Hello everyone!
Can someone help me solve my problem?
Problem:
When I try to access the internet from devices connected to the wAP, I can’t. I’m pretty sure that it is something simple.
Diagram:

Requirements:
- LAN must be able to access LAN computers and internet.
- LAN ether5 AP must be able to access internet. Connected clients/customers do not have to see each other.
- LAN connection must be separated by AP connection. There must be no connection / routing between the two connections.
- Prevent Ping and traceroute from one network to another.
Network devices: router: hAP ac and AP: wAP
Below is the code:
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-half,100M-full,1000M-half,1000M-full name=ether1w
set [ find default-name=ether2 ] advertise=100M-half,100M-full,1000M-half,1000M-full name=ether2-master
set [ find default-name=ether3 ] advertise=100M-half,100M-full,1000M-half,1000M-full master-port=ether2-master name=ether3
set [ find default-name=ether4 ] advertise=100M-half,100M-full,1000M-half,1000M-full master-port=ether2-master name=ether4
set [ find default-name=ether5 ] advertise=100M-half,100M-full,1000M-half,1000M-full loop-protect=on name=ether5ap
/interface bridge
add name=bridge-wAP
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=bridge-wAP name=LAN-wAP
/ip pool
add name=dhcp ranges=192.168.10.101-192.168.10.254
add name=Pool-wAP ranges=192.168.20.11-192.168.20.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=Pool-wAP disabled=no interface=bridge-wAP name=Guests
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf disabled=yes interface=fo1
add auto-isolate=yes bridge=bridge-wAP comment=bridge-wAP interface=ether5ap
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1w list=WAN
add comment=Guests interface=bridge-wAP list=LAN-wAP
/ip address
add address=192.168.10.30/24 comment=defconf interface=ether2-master network=192.168.10.0
add address=192.168.20.5/24 comment=Guests interface=bridge-wAP network=192.168.20.0
add address=<ISP-IPassigned> interface=ether1w network=<isp-assigned>
/ip dhcp-server network
add address=192.168.20.0/24 comment=Guests dns-server=192.168.20.5 gateway=192.168.20.5
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.30 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="blck access from 20-2-10" connection-state=established,related,new dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=drop chain=forward comment="blck access from 10-2-20" connection-state=established,related,new dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1w src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether1w src-address=192.168.20.0/24
/ip route
add distance=1 gateway=<ISP-IPassigned>
Thank you.
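Added example, not part of the original post: the Guests DHCP network above hands out dns-server=192.168.20.5, which is the router itself, so a guest's DNS query is evaluated by the input chain. This sketch walks the posted input-chain rules first-match for such a query. The packet field names and the simplified matcher (only the three matchers these rules use) are assumptions made for illustration.

```python
# Constructed from the export above: interface-list membership and the
# four input-chain rules, in the order they were posted.
LISTS = {"LAN": {"bridge"}, "WAN": {"ether1w"}, "LAN-wAP": {"bridge-wAP"}}

INPUT_CHAIN = [
    {"action": "accept", "comment": "defconf: accept established,related,untracked",
     "connection-state": {"established", "related", "untracked"}},
    {"action": "drop", "comment": "defconf: drop invalid",
     "connection-state": {"invalid"}},
    {"action": "accept", "comment": "defconf: accept ICMP", "protocol": "icmp"},
    {"action": "drop", "comment": "defconf: drop all not coming from LAN",
     "in-interface-list": "!LAN"},
]

def matches(rule, pkt):
    """True if every matcher present on the rule matches the packet."""
    states = rule.get("connection-state")
    if states is not None and pkt["state"] not in states:
        return False
    proto = rule.get("protocol")
    if proto is not None and pkt["protocol"] != proto:
        return False
    iface_list = rule.get("in-interface-list")
    if iface_list is not None:
        negate = iface_list.startswith("!")
        member = pkt["in-interface"] in LISTS[iface_list.lstrip("!")]
        if member == negate:  # "!LAN" matches only interfaces outside LAN
            return False
    return True

def verdict(chain, pkt):
    """First matching rule wins; an unmatched packet is accepted."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "end of chain (no rule matched)"

def dns_query(in_interface):
    # A client's first DNS query to the router (hypothetical packet model).
    return {"in-interface": in_interface, "protocol": "udp", "state": "new"}

if __name__ == "__main__":
    for iface in ("bridge", "bridge-wAP"):
        print(iface, "->", verdict(INPUT_CHAIN, dns_query(iface)))
```

The export also shows /ip dns set only with servers=, without allow-remote-requests, which is a separate setting the router needs before it answers client DNS queries at all.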