MikroTik

Posted: **Sun Dec 27, 2020 2:36 am**

The DHCP server was happily giving the lease to the switch. I did not change any configuration, only upgraded the CRS from 6.47.7 to 6.48 and the DHCP server lease cannot be given successfully to the switch any longer.
To confirm, everything was working fine, simple upgrading the switch caused this issue.
Both CCR and CRS is running latest stable 6.48

Router: CCR 1009, RouterOS 6.48. Firmware also upgraded
Switch: crs328-24p-4s+rm RouterOS 6.48. Firmware also upgraded

Relevant Config on router: Simple DHCP server running on vlan 801.
Relevant Config on CRS-Switch:

/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge vlan-filtering=yes
/interface vlan
add interface=ether24 name=vlan801 vlan-id=801
/interface bridge port
add bridge=bridge comment=defconf interface=ether24

Ether 24 of the CRS is connected to ether7 of the CCR
So, the CRS is acting as a switch, all ports added to the bridge and tagged/untagged as per config

mms.PNG

Log from the CCR:

02:19:26 dhcp,warning dhcp3 offering lease 10.101.101.5 for C4:AD:34:d2:**:** without success 
02:19:26 system,info log rule changed by Admin 
02:19:28 dhcp,debug dhcp3 received discover id 794389348 from 0.0.0.0 '1:c4:ad:34:d2:**:**' 
02:19:28 dhcp,debug,packet     secs = 33 
02:19:28 dhcp,debug,packet     flags = broadcast 
02:19:28 dhcp,debug,packet     ciaddr = 0.0.0.0 
02:19:28 dhcp,debug,packet     chaddr = C4:AD:34:d2:**:** 
02:19:28 dhcp,debug,packet     Msg-Type = discover 
02:19:28 dhcp,debug,packet     Parameter-List = Subnet-Mask,Classless-Route,Router,Static-Route,Domain-Server,NTP-Server,CAPWAP-Server,Vendor-Specific 
02:19:28 dhcp,debug,packet     Host-Name = "ISP-CRS-Switch" 
02:19:28 dhcp,debug,packet     Client-Id = 01-C4-AD-34-D2-D0-90 
02:19:28 dhcp,debug lease found, offered, offer 
02:19:28 dhcp,debug dhcp3 sending offer with id 794389348 to 255.255.255.255 
02:19:28 dhcp,debug,packet     flags = broadcast 
02:19:28 dhcp,debug,packet     ciaddr = 0.0.0.0 
02:19:28 dhcp,debug,packet     yiaddr = 10.101.101.5 
02:19:28 dhcp,debug,packet     siaddr = 10.101.101.6 
02:19:28 dhcp,debug,packet     chaddr = C4:AD:34:d2:**:** 
02:19:28 dhcp,debug,packet     Msg-Type = offer 
02:19:28 dhcp,debug,packet     Server-Id = 10.101.101.6 
02:19:28 dhcp,debug,packet     Address-Time = 600 
02:19:28 dhcp,debug,packet     Subnet-Mask = 255.255.255.252 
02:19:28 dhcp,debug,packet     Router = 10.101.101.6 
02:19:28 dhcp,debug,packet     Domain-Server = 172.1.1.16,8.8.8.8 
02:19:34 dhcp,debug dhcp3 received discover id 794389348 from 0.0.0.0 '1:c4:ad:34:d2:**:**' 
02:19:34 dhcp,debug,packet     secs = 39 
02:19:34 dhcp,debug,packet     flags = broadcast 
02:19:34 dhcp,debug,packet     ciaddr = 0.0.0.0 
02:19:34 dhcp,debug,packet     chaddr = C4:AD:34:d2:**:** 
02:19:34 dhcp,debug,packet     Msg-Type = discover 
02:19:34 dhcp,debug,packet     Parameter-List = Subnet-Mask,Classless-Route,Router,Static-Route,Domain-Server,NTP-Server,CAPWAP-Server,Vendor-Specific 
02:19:34 dhcp,debug,packet     Host-Name = "ISP-CRS-Switch" 
02:19:34 dhcp,debug,packet     Client-Id = 01-C4-AD-34-D2-D0-90 
02:19:34 dhcp,debug lease found, offered, offer 
02:19:34 dhcp,debug 3 offers in a row => forcing broadcast 
02:19:34 dhcp,debug dhcp3 sending offer with id 794389348 to 255.255.255.255 
02:19:34 dhcp,debug,packet     flags = broadcast 
02:19:34 dhcp,debug,packet     ciaddr = 0.0.0.0 
02:19:34 dhcp,debug,packet     yiaddr = 10.101.101.5 
02:19:34 dhcp,debug,packet     siaddr = 10.101.101.6 
02:19:34 dhcp,debug,packet     chaddr = C4:AD:34:d2:**:** 
02:19:34 dhcp,debug,packet     Msg-Type = offer 
02:19:34 dhcp,debug,packet     Server-Id = 10.101.101.6 
02:19:34 dhcp,debug,packet     Address-Time = 600 
02:19:34 dhcp,debug,packet     Subnet-Mask = 255.255.255.252 
02:19:34 dhcp,debug,packet     Router = 10.101.101.6 
02:19:34 dhcp,debug,packet     Domain-Server = 172.1.1.16,8.8.8.8 
02:19:38 dhcp,debug dhcp3 received discover id 794389348 from 0.0.0.0 '1:c4:ad:34:d2:**:**' 
02:19:38 dhcp,debug,packet     secs = 43 
02:19:38 dhcp,debug,packet     flags = broadcast 
02:19:38 dhcp,debug,packet     ciaddr = 0.0.0.0 
02:19:38 dhcp,debug,packet     chaddr = C4:AD:34:d2:**:** 
02:19:38 dhcp,debug,packet     Msg-Type = discover 
02:19:38 dhcp,debug,packet     Parameter-List = Subnet-Mask,Classless-Route,Router,Static-Route,Domain-Server,NTP-Server,CAPWAP-Server,Vendor-Specific 
02:19:38 dhcp,debug,packet     Host-Name = "ISP-CRS-Switch" 
02:19:38 dhcp,debug,packet     Client-Id = 01-C4-AD-34-D2-D0-90 
02:19:38 dhcp,debug lease found, offered, offer 
02:19:38 dhcp,debug 4 offers in a row 
02:19:38 dhcp,debug dhcp3 sending offer with id 794389348 to 255.255.255.255 
02:19:38 dhcp,debug,packet     flags = broadcast 
02:19:38 dhcp,debug,packet     ciaddr = 0.0.0.0 
02:19:38 dhcp,debug,packet     yiaddr = 10.101.101.5 
02:19:38 dhcp,debug,packet     siaddr = 10.101.101.6 
02:19:38 dhcp,debug,packet     chaddr = C4:AD:34:d2:**:** 
02:19:38 dhcp,debug,packet     Msg-Type = offer 
02:19:38 dhcp,debug,packet     Server-Id = 10.101.101.6 
02:19:38 dhcp,debug,packet     Address-Time = 600 
02:19:38 dhcp,debug,packet     Subnet-Mask = 255.255.255.252 
02:19:38 dhcp,debug,packet     Router = 10.101.101.6 
02:19:38 dhcp,debug,packet     Domain-Server = 172.1.1.16,8.8.8.8 
02:19:41 system,info,account user Admin logged in from 10.100.13.6 via telnet 
02:19:44 dhcp,debug dhcp3 received discover id 794389348 from 0.0.0.0 '1:c4:ad:34:d2:**:**' 
02:19:44 dhcp,debug,packet     secs = 49 
02:19:44 dhcp,debug,packet     ciaddr = 0.0.0.0 
02:19:44 dhcp,debug,packet     chaddr = C4:AD:34:d2:**:** 
02:19:44 dhcp,debug,packet     Msg-Type = discover 
02:19:44 dhcp,debug,packet     Parameter-List = Subnet-Mask,Classless-Route,Router,Static-Route,Domain-Server,NTP-Server,CAPWAP-Server,Vendor-Specific 
02:19:44 dhcp,debug,packet     Host-Name = "ISP-CRS-Switch" 
02:19:44 dhcp,debug,packet     Client-Id = 01-C4-AD-34-D2-D0-90 
02:19:44 dhcp,debug lease found, offered, offer 
02:19:44 dhcp,debug 5 offers in a row => no response, restarting with unicast 
02:19:44 dhcp,warning dhcp3 offering lease 10.101.101.5 for C4:AD:34:d2:**:** without success 
02:19:44 dhcp,debug dhcp3 sending offer with id 794389348 to 10.101.101.5 
02:19:44 dhcp,debug,packet     ciaddr = 0.0.0.0 
02:19:44 dhcp,debug,packet     yiaddr = 10.101.101.5 
02:19:44 dhcp,debug,packet     siaddr = 10.101.101.6 
02:19:44 dhcp,debug,packet     chaddr = C4:AD:34:d2:**:** 
02:19:44 dhcp,debug,packet     Msg-Type = offer 
02:19:44 dhcp,debug,packet     Server-Id = 10.101.101.6 
02:19:44 dhcp,debug,packet     Address-Time = 600 
02:19:44 dhcp,debug,packet     Subnet-Mask = 255.255.255.252 
02:19:44 dhcp,debug,packet     Router = 10.101.101.6 
02:19:44 dhcp,debug,packet     Domain-Server = 8.8.8.8

Posted: **Sun Dec 27, 2020 10:17 am**

I have configured my VLANs in a different way, I configured all VLANs on the bridge instead of on the interface:
viewtopic.php?t=143620

Posted: **Sun Dec 27, 2020 12:09 pm**

I have configured my VLANs in a different way, I configured all VLANs on the bridge instead of on the interface:
viewtopic.php?t=143620

Thank you for the reply.
For VLAN config I have followed this:
https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
and this:
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

From my current understanding, this is a better way to VLAN. Correct me if I am mistaken.

Posted: **Sun Dec 27, 2020 12:50 pm**

Basic idea is: when bridge vlan-filtering is enabled, then VLAN interfaces have to be configured off the bridge, not off member interfaces.

If VLAN interface is defined off a slave interface, then behaviour is slightly undefined (and might change as well between ROS versions). It may have worked "in parallel to bridge" previously but may have broken with new ROS version. Anyway, in this case bridge VLAN filtering doesn't apply to traffic via that VLAN interface at all.

BTW, both wiki manuals and the tutorial linked by @erlinden are talking the same language. So I suggest that you go through the tutorial (it has some great examples which should help you understand VLAN config) and reconfigure your CRS328 accordingly.

Posted: **Sun Dec 27, 2020 5:55 pm**

Basic idea is: when bridge vlan-filtering is enabled, then VLAN interfaces have to be configured off the bridge, not off member interfaces.

If VLAN interface is defined off a slave interface, then behaviour is slightly undefined (and might change as well between ROS versions). It may have worked "in parallel to bridge" previously but may have broken with new ROS version. Anyway, in this case bridge VLAN filtering doesn't apply to traffic via that VLAN interface at all.

BTW, both wiki manuals and the tutorial linked by @erlinden are talking the same language. So I suggest that you go through the tutorial (it has some great examples which should help you understand VLAN config) and reconfigure your CRS328 accordingly.

OK, I will do this, thank you. In the meantime, if anyone sees any error in my config please let me know.

Here is my full config:

# dec/08/2020 20:58:37 by RouterOS 6.47.8
# software id = VNB9-I3ZM
#
# model = CRS328-24P-4S+
# serial number = C7810B345645
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] poe-out=forced-on poe-voltage=low
set [ find default-name=ether2 ] poe-out=forced-on poe-voltage=low
set [ find default-name=ether3 ] poe-out=forced-on poe-voltage=low
set [ find default-name=ether4 ] poe-out=forced-on poe-voltage=low
set [ find default-name=ether22 ] comment=Mainlink poe-out=forced-on \
    poe-voltage=low
set [ find default-name=ether23 ] comment=Backup
/interface vlan
add interface=ether24 name=vlan801 vlan-id=801
/snmp community
set [ find default=yes ] name=ISP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether1 \
    pvid=101
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether2 \
    pvid=102
add bridge=bridge comment=defconf interface=ether3 pvid=103
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether4 \
    pvid=104
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether5 \
    pvid=105
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether6 \
    pvid=106
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether7 \
    pvid=107
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether8 \
    pvid=108
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether9 \
    pvid=109
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether10 \
    pvid=110
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=ether11 pvid=111
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether12 \
    pvid=112
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether13 \
    pvid=113
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether14 \
    pvid=114
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether15 \
    pvid=115
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether16 \
    pvid=116
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether17 \
    pvid=117
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether18 \
    pvid=118
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether20 \
    pvid=120
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether21 \
    pvid=121
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether22 \
    pvid=122
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether23 \
    pvid=123
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=ether24 untagged=ether1 vlan-ids=101
add bridge=bridge tagged=ether24 untagged=ether2 vlan-ids=102
add bridge=bridge tagged=ether24 untagged=ether3 vlan-ids=103
add bridge=bridge tagged=ether24 untagged=ether4 vlan-ids=104
add bridge=bridge tagged=ether24 untagged=ether5 vlan-ids=105
add bridge=bridge tagged=ether24 untagged=ether6 vlan-ids=106
add bridge=bridge tagged=ether24 untagged=ether7 vlan-ids=107
add bridge=bridge tagged=ether24 untagged=ether8 vlan-ids=108
add bridge=bridge tagged=ether24 untagged=ether9 vlan-ids=109
add bridge=bridge tagged=ether24 untagged=ether10 vlan-ids=110
add bridge=bridge disabled=yes tagged=ether24,ether3 untagged=ether11 \
    vlan-ids=111
add bridge=bridge tagged=ether24 untagged=ether12 vlan-ids=112
add bridge=bridge tagged=ether24 untagged=ether13 vlan-ids=113
add bridge=bridge tagged=ether24 untagged=ether14 vlan-ids=114
add bridge=bridge tagged=ether24 untagged=ether15 vlan-ids=115
add bridge=bridge tagged=ether24 untagged=ether16 vlan-ids=116
add bridge=bridge tagged=ether24 untagged=ether17 vlan-ids=117
add bridge=bridge tagged=ether24 untagged=ether18 vlan-ids=118
add bridge=bridge disabled=yes tagged=ether3 untagged=ether19 vlan-ids=119
add bridge=bridge tagged=ether24 untagged=ether21 vlan-ids=121
add bridge=bridge tagged=ether24 untagged=ether20 vlan-ids=120
add bridge=bridge tagged=ether24 untagged=ether22 vlan-ids=122
add bridge=bridge tagged=ether24 untagged=ether23 vlan-ids=123
add bridge=bridge tagged="ether1,ether2,ether3,ether4,ether5,ether6,ether7,eth\
    er8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17\
    ,ether18,ether19,ether20,ether21,ether22,ether23,ether24" vlan-ids=10
add bridge=bridge tagged="ether1,ether2,ether3,ether4,ether5,ether6,ether7,eth\
    er8,ether9,ether10,ether20,ether21,ether22,ether23,ether24" vlan-ids=15
add bridge=bridge tagged=ether24,ether3 vlan-ids=201
add bridge=bridge tagged=ether24,ether22 vlan-ids=202
add bridge=bridge tagged=ether19,ether24 vlan-ids=1193
add bridge=bridge tagged=ether19,ether24 vlan-ids=1192
add bridge=bridge tagged=ether19,ether3 vlan-ids=1191
add bridge=bridge tagged=ether24,ether11 vlan-ids=1112
add bridge=bridge tagged=ether3,ether11 vlan-ids=1111
/ip address
add address=10.101.101.5/30 interface=vlan801 network=10.101.101.4
/ip dns
set servers=8.8.8.8
/ip route
add distance=1 gateway=10.101.101.6
/snmp
set contact=Alisha enabled=yes location=Tower7 trap-version=2
/system identity
set name=ISPTower7-CRS-Switch
/system routerboard settings
set auto-upgrade=yes boot-os=router-os
/tool romon
set enabled=yes

Posted: **Sun Dec 27, 2020 10:05 pm**

Basic idea is: when bridge vlan-filtering is enabled, then VLAN interfaces have to be configured off the bridge, not off member interfaces.
Anyway, in this case bridge VLAN filtering doesn't apply to traffic via that VLAN interface at all.

Could you give me a deeper explanation why you say " Anyway, in this case bridge VLAN filtering doesn't apply to traffic via that VLAN interface at all." ?

Posted: **Sun Dec 27, 2020 10:42 pm**

Basic idea is: when bridge vlan-filtering is enabled, then VLAN interfaces have to be configured off the bridge, not off member interfaces.

But in this config, the vlan should be on the member interface, right? Because I just did a lab now, added the vlan interface to the bridge and it did not work.(the router could not see the ip on the vlan interface)

Posted: **Sun Dec 27, 2020 10:44 pm**

So, I just tested the exact config on a 3011 and a hap lite, and it works as expected. But why does the exact same config on the CRS not work?
I cannot connect to the CRS even via RoMON (romon is enabled on both the CCR and CRS)

Posted: **Mon Dec 28, 2020 12:51 am**

CRS3xx offloads bridge VLAN settings to underlying hardware, while the rest of devices implement everything in software. It is possible that pure software implementation is more forgiving than hardware implementation.

You have plenty of VLANs configured in proper bridge-vlan manner. So why don't you want to do the same for VLAN 801? Move vlan interface vlan801 from ether24 to bridge and configure appropriate vlan settings under /interface bridge vlan (e.g. add bridge=bridge tagged=bridge,ether24 vlan-ids=801) and you're all set.

Posted: **Mon Dec 28, 2020 1:30 am**

CRS3xx offloads bridge VLAN settings to underlying hardware, while the rest of devices implement everything in software. It is possible that pure software implementation is more forgiving than hardware implementation.

You have plenty of VLANs configured in proper bridge-vlan manner. So why don't you want to do the same for VLAN 801? Move vlan interface vlan801 from ether24 to bridge and configure appropriate vlan settings under /interface bridge vlan (e.g. add bridge=bridge tagged=bridge,ether24 vlan-ids=801) and you're all set.

Thank you for this excellent advice. The missing part was that I did not think about tagging the bridge itself. Now in my lab its working. Just need to try to get access to the CRS perhaps via console and then will test it

Posted: **Fri Jan 01, 2021 9:38 am**

CRS3xx offloads bridge VLAN settings to underlying hardware, while the rest of devices implement everything in software. It is possible that pure software implementation is more forgiving than hardware implementation.

You have plenty of VLANs configured in proper bridge-vlan manner. So why don't you want to do the same for VLAN 801? Move vlan interface vlan801 from ether24 to bridge and configure appropriate vlan settings under /interface bridge vlan (e.g. add bridge=bridge tagged=bridge,ether24 vlan-ids=801) and you're all set.

This solved the issue, tested and working. Best wishes!

MikroTik

DHCP lease unsuccessful after upgrade to 6.48

DHCP lease unsuccessful after upgrade to 6.48

Re: DHCP lease unsuccessful after upgrade to 5.48

Re: DHCP lease unsuccessful after upgrade to 5.48

Re: DHCP lease unsuccessful after upgrade to 5.48

Re: DHCP lease unsuccessful after upgrade to 5.48

Re: DHCP lease unsuccessful after upgrade to 5.48

Re: DHCP lease unsuccessful after upgrade to 5.48

Re: DHCP lease unsuccessful after upgrade to 5.48

Re: DHCP lease unsuccessful after upgrade to 6.48 [SOLVED]

Re: DHCP lease unsuccessful after upgrade to 6.48

Re: DHCP lease unsuccessful after upgrade to 6.48