jfh
just joined
Topic Author
Posts: 5
Joined: Mon Dec 04, 2023 9:17 pm
Location: Quebec, CA

VLAN filtering blocks DHCP Client on trunk port

Fri Apr 12, 2024 4:42 pm

Hello all,
This is my first post, there I said it. And I am relatively new to the MikroTik products although I've been reading up quite a bit on these forums and documentation as well as a few well-done videos.

My setup wanted is as follows :
Trunk port on port 1 which has access to the rest of my network
MGT VLAN is 1000 and I will require access to multiple VLAN which I plan on configuring the access ports to match depending on the tests required.
My MGT VLAN will give me a DHCP lease on my Bridge-LAN interface but as soon as I activate VLAN filtering it stops and falls into searching...
I've left out port 8 from the BridgeLAN purposefully to avoid getting locked out...

Any guidance this group can offer would be greatly appreciated...

Update : I am successfully able to switch rapidly by simply changing the /interface bridge port pvid section... I've updated my config below... unfortunately I still have issues when activating the vlan-filtering (which is required for my access ports to get an IP): the DHCP client loses its IP and can no longer access the router through the trunk management interface.

Here is part of the config which I believe is relevant :
Product is : RB5009UG+S+
/interface bridge
add admin-mac=FF:FF:FF:FF:FF:FF auto-mac=no ingress-filtering=no name=Bridge-LAN pvid=1000 vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment="WAN Port" name=ether1_WAN
set [ find default-name=ether2 ] comment="Labo Port"
set [ find default-name=ether3 ] comment="Labo Port"
set [ find default-name=ether4 ] comment="Labo Port" disabled=yes
set [ find default-name=ether5 ] comment="Labo Port" disabled=yes
set [ find default-name=ether6 ] comment="Labo Port" disabled=yes
set [ find default-name=ether7 ] comment="Labo Port" disabled=yes
set [ find default-name=ether8 ] comment="ADMN Port" name=ether8_ADMIN

/interface vlan
add comment="VLAN 1000 MGT" interface=Bridge-LAN name=MGMT vlan-id=1000

#I've setup two ports (2&3) with VLAN for testing purposes
/interface bridge port
add bridge=Bridge-LAN comment="WANPort" interface=ether1_WAN
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=13
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=14
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether4
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether5
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether6
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether7

#I've taken the liberty to predefine the VLAN so that I only need to play in the above section 
/interface bridge vlan
add bridge=Bridge-LAN comment="MGT" tagged=Bridge-LAN vlan-ids=1000
add bridge=Bridge-LAN comment="VLAN test1" tagged=Bridge-LAN,ether1_WAN vlan-ids=13
add bridge=Bridge-LAN comment="VLAN test2" tagged=Bridge-LAN,ether1_WAN vlan-ids=14
add bridge=Bridge-LAN comment="VLAN test3" tagged=Bridge-LAN,ether1_WAN vlan-ids=15
add bridge=Bridge-LAN comment="VLAN test4" tagged=Bridge-LAN,ether1_WAN vlan-ids=16
add bridge=Bridge-LAN comment="VLAN test5" tagged=Bridge-LAN,ether1_WAN vlan-ids=17
add bridge=Bridge-LAN comment="VLAN test6" tagged=Bridge-LAN,ether1_WAN vlan-ids=18
add bridge=Bridge-LAN comment="VLAN test7" tagged=Bridge-LAN,ether1_WAN vlan-ids=19

#My network admin has locked in the MAC with a specific IP lease so it remains the same but we still need to configure in DHCP mode
/ip dhcp-client
add interface=Bridge-LAN

Last edited by jfh on Fri Apr 12, 2024 11:38 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11746
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN configuration with active changes

Fri Apr 12, 2024 7:12 pm

You have a number of errors in VLAN-related config. I suggest you go through the definitive guide to ROS VLANing.

BTW, I don't think FF:FF:FF:FF:FF:FF is a valid MAC address for bridge.
 
anav
Forum Guru
Posts: 19624
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration with active changes

Fri Apr 12, 2024 8:06 pm

Clearly 'hiding' the true mac address............ Perhaps you prefer

"FU:FU:FU:FU:FU:FU" "=)
 
jfh
just joined
Topic Author
Posts: 5
Joined: Mon Dec 04, 2023 9:17 pm
Location: Quebec, CA

Re: VLAN filtering blocks DHCP Client on trunk port

Fri Apr 12, 2024 11:42 pm

Yes indeed, MAC has been changed.

I'll re-take a look at the link you mentioned although I did go through it a few times.

I've changed the header to be more specific. After testing, I am able to get my access ports to work properly. The only issue I seem to have seems to be the DHCP client drops the connection once I activate the vlan filtering.

I'll pay close attention to this versus the link you sent me.
 
mkx
Forum Guru
Posts: 11746
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN filtering blocks DHCP Client on trunk port  [SOLVED]

Sat Apr 13, 2024 10:12 am

I'll pay close attention to this versus the link you sent me.

In particular pay attention to these details:
  • bridge CPU-facing port VLAN membership has to be configured explicitly as well
  • frame-types, tagged/untagged and PVID properties have to be consistent
  • distinction between different properties of bridge (i.e. some are about "switch-like entity" and some are about "CPU interface"), all mixed on bridge creation stanza.
    (Luckily properties about "CPU-facing port" are not interleaved with before mentioned ones, they are with the rest of ports)
  • I suggest to go all-VLAN internally (i.e. no pvid/untagged on bridge), it makes config more uniform and thus slightly less confusing
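
The consistency points listed above, checked mechanically against an excerpt of the first post's export. This is an added example, not part of the thread or of MikroTik tooling; `parse`, `lint` and `listed` are hypothetical helpers, and it assumes one VLAN ID per `/interface bridge vlan` entry and that a PVID makes a port an untagged member unless the port admits tagged frames only.

```python
import re

# Excerpt of the first post's export; assumes one VLAN ID per table entry
BROKEN = """\
/interface bridge
add name=Bridge-LAN pvid=1000 vlan-filtering=yes
/interface vlan
add interface=Bridge-LAN name=MGMT vlan-id=1000
/interface bridge port
add bridge=Bridge-LAN interface=ether1_WAN
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=13
/interface bridge vlan
add bridge=Bridge-LAN tagged=Bridge-LAN vlan-ids=1000
add bridge=Bridge-LAN tagged=Bridge-LAN,ether1_WAN vlan-ids=13
"""

def parse(export):  # group 'add' lines by menu path into key=value dicts
    menus, path = {}, None
    for line in export.splitlines():
        if line.startswith("/"):
            path = line.strip()
        elif line.startswith("add "):
            menus.setdefault(path, []).append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return menus

def lint(export):  # return a list of VLAN consistency problems
    m = parse(export)
    bridges = {b["name"]: b for b in m.get("/interface bridge", [])}
    ports = {p["interface"]: p for p in m.get("/interface bridge port", [])}
    table = {v["vlan-ids"]: v for v in m.get("/interface bridge vlan", [])}
    def listed(vid, key):  # names in the tagged= or untagged= list of a VLAN
        return set(filter(None, table.get(vid, {}).get(key, "").split(",")))
    issues = []
    for name, e in {**bridges, **ports}.items():
        ft, pvid = e.get("frame-types", "admit-all"), e.get("pvid", "1")
        # frame-types, tagged list and PVID have to agree for every port
        if ft != "admit-only-vlan-tagged" and name in listed(pvid, "tagged"):
            issues.append(f"{name}: pvid={pvid} but also tagged in VLAN {pvid}")
        if ft.startswith("admit-only-untagged") and any(name in listed(v, "tagged") for v in table):
            issues.append(f"{name}: untagged-only port is in a tagged list")
    for v in m.get("/interface vlan", []):
        vid, br = v["vlan-id"], v["interface"]
        if br in bridges and br not in listed(vid, "tagged"):
            issues.append(f"{v['name']}: {br} (CPU port) not tagged in VLAN {vid}")
        member = listed(vid, "tagged") | listed(vid, "untagged") | {
            p for p, e in ports.items() if e.get("pvid", "1") == vid
            and e.get("frame-types") != "admit-only-vlan-tagged"}
        if br in bridges and not member & set(ports):
            issues.append(f"{v['name']}: VLAN {vid} has no physical port as member")
    return issues
```

On the excerpt, `lint(BROKEN)` reports that Bridge-LAN has VLAN 1000 as its PVID while also being a tagged member of it, and that VLAN 1000 has no physical port as a member (ether1_WAN is not in its list).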
 
mkx
Forum Guru
Posts: 11746
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN configuration with active changes

Sat Apr 13, 2024 10:15 am

Clearly 'hiding' the true mac address............ Perhaps you prefer

"FU:FU:FU:FU:FU:FU" "=)
Yup, I figured as much. But every time I see somebody playing this game (not knowing that MAC addresses are almost the least sensitive information a config can contain), I always wonder what else might be altered in posted config ... making it irrelevant for the problem presented.
 
jfh
just joined
Topic Author
Posts: 5
Joined: Mon Dec 04, 2023 9:17 pm
Location: Quebec, CA

Re: VLAN configuration with active changes

Mon Apr 15, 2024 3:50 pm

Clearly 'hiding' the true mac address............ Perhaps you prefer

"FU:FU:FU:FU:FU:FU" "=)
Yup, I figured as much. But every time I see somebody playing this game (not knowing that MAC addresses are almost the least sensitive information a config can contain), I always wonder what else might be altered in posted config ... making it irrelevant for the problem presented.
Noted ;-) Should have put something more obvious... DE:AD:BE:EF:F0:0D
 
jfh
just joined
Topic Author
Posts: 5
Joined: Mon Dec 04, 2023 9:17 pm
Location: Quebec, CA

Re: VLAN filtering blocks DHCP Client on trunk port

Mon Apr 15, 2024 8:40 pm

In particular pay attention to these details:
  • bridge CPU-facing port VLAN membership has to be configured explicitly as well
  • frame-types, tagged/untagged and PVID properties have to be consistent
  • distinction between different properties of bridge (i.e. some are about "switch-like entity" and some are about "CPU interface"), all mixed on bridge creation stanza.
    (Luckily properties about "CPU-facing port" are not interleaved with before mentioned ones, they are with the rest of ports)
  • I suggest to go all-VLAN internally (i.e. no pvid/untagged on bridge), it makes config more uniform and thus slightly less confusing
Just a quick update that I seem to have gotten everything to work :-)
Thank you for your help and guidance. The above linked discussion was very instructive and the sample config switch file particularly useful.

While my configuration was wrong I also had other issues upstream to resolve which I'll share if ever this can help others. If for whatever reason you see other improvements in my configs, please mention so I can learn.

For starters I noticed in the following table (https://help.mikrotik.com/docs/display/ ... Offloading) there were caveats with the VLAN filtering with the switch chips inside the RB5009, so I had another product on hand, the CRS326 and this is what the following functional configs are related to. I'll try later on with the RB5009 since I need to reproduce similarly the same thing...

My issues upstream were the following. I had multiple VLAN configured to my trunk port and had a default one of 1000. Unfortunately, the default VLAN was not automatically tagged by the upstream router which probably meant I lost packets once I activated the VLAN filtering. So PVID set on the outgoing trunked port on the upstream router. Once that resolved, I also had to tag them to VLAN1000 for my DHCP client to work (hope I used the correct terms) so I also had to tweak the DHCP client configs and to which interface it was locked into (Was previously on the Bridge-LAN which didn't work and then moved to the MGMT_VLAN)

My config file as it is now and works :
/interface bridge
add admin-mac=DE:AD:BE:EF:F0:0D auto-mac=no frame-types=admit-only-vlan-tagged name=Bridge-LAN protocol-mode=none pvid=1000 vlan-filtering=yes

/interface ethernet
#Trying here to load distribute the switch chips amongst all the access ports used
set [ find default-name=ether1 ] comment="Trunk Port" name=ether1_TRUNK_Port
set [ find default-name=ether2 ] comment="Labo Port" disabled=yes
set [ find default-name=ether3 ] comment="Labo Port" disabled=yes
set [ find default-name=ether4 ] comment="Labo Port - Station 16"
set [ find default-name=ether5 ] comment="Labo Port - Station 01"
set [ find default-name=ether6 ] comment="Labo Port - Station 06"
set [ find default-name=ether7 ] comment="Labo Port - Station 11"
set [ find default-name=ether8 ] comment="Labo Port" disabled=yes
set [ find default-name=ether9 ] comment="Labo Port - Station 02"
set [ find default-name=ether10 ] comment="Labo Port - Station 07"
set [ find default-name=ether11 ] comment="Labo Port - Station 12"
set [ find default-name=ether12 ] comment="Labo Port" disabled=yes
set [ find default-name=ether13 ] comment="Labo Port - Station 03"
set [ find default-name=ether14 ] comment="Labo Port - Station 08"
set [ find default-name=ether15 ] comment="Labo Port - Station 13"
set [ find default-name=ether16 ] comment="Labo Port" disabled=yes
set [ find default-name=ether17 ] comment="Labo Port - Station 04"
set [ find default-name=ether18 ] comment="Labo Port - Station 09"
set [ find default-name=ether19 ] comment="Labo Port - Station 14"
set [ find default-name=ether20 ] comment="Labo Port" disabled=yes
set [ find default-name=ether21 ] comment="Labo Port - Station 05"
set [ find default-name=ether22 ] comment="Labo Port - Station 10"
set [ find default-name=ether23 ] comment="Labo Port - Station 15"
set [ find default-name=ether24 ] comment="Labo Port" name=ether24_ADMIN_Port
set [ find default-name=sfp-sfpplus1 ] comment="SFP Link" disabled=yes
set [ find default-name=sfp-sfpplus2 ] comment="SFP Link" disabled=yes

/interface vlan
add comment="VLAN 1000" interface=Bridge-LAN name=MGMT_VLAN vlan-id=1000
/interface list
add name=MGMT_LIST

/interface bridge port
add bridge=Bridge-LAN comment="Trunk Port" frame-types=admit-only-vlan-tagged interface=ether1_TRUNK_Port
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether2
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether3
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=13
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=13
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=13
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=13
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether8
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=14
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=14
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether11 pvid=14
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether12
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether13 pvid=13
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether14 pvid=13
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether15 pvid=13
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether16
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether17 pvid=15
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether18 pvid=15
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether19 pvid=15
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether20
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether21 pvid=13
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether22 pvid=13
add bridge=Bridge-LAN comment="Labo Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether23 pvid=13
/ip neighbor discovery-settings
set discover-interface-list=MGMT_LIST
/interface bridge vlan
add bridge=Bridge-LAN tagged=Bridge-LAN,ether1_TRUNK_Port vlan-ids=1000
add bridge=Bridge-LAN tagged=ether1_TRUNK_Port vlan-ids=13
add bridge=Bridge-LAN tagged=ether1_TRUNK_Port vlan-ids=14
add bridge=Bridge-LAN tagged=ether1_TRUNK_Port vlan-ids=15

/interface list member
add interface=ether24_ADMIN_Port list=MGMT_LIST
add interface=MGMT_VLAN list=MGMT_LIST
/ip dhcp-client
add interface=MGMT_VLAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MySwitch
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=MGMT_LIST
/tool mac-server mac-winbox
set allowed-interface-list=MGMT_LIST

 
jfh
just joined
Topic Author
Posts: 5
Joined: Mon Dec 04, 2023 9:17 pm
Location: Quebec, CA

Re: VLAN filtering blocks DHCP Client on trunk port

Tue Apr 16, 2024 4:46 pm

RB5009 similar config as above works fine.

I also tried on an hAP ax³ (C53UiG+5HPaxD2HPaxD) but so far there seem to be issues... after a few seconds/minutes, the device kicks me out through the MAC addressing or resets itself but I do have access to it the MGT vlan but not via a MAC access. Strange..

I will keep you posted on any findings on my end.
