i've configured my Capsman Wifi Wave 2 in order to have 2 different SSIDs and in the datapath i've inserted the bridge that it must use.
The final result i would like it to have 2 SSIDs that assign IPs from a different pool, the issue is that with the attached configuration both SSIDs assign IP from the same pool (local).
Could you please help me fixing that?
Thank you
Code: Select all
# 2024-03-25 15:30:29 by RouterOS 7.14.1
# software id = **ELIDED**
#
# model = RBD53iG-5HacD2HnD
# serial number = **ELIDED**
/interface bridge
add name=iot_bridge
add name=local port-cost-mode=short
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wifi datapath
add bridge=local disabled=no name=LOCAL
add bridge=iot_bridge disabled=no name=IOT
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
name="Main WiFi Security"
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=no ft-over-ds=no \
name="Guest WiFi Security"
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=\
"Main WiFi Security (No FR)"
/interface wifi configuration
add country=Italy datapath=LOCAL disabled=no name="WIFI - MAIN" security=\
"Main WiFi Security" security.ft=yes .ft-over-ds=yes ssid=WIFI
add country=Italy datapath=LOCAL disabled=no name="WIFI - IOT DEVICES" \
security="Main WiFi Security (No FR)" ssid=WIFI_IOT
/ip pool
add name=dhcp_pool0 ranges=10.40.1.1-10.40.10.254
add name=iot_pool ranges=10.42.1.1-10.42.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local name=dhcp1
add address-pool=iot_pool interface=iot_bridge name=iot_dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/queue type
add kind=pcq name=pcq_voip_upload pcq-classifier=src-address
add kind=pcq name=pcq_voip_download pcq-classifier=dst-address
add kind=pcq name=pcq_default_upload pcq-classifier=src-address
add kind=pcq name=pcq_default_download pcq-classifier=dst-address
/queue tree
add comment="VoIP Upload Priority on Local Bridge" name=voip_upload_local \
packet-mark=voip_pkt parent=local priority=1 queue=pcq_voip_upload
add comment="VoIP Download Priority on Local Bridge" name=voip_download_local \
packet-mark=voip_pkt parent=local priority=1 queue=pcq_voip_download
add comment="VoIP Upload Priority on IoT Bridge" name=voip_upload_iot \
packet-mark=voip_pkt parent=local priority=1 queue=pcq_voip_upload
add comment="VoIP Download Priority on IoT Bridge" name=voip_download_iot \
packet-mark=voip_pkt parent=local priority=1 queue=pcq_voip_download
/ip smb
set enabled=no
/interface bridge port
add bridge=local interface=ether2 internal-path-cost=10 path-cost=10
add bridge=local interface=ether3 internal-path-cost=10 path-cost=10
add bridge=local interface=ether4 internal-path-cost=10 path-cost=10
add bridge=local interface=ether5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/interface detect-internet
set detect-interface-list=all
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
"MOOX - MAIN" slave-configurations="MOOX - IOT DEVICES"
/interface wireguard peers **ELIDED**
/ip address
add address=10.40.0.1/16 interface=local network=10.40.0.0
add address=10.39.0.10/24 interface=ether1 network=10.39.0.0
add address=10.41.0.1/24 interface=wireguard1 network=10.41.0.0
add address=10.42.1.1/24 interface=iot_bridge network=10.42.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server lease **ELIDED**
/ip dhcp-server network
add address=10.40.0.0/16 dns-server=1.1.1.1,1.0.0.1 gateway=10.40.0.1
add address=10.42.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.42.1.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=10.40.0.0/16 list=LAN_and_VPN_Clients
add address=10.41.0.0/24 list=LAN_and_VPN_Clients
add address=10.40.1.200 list=Allowed_to_IOT_Devices
add address=10.40.1.201 list=Allowed_to_IOT_Devices
add address=10.40.1.202 list=Allowed_to_IOT_Devices
add address=10.40.1.10 list=Allowed_to_IOT_Devices
add address=PRIVACY list=VOIP_Servers
add address=PRIVACY list=VOIP_Servers
add address=10.40.0.0/16 list=ALL_clients
add address=10.41.0.0/24 list=ALL_clients
add address=10.42.0.0/24 list=ALL_clients
/ip firewall filter
add action=accept chain=input comment=\
"Allow established and related connections" connection-state=\
established,related
add action=accept chain=forward comment=\
"Allow established and related connections" connection-state=\
established,related
add action=accept chain=input comment="Allow ICMP for LAN and VPN" protocol=\
icmp src-address-list=ALL_clients
add action=accept chain=input comment="Allow WireGuard connections" dst-port=\
13231 protocol=udp
add action=accept chain=forward comment="Allow HTTP to specific host" \
dst-address=10.40.0.10 dst-port=80 protocol=tcp
add action=accept chain=forward comment="Allow HTTPS to specific host" \
dst-address=10.40.0.10 dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow input from LAN and VPN Clients" \
src-address-list=ALL_clients
add action=accept chain=forward comment=\
"Allow VPN clients to access internet" out-interface=ether1 src-address=\
10.41.0.0/24
add action=accept chain=forward comment="Allow VPN client to access LAN" \
dst-address=10.40.0.0/16 src-address=10.41.0.0/24
add action=accept chain=forward comment=\
"Allow IOT Clients to access selected LAN IP" dst-address-list=\
Allowed_to_IOT_Devices src-address=10.42.1.0/24
add action=accept chain=forward comment=\
"Allow IOT Clients to communicate each other" dst-address=10.42.1.0/24 \
src-address=10.42.1.0/24
add action=drop chain=forward comment=\
"IOT Clients cannot access to other LAN resources" disabled=yes \
dst-address-list=LAN_and_VPN_Clients src-address=10.42.1.0/24
add action=drop chain=input comment=\
"Drop all other input not explicitly allowed"
add action=drop chain=forward comment=\
"Drop forward from WAN not destined to NAT" connection-nat-state=!dstnat \
connection-state=new in-interface=!local
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark VoIP Packets UDP" \
new-packet-mark=voip_pkt passthrough=no protocol=udp src-port=5060,5061
add action=mark-packet chain=prerouting comment="Mark VoIP Packets UDP" \
dst-port=5060,5061 new-packet-mark=voip_pkt passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment="Mark VoIP Packets TCP" \
new-packet-mark=voip_pkt passthrough=no protocol=tcp src-port=5060,5061
add action=mark-packet chain=prerouting comment="Mark VoIP Packets TCP" \
dst-port=5060,5061 new-packet-mark=voip_pkt passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="Mark VoIP Packets IP" \
new-packet-mark=voip_pkt passthrough=no src-address-list=VOIP_Servers
add action=mark-packet chain=prerouting comment="Mark VoIP Packets IP" \
dst-address-list=VOIP_Servers new-packet-mark=voip_pkt passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for Internet access" \
out-interface=ether1
add action=masquerade chain=srcnat comment=\
"Masquerade for IOT internet access" out-interface=ether1 src-address=\
10.42.1.0/24
add action=dst-nat chain=dstnat comment="Port forward for specific service" \
dst-port=7573-7575 protocol=tcp to-addresses=10.40.5.101 to-ports=\
7573-7575
add action=dst-nat chain=dstnat comment="HTTP port forward" dst-port=80 \
in-interface=ether1 protocol=tcp to-addresses=10.40.0.10 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS port forward" dst-port=443 \
in-interface=ether1 protocol=tcp to-addresses=10.40.0.10 to-ports=443
/ip route
add gateway=10.39.0.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.40.0.0/16,10.41.0.0/24
set api disabled=yes
set winbox address=10.40.0.0/16,10.41.0.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
