plum
just joined
Topic Author
Posts: 13
Joined: Mon May 22, 2017 3:40 pm

dhcp in vlans not working on CCR2004

Sat Oct 29, 2022 8:17 pm

Hi guys

I am sorry to use up your precious time, I couldn't figure out what is wrong with my new setup.
I got a new CCR2004-16G-2S+ and decided to start from scratch. I followed the vlan guide here (because CCR2004 has two switch chips), which doesn't show how to add DHCP servers, so I interpolated it from an old bridge-in-bridge setup on my RB2011. The RB2011 worked with bridge-in-bridge, so the DHCPs were attached to a bridge, while here they are attached to an ethernet vlan (maybe that is wrong?)

Only the vlan-99 dhcp works (on a vlan 99 port, e.g. ether15), probably because in this vlan the bridge is part of the bridge's vlan?
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether16 vlan-ids=99
I took that from a "how to setup a mgmt vlan", but I wouldn't really need it, a fixed config-port (like the default ether15) is fine for my setup.


here is the full config:
# oct/29/2022 18:53:35 by RouterOS 7.6
# software id = KYH4-C65G
#
# model = CCR2004-16G-2S+
# serial number = HD4087F88JA
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-outside
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-outside
set [ find default-name=sfp-sfpplus2 ] name=sfp-sfpplus2-trunk

/interface vlan
add interface=bridge1 name=vlan-01-default vlan-id=1
add interface=bridge1 name=vlan-20-dmz vlan-id=20
add interface=bridge1 name=vlan-40-intern vlan-id=40
add interface=bridge1 name=vlan-80-guest vlan-id=80
add interface=bridge1 name=vlan-99-mgmt vlan-id=99

/ip pool
add name=dhcp_pool-20 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool-40 ranges=192.168.40.100-192.168.40.254
add name=dhcp_pool-99 ranges=192.168.99.100-192.168.99.254
add name=dhcp_pool-80 ranges=192.168.80.100-192.168.80.254
/ip dhcp-server
add address-pool=dhcp_pool-40 interface=vlan-40-intern lease-time=15m name=dhcp40
add address-pool=dhcp_pool-20 interface=vlan-20-dmz lease-time=15m name=dhcp20
add address-pool=dhcp_pool-80 interface=vlan-80-guest lease-time=15m name=dhcp80
add address-pool=dhcp_pool-99 disabled=yes interface=vlan-99-mgmt lease-time=15m name=dhcp99

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether2 trusted=yes
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether3 trusted=yes
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4 trusted=yes
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus2-trunk trusted=yes
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether11 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether12 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether13 pvid=80
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether14 pvid=80
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether16 pvid=99


/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus2-trunk,ether2,ether3,ether4 untagged=ether11,ether12 vlan-ids=20
add bridge=bridge1 tagged=sfp-sfpplus2-trunk,ether2,ether3,ether4 untagged=ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=40
add bridge=bridge1 tagged=sfp-sfpplus2-trunk,ether2,ether3,ether4 untagged=ether13,ether14 vlan-ids=80
add bridge=bridge1 tagged=bridge1 untagged=ether16 vlan-ids=99

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether15 network=192.168.88.0
add address=192.168.99.1/24 interface=vlan-99-mgmt network=192.168.99.0
add address=192.168.40.1/24 interface=vlan-40-intern network=192.168.40.0
add address=192.168.80.1/24 interface=vlan-80-guest network=192.168.80.0
add address=192.168.20.1/24 interface=vlan-20-dmz network=192.168.20.0
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0

/ip dhcp-client
add interface=ether1-outside
add interface=sfp-sfpplus1-outside

/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.80.0/24 dns-server=192.168.80.1 gateway=192.168.80.1
add address=192.168.99.0/24 gateway=192.168.99.1

/ip firewall filter
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN, drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside
add action=accept chain=forward comment="accept all outgoing traffic" disabled=yes out-interface=ether1-outside

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-outside

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
Thanks in advance for any input!
 
mkx
Forum Guru
Posts: 13130
Joined: Thu Mar 03, 2016 10:23 pm

Re: dhcp in vlans not working on CCR2004  [SOLVED]

Sat Oct 29, 2022 8:24 pm

You have to add bridge1 interface as tagged port to all relevant VLANs under /interface bridge vlan.
 
plum
just joined
Topic Author
Posts: 13
Joined: Mon May 22, 2017 3:40 pm

Re: dhcp in vlans not working on CCR2004

Sat Oct 29, 2022 8:43 pm

> You have to add bridge1 interface as tagged port to all relevant VLANs under /interface bridge vlan.
Thanks a lot, you nailed it!
I don't understand why the bridge would need to be part of each vlan for dhcp to work, but whatever - it works :)
 
tdw
Forum Guru
Posts: 2084
Joined: Sat May 05, 2018 11:55 am

Re: dhcp in vlans not working on CCR2004

Sat Oct 29, 2022 8:53 pm

 
DoubleDB
newbie
Posts: 31
Joined: Thu Feb 20, 2020 12:53 am

Re: dhcp in vlans not working on CCR2004

Thu Aug 22, 2024 11:01 pm

How did you manage to make it work on CCR2004?

I've created a bridge:
name="bridge2-nordvpn" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=D4:01:C3:81:6C:7A protocol-mode=none fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m vlan-filtering=no dhcp-snooping=no port-cost-mode=long mvrp=no

Added an interface-vlan to one of the ports that I need the vlan on (ether3):
name="ether3-vlan555" mtu=1500 l2mtu=1592 mac-address=D4:01:C3:81:6C:7A arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=555 interface=ether3 use-service-tag=no mvrp=no

Added the interface to bridge2-nordvpn:
interface=ether3-vlan555 bridge=bridge2-nordvpn priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no


But.. for some reason the client tagged on vlan 555 on ether3 doesn't get an IP address from the DHCP server running on bridge2-nordvpn.
Exact same setup worked fine on hAp ac2.

Also, tried adding to bridge vlans - bridge2-nordvpn on vlan 555 as tagged - no difference whatsoever.

Tried adding a separate port and managed to get it to get an IP address from the DHCP server when on vlan 555, but at the same time - the vlan interface on ether3 that was in the same bridge - still doesn't get an IP.