Community discussions

MikroTik App
 
nevolex
Member Candidate
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

rb4011 vlan filtering and dhcp issues

Fri May 07, 2021 12:43 pm

HI everyone,

I decided to play with my existing configuration using "legacy" 1 bridge per 1 vlan and changed that to vlan filtering and only one bridge for all.

I did not use pvid (when I tried the router becomes unmanageable ) per bridge port as it looks like rb4011 does not support hardware switching, so I created 2 vlan interfaces for vlan 10 and 20 and then inside bridge I split them without pvid.

I guess it works but not dhcp, dhcp is runs on vlan interfaces assignee to bridge, but no matter what I do clients cannot get a lease :(

can you please advise what did I do wrong?

thanks a lot

[admin@MikroTik_RB4011] > /export hide-sensitive 
# may/07/2021 21:27:56 by RouterOS 6.48.2
# software id = A0JA-PWUH
#
# model = RB4011iGS+
# serial number = D1260BF19E4D
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN_PRIMARY_VIA_FIBRE
set [ find default-name=ether2 ] comment=QNAP_BACKUP_1Gb_LINK
set [ find default-name=ether5 ] comment=Main_PC
set [ find default-name=ether8 ] comment=Monitor_VLAN_20
set [ find default-name=ether9 ] comment=Audience_VLAN_10_20 name=ether9-trunk
set [ find default-name=ether10 ] comment=WAN_SECONDARY_VIA_LTE
set [ find default-name=sfp-sfpplus1 ] comment=QNAP_PRIMARY_10Gb_LINK
/interface vlan
add comment=Secondary_WAN_VLAN_100 interface=bridge name=2Degrees_ISP vlan-id=100
add comment=Primary_WAN_VLAN_10 interface=ether1 name=Orcon_ISP vlan-id=10
add comment=LAN_VLAN_10 interface=bridge name=vlan10_main vlan-id=10
add comment=LAN_VLAN_20 interface=bridge name=vlan20_guest vlan-id=20
/interface bonding
add mode=active-backup name=qnap_bonding primary=sfp-sfpplus1 slaves=sfp-sfpplus1,ether2
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
add dh-group=modp3072,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 pfs-group=none
/ip pool
add name=pool_vlan10_main ranges=10.10.0.30-10.10.0.254
add name=pool_vlan20_guest ranges=10.20.0.30-10.20.0.254
add name=pool_ikev2_vpn ranges=10.88.0.1-10.88.0.254
/ip dhcp-server
add address-pool=pool_vlan10_main disabled=no interface=vlan10_main lease-time=23h59m59s name=\
    dhcp_vlan10_main
add add-arp=yes address-pool=pool_vlan20_guest disabled=no interface=vlan20_guest lease-time=23h59m59s name=\
    dhcp_vlan20_guest
/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg static-dns=10.10.0.1 system-dns=no
/queue simple
add comment="Shapped Internet Traffic Only via ISP 1" dst=Orcon_ISP max-limit=20M/20M name=\
    guest_network_queue_over_primary_ISP target=10.20.0.0/24
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9-trunk
add bridge=bridge interface=ether10
add bridge=bridge interface=qnap_bonding
/interface bridge vlan
add bridge=bridge tagged=ether9-trunk untagged=ether3,ether4,ether5,ether6,ether7,ether10,qnap_bonding \
    vlan-ids=10
add bridge=bridge tagged=ether9-trunk untagged=ether8 vlan-ids=20
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=Orcon_ISP list=WAN
add interface=2Degrees_ISP list=WAN
add interface=bridge list=LAN
/ip address
add address=10.10.0.1/24 interface=vlan10_main network=10.10.0.0
add address=10.20.0.1/24 interface=vlan20_guest network=10.20.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add disabled=no interface=Orcon_ISP use-peer-dns=no
/ip dhcp-server lease
add address=10.10.0.4 client-id=1:9c:5c:8e:20:b8:c6 comment=MainPC_wired mac-address=9C:5C:8E:20:B8:C6 \
    server=dhcp_vlan10_main
add address=10.10.0.14 comment=Kettle mac-address=BC:DD:C2:A8:06:52 server=dhcp_vlan10_main
add address=10.10.0.17 client-id=1:d0:73:d5:24:52:2f comment=LIFXBulb mac-address=D0:73:D5:24:52:2F server=\
    dhcp_vlan10_main
add address=10.10.0.20 client-id=1:50:ec:50:3a:f7:c5 comment=CCTV mac-address=50:EC:50:3A:F7:C5 server=\
    dhcp_vlan10_main
add address=10.10.0.13 comment=NestMini_Living_Room mac-address=D4:F5:47:2B:BB:D7 server=dhcp_vlan10_main
add address=10.10.0.8 client-id=1:c0:b5:d7:5b:d7:4e comment=Printer mac-address=C0:B5:D7:5B:D7:4E server=\
    dhcp_vlan10_main
add address=10.10.0.18 comment=NestMini_Bed_Room mac-address=D4:F5:47:12:EE:02 server=dhcp_vlan10_main
add address=10.10.0.16 comment=LIFXBulb mac-address=D0:73:D5:12:25:E9 server=dhcp_vlan10_main
add address=10.10.0.15 client-id=1:ac:d5:64:94:db:dd comment=SonyTV mac-address=AC:D5:64:94:DB:DD server=\
    dhcp_vlan10_main
add address=10.20.0.2 client-id=1:76:4d:28:f4:f7:f3 comment=MikroTik_Audience_VLAN_20 mac-address=\
    76:4D:28:F4:F7:F3 server=dhcp_vlan20_guest
add address=10.10.0.2 client-id=1:74:4d:28:f4:f7:f2 comment=MikroTik_Audience_VLAN_10 mac-address=\
    74:4D:28:F4:F7:F2 server=dhcp_vlan10_main
add address=10.10.0.19 client-id=1:38:f9:d3:52:a6:be comment=MacbookAir mac-address=38:F9:D3:52:A6:BE \
    server=dhcp_vlan10_main
add address=10.10.0.12 client-id=1:0:18:dd:24:1c:fa comment=IPTV_Tuner mac-address=00:18:DD:24:1C:FA server=\
    dhcp_vlan10_main
add address=10.10.0.10 client-id=1:0:a:f5:45:bf:ec comment=BookReader mac-address=00:0A:F5:45:BF:EC server=\
    dhcp_vlan10_main
add address=10.10.0.6 comment=VOIP_PHONE mac-address=00:0B:82:EA:D2:C4 server=dhcp_vlan10_main
add address=10.10.0.5 client-id=1:24:5e:be:1a:4f:37 comment=QNAP mac-address=24:5E:BE:1A:4F:37 server=\
    dhcp_vlan10_main
add address=10.10.0.21 client-id=1:2c:26:17:82:8e:2b comment=Oculus_Quest mac-address=2C:26:17:82:8E:2B \
    server=dhcp_vlan10_main
add address=10.10.0.9 client-id=1:dc:a6:32:e:48:82 comment=Raspberry_Pi mac-address=DC:A6:32:0E:48:82 \
    server=dhcp_vlan10_main
add address=10.10.0.7 client-id=1:88:78:73:d0:27:12 comment=MainPC_wireless mac-address=88:78:73:D0:27:12 \
    server=dhcp_vlan10_main
add address=10.10.0.3 client-id=1:c4:ad:34:57:4:93 comment=MikroTik_RBM33G mac-address=C4:AD:34:57:04:93 \
    server=dhcp_vlan10_main
add address=10.10.0.11 client-id=1:dc:41:a9:f9:65:c8 comment=Dell_XPS mac-address=DC:41:A9:F9:65:C8 server=\
    dhcp_vlan10_main
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1 netmask=24
add address=10.20.0.0/24 dns-server=10.20.0.1 gateway=10.20.0.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=94.140.14.14,94.140.15.15
/ip dns static
add address=10.10.0.8 name=printer.lan
add address=10.10.0.6 name=phone.lan
add address=10.10.0.12 name=tv.lan
add address=10.10.0.1 name=router1.lan
add address=10.10.0.2 name=router2.lan
add address=10.10.0.3 name=router3.lan
add address=10.10.0.1 name=media.lan
add address=10.10.0.1 name=qnap.lan
/ip firewall address-list
add address=10.20.0.0/24 list=guest_simple_queue
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="management over VPN" dst-port=22,80,88,8291 ipsec-policy=in,ipsec \
    protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment=\
    "drop all requests from guest network to management ports of this router" dst-address=10.10.0.1 \
    dst-port=22,88,8291 protocol=tcp src-address=10.20.0.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="allow emby to respond back to guest network" dst-address=\
    10.20.0.0/24 protocol=tcp src-address=10.10.0.5 src-port=8096
add action=accept chain=forward comment="allow acess emby from guest network" dst-address=10.10.0.5 \
    dst-port=8096 protocol=tcp src-address=10.20.0.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="simple queues rule  for guest network" connection-state=\
    established,related dst-address-list=guest_simple_queue
add action=fasttrack-connection chain=forward comment="fasttrack with guest network exclusion" \
    connection-state=established,related src-address=!10.20.0.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop all else coming from main to guest " dst-address=10.20.0.0/24 \
    src-address=10.10.0.0/24
add action=drop chain=forward comment="drop all else coming from guest to main" dst-address=10.10.0.0/24 \
    src-address=10.20.0.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=Orcon_ISP
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=2Degrees_ISP
/ip ipsec identity
add auth-method=digital-signature certificate=VPN_Server generate-policy=port-strict mode-config=IKEv2-cfg \
    peer=IKEv2-peer policy-template-group=ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes
/ip proxy
set enabled=yes port=80
/ip proxy access
add action=deny dst-host=media.lan redirect-to=10.10.0.5:8096
add action=deny dst-host=qnap.lan redirect-to=10.10.0.5:19019
add action=deny dst-address=10.10.0.1 dst-port=80 redirect-to=10.10.0.1:88
add action=deny
/ip route
add comment="for netwatch monitoring" distance=1 dst-address=1.1.1.1/32 gateway=121.99.224.1
add comment="for netwatch monitoring" distance=200 dst-address=1.1.1.1/32 type=unreachable
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=88
set api disabled=yes
set api-ssl disabled=yes
/queue simple
add comment="Shapped Internet Traffic Only via ISP 2" dst=*13 max-limit=5M/5M name=\
    guest_network_queue_over_secondary_ISP target=10.20.0.0/24
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTik_RB4011
/system scheduler
add interval=8w4d name=monthly_reboot on-event="/system reboot" policy=reboot start-date=mar/29/2021 \
    start-time=03:00:00
[admin@MikroTik_RB4011] > 
 
erlinden
Forum Guru
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: rb4011 vlan filtering and dhcp issues  [SOLVED]

Fri May 07, 2021 1:19 pm

If you want to have accessports (or hybrid ports) you have to set the vlan id on the bridge port while the trunk port should be left to default (with admit-only-vlan-tagged):

trunk:
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether9-trunk
accessport/hyrbid:
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
The trunk ports should be tagged as you configured, untagged can be left out (as they are defined on the bridge port) and will be assigned dynamically:
/interface bridge vlan
add bridge=bridge tagged=ether9-trunk

Please read this great tutorial:
viewtopic.php?t=143620
 
nevolex
Member Candidate
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: rb4011 vlan filtering and dhcp issues

Fri May 07, 2021 1:31 pm

If you want to have accessports (or hybrid ports) you have to set the vlan id on the bridge port while the trunk port should be left to default (with admit-only-vlan-tagged):

trunk:
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether9-trunk
accessport/hyrbid:
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
The trunk ports should be tagged as you configured, untagged can be left out (as they are defined on the bridge port) and will be assigned dynamically:
/interface bridge vlan
add bridge=bridge tagged=ether9-trunk

Please read this great tutorial:
viewtopic.php?t=143620
thank you for your quick reply, erlinden, and in terms of DCHP what interface should I use?
 
erlinden
Forum Guru
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: rb4011 vlan filtering and dhcp issues

Fri May 07, 2021 1:51 pm

You are welcome...DHCP server can be bound to the VLAN interface as you already did.
 
nevolex
Member Candidate
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: rb4011 vlan filtering and dhcp issues

Fri May 07, 2021 2:24 pm

You are welcome...DHCP server can be bound to the VLAN interface as you already did.
unfortunately, as soon as Ienable vlan filtering on the bridge after I specified pvids the router can no longer be contacted I am not sure if that's the bug or something


Once I was able to connect to it via l2 telnet from the other mikrotik and winbox only worked once i disable bridge interface altogether from telnet :(
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: rb4011 vlan filtering and dhcp issues

Fri May 07, 2021 6:13 pm

VLANs on bridge are not exactly trivial and tutorial, linked by @erlinden, is truly a great resource. Read it, understand it, and you'll get it done. If not, post exact configuration (less vlan-filtering) and we'll check where's the problem.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: rb4011 vlan filtering and dhcp issues

Sat May 08, 2021 4:31 pm

(1) Your VLAN nomenclature is confusing and should be cleaned up! Switching just the Main WAN helps.
However why are your WAN connections on Vlans? Normally the reason to use vlans is if the ISP provider sends the data to you on a VLAN.
Sometimes people have a switch in between the ISP modem and Router and that is another case where one needs to vlan WAN traffic coming into the router (sharing single line).
Thus recommend removing the WAN vlans from your config if not necessary.

/interface vlan
add comment=Secondary_WAN_VLAN_100 interface=bridge name=2Degrees_ISP vlan-id=100
add comment=Primary_WAN_VLAN_200 interface=ether1 name=Orcon_ISP vlan-id=200
add comment=LAN_VLAN_10 interface=bridge name=vlan10_main vlan-id=10
add comment=LAN_VLAN_20 interface=bridge name=vlan20_guest vlan-id=20

(2) Based on your text, this is what bridge ports should look like.
/interface bridge port
add bridge=bridge interface=ether3 ????
add bridge=bridge interface=ether4 ????
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether6 ???
add bridge=bridge interface=ether7 ???
add bridge=bridge interface=ether8 pvid=20
add bridge=bridge interface=ether9-trunk
add bridge=bridge interface=ether10
add bridge=bridge interface=qnap_bonding

Note A. your WAN2 should be removed from the bridge (eth10)
Note B. what friggen subnet is your qnap using????
Note C. what is happening on ether 3,4,6,7 ???


Okay hoping to find out as I work my way through the congfig. :-)

(3) After reviewing the bridge Vlans............. I see now 3,4,6,7 are untagged ports and thus require PVID. Ether10 should be removed.
You missed some key points in the LINK/RESOURCE provided.
The bridge must be tagged too!!
/interface bridge vlan
add bridge=bridge tagged=ether9-trunk,????? untagged=ether3,ether4,ether5,ether6,ether7,ether10,qnap_bonding \
vlan-ids=10
add bridge=bridge tagged=ether9-trunk,????? untagged=ether8 vlan-ids=20

Note. Every bridge port needs to be clearly identified as TRUNK (no pvids), ACCESS (with single pvid), HYBRID (with single PVID).
In terms of the hybrid port one simply adds, in the bridge vlan part of the config, the vlan(s) as tagged where required for the additional vlans travelling over the port.

(4) suggest setting this to NONE as it has been known to cause issues.
/interface detect-internet
set detect-interface-list=all
Last edited by anav on Sat May 08, 2021 9:53 pm, edited 2 times in total.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: rb4011 vlan filtering and dhcp issues

Sat May 08, 2021 5:29 pm

However why are your WAN connections on Vlans? THe only reason to do that is if the ISP provider sends the data to you on a VLAN.

No, it's not the only reason. One can connect ISP's border device (router, media converter, ...) to access port of some switch and use VLAN to carry it to router. No need to connect ISP directly to border router.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: rb4011 vlan filtering and dhcp issues

Sat May 08, 2021 9:52 pm

However why are your WAN connections on Vlans? THe only reason to do that is if the ISP provider sends the data to you on a VLAN.

No, it's not the only reason. One can connect ISP's border device (router, media converter, ...) to access port of some switch and use VLAN to carry it to router. No need to connect ISP directly to border router.
Never meant that as my sentence after notes there are times the ISP may connect via switch to the router................. will adjust text........

Who is online

Users browsing this forum: Bing [Bot] and 71 guests