button
just joined
Topic Author
Posts: 12
Joined: Mon May 02, 2022 1:18 am

DHCP working only in few VLANS

Thu May 05, 2022 10:54 am

Hello everyone in my first topic,

I'm trying to set up my small network with some VLANs. A DHCP server should run in every VLAN. Devices with a wired connection to the managed switch get an IP. If I connect to the Wifi, the device doesn't get any IP. Please help me get started, understand the problem, and run the DHCP server on all interfaces.

Greets
button
# RouterOS export posted by the topic author (a MikroTik 5009 on ROS 7.2.3 per a later
# reply): one VLAN-aware bridge (BR1), VLANs 10-90 as /interface vlan on BR1, one DHCP
# server per VLAN, CAPsMAN for the two APs, two WireGuard listeners and a small
# input/forward firewall. Lines marked NOTE(review) are reviewer observations; the
# WireGuard peers section was redacted by the poster.
/interface bridge
# ingress-filtering=no here; tdw's last option in the thread below relies on turning it on
# together with frame-types=admit-only-vlan-tagged.
add igmp-snooping=yes ingress-filtering=no name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-half,100M-full,1000M-half,1000M-full comment=WAN
set [ find default-name=ether2 ] advertise=100M-half,100M-full,1000M-half,1000M-full comment=AP_1_CAP_ac
set [ find default-name=ether3 ] comment=AP_2_CAP_lite
set [ find default-name=ether5 ] comment=Power-LAN
set [ find default-name=ether6 ] advertise=1000M-half,1000M-full comment="to HP1810"
set [ find default-name=sfp-sfpplus1 ] comment=sfp-sfpplus1 name=sfp1
# Two WireGuard listeners (udp 13231 / 13232); the matching input accepts are further down.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
add listen-port=13232 mtu=1420 name=wireguard2
/interface vlan
# NOTE(review): VLAN1 is defined here as a tagged VLAN on BR1, while 1 is also the default
# pvid of every bridge port added below. Replies in this thread (anav, tdw) point at this
# mixed tagged/untagged use of VLAN ID 1 as the likely cause of trouble for 192.168.1.0/24.
add interface=BR1 name=VLAN1 vlan-id=1
add interface=BR1 name=VLAN10_admin vlan-id=10
add interface=BR1 name=VLAN20_mobiles vlan-id=20
add interface=BR1 name=VLAN30_iot vlan-id=30
add interface=BR1 name=VLAN40_smarthome vlan-id=40
add interface=BR1 name=VLAN50_entertain vlan-id=50
add interface=BR1 name=VLAN60_guest vlan-id=60
add interface=BR1 name=VLAN90_pis vlan-id=90
/caps-man configuration
# cfg2-mobiles: WPA2-PSK / AES-CCM. Unlike the other configurations below it sets no
# .interface-list and no .vlan-id, so which VLAN its clients end up in is not visible from
# this export — confirm against the intended "mobiles" VLAN (20).
add country=germany datapath.bridge=BR1 .local-forwarding=yes multicast-helper=full name=cfg2-mobiles security.authentication-types=wpa2-psk \
    .encryption=aes-ccm .group-encryption=aes-ccm ssid=harryklein
/interface list
add name=WAN
add name=VLAN
/caps-man configuration
# All configurations use local-forwarding=yes with datapath.bridge=BR1. tdw notes below
# that with local forwarding the bridge belongs to the CAP side: leave datapath.bridge
# unset on the controller and set bridge= under /interface wireless cap on the CAP.
# cfg4-smarthome is tagged into vlan-id=1 (use-tag) while the others are no-tag — see the
# VLAN1 note above. PSKs are not part of this export.
add country=germany datapath.bridge=BR1 .interface-list=VLAN .local-forwarding=yes .vlan-id=10 .vlan-mode=no-tag multicast-helper=full name=\
    cfg1-admin security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=a
add country=germany datapath.bridge=BR1 .interface-list=VLAN .local-forwarding=yes .vlan-id=60 .vlan-mode=no-tag multicast-helper=full name=\
    cfg6-guest security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=b
add country=germany datapath.bridge=BR1 .interface-list=VLAN .local-forwarding=yes .vlan-id=1 .vlan-mode=use-tag multicast-helper=full name=\
    cfg4-smarthome security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=c
add country=germany datapath.bridge=BR1 .interface-list=VLAN .local-forwarding=yes .vlan-id=30 .vlan-mode=no-tag multicast-helper=full name=\
    cfg3-iot security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=d
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# Option 42 (NTP server) defined here but not referenced by any dhcp-server network below.
add code=42 name=ntp-srv value="'130.149.17.21'"
/ip pool
add name=POOL01 ranges=192.168.1.2-192.168.1.254
add name=POOL10 ranges=192.168.10.2-192.168.10.254
add name=POOL20 ranges=192.168.20.2-192.168.20.254
add name=POOL30 ranges=192.168.30.2-192.168.30.254
add name=POOL40 ranges=192.168.40.2-192.168.40.254
add name=POOL50 ranges=192.168.50.2-192.168.50.254
add name=POOL90 ranges=192.168.90.2-192.168.90.254
add name=POOL60 ranges=192.168.60.2-192.168.60.254
/ip dhcp-server
# One server per VLAN interface; DHCP-SRV1 serves 192.168.1.0/24 directly on BR1 (untagged
# traffic). There is no pool or server for 192.168.2.0/24 although BR1 also carries
# 192.168.2.1/24 under /ip address below.
add address-pool=POOL01 interface=BR1 name=DHCP-SRV1
add address-pool=POOL10 interface=VLAN10_admin name=VLAN10_DHCP
add address-pool=POOL20 interface=VLAN20_mobiles name=VLAN20_DHCP
add address-pool=POOL30 interface=VLAN30_iot name=VLAN30_DHCP
add address-pool=POOL40 interface=VLAN40_smarthome name=VLAN40_DHCP
add address-pool=POOL50 interface=VLAN50_entertain name=VLAN50_DHCP
add address-pool=POOL90 interface=VLAN90_pis name=VLAN90_DHCP
add address-pool=POOL60 interface=VLAN60_guest name=VLAN60_DHCP
/user group
# Read-only API group (local, read, test, api; every other policy explicitly denied) — a
# sensible least-privilege profile for a Home Assistant integration.
add name=homeassistant policy=\
    local,read,test,api,!telnet,!ssh,!ftp,!reboot,!write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!rest-api
/caps-man manager
# CAPsMAN enabled with auto-generated CA and manager certificates.
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1-admin name-format=identity slave-configurations=\
    cfg6-guest,cfg4-smarthome,cfg3-iot,cfg2-mobiles
/interface bridge port
# All ports keep the default pvid (1). ether4 is tagged for every VLAN below, yet the thread
# (anav, point 11) suspects it is really an access port — confirm what is attached to it.
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
add bridge=BR1 interface=ether6
add bridge=BR1 interface=ether7
/interface bridge settings
# NOTE(review): this setting appears to only take effect together with use-ip-firewall,
# which is not set in this export; anav's reply below recommends leaving it off unless there
# is a specific reason for it.
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
# *2000010 looks like an unresolved internal id rather than a named interface list; replace
# it with a named list (the thread suggests a "Trusted" list holding the admin VLAN).
set discover-interface-list=*2000010
/interface bridge vlan
# Trunk table: every VLAN is tagged on all bridge ports plus BR1 itself (the CPU port).
# vlan-ids=99 is tagged here but has no /interface vlan, address or DHCP server in this
# export, and VLAN ID 1 (used by the VLAN1 interface above) is absent from this table.
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=40
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=50
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=60
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=90
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp1 vlan-ids=99
/interface detect-internet
# anav's reply below reports detect-internet as a known source of problems and suggests
# disabling it unless something depends on it.
set detect-interface-list=WAN internet-interface-list=WAN wan-interface-list=WAN
/interface list member
# The VLAN list feeds the "VLAN Internet Access only" forward rule below; the "Trusted" list
# proposed in the thread does not exist yet in this export.
add interface=ether1 list=WAN
add interface=VLAN20_mobiles list=VLAN
add interface=VLAN50_entertain list=VLAN
add interface=VLAN30_iot list=VLAN
add interface=VLAN40_smarthome list=VLAN
add interface=VLAN10_admin list=VLAN
add interface=VLAN90_pis list=VLAN
add interface=VLAN60_guest list=VLAN
/interface ovpn-server server
# NOTE(review): md5 is still listed as an accepted auth (HMAC) algorithm; it is no longer
# considered adequate and should be removed if the OpenVPN server is used at all (whether it
# is enabled is not shown in this export).
set auth=sha1,md5
/interface wireguard peers
# Peer list redacted by the poster.
(.......)
/ip address
# BR1 itself carries two /24s (192.168.1.0 and 192.168.2.0); only the first has a pool and
# DHCP server above. The 192.168.98/99 networks are the two WireGuard tunnels.
add address=192.168.98.1/24 interface=wireguard1 network=192.168.98.0
add address=192.168.99.1/24 interface=wireguard2 network=192.168.99.0
add address=192.168.1.1/24 interface=BR1 network=192.168.1.0
add address=192.168.10.1/24 interface=VLAN10_admin network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20_mobiles network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30_iot network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN40_smarthome network=192.168.40.0
add address=192.168.50.1/24 interface=VLAN50_entertain network=192.168.50.0
add address=192.168.90.1/24 interface=VLAN90_pis network=192.168.90.0
add address=192.168.60.1/24 interface=VLAN60_guest network=192.168.60.0
add address=192.168.2.1/24 interface=BR1 network=192.168.2.0
/ip dhcp-client
# WAN address comes from the upstream router via DHCP on ether1.
add interface=ether1
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server network
# Every network hands out the router's BR1 address (192.168.1.1) as DNS, so each VLAN's
# clients must be able to reach 192.168.1.1 on udp/tcp 53 via the input chain.
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.1.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.1.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.1.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.1.1 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=192.168.1.1 gateway=192.168.60.1
add address=192.168.90.0/24 dns-server=192.168.1.1 gateway=192.168.90.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the resolver answer on every interface; the
# only drop in the input chain below is for ether1, so it is reachable from every VLAN
# (guest included) and both WireGuard tunnels — keep that ether1 drop in place. The
# servers= list starts with the router's own address (192.168.1.1), which looks unintended.
set allow-remote-requests=yes servers=192.168.1.1,1.1.1.1
/ip firewall filter
# NOTE(review): input chain. Established/related, ICMP, Winbox (tcp/8291) and SSH (tcp/22)
# are accepted from ether1/WAN before the final drop, so management is reachable from
# whatever sits upstream of ether1. The poster states below that another router is in
# front of this one; even so, limiting these two rules to a trusted interface list and/or
# a source address-list (as anav suggests) is the safer default.
# "allow WAN-wireguard" duplicates the wireguard1 rule right after it.
# The closing drop matches in-interface=ether1 only: input arriving from any VLAN or
# WireGuard interface falls through to the chain's default accept — including Winbox,
# SSH, DNS and DHCP — so the guest VLAN and VPN peers can reach router management.
add action=accept chain=input comment="accept established,related" connection-state=established,related
# forward chain: there are only accept rules and no drop, so "VLAN Internet Access only"
# restricts nothing on its own — traffic between VLANs (e.g. guest to admin) is forwarded
# until explicit drop rules are added (anav, point 10).
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=input comment="allow ICMP" in-interface=ether1 in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 in-interface-list=WAN port=8291 protocol=tcp
add action=accept chain=input comment="allow WAN-SSH" in-interface=ether1 in-interface-list=WAN port=22 protocol=tcp
add action=accept chain=input comment="allow WAN-wireguard" in-interface=ether1 in-interface-list=WAN port=13231 protocol=udp
add action=accept chain=input comment=wireguard1 dst-port=13231 protocol=udp
add action=accept chain=input comment=wireguard2 dst-port=13232 protocol=udp
add action=drop chain=input comment="block everything else" in-interface=ether1
/ip firewall nat
# Standard masquerade towards the WAN list.
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip service
# Plain-text management services off (telnet, ftp, www); the state of api, www-ssl and
# winbox is not shown in this export.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ip ssh
# SSH hardened: 4096-bit host key and strong-crypto=yes.
set host-key-size=4096 strong-crypto=yes
/ip traffic-flow
# NetFlow export enabled; the collector target is not shown in this export.
set enabled=yes
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: DHCP working only in few VLANS

Thu May 05, 2022 5:14 pm

On a quick look, I don't see anything that jumps out at me as a problem. Note that I have never used a bridge in RouterOS so there could be something I missed there. I also have never used WiFi in RouterOS. My current best guess is something in the WiFi is not configured correctly for what LAN shows up on the WiFi - just a guess.

BTW, for a new person, you did a great post. You included a network drawing and at least an extract of your config (and even got that into a code block). You did however not tell us what hardware is involved, nor ROS version. Trust me, you did FAR better than most people for your first post.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DHCP working only in few VLANS

Thu May 05, 2022 5:48 pm

(1) Get rid of defining vlan1, it's the default native vlan on the bridge and does not need to be identified, nor should it be used to carry data........
If you need another vlan, then call it vlan100 etc......

(2) Do not use IP Firewall on bridge.........This is rarely used/required and should only be done by advanced users for specific reasons........
/interface bridge settings
set use-ip-firewall-for-vlan=yes

(3) Should be your trusted interface, or admin interface, as all smart devices should get an IP address from this subnet.
Have no idea what *2000000000 means??
/ip neighbor discovery-settings
set discover-interface-list=*2000010 should be list=Trusted

(4) Known to cause issues, best to turn OFF, unless absolutely essential to some functionality
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN wan-interface-list=WAN

(5) Add interface and interface list member as follows
/interface list
add name=WAN
add name=VLAN

add name=Trusted
/interface list member
add interface=ether1 list=WAN
add interface=VLAN20_mobiles list=VLAN
add interface=VLAN50_entertain list=VLAN
add interface=VLAN30_iot list=VLAN
add interface=VLAN40_smarthome list=VLAN
add interface=VLAN10_admin list=VLAN
add interface=VLAN90_pis list=VLAN
add interface=VLAN60_guest list=VLAN

add interface=VLAN10_admin list=Trusted


(6) FIX VLAN1 recommendations....IF YOU NEED IT, otherwise get rid of all associated settings!! ( pool and dhcp server-network stays the same )
/interface vlan
add interface=BR1 name=VLAN100 vlan-id=100
/ip dhcp-server
add address-pool=POOL01 interface=VLAN100 name=DHCP-SRV1
/ip address
add address=192.168.1.1/24 interface=VLAN100 network=192.168.1.0

(7) DANGER you are letting external access directly to your WINBOX BAD BAD IDEA!! Also changing default port to something like 11238 would be smart.
add action=accept chain=input comment="allow Winbox" in-interface=ether1 in-interface-list=WAN port=8291 protocol=tcp

Should be: (you could source address list to limit it specific IP addresses as well!!)
add action=accept chain=input comment="allow Winbox" in-interface-list=Trusted port=8291 protocol=tcp

(8) DANGER, same for SSH.

(9) Useless rule you already have the two required for the input chain.
add action=accept chain=input comment="allow WAN-wireguard" in-interface=ether1 in-interface-list=WAN port=13231 protocol=udp

Only need
add action=accept chain=input comment=wireguard1 dst-port=13231 protocol=udp in-interface-list=WAN
add action=accept chain=input comment=wireguard2 dst-port=13232 protocol=udp in-interface-list=WAN

(10) Missing some input chain rules and some forward chain rules...........
Read this to get the idea.
viewtopic.php?t=180838

(11) Interface Bridge Ports and Bridge VLANs (ETHER4) .................. it seems ether4 is NOT a trunk port; which vlan is running on it........ assuming 50?
If so then.......
add bridge=BR1 interface=ether4 pvid=50

If so then
Remove ether 4 from all tagged settings !!
PLUS this line would be:
add bridge=BR1 tagged=BR1,ether2,ether3,ether5,ether6,ether7,sfp1 untagged=ether4 vlan-ids=50

(12) Read this for Vlans...............
viewtopic.php?t=143620

(13) Read this if you simply want to setup your two capac type units WITHOUT capsman (not required and makes life overly complex)
This is much simpler......
viewtopic.php?t=182276
Last edited by anav on Thu May 05, 2022 5:57 pm, edited 2 times in total.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: DHCP working only in few VLANS

Thu May 05, 2022 5:51 pm

What is the configuration on the APs? With CAPsMAN local-forwarding=yes the datapath.bridge= specifies the name of the bridge on the AP NOT on the controller. The bridge names on the AP and controller can be the same or different, you just have to use the correct name if they are different.

There may be issues for devices using the 192.168.1.0/24 subnet as you have a mixed use of tagged and untagged for VLAN ID 1. It is the default PVID for bridge-to-CPU port as well as any interfaces added under /interface bridge port, so unless you understand exactly the implications you should not attempt to use it tagged. Options are:

Use another PVID which is not 1.
Use the default PVID 1 untagged for the bridge ports (remove the /interface vlan with vlan-id=1, attach the IP address and services directly to BR1, set CAPsMAN vlan-mode=no-tag for SSID(s) attached to that network).
Change the default pvid= to something else on the bridge ports, not forgetting the bridge-to-CPU port, so it does not conflict.
Disable any PVID on the bridge ports and bridge-to-CPU port with ingress-filtering=yes frame-types=admit-only-vlan-tagged (this may break communications with the APs depending on how they are configured).
 
button
just joined
Topic Author
Posts: 12
Joined: Mon May 02, 2022 1:18 am

Re: DHCP working only in few VLANS

Fri May 06, 2022 4:36 pm

On a quick look, I don't see anything that jumps out at me as a problem. Note that I have never used a bridge in RouterOS so there could be something I missed there. I also have never used WiFi in RouterOS. My current best guess is something in the WiFi is not configured correctly for what LAN shows up on the WiFi - just a guess.
Thank you. Great guess. I looked into the settings of the CAP and I found the error in my configuration. A bridge was missing. Unfortunately I don't know why.
BTW, for a new person, you did a great post. You included a network drawing and at least an extract of your config (and even got that into a code block). You did however not tell us what hardware is involved, nor ROS version. Trust me, you did FAR better than most people for your first post.
Involved hardware:
Modem: AVM Fritzbox7490
Router: Mikrotik5009 ROS: 7.2.3
AP: Mikrotik CAPac ROS: 7.2.3
2nd switch: HP 1810
Last edited by button on Fri May 06, 2022 5:20 pm, edited 1 time in total.
 
button
just joined
Topic Author
Posts: 12
Joined: Mon May 02, 2022 1:18 am

Re: DHCP working only in few VLANS

Fri May 06, 2022 5:12 pm

(1) Get rid of defining vlan1, it's the default native vlan on the bridge and does not need to be identified, nor should it be used to carry data........
If you need another vlan, then call it vlan100 etc......
To get started I followed a German tutorial. This tutorial started by creating VLAN1. Is there no need to, or is it just not "good"?
https://administrator.de/tutorial/mikro ... html#toc-4
(2) Do not use IP Firewall on bridge.........This is rarely used/required and should only be done by advanced users for specific reasons........
/interface bridge settings
set use-ip-firewall-for-vlan=yes
check.

(3) Should be your trusted interface, or admin interface, as all smart devices should get an IP address from this subnet.
Have no idea what *2000000000 means??
/ip neighbor discovery-settings
set discover-interface-list=*2000010 should be list=Trusted
Seems to be a display or output-error.

(4) Known to cause issues, best to turn OFF, unless absolutely essential to some functionality
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN wan-interface-list=WAN
Check.

(5) Add interface and interface list member as follows
/interface list
add name=WAN
add name=VLAN

add name=Trusted
/interface list member
add interface=ether1 list=WAN
add interface=VLAN20_mobiles list=VLAN
add interface=VLAN50_entertain list=VLAN
add interface=VLAN30_iot list=VLAN
add interface=VLAN40_smarthome list=VLAN
add interface=VLAN10_admin list=VLAN
add interface=VLAN90_pis list=VLAN
add interface=VLAN60_guest list=VLAN

add interface=VLAN10_admin list=Trusted

Check.


(6) FIX VLAN1 recommendations....IF YOU NEED IT, otherwise get rid of all associated settings!! ( pool and dhcp server-network stays the same )
/interface vlan
add interface=BR1 name=VLAN100 vlan-id=100
/ip dhcp-server
add address-pool=POOL01 interface=VLAN100 name=DHCP-SRV1
/ip address
add address=192.168.1.1/24 interface=VLAN100 network=192.168.1.0
Don't need more VLANs at this time.


(7) DANGER you are letting external access directly to your WINBOX BAD BAD IDEA!! Also changing default port to something like 11238 would be smart.
add action=accept chain=input comment="allow Winbox" in-interface=ether1 in-interface-list=WAN port=8291 protocol=tcp

Should be: (you could source address list to limit it specific IP addresses as well!!)
add action=accept chain=input comment="allow Winbox" in-interface-list=Trusted port=8291 protocol=tcp
The Mikrotik is behind another router. The Ports are not exposed to the internet. Only the wireguard-ports are exposed to the internet.


(9) Useless rule you already have the two required for the input chain.
add action=accept chain=input comment="allow WAN-wireguard" in-interface=ether1 in-interface-list=WAN port=13231 protocol=udp

Only need
add action=accept chain=input comment=wireguard1 dst-port=13231 protocol=udp in-interface-list=WAN
add action=accept chain=input comment=wireguard2 dst-port=13232 protocol=udp in-interface-list=WAN
Done.

(10) Missing some input chain rules and some forward chain rules...........
Read this to get the idea.
viewtopic.php?t=180838

(11) Interface Bridge Ports and Bridge VLANs (ETHER4) .................. it seems ether4 is NOT a trunk port; which vlan is running on it........ assuming 50?
If so then.......
add bridge=BR1 interface=ether4 pvid=50

If so then
Remove ether 4 from all tagged settings !!
PLUS this line would be:
add bridge=BR1 tagged=BR1,ether2,ether3,ether5,ether6,ether7,sfp1 untagged=ether4 vlan-ids=50

(12) Read this for Vlans...............
viewtopic.php?t=143620

(13) Read this if you simply want to setup your two capac type units WITHOUT capsman (not required and makes life overly complex)
This is much simpler......
viewtopic.php?t=182276
Of course simpler, but wanted to try to have no config or settings on the CAPs itself. Would be nice to have only one config for all devices.

Thank you very much for your time, hints and ideas.
Last edited by button on Fri May 06, 2022 5:21 pm, edited 1 time in total.
 
button
just joined
Topic Author
Posts: 12
Joined: Mon May 02, 2022 1:18 am

Re: DHCP working only in few VLANS

Fri May 06, 2022 5:17 pm

What is the configuration on the APs? With CAPsMAN local-forwarding=yes the datapath.bridge= specifies the name of the bridge on the AP NOT on the controller. The bridge names on the AP and controller can be the same or different, you just have to use the correct name if they are different.
There is only a dropdown-menu with the locally defined names of the bridge. I can't choose the name of the bridge of the AP.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: DHCP working only in few VLANS

Fri May 06, 2022 7:01 pm

I'm misremembering where things should go. On the controller under /caps-man configuration the datapath.bridge= setting should be left blank/unset. On the CAP under /interface wireless cap the bridge= setting should be the name of the bridge on the CAP.
 
button
just joined
Topic Author
Posts: 12
Joined: Mon May 02, 2022 1:18 am

Re: DHCP working only in few VLANS

Wed May 11, 2022 5:58 pm

Checked the settings again and again. Now I found a solution: I added the wlan interfaces to the bridge on the CAP hardware itself.
