Basic Bridging for a Beginner?

I’ve been unable to get wireless devices to talk to wired devices in my home/office LAN and I suspect I’ve got the wireless bridging set up wrong. Or perhaps something else in my firewall rules, etc.

My main router is an hAP-AC. WAN connection is on Ethernet port 1. Ethernet ports 2-5 go to the wired LAN connections. SFP1 has a fiber optic connector to an RB3011 which provides connectivity to my rack equipment. I have two wireless SSIDs; my main network (Mentor) and my guest network (Acolyte). I have three servers, two with static IP addresses accessible from the outside, and the usual list of computers, printers, smart phones, etc. One of the servers is on the rack downstream of the RB3011; this is my immediate priority (I would like to use it for backups of my smartphone). I would like for the servers to be able to see smartphones and such on the main wireless network and vice versa, but I want the guest network to have access to the outside Internet only…with DNS filtering after I purchase an appropriate subscription.

I’m still new at setting all this up. I have tried checking the Wiki, but I’m still not able to glean a whole lot from it. Some basic help and guidance is appreciated. Thanks!

The easiest will be:

Create a bridge on the hAP ac and assign ports 2 - 5, the SFP and both WLANs to this bridge.
Assign an IP address, e.g. 192.168.1.1/24, to the bridge; this becomes the gateway address of the devices on the LAN.
Create a DHCP server and scope, e.g. 192.168.1.10 - 192.168.1.100, and attach it to the bridge.
Create the home SSIDs on the WLANs.
Create a bridge on the RB3011 and make all ports, including the SFPs on that device, members of the bridge.
Assign a management IP, e.g. 192.168.1.2/24, to the bridge.

This will then be your LAN; all devices will have layer 2 access to each other.

Create virtual WLANs and assign a different IP subnet to them, e.g. 192.168.10.1/24, with DHCP and scopes in that range, and restrict access with firewall filter rules.

What wifi devices do you have (Access Points) and where are they connected in the scheme of things?

My only wifi access point device at the present time is the 2-channel radio built into the hAP-AC.

I would use two bridges.

One for your main LAN and main WIFI (192.168.1.0/24) LAN_Bridge
One for your guest WIFI (192.168.10.0/24) GWifi_Bridge
Each with its own DHCP scheme.

I am not sure why one would want to set up the managed switch in any capacity, like assigning a bridge to it?
In this case just assign a static LAN IP to it and leave it at its defaults, which hopefully is a normal managed switch with every port available and nothing special set up.

Two SSIDs, one for the main LAN WiFi and one for the guest WiFi.

One masquerade rule for outgoing traffic.

The IP route rules: nothing special that I can see here… if there is only one WAN, then the default route should work.

In this way all main LAN traffic will be accessible via layer 2.

The only thing to ensure is that the LAN to guest WiFi and guest WiFi to LAN traffic is blocked at layer 3.
(Two options: the drop-everything approach, and it's done, or the allow approach, where you create IP filter rules blocking cross talk between the bridges.)


/ip firewall filter
# Drop-all approach - block everything not explicitly accepted
# INPUT chain (traffic to the router itself)
add action=accept chain=input comment="Accept Good Traffic" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="ALLOW list access to Router (all ports)" \
    src-address-list=allow
# allows admin access from the internal side to the router - the "allow" address list must be created first
add action=accept chain=input in-interface=LAN_Bridge protocol=tcp dst-port=53
add action=accept chain=input in-interface=LAN_Bridge protocol=udp dst-port=53
# the guest bridge also needs DNS from the router, since the redirect rules below send its DNS here
add action=accept chain=input in-interface=GWifi_Bridge protocol=tcp dst-port=53
add action=accept chain=input in-interface=GWifi_Bridge protocol=udp dst-port=53
add action=accept chain=input comment="Allow PING" protocol=icmp
add action=drop chain=input comment="Drop everything else for INPUT CHAIN"

# FORWARD chain (traffic through the router)
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=LAN_Bridge out-interface=WAN
add action=accept chain=forward in-interface=GWifi_Bridge out-interface=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=log chain=forward log-prefix="this would be dropped" comment="To see what is being dropped"
add action=drop chain=forward comment="Drop everything else for FORWARD CHAIN"

/ip firewall nat
add action=masquerade chain=srcnat comment="SRC_NAT for All Users" \
    ipsec-policy=out,none out-interface=WAN
# add action=dst-nat ... - port forwarding rules as required here
add chain=dstnat protocol=udp dst-port=53 action=redirect
add chain=dstnat protocol=tcp dst-port=53 action=redirect
# forces all users to use the DNS settings in the router
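As an added example (not code from either reply above), here is a RouterOS script for the bridge, address and DHCP steps described in the first reply, using the two bridge names from the second. It assumes the hAP ac's default interface names (ether1 to ether5, sfp1, wlan1 and wlan2), that ether1 is renamed WAN, that the guest SSID is a virtual AP on wlan1, and uses placeholder passphrases; the two drop rules at the end are the "allow approach" to blocking cross-bridge traffic.

```routeros
# Added example, not from either poster. Assumes hAP ac default interface names
# (ether1-ether5, sfp1, wlan1, wlan2); check /interface print and adjust.

# WAN on ether1, named so the firewall rules can refer to it as "WAN"
/interface ethernet set ether1 name=WAN

# Main SSID on both radios, guest SSID as a virtual AP on wlan1 (2.4 GHz)
/interface wireless security-profiles
add name=sp-main mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="<main-passphrase>"
add name=sp-guest mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="<guest-passphrase>"
/interface wireless
set wlan1 mode=ap-bridge ssid=Mentor security-profile=sp-main disabled=no
set wlan2 mode=ap-bridge ssid=Mentor security-profile=sp-main disabled=no
add name=wlan-guest master-interface=wlan1 mode=ap-bridge ssid=Acolyte security-profile=sp-guest disabled=no

# Bridges: wired ports plus main SSIDs in LAN_Bridge, guest SSID alone in GWifi_Bridge
/interface bridge
add name=LAN_Bridge
add name=GWifi_Bridge
/interface bridge port
add bridge=LAN_Bridge interface=ether2
add bridge=LAN_Bridge interface=ether3
add bridge=LAN_Bridge interface=ether4
add bridge=LAN_Bridge interface=ether5
add bridge=LAN_Bridge interface=sfp1
add bridge=LAN_Bridge interface=wlan1
add bridge=LAN_Bridge interface=wlan2
add bridge=GWifi_Bridge interface=wlan-guest

# Gateway address and DHCP scope, one per bridge; router is the DNS server for both
/ip address
add address=192.168.1.1/24 interface=LAN_Bridge
add address=192.168.10.1/24 interface=GWifi_Bridge
/ip pool
add name=pool-lan ranges=192.168.1.10-192.168.1.100
add name=pool-guest ranges=192.168.10.10-192.168.10.100
/ip dhcp-server
add name=dhcp-lan interface=LAN_Bridge address-pool=pool-lan disabled=no
add name=dhcp-guest interface=GWifi_Bridge address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

# "Allow approach": explicit drops for traffic crossing the two bridges,
# placed in the forward chain before any generic accept rules
/ip firewall filter
add chain=forward in-interface=GWifi_Bridge out-interface=LAN_Bridge action=drop comment="Guest -> LAN blocked"
add chain=forward in-interface=LAN_Bridge out-interface=GWifi_Bridge action=drop comment="LAN -> Guest blocked"
```

With the drop-all filter from the reply above, the two final rules are redundant but harmless; they matter only if the forward chain ends in an accept.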