Mikrotik - RouterOS - Dual WAN DHCP & Routing Issues
Hello, I'm facing some challenges with the switchover from pfSense to RouterOS. The new RB5009UPr+S is working, but the configuration isn't behaving as expected. My home setup closely matches the diagram you provided. Issues include DHCP only supplying a few clients—maybe it's a forgotten 'route' entry? It doesn't show my switches' or APs' IP addresses, even though they're DHCP-enabled. WAN access is unstable; I can ping any WAN address from Mikrotik but DNS isn't working. I'm trying to set up Dual WAN with Vodafone on VLAN 103, using NAT for that link, and directing traffic via a specific rule. The line "Any device on VLAN 103 given from DHCP pool X.X.3.X..." needs clarification. Currently, 101 and 103 are cross-talking. I'm sure this stems from my own missteps—sorry for the errors. Any guidance would be greatly appreciated.
You see a reference to an unreachable private IP address because you're using a static DNS entry. This can cause confusion since VLAN interfaces are typically linked through a bridge rather than directly connected. It affects DHCP broadcasts on the bridge, which might be the intended behavior. Have you rebooted the router? Configuration changes can sometimes get stuck. You shouldn't rely on a Vodafone interface for VLAN 103—NAT won't work with IPv6 anyway. Try resetting and starting fresh with just one WAN interface and one VLAN, then add the second VLAN and adjust routing accordingly.
@heimdali You mentioned an unreachable private IP reference—ignore that. The defcon line had extra text I omitted. It shouldn’t block functionality except for DNS lookups handled by the router. Clients get 1.1.1.1 via DHCP.
I’m puzzled why all VLAN interfaces are linked to a bridge port. Bridges typically connect devices like hubs do, which isn’t ideal for many VLANs. Trunking VLAN traffic through the switch bridge seems simpler. I’d prefer doing it directly on an interface port, but I want the flexibility to add more switches without reconfiguring VLAN settings each time. (Bridging offers a solution.)
What effect does this have on DHCP broadcasts on the bridge? The DHCP server is tied to the VLAN tag on the bridge.
Have you rebooted the router? Yes.
Maybe reset it and try again with just one WAN interface and one VLAN—hope that works. I’d rather do this only if necessary, as I’m not in a hurry to replace it. I’m currently using pfSense, but the setup is mostly in place. It feels like something’s missing to enable proper WAN routing.
Typically, you attach a VLAN interface to a network card rather than a bridge interface. The network card can manage the separation of VLANs internally, which helps prevent them from interacting directly. Connecting all VLANs to the same bridge interface seems risky to me. If you need to link a switch to a new VLAN, add that VLAN to the network card and set up a trunk port on the switch to carry the new VLAN along with existing ones. Then use another port as an uplink to the additional switch. This approach matches what you described in your diagram. Using a bridge interface wouldn’t solve the issue—it could complicate things further. Is this a specific requirement for your setup? And are the broadcast packets and DHCP requests already tagged with the VLAN information? This bridge setup can indeed make things confusing, so it’s worth clarifying each step. What happens if you try to connect to the WAN? Understanding whether your connections are unstable might help. Also, check your routing table—there may be several configurations to adjust. It seems like you’re dealing with multiple possibilities, so simplifying one at a time would make progress. Where are the VLANs positioned in your diagram? There appear to be two branches but only three VLANs, which is unusual.
Apologies for the delay; I've been collaborating with someone who's assisting me. It turns out there was just one main issue—related to the WAN Lists. Each Ethernet port functions independently and can carry its own VLAN tag, but it can't be grouped together. Solution: Use a bridge. Bridges (groups of shared ports) can also receive VLAN tags, allowing me to add devices like an access point or another switch in the same VLAN. This way, I can share routing responsibilities through the switch chip instead of the router's CPU handling everything. Assigning each port its own dedicated VLAN would be scalable, but it becomes impractical with many ports and VLANs. If I had 100 VLANs on just 8 ports, it would be overwhelming. Bridges hide the ports as separate interfaces, which helps. You might find this video useful for clarity. The process typically follows: Client request → VLAN → Bridge → DHCP Server → Lease assignment. Alternatively, it could be: Client request → VLAN → Ethernet Port → DHCP Server → Lease assignment. My routing table seems correct, but I was puzzled by the abstracted interface lists due to limited experience. It's not worth risking by resetting everything; the setup was mostly correct, yet the confusion led me astray. Just needed someone with expertise to review my configuration and point out the issue clearly. WAN connectivity from the router to WAN is present, but LAN-to-WAN and LAN-to-WAN connections didn't behave as expected. The two ISPs each have multiple VLANs on the LAN side—three suffice for separating IoT, guests, and a dedicated ISP VLAN. Thank you, I'm glad this clarifies things. Feel free to ask any questions.
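The layout discussed in this thread (VLAN interfaces on one bridge, a DHCP server per VLAN, and WAN/LAN interface lists that NAT and firewall rules depend on), as an added RouterOS v7 example that is not the poster's configuration. VLAN IDs 101/103 and DNS 1.1.1.1 come from the thread; interface names, subnets and pool ranges are assumptions.

```routeros
# Added example. ether1/ether2 = the two WAN uplinks, ether3 = trunk to a
# switch or AP, ether4 = untagged access port (all assumed names).
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4 pvid=101
# VLAN interfaces sit on the bridge; the CPU-facing bridge port must be tagged.
/interface vlan
add name=vlan101 interface=bridge1 vlan-id=101
add name=vlan103 interface=bridge1 vlan-id=103
/interface bridge vlan
add bridge=bridge1 vlan-ids=101 tagged=bridge1,ether3 untagged=ether4
add bridge=bridge1 vlan-ids=103 tagged=bridge1,ether3
/ip address
add address=192.168.101.1/24 interface=vlan101
add address=192.168.103.1/24 interface=vlan103
/ip pool
add name=pool101 ranges=192.168.101.10-192.168.101.200
add name=pool103 ranges=192.168.103.10-192.168.103.200
# Each DHCP server is bound to its VLAN interface, not to the bridge itself.
/ip dhcp-server
add name=dhcp101 interface=vlan101 address-pool=pool101 disabled=no
add name=dhcp103 interface=vlan103 address-pool=pool103 disabled=no
/ip dhcp-server network
add address=192.168.101.0/24 gateway=192.168.101.1 dns-server=1.1.1.1
add address=192.168.103.0/24 gateway=192.168.103.1 dns-server=1.1.1.1
# Rules that reference a list match nothing until the list has members:
# an empty WAN list means no masquerade, so LAN-to-WAN traffic fails.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether2
add list=LAN interface=vlan101
add list=LAN interface=vlan103
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
# Keep 101 and 103 apart at layer 3; place above any general accept rule.
/ip firewall filter
add chain=forward in-interface=vlan101 out-interface=vlan103 action=drop
add chain=forward in-interface=vlan103 out-interface=vlan101 action=drop
# Enable filtering last, once the VLAN table is complete, to avoid lockout.
/interface bridge
set [find name=bridge1] vlan-filtering=yes
```

After applying, `/interface list member print` and `/ip dhcp-server lease print` show whether the lists are populated and whether leases are being handed out on each VLAN.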