Hi,
After reading a lot and trying a lot of configs, i´m still not able to configure my hotspot network.
RB5009 v7.14.2 manages all the configurations (VLAN, Captive Portal, Login, Paypal)
hAP ax^3 are used to access the VLAN where the hotspot is supposed to work.
How can I start to do troubleshooting?
Some help?
Thanks
To start off could you kindly attach a network diagram (is there an external radius server, vlans, etc.)?
This is my network:
Everything is ok except the Hotspot.
RB5009 has User Manager and Radius to Hotspot.
RB5009 Configuration:
# 2024-04-04 22:27:19 by RouterOS 7.14.2
# software id = F6E9-5B20
#
# model = RB5009UG+S+
# serial number = HEK08S69E2Y
/container mounts
add dst=/etc/pihole name=etc_pihole src=/disk1/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=/disk1/etc-dnsmasq.d
add dst=/mosquitto/config name=msqt_config src=/usb1/mosquitto_mounted
/interface bridge
add admin-mac=48:A9:8A:E7:23:D4 auto-mac=no igmp-snooping=yes name=bridge \
port-cost-mode=short vlan-filtering=yes
add igmp-snooping=yes name=docker port-cost-mode=short
/interface ovpn-server
add name=Ricardo_OVPN user=Ricardo
/interface ethernet
set [ find default-name=ether1 ] name=ether1_Livingroom
set [ find default-name=ether4 ] name=ether4_Corridor
set [ find default-name=ether6 ] name=ether6_Bedroom2/3
set [ find default-name=ether7 ] name=ether7_Bedroom1
set [ find default-name=ether8 ] name=ether8_ONT
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wifi
add channel.band=2ghz-ax .skip-dfs-channels=all configuration.mode=ap .ssid=\
"ASUS RT-AX88U" .tx-power=40 datapath.bridge=bridge name=cap-wifi1 \
radio-mac=48:A9:8A:BC:93:DC security.authentication-types=\
wpa2-psk,wpa3-psk .wps=disable
add channel.band=5ghz-ax .skip-dfs-channels=all configuration.country=\
Portugal .mode=ap .ssid="ASUS RT-AX88U 5G" .tx-power=40 datapath.bridge=\
bridge name=cap-wifi2 radio-mac=48:A9:8A:BC:93:DB \
security.authentication-types=wpa2-psk,wpa3-psk .wps=disable
/interface veth
add address=192.168.3.2/24 gateway=192.168.3.1 gateway6="" name=veth1_pihole
add address=192.168.3.3/24 disabled=yes gateway=192.168.3.1 gateway6="" name=\
veth2_mosquitto
add address=192.168.3.4/24 disabled=yes gateway=192.168.3.1 gateway6="" name=\
veth3_ha
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard
/interface vlan
add interface=bridge name=guest_vlan vlan-id=10
add arp=proxy-arp interface=bridge name=hotspot_vlan vlan-id=40
add interface=bridge name=iot_vlan vlan-id=20
add interface=ether8_ONT name=iptv_vlan vlan-id=105
add interface=bridge name=mgmt_vlan vlan-id=30
add interface=ether8_ONT name=voip_vlan vlan-id=101
add interface=ether8_ONT name=wan_vlan vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 skip-dfs-channels=all width=\
20/40mhz
add band=5ghz-ax disabled=no name=channel2 skip-dfs-channels=all width=\
20/40/80mhz
/interface wifi datapath
add bridge=bridge disabled=no name=admin1
add bridge=bridge disabled=no name=guest1 vlan-id=10
add bridge=bridge disabled=no name=iot1 vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp name=\
admin1 wps=disable
add authentication-types=wpa2-eap,wpa3-psk disabled=no encryption=ccmp name=\
iot1
add authentication-types=wpa2-eap,wpa3-psk disabled=no encryption=ccmp name=\
guest1
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/iot mqtt brokers
add address=192.168.1.22 client-id=Router name=Broker password="=tdJM89HEK" \
username=thing0
add address=192.168.1.22 client-id=Router name=BrokerSSL password=\
"=tdJM89HEK" port=8883 ssl=yes username=thing0
/ip hotspot user profile
add !idle-timeout name=default-trial rate-limit=1M/1M
/ip hotspot profile
set [ find default=yes ] dns-name=hotspot.wifi.pt hotspot-address=\
192.168.20.1 login-by=http-chap,http-pap,trial name=hotspot1 \
trial-uptime-limit=5m trial-user-profile=default-trial use-radius=yes
/ip ipsec policy group
add name=ike2_policies
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=\
modp2048
/ip pool
add name=guest_pool ranges=192.168.2.150-192.168.2.250
add name=docker_pool ranges=192.168.3.100-192.168.3.250
add name=lan_pool ranges=192.168.0.150-192.168.0.250
add name=iot_pool ranges=192.168.1.150-192.168.1.250
add name=ike2_pool ranges=192.168.5.100-192.168.5.250
add name=wireguard ranges=192.168.4.100-192.168.4.250
add name=openvpn_pool ranges=192.168.6.100-192.168.6.250
add name=mgmt_pool ranges=192.168.10.50-192.168.10.250
add name=hotspot_pool ranges=192.168.20.50-192.168.20.250
/ip dhcp-server
add address-pool=guest_pool interface=guest_vlan lease-time=1d name=\
guest_dhcp
add address-pool=lan_pool interface=bridge lease-time=1d name=lan_dhcp
add address-pool=iot_pool interface=iot_vlan lease-time=1d name=iot_dhcp
add address-pool=mgmt_pool interface=mgmt_vlan lease-time=1d name=mgmt_dhcp
add add-arp=yes address-pool=hotspot_pool always-broadcast=yes interface=\
hotspot_vlan name=hotspot_dhcp
/ip hotspot
add address-pool=hotspot_pool addresses-per-mac=1 interface=hotspot_vlan \
name=server1
/ip hotspot user profile
set [ find default=yes ] address-pool=hotspot_pool mac-cookie-timeout=1d \
parent-queue=none rate-limit=100M/50M shared-users=unlimited
/ip ipsec mode-config
add address-pool=ike2_pool address-prefix-length=32 name=ike2_conf
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add local-address=192.168.6.1 name=openvpn remote-address=openvpn_pool \
use-ipv6=no
/queue simple
add max-limit=90M/450M name=local target=bridge
add max-limit=50M/200M name=iot target=iot_vlan
/queue type
add kind=pcq name=pcq-download-guest pcq-classifier=dst-address pcq-rate=50M
add kind=pcq name=pcq-upload-guest pcq-classifier=src-address pcq-rate=10M
/queue simple
add max-limit=10M/100M name=guest queue=pcq-upload-guest/pcq-download-guest \
target=guest_vlan
/user-manager limitation
add name=lim1 rate-limit-rx=50B rate-limit-tx=10B
/user-manager profile
add name="30 Days 10M/50M" name-for-users="Option 1" price=1 validity=4w2d
/user-manager user
add name=admin
add name=rcarreira88
/user-manager user group
set [ find default-name=default ] attributes=\
Mikrotik-Advertise-URL:hotspot.wifi.pt
/container
add envlist=pihole_envs interface=veth1_pihole mounts=\
etc_pihole,dnsmasq_pihole root-dir=/disk1/pihole start-on-boot=yes
add interface=veth2_mosquitto logging=yes mounts=msqt_config root-dir=\
/usb1/mosquitto start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=/disk1/pull
/container envs
add key=TZ name=pihole_envs value=Europe/Lisbon
add key=WEBPASSWORD name=pihole_envs value=64311729
add key=DNSMASQ_USER name=pihole_envs value=root
/interface bridge port
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4_Corridor internal-path-cost=10 path-cost=\
10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether6_Bedroom2/3 internal-path-cost=10 \
path-cost=10
add bridge=bridge interface=ether7_Bedroom1 internal-path-cost=10 path-cost=\
10
add bridge=bridge interface=ether1_Livingroom internal-path-cost=10 \
path-cost=10
add bridge=docker interface=veth1_pihole internal-path-cost=10 path-cost=10
add bridge=docker interface=veth2_mosquitto
add bridge=docker disabled=yes interface=veth3_ha
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge tagged=\
bridge,ether1_Livingroom,ether4_Corridor,ether6_Bedroom2/3 vlan-ids=10
add bridge=bridge tagged="bridge,ether1_Livingroom,ether4_Corridor,ether6_Bedr\
oom2/3,ether7_Bedroom1" vlan-ids=20
add bridge=bridge tagged=bridge,ether1_Livingroom,ether4_Corridor vlan-ids=30
add bridge=bridge tagged=bridge,ether4_Corridor vlan-ids=40
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=bridge list=LAN
add interface=wan_vlan list=WAN
add interface=iptv_vlan list=WAN
add interface=voip_vlan list=WAN
add interface=guest_vlan list=LAN
add interface=iot_vlan list=LAN
add interface=docker list=LAN
add interface=wireguard list=LAN
add interface=ether1_Livingroom list=LAN
add interface=ether4_Corridor list=LAN
add interface=ether6_Bedroom2/3 list=LAN
add interface=ether7_Bedroom1 list=LAN
/interface ovpn-server server
set auth=sha256 certificate=server_openvpn cipher=aes256-cbc default-profile=\
openvpn enabled=yes port=11945 redirect-gateway="" \
require-client-certificate=yes
/interface wifi capsman
set ca-certificate=auto certificate=auto interfaces=bridge package-path=\
/usb1.part1/upgrade require-peer-certificate=yes upgrade-policy=\
suggest-same-version
/interface wireguard peers
add allowed-address=192.168.4.2/32 client-address=0.0.0.0/0 comment=uleFone \
interface=wireguard public-key=\
"O2ohqgnnC5s3b6U5eJPwrUBkYrsdQHMU8RlJSGnDajo="
add allowed-address=192.168.4.3/32 client-address=192.168.0.0/24 comment=\
Hutcher interface=wireguard public-key=\
"OGdzmokuWO3x7h0Gwx4jmLSRZiTThLoWlTuPTxHivVg="
add allowed-address=192.168.4.4/32 client-address=0.0.0.0/0 comment=\
Hidromarinha interface=wireguard public-key=\
"i+a+VI3bB5OTnV71PAatkg+seAQocU/wpQMNJ13ySy4="
add allowed-address=192.168.4.5/32 client-address=0.0.0.0/0 comment=\
"Travel Router" interface=wireguard public-key=\
"evN70ZUjYBF7ldCKKR92353w7cbXGcfK6NDAyeYTIh4="
add allowed-address=192.168.4.6/32 client-address=0.0.0.0/0 comment=Fletcher \
interface=wireguard public-key=\
"pTigZD1KlJTeUxX5iQ5br+RTmiBuXgR7QP52sGoMyVo="
/iot mqtt subscriptions
add broker=Broker qos=2 topic=cmnd/router/COMMAND
/ip address
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
add address=192.168.2.1/24 interface=guest_vlan network=192.168.2.0
add address=192.168.3.1/24 interface=docker network=192.168.3.0
add address=192.168.1.1/24 interface=iot_vlan network=192.168.1.0
add address=192.168.4.1/24 interface=wireguard network=192.168.4.0
add address=192.168.10.1/24 interface=mgmt_vlan network=192.168.10.0
add address=192.168.20.1/24 interface=hotspot_vlan network=192.168.20.0
add address=192.168.100.1/24 interface=loopback network=192.168.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m
/ip dhcp-client
add interface=wan_vlan
add add-default-route=special-classless default-route-distance=210 interface=\
iptv_vlan use-peer-dns=no use-peer-ntp=no
add add-default-route=special-classless default-route-distance=110 interface=\
voip_vlan use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.51 comment="Bathroom Google Assistant" mac-address=\
D4:F5:47:0C:E7:94 server=iot_dhcp
add address=192.168.1.31 client-id=1:b8:27:eb:43:73:b4 comment=\
"Bedroom 1 Hyperion" mac-address=B8:27:EB:43:73:B4 server=iot_dhcp
add address=192.168.1.35 client-id=1:e8:48:b8:7a:72:10 comment=\
"Bedroom1 Camera" mac-address=E8:48:B8:7A:72:10 server=iot_dhcp
add address=192.168.1.82 comment="Bedroom 2 Heating" mac-address=\
98:F4:AB:F2:77:DD server=iot_dhcp
add address=192.168.1.55 comment="Bathroom Fan" mac-address=EC:FA:BC:9C:79:86 \
server=iot_dhcp
add address=192.168.1.140 comment="Corridor Light" mac-address=\
98:F4:AB:D0:E4:97 server=iot_dhcp
add address=192.168.1.100 comment="Hall Light" mac-address=98:F4:AB:D0:AD:46 \
server=iot_dhcp
add address=192.168.1.56 comment="Bathroom Heater" mac-address=\
68:C6:3A:D5:E7:F0 server=iot_dhcp
add address=192.168.1.54 comment="Bathroom Bathtub Light 2" mac-address=\
3C:61:05:D2:97:FD server=iot_dhcp
add address=192.168.1.46 comment="Livingroom Lights" mac-address=\
98:F4:AB:F2:E2:F8 server=iot_dhcp
add address=192.168.1.33 comment="Bedroom 1 Light" mac-address=\
2C:F4:32:68:92:6E server=iot_dhcp
add address=192.168.1.53 comment="Bathroom Bathtub Light 1" mac-address=\
80:7D:3A:05:1F:E4 server=iot_dhcp
add address=192.168.1.81 comment="Bedroom 2 Light" mac-address=\
DC:4F:22:76:C3:97 server=iot_dhcp
add address=192.168.1.52 comment="Bathroom Lights" mac-address=\
8C:AA:B5:05:B2:6C server=iot_dhcp
add address=192.168.1.70 comment="Toilet Lights" mac-address=\
98:F4:AB:F2:BE:96 server=iot_dhcp
add address=192.168.1.91 comment="Bedroom 3 Light" mac-address=\
48:3F:DA:A0:C3:AE server=iot_dhcp
add address=192.168.1.92 comment="Bedroom 3 Heating" mac-address=\
34:94:54:78:45:E8 server=iot_dhcp
add address=192.168.1.27 comment="Building Lock" mac-address=\
A4:CF:12:B9:D4:8D server=iot_dhcp
add address=192.168.1.66 comment="Kitchen Water Kettle" mac-address=\
34:94:54:75:AC:8E server=iot_dhcp
add address=192.168.1.65 comment="Kitchen Coffee Machine" mac-address=\
2C:F4:32:68:C5:A0 server=iot_dhcp
add address=192.168.1.57 comment="Bathroom Airwick" mac-address=\
18:FE:34:FA:F7:28 server=iot_dhcp
add address=192.168.1.71 comment="Toilet Fan" mac-address=EC:FA:BC:4F:A4:F1 \
server=iot_dhcp
add address=192.168.1.32 comment="Bedroom 1 Google Assistant" mac-address=\
7C:D9:5C:56:B6:4A server=iot_dhcp
add address=192.168.1.28 comment="Garage Gate" mac-address=C4:4F:33:C3:64:EE \
server=iot_dhcp
add address=192.168.1.26 comment="Stairwell Light" mac-address=\
DC:4F:22:76:99:0A server=iot_dhcp
add address=192.168.0.15 comment="uleFone Armor 21" mac-address=\
00:A8:6F:EE:53:D8 server=lan_dhcp
add address=192.168.1.62 comment="Kitchen Table Light 2" mac-address=\
10:52:1C:E8:18:E7 server=iot_dhcp
add address=192.168.1.47 client-id=1:28:6d:97:c6:55:fc comment=\
"Livingroom AC" mac-address=28:6D:97:C6:55:FC server=iot_dhcp
add address=192.168.1.64 comment="Kitchen Table Light 4" mac-address=\
10:52:1C:E8:58:29 server=iot_dhcp
add address=192.168.1.111 comment="Pantry Hot Water Valve" mac-address=\
18:FE:34:F4:B7:9C server=iot_dhcp
add address=192.168.1.105 comment="Entryway Light" mac-address=\
2C:F4:32:68:8E:E0 server=iot_dhcp
add address=192.168.1.68 comment="Kitchen Cabinet Light" mac-address=\
7C:9E:BD:F1:AA:6C server=iot_dhcp
add address=192.168.1.63 comment="Kitchen Table Light 3" mac-address=\
98:F4:AB:F0:73:3A server=iot_dhcp
add address=192.168.1.61 comment="Kitchen Table Light 1" mac-address=\
10:52:1C:E8:58:F0 server=iot_dhcp
add address=192.168.1.60 comment="Kitcher Ceiling Light" mac-address=\
98:F4:AB:D0:AA:DE server=iot_dhcp
add address=192.168.1.67 comment="Kitchen Dish Washer" mac-address=\
98:F4:AB:F3:0B:3F server=iot_dhcp
add address=192.168.1.41 client-id=1:b8:27:eb:d9:ef:db comment=\
"Livingroom Hyperion" mac-address=B8:27:EB:D9:EF:DB server=iot_dhcp
add address=192.168.1.48 client-id=1:5c:6b:d7:7:6f:65 comment=\
"Livingroom Vacuum Cleaner" mac-address=5C:6B:D7:07:6F:65 server=iot_dhcp
add address=192.168.1.42 comment="Livingroom Google Assistant" mac-address=\
D4:F5:47:32:2D:9A server=iot_dhcp
add address=192.168.1.39 client-id=1:7c:87:ce:c8:57:7c comment=\
"Bedroom 1 NSPanel" mac-address=7C:87:CE:C8:57:7C server=iot_dhcp
add address=192.168.1.25 client-id=1:c0:6:c3:fd:b2:83 comment="Garage Camera" \
mac-address=C0:06:C3:FD:B2:83 server=iot_dhcp
add address=192.168.1.110 comment="Pantry Washing Machine" mac-address=\
70:2C:1F:43:50:6C server=iot_dhcp
add address=192.168.1.83 comment="Bedroom 2 Heater" mac-address=\
64:90:C1:9E:02:D3 server=iot_dhcp
add address=192.168.1.93 comment="Bedroom 3 Heater" mac-address=\
64:90:C1:7C:F0:CA server=iot_dhcp
add address=192.168.0.21 comment="Synology Diskstation" mac-address=\
00:11:32:E2:5A:BE server=lan_dhcp
add address=192.168.0.23 comment="Garage PC Fletcher" mac-address=\
AC:FD:CE:5D:1F:C4 server=lan_dhcp
add address=192.168.1.30 comment="Bedroom 1 TV" mac-address=E4:7D:BD:60:79:E9 \
server=iot_dhcp
add address=192.168.1.37 comment="Bedroom 1 AC" mac-address=88:57:1D:09:C8:C3 \
server=iot_dhcp
add address=192.168.1.130 comment="Building Entrance Mailbox" mac-address=\
44:17:93:EB:0E:C8 server=iot_dhcp
add address=192.168.0.10 client-id=1:58:0:e3:53:23:77 comment=\
"Bedroom 1 PC Stinger" mac-address=58:00:E3:53:23:77 server=lan_dhcp
add address=192.168.0.36 client-id=1:30:5a:3a:3:97:8b comment=\
"Bedroom 1 PC Hutcher" mac-address=30:5A:3A:03:97:8B server=lan_dhcp
add address=192.168.1.40 comment="Livingroom TV" mac-address=\
D0:66:7B:E2:C9:63 server=iot_dhcp
add address=192.168.1.50 comment="Bathroom TV" mac-address=D4:5E:EC:BC:61:72 \
server=iot_dhcp
add address=192.168.2.10 client-id=1:d4:5e:ec:bc:61:71 comment="Bedroom 2 TV" \
mac-address=D4:5E:EC:BC:61:71 server=guest_dhcp
add address=192.168.1.34 client-id=1:40:4c:ca:f7:8f:58 comment=\
"Bedroom 1 SmartPlug" mac-address=40:4C:CA:F7:8F:58 server=iot_dhcp
add address=192.168.1.106 client-id=1:c:b8:15:79:57:30 comment=\
"Entryway Doorbell" mac-address=0C:B8:15:79:57:30 server=iot_dhcp
add address=192.168.1.43 client-id=1:40:4c:ca:f7:96:18 comment=\
"Livingroom Smartplug" mac-address=40:4C:CA:F7:96:18 server=iot_dhcp
add address=192.168.1.69 comment="Kitchen Airfryer" mac-address=\
3C:61:05:F2:9D:93 server=iot_dhcp
add address=192.168.1.58 comment="Bathroom Towel Heater" mac-address=\
EC:FA:BC:D7:7E:08 server=iot_dhcp
add address=192.168.2.23 client-id=1:9c:5a:81:e9:d0:66 comment=\
"Bedroom 3 Smartphone" mac-address=9C:5A:81:E9:D0:66 server=guest_dhcp
add address=192.168.1.120 client-id=1:c0:6:c3:fd:a8:3a comment="Attic Camera" \
mac-address=C0:06:C3:FD:A8:3A server=iot_dhcp
add address=192.168.2.22 client-id=1:2c:3b:70:c8:b8:17 comment=\
"Bedroom 3 Laptop" mac-address=2C:3B:70:C8:B8:17 server=guest_dhcp
add address=192.168.0.2 client-id=1:48:a9:8a:e0:ee:88 comment=\
"Hall Access Point" mac-address=48:A9:8A:E0:EE:88 server=lan_dhcp
add address=192.168.2.20 client-id=1:d4:5e:ec:bc:61:74 comment="Bedroom 3 TV" \
mac-address=D4:5E:EC:BC:61:74 server=guest_dhcp
add address=192.168.0.16 client-id=1:a8:9c:ed:7f:41:b comment=\
"Xiaomi Mi Note 10" mac-address=A8:9C:ED:7F:41:0B server=lan_dhcp
add address=192.168.1.24 comment="Garage Google Assistant" mac-address=\
6C:5A:B5:54:F0:E1 server=iot_dhcp
add address=192.168.0.41 client-id=1:58:2f:f7:a6:93:a8 comment=\
"Vodafone IPTV Box" mac-address=58:2F:F7:A6:93:A8 server=lan_dhcp
add address=192.168.1.38 comment="Bedroom 1 Bedlamp" mac-address=\
DC:4F:22:9A:88:34 server=iot_dhcp
add address=192.168.1.15 client-id=1:0:a8:6f:ee:53:d8 comment=\
"uleFone Armor 21" mac-address=00:A8:6F:EE:53:D8 server=iot_dhcp
add address=192.168.1.101 comment="Hall Thermostat" mac-address=\
2C:F4:32:08:3B:7F server=iot_dhcp
add address=192.168.1.23 client-id=1:d8:3a:dd:96:99:5e comment=\
"Raspberry PI 4" mac-address=D8:3A:DD:96:99:5E server=iot_dhcp
add address=192.168.1.22 client-id=1:b8:27:eb:62:26:31 comment=\
"Raspberry PI 3" mac-address=B8:27:EB:62:26:31 server=iot_dhcp
add address=192.168.1.45 client-id=1:98:fc:84:e6:c:f8 comment=\
"Livigroom Xiaomi MI Box S 4K" mac-address=98:FC:84:E6:0C:F8 server=\
iot_dhcp
add address=192.168.2.16 client-id=1:72:d7:3f:1a:1b:90 comment=\
"Bedroom 2 Olayiwola iPhone" mac-address=72:D7:3F:1A:1B:90 server=\
guest_dhcp
add address=192.168.0.3 client-id=1:48:a9:8a:bc:93:d6 comment=\
"Livingroom Access Point" mac-address=48:A9:8A:BC:93:D6 server=lan_dhcp
add address=192.168.2.24 client-id=1:da:7c:89:6c:99:c0 comment=\
"Bedroom 3 Smartphone" mac-address=DA:7C:89:6C:99:C0 server=guest_dhcp
add address=192.168.1.16 client-id=1:a8:9c:ed:7f:41:b comment=\
"Xiaomi Mi Note 10" mac-address=A8:9C:ED:7F:41:0B server=iot_dhcp
add address=192.168.1.49 comment="Livingroom Heater" mac-address=\
CC:B5:D1:73:68:EA server=iot_dhcp
add address=192.168.0.5 client-id=1:78:9a:18:4:53:94 comment="Attic STA AP" \
mac-address=78:9A:18:04:53:94 server=lan_dhcp
add address=192.168.0.4 client-id=1:48:a9:8a:bc:95:11 comment=\
"Garage Access Point" mac-address=48:A9:8A:BC:95:11 server=lan_dhcp
add address=192.168.2.18 client-id=1:88:1c:95:12:45:f9 comment=\
"Bedroom 2 Olayiwola Smartphone Android" mac-address=88:1C:95:12:45:F9 \
server=guest_dhcp
add address=192.168.2.14 client-id=1:94:65:9c:8d:ce:71 comment=\
"Bedroom 2 Olayiwola PC" mac-address=94:65:9C:8D:CE:71 server=guest_dhcp
add address=192.168.0.6 client-id=1:18:d6:c7:dd:c:ac comment=\
"Bedroom 1 Switch" mac-address=18:D6:C7:DD:0C:AC server=lan_dhcp
add address=192.168.0.7 client-id=1:18:d6:c7:b8:cf:1c comment=\
"Bedroom 2 Switch" mac-address=18:D6:C7:B8:CF:1C server=lan_dhcp
add address=192.168.2.8 client-id=1:0:a8:6f:ee:53:d8 comment=\
"uleFone 21 Armor" mac-address=00:A8:6F:EE:53:D8 server=guest_dhcp
add address=192.168.2.12 client-id=1:de:2c:7c:fd:f5:f1 comment=Olayiwola \
mac-address=DE:2C:7C:FD:F5:F1 server=guest_dhcp
add address=192.168.2.151 client-id=1:76:63:5e:44:2a:68 comment=\
"Bedroom 2 Ibrahims" mac-address=76:63:5E:44:2A:68 server=guest_dhcp
add address=192.168.2.150 client-id=1:d4:1b:81:f:45:69 comment=\
"Bedroom 2 Ibrahims" mac-address=D4:1B:81:0F:45:69 server=guest_dhcp
add address=192.168.2.25 client-id=1:aa:2c:7b:6c:61:37 comment="Bedroom 3 PC" \
mac-address=AA:2C:7B:6C:61:37 server=guest_dhcp
add address=192.168.2.11 client-id=1:0:e0:4c:68:11:dc comment=\
"Bedroom 2 Wall LAN Port" mac-address=00:E0:4C:68:11:DC server=guest_dhcp
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.3.2 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.3.2 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.3.2 gateway=192.168.4.1
add address=192.168.5.0/24 dns-server=192.168.3.2 gateway=192.168.5.1
add address=192.168.6.0/24 dns-server=192.168.3.2 gateway=192.168.6.1
add address=192.168.10.0/24 dns-server=1.1.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=1.1.1.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=192.168.3.2,1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.2.0/24 list=guest
add address=192.168.0.0/24 list=lan
add address=192.168.1.0/24 list=iot
add address=hek08s69e2y.sn.mynetname.net list=WAN
add address=192.168.5.0/24 list=ikev2
add address=192.168.4.0/24 list=wireguard
add address=192.168.3.0/24 list=docker
add address=192.168.6.0/24 list=openvpn
add address=192.168.20.0/24 list=hotspot
add address=192.168.10.0/24 list=mgmt
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="IP Services HTTP" disabled=yes \
dst-port=80 protocol=tcp
add action=accept chain=input comment="allow WireGuard Client to Login" \
dst-port=13231 protocol=udp
add action=accept chain=input comment="allow OpenVPN" disabled=yes dst-port=\
11945 log=yes protocol=tcp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
dst-port=4500 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="iptv: Accept IGMP" connection-state="" \
dst-address=224.0.0.0/4 dst-address-list="" in-interface=iptv_vlan \
protocol=igmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"iptv: Accept and forward udp multicast iptv traffic" connection-state=\
established,related,new,untracked dst-address=224.0.0.0/4 in-interface=\
iptv_vlan protocol=udp
add action=accept chain=forward in-interface=bridge out-interface=iot_vlan
add action=accept chain=forward comment=\
"Allow Access from Openhab to uleFone" dst-address=192.168.0.15 \
src-address=192.168.1.22
add action=drop chain=forward comment="Disable Garage Camera Internet Access" \
disabled=yes out-interface=wan_vlan src-address=192.168.1.25
add action=drop chain=forward comment=\
"Disable Bedroom Camera Internet Access" disabled=yes out-interface=\
wan_vlan src-address=192.168.1.35
add action=drop chain=forward comment="Disable Attic Camera Internet Access" \
disabled=yes out-interface=wan_vlan src-address=192.168.1.120
add action=drop chain=forward comment="Block Access from Hidromarinha to LAN" \
dst-address-list=lan src-address=192.168.4.4
add action=drop chain=forward comment="Block Access from Hidromarinha to IOT" \
dst-address-list=iot src-address=192.168.4.4
add action=drop chain=forward comment=\
"Block Access from Hidromarinha to GUEST" dst-address-list=guest \
src-address=192.168.4.4
add action=drop chain=forward comment="Block Access from IOT to LAN" \
dst-address-list=lan src-address-list=iot
add action=drop chain=forward comment="Block Access from GUEST to LAN" \
dst-address-list=lan src-address-list=guest
add action=drop chain=forward comment="Block Access from GUEST to IOT" \
in-interface=guest_vlan out-interface=iot_vlan
add action=drop chain=forward comment="Block Access from Hotspot to Home" \
disabled=yes in-interface=hotspot_vlan out-interface=!wan_vlan
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade traffic to WAN" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port Forwarding from WAN to openHab" \
dst-port=8443 in-interface-list=WAN protocol=tcp to-addresses=\
192.168.1.22 to-ports=8443
add action=masquerade chain=srcnat comment=\
"Allow internet access to Container" src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="Masquerade trafic from HOTSPOT" \
src-address=192.168.20.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip hotspot walled-garden
add dst-host=www.paypalobject.com
/ip ipsec identity
add auth-method=digital-signature certificate=server_ikev2 generate-policy=\
port-strict mode-config=ike2_conf peer=ike2 policy-template-group=\
ike2_policies
/ip ipsec policy
add dst-address=192.168.5.0/24 group=ike2_policies proposal=ike2 src-address=\
0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/24 port=2222
set www-ssl address=192.168.0.0/24 certificate=\
letsencrypt-autogen_2024-04-04T05:00:34Z disabled=no
set api address=192.168.0.0/24,192.168.4.0/24
set winbox address=192.168.0.0/24,192.168.4.0/24 port=38627
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set host-key-size=8192 strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=Jose profile=openvpn service=ovpn
add name=Pedro profile=openvpn service=ovpn
add name=Sergio profile=openvpn service=ovpn
add name=Ricardo profile=openvpn service=ovpn
/radius
add address=127.0.0.1 service=hotspot
/radius incoming
set accept=yes
/routing igmp-proxy
set query-interval=30s quick-leave=yes
/routing igmp-proxy interface
add interface=bridge
add alternative-subnets=10.2.0.0/18,224.0.0.0/4,10.56.192.0/19 interface=\
iptv_vlan upstream=yes
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=Router
/system logging
add action=disk prefix=-> topics=hotspot,info,debug
/system note
set note=Router show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pt.pool.ntp.org
/tool e-mail
set from=rcarreira88@hotmail.com port=587 server=smtp.office365.com tls=\
starttls user=rcarreira88@hotmail.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
/user aaa
set use-radius=yes
/user-manager
set certificate=*0 enabled=yes
/user-manager advanced
set paypal-allow=yes paypal-currency=EUR paypal-use-sandbox=yes \
web-private-username=devil
/user-manager profile-limitation
add limitation=lim1 profile="30 Days 10M/50M"
/user-manager router
add address=127.0.0.1 name=router
/user-manager user-profile
add profile="30 Days 10M/50M" user=admin
add profile="30 Days 10M/50M" user=rcarreira88
hAP ax^3 Configuration:
# 2024-04-05 05:02:22 by RouterOS 7.14.1
# software id = ZN17-EIED
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HEK08M426XD
/interface bridge
add igmp-snooping=yes ingress-filtering=no name=bridge port-cost-mode=short \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_router
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] name=ether5_garage
/interface vlan
add interface=bridge name=mgmt_vlan vlan-id=30
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2427 name=2G_channel \
skip-dfs-channels=all width=20/40mhz
add band=5ghz-ax disabled=no frequency=5240 name=5G_channel \
skip-dfs-channels=all width=20/40/80mhz
/interface wifi datapath
add bridge=bridge disabled=no name=guest1 vlan-id=10
add bridge=bridge disabled=no name=iot1 vlan-id=20
add bridge=bridge disabled=no name=admin1
add bridge=bridge client-isolation=no disabled=no name=hotspot1 vlan-id=40
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp name=\
admin1 wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp name=\
guest1 wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp name=\
iot1 wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp name=\
hotspot1
/interface wifi configuration
add channel=2G_channel datapath=admin1 disabled=no mode=ap name=admin_2G \
security=admin1 ssid="ASUS RT-AC88U" tx-power=30
add channel=5G_channel datapath=admin1 disabled=no mode=ap name=admin_5G \
security=admin1 ssid="ASUS RT-AC88U" tx-power=30
add channel=2G_channel datapath=iot1 disabled=no mode=ap name=iot_2G \
security=iot1 ssid="ASUS RT-AC87U" tx-power=30
add channel=5G_channel datapath=iot1 disabled=no mode=ap name=iot_5G \
security=iot1 ssid="ASUS RT-AC87U" tx-power=30
add channel=2G_channel datapath=guest1 disabled=no mode=ap name=guest_2G \
security=guest1 ssid="Asus Network" tx-power=30
add channel=5G_channel datapath=guest1 disabled=no mode=ap name=guest_5G \
security=guest1 ssid="Asus Network" tx-power=30
add antenna-gain=0 channel=5G_channel datapath=hotspot1 disabled=no mode=ap \
name=hotspot_5G security=hotspot1 ssid="Leiria Hotspot" tx-power=30
add antenna-gain=0 channel=2G_channel datapath=hotspot1 disabled=no mode=ap \
name=hotspot_2G security=hotspot1 ssid="Leiria Hotspot" tx-power=30
/interface wifi
set [ find default-name=wifi2 ] channel=2G_channel channel.frequency=2427 \
configuration=admin_2G configuration.mode=ap disabled=no name=wifi1_admin
add channel.frequency=2427 configuration=guest_2G configuration.mode=ap \
disabled=no mac-address=4A:A9:8A:E0:EE:8E master-interface=wifi1_admin \
name=wifi1_guest
add channel.frequency=2427 configuration=hotspot_2G configuration.mode=ap \
disabled=no mac-address=4A:A9:8A:E0:EE:90 master-interface=wifi1_admin \
name=wifi1_hotspot
add channel.frequency=2427 configuration=iot_2G configuration.mode=ap \
disabled=no mac-address=4A:A9:8A:E0:EE:8D master-interface=wifi1_admin \
name=wifi1_iot
set [ find default-name=wifi1 ] channel=5G_channel channel.frequency=5240 \
configuration=admin_5G configuration.mode=ap .tx-power=30 disabled=no \
name=wifi2_admin
add channel.frequency=5240 configuration=guest_5G configuration.mode=ap \
disabled=no mac-address=4A:A9:8A:E0:EE:91 master-interface=wifi2_admin \
name=wifi2_guest
add channel.frequency=5240 configuration=hotspot_5G configuration.mode=ap \
disabled=no mac-address=4A:A9:8A:E0:EE:8F master-interface=wifi2_admin \
name=wifi2_hotspot
add channel.frequency=5240 configuration=iot_5G configuration.mode=ap \
disabled=no mac-address=4A:A9:8A:E0:EE:8D master-interface=wifi2_admin \
name=wifi2_iot
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge interface=ether1_router internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes interface=ether2 internal-path-cost=10 \
path-cost=10
add bridge=bridge disabled=yes interface=ether3 internal-path-cost=10 \
path-cost=10
add bridge=bridge disabled=yes interface=ether4 internal-path-cost=10 \
path-cost=10
add bridge=bridge interface=ether5_garage internal-path-cost=10 path-cost=10
add bridge=bridge interface=wifi1_admin internal-path-cost=10 path-cost=10
add bridge=bridge interface=wifi2_admin internal-path-cost=10 path-cost=10
add bridge=bridge interface=wifi1_guest internal-path-cost=10 path-cost=10 \
pvid=10
add bridge=bridge interface=wifi1_iot internal-path-cost=10 path-cost=10 \
pvid=20
add bridge=bridge interface=wifi2_iot internal-path-cost=10 path-cost=10 \
pvid=20
add bridge=bridge interface=wifi1_hotspot pvid=40
add bridge=bridge interface=wifi2_hotspot pvid=40
add bridge=bridge interface=wifi2_guest internal-path-cost=10 path-cost=10 \
pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge tagged=ether1_router,wifi1_guest,wifi2_guest vlan-ids=10
add bridge=bridge tagged=ether1_router,ether5_garage,wifi1_iot,wifi2_iot \
vlan-ids=20
add bridge=bridge tagged=bridge,ether1_router,ether5_garage vlan-ids=30
add bridge=bridge tagged=\
ether1_router,ether5_garage,wifi1_hotspot,wifi2_hotspot vlan-ids=40
/interface wifi cap
set caps-man-addresses=192.168.0.1 certificate=request discovery-interfaces=\
bridge enabled=yes lock-to-caps-man=yes
/ip dhcp-client
add interface=bridge
add interface=mgmt_vlan
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl address=192.168.0.0/24 disabled=no
set api disabled=yes
set winbox address=192.168.0.0/24,192.168.4.0/24,192.168.10.0/24 port=38627
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name="Corridor AP"
/system note
set show-at-login=no
/system ntp client servers
add address=pt.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
The only “issue” I see is that you’ve set up pvids for the wifis in /interface bridge port on the hAP ax^3 given it’s not necessary because you’ve already done it by specifying VLAN IDs in the wifi datapaths. Maybe there’s something else problematic which I can’t see or am overlooking, so any second opinion would be appreciated
Changed that. Thanks
Hotspot is still not working.
While we wait to be joined by @mkx or @Anav, it would be wise to blend out some sensitive information such as serial number, Wireguard keys, etc.
Nah, not my piece of pie. There are too many buzzwords in the thread title which I don’t do (hotspot, radius, …).
Maybe it´s some routing or firewall problem?
Everything else is fine.