cevers
just joined
Topic Author
Posts: 2
Joined: Thu Jun 09, 2022 10:48 am

VLAN DHCP Server invalid with new setup

Sat Aug 27, 2022 3:25 pm

I'm trying to set up a RouterBoard so that one of the ports is a trunk port for two VLANs. Following different tutorials, I always end up with invalid DHCP servers for the VLANs.
The router in question:
RB3011UiAS-RM, RouterOS version 7.4.1

So far I have set up:
- Eth1 is a DHCP client and is connected to my other router, so it has internet
- Eth2 is in a bridge and has a DHCP server; that port works fine and I'm using it to set up the router via WinBox
- Eth3 is the VLAN trunk port (for VLAN 10 and 20). It's those VLANs which have an invalid DHCP server.

I will connect an SFP switch (also MikroTik) to eth3 to divide the network.
My config:
# aug/27/2022 14:22:45 by RouterOS 7.4.1
# software id = S9S1-TLZQ
#
# model = RB3011UiAS
# serial number = 
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-mangement
set [ find default-name=ether3 ] name=ether3-vlan
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=ether3-vlan name=vlan10 vlan-id=10
add interface=ether3-vlan name=vlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=DISCOVER
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_vlan10 ranges=10.0.10.20-10.0.10.200
add name=dhcp_pool_vlan20 ranges=10.0.20.20-10.0.20.200
add name=dhcp_pool_lan ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool_vlan10 interface=vlan10 lease-time=30m name=\
    dhcpvlan10
add address-pool=dhcp_pool_vlan20 interface=vlan20 lease-time=30m name=\
    dhcpvlan20
add address-pool=dhcp_pool_lan interface=bridge lease-time=30m name=dhcplan
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge interface=ether3-vlan trusted=yes
add bridge=bridge interface=ether2-mangement
/ip neighbor discovery-settings
set discover-interface-list=DISCOVER
/interface list member
add interface=ether1-wan list=WAN
add interface=ether2-mangement list=LAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=bridge list=DISCOVER
/ip address
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0
add address=10.0.0.1/24 interface=bridge network=10.0.0.0
/ip dhcp-client
add interface=ether1-wan
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.0.0.1
add address=10.0.10.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.0.20.1
/ip firewall address-list
add address=10.0.0.0/24 list=Management
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="drop vlan to vlan" in-interface=\
    all-vlan out-interface=all-vlan
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Amsterdam

Any pointers on what I frelled up?
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN DHCP Server invalid with new setup

Sat Aug 27, 2022 3:56 pm

You can't use an ether port as a bridge port and as an interface (VLAN interfaces) at the same time.

I suggest you go through this thread; it describes nicely how VLANs should be done in ROS.
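The "how VLANs should be done in ROS" approach mkx points at, written out as an added example (not from the thread and not MikroTik's own documentation): ether3 stays a plain bridge port, the bridge does the tagging via its VLAN table, and the vlan10/vlan20 interfaces hang off the bridge instead of off ether3, which removes the bridge-port/VLAN-parent conflict that makes the DHCP servers invalid. Interface names, pools and addressing are reused from the original post; everything else (untagged management on VLAN 1 via ether2, the order of operations, the check commands) is this example's assumption. RouterOS 7 syntax.

```routeros
# Added example, not the original poster's config.
# Do this from a console in /system safe mode: enabling vlan-filtering with a
# wrong VLAN table locks you out of WinBox on the management port.

/interface bridge
add name=bridge vlan-filtering=no

# ether2 stays an untagged management port (pvid 1 is the default, VLAN 1 is
# added to the table dynamically). ether3 is the trunk towards the switch.
/interface bridge port
add bridge=bridge interface=ether2-mangement pvid=1
add bridge=bridge interface=ether3-vlan

# The bridge itself must be a tagged member of each VLAN, otherwise the
# router's own vlan10/vlan20 interfaces never receive the frames and the DHCP
# server never sees a DISCOVER.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3-vlan vlan-ids=10
add bridge=bridge tagged=bridge,ether3-vlan vlan-ids=20

# VLAN interfaces on the bridge, not on ether3.
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20

/ip address
add address=10.0.0.1/24 interface=bridge
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20

/ip pool
add name=dhcp_pool_vlan10 ranges=10.0.10.20-10.0.10.200
add name=dhcp_pool_vlan20 ranges=10.0.20.20-10.0.20.200

/ip dhcp-server
add address-pool=dhcp_pool_vlan10 interface=vlan10 lease-time=30m name=dhcpvlan10
add address-pool=dhcp_pool_vlan20 interface=vlan20 lease-time=30m name=dhcpvlan20
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=8.8.8.8,1.1.1.1
add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=8.8.8.8,1.1.1.1

# Keep the VLANs in the LAN list so the input/forward rules treat them as LAN.
/interface list member
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN

# Only now turn filtering on; the table above is complete at this point.
/interface bridge set bridge vlan-filtering=yes

# Checks: no "I" (invalid) flag in front of the two DHCP servers, and each
# VLAN listed with the bridge among its tagged members.
/ip dhcp-server print
/interface bridge vlan print
```

Two caveats from the original config: `trusted=yes` on a bridge port is a DHCP-snooping setting and only means anything once `dhcp-snooping=yes` is set on the bridge, so it neither helps nor hurts the VLAN problem; and once the trunk carries tagged 10 and 20 to the switch, the switch side has to tag the same VLAN IDs on its uplink port or the DHCP servers will be valid but idle.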
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN DHCP Server invalid with new setup

Sat Aug 27, 2022 7:24 pm

(1) As stated, this is wrong; just remove ether3 from the bridge:
/interface bridge port
add bridge=bridge interface=ether3-vlan trusted=yes

With that done it should work.

(2) You should keep filter chains together, much easier to read.
This is a silly rule:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

It's trying to do two things and it sorta accomplishes the goal.
Much better is the clearer and more comprehensive approach of two rules:
add action=accept chain=input comment="allow LAN to Router" \
in-interface-list=LAN
add action=drop chain=input comment="drop all else"

The effect is the same in that LAN traffic is permitted with an allow statement (clear): single rule, single function.
And both WAN to router and any other potential traffic behind the router not described by the LAN interface list is also blocked.

(3) Same with this default rule: good at the start, but it should be modified at some point to be better.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

Instead, make the rule clear and allow the right traffic.
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
and then
add action=drop chain=forward comment="drop all else"

So you have a clear single-function rule, and the last rule drops all WAN to LAN, LAN to WAN and LAN to LAN traffic COLD.
For this reason one often has to add any implied rules/traffic you may not have realized was allowed.
Typically, internet traffic.

You will note too, with the drop-all rule at the end, you no longer need this silly rule:
add action=drop chain=forward comment="drop vlan to vlan" in-interface=\
all-vlan out-interface=all-vlan

FIXED:
/ip firewall filter
{input chain}
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow LAN to Router" \
    in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
 
cevers
just joined
Topic Author
Posts: 2
Joined: Thu Jun 09, 2022 10:48 am

Re: VLAN DHCP Server invalid with new setup

Sun Aug 28, 2022 11:21 pm

Thanks, with all this I have been able to figure out how to get the trunk VLAN + DHCP servers working for the router in combination with the MikroTik CRS305-1G-4S+IN switch.
The switch itself I just switched to SwOS (I said switch a lot now :D) and just assigned the VLANs to the ports. Very easy setup.

For the firewall I will read up more on that, but that's the default firewall in the router from when I did the first setup and I haven't touched it yet.
