I've been looking at various threads on getting DHCP clients on a VLAN behind a CRS switch to work correctly and I'll admit that I'm a bit lost now. Here's an image that shows my network setup between a CRS-309 and a CCR-1009:
I had a lot of teething troubles getting basic connectivity working (which I posted on another thread) but that is resolved now. My current symptoms are a client PC connected via SFP-1 to the CRS is not able to get a DHCP address from a VLAN interface on the CCR-1009. Based on pcunite's thread here, I've configured the bridge on the CRS & CCR as follows:
CRS config:
Code: Select all
/interface bridge
add name=bridge1 protocol-mode=mstp vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 pvid=104
add bridge=bridge1 interface=sfp-sfpplus8
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus8 vlan-ids=104
/ip address
add address=192.168.88.20/24 interface=bridge1 network=192.168.88.0
/ip route
add distance=1 gateway=192.168.88.3
/system routerboard settings
set boot-os=router-os
Code: Select all
/interface bridge
add admin-mac=4C:5E:0C:03:20:22 auto-mac=no fast-forward=no name=\
"Direct Clients Bridge" protocol-mode=mstp vlan-filtering=yes
/interface bridge port
add bridge="Direct Clients Bridge" interface="ether1-switch master"
add bridge="Direct Clients Bridge" interface=ether2
add bridge="Direct Clients Bridge" interface=ether3
add bridge="Direct Clients Bridge" interface=ether4
add bridge="Direct Clients Bridge" interface=sfp-sfpplus1
/interface bridge vlan
add bridge="Direct Clients Bridge" tagged="sfp-sfpplus1,Direct Clients Bridge,\
ether1-switch master,ether2,ether3,ether4" vlan-ids=104
/ip neighbor discovery-settings
set discover-interface-list=!WAN-All
/interface detect-internet
set detect-interface-list=WAN-All internet-interface-list=WAN-Native \
lan-interface-list=LAN wan-interface-list=WAN-All
/interface vrrp
add authentication=ah comment="VLAN 1 Network" interface=\
"Home Network Trunk Ports" name=mgmt-net-vrrp priority=250 version=2 \
vrid=48
/interface vrrp
add authentication=ah interface=dmz-net name=dmz-net-vrrp priority=250 \
version=2 vrid=122
add authentication=ah interface=iot-net name=iot-net-vrrp priority=250 \
version=2 vrid=50
add authentication=ah interface=lab-vlan name=lab-vlan-vrrp priority=250 \
version=2 vrid=54
add authentication=ah interface=others-net name=others-net-vrrp priority=250 \
version=2 vrid=75
add authentication=ah interface=server-net name=server-net-vrrp on-master=\
" /system script run force-update-odns" priority=250 version=2 vrid=20
add authentication=ah interface=trusted-clients-net name=trusted-clients-vrrp \
priority=250 version=2 vrid=104
/interface vlan
add comment="DMZ Network" interface="Home Network Trunk Ports" name=dmz-net \
vlan-id=122
add comment="Guest network" disabled=yes interface="Home Network Trunk Ports" \
name=guest-net vlan-id=90
add comment="IOT Devices Network" interface="Home Network Trunk Ports" name=\
iot-net vlan-id=50
add comment="Lab Network" interface="Home Network Trunk Ports" name=lab-vlan \
vlan-id=54
add comment="Untrusted Client(s) network" interface=\
"Home Network Trunk Ports" name=others-net vlan-id=75
add comment="Server network" interface="Home Network Trunk Ports" name=\
server-net vlan-id=20
add comment="\"Trusted\" clients network" interface=\
"Home Network Trunk Ports" name=trusted-clients-net vlan-id=104
/interface list
add name=WAN-All
add name=LAN
add name=WAN-Native
/ip dhcp-server option
add code=15 name=labdomain value="'lab.domain.tld'"
add code=119 name=domainsearch value=\
"s'srv.domain.tld,clients.domain.tld,lab.domain.tld'"
add code=15 name=clientdomain value="'clients.domain.tld'"
add code=15 name=srvdomain value="'srv.domain.tld'"
add code=15 name=mgmtdomain value="'mgmt.domain.tld'"
add code=15 name=iotdomain value="'iot.domain.tld'"
/ip dhcp-server option sets
add name=lab-dhcp-options options=labdomain,domainsearch
add name=client-dhcp-options options=clientdomain,domainsearch
add name=srv-dhcp-options options=srvdomain,domainsearch
add name=mgmt-dhcp-options options=mgmtdomain
/system logging action
add disk-file-count=4 disk-file-name=disk1/log disk-lines-per-file=2000 name=\
sdcard target=disk
/interface list member
add interface=ether8-gateway list=WAN-All
add interface="Direct Clients Bridge" list=LAN
add interface="Home Network Trunk Ports" list=LAN
add interface=dmz-net list=LAN
add interface="ether1-switch master" list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=guest-net list=LAN
add interface=iot-net list=LAN
add interface=others-net list=LAN
add interface=server-net list=LAN
add interface=trusted-clients-net list=LAN
add interface=lab-vlan list=LAN
add interface=dmz-net-vrrp list=LAN
add interface=iot-net-vrrp list=LAN
add interface=mgmt-net-vrrp list=LAN
add interface=others-net-vrrp list=LAN
add interface=server-net-vrrp list=LAN
add interface=lab-vlan-vrrp list=LAN
add interface=trusted-clients-vrrp list=LAN
add interface=l2tp-evpn-IN list=WAN-All
add interface=l2tp-evpn-US list=WAN-All
add interface=ether8-gateway list=WAN-Native
/ip address
add address=192.168.88.3/24 comment="Address for directly attached clients" \
interface="Direct Clients Bridge" network=192.168.88.0
add address=192.168.48.1/24 comment="Management network" interface=\
"Home Network Trunk Ports" network=192.168.48.0
add address=192.168.54.1/24 comment="Lab Network" interface=lab-vlan network=\
192.168.54.0
add address=192.168.20.1/24 comment="Server Network" interface=server-net \
network=192.168.20.0
add address=192.168.50.1/24 comment="IOT Network" interface=iot-net network=\
192.168.50.0
add address=192.168.75.1/24 comment="Untrusted Clients" interface=others-net \
network=192.168.75.0
add address=192.168.90.1/24 comment="Guest Network (Inactive)" disabled=yes \
interface=guest-net network=192.168.90.0
add address=192.168.104.1/24 comment="Trusted Clients" interface=\
trusted-clients-net network=192.168.104.0
add address=192.168.122.1/24 comment="DMZ Network" interface=dmz-net network=\
192.168.122.0
add address=192.168.54.254 interface=lab-vlan-vrrp network=192.168.54.254
add address=192.168.20.254 interface=server-net-vrrp network=192.168.20.254
add address=192.168.48.254 interface=mgmt-net-vrrp network=192.168.48.254
add address=192.168.50.254 interface=iot-net-vrrp network=192.168.50.254
add address=192.168.75.254 interface=others-net-vrrp network=192.168.75.254
add address=192.168.104.254 interface=trusted-clients-vrrp network=\
192.168.104.254
add address=192.168.122.254 interface=dmz-net-vrrp network=192.168.122.254
add address=192.168.50.19 disabled=yes interface=iot-net network=\
192.168.50.19
add address=192.168.75.19 disabled=yes interface=others-net network=\
192.168.75.19
/ip arp
add address=192.168.48.255 comment="Broadcast MAC for WOL" interface=\
"Home Network Trunk Ports" mac-address=FF:FF:FF:FF:FF:FF
add address=192.168.48.51 interface="Home Network Trunk Ports" mac-address=\
FC:EC:DA:3A:96:66
add address=192.168.48.50 interface="Home Network Trunk Ports" mac-address=\
FC:EC:DA:3A:9A:8B
/ip dhcp-client
add disabled=no interface=ether8-gateway use-peer-dns=no use-peer-ntp=no
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN-All
add action=drop chain=input comment="Block Winbox connections on WAN" \
dst-port=8291 in-interface=ether8-gateway protocol=tcp
add action=drop chain=input comment=\
"Block Mikrotik Bandwidth Test connections on WAN" dst-port=2000 \
in-interface=ether8-gateway protocol=tcp
add action=drop chain=input comment="Drop inbound TCP DNS" dst-port=53 \
in-interface=ether8-gateway protocol=tcp
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet whi\
ch should not exist in public network" in-interface-list=WAN-All \
src-address-list=NotPublic
add action=fasttrack-connection chain=forward connection-state=\
established,related dst-address-list=!External-Client src-address-list=\
!External-Client
add action=drop chain=forward log-prefix=DMZ protocol=tcp src-address=\
192.168.122.90 src-port=!443
add action=drop chain=forward comment="Drop all packets from public internet w\
hich should not exist in public network" in-interface-list=WAN-All \
src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets in local network which\
\_does not have local network address" in-interface-list=LAN src-address=\
!192.168.0.0/16
add action=drop chain=forward comment=\
"Block IOT Traffic to critical LAN Segments" connection-state=\
invalid,new,untracked dst-address-list=Sensitive-Internal in-interface=\
iot-net log=yes log-prefix=iot-drop src-mac-address=!90:DD:5D:CA:59:A7
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="drop all from WAN" in-interface=\
ether8-gateway
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=others-net-vrrp \
new-connection-mark=non-trusted passthrough=yes
# guest-net not ready
add action=mark-connection chain=prerouting in-interface=guest-net \
new-connection-mark=non-trusted passthrough=yes
add action=mark-connection chain=prerouting comment=\
"DNS Mark for fast.com (MyRepublic)" dst-port=53 layer7-protocol=\
Netflix-Fast log-prefix=nflx-fast new-connection-mark=nflx-fast \
passthrough=yes protocol=udp src-address-list=Client-LAN
add action=mark-connection chain=prerouting comment=\
"DNS Mark for Netflix Domains" dst-port=53 layer7-protocol=Netflix \
log-prefix=nflx-conn new-connection-mark=nflx-conn passthrough=yes \
protocol=udp src-address-list=Client-LAN
add action=mark-connection chain=prerouting comment=\
"DNS Mark for Netflix Domains" dst-port=53 layer7-protocol=Netflix \
log-prefix=nflx-conn new-connection-mark=nflx-conn passthrough=yes \
protocol=tcp src-address-list=Client-LAN
add action=mark-connection chain=prerouting comment=\
"DNS Mark for IOT Devices" dst-address=!192.168.50.19 dst-port=53 \
in-interface=iot-net-vrrp layer7-protocol=!Netflix log-prefix=iot-dns \
new-connection-mark=iot-dns passthrough=yes protocol=udp src-address=\
!192.168.50.19 src-address-list=""
add action=mark-connection chain=prerouting comment=\
"DNS Mark for IOT Devices" dst-address=!192.168.50.19 dst-port=53 \
in-interface=iot-net-vrrp layer7-protocol=!Netflix new-connection-mark=\
iot-dns passthrough=yes protocol=tcp src-address=!192.168.50.19 \
src-address-list=""
add action=mark-connection chain=prerouting comment=\
"DNS Mark for Lab Devices" dst-address=!192.168.54.230 dst-port=53 \
in-interface=lab-vlan-vrrp log-prefix=lab-dns new-connection-mark=lab-dns \
passthrough=yes protocol=udp src-address-list=!Lab-Whitelist
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN-All
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface=\
ether8-gateway protocol=tcp to-addresses=192.168.48.100 to-ports=32400
add action=dst-nat chain=dstnat comment="Forward to jumphost SSL Multiplexer" \
dst-port=443 in-interface=ether8-gateway protocol=tcp to-addresses=\
192.168.122.90 to-ports=443
add action=dst-nat chain=dstnat comment="Forward to jumphost UDP OpenVPN " \
dst-port=1194 in-interface=ether8-gateway log-prefix=udp-vpn protocol=udp \
to-addresses=192.168.122.91 to-ports=1194
add action=dst-nat chain=dstnat comment="Redirect IOT UDP DNS to PiHole" \
connection-mark=iot-dns dst-port=53 log-prefix=iot-dns-nat protocol=udp \
to-addresses=192.168.50.19 to-ports=53
add action=masquerade chain=srcnat comment="Redirect IOT UDP DNS to PiHole" \
connection-mark=iot-dns dst-address=192.168.50.19 dst-port=53 log-prefix=\
iot-dns-masq protocol=udp src-address=192.168.50.0/24
add action=dst-nat chain=dstnat comment="Redirect IOT TCP DNS to PiHole" \
connection-mark=iot-dns dst-port=53 log-prefix=iot-dns-nat protocol=tcp \
to-addresses=192.168.50.19 to-ports=53
add action=masquerade chain=srcnat comment="Redirect IOT TCP DNS to PiHole" \
connection-mark=iot-dns dst-address=192.168.50.19 dst-port=53 log-prefix=\
iot-dns-masq protocol=tcp src-address=192.168.50.0/24
add action=dst-nat chain=dstnat comment="Redirect Lab UDP DNS to PiHole" \
connection-mark=lab-dns dst-port=53 log-prefix=lab-dns-nat protocol=udp \
to-addresses=192.168.54.230 to-ports=53
add action=masquerade chain=srcnat comment="Redirect Lab UDP DNS to PiHole" \
connection-mark=lab-dns dst-address=192.168.54.230 dst-port=53 \
log-prefix=lab-dns-masq protocol=udp src-address=192.168.54.0/24
add action=dst-nat chain=dstnat comment=\
"Redirect UDP DNS for Netflix to Express VPN Mediastreamer" \
connection-mark=nflx-conn dst-port=53 protocol=udp to-addresses=\
85.203.37.1 to-ports=53
add action=dst-nat chain=dstnat comment=\
"Redirect TCP DNS for Netflix to Express VPN Mediastreamer" \
connection-mark=nflx-conn dst-port=53 protocol=tcp to-addresses=\
85.203.37.1 to-ports=53
add action=dst-nat chain=dstnat comment=Steam_Big-Rig dst-port=27015-27030 \
in-interface=ether8-gateway port="" protocol=tcp to-addresses=\
192.168.104.101 to-ports=27015-27030
add action=dst-nat chain=dstnat comment=Steam_Big-Rig dst-port=27000-27030 \
in-interface=ether8-gateway protocol=udp to-addresses=192.168.104.101 \
to-ports=27000-27030
add action=dst-nat chain=dstnat comment=Steam_Big-Rig dst-port=3478 \
in-interface=ether8-gateway protocol=udp to-addresses=192.168.104.101 \
to-ports=3478
/ip route
add comment="VPN TCP" distance=1 dst-address=192.168.126.0/24 gateway=\
192.168.48.174
add comment="VPN UDP" distance=1 dst-address=192.168.166.0/24 gateway=\
192.168.48.174
Does anybody have any suggestions on what I'm doing wrong?