bjornpost
just joined
Topic Author
Posts: 19
Joined: Mon Feb 16, 2015 3:44 pm

Need help: DHCP on VLAN bridge not working, works on just an interface?

Mon Feb 16, 2015 3:47 pm

I'm trying to create a bridge (bridge-vlan21) with a DHCP server:
/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS
 3  R  ether4                              ether            1500  1598       4074 D4:CA:6D:XX:XX:86
13  R  bridge-vlan21                       bridge           1500  1594            D4:CA:6D:XX:XX:86
14  RS ether4-vlan21                       vlan             1500  1594            D4:CA:6D:XX:XX:86

/interface vlan print
Flags: X - disabled, R - running, S - slave
 #    NAME                                                                        MTU ARP        VLAN-ID INTERFACE
 0 R  ether4-vlan21                                                              1500 enabled         21 ether4

/interface bridge print
Flags: X - disabled, R - running
 1  R name="bridge-vlan21" mtu=auto actual-mtu=1500 l2mtu=1594 arp=enabled mac-address=D4:CA:6D:XX:XX:86 protocol-mode=rstp priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
      max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

/ip dhcp-server print
Flags: X - disabled, I - invalid
 #   NAME                              INTERFACE                             RELAY         ADDRESS-POOL                             LEASE-TIME ADD-ARP
 1   dhcp-vlan21                     bridge-vlan21                                         pool-vlan21                              10m

/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 4   10.0.21.254/24     10.0.21.0       bridge-vlan21
When configured as above, clients connecting on vlan21 do not receive a DHCP lease. Pinging the gateway is not working either. If I reconfigure the router to have a DHCP server on ether4-vlan21 (and not the bridge), it works as expected.

What am I missing here?
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Need help: DHCP on VLAN bridge not working, works on just an interface?

Mon Feb 16, 2015 4:20 pm

Is the VLAN set to be a port on the bridge? The details shown don't make that clear.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Need help: DHCP on VLAN bridge not working, works on just an interface?

Mon Feb 16, 2015 5:41 pm

The bridge cannot contain a VLAN that is assigned to a physical port and the physical port itself. I don't know specifically why, but it cannot. It may work for a short time, but it soon breaks down and stops responding.
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: Need help: DHCP on VLAN bridge not working, works on just an interface?

Mon Feb 16, 2015 7:11 pm

/interface bridge port add bridge=bridge-vlan21 port=ether4-vlan21
 
bjornpost
just joined
Topic Author
Posts: 19
Joined: Mon Feb 16, 2015 3:44 pm

Re: Need help: DHCP on VLAN bridge not working, works on just an interface?

Mon Feb 16, 2015 7:13 pm

First, thanks for taking the time to reply, CelticComms and Feklar.
CelticComms wrote: "Is the VLAN set to be a port on the bridge? The details shown don't make that clear."
Sorry about that. For testing purposes, the bridge only contains ether4-vlan21:
/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                     BRIDGE                     PRIORITY  PATH-COST    HORIZON
 1 I  ether4-vlan21                 bridge-vlan21                  0x80         10       none
I just noticed the 'inactive' flag for the bridge port-- not sure why or how, in the /interface print output I can see bridge-vlan21, ether4 and ether4-vlan21 being enabled.
/interface bridge port monitor  
numbers: 1
               status: in-bridge
          port-number: 1
                 role: disabled-port
            edge-port: yes
  edge-port-discovery: yes
  point-to-point-port: no
         external-fdb: no
         sending-rstp: no
             learning: yes
           forwarding: yes
 
bjornpost
just joined
Topic Author
Posts: 19
Joined: Mon Feb 16, 2015 3:44 pm

Re: Need help: DHCP on VLAN bridge not working, works on just an interface?

Mon Feb 16, 2015 8:35 pm

lambert wrote: /interface bridge port add bridge=bridge-vlan21 port=ether4-vlan21
Port ether4-vlan21 is already in the bridge-vlan21:
/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                     BRIDGE                     PRIORITY  PATH-COST    HORIZON
 0    ether3                        bridge-local                   0x80         10       none
 1 I  ether4-vlan21                 bridge-vlan21                  0x80         10       none
Last edited by bjornpost on Tue Feb 17, 2015 1:38 pm, edited 1 time in total.
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Need help: DHCP on VLAN bridge not working, works on just an interface?

Tue Feb 17, 2015 5:22 am

If you are still having the issue, upload the output of /export compact.

 
bjornpost
just joined
Topic Author
Posts: 19
Joined: Mon Feb 16, 2015 3:44 pm

Re: Need help: DHCP on VLAN bridge not working, works on just an interface?

Tue Feb 17, 2015 1:48 pm

Sorry about the delay in response, seems like all my replies are being held back because they need to be approved by a moderator. My current config:
# feb/17/2015 12:39:24 by RouterOS 6.27
# software id = ABCD-ABCD
#
/interface bridge
add admin-mac=D4:CA:6D:XX:XX:84 arp=proxy-arp auto-mac=no mtu=1500 name=bridge-local
add name=bridge-vlan21

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=1Gbps
set [ find default-name=ether2 ] name=ether2-gateway speed=1Gbps
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] speed=100Mbps

/interface pptp-server
add name=pptp user=""

/ip neighbor discovery
set ether1-gateway discover=no
set ether2-gateway discover=no
set ether3 discover=no
set ether4 discover=no
set ether5 discover=no
set ether6 discover=no
set ether7 discover=no
set ether8 discover=no
set ether9 discover=no
set ether10 discover=no
set sfp1 discover=no
set bridge-local discover=no
set pptp discover=no

/interface vlan
add interface=ether4 l2mtu=1594 name=ether4-vlan21 vlan-id=21

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc,aes-192-cbc,aes-256-cbc lifetime=1h

/ip pool
add name=default-dhcp ranges=10.0.13.1-10.0.13.200
add name=vpn-pool ranges=10.0.13.201-10.0.13.225
add name=pool-vlan21 ranges=10.0.21.1-10.0.21.100

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local lease-time=3d name=default
add address-pool=pool-vlan21 disabled=no interface=bridge-vlan21 name=dhcp-vlan21

/port
set 0 name=serial0

/ppp profile
add dns-server=10.0.13.254 local-address=10.0.13.254 name=pptp-profile remote-address=vpn-pool use-encryption=\
    required
add address-list=l2tp-clients local-address=10.0.13.254 name=l2tp-profile remote-address=vpn-pool

/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100

/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-vlan21 interface=ether4-vlan21

/interface bridge settings
set use-ip-firewall-for-vlan=yes

/ip firewall connection tracking
set enabled=yes tcp-established-timeout=1h30m

/ip settings
set tcp-syncookies=yes

/interface l2tp-server server
set authentication=pap default-profile=l2tp-profile enabled=yes

/interface pptp-server server
set default-profile=pptp-profile enabled=yes max-mru=1460 max-mtu=1460

/ip address
add address=10.0.13.254/24 interface=bridge-local network=10.0.13.0
add address=123.123.123.123/32 interface=ether2-gateway network=123.123.123.124
add address=124.124.124.124/32 interface=ether1-gateway network=124.124.124.125
add address=10.0.21.254/24 interface=bridge-vlan21 network=10.0.21.0

/ip dhcp-server network
add address=10.0.13.0/24 dns-server=10.0.13.254 domain=vp gateway=10.0.13.254
add address=10.0.21.0/24 dns-server=10.0.21.254 gateway=10.0.21.254 netmask=24

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall filter
add chain=input comment="allow related" connection-state=related in-interface=ether1-gateway
add chain=input connection-state=related in-interface=ether2-gateway
add chain=input comment="allow established" connection-state=established in-interface=ether1-gateway
add chain=input connection-state=established in-interface=ether2-gateway
add chain=input comment="allow ping" protocol=icmp
add chain=forward comment="allow http(s)" dst-port=80,443 protocol=tcp
add chain=forward comment="allow (ssl) smtp, imap ssl, pop3s" dst-port=25,465,993,995 protocol=tcp
add chain=input comment="allow pptp vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
add chain=input dst-port=1723 in-interface=ether2-gateway protocol=tcp
add chain=input in-interface=ether1-gateway protocol=gre
add chain=input in-interface=ether2-gateway protocol=gre
add chain=input comment="allow ipsec vpn" connection-state=new dst-port=500 in-interface=ether1-gateway protocol=udp
add chain=input connection-state=new dst-port=1701 in-interface=ether1-gateway protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=ether1-gateway protocol=udp
add chain=input connection-state=new dst-port=500 in-interface=ether2-gateway protocol=udp
add chain=input connection-state=new dst-port=1701 in-interface=ether2-gateway protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=ether2-gateway protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid in-interface=ether1-gateway
add action=drop chain=input connection-state=invalid in-interface=ether2-gateway
add action=drop chain=forward connection-state=invalid in-interface=ether1-gateway
add action=drop chain=forward connection-state=invalid in-interface=ether2-gateway
add action=drop chain=forward comment="drop everything" disabled=yes in-interface=ether1-gateway
add action=drop chain=input in-interface=ether1-gateway
add action=drop chain=input in-interface=ether2-gateway

/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark xs4all connections" connection-mark=no-mark in-interface=\
    ether2-gateway new-connection-mark=xs4all-connections passthrough=no
add action=mark-routing chain=prerouting connection-mark=xs4all-connections new-routing-mark=to-xs4all passthrough=no \
    src-address=10.0.13.2
add action=mark-routing chain=prerouting dst-port=25 new-routing-mark=to-xs4all passthrough=no protocol=tcp \
    src-address=10.0.13.2

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade outgoing traffic" out-interface=ether1-gateway to-addresses=\
    0.0.0.0
add action=masquerade chain=srcnat out-interface=ether2-gateway
add action=dst-nat chain=dstnat comment="vlak: smtp" dst-port=25 in-interface=ether1-gateway protocol=tcp \
    to-addresses=10.0.13.2
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether2-gateway protocol=tcp to-addresses=10.0.13.2
add action=dst-nat chain=dstnat comment="vlak: http and https" dst-port=80 in-interface=ether1-gateway protocol=tcp \
    to-addresses=10.0.13.2
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether2-gateway protocol=tcp to-addresses=10.0.13.2
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=10.0.13.2
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether2-gateway protocol=tcp to-addresses=10.0.13.2
add action=dst-nat chain=dstnat comment="vlak: ssl smtp" dst-port=465 in-interface=ether1-gateway protocol=tcp \
    to-addresses=10.0.13.2
add action=dst-nat chain=dstnat dst-port=465 in-interface=ether2-gateway protocol=tcp to-addresses=10.0.13.2
add action=dst-nat chain=dstnat comment="vlak: imap ssl" dst-port=993 in-interface=ether1-gateway protocol=tcp \
    to-addresses=10.0.13.2
add action=dst-nat chain=dstnat dst-port=993 in-interface=ether2-gateway protocol=tcp to-addresses=10.0.13.2
add action=dst-nat chain=dstnat comment="vlak: pop3s" dst-port=995 in-interface=ether1-gateway protocol=tcp \
    to-addresses=10.0.13.2
add action=dst-nat chain=dstnat dst-port=995 in-interface=ether2-gateway protocol=tcp to-addresses=10.0.13.2

/ip ipsec peer
add enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=blahblah \
    send-initial-contact=no

/ip route
add distance=15 gateway=194.109.5.177 routing-mark=to-xs4all
add check-gateway=ping distance=5 gateway=123.123.123.123
add check-gateway=ping distance=10 gateway=123.123.123.123

/ip service
set telnet disabled=yes
set ftp disabled=yes

/ip traffic-flow
set interfaces=*E

/ppp aaa
set use-radius=yes

/radius
add address=10.0.13.123 secret=blahblah service=ppp timeout=5s

/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam

/system identity
set name=mikrotik1.vp

/system ntp client
set enabled=yes primary-ntp=194.109.22.18 secondary-ntp=194.109.20.18

/tool graphing interface
add interface=ether1-gateway
add interface=ether2-gateway
add interface=bridge-local

/tool graphing resource
add

/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-gateway
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface=ether8
add interface=ether9
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-gateway
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface=ether8
add interface=ether9
add interface=bridge-local

/tool sniffer
set filter-interface=*12 filter-stream=yes
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Need help: DHCP on VLAN bridge not working, works on just an interface?

Tue Feb 17, 2015 10:26 pm

Could you check the MAC address that the bridge is using and use admin MAC address to force it to a new value and see if that changes the symptoms?

 
bjornpost
just joined
Topic Author
Posts: 19
Joined: Mon Feb 16, 2015 3:44 pm

Re: Need help: DHCP on VLAN bridge not working, works on just an interface?

Wed Feb 18, 2015 12:08 am

I've restarted both the router and switch multiple times, including a factory reset on the switch. I'll try manually setting the admin-mac, maybe it's a caching issue. Maybe related: I configured a spare RB2011 (running 6.7 instead of 6.27) with the same config as I shared before (with the DHCP server on the bridge), and it works! So either the issue is related to the MAC address, or it could be a bug introduced between 6.7 and 6.27.
 
NathanA
Forum Veteran
Posts: 801
Joined: Tue Aug 03, 2004 9:01 am

Re: Need help: DHCP on VLAN bridge not working, works on just an interface?

Wed Feb 18, 2015 12:53 pm

bjornpost wrote: "I just noticed the 'inactive' flag for the bridge port"
This is clearly the problem. With an "I" flag and a "disabled" status, the bridge is not going to be forwarding traffic to that member interface since it doesn't consider it to be valid for some reason. The question is why. Normally, I would only expect to see something like that if the VLAN interface itself was disabled, the VLAN interface's parent interface was disabled, or the VLAN interface's parent interface was not in "R"unning state (doesn't have a link). After reviewing your export, assuming it is complete, I am as baffled as you are; everything looks fine to me.

What happens if you try disabling and re-enabling that entry in the bridge port list?
bjornpost wrote: "Maybe related; I configured a spare RB2011 (running 6.7 instead of 6.27) with the same config as I shared before (with the DHCP server on the bridge), and it works!"
Take the working test router, upgrade it to 6.27, and see if it still works immediately after the upgrade has completed without making any changes. If it doesn't work, check the status of the VLAN in the bridge port membership to verify that the same thing happened to this router after the upgrade ("I" flag).

If the upgrade breaks things in the exact same way, downgrade it back to 6.7 and see if it starts working again. If it does, you are in for a long night: upgrade one minor point release at a time (6.8, 6.9, 6.10, ...) until it breaks again. Then review the changelog once you find the version that breaks it and see if there is anything related in there. Finally, open up a support ticket with MikroTik Support (support@mikrotik.com) giving them all of this information (what is happening, what version of RouterOS caused it to break, along with attaching a supout.rif file generated from the router while it is in the broken state).
Feklar wrote: "The bridge cannot contain a VLAN that is assigned to a physical port and the physical port itself. I don't know specifically why, ..."
Um...because that would be nonsense? What exactly would be accomplished by bridging the VLAN with its parent interface? You want ethernet packets tagged with that VLAN and egressing from that interface to be hairpinned right back around and sent back into the same interface that they came from, but stripped of their VLAN tag?

In any case, it doesn't look like 'bjornpost' tried to do that, so that's not the problem here.

-- Nathan
 
bjornpost
just joined
Topic Author
Posts: 19
Joined: Mon Feb 16, 2015 3:44 pm

Re: Need help: DHCP on VLAN bridge not working, works on just an interface?

Wed Feb 18, 2015 6:28 pm

It looks like it was related to the MAC address of the bridge. After manually setting it to another value (and reconfiguring the DHCP to be on the bridge rather than the port), things started to work again. Weird issue, seems like something got stuck in some sort of cache either on the router or switch. I'm glad it's solved now. Not sure if this is a bug of some kind though.

Thanks for thinking along, everyone. Let's hope the issue does not return in the (near) future, as I'm unsure what might have triggered it.
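
Added example, not part of any post in this thread: a small Python check over `/export compact` text for the two bridge conditions discussed above, namely a bridge with a VLAN member and no fixed admin-mac (pinning the MAC is the change that resolved the issue) and a bridge that contains both a VLAN and its parent interface (Feklar's point). The function names and finding labels are assumptions of this sketch; the sample input is constructed from the export posted earlier.

```python
import re
import shlex

# Constructed sample: the bridge-related sections of the export posted in this thread.
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=D4:CA:6D:XX:XX:84 arp=proxy-arp auto-mac=no mtu=1500 name=bridge-local
add name=bridge-vlan21
/interface vlan
add interface=ether4 l2mtu=1594 name=ether4-vlan21 vlan-id=21
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-vlan21 interface=ether4-vlan21
"""


def parse_export(text):
    """Return {section: [{key: value}, ...]} for every 'add' line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines the export wrapped with a backslash
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and (line == "add" or line.startswith("add ")):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments in one token
            sections[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections


def check_bridges(sections):
    """Return (bridge, finding, ports) tuples; finding labels are this sketch's own."""
    vlan_parent = {v["name"]: v["interface"] for v in sections.get("/interface vlan", [])}
    members = {}
    for port in sections.get("/interface bridge port", []):
        members.setdefault(port["bridge"], []).append(port["interface"])
    findings = []
    for bridge in sections.get("/interface bridge", []):
        name = bridge["name"]
        ports = members.get(name, [])
        vlans = [p for p in ports if p in vlan_parent]
        # MAC counts as pinned only when auto-mac is off and an admin-mac is given.
        pinned = bridge.get("auto-mac") == "no" and "admin-mac" in bridge
        if vlans and not pinned:
            findings.append((name, "auto-mac", vlans))
        both = [p for p in vlans if vlan_parent[p] in ports]
        if both:
            findings.append((name, "vlan-and-parent", both))
    return findings


if __name__ == "__main__":
    for bridge, finding, ports in check_bridges(parse_export(SAMPLE_EXPORT)):
        print(f"{bridge}: {finding} {ports}")
```
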
