ignas
just joined
Topic Author
Posts: 1
Joined: Sat Sep 04, 2021 12:34 am

VLAN configuration issue

Sat Sep 04, 2021 12:43 am

Hi,

I've recently bought the new CCR2004-16G-2S+ router. I have no experience with MikroTik and routers in general, so I've been reading documentation. At the moment I have WAN on port 1 and a bridge spanning all other ports. Everything works as expected.

Now I'd like to add a VLAN to one of the ports (#4). I'd like the device on that port to be isolated from the rest of the network. However, that port never receives an address from the DHCP server. Setting an IP address manually doesn't work either. What's wrong with my config?
# *** by RouterOS 7.0.4
# software id = ***
#
# model = CCR2004-16G-2S+
# serial number = ***
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no full-duplex=no speed=\
    100Mbps
/interface list
add name=lan1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp1 ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=dhcp1 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4 pvid=20
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=lan1
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=20
/interface list member
add interface=bridge1 list=lan1
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=jump chain=input in-interface=ether1 jump-target=icmp protocol=\
    icmp
add action=drop chain=input in-interface=ether1
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1
add action=accept chain=icmp icmp-options=0:0 protocol=icmp
add action=accept chain=icmp icmp-options=3:0 protocol=icmp
add action=accept chain=icmp icmp-options=3:1 protocol=icmp
add action=accept chain=icmp icmp-options=3:4 protocol=icmp
add action=accept chain=icmp icmp-options=8:0 protocol=icmp
add action=accept chain=icmp icmp-options=11:0 protocol=icmp
add action=accept chain=icmp icmp-options=12:0 protocol=icmp
add action=drop chain=icmp protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=***
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=lan1
/tool mac-server mac-winbox
set allowed-interface-list=lan1
/tool mac-server ping
set enabled=no
Thank you!
Ignas
 
rooin
newbie
Posts: 47
Joined: Tue Feb 22, 2011 10:44 am

Re: VLAN configuration issue

Fri Dec 24, 2021 3:46 am

Searching for other information on the CCR2004 I stumbled upon your unanswered post, and since I have been dealing with the 2004 myself recently I will try and help you get things straightened out.

If you are isolating ether4 in vlan20 with pvid, you need to create a VLAN interface 20 (with IP), attached to your bridge1, and create a DHCP server on that vlan20 interface to answer DHCP requests.
You have to treat vlan20 as its own separate layer 2 network, and as such it requires its own IP, gateway, DHCP, etc.

Hope this helps.
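
The steps described in the reply above, written out as RouterOS commands. This is an added example, not configuration posted by either participant. The interface name vlan20, the pool and server name dhcp-vlan20, and the 192.168.20.0/24 subnet are assumptions chosen for illustration. Because the forward chain in the posted export has no rule blocking new connections between internal interfaces, two drop rules are included so that routing through the CCR does not undo the isolation the original post asks for.

```routeros
# Added example. Names and the 192.168.20.0/24 subnet are assumed, not from the thread.
# The posted export already contains the bridge VLAN table entry that this relies on:
#   /interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=20
# and the port setting: /interface bridge port ... interface=ether4 pvid=20

# Layer 3 interface for VLAN 20, attached to the bridge (the bridge itself is
# the tagged member, so tagged VLAN 20 frames reach this interface)
/interface vlan
add interface=bridge1 name=vlan20 vlan-id=20

# Router address that serves as the gateway for VLAN 20
/ip address
add address=192.168.20.1/24 interface=vlan20

# Separate address pool and DHCP server bound to the VLAN interface,
# not to bridge1 (bridge1 only sees the untagged/default VLAN)
/ip pool
add name=dhcp-vlan20 ranges=192.168.20.100-192.168.20.254
/ip dhcp-server
add address-pool=dhcp-vlan20 interface=vlan20 name=dhcp-vlan20 disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1

# Isolation: without these, the router forwards new connections between
# 192.168.20.0/24 and 192.168.88.0/24. Appended rules land after the existing
# established/related accept, so only new inter-VLAN connections are dropped.
/ip firewall filter
add action=drop chain=forward in-interface=vlan20 out-interface=bridge1 \
    comment="vlan20 -> LAN blocked"
add action=drop chain=forward in-interface=bridge1 out-interface=vlan20 \
    comment="LAN -> vlan20 blocked"
```

The posted input chain only drops traffic arriving on ether1, so a device in VLAN 20 can still reach services on the router itself unless the input chain is restricted for vlan20 as well.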
