DHCP problem on AP in VLAN tutorial

shettie · Sat Jul 23, 2022 5:11 pm

Hello guys,

I really need some help implementing a very basic VLAN setup with my Mikrotik hardware, just to have a starting point for own customizations.

My problem: Clients, connected via access point don't get any IP address from the DHCP server on the router.

Target:

Switch with a separate router (RoaS)
Access Point(s) connected to the router and/or switch
Using VLANs to seperate groups of devices (Base/Mgmt, Internal, IoT, Guest)

Hardware for testing:

RB750GL (router), Current Firmware 6.49.6
RBmAP2nd (access point), Current Firmware 6.49.6

That's quite old hardware which should be replaced, when I have a working example.

As a base and starting point, I use @pcunites tutorial for VLANs (see viewtopic.php?t=143620), which @anav often named the 'goldstandard'. And by the way, it's quite nice documented. Makes sense for me.

basic_vlan_scenario.png

So in my config you'll see, I kept almost everything and just made some adaptions due to my hardware setup and added an access ports in order to deny being locked out.

Progress on Router:
- `ether1` is WAN (connected to separate Internet Router, not important now)
- `ether2` is trunk (connected to AP)
- `ether3` is trunk
- `ether4` is trunk
- `ether5` access port for VLAN_BLUE
- When I connect my notebook to `ether5`, it receives a DHCP Address like 10.0.10.254. That's good
- In Winbox I can ping AP (192.168.0.3) via interface BASE

Router Setup Script (used after config reset)

router_default.rsc

Progress on AP:
- `ether1` is trunk (connected to router)
- `ether2` is access port for VLAN_BLUE
- When I connect my notebook to `ether2`, it **does not** receive a DHCP Address
- When I connect to wlan1 (blue), I can connect, but it also **does not** receive a DHCP Address
- In Winbox I can ping router (192.168.0.1) via interface BASE

AP Setup Script (used after config reset)

AccessPoint_default.rsc

Now, I read for days in this and other forums without any progress -- I'm going crazy very soon. And I am wondering whether it's me or the hardware which causes the issues. I read old hardware might not be able use `bridge vlan filtering`...but I don't know if this is the case for me. Yeah, most probably it is my fault, although 99% of it the scripts is just copied from the tutorial.

Can you please have a look and give me a hint? I don't know how to debug this.
The AP's Log shows when a client connects, everything seems fine, but it doesn't get IPs from the DHCP server when I connect to the AP. In fact, using the current script also the MAC access to the AP is blocked. I don't know why, but I know how to reset the config.

The Router's Log says...nothing.

bpwl · Sat Jul 23, 2022 9:21 pm

Where is "interface BASE???

It looks like the connection between RB750GL and RBmap2nd is broken.

Torch or sniff those ethernet interfaces.

With a broken ethernet connection between RB750GL and RBmap2nd
- Wifi connection (registration) to RBmap2nd is no problem.
- no DHCP will be received.
- no communication will be possible from a RBmap2nd wifi to the RB750GL or internet. (Test with static IP addresses on client).
Where is Winbox connected? Where is Interface BASE ???? Does this connection have to use the RB750GL-RBmap2nd link?

anav · Sun Jul 24, 2022 5:01 am

Put in the complete export config (for both) not the presentation which has nothing to do with troubleshooting and I will have a look.
Just be sure to hide any real Public IPs........

bpwl · Sun Jul 24, 2022 12:02 pm

It's all in there @anav

AFAIK . *.RSC files for both, and troubleshooting steps done so far.

"In Winbox: ping 192.168.0.x via Interface BASE ... working". PING from where, and what is the path? Winbox itself has no PING AFAIK.

anav · Sun Jul 24, 2022 4:48 pm

Sorry bpwl, I have my standards, I can quickly read and understand a normal config outlay.
Also ensures nothing missing and easily detectable......
It hurts my head to look at it in a non standard way.
Fill your boots then, Im outta here.

shettie · Sun Jul 24, 2022 5:49 pm

I'm greatful for your response

By now, I am one step ahead. Maybe not towards the solution, but discovering the problem.

@bpwl

It looks like the connection between RB750GL and RBmap2nd is broken.

Ha, right. From my given information that could be a reason for my problem. But both devices are located next to each other and the cable seems alright.

With Interface Base I mean the BASE_VLAN, which I selected in the Ping-Tool as Interface in Winbox. So both devices are able to communicate with each other.

This way I was able to ping
- the access point (192.168.0.3) from the router, and
- the router (192.168.0.1) from the access point (see screenshots)

winbox_ping_router-to-ap.png

winbox_ping_ap-to-router.png

Regarding my step ahead discovering the problem:
I changed the PVID of the Acces Ports (ether2 and wlan1) on the AP from VLAN_BLUE (PVID 10) to VLAN_BASE (PVID 99), which is the management VLAN suggested by @pcunite.
Having this, I recognized that clients connect by either ether2 and/or wlan1 (by BLUE_SSID, I didn't change the name to BASE_SSID for the test) receive IPs from the BASE_DHCP.

So, there are somehow problems with BLUE_VLAN, RED_VLAN and GREEN_VLAN. But I don't get the reason. If you have more questions, I'll try to answer them.

@anav thanks for having a look to my configs. I'm adding the exports.

Router Export:

router_export.rsc

Access Point Export:
- Working for PVID 99 (VLAN_BASE) on ether2 and wlan1
- Not working for the other PVIDs

ap_export_working.rsc

I hope my descriptions are clear enough to understand

Sun Jul 24, 2022 6:53 pm

my suggestion is to use bridge host table in router and access-point to see if the mac-address, vlan, and interface relationship is correct

there you will see where your setup is working wrong and focus your efforts to resolve

pd. i take a quick view on your initial configs and failed to spot the problem

anav · Sun Jul 24, 2022 7:18 pm

(1) Typically BASE vlan (which all managed devices should have their IP address from ( aka any devices down the line from the router that are managed - smart switches, smart APs etc.)
/ip neighbor discovery-settings
set discover-interface-list=BASE

(2) To make clear and simplify.
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 untagged=ether5 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 vlan-ids=20,30,99

(3) Firewall rules need work......

/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN etc.)" dst-address=127.0.0.1
add chain=accept chain=input  in-interface-list=BASE protocol=tcp dst-ports=xxxx,yyyy {winbox port & SSH port if required etc..)
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ {and NTP *** services if required etc}
dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop

(4) Add
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

++++++++++++++++++++++++++++++++++++++++++++++++++++++
Access point....... This is where your problems will really be solved.........

A. You have ether2 blue vlan with pvid of 99, blue vlan is vlan10 BLUE, not BASE.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=10 not=99

B. Same for WLAN1, you have it set to pvid of 99, and yet on the diagram its blue vlan 10!!!!
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1 pvid=10 not =99

Fixed with all other minor points done in the fix..........
....................

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto mode=ap-bridge \
    ssid=BLUE_SSID
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/interface list
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa2-pre-shared-key=password
add authentication-types=wpa2-psk mode=dynamic-keys name=GREEN_PROFILE \
    supplicant-identity=MikroTik wpa2-pre-shared-key=password
add authentication-types=wpa2-psk mode=dynamic-keys name=RED_PROFILE \
    supplicant-identity=MikroTik wpa2-pre-shared-key=password
/interface wireless
add disabled=no mac-address=76:4D:28:03:E6:9F master-interface=wlan1 name=\
    wlan2 security-profile=GREEN_PROFILE ssid=GREEN_SSID
add disabled=no mac-address=76:4D:28:03:E6:A0 master-interface=wlan1 name=\
    wlan3 security-profile=RED_PROFILE ssid=RED_SSID
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan3 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
add bridge=BR1 taggged=BR1  untagged=ether2,WLAN1  vlan-ids=10
add bridge=BR1 tagged=BR1  untagged=WLAN2 vlan-ids=20
add bridge=BR1 tagged=BR1  untagged=WLAN3  vlan-ids=30
/interface list member
add interface=BASE_VLAN list=BASE
/ip dns
set allow-remote-requests=yes servers=192.168.0.1 comment="dns through trusted subnet gateway"
/ip address
add address=192.168.0.3/24 interface=BASE_VLAN network=192.168.0.0
/ip route
add distance=1 gateway=192.168.0.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/system identity
set name=AccessPoint

bpwl · Sun Jul 24, 2022 9:39 pm

Fully agree with @anav that the real untouched simultaneous taken export is a better starting point, than the applied config RSC files.

Because what got executed? Was there some error while applying? What else is defined in the config?
Some other things can be very important , like FW settings, bridge STP actions, etc etc.
And while troubleshooting, some things are easily changed in one place, forgetting to adapt all the rest of the setup.

Still cannot lay the finger on the cause of the missing DHCP lease. Next Step there normally is to give your client a static IP address in VLAN10 range, and ping the DHCP server and defined Gateway, using a VLAN10 IP address for the router. (Avoiding possible (forbidden) interVLAN routing for now).

The PING test from AP to Router over VLAN 99 is a bid off topic, as the AP has a VLAN interface for VLAN99 (and an IP address), but not for VLAN10. (AP Doesn't have to, as AP is not part in the VLAN10 communication. But as such the AP cannot do tests in VLAN10.)
The PING test proves indeed that ether-link must be OK.

shettie · Mon Jul 25, 2022 11:55 pm

Thanks again for your advices. Unfortunately, I don't make any progress and getting frustrated.

@anav: I'm happy that you had a look to the config. I think your comments are very useful, especially when my setup is basically running (regarding (1), (2), (3), and (4)). Your comment regarding the Access Point: Yes, you are absolutely right, PVID 10 and 99 are exchanged. But as I said, I changed the PVID of the BLUE_SSID from 10 to 99 for debugging purposes. I wanted to show you, that my clients can connect to the VLAN_BASE, but to no other VLANs. So, that did not resolve my problem here.

To simplify things one more time, now I almost use the bare examples from @pcunite.

I only skipped not existing ports, because my router is smaller. That means, no access ports on the router (only trunk)
I changed wlan1 of the Access Point to use PVID 99 (BASE_VLAN), which enables me to connect to one of the SSIDs and use Winbox on the devices. Just for testing.
No WAN connected

Anything else is exactly the tutorial. However, it is the same behaviour

To summarize my problem:

If I assign access ports on the router, my clients are able to connect to the ports, and gain the right DHCP addresses.
If I assign PVID 99 (which is BASE_VLAN) to a physical or wlan access port on the Access Point, then the clients connecting to that port will receive a DHCP address (from 192.168.0.0/24).
If I assign any other PVID beside BASE_VLAN (so GREEN, RED, BLUE) to an access port on the Access Point. My clients are totally ignored, and won't gain a DHCP address.

@bpwl

Still cannot lay the finger on the cause of the missing DHCP lease. Next Step there normally is to give your client a static IP address in VLAN10 range, and ping the DHCP server and defined Gateway, using a VLAN10 IP address for the router. (Avoiding possible (forbidden) interVLAN routing for now).

Right, I forgot about that. Assume, I connect to GREEN_VLAN, via GREEN_SSID. I should get an IP address from 10.0.20.0/24, which does not work (I would get something like 169.254.65.x). Even using the static address 10.0.20.5, I am not able to ping the gateway which would be 10.0.20.1.

@chechito

my suggestion is to use bridge host table in router and access-point to see if the mac-address, vlan, and interface relationship is correct

there you will see where your setup is working wrong and focus your efforts to resolve

That's a nice hint, I fount this https://help.mikrotik.com/docs/display/ ... ehosttable. To use the tool, I connected my notebook to the BASE_VLAN (which I used via wlan1). I opened a Winbox session to the router and the access point.

When I try to connect with my smartphone to GREEN_SSID (which is wlan2), I see its MAC Address on the Access Point
But I won't see it on the router.

View on the access point

[admin@AccessPoint] > /interface bridge host print where !local
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external 
 #       MAC-ADDRESS        VID ON-INTERFACE                                  BRIDGE                       AGE                 
 0   D   xx:xx:xx:xx:D5:E8     20 wlan2                                       BR1                          1s       <<<----- Smartphone
 1   D   yy:yy:yy:yy:A9:D4     99 wlan1                                       BR1                          14s      <<<----- Notebook
 2   D   zz:zz:zz:zz:FA:D7     99 ether1                                      BR1                          14s      <<<----- Router

View on the router

[admin@Router] > /interface bridge host print where !local
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external 
 #       MAC-ADDRESS        VID ON-INTERFACE                              BRIDGE                             AGE                 
 0   D   ww:ww:ww:ww:E6:9C   99 ether3                                    BR1                                38s       <<<---- Access Point
 1   D   yy:yy:yy:yy:A9:D4   99 ether3                                    BR1                                1s        <<<---- Notebook

I even deactivated the firewall rules for testing purposes, having no effect. So, I can only conclude to this:

@pcunites tutorial has been reviewed >100 times. There should not be a mistake, which causes my problem
Since 2019, there could have been a change to the RouterOS behaviour, which requires a specific command, that is not yet in the tutorial. But that sounds also unlikely to me.
There is still an error in my config somehow, but I wouldn't understand where and why.
Maybe my hardware is too old...Could this be the reason? But why whould PVID99 work then. Makes no sense to me.

I can attach my latest, reduced export, one more time.

bpwl · Tue Jul 26, 2022 1:21 am

Looks like only VLAN=99 is allowed on the AP.

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99

Would expect

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
add bridge=BR1 tagged=ether1 vlan-ids=10
add bridge=BR1 tagged=ether1 vlan-ids=20
add bridge=BR1 tagged=ether1 vlan-ids=30

The untagged are added automatically based on PVID
3 last lines can be combined, "add bridge=BR1 tagged=ether1 vlan-ids=10,20,30" just as @anav told you for the router

Also missing ... if GREEN is used on ether2 as access (just as WLAN2)

/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=20

anav · Tue Jul 26, 2022 2:45 am

I always include the untagged ports in the /interface bridge vlan as it becomes clearer especially when there is an error in thinking and the bridge ports and bridge vlans dont match!!
Think of it as cross-checking the config. Its critical for new users and I still prefer it that way. Will take a look at the configs shortly

In conclusion, follow the setup I gave you, it works.
Whatever you are doing does not.
Since your latest config is useless as you did not include missing firewall rules and the ones you do have are all disabled I dont see the point of further assistance until you make a real effort.
Finally your funny or clever hacking of your own config to demonstrate what amounts to squat, is a waste of time.

Get to a proper config and it will work.

bpwl · Tue Jul 26, 2022 10:56 am

@anav: I don't like those automagically additions of the untagged ports. But the wiki keeps repeating this functionality, and it really happens.
At least the automagic additions are visible in ROS.

How they implement the HW-offloading,? Didn't find it. The switch chip manufacturer documentation explains how this can be done. But it is not visible in ROS, AFAIK.

This VLAN problem, and lengthy debugging is quite human. Once you are convinced something has no impact at all, you could delete it , tell nobody, and keep looking for a cause, nobody finds.
Deleting the VLAN 10,20,30 on the AP bridge, probably based on some comment about no need to tag the bridge for them, after applying and sharing the modified PCUNITE RSC setup, creates a hidden root cause.

Old enough in IT, to have a case where every-one in the team was convinced a specific change would not impact the network, and see the production plant go down.

shettie · Tue Jul 26, 2022 12:34 pm

@anav:

I always include the untagged ports in the /interface bridge vlan as it becomes clearer especially when there is an error in thinking and the bridge ports and bridge vlans dont match!!
Think of it as cross-checking the config. Its critical for new users and I still prefer it that way. Will take a look at the configs shortly

Nothing wrong with that approach, I understand. For the first step, I just wanted to stay as close as possible to the tutorial, for me, that made things easier/clearer. Sorry.

In conclusion, follow the setup I gave you, it works.
Whatever you are doing does not.
Since your latest config is useless as you did not include missing firewall rules and the ones you do have are all disabled I dont see the point of further assistance until you make a real effort.
Finally your funny or clever hacking of your own config to demonstrate what amounts to squat, is a waste of time.

Get to a proper config and it will work.

Well, I knew there is something wrong, that's why I am happy, to get your assistance. Anyway, it's not that I simply ignored your configs. I tried the steps on the router, and they did not work. And deactivating the firewall rules were just a debugging step, cause I thought a firewall rule can cause more problems in the first place. Maybe your AP config already solved everything, but not when I tried to integrate it in my config

@bpwl:

Looks like only VLAN=99 is allowed on the AP.
Code: Select all
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
Would expect
Code: Select all
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
add bridge=BR1 tagged=ether1 vlan-ids=10
add bridge=BR1 tagged=ether1 vlan-ids=20
add bridge=BR1 tagged=ether1 vlan-ids=30
The untagged are added automatically based on PVID

Uh, bingo -- that's mindblowing

After adding your lines to the Access Point, everything works as expected. With and without all the firewall rules on the router.

However, I don't understand, why the VLANs have not been set. They should have been there, as they are in @pcunite's tutorial setup script. But they are different there. He is using `set` instead of `add`:

# Snippet from the AP tutorial

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=ether1 [find vlan-ids=10]
set bridge=BR1 tagged=ether1 [find vlan-ids=20]
set bridge=BR1 tagged=ether1 [find vlan-ids=30]
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99

I did a fresh setup and executed these lines again. They did not make any changes to the system, at least not in the logs, but they also did not cause errors. Do you know, why the tutorial uses `set` together with `[find vlan-ids=10]`?

However, I'm feeling so relieved. Having a working basic setup is absolutely great.
And yes, back to your first replies, it makes a lot of sense to use the export instead of the config script

I'm going to explore the setup and whether everything is really working in the evening. Thanks so far for helping me out here

Tue Jul 26, 2022 12:45 pm

@shettie
FWIW when I was first toying with VLAN setup on Hex and AC3, the examples from that tutorial did not work for me either.
Even a simple copy/paste gave me errors.

I was able to get everything working using those examples as guideline, though.
Difference ROS6 / ROS7 ? I don't know for sure and really did not spend enough time to search in depth where the problems came from.

DHCP problem on AP in VLAN tutorial [SOLVED]

DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial [SOLVED]

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Re: DHCP problem on AP in VLAN tutorial

Who is online