TheBenM
just joined
Topic Author
Posts: 5
Joined: Wed Oct 13, 2021 3:08 am

Voice VLAN / DHCP issues

Wed Oct 13, 2021 4:16 am

Hello

Not a newbie to networking (although it's still a bit of a weak point for me) but definitely a newbie to Mikrotik, and I'm struggling a bit to get a config working on an RB2011 - can anyone advise?

Basically my scenario is - I'm setting up a test environment for a new phone system. I have an RB2011 plugged into an HP 2530 managed switch. I need two VLANs, a default VLAN 1 (192.168.1.0/24) and a voice VLAN 30 (192.168.30.0/24) with the default VLAN traffic untagged and voice VLAN tagged. I also need DHCP on both networks, with phones getting an IP address on VLAN 30 (using option 156) and anything else getting an IP address on the default VLAN. The switch has both VLANs configured on the ports I'm using, and is set to tag VLAN 30 traffic, and has the IP address of the router set as a DHCP helper for that voice VLAN - it's actually using an old config from our production network so I'm fairly sure it should work.

The config in the router that I have now _almost_ works. I can plug a PC into the switch or the router, get an IP on the default VLAN, and I can ping the router on both its IP addresses. However, from the switch I can't ping the router on its VLAN 30 IP address, and if I plug a phone into the switch it gets an IP on the default VLAN, so either DHCP on VLAN 30 isn't working (quite possible) or the lack of comms between switch and router is causing it to fail; I'm not sure. Either way, I'm a little stumped.

Copy of config is below. Can anyone see any glaring errors? Thanks in advance.
# oct/13/2021 12:03:03 by RouterOS 6.48.5
# software id = 1UE5-M0GP
#
# model = RB2011UiAS
# serial number = E7E20E4B75FB
/interface bridge
add admin-mac=2C:C8:1B:74:8D:18 auto-mac=no comment=defconf name=Bridge
/interface vlan
add interface=Bridge name="Default VLAN" vlan-id=1
add interface=Bridge name=Voice vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=156 name="IP Phone Boot Server" value="'configServers=\"update.sky.shor\
    etel.com.au\",cloudDomain=\"sky.shoretel.com.au\",country=8,language=23,laye\
    r2tagging=1,vlanid=30'"
/ip dhcp-server option sets
add name="Voice VLAN options" options="IP Phone Boot Server"
/ip pool
add name=voice_dhcp_pool ranges=192.168.30.50-192.168.30.200
add name=default_dhcp_pool ranges=192.168.1.50-192.168.1.100
/ip dhcp-server
add address-pool=voice_dhcp_pool dhcp-option-set="Voice VLAN options" disabled=\
    no interface=Bridge name="Voice DHCP" relay=192.168.1.250
add address-pool=default_dhcp_pool disabled=no interface=Bridge name=\
    "Default DHCP"
/interface bridge port
add bridge=Bridge comment=defconf interface=ether2
add bridge=Bridge comment=defconf interface=ether3
add bridge=Bridge comment=defconf interface=ether4
add bridge=Bridge comment=defconf interface=ether5
add bridge=Bridge comment=defconf interface=ether6
add bridge=Bridge comment=defconf interface=ether7
add bridge=Bridge comment=defconf interface=ether8
add bridge=Bridge comment=defconf interface=ether9
add bridge=Bridge comment=defconf interface=ether10
add bridge=Bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2,ether3,ether4,ether5 vlan-ids=30
add bridge=Bridge untagged=Bridge vlan-ids=1
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,ether5 switch=switch1 \
    vlan-id=1
add independent-learning=no ports=ether2,ether3,ether4,ether5 switch=switch1 \
    vlan-id=30
/interface list member
add comment=defconf interface=Bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.250/24 interface=Bridge network=192.168.1.0
add address=192.168.30.250/24 interface=Bridge network=192.168.30.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.250 gateway=192.168.1.250 \
    netmask=24
add address=192.168.30.0/24 comment=defconf dns-server=192.168.30.250 gateway=\
    192.168.30.250 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.250 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/system clock
set time-zone-name=Australia/Hobart
/system identity
set name=nmc-mitel
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Voice VLAN / DHCP issues

Wed Oct 13, 2021 5:10 pm

You have a mix of incomplete VLAN-aware bridge setup plus some ethernet switch setup, use one or the other.

Unless you particularly need wire-speed connectivity between ports with the same VLAN ID on a switch chip it is best to use a VLAN-aware bridge, see viewtopic.php?t=143620, viewtopic.php?f=2&t=173692 and https://help.mikrotik.com/docs/display/ ... NFiltering. For hardware switching see https://help.mikrotik.com/docs/display/ ... NFiltering and https://help.mikrotik.com/docs/display/ ... witchchips.
 
TheBenM
just joined
Topic Author
Posts: 5
Joined: Wed Oct 13, 2021 3:08 am

Re: Voice VLAN / DHCP issues

Thu Oct 14, 2021 2:18 am

You have a mix of incomplete VLAN-aware bridge setup plus some ethernet switch setup, use one or the other.

Unless you particularly need wire-speed connectivity between ports with the same VLAN ID on a switch chip it is best to use a VLAN-aware bridge, see viewtopic.php?t=143620, viewtopic.php?f=2&t=173692 and https://help.mikrotik.com/docs/display/ ... NFiltering. For hardware switching see https://help.mikrotik.com/docs/display/ ... NFiltering and https://help.mikrotik.com/docs/display/ ... witchchips.

Thanks - yeah, point taken. I did intend to set it up using a VLAN-aware bridge as that seemed the best option after reading the doco, but then I couldn't get it to work and started tinkering with things!

Thanks for the links. Based on a little skim and your post above I removed all the switch configuration stuff and then started looking at the bridge configuration again - looks as if my mistakes were pretty simple, because it seems like I've managed to get it working now - result!

Simple mistakes, I think:
- I didn't have vlan filtering turned on on the bridge interface in the config above (I had tried turning this on previously with no luck, because of the other misconfigurations)
- I had the IP address of the Voice VLAN assigned to the bridge, instead of to the Voice VLAN
- I had a DHCP server misconfiguration too, I had the Voice DHCP server assigned to the bridge, instead of the voice VLAN

Once I changed those two things and turned VLAN filtering on, everything seems to be communicating across VLANs successfully, phones successfully get an IP address (and the config that comes with it) on VLAN 30, other devices on the default VLAN as expected.

Hopefully this isn't terribly wrong now - here's the working config. If there are major issues with what I've done I'd love to know, but it does seem to work like it should :)

Thanks again.
/interface bridge
add admin-mac=2C:C8:1B:74:8D:18 auto-mac=no comment=defconf name=Bridge \
    vlan-filtering=yes
/interface vlan
add interface=Bridge name="Default VLAN" vlan-id=1
add interface=Bridge name=Voice vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=156 name="IP Phone Boot Server" value="'configServers=\"update.sky.shor\
    etel.com.au\",cloudDomain=\"sky.shoretel.com.au\",country=8,language=23,laye\
    r2tagging=1,vlanid=30'"
/ip dhcp-server option sets
add name="Voice VLAN options" options="IP Phone Boot Server"
/ip pool
add name=voice_dhcp_pool ranges=192.168.30.50-192.168.30.200
add name=default_dhcp_pool ranges=192.168.1.248/31
/ip dhcp-server
add address-pool=voice_dhcp_pool dhcp-option-set="Voice VLAN options" disabled=\
    no interface=Voice name="Voice DHCP"
add address-pool=default_dhcp_pool disabled=no interface=Bridge name=\
    "Default DHCP"
/interface bridge port
add bridge=Bridge comment=defconf interface=ether2
add bridge=Bridge comment=defconf interface=ether3
add bridge=Bridge comment=defconf interface=ether4
add bridge=Bridge comment=defconf interface=ether5
add bridge=Bridge comment=defconf interface=ether6
add bridge=Bridge comment=defconf interface=ether7
add bridge=Bridge comment=defconf interface=ether8
add bridge=Bridge comment=defconf interface=ether9
add bridge=Bridge comment=defconf interface=ether10
add bridge=Bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2,ether3,ether4,ether5 vlan-ids=30
add bridge=Bridge untagged=Bridge,ether2,ether3,ether4,ether5 vlan-ids=1
/interface list member
add comment=defconf interface=Bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.250/24 interface=Bridge network=192.168.1.0
add address=192.168.30.250/24 interface=Voice network=192.168.30.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.250 gateway=192.168.1.250 \
    netmask=24
add address=192.168.30.0/24 comment=defconf dns-server=192.168.30.250 gateway=\
    192.168.30.250 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.250 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/system clock
set time-zone-name=Australia/Hobart
/system identity
set name=nmc-mitel
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Voice VLAN / DHCP issues

Thu Oct 14, 2021 2:49 am

Almost, add interface=Bridge name="Default VLAN" vlan-id=1 is unnecessary as it isn't referenced anywhere. Both bridge ports and the bridge itself have a default pvid=1 which does not appear in the compact form (the default) of /export.

The add bridge=Bridge untagged=Bridge,ether2,ether3,ether4,ether5 vlan-ids=1 is not incorrect, but it is optional as untagged memberships will be added dynamically from the port and bridge pvid=1 settings.

You might want to review the firewall rules, in particular add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN, which prevents anything not in the LAN interface list from accessing the MikroTik itself (not traffic forwarded through it).
 
TheBenM
just joined
Topic Author
Posts: 5
Joined: Wed Oct 13, 2021 3:08 am

Re: Voice VLAN / DHCP issues

Thu Oct 14, 2021 4:07 am

Thanks so much tdw!

Understood on those extraneous lines. I guess I'm used to having to define even the default VLAN and assign it to ports like I do on our managed switches. I might remove those for clarity though - we have other VLANs on our production network but I don't need this router to know about them.

As far as reviewing that firewall rule goes; that is what we want, isn't it? We don't want people being able to access the router from the WAN interface (I do sometimes set up remote management of routers, but wasn't intending to do so with this one). Unless I've misunderstood you? I typically don't lock down access from the LAN side other than with a strong password. Perhaps I should.
 
mkx
Forum Guru
Posts: 11592
Joined: Thu Mar 03, 2016 10:23 pm

Re: Voice VLAN / DHCP issues

Thu Oct 14, 2021 8:29 am

As far as reviewing that firewall rule; that is what we want isn't it? We don't want people being able to access the router from the WAN interface ...


WAN interface and !LAN interface is not the same in your case ... you've got interface Voice which is neither WAN nor LAN. And DHCP server for voice VLAN says phones should be using router as their DNS server, which means you should be allowing DNS requests from that VLAN interface. Perhaps something along the lines of /ip firewall filter rules (RouterOS needs protocol= on a rule that matches dst-port=, so UDP and TCP are separate rules)
add chain=input action=accept comment="allow DNS requests (UDP) from everywhere except WAN" protocol=udp dst-port=53 in-interface-list=!WAN
add chain=input action=accept comment="allow DNS requests (TCP) from everywhere except WAN" protocol=tcp dst-port=53 in-interface-list=!WAN
placed just above the ultimate "chain=input action=drop in-interface-list=!LAN" ...
 
TheBenM
just joined
Topic Author
Posts: 5
Joined: Wed Oct 13, 2021 3:08 am

Re: Voice VLAN / DHCP issues

Thu Oct 14, 2021 12:03 pm

As far as reviewing that firewall rule; that is what we want isn't it? We don't want people being able to access the router from the WAN interface ...
WAN interface and !LAN interface is not the same in your case ... you've got interface Voice which is neither WAN nor LAN. And DHCP server for voice VLAN says phones should be using router as their DNS server, which means you should be allowing DNS requests from that VLAN interface. Perhaps something along the lines of /ip firewall filter rule

Ahhh, I gotcha, thanks. I was thinking of management access; I couldn't see any other reason why one would need to access the router's IP. DNS didn't even occur to me; on our production network (as mentioned, this is just a test environment right now) DNS, and DHCP for that matter, are handled by Windows DCs. But as this is physically segregated from our production network, I needed the router to do those jobs for now, and DHCP will get switched off when I move the router onto the main network.

Also, I assumed that since the Voice VLAN was a sub-interface of the bridge, and the bridge is the LAN, and DNS was working from the default VLAN, it should also work from the Voice VLAN. I hadn't actually tested. And you know what they say about assumptions.....

Anyway, enough blathering - just thanks. I'll add that rule - I'm planning on doing some testing tomorrow and connecting the phones up to the cloud management so they certainly need DNS and if it doesn't work I'll soon find out!
 
mkx
Forum Guru
Posts: 11592
Joined: Thu Mar 03, 2016 10:23 pm

Re: Voice VLAN / DHCP issues

Thu Oct 14, 2021 3:52 pm

Also, I assumed that since the Voice VLAN was a sub interface of the bridge, and the bridge is the LAN

No, firewall interface lists are about interfaces which bear IP setup (i.e. an IP address). They don't care about the physical layout; it's purely about the "logical" interface. And in your case it's the Voice interface, and it doesn't matter what kind of interface that is or where it might be "anchored". The current implementation of ROS doesn't contain any magic, only pure diligence :wink:
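
The checks from this thread gathered into one script, as an added example that is not from the thread or from MikroTik: it parses a RouterOS /export (the backslash-wrapped lines, quoted values and section headers as RouterOS 6.x prints them) and reports what tdw and mkx flagged above: a bridge VLAN table mixed with a switch-chip VLAN table, a bridge with VLAN entries but vlan-filtering off, a VLAN interface with no IP address or DHCP server bound to it (its subnet left on the bridge, or simply unused, like "Default VLAN"), a DHCP server bound to an interface that has no subnet containing its pool, and an IP-bearing interface outside the list the input-chain drop rule trusts, together with whichever earlier accept rules cover it. The joining rule for wrapped lines and the check logic are my assumptions; the embedded export is an excerpt of the working config posted earlier in the thread.

```python
"""Lint a RouterOS /export for the mistakes discussed in this thread. Added example,
not MikroTik code: the parsing rule and the checks themselves are my assumptions."""
import ipaddress
import re
from collections import defaultdict

KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Return {section: [entry, ...]}, an entry being the key=value dict of one
    add/set line. A trailing '\\' continues a line; /export indents the next
    line with spaces that are not part of the value, so they are dropped."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip() if buf else raw.rstrip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        logical.append(line)
    sections, section = defaultdict(list), None
    for line in logical:
        if line.startswith("/"):
            section = line.strip()
        elif section and line.startswith(("add ", "set ")):
            sections[section].append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return sections


def list_matches(spec, iface, lists):
    """in-interface-list matcher ('LAN' or '!LAN') against one logical interface.
    Membership is per interface: a VLAN child of a bridge in LAN is not in LAN."""
    return bool(spec) and (iface not in lists[spec[1:]] if spec.startswith("!") else iface in lists[spec])


def lint(cfg):
    """Return (code, subject, message) findings for a parsed export."""
    out, addrs, dhcp = [], cfg["/ip address"], cfg["/ip dhcp-server"]
    bvl, svl = cfg["/interface bridge vlan"], cfg["/interface ethernet switch vlan"]
    if bvl and svl:  # tdw: the two VLAN tables are alternatives, not complements
        out.append(("mixed-vlan", svl[0].get("switch", "?"), "bridge VLAN table and switch-chip VLAN table both set; use one"))
    for b in cfg["/interface bridge"]:  # VLAN table entries do nothing until filtering is on
        if any(v.get("bridge") == b["name"] for v in bvl) and b.get("vlan-filtering") != "yes":
            out.append(("no-vlan-filtering", b["name"], "has VLAN table entries but vlan-filtering is not yes"))
    used = {a["interface"] for a in addrs} | {d["interface"] for d in dhcp}
    for v in cfg["/interface vlan"]:  # a VLAN interface nothing is bound to
        if v["name"] not in used:
            out.append(("unused-vlan", v["name"], f"vlan-id {v['vlan-id']}: no IP address or DHCP server "
                        f"bound; either unneeded or its subnet was put on {v['interface']} instead"))
    pools = {p["name"]: p["ranges"] for p in cfg["/ip pool"]}
    for d in dhcp:  # the pool must lie in a subnet of the interface the server is bound to
        first = ipaddress.ip_address(re.split(r"[-/]", pools[d["address-pool"]])[0])
        nets = [ipaddress.ip_interface(a["address"]).network for a in addrs if a["interface"] == d["interface"]]
        if not any(first in n for n in nets):
            out.append(("pool-off-interface", d["name"], f"pool starts at {first} but {d['interface']} has no subnet containing it"))
    lists = defaultdict(set)
    for m in cfg["/interface list member"]:
        lists[m["list"]].add(m["interface"])
    inp = [r for r in cfg["/ip firewall filter"] if r.get("chain") == "input"]
    for i, r in enumerate(inp):  # mkx: an IP-bearing interface outside the list the drop rule trusts
        spec = r.get("in-interface-list", "")
        if r.get("action") != "drop" or not spec.startswith("!"):
            continue
        for iface in sorted({a["interface"] for a in addrs} - lists[spec[1:]]):
            earlier = [a.get("comment", "") for a in inp[:i]
                       if a.get("action") == "accept" and list_matches(a.get("in-interface-list"), iface, lists)]
            out.append(("not-in-list", iface, f"carries an IP but is not in {spec[1:]}: traffic to the router itself "
                        f"(DNS, for one) is dropped unless an earlier accept covers it; covering accepts: {earlier or 'none'}"))
    return out


# Excerpt of the working export posted in this thread; sections the checks do not read are omitted.
THREAD_EXPORT = r"""
/interface bridge
add admin-mac=2C:C8:1B:74:8D:18 auto-mac=no comment=defconf name=Bridge \
    vlan-filtering=yes
/interface vlan
add interface=Bridge name="Default VLAN" vlan-id=1
add interface=Bridge name=Voice vlan-id=30
/ip pool
add name=voice_dhcp_pool ranges=192.168.30.50-192.168.30.200
/ip dhcp-server
add address-pool=voice_dhcp_pool dhcp-option-set="Voice VLAN options" disabled=\
    no interface=Voice name="Voice DHCP"
/interface bridge vlan
add bridge=Bridge tagged=Bridge,ether2,ether3,ether4,ether5 vlan-ids=30
/interface list member
add comment=defconf interface=Bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.250/24 interface=Bridge network=192.168.1.0
add address=192.168.30.250/24 interface=Voice network=192.168.30.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
"""

if __name__ == "__main__":
    for code, subject, msg in lint(parse_export(THREAD_EXPORT)):
        print(code, subject, msg)
```

Run against the excerpt it reports the two things a reader of this thread would expect: "Default VLAN" has nothing bound to it, and Voice carries an IP but sits outside LAN with no accept rule covering it. mkx's DNS accept placed above the drop changes the second finding to "covering accepts: ['allow DNS ...']". The other way to silence it, /interface list member add interface=Voice list=LAN, lets every service on the router be reached from the phone VLAN, so the per-service accept is the tighter choice.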
 
TheBenM
just joined
Topic Author
Posts: 5
Joined: Wed Oct 13, 2021 3:08 am

Re: Voice VLAN / DHCP issues

Fri Oct 15, 2021 12:36 am

Also, I assumed that since the Voice VLAN was a sub interface of the bridge, and the bridge is the LAN
No, firewall interface lists are about interfaces which bear IP setup (i.e. an IP address). They don't care about the physical layout; it's purely about the "logical" interface. And in your case it's the Voice interface, and it doesn't matter what kind of interface that is or where it might be "anchored". The current implementation of ROS doesn't contain any magic, only pure diligence :wink:

Thank you - that makes perfect sense.

I'm a jack of all trades IT guy... networking has never been my strong suit, I only know just enough to get by. Tinkered with Cisco, Procurve/Aruba, Ubiquiti/Unifi and various other things over the years but this is my first foray into Mikrotik. Seems super powerful, but just not very intuitive!
