cwm9
just joined
Topic Author
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Trying to create DHCP server on VLAN

Wed Aug 30, 2023 8:35 am

Hi. I'm trying to get my feet wet in VLANs, and for right now I'm trying to do something I thought would be really simple and it's just not working.

The initial state of my router is pretty simple: a bridge named mainBridge has ether2-ether8 assigned to it. ether1 is WAN, and masquerading is set up in a simple home network configuration. The bridge is set up with default rules, PVID set to 1 on all bridge ports. There are no VLANs.

What I want to do is simple: I want to shave off ether3 into a VLAN and set up a DHCP server on that VLAN. That's it. All I want to do is to be able to plug into that port and do nothing more than get a different IP address from a different pool.

Here's what I tried:
  • Create a Layer 2 VLAN on the bridge with ID 2 and mark ether3 for untagged egress
    /interface bridge vlan add bridge=mainBridge vlan-ids=2 untagged=ether3
  • Create a new Layer 3 VLAN interface on mainBridge with ID 2
    /interface vlan add name=rentalVLAN vlan-id=2 interface=mainBridge
  • Assign the Layer 3 VLAN interface an IP address and network
    /ip address add address=192.168.102.1/24 interface=rentalVLAN
  • Create a new IP pool
    /ip pool add name=rentalHDCPIPPool ranges=192.168.102.100-192.168.102.254
  • Create a new DHCP network
    /ip dhcp-server network add address=192.168.102.0/24 gateway=192.168.102.1 dns-server=192.168.102.1
  • Create a new DHCP server on the VLAN interface
    /ip dhcp-server add name=rentalHDCP interface=rentalVLAN address-pool=rentalHDCPIPPool
  • Drop all packets from one network to the other
    /ip firewall filter add chain=forward src-address=192.168.102.0/24 dst-address=192.168.1.0/24 action=drop
    /ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.102.0/24 action=drop
  • Enable VLAN filtering on mainBridge
    /interface bridge set mainBridge vlan-filtering=yes
  • The moment of truth: set my port to PVID 2
    /interface bridge port set [find interface=ether3] pvid=2
But as soon as I do the last step, I lose all connection to the router, even via MAC address and must move my Ethernet cable to another port to recover.

What have I done wrong?

Thanks.
Last edited by cwm9 on Sun Sep 03, 2023 8:46 pm, edited 3 times in total.
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 9:04 am

If you did the last step while being connected to your router via ether3, then that's expected. Because at that point ether3 becomes member of VLAN 2 while all of your generic stuff (including management access) is configured for VLAN 1.

And a gotcha: the PC doesn't know it moved to another ethernet broadcast domain because its physical connectivity did not break. If you disconnect the network cable for a few seconds and connect it back, then it should receive the IP configuration relevant for VLAN 2. If it doesn't, then please post the actual resulting config to verify that everything is done correctly. Open a terminal window, execute /export hide-sensitive file=anynameyouwish, fetch the resulting file, open it in a text editor, redact any remaining sensitive information (such as serial number, WiFi passwords, public IP address) and copy-paste it here inside a code block ([] icon in the button ribbon when editing a post).
 
cwm9
just joined
Topic Author
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 10:21 am

Thanks. Unfortunately, unplugging and replugging did not get me a new IP. I just get error messages that the DHCP server is unreachable.

Here's my redacted configuration:
# 2023-08-29 21:06:53 by RouterOS 7.11
# software id = Z8XQ-IISM
#
# model = RB5009UPr+S+
# serial number = {redacted}
/interface bridge
add admin-mac={redacted} auto-mac=no comment=defconf name=mainBridge \
    vlan-filtering=yes
/interface vlan
add interface=mainBridge name=VLAN_Interface vlan-id=2
/disk
set usb1 type=hardware
set usb2 type=hardware
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ike2_ipsec_policy_group
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    VPN_Profile_Phase_1
/ip ipsec peer
add exchange-mode=ike2 name=ike2-vpn-peer passive=yes profile=\
    VPN_Profile_Phase_1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=VPN_Proposal_Phase_2 pfs-group=none
/ip pool
add name=main_dhcp_ip_pool ranges=192.168.1.100-192.168.1.254
add name=inbound_vpn_ip_pool ranges=10.0.10.3-10.0.10.254
add name=vlan_dhcp_pool ranges=192.168.102.100-192.168.102.254
/ip dhcp-server
add address-pool=main_dhcp_ip_pool interface=mainBridge lease-time=10m name=\
    defconf
add address-pool=vlan_dhcp_pool interface=VLAN_Interface name=VLAN_HDCP
/ip ipsec mode-config
add address-pool=inbound_vpn_ip_pool address-prefix-length=32 name=\
    ike2-ipsec-configuration split-dns="" split-include=192.168.1.2/32
/user-manager user
add attributes=Framed-IP-Address:10.0.10.2 name={redacted}
/interface bridge port
add bridge=mainBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=2
add bridge=mainBridge comment=defconf interface=ether3
add bridge=mainBridge comment=defconf interface=ether4
add bridge=mainBridge comment=defconf interface=ether5
add bridge=mainBridge comment=defconf interface=ether6
add bridge=mainBridge comment=defconf interface=ether7
add bridge=mainBridge comment=defconf interface=ether8
add bridge=mainBridge comment=defconf interface=sfp-sfpplus1
# Also tried:
# add bridge=mainBridge interface=VLAN_Interface pvid=2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=mainBridge untagged=ether3,ether2 vlan-ids=2
# Alternatively tried:
# add bridge=mainBridge untagged=ether3,ether2,mainBridge vlan-ids=2
/interface list member
add comment=defconf interface=mainBridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=mainBridge network=\
    192.168.1.0
add address=192.168.102.1/24 interface=VLAN_Interface network=192.168.102.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input dst-address=192.168.102.1 in-interface=\
    VLAN_Interface
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=4500,500 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=\
    ether1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=!1301-65535
add action=change-mss chain=forward in-interface=ether1 new-mss=clamp-to-pmtu \
    passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1301-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Google assistant" dst-port=81 \
    in-interface-list=WAN protocol=tcp to-addresses=18.168.1.2 to-ports=80
add action=dst-nat chain=dstnat comment=Plex dst-port=32500 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 to-ports=\
    32400
add action=dst-nat chain=dstnat comment=Calibre dst-port=1234 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 to-ports=1234
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.116 to-ports=\
    25565
/ip ipsec identity
add auth-method=eap-radius certificate=\
    letsencrypt-autogen_2023-08-04T23:24:58Z generate-policy=port-override \
    mode-config=ike2-ipsec-configuration peer=ike2-vpn-peer \
    policy-template-group=ike2_ipsec_policy_group
/ip ipsec policy
add dst-address=10.0.10.0/24 group=ike2_ipsec_policy_group proposal=\
    VPN_Proposal_Phase_2 src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=letsencrypt-autogen_2023-08-04T23:24:58Z
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/radius
add address=127.0.0.1 service=ipsec
/system clock
set time-zone-name={redacted}
/system leds settings
set all-leds-off=after-1min
/system logging
add topics=ipsec,!debug
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user-manager
set certificate=letsencrypt-autogen_2023-08-04T23:24:58Z enabled=yes
/user-manager router
add address=127.0.0.1 name=router
 
erlinden
Forum Guru
Posts: 2585
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 10:30 am

I see that you configure eth2 with pvid, but eth3 not. While both are configured on the /bridge/port/vlan. Think you should at least have this corrected. Besides that, I don't see any reason why it is not working. Anything in the log?
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 12:11 pm

With regard to VLAN ID 2:
  1. don't add VLAN interface (anchored on the bridge) back to bridge, that would create a nasty loop (and is detected as error in most recent ROS versions)
  2. add pvid to ether3 if you want to make that port untagged member of VLAN 2
  3. the show stopper: add mainBridge interface to list of tagged ports:
    /interface/bridge/vlan
    set [ find vlan-ids=2 ] tagged=mainBridge
    
    This interface needs to be tagged member of VLAN 2 as you are creating vlan interface VLAN_Interface anchored to mainBridge interface

Yes, it does sound confusing, but bridge has multiple personalities. You can find out more by going through this great tutorial.

A note: MAC access for management of device (great as backup access using winbox - MAC connectivity) is only allowed via interfaces, members of LAN interface list. The same interface list is used quite extensively in firewall config. However, interface list membership has to be maintained manually. So you may want to add the VLAN_Interface interface to that interface list. After you get your VLAN setup up to speed (and you verify it does work as intended), you will probably want to remove mainBridge interface from that list.
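Added example, not from the thread: the corrected layout for the setup discussed above, consolidating the three points in the post above plus the two slips found further down the thread (no netmask on the VLAN 2 DHCP network, and mainBridge listed as an UNTAGGED instead of a TAGGED member of VLAN 2). Names follow the poster's export (mainBridge, VLAN_Interface, vlan_dhcp_pool); the RENTAL interface list, the server name VLAN_DHCP and the rule comments are assumptions of this example. Type it in from a port that is not on the bridge, or you cut yourself off halfway through.

```routeros
# Added example (not the poster's config): corrected bridge-VLAN + DHCP layout.
# Assumed names: RENTAL (interface list), VLAN_DHCP (server), rule comments.

# 1. The L3 VLAN interface hangs off the bridge itself. It is NOT a bridge port:
#    there must be no "/interface bridge port add interface=VLAN_Interface".
/interface vlan
add name=VLAN_Interface vlan-id=2 interface=mainBridge

# 2. Bridge VLAN table. mainBridge is a TAGGED member of VLAN 2 so frames reach
#    VLAN_Interface with the tag on; ether3 is the untagged access port. VLAN 1
#    stays untagged on mainBridge (its default pvid), so the 192.168.1.0/24
#    config keeps working without a vlan-id=1 interface.
/interface bridge vlan
add bridge=mainBridge vlan-ids=2 tagged=mainBridge untagged=ether3

# 3. Access port: untagged ingress on ether3 lands in VLAN 2, and tagged frames
#    from the tenant side are refused, so a guest cannot hop VLANs by tagging.
/interface bridge port
set [ find interface=ether3 ] pvid=2 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 4. L3 side: address, pool, DHCP network (with netmask), DHCP server bound to
#    the VLAN interface rather than to the bridge.
/ip address
add address=192.168.102.1/24 interface=VLAN_Interface
/ip pool
add name=vlan_dhcp_pool ranges=192.168.102.100-192.168.102.254
/ip dhcp-server network
add address=192.168.102.0/24 gateway=192.168.102.1 dns-server=192.168.102.1 netmask=24
/ip dhcp-server
add name=VLAN_DHCP interface=VLAN_Interface address-pool=vlan_dhcp_pool lease-time=10m

# 5. Interface list membership is not inherited from the bridge. A tenant VLAN
#    goes in its own list, not in LAN: in this export LAN also gates MAC-Winbox,
#    MAC-telnet and neighbor discovery, which a rental segment should not get.
/interface list
add name=RENTAL
/interface list member
add interface=VLAN_Interface list=RENTAL

# 6. Firewall: tenants may ask the router for DHCP and DNS and go out to the
#    Internet; anything else towards the router or the home LAN is dropped.
#    Input rules are placed ahead of the default "drop all not coming from LAN"
#    rule so they are evaluated at all.
/ip firewall filter
add chain=input in-interface-list=RENTAL protocol=udp dst-port=67 action=accept \
    comment="rental: DHCP" place-before=[ find comment="defconf: drop all not coming from LAN" ]
add chain=input in-interface-list=RENTAL protocol=udp dst-port=53 action=accept \
    comment="rental: DNS" place-before=[ find comment="defconf: drop all not coming from LAN" ]
add chain=input in-interface-list=RENTAL action=drop \
    comment="rental: nothing else to the router" place-before=[ find comment="defconf: drop all not coming from LAN" ]
add chain=forward in-interface-list=RENTAL out-interface=mainBridge action=drop \
    comment="rental -> home LAN"
add chain=forward in-interface=mainBridge out-interface-list=RENTAL action=drop \
    comment="home LAN -> rental"

# 7. Only now switch filtering on.
/interface bridge
set mainBridge vlan-filtering=yes

# Checks: mainBridge must show under TAGGED for vlan 2 and ether3 under UNTAGGED;
# ether3 must show pvid=2; leases for the rental port must come from VLAN_DHCP,
# not from defconf (the log line the thread keeps seeing).
/interface bridge vlan print
/interface bridge port print
/ip dhcp-server lease print where server=VLAN_DHCP
/log print where message~"VLAN_DHCP"
```

The one deliberate departure from the advice above is that VLAN_Interface is kept out of LAN. The export's /tool mac-server, /tool mac-server mac-winbox and /ip neighbor discovery-settings all key on LAN, so putting the rental VLAN there hands tenants MAC-Winbox and neighbor discovery; if you do add it to LAN instead, restrict those three settings separately.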
 
anav
Forum Guru
Posts: 21818
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 5:21 pm

Hint, do all your vlan and bridge configuration OFF BRIDGE.
Take an unused port give its own IP address like 192.168.55.1/24 interface=etherX network=192.168.55.0
Then change ipv4 setting on your computer to anything within the subnet 192.168.55.XX and you will have access........

viewtopic.php?t=181718
 
cwm9
just joined
Topic Author
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 5:32 pm

Sorry for the delayed reply, it was my bedtime. 4:29AM here =)

erlinden/mkx:

The reason I have both ether2 and ether3 that way is because during testing I've been moving my ethernet cable back and forth between the two cables. I can set the PVID of ether2 to 2, lose connection, move my cable to ether3, set ether2 back to pvid 1, make some changes, then set ether3 to pvid 2 to test again, then repeat the other direction.

mkx:

Thanks for smacking me on the head, I should have done that first. I checked the log. I'm getting "defconf offering lease 192.168.1.251 for [my mac address]". For whatever reason, my packets are arriving at 192.168.1.0/24 and not 192.168.102.0/24.

mkx:

Thanks. I didn't originally have the port added, but when it didn't work I went ahead and added it, wondering if that might fix it. I've taken it out. Just to be clear, I removed:
/interface bridge port
add bridge=mainBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=2
I have added
/interface/bridge/vlan
set [ find vlan-ids=2 ] tagged=mainBridge
but I am still getting "defconf offering lease 192.168.1.251 for [my mac address]". (It's still seeing Ether2 on the 192.168.1.0/24 subnet instead of 192.168.102.0/24 subnet).
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 6:14 pm

A few things:
  • you don't have dhcp network settings for either IP subnet ... I wonder how any of the DHCP clients can get a usable lease?
  • why this firewall rule?
    add action=drop chain=input dst-address=192.168.102.1 in-interface=VLAN_Interface
  • I already mentioned importance of LAN interface list ... and this firewall rule is one of those places:
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
  • etc.

If you haven't already, you may want to read this nice tutorial about VLANs in ROS (hopefully you do understand basic principles of VLANs).
 
cwm9
just joined
Topic Author
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 6:47 pm

  • you don't have dhcp network settings for either IP subnets ... I wonder how any of DHCP clients can get usable lease?
I thought I did? Did I mess up and these are not the appropriate settings, or perhaps you just missed them?

/ip pool
add name=main_dhcp_ip_pool ranges=192.168.1.100-192.168.1.254
add name=vlan_dhcp_pool ranges=192.168.102.100-192.168.102.254
/ip dhcp-server
add address-pool=main_dhcp_ip_pool interface=mainBridge lease-time=10m name=\
defconf
add address-pool=vlan_dhcp_pool interface=VLAN_Interface name=VLAN_HDCP
  • why this firewall rule?
    add action=drop chain=input dst-address=192.168.102.1 in-interface=VLAN_Interface
I wanted to see if the problem was that ingress traffic was not making it to the VLAN_Interface or if it was because the defconf DHCP server was responding on VLAN_Interface. It seems like the traffic is never making it to VLAN_Interface. I don't know if this is because the traffic is not getting tagged or because tagged traffic is not being directed to VLAN_Interface. After adding this, defconf is still responding to the DHCP request instead of VLAN_HDCP, so AFAIK traffic is never making it to VLAN_Interface. Regardless, it was just a debugging thought. I've removed it.
  • I already mentioned importance of LAN interface list ... and this firewall rule is one of those places:
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
I tried disabling that rule, but nothing changed. I went ahead and added VLAN_Interface to LAN, but that didn't change the behavior either. I'm a bit confused by this: if the VLAN_Interface is on mainBridge, do I still have to add VLAN_Interface to LAN?

Yes, I did find and read that tutorial, but I'm still having problems. =( I'm starting to think there is something more basic that is wrong, because the traffic just doesn't ever make it to VLAN_Interface. In fact, I just now pulled up the Interface List window and noticed that there is 0 data flowing through VLAN_Interface, but I don't know why. When I ping 192.168.102.1, it works, which is bizarre, especially because the traffic still shows as zero even while the pinging is working.
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 7:54 pm

  • you don't have dhcp network settings for either IP subnets ... I wonder how any of DHCP clients can get usable lease?
I thought I did?
It should be under /ip dhcp-server network ...

I'm a bit confused by this: if the VLAN_Interface is on mainBridge, do I still have to add VLAN_Interface to LAN?
When talking about firewall, only interfaces with assigned IP addresses matter ... In your case that's the interface named VLAN_Interface for traffic in VLAN 2 and the interface named mainBridge for traffic in VLAN 1 (default config has pvid=1 all over the place, and if you don't override this with some other settings, then whatever might seem untagged is actually VLAN 1). Interface list membership is not inherited: if you anchor a vlan interface to another (trunk) interface, without explicit configuration it isn't a member of any interface list.

The confusion comes because bridge has multiple personalities (read more about bridge mysteries).

When I ping 192.168.102.1, it works, which is bizzare, especially because the traffic still shows as zero even while the pinging is working.
This doesn't mean anything, router will reply when any of its IP addresses are pinged, ingress interface doesn't matter. However, properly working VLAN setup would end up with DHCP lease for intended VLAN/IP subnet. But incomplete DHCP setup may create confusion about the actual problem.
 
cwm9
just joined
Topic Author
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 10:59 pm

It should be under /ip dhcp-server network ...
Ah, sorry, I do have that entry already. I must have accidentally deleted it when doing redactions.

here it is:

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
192.168.1.1 netmask=24
add address=192.168.102.0/24 dns-server=192.168.102.1 gateway=192.168.102.1
Interface list membership is not inherited, if you anchor vlan interface to another (trunk) interface, without explicit configuration it isn't member of any interface list.
Ah, that's a huge misunderstanding on my part! Thanks!
The confusion comes because bridge has multiple personalities (read more about bridge mysteries).
I did read that; to be honest I'm still trying to wrap my head around it, but if I understand correctly, tagged traffic from the router has to egress to the built-in switch before it can egress to an Ethernet port, and that's why it's required, yes?
Last edited by cwm9 on Wed Aug 30, 2023 11:08 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 11:05 pm

Does the second entry (which is for VLAN 2) have netmask defined? It's not shown in your latest post ...

I must say that it's a RPITA working through this thread ... with you either not providing information or redacting too much (one example is the bridge MAC ... not necessary to redact it since nobody can use it unless they are already connected to your LAN ... this particular example doesn't really matter but does illustrate your will to hide things which you don't know whether they're important or not). I'm slowly losing all good will to help you in this thread.
 
cwm9
just joined
Topic Author
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 11:13 pm

Good catch, it was missing! I think there is a change in behavior, but I'm on my phone and it might take me bit to figure out if this fixes it.

edit: spoke too soon when I originally wrote no change in behavior, it just took a bit for the computer to retry properly.
Last edited by cwm9 on Wed Aug 30, 2023 11:17 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to create DHCP server on VLAN  [SOLVED]

Wed Aug 30, 2023 11:15 pm

I did read that, to be honest I'm still trying to wrap my head around it, but if I understand correctly, tagged traffic from the router has to egress to the built-in switch before it can egress to an Ethernet port, and that's why it's required, yes?
The concept of bridge in ROS has nothing to do with hardware ... it's the same also on devices without switch chips (e.g. CCR1xxx). So you have to try to understand the concept. And layering (e.g. port vs. interface), the two major functions of bridge (interface which allows CPU to interact with connected devices vs. switch-like device which connects ports), the different details of each of these functions, how they interact, what part of bridge config is actually about which detail. Etc.
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 11:17 pm

Good catch, it was missing! But sadly, no change in behavior.

So if you plug your PC to ether2 (or ether3), which is configured with pvid=2, verify what do DHCP settings look like? Are values as they should be? Ideally you should run wireshark on your PC and capture packets belonging to DHCP handshake.
 
cwm9
just joined
Topic Author
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Re: Trying to create DHCP server on VLAN

Wed Aug 30, 2023 11:19 pm

I might have spoken too soon, I think there is a change but I'm out on the town and remoting in by phone so it might take me a bit to figure out whats going on exactly.

edit: behavior changes, but still not what's expected. it got an IP, but was 192.254.64.71?

I can't do more until I get home.

thanks for all your help so far, you helped me understand some critical things already.
 
cwm9
just joined
Topic Author
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Re: Trying to create DHCP server on VLAN

Thu Aug 31, 2023 1:01 am

Unfortunately, I was mistaken. There was no change in behavior. When I released my DHCP hold and tried to renew it I still got "unable to contact your DHCP server. Request has timed out" and defconf (the wrong DHCP server) is still trying to offer leases without success.

Somehow traffic is not getting routed to the VLAN from ether2 properly =(

And yes, if I switch to ether3 with PVID=1, I get an IP from DHCP defconf exactly as expected, on the correct subnet 192.168.1.1/24, no problems, but as soon as I switch it to PVID=2 it fails out and can't reach the DHCP server on VLAN 2; instead the request goes to VLAN 1 and the response is never received because port 2/3 isn't configured to egress VLAN 1 traffic.

On a lark, I tagged ether2 and ether3 for VLAN 1, and yes, I then get the reply from the VLAN 1 DHCP server and am assigned a VLAN 1 IP even though the port is marked PVID 2 for ingress. (?!)

The egress portion appears to work, it's the ingress that's messed up, and I have no idea why.
 
cwm9
just joined
Topic Author
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Re: Trying to create DHCP server on VLAN

Thu Aug 31, 2023 4:05 am

Ah, I figured it out! You're a life saver. Thanks so much for the help.

It was stupid. I thought I added the bridge as tagged to VLAN1 and VLAN2, but when I checked again it was added as UNTAGGED egress!

But one thing still eludes me. I thought that setting the tagging option set egress from the router to the switch, but the behavior seems to imply it also set the egress from the switch to the router! That was surprising. Anyway, it's now working properly.

Thank you so much for you help, I was really going crazy trying to figure this out on my own. You certainly pointed out enough flaws in what I was doing! All those little mistakes added up, but with this exercise I feel like I have a much better understanding of how everything works.

Kudos!
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to create DHCP server on VLAN

Thu Aug 31, 2023 7:06 am

But one thing still eludes me.

I can't comment on this dilemma as you didn't show which change did the trick ... so I can only guess what you mean by your explanation.
 
cwm9
just joined
Topic Author
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Re: Trying to create DHCP server on VLAN

Sun Sep 03, 2023 9:07 pm

Sorry, I mean that when I realized I didn't have mainBridge marked for tagged VLAN2 egress, I initially tried marking mainBridge for both tagged VLAN2 egress _AND_ tagged VLAN1 egress.

That didn't work either, and I'm guessing that by marking mainBridge tagged for VLAN1 egress, the mainBridge switch must be handing the mainBridge interface tagged packets and the mainBridge interface must not be stripping the tags causing the DHCP server not to see them.

I.E., with mainBridge tagged for VLAN1 and ether 4 set for untagged VLAN1 and with PVID 1, this is what I *think* must be going on:

DHCP Server -> (untagged) -> mainBridge interface -> (tagged VLAN1) -> mainBridge switch -> (tagged VLAN1) -> ether4 -> (untagged) -> client

client -> (untagged) -> ether4 -> (tagged VLAN1) -> (mainBridge switch) -> (tagged VLAN1) -> mainBridge interface -> (tagged VLAN1 ?) -> DHCP Server doesn't get the packet


This surprised me because the mainBridge interface is set to PVID 1, so I expected VLAN1 tags to be stripped on ingress, but things were clearly not working this way.
 
mkx
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to create DHCP server on VLAN

Sun Sep 03, 2023 9:18 pm

PVID setting works for ingress (adds tag to untagged frames passing between CPU and bridge via mainBridge port) ... so DHCP server -> mainBridge.
For egress, it's tagged/untagged under bridge/vlan ... so replies from DHCP clients went tagged out of mainBridge port towards CPU. So you'd have to use vlan interface with vlan-id=1 and bind DHCP server (and IP address and everything else) to that vlan interface.
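Added example, not from the thread: the "everything tagged" variant described in the post above, where mainBridge is a TAGGED member of VLAN 1 as well, so VLAN 1 needs its own /interface vlan and the home LAN's address, DHCP server and list membership move off mainBridge onto it. The export's names are reused; the interface name HOME_VLAN and the choice of ether8 as an off-bridge recovery port are assumptions of this example. Type it in over ether8, not over the bridge: the bridge address stops answering partway through.

```routeros
# Added example (not the poster's config): all VLANs tagged on the bridge,
# with a vlan-id=1 interface for the home LAN.
# Assumed: HOME_VLAN (interface name), ether8 as the off-bridge recovery port.

# 0. Recovery port that does not depend on the bridge VLAN table at all
#    (the off-bridge hint earlier in the thread). It joins LAN so MAC-Winbox
#    and the default input chain let it in.
/interface bridge port
remove [ find interface=ether8 ]
/ip address
add address=192.168.55.1/24 interface=ether8 comment="off-bridge management"
/interface list member
add interface=ether8 list=LAN

# 1. pvid on the bridge's own port is an INGRESS default only: untagged frames
#    coming from the CPU are classified into this VLAN. It has no say over
#    whether frames leave the switch side towards the CPU tagged; that is the
#    VLAN table below. Shown at its default value for that reason.
/interface bridge
set mainBridge pvid=1

# 2. One L3 interface per VLAN, both anchored on the bridge.
/interface vlan
add name=HOME_VLAN vlan-id=1 interface=mainBridge
add name=VLAN_Interface vlan-id=2 interface=mainBridge

# 3. VLAN table: the bridge itself is tagged in every VLAN; each access port is
#    untagged in exactly one. ether3 is the rental port, the rest stay home.
#    ether2 was still on pvid=2 in the export, so it is put back on 1 here.
/interface bridge vlan
add bridge=mainBridge vlan-ids=1 tagged=mainBridge \
    untagged=ether2,ether4,ether5,ether6,ether7,sfp-sfpplus1
add bridge=mainBridge vlan-ids=2 tagged=mainBridge untagged=ether3
/interface bridge port
set [ find interface=ether2 ] pvid=1
set [ find interface=ether3 ] pvid=2

# 4. Move the home LAN's L3 config from mainBridge to HOME_VLAN. Once the
#    bridge is tagged in VLAN 1, replies from VLAN 1 clients arrive at the CPU
#    tagged and only HOME_VLAN strips that tag; an address left on mainBridge
#    never sees them (the "DHCP server doesn't get the packet" symptom above).
/ip address
set [ find interface=mainBridge ] interface=HOME_VLAN
/ip dhcp-server
set [ find name=defconf ] interface=HOME_VLAN
/interface list member
set [ find interface=mainBridge ] interface=HOME_VLAN

# 5. Rental VLAN address (its pool, DHCP server and firewall rules are unchanged
#    by this variant and omitted), then enable filtering.
/ip address
add address=192.168.102.1/24 interface=VLAN_Interface
/interface bridge
set mainBridge vlan-filtering=yes

# Checks: mainBridge listed under TAGGED for vlan-ids 1 and 2, defconf leases
# being handed out again, and no address left on mainBridge.
/interface bridge vlan print
/ip dhcp-server lease print where server=defconf
/ip address print where interface=mainBridge
```

The price of this layout is the extra tag/untag step the next post mentions for every home-LAN packet; the benefit is that nothing is bound to the bare bridge any more, so a port's VLAN membership is decided entirely by the VLAN table and a mis-set pvid cannot land a client in the management segment.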
 
cwm9
just joined
Topic Author
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Re: Trying to create DHCP server on VLAN

Mon Sep 04, 2023 3:08 am

Ah, yes, that makes sense. Even though VLAN 1 is default, without setting mainBridge as tagged it appears untagged on mainBridge; if I set mainBridge as tagged for VLAN1 I have to actually create a VLAN1 interface to untag the packet.

Creating a VLAN1 makes extra work for the router since it now has to tag and then immediately untag the packet on the way to the DHCP server, which, for a default LAN probably doesn't make any sense.

Thank you for all the info, I really feel much better informed on this topic now.
