routing igmp-proxy
set query-interval=1m5s quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan-iptv upstream=yes
add interface=bridge-local
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=AquaRouter
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set vlan-iptv disabled=yes display-time=5s
set vlan-internet disabled=yes display-time=5s
set bridge-local disabled=yes display-time=5s
set wlan disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set ether1-wan disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set ether6-master-local disabled=yes display-time=5s
set ether7-slave-local disabled=yes display-time=5s
set ether8-slave-local disabled=yes display-time=5s
set ether9-slave-local disabled=yes display-time=5s
set ether10-test disabled=yes display-time=5s
/system logging
add topics=debug
/system ntp client
set enabled=yes primary-ntp=82.193.117.90
/tool graphing
set store-every=hour
/tool graphing interface
add interface=vlan-internet
add interface=bridge-local
add interface=wlan
add interface=vlan-iptv
/tool graphing resource
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-test
add interface=sfp1
add interface=wlan
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-test
add interface=sfp1
add interface=wlan
add interface=bridge-local

Re: Dual VLAN on WAN DHCP Client Issue

Posted: Mon Aug 11, 2014 1:47 pm
by xavierc
I think your nat configuration is wrong for IPTV, the source address ip range should be different.

add action=masquerade chain=srcnat comment=Internet out-interface=\
vlan-internet src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment=IPTV out-interface=vlan-iptv \
src-address=192.168.88.0/24

Re: Dual VLAN on WAN DHCP Client Issue

Posted: Mon Aug 11, 2014 6:02 pm
by peeter123
No, I don't think that is the problem. The STBs are in my normal LAN and traffic to the IPTV gateway should be natted. Even if I disable the NAT rules ping from my router to Google does not work. Tonight I will try to do a packet sniff with Wireshark to figure out what is wrong.

BTW Mikrotik support does also not know what's wrong. They fiddled a bit over remote access but of course my internet drops the moment you enable the DHCP client so they cannot really debug.

Re: Dual VLAN on WAN DHCP Client Issue

Posted: Wed Aug 13, 2014 5:49 pm
by peeter123
Finally figured out the problem. Turns out my ISP did not allow the same MAC on the IPTV and Internet VLANs. The IP acquired first would be released if another dhcp request came in from the same MAC, even on another VLAN... Who would have thought that, my ISP has just some things misconfigured. Will contact them about this behaviour.

Now I also needed some ugly hack to change my MAC address on one of the interfaces because RouterOS does not allow change of MAC on the VLAN interfaces (correct behaviour I think).

Anyway thanks for your help!

Re: [SOLVED] Dual VLAN on WAN DHCP Client Issue

Posted: Fri Aug 15, 2014 6:11 am
by jayd2k
Cool, thanks for sharing your solution and properly resolving your thread :)