nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

dhcp on vlan trunk not working

Thu Jun 10, 2021 6:31 pm

Hello!

I have a RouterOS HAP AC2 with 3 vlans: vlan10 and vlan20 for private/public access and vlan99 for management access. This router connects to (and is powered by) an RB260GSP.

ether1 on HAP AC2 is a trunk port, connected to RB260GSP port 5 which should also be a trunk port.

The DHCP server on vlan99 does work for sure, because I get an address if I connect my laptop to the ether2-mgmt untagged port on the router.

My main problem is that the switch cannot get an IP address via DHCP, and specifying a static address also does not work.

I have tried everything I could, but now I'm stuck.

Here is my routeros config:
# jun/10/2021 17:22:35 by RouterOS 6.47.10
# software id = BGJQ-V2CF
#
# model = RBD52G-5HacD2HnD
# serial number = D7160D5AA834
/interface bridge
add admin-mac=08:55:31:E7:F3:68 auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-main \
    vlan-filtering=yes
add name=vpn-blackhole protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment="to main switch, poe in" name=ether1-trunk
set [ find default-name=ether2 ] comment="Management port, not in bridge" name=ether2-mgmt
set [ find default-name=ether3 ] comment="acess private network" name=ether3-private
set [ find default-name=ether4 ] comment="access private network" name=ether4-private
set [ find default-name=ether5 ] comment="WAN port/internet" name=ether5-wan
/interface vlan
add interface=bridge-main name=vlan-mgmt vlan-id=99
add interface=bridge-main name=vlan-private vlan-id=10
add interface=bridge-main name=vlan-public vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip dhcp-server option
add code=119 name=domain-search-option value="'magnet.'"
/ip pool
add comment="For private vlan10" name=pool-private ranges=192.168.19.100-192.168.19.200
add comment="For public vlan20" name=pool-public ranges=10.10.1.1-10.10.3.254
add comment="For management" name=pool-mgmt ranges=192.168.77.100-192.168.77.200
/ip dhcp-server
add address-pool=pool-private disabled=no interface=vlan-private lease-script=onDhcpLease name=dhcp-private
add address-pool=pool-mgmt disabled=no interface=vlan-mgmt name=dhcp-mgmt
add address-pool=pool-public disabled=no interface=vlan-public name=dhcp-public
/interface bridge port
add bridge=bridge-main comment="access private vlan10" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether3-private pvid=10
add bridge=bridge-main comment="access private vlan10" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether4-private pvid=10
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan-private pvid=10
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan-public pvid=20
add bridge=bridge-main frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-trunk pvid=10
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2-mgmt pvid=99
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan-mgmt pvid=99
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=strict
/interface bridge vlan
add bridge=bridge-main tagged=ether1-trunk,bridge-main untagged=ether3-private,ether4-private,vlan-private vlan-ids=10
add bridge=bridge-main tagged=ether1-trunk,bridge-main untagged=vlan-public vlan-ids=20
add bridge=bridge-main tagged=bridge-main untagged=ether2-mgmt,vlan-mgmt vlan-ids=99
/interface list member
add comment=defconf interface=bridge-main list=LAN
add comment=defconf interface=ether5-wan list=WAN
/ip address
add address=192.168.19.254/24 comment=defconf interface=vlan-private network=192.168.19.0
add address=192.168.77.254/24 interface=vlan-mgmt network=192.168.77.0
add address=10.10.0.254/22 interface=vlan-public network=10.10.0.0
/ip dhcp-client
add comment=defconf default-route-distance=10 disabled=no interface=ether5-wan use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.19.253 client-id=1:8:55:31:db:5d:2d mac-address=08:55:31:DB:5D:2D server=dhcp-private
/ip dhcp-server network
add address=10.10.0.0/22 dns-server=1.1.1.3,1.0.0.3 domain=pubnet. gateway=10.10.0.254
add address=192.168.19.0/24 comment=defconf dns-server=192.168.19.254 domain=magnet. gateway=192.168.19.254 ntp-server=192.168.19.254
add address=192.168.77.0/24 comment=management dns-server=192.168.77.254 gateway=192.168.77.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3
/ip dns static
add address=192.168.19.254 comment=defconf name=router.magnet.
add address=10.10.0.254 name=router.pubnet
add address=192.168.77.1 name=router.mgmt
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment="Blackhole for RCF 1918 class A" distance=1 dst-address=10.0.0.0/8 gateway=vpn-blackhole
add comment="Blackhole for RCF 1918 class B" distance=1 dst-address=172.16.0.0/12 gateway=vpn-blackhole
add comment="Blackhole for RCF 1918 class C" distance=1 dst-address=192.168.0.0/16 gateway=vpn-blackhole
And here are some screenshots from swos:

https://imgur.com/a/R6cYD2R
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: dhcp on vlan trunk not working

Thu Jun 10, 2021 6:40 pm

Your setup of VLAN ports and interfaces is hosed ... I suggest you read this nice tutorial to see where you failed.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: dhcp on vlan trunk not working

Thu Jun 10, 2021 8:15 pm

As stated, read the link; it will solve any router vlan issues.

The barebones switches from MT are a biatch to work with.
Do not limit any access connectivity within the menus available (keep it wide open).
Okay, I have seen you have that in place, good!

They cannot be accessed by Winbox, but by IP and port from the PC.
Winbox can detect them but not open them.

All devices that you wish to manage need an IP address that is on your management vlan.
Therefore give your switch an IP address on that subnet manually.
Looks like you have; did you also manually put in the MAC address and IP in the router so you know that it's there
and the router will not try to use that IP?

Basic rule of thumb Trunk----> enabled/any/1/leave as is (for port membership leave as is for all applicable ports on incoming trunk and all applicable tagged ports)
Basic rule of thumb Access--->strict/only untagged/pvid#/always strip (for port membership, not a member except for applicable port(s))

Router settings:
Most set this to loose, not strict!!!
/ip settings
set rp-filter=strict

No firewall settings visible, so we will have no way to confirm if they are a problem?
 
nagylzs
Member
Topic Author

Re: dhcp on vlan trunk not working

Thu Jun 10, 2021 10:57 pm

> As stated, read the link; it will solve any router vlan issues.
I'm reading it now. In fact I have factory-reset my router and am trying the first example from that tutorial.
> The barebones switches from MT are a biatch to work with.
> Do not limit any access connectivity within the menus available (keep it wide open).
> Okay, I have seen you have that in place, good!
>
> They cannot be accessed by Winbox, but by IP and port from the PC.
> Winbox can detect them but not open them.
Yes, I was accessing it through a direct connection + browser.
> All devices that you wish to manage need an IP address that is on your management vlan.
> Therefore give your switch an IP address on that subnet manually.
I was hoping that the switch would be able to get an address with DHCP, on a specified vlan. Are you saying that the switch cannot do that?
> Looks like you have; did you also manually put in the MAC address and IP in the router so you know that it's there
> and the router will not try to use that IP?
I don't understand this question.
> Basic rule of thumb Trunk----> enabled/any/1/leave as is (for port membership leave as is for all applicable ports on incoming trunk and all applicable tagged ports)
> Basic rule of thumb Access--->strict/only untagged/pvid#/always strip (for port membership, not a member except for applicable port(s))
I could not try the access ports yet, but if I connect the switch to the router on the trunk port, then I can't ping it from the router. I guess that "strict" mode is also good if the vlan is listed in the VLANS table of the switch. But I deliberately used "enabled" mode because I just wanted to have something that works.
> Router settings:
> Most set this to loose, not strict!!!
> /ip settings
> set rp-filter=strict
That might have been the problem, but I have already reset the router. :(
> No firewall settings visible, so we will have no way to confirm if they are a problem?
I have deliberately deleted all firewall rules because I wanted to rule out any firewall configuration errors.
 
nagylzs
Member
Topic Author

Re: dhcp on vlan trunk not working

Fri Jun 11, 2021 9:01 pm

All right, I went through that tutorial. I have created my own version of the first example from the tutorial. I had to change it because I have a different router with a different number and type of ports.

Here are the only things that I have changed:

- trunk ports are ether1,ether2,ether3,ether4
- management ip is 192.168.19.254/24 instead of 192.168.0.1/24 (I just need this because the "WAN" connection is already using 192.168.0.1)
- vlan networks start with 10.19 instead of 10.0
- wan access port is configured with DHCP instead of static

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Router"



#######################################
# VLAN Overview
#######################################

# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4

# egress behavior
/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=10
add bridge=BR1 tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=20
add bridge=BR1 tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=30
add bridge=BR1 tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.19.254/24 interface=BASE_VLAN


# DNS server, set to cache for LAN
#/ip dns set allow-remote-requests=yes servers="9.9.9.9"
# Yellow WAN facing port with IP Address provided by ISP
#/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0
# router's gateway provided by ISP
#/ip route add distance=1 gateway=b.b.b.b

/interface ethernet
set [find default-name=ether5] name=ether5-wan

/ip dhcp-client
add interface=ether5-wan use-peer-dns=yes use-peer-ntp=yes disabled=no


#######################################
# IP Services
#######################################

# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10
/ip address add interface=BLUE_VLAN address=10.19.10.1/24
/ip pool add name=BLUE_POOL ranges=10.19.10.100-10.19.10.200
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.19.10.19/24 dns-server=192.168.19.254 gateway=10.19.10.1

# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=20
/ip address add interface=GREEN_VLAN address=10.19.20.1/24
/ip pool add name=GREEN_POOL ranges=10.19.20.100-10.19.20.200
/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP disabled=no
/ip dhcp-server network add address=10.19.20.0/24 dns-server=192.168.19.254 gateway=10.19.20.1

# Red VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=RED_VLAN vlan-id=30
/ip address add interface=RED_VLAN address=10.19.30.1/24
/ip pool add name=RED_POOL ranges=10.19.30.100-10.19.30.200
/ip dhcp-server add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP disabled=no
/ip dhcp-server network add address=10.19.30.0/24 dns-server=192.168.19.254 gateway=10.19.30.1

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=192.168.19.100-192.168.19.200
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=192.168.19.0/24 dns-server=192.168.19.254 gateway=192.168.19.254


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1     list=WAN
add interface=BASE_VLAN  list=VLAN
add interface=BLUE_VLAN  list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN   list=VLAN
add interface=BASE_VLAN  list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"


##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

In the next step, I have changed the RB260GSP switch config as follows:

1. factory reset
2. Port5 connected to router's ether1 port, Port1 connected to my laptop
3. on system tab: address acquisition: static, static ip address: 192.168.19.253

Save changes, then connect again (with laptop's IPv4 address also changed to 192.168.19.x) and then on the VLAN tab:

Port5/ingress:

* vlan mode: enabled
* vlan receive: only tagged
* default vlan id: 1
* force vlan id: false

Port5/egress:
* vlan header: add if missing

Port1/ingress:

* vlan mode: enabled
* vlan receive: only untagged
* default vlan id: 99
* force vlan id: true

Port1/egress:
* vlan header: always strip

Then Apply all again.

Then I tried to change my laptop to use DHCP on the switch's Port1 but it did not work. Also tried to manually enter 192.168.19.254 as the default gateway but it does not work.

Since this config is almost identical to the tutorial given, I'm now clueless.
 
nagylzs
Member
Topic Author

Re: dhcp on vlan trunk not working

Fri Jun 11, 2021 9:36 pm

Also tried the same config with all firewall rules deleted, and winbox allowed from all ports.

Result:

* I can login to the router with mac winbox, after vlan filtering is enabled, using its ether5-wan port (which is not part of the BR1 bridge)
* I can also access the switch on 192.168.19.253 by connecting my laptop directly to the switch's Port1
* But I cannot access the switch from the router, using the same 192.168.19.253 address
* And there are no firewall rules, everything is accepted
* And rest of the configuration is almost identical to the one given in the tutorial.
 
anav
Forum Guru

Re: dhcp on vlan trunk not working

Fri Jun 11, 2021 10:36 pm

/export hide-sensitive file=anynameyouwish and I will have a look at the entire config
 
nagylzs
Member
Topic Author

Re: dhcp on vlan trunk not working

Fri Jun 11, 2021 10:47 pm

Exported config attached. Thank you for your time!
 
nagylzs
Member
Topic Author

Re: dhcp on vlan trunk not working

Fri Jun 11, 2021 11:12 pm

Physical connection and SwOS settings here: https://imgur.com/a/Xkh7218
 
nagylzs
Member
Topic Author

Re: dhcp on vlan trunk not working

Fri Jun 11, 2021 11:19 pm

I just noticed one error, interface list WAN incorrectly had a member ether1. But it seems that this is not the main problem.
[admin@Router] /interface list> member 
[admin@Router] /interface list member> print 
Flags: X - disabled, D - dynamic 
 #   LIST                                                                                        INTERFACE                                                                                       
 0   WAN                                                                                         ether1                                                                                          
 1   VLAN                                                                                        BASE_VLAN                                                                                       
 2   VLAN                                                                                        BLUE_VLAN                                                                                       
 3   VLAN                                                                                        GREEN_VLAN                                                                                      
 4   VLAN                                                                                        RED_VLAN                                                                                        
 5   BASE                                                                                        BASE_VLAN                                                                                       
[admin@Router] /interface list member> remove 0
[admin@Router] /interface list member> add list=WAN interface=ether5-wan 
[admin@Router] /interface list member> /ping 192.168.19.253
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                             
    0 192.168.19.253                                          timeout                                                                                                                            
    1 192.168.19.253                                          timeout                                                                                                                            
    2 192.168.19.254                             84  64 990ms host unreachable                                                                                                                   
    sent=3 received=0 packet-loss=100% 

[admin@Router] /interface list member> /ip firewall nat 
[admin@Router] /ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Default masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
[admin@Router] /ip firewall nat> remove 0
[admin@Router] /ip firewall nat> /ping 192.168.19.253              
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                             
    0 192.168.19.253                                          timeout                                                                                                                            
    1 192.168.19.253                                          timeout                                                                                                                            
    sent=2 received=0 packet-loss=100% 

[admin@Router] /ip firewall nat> 
 
nagylzs
Member
Topic Author

Re: dhcp on vlan trunk not working

Fri Jun 11, 2021 11:39 pm

I have changed default vlanid on switch port5 from 99 to 1 and now it does work. Then I have tried different default vlan ids, and everything works except vlan 99.

Then I checked the documentation here : https://wiki.mikrotik.com/wiki/SwOS/RB250_RB260

And found this:
> Switch will treat both untagged and "Default VLAN ID" tagged ingress packets as they are tagged with this VLAN ID. **It is also used to untag egress traffic if packet's VLAN ID matches "Default VLAN ID".** The VLAN tag itself will only be added if there is VLAN Header = add if missing specified on egress port
Okay, so the default vlanid value is used to create untagged egress packets for a specific vlan id. I did not know about this. It also seems counter-intuitive - why would anybody want to tag all packets on a trunk port, except for a very specific one? But probably there is a good reason, I just don't know enough about these things.

Great, now it seems to be working.

I have also compared my original config with the tutorial, and one big difference is that vlan interfaces should not be added to the bridge vlan table. I also did not know about this, and there must be a good explanation about why this is the case.

Thank you for your time again! :-)
Last edited by nagylzs on Sat Jun 12, 2021 9:35 am, edited 1 time in total.
 
anav
Forum Guru

Re: dhcp on vlan trunk not working

Sat Jun 12, 2021 12:02 am

(1) Minor point, but if all bridge ports are identical it can be written as:
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1,ether2,ether3,ether4 vlan-ids=10,20,30,99

(2) Missing blue network settings.........
/ip dhcp-server network
add address=10.19.20.0/24 dns-server=192.168.19.254 gateway=10.19.20.1
add address=10.19.30.0/24 dns-server=192.168.19.254 gateway=10.19.30.1
add address=192.168.19.0/24 dns-server=192.168.19.254 gateway=192.168.19.254
10.19.10.x?????

(3) Missing firewall rules

(4) As far as switch goes, I said earlier in the thread that the ONLY REASON to change the default pvid is if the port is to be used for a dumb device and untagged for that PVID.

(5) I will take more time to look at the switch settings later this evening, they don't look quite correct.
 
anav
Forum Guru

Re: dhcp on vlan trunk not working

Sat Jun 12, 2021 12:44 am

Switch Comments.
(1) I rename the ports to where they are from/to, with the access ports also having the pvid indicated.

So mine is like: FromRouter / ToSwitch-44 / ToCAM-77 / ToVOIP-55 / ToAccPoint

(2) VLAN SETTINGS

INGRESS
ON PORT FROM ROUTER
vlanmode=enabled
vlan receive=any
default vlanid=1
EGRESS
Vlan header = leave as is

ON ACCESS PORT TO DUMB DEVICE (lets say unmanaged switch)
INGRESS
vlanmode=strict
vlanreceive=only untagged
default vlanid=44
EGRESS
always strip

VLANS SETTINGS
VLANID=1 (leave as is for EVERY TRUNK PORT not a member FOR ACCESS PORTS)

FROM ROUTER PORT ( every vlanID entry is LEAVE AS IS)
FOR ALL ACCESS PORTS (every vlan ID entry is NOT A MEMBER except for the vlan-id for that port)
FOR ALL TRUNK PORTS (every vlan ID entry that denotes a tagged vlan coming through that port is LEAVE AS IS, the rest, not a member)
 
nagylzs
Member
Topic Author

Re: dhcp on vlan trunk not working

Sat Jun 12, 2021 10:29 am

Hello,

I have tried your suggestions.

1. A dhcp server network address was missing indeed.
2. I'm aware of the missing firewall rules. Just because this was my very first attempt to create a network with vlans, I did not want to add restrictions before I made sure that the vlan works. But certainly I'll add rules (based on the tutorial), possibly I'll post them here.
3. Renamed all ports on the switch to reflect their usages. E.g. "Port5-WanRouter" and "Port1-Mgmt" etc.
4. About other switch settings: it seems that vlan mode=strict, vlan receive=only tagged works fine on tagged ports (as long as the VLANS table is filled in correctly). You have suggested using vlan mode=enabled, vlan receive=any instead. That also works, but I have read somewhere else that the switch should be configured to drop all packets that belong to unknown vlans (for security reasons).
5. After I made sure that the access and trunk ports on the switch work as expected, I also changed the administration settings on the system tab: allow from vlan=99 only, allow from Port1-mgmt and Port4-WanRouter ports only. It also seems to be working.

One more note about the example config from the tutorial. It does not change frame types on the bridge itself. E.g. the vlan table looks like this:
[admin@Router] /interface bridge vlan> print 
Flags: X - disabled, D - dynamic 
 #   BRIDGE           VLAN-IDS  CURRENT-TAGGED          CURRENT-UNTAGGED         
 0   BR1              10        BR1                    
                                ether1                 
 1   BR1              20        BR1                    
                                ether1                 
 2   BR1              30        BR1                    
                                ether1                 
 3   BR1              99        BR1                    
                                ether1                 
 4 D BR1              1                                 BR1                      
[admin@Router] /interface bridge vlan> 
A dynamic entry for pvid=1 is added for BR1. I believe that the last line in the tutorial should be:
/interface bridge set BR1 vlan-filtering=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes
Instead of:
/interface bridge set BR1 vlan-filtering=yes
This eliminates the dynamic entry (and pvid=1) from the vlan table completely:
[admin@Router] /interface bridge> /interface bridge vlan 
[admin@Router] /interface bridge vlan> print 
Flags: X - disabled, D - dynamic 
 #   BRIDGE                         VLAN-IDS  CURRENT-TAGGED                       CURRENT-UNT
 0   BR1                            10        BR1                                 
                                              ether1                              
 1   BR1                            20        BR1                                 
                                              ether1                              
 2   BR1                            30        BR1                                 
                                              ether1                              
 3   BR1                            99        BR1                                 
                                              ether1                              
[admin@Router] /interface bridge vlan> 
One thing I didn't understand is that BASE_VLAN, BLUE_VLAN, GREEN_VLAN and RED_VLAN are not added to the /interface bridge vlan table, but they function properly anyway. :-) After reading the https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table manual, I had the idea that once vlan filtering is enabled on the bridge, any interface that is not listed in the bridge's vlan table is prohibited from sending out packets. But it seems that I was wrong - vlan interfaces are circumventing the vlan table completely. They can only have a single vlan id assigned, and (I guess) this is why they should never be added to the bridge's vlan table. But this was not obvious to me, because that manual did not use vlan interfaces at all. And this "rule" is not explicitly written anywhere.

Thank you for your help! It was delightful to learn something new. :-)
 
mkx
Forum Guru

Re: dhcp on vlan trunk not working

Sat Jun 12, 2021 10:59 am

> why would anybody want to tag all packets on a trunk port, except for a very specific one?
On a trunk port one would not tag/untag any packets and would thus configure such a port with frame-types=admit-only-vlan-tagged ingress-filtering=yes (when using bridge vlan filtering, and the appropriate setting with similar effect when using the switch chip vlan setup). These two settings ensure that the trunk port accepts only the intended vlans on ingress. The matching config for egress is to enumerate all allowed VLANs as tagged.
The second setting (ingress-filtering) means that the ingress filter will consult the egress table for the list of allowed VLANs and will drop frames belonging to VLANs not in the table.

A hybrid port (also referred to as a trunk port by some vendors, who add "with native vlan") is different: it allows untagged frames as well, and in this case one has to set PVID (default vlan) and allow any frame types on ingress. In this case one has to be careful (ROS doesn't enforce it) to make the ingress and egress settings match (PVID on ingress means frames should be untagged on egress).
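The two facts that resolved this thread can be traced hop by hop: the SwOS "Default VLAN ID" untagging egress frames of that VLAN (the documentation sentence nagylzs quoted a few posts up) and a RouterOS trunk port with ingress-filtering=yes consulting the bridge VLAN table (mkx's explanation just above). The Python below is an added example written for this page, not MikroTik code and not a tool from the thread. It is a simplified model of the SwOS and RouterOS port rules as described in the thread (SwOS "strict" versus "enabled" checking is left out), and the configuration values are those of the posts: the first export's bridge VLAN table, the tutorial-based table, and Port5 with default vlan id 99 (the state before the fix) and 1 (after it).

```python
"""Trace a frame from the laptop on RB260GSP Port1, out Port5 and into the hAP
ac2 trunk port, for the configurations in this thread. Constructed model, not
MikroTik code: SwOS behaviour follows the RB250/RB260 wiki sentence quoted in
the thread (Default VLAN ID tags untagged ingress and untags matching egress when
VLAN Header = add if missing); RouterOS behaviour follows frame-types,
ingress-filtering and pvid on bridge ports plus the bridge VLAN table. SwOS
"strict" versus "enabled" checking is not modelled."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Union

DROP = "DROP"            # sentinel: the frame is discarded at this hop
Wire = Optional[int]     # tag on the wire: a VLAN ID, or None for untagged
Hop = Union[int, None, str]

@dataclass
class SwosPort:
    vlan_receive: str     # "any" | "only tagged" | "only untagged"
    default_vlan_id: int
    force_vlan_id: bool
    vlan_header: str      # "leave as is" | "always strip" | "add if missing"

def swos_ingress(port: SwosPort, tag: Wire) -> Hop:
    """VLAN ID the switch assigns to an incoming frame, or DROP."""
    if port.vlan_receive == "only tagged" and tag is None:
        return DROP
    if port.vlan_receive == "only untagged" and tag is not None:
        return DROP
    return port.default_vlan_id if tag is None or port.force_vlan_id else tag

def swos_egress(port: SwosPort, vid: int, arrived_tagged: bool) -> Wire:
    """Tag the switch puts on the wire when sending VLAN vid out of port."""
    if port.vlan_header == "always strip":
        return None
    if port.vlan_header == "add if missing":
        # Quoted doc: egress frames whose VLAN ID equals Default VLAN ID go out
        # untagged; every other VLAN gets a tag if it lacks one.
        return None if vid == port.default_vlan_id else vid
    return vid if arrived_tagged else None   # "leave as is"

@dataclass
class BridgePort:
    frame_types: str      # "admit-all" | "admit-only-vlan-tagged" | "admit-only-untagged-and-priority-tagged"
    ingress_filtering: bool
    pvid: int

@dataclass
class Bridge:
    ports: Dict[str, BridgePort]
    tagged: Dict[int, Set[str]] = field(default_factory=dict)    # /interface bridge vlan tagged=
    untagged: Dict[int, Set[str]] = field(default_factory=dict)  # /interface bridge vlan untagged=

def ros_ingress(br: Bridge, name: str, tag: Wire) -> Hop:
    """RouterOS bridge-port ingress: frame-types first, then the VLAN table."""
    p = br.ports[name]
    if p.frame_types == "admit-only-vlan-tagged" and tag is None:
        return DROP
    if p.frame_types == "admit-only-untagged-and-priority-tagged" and tag is not None:
        return DROP
    vid = p.pvid if tag is None else tag
    # ingress-filtering=yes: the egress (VLAN) table decides which VLANs the
    # port may carry; a VLAN the port is not a member of is dropped on ingress.
    member = name in br.tagged.get(vid, set()) or name in br.untagged.get(vid, set())
    return vid if member or not p.ingress_filtering else DROP

def ros_egress(br: Bridge, name: str, vid: int) -> Hop:
    """RouterOS bridge egress: tagged (vid), untagged (None) or not forwarded (DROP)."""
    if name in br.tagged.get(vid, set()):
        return vid
    if name in br.untagged.get(vid, set()):
        return None
    return DROP

def laptop_to_router(port1: SwosPort, port5: SwosPort, br: Bridge, trunk: str) -> Hop:
    """Untagged DHCP Discover from the laptop: in Port1, out Port5, into the trunk."""
    vid = swos_ingress(port1, None)
    if vid == DROP:
        return DROP
    return ros_ingress(br, trunk, swos_egress(port5, vid, arrived_tagged=False))

# First post: VLAN 99 is tagged on bridge-main only, never on ether1-trunk.
ORIGINAL = Bridge(
    ports={"ether1-trunk": BridgePort("admit-only-vlan-tagged", True, 10)},
    tagged={10: {"ether1-trunk", "bridge-main"}, 20: {"ether1-trunk", "bridge-main"}, 99: {"bridge-main"}},
    untagged={10: {"ether3-private", "ether4-private", "vlan-private"}, 20: {"vlan-public"},
              99: {"ether2-mgmt", "vlan-mgmt"}},
)
# Tutorial-based config: every VLAN tagged on BR1 and on the four trunk ports.
TUTORIAL = Bridge(
    ports={"ether1": BridgePort("admit-only-vlan-tagged", True, 1)},
    tagged={v: {"BR1", "ether1", "ether2", "ether3", "ether4"} for v in (10, 20, 30, 99)},
)
PORT1 = SwosPort("only untagged", 99, True, "always strip")             # laptop, access VLAN 99
PORT5_DEFAULT99 = SwosPort("only tagged", 99, False, "add if missing")  # Port5 before the fix
PORT5_DEFAULT1 = SwosPort("only tagged", 1, False, "add if missing")    # Port5 after the fix

if __name__ == "__main__":
    print("first config, VLAN 99 out of ether1-trunk:", ros_egress(ORIGINAL, "ether1-trunk", 99))
    print("tutorial config, Port5 default VLAN 99, laptop->router:", laptop_to_router(PORT1, PORT5_DEFAULT99, TUTORIAL, "ether1"))
    print("tutorial config, Port5 default VLAN 1, laptop->router:", laptop_to_router(PORT1, PORT5_DEFAULT1, TUTORIAL, "ether1"))
```

Run as a script it prints DROP, DROP and 99: with the first export, VLAN 99 never leaves (or enters) ether1-trunk because that port is not in the VLAN 99 entry; with the tutorial-based router config and default vlan id 99 on Port5, the switch sends the management VLAN untagged and the admit-only-vlan-tagged trunk discards it; with default vlan id 1 the frame arrives tagged 99 and the VLAN table admits it.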
 
anav
Forum Guru

Re: dhcp on vlan trunk not working

Sat Jun 12, 2021 3:35 pm

Okay, first important point.
Leave Bridge alone in terms of extra setting, meaning default pvid and enabled is all that you need to do.
Apply the vlan frame allowing and filtering on the bridge ports..............

I think the difference compared to "standard" managed switch jargon is as follows:
A. Bridge port ingress filtering here means. (DO NOT ALLOW ANY VLAN THAT HAS NOT BEEN DESIGNATED FOR THIS PORT)
B. Bridge ingress filtering here means. (DO NOT ALLOW ANY VLANS THAT HAVE NOT BEEN DESIGNATED FOR THIS BRIDGE)

For example, if vlan 88 is not recognized or identified on the bridge it will not be allowed to ingress anywhere.
For example, if vlan77 is recognized and identified on the bridge, it will be allowed to ingress in any port.
IF bridge ingress filtering is NOT enabled, it wont look at tagging in the above terms.

The Bridge port ingress filtering is stricter in that it only cares about what has been allowed or identified for that specific port.
For example if vlan 88 is not recognized or identified on the bridge, thus it's not identified on the port and the port will not allow ingress.
For example if vlan77 is recognized or identified on the bridge, but is NOT identified for the port, the port will not allow ingress.

Conclusion: if you apply bridge port filtering it is stricter than using bridge filtering, which then really becomes not all that required IMHO.
Other thoughts welcome, especially if I am wrong LOL.


Yes, I hear you on the SwOS, if the further narrowing down on the Trunk ports works thats great and I probably should do the same.

Now what I don't understand is why you have a FROMWAN port and a separate management port on your switch??
YOU DON'T NEED A management port? maybe lol.

The management aspect comes on the VLAN that is running through the WANPORT and you should be able to manage the switch by IP address and password on the browser on your PC?
However, if you are carrying the management vlan FOR more than just tagged to the switch for IP address and actually intend to attach your PC to this 'management' port to access the switch (for an emergency or backup) and dont need the port for other reasons (an extra) its not a bad plan!!

One thing on the router, in terms of bridge ports: when you set a port as an ACCESS PORT (going to a dumb device) and assign a PVID, the router will dynamically create the untagged port on the bridge vlan settings. However, I manually insert them in my config so I can visually map bridge ports to bridge vlans on the config while constructing and later while troubleshooting. Simply, the dynamic settings do not show, and if someone has erred in their config it's much easier to figure out if all settings have been attempted, or at least it's much easier to figure out where the thinking or understanding has gone wrong.
My recommendation is to ignore the experts here, who are perfect and don't make mistakes, and do it my way, which exposes how well you do or don't understand the relationships in bridge vlan filtering. They don't like showing their soiled panties; I wear mine around my head like a badge of honour............ okay maybe not the best analogy but it's graphic!!
As if their shit doesn't stink LOL....... is what I meant jajajaja.

Okay so let's hit the topic of hybrids.........at least on the RouterOS side, one can have one UNTAGGED vlan on any port, and this holds true for Access Ports and Hybrid Ports.
ON a hybrid port the following applies
1. ON the bridge port settings one allows any frames and sets the pvid of the 'access' vlan
2. ON the bridge vlan settings one applies the untagging for the appropriate pvid vlan (or you can let the router do it automagically (if your shit doesn't stink)). For all other vlans that are running through that port (i.e. tagged) they are so identified by ensuring the port is a tagged port for that vlanid.
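The lessons of the last few posts (nagylzs: VLAN interfaces must not appear in the bridge or its VLAN table, and a bridge left at its default frame-types grows a dynamic untagged entry for its pvid; anav: declare the untagged entry for every pvid yourself, and a port can be untagged for only one VLAN) can be turned into a static check that runs over an export before vlan-filtering is switched on. The Python below is an added example written for this page, not MikroTik code and not a tool mentioned in the thread. It parses only the "add" statements of the four relevant sections (so frame-types applied later by "set", as the tutorial does for its trunk ports, are not seen), and it runs against an excerpt of the first post's export with the vpn-blackhole bridge and the unrelated sections left out.

```python
"""Static check of the bridge-VLAN part of a RouterOS export (added example,
not MikroTik code). Parses the 'add' statements under /interface bridge,
/interface bridge port, /interface bridge vlan and /interface vlan and reports
the mistakes discussed in this thread: VLAN interfaces in the bridge or its VLAN
table, untagged membership on a tagged-only port, several untagged VLANs on one
port, and a pvid with no explicit untagged entry (RouterOS adds a dynamic one).
'set' statements are not parsed, so frame-types given via 'set' are not seen."""
import shlex
from typing import Dict, List, Set

Entry = Dict[str, str]
def parse_export(text: str) -> Dict[str, List[Entry]]:
    """Group 'add key=value ...' statements by their '/section' header."""
    sections: Dict[str, List[Entry]] = {}
    section, buf = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        buf += " " + line.rstrip("\\")
        if line.endswith("\\"):          # statement continues on the next line
            continue
        tokens, buf = shlex.split(buf), ""
        if tokens and tokens[0] == "add":
            sections.setdefault(section, []).append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections

def vlan_ids(spec: str) -> Set[int]:
    """Expand a vlan-ids value such as '10,20,30,99' or '100-102'."""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def members(entry: Entry, key: str) -> List[str]:
    return [m for m in entry.get(key, "").split(",") if m]

def lint_bridge_vlans(text: str) -> List[str]:
    cfg = parse_export(text)
    vlan_ifaces = {e["name"] for e in cfg.get("/interface vlan", [])}
    # the bridge itself has a pvid and frame-types, so treat it like a port
    nodes: Dict[str, Entry] = {e["name"]: e for e in cfg.get("/interface bridge", [])}
    nodes.update({e["interface"]: e for e in cfg.get("/interface bridge port", [])})
    findings: List[str] = []
    untagged_on: Dict[str, Set[int]] = {}
    for e in cfg.get("/interface bridge vlan", []):
        for name in members(e, "tagged") + members(e, "untagged"):
            if name in vlan_ifaces:
                findings.append(f"vlan {e['vlan-ids']}: {name} is a VLAN interface; it belongs "
                                "on the bridge, not in the bridge VLAN table")
        for name in members(e, "untagged"):
            untagged_on.setdefault(name, set()).update(vlan_ids(e["vlan-ids"]))
            if nodes.get(name, {}).get("frame-types") == "admit-only-vlan-tagged":
                findings.append(f"vlan {e['vlan-ids']}: {name} is untagged here but admits only tagged frames")
    for name, node in nodes.items():
        if name in vlan_ifaces:
            findings.append(f"port {name}: VLAN interface added as a bridge port")
        elif node.get("frame-types") != "admit-only-vlan-tagged":  # pvid only matters if untagged frames enter
            pvid, have = int(node.get("pvid", "1")), untagged_on.get(name, set())
            if len(have) > 1:
                findings.append(f"port {name}: untagged for several VLANs {sorted(have)}; only one is possible")
            if pvid not in have:
                findings.append(f"port {name}: pvid {pvid} has no untagged entry; RouterOS adds a dynamic one "
                                "(declare it, or set frame-types=admit-only-vlan-tagged if it is a trunk)")
    return findings

# Excerpt of the first post's export: bridge, VLAN interfaces, bridge ports, bridge VLAN table.
ORIGINAL = r"""
/interface bridge
add admin-mac=08:55:31:E7:F3:68 auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-main \
    vlan-filtering=yes
/interface vlan
add interface=bridge-main name=vlan-mgmt vlan-id=99
add interface=bridge-main name=vlan-private vlan-id=10
add interface=bridge-main name=vlan-public vlan-id=20
/interface bridge port
add bridge=bridge-main comment="access private vlan10" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether3-private pvid=10
add bridge=bridge-main comment="access private vlan10" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether4-private pvid=10
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan-private pvid=10
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan-public pvid=20
add bridge=bridge-main frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-trunk pvid=10
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2-mgmt pvid=99
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan-mgmt pvid=99
/interface bridge vlan
add bridge=bridge-main tagged=ether1-trunk,bridge-main untagged=ether3-private,ether4-private,vlan-private vlan-ids=10
add bridge=bridge-main tagged=ether1-trunk,bridge-main untagged=vlan-public vlan-ids=20
add bridge=bridge-main tagged=bridge-main untagged=ether2-mgmt,vlan-mgmt vlan-ids=99
"""

if __name__ == "__main__":
    for finding in lint_bridge_vlans(ORIGINAL):
        print(finding)
```

On the excerpt it reports six findings, all about vlan-mgmt, vlan-private and vlan-public being used as bridge ports and as untagged members of the VLAN table; the access ports pass because each pvid has a matching untagged entry, and ether1-trunk and bridge-main are skipped as tagged-only. Fed a tutorial-style bridge that keeps the default frame-types, it reports exactly the dynamic pvid-1 entry nagylzs saw in his print, and nothing once frame-types=admit-only-vlan-tagged is set on the bridge.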
