 
RodoggA
just joined
Topic Author
Posts: 10
Joined: Sun Feb 12, 2023 1:35 pm

Cannot get out to internet or reach DHCP server

Sun Apr 23, 2023 4:06 am

Hi Everyone,

I've recently set up my Mikrotik after running into some issues.
This is what I'm trying to achieve:
image.png
My Issue
My endpoints are unable to reach the DHCP server.
If I log into the downstream Cisco switch, I can ping the gateway from the switch. (This gateway is also my DHCP server.)

If I set a static IP on the endpoint, I can reach the gateway but not get out to the internet.
If I log into the downstream switch, I'm unable to get out to the internet from the switch, giving me the feeling that I'm running into issues with my bridge configuration.
I can ping 8.8.8.8 from the Mikrotik terminal, so I know the Mikrotik has internet access.

Initially, someone suggested it may be a NAT issue. I checked out the NAT documentation https://help.mikrotik.com/docs/display/ ... Masquerade and I feel that my masquerade rule should do the trick.

I'm sure it's something simple that I've overlooked. Any pointers in the right direction would be appreciated.
/interface bridge
add admin-mac=18:FD:74:BB:C2:B1 auto-mac=no comment=defconf name=LAN-BR
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Australia .mode=ap .ssid=SGC disabled=no
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Australia .mode=ap .ssid=SGC disabled=no
/interface vlan
add interface=ether2 name="VLAN199  - Data" vlan-id=199
add interface=ether2 name="VLAN200 - Server" vlan-id=200
add interface=ether2 name="VLAN201 - Management" vlan-id=201
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.199.100-192.168.199.200
add name=dhcp_server ranges=192.168.200.100-192.168.200.200
add name=dhcp_management ranges=192.168.201.100-192.168.201.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp interface=LAN-BR lease-time=8h name=\
    dhcp_server_data
/interface bridge port
add bridge=LAN-BR comment=defconf interface=ether2
add bridge=LAN-BR comment=defconf interface=ether3
add bridge=LAN-BR comment=defconf interface=ether4
add bridge=LAN-BR comment=defconf interface=ether5
add bridge=LAN-BR comment=defconf interface=wifi1
add bridge=LAN-BR comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=LAN-BR list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=LAN-BR \
    network=192.168.88.0
add address=192.168.199.254/24 interface="VLAN199  - Data" network=\
    192.168.199.0
add address=192.168.200.254/24 interface="VLAN200 - Server" network=\
    192.168.200.0
add address=192.168.201.254/24 interface="VLAN201 - Management" network=\
    192.168.201.0
add address=192.168.199.254/24 interface=LAN-BR network=192.168.199.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.199.200 client-id=1:b4:2e:99:31:84:2 mac-address=\
    B4:2E:99:31:84:02 server=dhcp_server_data
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.199.0/24 dns-server=192.168.199.254 gateway=192.168.199.254 \
    netmask=24
add address=192.168.200.0/24 dns-server=192.168.200.254 gateway=192.168.200.254 \
    netmask=24
add address=192.168.201.0/24 dns-server=192.168.201.254 gateway=192.168.201.254 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.199.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment=\
    "Allow data and server VLANs to communicate" dst-address=192.168.200.0/24 \
    src-address=192.168.199.0/24
add action=accept chain=forward comment=\
    "Allow data and server VLANs to communicate" dst-address=192.168.199.0/24 \
    src-address=192.168.200.0/24
add action=accept chain=forward comment=\
    "Allow access to management network from IP address 192.168.199.200" \
    dst-address=192.168.201.0/24 src-address=192.168.199.200
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=LAN-BR type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Australia/Perth
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
RodoggA
just joined
Topic Author
Posts: 10
Joined: Sun Feb 12, 2023 1:35 pm

Re: Cannot get out to internet or reach DHCP server

Sun Apr 23, 2023 10:52 am

I've made the switch an L2 Switch. The switch is no longer performing routing. The Mikrotik should now handle all the routing.
 
LikeMyFloydPink
just joined
Posts: 14
Joined: Mon May 30, 2022 9:00 pm
Location: South Carolina

Re: Cannot get out to internet or reach DHCP server

Sun Apr 23, 2023 12:09 pm

First of all, and of note:
I can't speak authoritatively regarding the MikroTik specific nuances - as I am less than a year into my own MT endeavor. However, I can advise you - with some degree of accuracy - in areas less specific to MikroTik - but come down to basic troubleshooting/networking fundamentals. That being said - couple of questions:
  • Do you have access to the Property owner Router?
  • Is the L2 switch a Managed switch or a dumb (unmanaged) switch?
  • I just went back and looked and you state the switch is a L3 Cisco but then state you "made it a L2 switch" - so is it Cisco as well?
  • You are aware of the potential doubleNAT situation, correct?
If you can get back to me on the above we can go from there.

EDIT: At any point, did you try to simply put a basic config on the MikroTik and try to connect from a single client? (as in not trying to do everything all at once with vlans, etc...)
 
sid5632
Long time Member
Posts: 552
Joined: Fri Feb 17, 2017 6:05 pm

Re: Cannot get out to internet or reach DHCP server

Sun Apr 23, 2023 12:34 pm

You need to change ether2 to the bridge in the "Interface vlan" section.
You need to add an "interface bridge vlan" section.
You need to enable vlan-filtering on the bridge.

You didn't say what interface was connected to what (so it had to be inferred), nor what device type you have got.

Ignore the chatbot.
 
RodoggA
just joined
Topic Author
Posts: 10
Joined: Sun Feb 12, 2023 1:35 pm

Re: Cannot get out to internet or reach DHCP server

Sun Apr 23, 2023 1:53 pm

> First of all, and of note:
> I can't speak authoritatively regarding the MikroTik specific nuances - as I am less than a year into my own MT endeavor. However, I can advise you - with some degree of accuracy - in areas less specific to MikroTik - but come down to basic troubleshooting/networking fundamentals. That being said - couple of questions:
>   • Do you have access to the Property owner Router?
>   • Is the L2 switch a Managed switch or a dumb (unmanaged) switch?
>   • I just went back and looked and you state the switch is a L3 Cisco but then state you "made it a L2 switch" - so is it Cisco as well?
>   • You are aware of the potential doubleNAT situation, correct?
> If you can get back to me on the above we can go from there.
>
> EDIT: At any point, did you try to simply put a basic config on the MikroTik and try to connect from a single client? (as in not trying to do everything all at once with vlans, etc...)
1. I have access to the property owner's router.
2. Managed switch.
3. Yep, Cisco switch.
4. Yeah, I am. I did the research on double NAT, and while there are some potential issues it can cause, I could not find anything saying you shouldn't do it. There is a lot of mixed messaging when it comes to double NATting.
 
RodoggA
just joined
Topic Author
Posts: 10
Joined: Sun Feb 12, 2023 1:35 pm

Re: Cannot get out to internet or reach DHCP server

Sun Apr 23, 2023 2:03 pm

> You need to change ether2 to the bridge in the "Interface vlan" section.
> You need to add an "interface bridge vlan" section.
> You need to enable vlan-filtering on the bridge.
>
> You didn't say what interface was connected to what (so it had to be inferred), nor what device type you have got.
>
> Ignore the chatbot.
I have a Mikrotik hapX ac2.

Upstream on ether1 is the property owner's router.

Downstream of my Mikrotik on ether2 is a Cisco L2 or L3 switch (I'm going to use it as an L2 switch). The switch will have all my endpoints connected (PC, NAS, physical server with VMs).
I've updated the interface assignments of the VLANs to my LAN-BR bridge.

For the interface bridge VLAN, can you please elaborate a bit more on that for me?

For the VLAN filtering, I did try following this on their documentation https://help.mikrotik.com/docs/display/ ... witchchips but I had some complications. That could have been due to poor configuration on my side.
 
holvoetn
Forum Guru
Posts: 5324
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Cannot get out to internet or reach DHCP server

Sun Apr 23, 2023 3:20 pm

I have a Mikrotik hapX ac2.
You have WHAT ?

It's hAP AC2 or AX2.
hAPx AC2 I don't know.

Post full config between code quotes, leave out serial number.
 
RodoggA
just joined
Topic Author
Posts: 10
Joined: Sun Feb 12, 2023 1:35 pm

Re: Cannot get out to internet or reach DHCP server

Sun Apr 23, 2023 3:40 pm

> > I have a Mikrotik hapX ac2.
> You have WHAT ?
>
> It's hAP AC2 or AX2.
> hAPx AC2 I don't know.
>
> Post full config between code quotes, leave out serial number.
It's the hAP ax2
# apr/23/2023 02:44:15 by RouterOS 7.7
# software id = VN5I-LJSX
#
# model = C52iG-5HaxD2HaxD
/interface bridge
add admin-mac=18:FD:74:BB:C2:B1 auto-mac=no comment=defconf name=LAN-BR
add name=VLAN-BR
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Australia .mode=ap .ssid=SGC disabled=no
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Australia .mode=ap .ssid=SGC disabled=no
/interface vlan
add interface=LAN-BR name="VLAN199  - Data" vlan-id=199
add interface=LAN-BR name="VLAN200 - Server" vlan-id=200
add interface=LAN-BR name="VLAN201 - Management" vlan-id=201
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.199.100-192.168.199.200
add name=dhcp_server ranges=192.168.200.100-192.168.200.200
add name=dhcp_management ranges=192.168.201.100-192.168.201.200
/ip dhcp-server
add address-pool=dhcp interface=LAN-BR lease-time=8h name=dhcp_server_data
add address-pool=dhcp_server interface="VLAN200 - Server" name=dhcp_server_server
add address-pool=dhcp_management interface="VLAN201 - Management" name=dhcp_server_management
/interface bridge port
add bridge=LAN-BR comment=defconf interface=ether2
add bridge=LAN-BR comment=defconf interface=ether3
add bridge=LAN-BR comment=defconf interface=ether4
add bridge=LAN-BR comment=defconf interface=ether5
add bridge=LAN-BR comment=defconf interface=wifi1
add bridge=LAN-BR comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=LAN-BR list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=LAN-BR network=192.168.88.0
add address=192.168.199.254/24 interface="VLAN199  - Data" network=192.168.199.0
add address=192.168.200.254/24 interface="VLAN200 - Server" network=192.168.200.0
add address=192.168.201.254/24 interface="VLAN201 - Management" network=192.168.201.0
add address=192.168.199.254/24 interface=LAN-BR network=192.168.199.0
add address=192.168.1.253 disabled=yes interface=VLAN-BR network=192.168.1.0
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=LAN-BR
/ip dhcp-server lease
add address=192.168.199.200 client-id=1:b4:2e:99:31:84:2 mac-address=B4:2E:99:31:84:02 server=dhcp_server_data
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.199.0/24 dns-server=192.168.1.1 gateway=192.168.199.254 netmask=24
add address=192.168.200.0/24 dns-server=192.168.200.254 gateway=192.168.200.254 netmask=24
add address=192.168.201.0/24 dns-server=192.168.201.254 gateway=192.168.201.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.199.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward in-interface=LAN-BR out-interface=ether1
add action=accept chain=forward comment="Allow data and server VLANs to communicate" dst-address=192.168.200.0/24 src-address=192.168.199.0/24
add action=accept chain=forward comment="Allow data and server VLANs to communicate" dst-address=192.168.199.0/24 src-address=192.168.200.0/24
add action=accept chain=forward comment="Allow access to management network from IP address 192.168.199.200" dst-address=192.168.201.0/24 src-address=192.168.199.200
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=LAN-BR type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Australia/Perth
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
sid5632
Long time Member
Posts: 552
Joined: Fri Feb 17, 2017 6:05 pm

Re: Cannot get out to internet or reach DHCP server

Sun Apr 23, 2023 11:22 pm

> For the interface bridge VLAN, can you please elaborate a bit more on that for me?
>
> For the VLAN filtering, I did try following this on their documentation https://help.mikrotik.com/docs/display/ ... witchchips but I had some complications. That could have been due to poor configuration on my side.
It's all on here: https://help.mikrotik.com/docs/display/ ... VLAN+Table

You've also got duplicate IP addresses:
/ip address
add address=192.168.199.254/24 interface="VLAN199  - Data" network=192.168.199.0
add address=192.168.199.254/24 interface=LAN-BR network=192.168.199.0
You need to delete (or disable) the second of these.
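Putting the three points from earlier in the thread (VLAN interfaces on the bridge, a bridge VLAN table, vlan-filtering enabled) together with the duplicate-address fix just above, as an added example written for this thread, not code from any of the posters or from MikroTik's documentation. It keeps the thread's bridge name, VLAN IDs, addresses and pool names; treating ether2 as the only trunk and ether3-ether5 plus wifi1/wifi2 as untagged access ports in VLAN 199 is an assumption.

```routeros
# Added example: bridge-VLAN layout for the hAP ax2 described in this thread.
# Assumptions: ether2 is the trunk to the Cisco switch carrying VLANs 199/200/201;
# ether3-ether5 and wifi1/wifi2 are untagged access ports in VLAN 199 (data).
# The /ip pool and /ip dhcp-server network entries from the posted config are kept as they are.
# Apply inside Safe Mode (Ctrl-X in the terminal) so a mistake rolls back instead of locking you out.

/interface bridge
add name=LAN-BR vlan-filtering=no comment="filtering is switched on as the last step"

/interface bridge port
# Trunk: only VLAN-tagged frames are accepted; untagged frames are discarded
add bridge=LAN-BR interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="trunk to Cisco switch"
# Access ports: untagged frames land in VLAN 199, tagged frames are dropped at ingress
add bridge=LAN-BR interface=ether3 pvid=199 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=LAN-BR interface=ether4 pvid=199 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=LAN-BR interface=ether5 pvid=199 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=LAN-BR interface=wifi1 pvid=199 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=LAN-BR interface=wifi2 pvid=199 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# LAN-BR itself is a tagged member so the router's own VLAN interfaces receive the traffic
add bridge=LAN-BR vlan-ids=199 tagged=LAN-BR,ether2 untagged=ether3,ether4,ether5,wifi1,wifi2
add bridge=LAN-BR vlan-ids=200 tagged=LAN-BR,ether2
add bridge=LAN-BR vlan-ids=201 tagged=LAN-BR,ether2

/interface vlan
# Attached to the bridge, not to ether2
add interface=LAN-BR name="VLAN199 - Data" vlan-id=199
add interface=LAN-BR name="VLAN200 - Server" vlan-id=200
add interface=LAN-BR name="VLAN201 - Management" vlan-id=201

/ip address
# One gateway address per VLAN interface and none on LAN-BR itself,
# which removes the duplicate 192.168.199.254/24 flagged above
add address=192.168.199.254/24 interface="VLAN199 - Data"
add address=192.168.200.254/24 interface="VLAN200 - Server"
add address=192.168.201.254/24 interface="VLAN201 - Management"

/ip dhcp-server
# Each DHCP server listens on its VLAN interface rather than on the bridge
add address-pool=dhcp interface="VLAN199 - Data" lease-time=8h name=dhcp_server_data
add address-pool=dhcp_server interface="VLAN200 - Server" name=dhcp_server_server
add address-pool=dhcp_management interface="VLAN201 - Management" name=dhcp_server_management

/interface bridge
# Until this is set the VLAN table is ignored and every port sees every VLAN
set LAN-BR vlan-filtering=yes
```

Once filtering is on, the router is reached at 192.168.199.254 from an access port, and the Cisco uplink facing ether2 has to carry VLANs 199, 200 and 201 tagged for the trunk rules above to pass anything.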
 
RodoggA
just joined
Topic Author
Posts: 10
Joined: Sun Feb 12, 2023 1:35 pm

Re: Cannot get out to internet or reach DHCP server

Mon Apr 24, 2023 2:47 pm

> > For the interface bridge VLAN, can you please elaborate a bit more on that for me?
> >
> > For the VLAN filtering, I did try following this on their documentation https://help.mikrotik.com/docs/display/ ... witchchips but I had some complications. That could have been due to poor configuration on my side.
> It's all on here: https://help.mikrotik.com/docs/display/ ... VLAN+Table
>
> You've also got duplicate IP addresses:
>
> /ip address
> add address=192.168.199.254/24 interface="VLAN199  - Data" network=192.168.199.0
> add address=192.168.199.254/24 interface=LAN-BR network=192.168.199.0
> You need to delete (or disable) the second of these.
Awesome, Thanks. I've gone ahead and read the linked documentation and here is my updated implementation.
# apr/24/2023 01:40:52 by RouterOS 7.7
# software id = VN5I-LJSX
#
# model = C52iG-5HaxD2HaxD
/interface bridge
add admin-mac=18:FD:74:BB:C2:B1 auto-mac=no comment=defconf name="LAN_BRIDGE > SGCSW01"
/interface ethernet
set [ find default-name=ether2 ] name="ether2 - SGCSW01"
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Australia .mode=ap .ssid=SGC
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Australia .mode=ap .ssid=SGC
/interface vlan
add interface="ether2 - SGCSW01" name="VLAN199  - Data" vlan-id=199
add interface="ether2 - SGCSW01" name="VLAN200 - Server" vlan-id=200
add interface="ether2 - SGCSW01" name="VLAN201 - Management" vlan-id=201
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.199.100-192.168.199.200
add name=dhcp_server ranges=192.168.200.100-192.168.200.200
add name=dhcp_management ranges=192.168.201.100-192.168.201.200
/ip dhcp-server
add address-pool=dhcp interface="LAN_BRIDGE > SGCSW01" lease-time=8h name=dhcp_server_data
add address-pool=dhcp_server interface="VLAN200 - Server" name=dhcp_server_server
add address-pool=dhcp_management interface="VLAN201 - Management" name=dhcp_server_management
/interface bridge port
add bridge="LAN_BRIDGE > SGCSW01" comment=defconf interface="ether2 - SGCSW01"
add bridge="LAN_BRIDGE > SGCSW01" comment=defconf interface=ether3
add bridge="LAN_BRIDGE > SGCSW01" comment=defconf interface=ether4
add bridge="LAN_BRIDGE > SGCSW01" comment=defconf interface=ether5
add bridge="LAN_BRIDGE > SGCSW01" comment=defconf disabled=yes interface=wifi1
add bridge="LAN_BRIDGE > SGCSW01" comment=defconf disabled=yes interface=wifi2
add bridge="LAN_BRIDGE > SGCSW01" interface="VLAN199  - Data" pvid=199
add bridge="LAN_BRIDGE > SGCSW01" interface="VLAN200 - Server" pvid=200
add bridge="LAN_BRIDGE > SGCSW01" interface="VLAN201 - Management" pvid=201
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge="LAN_BRIDGE > SGCSW01" tagged="ether2 - SGCSW01" untagged=ether1 vlan-ids=199
add bridge="LAN_BRIDGE > SGCSW01" tagged="ether2 - SGCSW01" untagged=ether1 vlan-ids=200
add bridge="LAN_BRIDGE > SGCSW01" tagged="ether2 - SGCSW01" untagged=ether1 vlan-ids=201
/interface list member
add comment=defconf interface="LAN_BRIDGE > SGCSW01" list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.200.254/24 interface="VLAN200 - Server" network=192.168.200.0
add address=192.168.201.254/24 interface="VLAN201 - Management" network=192.168.201.0
add address=192.168.199.254/24 interface="LAN_BRIDGE > SGCSW01" network=192.168.199.0
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface="LAN_BRIDGE > SGCSW01"
/ip dhcp-server network
add address=192.168.199.0/24 dns-server=192.168.1.1 gateway=192.168.199.254 netmask=24
add address=192.168.200.0/24 dns-server=192.168.200.254 gateway=192.168.200.254 netmask=24
add address=192.168.201.0/24 dns-server=192.168.201.254 gateway=192.168.201.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.199.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward in-interface="LAN_BRIDGE > SGCSW01" out-interface=ether1
add action=accept chain=forward comment="Allow data and server VLANs to communicate" dst-address=192.168.200.0/24 src-address=192.168.199.0/24
add action=accept chain=forward comment="Allow data and server VLANs to communicate" dst-address=192.168.199.0/24 src-address=192.168.200.0/24
add action=accept chain=forward comment="Allow access to management network from IP address 192.168.199.200" dst-address=192.168.201.0/24 src-address=192.168.199.200
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface="LAN_BRIDGE > SGCSW01" type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/system clock
set time-zone-name=Australia/Perth
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Before proceeding with enabling VLAN filtering on the bridge using the command below, can someone please verify the behaviour below:

Traffic coming in on ether1 is from the upstream home router, which is unaware of vlans, so all the traffic will be untagged. Do I need to think about any additional considerations before turning on the filtering and is there something I should add to ensure I'll be able to get back into the router once vlan filtering is enabled?

The command for turning on filtering:
/interface/bridge/ set "LAN_BRIDGE > SGCSW01" vlan-filtering=yes pvid=199,200,201
 
sid5632
Long time Member
Posts: 552
Joined: Fri Feb 17, 2017 6:05 pm

Re: Cannot get out to internet or reach DHCP server

Mon Apr 24, 2023 4:06 pm

You need to add the bridge itself as a tagged item in the "/interface bridge vlan" entries.
Why have you got a dhcp-client on the bridge?
The enable command is just "/interface/bridge/ set "LAN_BRIDGE > SGCSW01" vlan-filtering=yes".
And as the guide says, you should be doing this configuration using a non-bridged port to prevent lockout.
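A small consistency check for the two configuration points sid5632 raises (the duplicate /ip address earlier in the thread, and the bridge itself missing from tagged in the /interface bridge vlan entries), written as an added example; it is not code from this thread or from MikroTik. It is Python run over a trimmed, constructed copy of the export posted above: every interface name comes from that config, the vlan-ids=200 entry is written the way sid5632 describes so one case passes cleanly, and the check that every listed port is actually a bridge member is what catches the untagged=ether1 lines, since ether1 is the WAN port and not on the bridge.

```python
"""Consistency checks for a RouterOS bridge-VLAN export (added example)."""
import shlex
from collections import defaultdict

# Constructed sample: the sections of the export posted above that matter
# for VLAN filtering, trimmed to the lines the checks look at.  The
# vlan-ids=200 entry is written the way sid5632 describes (bridge tagged,
# only member ports listed) so the checks have a clean case to pass.
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=18:FD:74:BB:C2:B1 auto-mac=no comment=defconf name="LAN_BRIDGE > SGCSW01"
/interface bridge port
add bridge="LAN_BRIDGE > SGCSW01" comment=defconf interface="ether2 - SGCSW01"
add bridge="LAN_BRIDGE > SGCSW01" comment=defconf interface=ether3
add bridge="LAN_BRIDGE > SGCSW01" comment=defconf interface=ether4
/interface bridge vlan
add bridge="LAN_BRIDGE > SGCSW01" tagged="ether2 - SGCSW01" untagged=ether1 vlan-ids=199
add bridge="LAN_BRIDGE > SGCSW01" tagged="LAN_BRIDGE > SGCSW01","ether2 - SGCSW01" untagged=ether3,ether4 vlan-ids=200
/ip address
add address=192.168.199.254/24 interface="VLAN199  - Data" network=192.168.199.0
add address=192.168.199.254/24 interface="LAN_BRIDGE > SGCSW01" network=192.168.199.0
add address=192.168.200.254/24 interface="VLAN200 - Server" network=192.168.200.0
"""


def parse_export(text):
    """Map each '/section' header to the key=value dicts of its `add` lines."""
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section is not None:
            # shlex keeps quoted interface names such as "ether2 - SGCSW01" whole.
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            sections[section].append(dict(pairs))
    return sections


def _names(value):
    """Split a comma-separated RouterOS list value into interface names."""
    return [x.strip() for x in value.split(",") if x.strip()]


def lint(sections):
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []

    # 1. The same address on two interfaces (sid5632's first point).
    owners = defaultdict(list)
    for entry in sections["/ip address"]:
        owners[entry["address"]].append(entry.get("interface", "?"))
    for addr, ifaces in owners.items():
        if len(ifaces) > 1:
            findings.append(f"duplicate address {addr} on {', '.join(ifaces)}")

    # 2. Bridge VLAN table: the bridge must be a tagged member of every VLAN
    #    the router itself needs, and only bridge ports may be listed.
    members = defaultdict(set)
    for port in sections["/interface bridge port"]:
        members[port["bridge"]].add(port["interface"])
    for entry in sections["/interface bridge vlan"]:
        bridge, vids = entry["bridge"], entry.get("vlan-ids", "?")
        tagged, untagged = _names(entry.get("tagged", "")), _names(entry.get("untagged", ""))
        if bridge not in tagged:
            findings.append(f"vlan {vids}: bridge {bridge!r} missing from tagged, "
                            "so the router's own VLAN interfaces will not see this VLAN")
        for iface in tagged + untagged:
            if iface != bridge and iface not in members[bridge]:
                findings.append(f"vlan {vids}: {iface!r} is not a member port of bridge {bridge!r}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Run against the sample it reports three findings (the duplicate 192.168.199.254/24, the bridge missing from the VLAN 199 entry, and ether1 listed although it is not a bridge port) and nothing for VLAN 200. Running it on a full `/export` before enabling vlan-filtering is a cheap way to catch the lockout case sid5632 warns about, since a VLAN that the bridge is not tagged in is exactly the one you lose management access over.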
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cannot get out to internet or reach DHCP server  [SOLVED]

Mon Apr 24, 2023 5:05 pm

(1) Really dislike the convoluted name you have for bridge, I mean really?? -->name="LAN_BRIDGE > SGCSW01"

I would change it............. to Bridge but made it a bit fancy for ya..........
/interface bridge
add admin-mac=18:FD:74:BB:C2:B1 auto-mac=no comment=defconf name=LBridge-SG1

(2) More to the point you need to add the last step of vlan setup which is set vlan-filtering=YES on the bridge settings itself.

(3) Now I see the problem you want to attach all the vlans to ether2.......... Just not the way I do business ...........
Would set them to the bridge...... I would say you're confused and have mixed up the two approaches
In fact it's not clear why you even have a bridge...........?
Your interface bridge ports and interface bridge vlans are also screwed. Another case of blind copying and pasting without really knowing what's going on.
The WAN part of the setup is bizarre as you treat it like a LAN in the bridge vlan settings...... wrongo
Including the fact that you have manually entered a WAN IP address but also have IP DHCP Client settings enabled; it's one or the other.
The address method is fine for statically setting the IP for the MT............

Why the UPNP??? removed for now,
Firewall rules disorganized...........

Why do you have two vlans for servers and data when they both have access to the other..........
Just to be clear, are you saying both ORIGINATE traffic to the other, ( start a session ) ???
Remember that return traffic is automatically permitted so if for example you meant only data vlan needs access to server vlan, then only one rule is needed ????
I will assume that is the case because servers should not for the most part be originating traffic ....

All smart devices behind MT should get an IP from vlan201 subnet.
+++++++++++++++++++++++
Okay, will be nice and fix it for ya as there are too many errors to discuss................

THIS IS THE WAY............. to quote my almost-two-year-old granddaughter.

Before you start, suggest you take one unused port OFF the bridge if one is available and follow this while doing the change --> viewtopic.php?t=181718
/interface bridge
add admin-mac=18:FD:74:BB:C2:B1 auto-mac=no comment=defconf name="LAN_BRIDGE > SGCSW01"  vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name="ether2 - SGCSW01"
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Australia .mode=ap .ssid=SGC
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Australia .mode=ap .ssid=SGC
/interface vlan
add interface="LAN_BRIDGE > SGCSW01" name="VLAN199  - Data" vlan-id=199
add interface="LAN_BRIDGE > SGCSW01" name="VLAN200 - Server" vlan-id=200
add interface="LAN_BRIDGE > SGCSW01" name="VLAN201 - Management" vlan-id=201
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/ip pool
add name=dhcp ranges=192.168.199.100-192.168.199.200
add name=dhcp_server ranges=192.168.200.100-192.168.200.200
add name=dhcp_management ranges=192.168.201.100-192.168.201.200
/ip dhcp-server
add address-pool=dhcp interface="VLAN199  - Data"  lease-time=8h name=dhcp_server_data
add address-pool=dhcp_server interface="VLAN200 - Server" name=dhcp_server_server
add address-pool=dhcp_management interface="VLAN201 - Management" name=dhcp_server_management
/interface bridge port
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-only-vlan-tagged  interface="ether2 - SGCSW01"
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-priority-and-untagged  interface=ether3  pvid=199
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-priority-and-untagged  interface=ether4 pvid=199
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-priority-and-untagged  interface=ether5 pvid=199
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-priority-and-untagged  disabled=yes interface=wifi1 pvid=199
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-priority-and-untagged  disabled=yes interface=wifi2 pvid=199
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge="LAN_BRIDGE > SGCSW01"   tagged="LAN_BRIDGE > SGCSW01","ether2 - SGCSW01"  vlan-ids=200,201
add bridge="LAN_BRIDGE > SGCSW01"   tagged="LAN_BRIDGE > SGCSW01","ether2 - SGCSW01" untagged=ether3,ether4,ether5,wifi1,wifi2  vlan-ids=199
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface="VLAN199  - Data"  list=LAN
add interface="VLAN200 - Server"  list=LAN
add interface="VLAN201 - Management" list=LAN
add interface="VLAN201 - Management" list=MGMT
/ip address
add address=192.168.200.254/24 interface="VLAN200 - Server" network=192.168.200.0
add address=192.168.201.254/24 interface="VLAN201 - Management" network=192.168.201.0
add address=192.168.199.254/24 interface="VLAN199  - Data" network=192.168.199.0
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0
/ip dhcp-server network
add address=192.168.199.0/24 dns-server=192.168.199.1 gateway=192.168.199.254 netmask=24
add address=192.168.200.0/24 dns-server=192.168.200.254 gateway=192.168.200.254 netmask=24
add address=192.168.201.0/24 dns-server=192.168.201.254 gateway=192.168.201.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip firewall address-list
add address=adminDesktop-IP  list=AUTHORIZED    {  192.168.199.200 ? }
add address=adminLaptop-IP  list=AUTHORIZED
add address=adminSmartphone/Ipad  list=AUTHORIZED
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access"  src-address-list=AUTHORIZED
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="temp allow all from LAN" in-interface-list=LAN  { remove when above rules are in place }
add action=drop chain=input comment="drop all else"  {  last rule to implement }
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow data vlan to server vlan"  in-interface="VLAN199  - Data"  out-interface="VLAN200 - Server"
add action=accept chain=forward comment="Admin access to mgmt vlan"  src-address=192.168.199.200 dst-address=192.168.201.0/24 
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
/system clock
set time-zone-name=Australia/Perth
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
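To show why the rule order anav proposes behaves the way the post says (reply traffic is taken by the stateful accept at the top of each chain, so one forward rule per direction of origination is enough; the "temp allow all from LAN" line sits above "drop all else" and is pulled once the admin and service rules are proven), here is an added first-match walk of the proposed input and forward chains. It is Python written for this page, not code from the thread or from MikroTik: the rules are a trimmed copy of the ones above with the IPsec and fasttrack lines omitted, the AUTHORIZED list is assumed to hold the single address 192.168.199.200 that anav marks with a question mark, the interface-list membership is taken from the posted config, and connection state is a field on each constructed packet rather than real connection tracking.

```python
"""First-match evaluation of a RouterOS filter chain (added example)."""
import ipaddress
import shlex

# Constructed sample: a trimmed copy of the input and forward chains
# proposed above (IPsec and fasttrack rules omitted, comments shortened).
RULES_TEXT = """\
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="admin access" src-address-list=AUTHORIZED
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="temp allow all from LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="LAN to internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow data vlan to server vlan" in-interface="VLAN199  - Data" out-interface="VLAN200 - Server"
add action=accept chain=forward comment="Admin access to mgmt vlan" src-address=192.168.199.200 dst-address=192.168.201.0/24
add action=drop chain=forward comment="drop all else"
"""

# Constructed: interface-list membership from the posted config, and the
# AUTHORIZED list assumed to hold the one address the post marks with "?".
INTERFACE_LISTS = {
    "LAN": {"VLAN199  - Data", "VLAN200 - Server", "VLAN201 - Management"},
    "WAN": {"ether1"},
}
ADDRESS_LISTS = {"AUTHORIZED": {"192.168.199.200"}}


def _in_net(addr, spec):
    """Match one address against a host address or a prefix (x.x.x.x/nn)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


# One predicate per matcher the sample rules use: (rule value, packet) -> bool.
MATCHERS = {
    "protocol": lambda want, p: p["protocol"] == want,
    "dst-port": lambda want, p: str(p.get("dst-port")) in want.split(","),
    "connection-state": lambda want, p: p["connection-state"] in want.split(","),
    "in-interface": lambda want, p: p["in-interface"] == want,
    "out-interface": lambda want, p: p.get("out-interface") == want,
    "in-interface-list": lambda want, p: p["in-interface"] in INTERFACE_LISTS[want],
    "out-interface-list": lambda want, p: p.get("out-interface") in INTERFACE_LISTS[want],
    "src-address-list": lambda want, p: p["src-address"] in ADDRESS_LISTS[want],
    "src-address": lambda want, p: _in_net(p["src-address"], want),
    "dst-address": lambda want, p: _in_net(p["dst-address"], want),
}


def parse_rules(text):
    """Turn each `add ...` line into a dict of its key=value pairs."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.splitlines() if line.startswith("add ")]


def without(rules, comment):
    """The same rule list with every rule carrying `comment` removed."""
    return [r for r in rules if r.get("comment") != comment]


def verdict(rules, chain, pkt):
    """(action, comment) of the first rule in `chain` whose matchers all hit."""
    for rule in rules:
        if rule["chain"] != chain:
            continue
        keys = [k for k in rule if k not in ("action", "chain", "comment")]
        if all(MATCHERS[k](rule[k], pkt) for k in keys):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain: RouterOS default policy"


def packet(**fields):
    """Constructed packet; keyword names use '_' where RouterOS uses '-'."""
    base = {"protocol": "tcp", "connection-state": "new", "dst-port": None,
            "in-interface": "VLAN199  - Data", "out-interface": None,
            "src-address": "192.168.199.50", "dst-address": "192.168.199.254"}
    base.update({k.replace("_", "-"): v for k, v in fields.items()})
    return base


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    staged = without(RULES, "temp allow all from LAN")
    cases = [
        ("DNS from a data-VLAN host", "input", RULES, packet(protocol="udp", dst_port=53)),
        ("WinBox from a non-admin host, temp rule present", "input", RULES, packet(dst_port=8291)),
        ("WinBox from a non-admin host, temp rule removed", "input", staged, packet(dst_port=8291)),
        ("WinBox from the admin desktop", "input", staged, packet(dst_port=8291, src_address="192.168.199.200")),
        ("server reply back to data VLAN", "forward", RULES, packet(in_interface="VLAN200 - Server",
            out_interface="VLAN199  - Data", src_address="192.168.200.10",
            dst_address="192.168.199.50", connection_state="established")),
        ("server opening a session to data VLAN", "forward", RULES, packet(in_interface="VLAN200 - Server",
            out_interface="VLAN199  - Data", src_address="192.168.200.10", dst_address="192.168.199.50")),
    ]
    for label, chain, rules, pkt in cases:
        print(f"{label}: {verdict(rules, chain, pkt)}")
```

The walk makes the two points concrete: a server's reply to a data-VLAN host is accepted by the established/related rule before any per-VLAN rule is consulted, while a session the server originates towards the data VLAN falls through to "drop all else", so the single "Allow data vlan to server vlan" rule is sufficient. On the input side, WinBox from a non-admin host is accepted only while the temporary LAN rule is in place and dropped as soon as it is removed, which is why the post says to keep it until the admin and service rules are confirmed to work.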
 
RodoggA
just joined
Topic Author
Posts: 10
Joined: Sun Feb 12, 2023 1:35 pm

Re: Cannot get out to internet or reach DHCP server

Mon Apr 24, 2023 7:13 pm

(1) Really dislike the convoluted name you have for bridge, I mean really?? -->name="LAN_BRIDGE > SGCSW01"

I would change it............. to Bridge but made it a bit fancy for ya..........
/interface bridge
add admin-mac=18:FD:74:BB:C2:B1 auto-mac=no comment=defconf name=LBridge-SG1

(2) More to the point you need to add the last step of vlan setup which is set vlan-filtering=YES on the bridge settings itself.

(3) Now I see the problem you want to attach all the vlans to ether2.......... Just not the way I do business ...........
Would set them to the bridge...... I would say you're confused and have mixed up the two approaches
In fact it's not clear why you even have a bridge...........?
Your interface bridge ports and interface bridge vlans are also screwed. Another case of blind copying and pasting without really knowing what's going on.
The WAN part of the setup is bizarre as you treat it like a LAN in the bridge vlan settings...... wrongo
Including the fact that you have manually entered a WAN IP address but also have IP DHCP Client settings enabled; it's one or the other.
The address method is fine for statically setting the IP for the MT............

Why the UPNP??? removed for now,
Firewall rules disorganized...........

Why do you have two vlans for servers and data when they both have access to the other..........
Just to be clear, are you saying both ORIGINATE traffic to the other, ( start a session ) ???
Remember that return traffic is automatically permitted so if for example you meant only data vlan needs access to server vlan, then only one rule is needed ????
I will assume that is the case because servers should not for the most part be originating traffic ....

All smart devices behind MT should get an IP from vlan201 subnet.
+++++++++++++++++++++++
Okay, will be nice and fix it for ya as there are too many errors to discuss................

THIS IS THE WAY............. to quote my almost-two-year-old granddaughter.

Before you start, suggest you take one unused port OFF the bridge if one is available and follow this while doing the change --> viewtopic.php?t=181718
/interface bridge
add admin-mac=18:FD:74:BB:C2:B1 auto-mac=no comment=defconf name="LAN_BRIDGE > SGCSW01"  vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name="ether2 - SGCSW01"
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Australia .mode=ap .ssid=SGC
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Australia .mode=ap .ssid=SGC
/interface vlan
add interface="LAN_BRIDGE > SGCSW01" name="VLAN199  - Data" vlan-id=199
add interface="LAN_BRIDGE > SGCSW01" name="VLAN200 - Server" vlan-id=200
add interface="LAN_BRIDGE > SGCSW01" name="VLAN201 - Management" vlan-id=201
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/ip pool
add name=dhcp ranges=192.168.199.100-192.168.199.200
add name=dhcp_server ranges=192.168.200.100-192.168.200.200
add name=dhcp_management ranges=192.168.201.100-192.168.201.200
/ip dhcp-server
add address-pool=dhcp interface="VLAN199  - Data"  lease-time=8h name=dhcp_server_data
add address-pool=dhcp_server interface="VLAN200 - Server" name=dhcp_server_server
add address-pool=dhcp_management interface="VLAN201 - Management" name=dhcp_server_management
/interface bridge port
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-only-vlan-tagged  interface="ether2 - SGCSW01"
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-priority-and-untagged  interface=ether3  pvid=199
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-priority-and-untagged  interface=ether4 pvid=199
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-priority-and-untagged  interface=ether5 pvid=199
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-priority-and-untagged  disabled=yes interface=wifi1 pvid=199
add bridge="LAN_BRIDGE > SGCSW01" ingress-filtering=yes frame-types=admit-priority-and-untagged  disabled=yes interface=wifi2 pvid=199
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge="LAN_BRIDGE > SGCSW01"   tagged="LAN_BRIDGE > SGCSW01","ether2 - SGCSW01"  vlan-ids=200,201
add bridge="LAN_BRIDGE > SGCSW01"   tagged="LAN_BRIDGE > SGCSW01","ether2 - SGCSW01" untagged=ether3,ether4,ether5,wifi1,wifi2  vlan-ids=199
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface="VLAN199  - Data"  list=LAN
add interface="VLAN200 - Server"  list=LAN
add interface="VLAN201 - Management" list=LAN
add interface="VLAN201 - Management" list=MGMT
/ip address
add address=192.168.200.254/24 interface="VLAN200 - Server" network=192.168.200.0
add address=192.168.201.254/24 interface="VLAN201 - Management" network=192.168.201.0
add address=192.168.199.254/24 interface="VLAN199  - Data" network=192.168.199.0
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0
/ip dhcp-server network
add address=192.168.199.0/24 dns-server=192.168.199.1 gateway=192.168.199.254 netmask=24
add address=192.168.200.0/24 dns-server=192.168.200.254 gateway=192.168.200.254 netmask=24
add address=192.168.201.0/24 dns-server=192.168.201.254 gateway=192.168.201.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip firewall address-list
add address=adminDesktop-IP  list=AUTHORIZED    {  192.168.199.200 ? }
add address=adminLaptop-IP  list=AUTHORIZED
add address=adminSmartphone/Ipad  list=AUTHORIZED
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access"  src-address-list=AUTHORIZED
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="temp allow all from LAN" in-interface-list=LAN  { remove when above rules are in place }
add action=drop chain=input comment="drop all else"  {  last rule to implement }
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow data vlan to server vlan"  in-interface="VLAN199  - Data"  out-interface="VLAN200 - Server"
add action=accept chain=forward comment="Admin access to mgmt vlan"  src-address=192.168.199.200 dst-address=192.168.201.0/24 
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
/system clock
set time-zone-name=Australia/Perth
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
Thank you so much.
Networking is a skill I have only very recently started exploring. So picking up and understanding the technical concepts from the documentation is a massive WIP as I continue to grasp the basics.
Looking at the commands you outlined and the trunking side of things I got from the documentation, I understand where I went wrong.

As I expected, my bridge was my issue.
Regarding my interface justification, I've considered ether1 as my WAN, and then ether2-5 is my LAN. Anything downstream of the MK, I've considered LAN.

Preventing Lockout:
Super Awesome. I've implemented this on my MGMT Network and it is something I'll definitely reference for future implementations. I'm also going to run through other useful articles. Considering how early I am into my networking journey, any best practices I can learn early, the easier my life will be.

Why do I have the bridge?
From what I've come to understand about Mikrotik, the bridge is the equivalent of a "trunk" port, and trunks are required to encapsulate the dot1q headers. But you know this.
Since I've got the Cisco switch downstream and a physical host, I want to build on this to get it to a stage where I can tinker and develop my skills not only across networking but also general system admin tasks.

It's not perfect, and I still have a long way to go with my professional development. I appreciate you and what you've done.
Any advice or general guidance you have will be amazing.
