kaaPe
just joined
Topic Author
Posts: 6
Joined: Tue Feb 28, 2023 2:03 pm

VLAN - no ip but dhcp lease offered for wifi interface on ap

Wed Mar 15, 2023 10:40 am

Hey guys,

I'm trying to extend my VLAN configuration on my main router which has worked standalone with access ports in the past by adding a second router to extend the wifi signal and make use of the ethernet ports on another floor. Everything is working on my main router and I have managed to get access to the VLANs by connecting to the ethernet ports on the second router. However, when I connect to any wireless interface on my second router, I can see that a DHCP lease is being offered on the main router, but the ip address is never assigned. So I assume that the request is reaching the dhcp server, but somehow the response is not getting back to the device.

I have already discovered similar problems in this forum, but none of the solutions worked for me.

Can anyone please help me figure out, what I have done wrong in my configuration?

This should illustrate what I am trying to set up.
Yellow: WAN
Orange: MGMT VLAN (99)
Blue: HOME VLAN (10)
Green: Guest VLAN (20)
Red: IOT VLAN (30)
Purple: TRUNK Port
network.jpg
Maybe my problems are with the bridge VLAN tagging, as I don't quite understand how it's done yet, even after reading the well described posts.
VLAN tagging on main router:
router_bridge_vlan.jpg


VLAN tagging on ap router:
ap_bridge_vlan.jpg
When I'm connecting to the wireless interface I can see a registration and on the main router an offered dhcp lease.
Wifi directly on my main router works well.
(I just see that I messed up the images and the registration is not aligning with the corresponding dhcp lease offer. But this is still happening.)
ap_wifi-registration.jpg
dhcp_offered.jpg
 
kaaPe
just joined
Topic Author
Posts: 6
Joined: Tue Feb 28, 2023 2:03 pm

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Thu Mar 16, 2023 2:54 pm

I played around with the vlan configuration and managed to get access with a new virtual wireless interface on the 99 mgmt vlan. After this worked, I added the bridge as tagged to all my bridge vlan table entries within my AP (rb4011). Now everything works, but either I'm stupid, totally blind or I don't understand why this configuration works.
bridge_vlan_table_ap.jpg
Last edited by kaaPe on Thu Mar 16, 2023 3:18 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Fri Mar 17, 2023 3:40 pm

So the AX3 is your main router and the RB4011 is WHAT? Supposed to be an AP/Switch or another router ( do you really want double NAT )???
 
kaaPe
just joined
Topic Author
Posts: 6
Joined: Tue Feb 28, 2023 2:03 pm

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Fri Mar 17, 2023 3:55 pm

> So the AX3 is your main router and the RB4011 is WHAT? Supposed to be an AP/Switch or another router ( do you really want double NAT )???

The RB4011 should not be used as a router. I called it a "router" because it is sold as a router, but I just want to use it as a Dumb AP/Switch to have the Ethernet ports and multiple wireless interfaces available and append them to my VLAN configuration to communicate with the AX3.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Fri Mar 17, 2023 4:37 pm

Okay so you want it as a dumb switch which tells me you only have one subnet coming into it and it's feeding a bunch of dumb devices on one subnet.
In other words, as always I never trust what people say/write, I only go by the evidence
and your diagrams and config support the fact that the RB4011 is indeed carrying multiple vlans and thus is acting like a SMART AP/Switch.! :-)

(1) Need only one Interface List and only one member!
/interface list
add comment=defconf name=BASE

and CORRESPONDING list!
/interface list member
add interface=BASE_VLAN list=BASE


(2) Why is wlan2 not set for frame-types=admit-priority-and-untagged??

(3) What is fast-leave on IOTWIFI never seen that before???

(4) Why get fancy on this rule...... never seen it with the "EXTRA" ??
/ip neighbor discovery-settings
set discover-interface-list=BASE lldp-med-net-policy-vlan=1


(5) Did you really name your ether10 simply 10 ??
/interface bridge vlan
add bridge=bridge-vlan tagged=ether1-trunk untagged=wlan1,wlan2,ether2-pc,ether3-dockingstation,ether4-nas,ether5-laptop,ether6 vlan-ids=10
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi-guest,ether7-guest vlan-ids=20
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi-iot,ether8-iot vlan-ids=30
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=ether9,10 vlan-ids=99

(6) Modify these two items to the following......
/ip dns
set allow-remote-requests=yes servers=192.168.99.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.99.1

(7) Remove this legacy lingering default static entry!
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan


(8) Modify to
/tool mac-server
set allowed-interface-list=none { because mac-server by itself is not a secure access method }
/tool mac-server mac-winbox
set allowed-interface-list=BASE { good }

(9) If you have the ax3 as both an NTP client (from internet) and NTP server to downstream smart devices then add the following as well.

/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.99.1
 
kaaPe
just joined
Topic Author
Posts: 6
Joined: Tue Feb 28, 2023 2:03 pm

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Tue Mar 21, 2023 12:28 pm

Thank you for taking time and checking my configuration.

(1) check
(2) check
(3) check, maybe I clicked within the UI on it
(4) check
(5) check
(6) I can't get rid of the entries.
/ip route
add disabled=no distance=1 dst-address="" gateway=192.168.0.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address="" gateway=192.168.0.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address="" gateway=192.168.0.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address="" gateway=192.168.0.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.99.1
I can't find them in the route section.
/ip/route> print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; + - ecmp 
 0  As   dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=192.168.99.1 immediate-gw=192.168.99.1%BASE_VLAN distance=1 scope=30 target-scope=10 suppress-hw-offload=no 

DAc   dst-address=192.168.99.0/24 routing-table=main gateway=BASE_VLAN immediate-gw=BASE_VLAN distance=0 scope=10 suppress-hw-offload=no local-address=192.168.99.2%BASE_VLAN
(7) check
(8) check
(9) check

------
With this bridge vlan tagging it's still working for vlan10, vlan30 and vlan99.
Clients which are connected to vlan-20-guest do not get an ip address back if the bridge is not tagged but the lease is offered on the main router.
I left the bridge tagging in place to give clients on these vlans an ip address, and used the guest vlan to test if any changes would make it work.
/interface bridge vlan
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=wifi1,wifi2,ether2-pc,ether3-dockingstation,ether4-nas,ether5-laptop,ether6,ether9 vlan-ids=10
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi-guest,ether7-guest vlan-ids=20
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=wifi-iot,ether8-iot vlan-ids=30
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=ether10-mgmt vlan-ids=99
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Tue Mar 21, 2023 1:50 pm

TWO THINGS to fix.

(1) FIX the interface bridge vlan rules --> only the BASE vlan, where the AP/Switch gets its IP address from (.99) needs the bridge to be tagged!!
From
/interface bridge vlan
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=wifi1,wifi2,ether2-pc,ether3-dockingstation,ether4-nas,ether5-laptop,ether6,ether9 vlan-ids=10
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi-guest,ether7-guest vlan-ids=20
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=wifi-iot,ether8-iot vlan-ids=30
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=ether10-mgmt vlan-ids=99

TO:
/interface bridge vlan
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi1,wifi2,ether2-pc,ether3-dockingstation,ether4-nas,ether5-laptop,ether6,ether9 vlan-ids=10
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi-guest,ether7-guest vlan-ids=20
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi-iot,ether8-iot vlan-ids=30
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=ether10-mgmt vlan-ids=99


(2) Somehow you should get rid of these entries..............
/ip route
add disabled=no distance=1 dst-address="" gateway=192.168.0.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address="" gateway=192.168.0.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address="" gateway=192.168.0.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address="" gateway=192.168.0.1 routing-table=main suppress-hw-offload=no

add disabled=no dst-address=0.0.0.0/0 gateway=192.168.99.1 { This is the Right Entry }
 
kaaPe
just joined
Topic Author
Posts: 6
Joined: Tue Feb 28, 2023 2:03 pm

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Tue Mar 21, 2023 2:32 pm

(1) Now I have removed the bridge vlan from vlan10 and vlan30. I know this should be the correct configuration, but I can't get an IP address if I don't tag them.
/interface bridge vlan
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi1,wifi2,ether2-pc,ether3-dockingstation,ether4-nas,ether5-laptop,ether6,ether9 vlan-ids=10
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi-guest,ether7-guest vlan-ids=20
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi-iot,ether8-iot vlan-ids=30
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=ether10-mgmt vlan-ids=99
(2) I was able to get rid of it by resetting the configuration and reloading without these entries.

With the current upload (ap.rsc), I'm only getting IP addresses if I'm connected through an Ethernet port. All wireless interfaces are not resolving. However, I can see on the router that the dhcp server has been requested to provide an address.
home-dhcp offering lease 192.168.0.236 for D2:3C:05:FC:73:F6 without success
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Tue Mar 21, 2023 2:51 pm

(1) Remove bridge1

/interface bridge
add ingress-filtering=no name=bridge-vlan protocol-mode=none vlan-filtering=yes
add name=bridge1


(2) Confirm the iot and guest WIRED gets addresses ( ether8 and ether7). If they DO then (4) is correct.
If they do not then perhaps (5) is the answer.

(3) Add to the config
/tool mac-server mac-winbox
set allowed-interface-list=BASE


(4) CONCLUSION: There is nothing on the config I can see that is preventing the guest and iot wifi from pulling IP addresses. I would double check the wifi settings. I would also entertain, removing the virtual WLANS (REMOVE) and then put them back in, reboot the AP device and see if that fixes it.
The config is good!

(5) If you reach here, then the next place to look is UP ONE ROUTER. I suspect that you are NOT getting tagged vlans coming into ether1 for vlan20 or vlan30.

a. Confirm wifi IOT and wifi GUEST work on MAIN Router, if so then.
b. Post --> /interface bridge port and /interface bridge vlan from UP ROUTER.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap  [SOLVED]

Tue Mar 21, 2023 3:07 pm

One bug on devices that can offload VLANs to switch chips (and RB4011 is one of them) on one hand and have more than one switch chip (RB4011 is one of them) on the other hand: if VLANs span anything but single switch chip, then bridge port has to be tagged member of that VLAN even if device does not have to interact with that traffic on IP level. In your particular case this affects both traffic between ether ports managed by different switch chips (ether1-5 and ether6-10) as well as any wireless traffic.

So add "bridge-vlan" as tagged port to all relevant VLANs under /interface/bridge/vlan.
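
An added example, not part of mkx's post or the thread: a Python check for the workaround described above, run against the text of a RouterOS export. It lists the VLAN IDs whose `/interface bridge vlan` entry does not include the bridge itself as a member; the function names are hypothetical, and the sample table is the one the OP posted in this thread.

```python
import re
import shlex

# The OP's table from this thread while wireless clients got no address.
BROKEN = """/interface bridge vlan
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi1,wifi2,ether2-pc,ether3-dockingstation,ether4-nas,ether5-laptop,ether6,ether9 vlan-ids=10
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi-guest,ether7-guest vlan-ids=20
add bridge=bridge-vlan tagged=ether1-trunk untagged=wifi-iot,ether8-iot vlan-ids=30
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=ether10-mgmt vlan-ids=99
"""
# The same table with the bridge tagged on every VLAN.
FIXED = BROKEN.replace("tagged=ether1-trunk untagged",
                       "tagged=ether1-trunk,bridge-vlan untagged")


def parse_bridge_vlans(export_text):
    """Return one dict of properties per 'add' line under /interface bridge vlan."""
    # Assumption: exports wrap long lines with a trailing backslash; rejoin them.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    entries, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            # Accept both "/interface bridge vlan" and "/interface/bridge/vlan".
            in_section = line.replace("/", " ").split() == ["interface", "bridge", "vlan"]
        elif in_section and line.startswith("add "):
            entries.append(dict(t.split("=", 1)
                                for t in shlex.split(line)[1:] if "=" in t))
    return entries


def expand_ids(spec):
    """Expand a vlan-ids value such as '10', '10,20' or '100-102' to ints."""
    ids = []
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def vlans_missing_bridge(export_text):
    """VLAN IDs whose entry lists the bridge neither as tagged nor as untagged."""
    missing = []
    for e in parse_bridge_vlans(export_text):
        members = set((e.get("tagged", "") + "," + e.get("untagged", "")).split(","))
        if e.get("bridge") not in members:
            missing.extend(expand_ids(e.get("vlan-ids", "")))
    return sorted(missing)


if __name__ == "__main__":
    print("broken:", vlans_missing_bridge(BROKEN))
    print("fixed: ", vlans_missing_bridge(FIXED))
```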
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Tue Mar 21, 2023 3:11 pm

Wait, so you are saying that both switch chips need the bridge to be tagged for every vlan??
and what does switch chip have to do with WIFI Bridge ports ur killen me............

In that case, it explains why the OP had success tagging when it seemed illogical.
MKX I could kiss you, well you know what I mean, metaphorically and no tongue!!!
Last edited by anav on Tue Mar 21, 2023 3:16 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Tue Mar 21, 2023 3:14 pm

It's been explained that when they first implemented L2 HW offload, they implemented it so that CPU-switch interconnect will only pass VLANs of which bridge interface is member (either tagged or untagged). And it worked perfectly because those devices were wired-only devices with single switch chip (i.e. CRS3xx).

The concept hit the wall with enabling HW offload on RB4011 which has two switch chips (and wireless). And CPU-switch interconnect carries more than only traffic between ROS (the L3 entity) and the rest of network, it also carries traffic passing between ethernet ports on different switch chips or traffic between wireless interfaces and ethernet ports.
I think MT promised to think about it, but currently the official solution is to work around it by declaring bridge as tagged (or untagged) member of all VLANs which have to break out of single switch chip.
Last edited by mkx on Tue Mar 21, 2023 3:17 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Tue Mar 21, 2023 3:16 pm

> It's been explained that when they first implemented L2 HW offload, they implemented it so that CPU-switch interconnect will only pass VLANs of which bridge interface is member (either tagged or untagged). And it worked perfectly because those devices were wired-only devices with single switch chip (i.e. CRS3xx).
>
> The concept hit the wall with enabling HW offload on RB4011 which has two switch chips (and wireless). I think MT promised to think about it, but currently the official solution is to work around it by declaring bridge as tagged (or untagged) member of all VLANs which have to break out of single switch chip.

Okay but only for RB4011 correct.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Tue Mar 21, 2023 3:18 pm

My apologies to the OP. This should work.
/interface bridge vlan
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=wifi1,wifi2,ether2-pc,ether3-dockingstation,ether4-nas,ether5-laptop,ether6,ether9 vlan-ids=10
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=wifi-guest,ether7-guest vlan-ids=20
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=wifi-iot,ether8-iot vlan-ids=30
add bridge=bridge-vlan tagged=ether1-trunk,bridge-vlan untagged=ether10-mgmt vlan-ids=99
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Tue Mar 21, 2023 3:18 pm

> Okay but only for RB4011 correct.

Well, OP's ap.rsc mentions it's from RB4011 ... hence my post is highly relevant in this thread.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Tue Mar 21, 2023 3:22 pm

> > Okay but only for RB4011 correct.
>
> Well, OP's ap.rsc mentions it's from RB4011 ... hence my post is highly relevant in this thread.

Yes, but it was not in my applicable useful article yet AP SWITCH SETUP, so it couldn't be true. Now that it's added, I believe you. ;-PP
...
rb4.JPG
 
kaaPe
just joined
Topic Author
Posts: 6
Joined: Tue Feb 28, 2023 2:03 pm

Re: VLAN - no ip but dhcp lease offered for wifi interface on ap

Tue Mar 21, 2023 4:20 pm

@anav @mkx

Thank you for helping me understand why it worked the way it did. I just wanted to check that I hadn't done something completely wrong.
