Can't get DHCP with WLAN when using bridge VLAN filtering

Hi everyone, I’m implementing the new (to me) Bridge VLAN Filtering in my network, as they say it’s the best practice to use this VLAN method. Ok, everything was working fine, I can get IP addresses when connected to the ethernet ports, but when I was configuring the WLANs, I couldn’t get IP addresses.

My equipment:

  • Mikrotik RouterBOARD RB3011UiAS-RM @ RouterOS v7.15beta9
  • Mikrotik hAP AC3 (RBD53iG-5HacD2HnD) @ RouterOS v7.15beta9
  • Mikrotik Cloud Smart Switch CSS326-24G-2S+

Notes:

“802.11ac chipsets do not support this type of VLAN tagging, but they can be configured as VLAN access ports in bridge settings.”

  • I can’t get DHCP only from WLAN; LAN is working fine
  • Each SSID is configured as an access port
  • I’m using my hAP AC3 as my RADIUS server (with UserMan)
  • I’m using WPA3 EAP-TTLS for some networks, and WPA3 PSK for others

Questions:

  • Is it possible to assign dynamic VLANs in some other way? Have one SSID to rule them all and, depending on the user that logs in, a different VLAN will be assigned, then they’ll get DHCP from that respective network?
  • If not, is it possible to limit the SSIDs a user can connect to? Ex.: User1 can connect only to SSID1 and User2 only connects to SSID2 and SSID3.
  • Does Mikrotik have some form of PPSK?
  • Also, internet is kinda slow, I mean, it’s working, but when I load a page, the loading lasts for about 10s, I don’t really know what is causing this performance issue.

Can you guys take a look and help me? Even a direction to follow would be very helpful, thanks in advance.

RB3011UiAS-RM Config

[Prometheus@MikroTik-RB3011UiAS-RM] > export
# 2024-04-03 13:30:30 by RouterOS 7.15beta9
# software id = 73G8-DCW6
#
# model = RB3011UiAS
# serial number = XXXXXXXXXXXX

/disk
set usb1 media-interface=none media-sharing=no
add media-interface=none media-sharing=no parent=usb1 partition-number=1 partition-offset=512 partition-size="62 058 921 472" type=partition

/interface bridge
add frame-types=admit-only-vlan-tagged name=BRIDGE-VLAN-SW1 vlan-filtering=yes
add frame-types=admit-only-vlan-tagged name=BRIDGE-VLAN-SW2 vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment="ISP ONT | Primary WAN Link | Auth: | ISP: Algar Telecom | Type: Fiber | Rx: 600 Mbps | Tx: 300 Mbps "
set [ find default-name=ether2 ] comment="Backup WAN Link | Auth: N/A | ISP: N/A | Type: N/A | Rx: N/A | Tx: N/A | Future Implementation | Disabled for Port Security" disabled=yes
set [ find default-name=ether3 ] comment="Main Management Interface"
set [ find default-name=ether4 ] comment="Backup Management Interface"
set [ find default-name=ether5 ] comment="Connection Between Switch Chips | Hardware Limitation | Connected to Ether6"
set [ find default-name=ether6 ] comment="Connection Between Switch Chips | Hardware Limitation | Connected to Ether5"
set [ find default-name=ether7 ] comment="Downlink | Trunk | Mikrotik CSS326-24G-2S+RM"
set [ find default-name=ether8 ] comment="Disabled for Port Security" disabled=yes
set [ find default-name=ether9 ] comment="Disabled for Port Security" disabled=yes
set [ find default-name=ether10 ] comment="Downlink | Trunk | Mikrotik hAP-AC3 (RBD53iG-5HacD2HnD)" poe-out=off
set [ find default-name=sfp1 ] comment="Disabled for Port Security" disabled=yes

/interface pppoe-client
add add-default-route=yes comment="Main WAN Link | Auth: | ISP: Algar Telecom | Type: Fiber | Rx: 600 Mbps | Tx: 300 Mbps " disabled=no interface=ether1 max-mru=1492 max-mtu=1492 name=PPPoE-AlgarTelecom use-peer-dns=yes user=algar

/interface vlan
add interface=BRIDGE-VLAN-SW2 name=VLAN10-TrustedNetwork vlan-id=10
add interface=BRIDGE-VLAN-SW2 name=VLAN20-FamilyNetwork vlan-id=20
add interface=BRIDGE-VLAN-SW2 name=VLAN30-LegacyNetwork vlan-id=30
add interface=BRIDGE-VLAN-SW2 name=VLAN40-GuestsNetwork vlan-id=40
add interface=BRIDGE-VLAN-SW2 name=VLAN50-IoTNetwork vlan-id=50
add interface=BRIDGE-VLAN-SW2 name=VLAN60-StreamingNetwork vlan-id=60
add interface=BRIDGE-VLAN-SW2 name=VLAN70-PrintersNetwork vlan-id=70
add interface=BRIDGE-VLAN-SW2 name=VLAN80-VoIPNetwork vlan-id=80
add interface=BRIDGE-VLAN-SW2 name=VLAN90-SecurityNetwork vlan-id=90
add interface=BRIDGE-VLAN-SW2 name=VLAN99-ManagementNetwork vlan-id=99
add interface=BRIDGE-VLAN-SW2 name=VLAN100-ServersNetwork vlan-id=100
add interface=BRIDGE-VLAN-SW2 name=VLAN200-WireguardNetwork vlan-id=200
add interface=BRIDGE-VLAN-SW2 name=VLAN255-DemilitarizedNetworkNetwork vlan-id=255

/interface list
add name=WAN
add name=LAN
add name=Management

/ip pool
add name=POOL-PTP-Ether2 ranges=192.168.0.2-192.168.0.254
add name=POOL-VLAN10-TrustedNetwork ranges=10.0.10.2-10.0.10.254
add name=POOL-VLAN20-FamilyNetwork ranges=10.0.20.2-10.0.20.254
add name=POOL-VLAN30-LegacyNetwork ranges=10.0.30.2-10.0.30.254
add name=POOL-VLAN40-GuestsNetwork ranges=10.0.40.2-10.0.40.254
add name=POOL-VLAN50-IoTNetwork ranges=10.0.50.2-10.0.50.254
add name=POOL-VLAN60-StreamingNetwork ranges=10.0.60.2-10.0.60.254
add name=POOL-VLAN70-PrintersNetwork ranges=10.0.70.2-10.0.70.254
add name=POOL-VLAN80-VoIPNetwork ranges=10.0.80.2-10.0.80.254
add name=POOL-VLAN90-SecurityNetwork ranges=10.0.90.2-10.0.90.254
add name=POOL-VLAN99-ManagementNetwork ranges=10.0.99.2-10.0.99.254
add name=POOL-VLAN100-ServersNetwork ranges=10.0.100.2-10.0.100.254
add name=POOL-VLAN200-WireguardNetwork ranges=10.0.200.2-10.0.200.254
add name=POOL-VLAN255-DemilitarizedNetwork ranges=10.0.255.2-10.0.255.254

/ip dhcp-server
add address-pool=POOL-VLAN10-TrustedNetwork comment="DHCP Server for Trusted Network" interface=VLAN10-TrustedNetwork name=DHCPv4-VLAN10-TrustedNetwork
add address-pool=POOL-VLAN20-FamilyNetwork comment="DHCP Server for Family Network" interface=VLAN20-FamilyNetwork name=DHCPv4-VLAN20-FamilyNetwork
add address-pool=POOL-VLAN30-LegacyNetwork comment="DHCP Server for Legacy Network" interface=VLAN30-LegacyNetwork name=DHCPv4-VLAN30-LegacyNetwork
add address-pool=POOL-VLAN40-GuestsNetwork comment="DHCP Server for Guests Network" interface=VLAN40-GuestsNetwork name=DHCPv4-VLAN40-GuestsNetwork
add address-pool=POOL-VLAN50-IoTNetwork comment="DHCP Server for IoT Network" interface=VLAN50-IoTNetwork name=DHCPv4-VLAN50-IoTNetwork
add address-pool=POOL-VLAN60-StreamingNetwork comment="DHCP Server for Streaming Network" interface=VLAN60-StreamingNetwork name=DHCPv4-VLAN60-StreamingNetwork
add address-pool=POOL-VLAN70-PrintersNetwork comment="DHCP Server for Printers Network" interface=VLAN70-PrintersNetwork name=DHCPv4-VLAN70-PrintersNetwork
add address-pool=POOL-VLAN80-VoIPNetwork comment="DHCP Server for VoIP Network" interface=VLAN80-VoIPNetwork name=DHCPv4-VLAN80-VoIPNetwork
add address-pool=POOL-VLAN90-SecurityNetwork comment="DHCP Server for Security Network" interface=VLAN90-SecurityNetwork name=DHCPv4-VLAN90-SecurityNetwork
add address-pool=POOL-VLAN99-ManagementNetwork comment="DHCP Server for Management Network" interface=VLAN99-ManagementNetwork name=DHCPv4-VLAN99-ManagementNetwork
add address-pool=POOL-VLAN100-ServersNetwork comment="DHCP Server for Servers Network" interface=VLAN100-ServersNetwork name=DHCPv4-VLAN100-ServersNetwork
add address-pool=POOL-VLAN200-WireguardNetwork comment="DHCP Server for Wireguard Network" interface=VLAN200-WireguardNetwork name=DHCPv4-VLAN200-WireguardNetwork
add address-pool=POOL-VLAN255-DemilitarizedNetwork comment="DHCP Server for Demilitarized Network" interface=VLAN255-DemilitarizedNetworkNetwork name=DHCPv4-VLAN255-DemilitarizedNetwork

/port
set 0 name=serial0

/user-manager user group
set [ find default-name=default ] inner-auths=peap-mschap2 outer-auths=eap-tls

/interface bridge port
add bridge=BRIDGE-VLAN-SW2 frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BRIDGE-VLAN-SW2 frame-types=admit-only-vlan-tagged interface=ether10
add bridge=BRIDGE-VLAN-SW1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
add bridge=BRIDGE-VLAN-SW1 interface=ether4 pvid=99
add bridge=BRIDGE-VLAN-SW1 interface=ether5
add bridge=BRIDGE-VLAN-SW2 interface=ether6

/interface bridge vlan
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=10
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=20
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=30
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=40
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=50
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=60
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=70
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=80
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=90
add bridge=BRIDGE-VLAN-SW2 tagged=ether6,ether7,ether10,BRIDGE-VLAN-SW2 vlan-ids=99
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=100
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=200
add bridge=BRIDGE-VLAN-SW2 tagged=ether7,ether10 vlan-ids=255
add bridge=BRIDGE-VLAN-SW1 tagged=ether5,BRIDGE-VLAN-SW1 untagged=ether3,ether4 vlan-ids=99

/interface list member
add interface=PPPoE-AlgarTelecom list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=Management
add interface=ether4 list=Management
add interface=VLAN99-ManagementNetwork list=Management
add interface=VLAN10-TrustedNetwork list=LAN
add interface=VLAN20-FamilyNetwork list=LAN
add interface=VLAN30-LegacyNetwork list=LAN
add interface=VLAN40-GuestsNetwork list=LAN
add interface=VLAN50-IoTNetwork list=LAN
add interface=VLAN60-StreamingNetwork list=LAN
add interface=VLAN70-PrintersNetwork list=LAN
add interface=VLAN80-VoIPNetwork list=LAN
add interface=VLAN90-SecurityNetwork list=LAN
add interface=VLAN100-ServersNetwork list=LAN
add interface=VLAN200-WireguardNetwork list=LAN
add interface=VLAN255-DemilitarizedNetworkNetwork list=LAN

/ip address
add address=10.0.10.1/24 comment="IP Address for VLAN 10" interface=VLAN10-TrustedNetwork network=10.0.10.0
add address=10.0.20.1/24 comment="IP Address for VLAN 20" interface=VLAN20-FamilyNetwork network=10.0.20.0
add address=10.0.30.1/24 comment="IP Address for VLAN 30" interface=VLAN30-LegacyNetwork network=10.0.30.0
add address=10.0.40.1/24 comment="IP Address for VLAN 40" interface=VLAN40-GuestsNetwork network=10.0.40.0
add address=10.0.50.1/24 comment="IP Address for VLAN 50" interface=VLAN50-IoTNetwork network=10.0.50.0
add address=10.0.60.1/24 comment="IP Address for VLAN 60" interface=VLAN60-StreamingNetwork network=10.0.60.0
add address=10.0.70.1/24 comment="IP Address for VLAN 70" interface=VLAN70-PrintersNetwork network=10.0.70.0
add address=10.0.80.1/24 comment="IP Address for VLAN 80" interface=VLAN80-VoIPNetwork network=10.0.80.0
add address=10.0.90.1/24 comment="IP Address for VLAN 90" interface=VLAN90-SecurityNetwork network=10.0.90.0
add address=10.0.99.1/24 comment="IP Address for VLAN 99" interface=VLAN99-ManagementNetwork network=10.0.99.0
add address=10.0.100.1/24 comment="IP Address for VLAN 100" interface=VLAN100-ServersNetwork network=10.0.100.0
add address=10.0.200.1/24 comment="IP Address for VLAN 200" interface=VLAN200-WireguardNetwork network=10.0.200.0
add address=10.0.255.1/24 comment="IP Address for VLAN 255" interface=VLAN255-DemilitarizedNetworkNetwork network=10.0.255.0

/ip dhcp-server network
add address=10.0.10.0/24 comment="Trusted Network" dns-server=94.140.14.14,94.140.14.14 gateway=10.0.10.1 netmask=24
add address=10.0.20.0/24 comment="Family Network" dns-server=94.140.14.15,94.140.15.16 gateway=10.0.20.1
add address=10.0.30.0/24 comment="Legacy Network" dns-server=94.140.14.15,94.140.15.16 gateway=10.0.30.1
add address=10.0.40.0/24 comment="Guests Network" dns-server=94.140.14.15,94.140.15.16 gateway=10.0.40.1
add address=10.0.50.0/24 comment="IoT Network" dns-server=94.140.14.14,94.140.15.15 gateway=10.0.50.1
add address=10.0.60.0/24 comment="Streaming Network" dns-server=94.140.14.14,94.140.15.15 gateway=10.0.60.1
add address=10.0.70.0/24 comment="Printers Network" dns-server=94.140.14.14,94.140.15.15 gateway=10.0.70.1
add address=10.0.80.0/24 comment="VoIP Network" dns-server=94.140.14.14,94.140.15.15 gateway=10.0.80.1
add address=10.0.90.0/24 comment="Security Network" dns-server=94.140.14.14,94.140.15.15 gateway=10.0.90.1
add address=10.0.99.0/24 comment="Management Network" dns-server=94.140.14.14,94.140.15.15 gateway=10.0.99.1
add address=10.0.100.0/24 comment="Servers Network" dns-server=1.1.1.1,1.0.0.1 gateway=10.0.100.1
add address=10.0.200.0/24 comment="Wireguard Network" dns-server=1.1.1.1,1.0.0.1 gateway=10.0.200.1
add address=10.0.255.0/24 comment="Demilitarized Network" dns-server=1.1.1.1,1.0.0.1 gateway=10.0.255.1

/ip dns
set cache-size=4096KiB servers=1.1.1.1,1.0.0.1

/ip firewall address-list
add address=0.0.0.0/8 comment="RFC6890/RFC1122 - Section 3.2.1.3" list=no_forward_ipv4
add address=169.254.0.0/16 comment="RFC6890/RFC3927 - Link Local" list=no_forward_ipv4
add address=224.0.0.0/4 comment=Multicast list=no_forward_ipv4
add address=255.255.255.255 comment="RFC6890/RFC0919 - Section 7 - Limited Broadcast" list=no_forward_ipv4
add address=127.0.0.0/8 comment="RFC6890/RFC1122 - Section 3.2.1.3 - Loopback" list=bad_ipv4
add address=192.0.0.0/24 comment="RFC6890 - Section 2.1 - IETF Protocol Assignments" list=bad_ipv4
add address=192.0.2.0/24 comment="RFC6890/RFC5737 - TEST-NET-1" list=bad_ipv4
add address=198.51.100.0/24 comment="RFC6890/RFC5737 - TEST-NET-2" list=bad_ipv4
add address=203.0.113.0/24 comment="RFC6890/RFC5737 - TEST-NET-3" list=bad_ipv4
add address=240.0.0.0/4 comment="RFC6890/RFC1112 - Reserved" list=bad_ipv4
add address=224.0.0.0/4 comment=Multicast list=bad_src_ipv4
add address=255.255.255.255 comment="RFC6890/RFC0919 - Section 7 - Limited Broadcast" list=bad_src_ipv4
add address=0.0.0.0/8 comment="RFC6890/RFC1122 - Section 3.2.1.3" list=bad_dst_ipv4
add address=224.0.0.0/4 comment=Multicast list=bad_dst_ipv4

/ip firewall filter
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=add-src-to-address-list address-list=1111 address-list-timeout=30s chain=input comment="Port Knocking - Step 01" dst-port=1111 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=2001 address-list-timeout=30s chain=input comment="Port Knocking - Step 02" dst-port=2001 in-interface-list=WAN protocol=tcp src-address-list=1111
add action=add-src-to-address-list address-list=secured address-list-timeout=30m chain=input comment="Port Knocking - Step 03" dst-port=3011 in-interface-list=WAN protocol=tcp src-address-list=2001
add action=accept chain=input comment="Port Knocking - Accept" in-interface-list=WAN src-address-list=secured
add action=drop chain=input comment=Blacklist disabled=yes in-interface-list=WAN src-address-list=blacklist
add action=add-src-to-address-list address-list=blacklist address-list-timeout=16h40m chain=input comment=Blacklist disabled=yes dst-port=666 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=1m chain=input comment=Blacklist disabled=yes dst-port=21,22,23,8291,10000-60000 in-interface-list=WAN protocol=tcp src-address-list=!secured
add action=add-src-to-address-list address-list=bruteforce_blacklist address-list-timeout=1d chain=input comment=Blacklist connection-state=new dst-port=22 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 address-list-timeout=1h chain=input comment="Third attempt" connection-state=new dst-port=22 protocol=tcp src-address-list=connection2,!secured
add action=add-src-to-address-list address-list=connection2 address-list-timeout=15m chain=input comment="Second attempt" connection-state=new dst-port=22 protocol=tcp src-address-list=connection1
add action=add-src-to-address-list address-list=connection1 address-list-timeout=5m chain=input comment="First attempt" connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment="Accept traffic not from blacklist" dst-port=22 protocol=tcp src-address-list=!bruteforce_blacklist
add action=accept chain=input comment="Accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop all traffic not coming from management interfaces" in-interface-list=!Management
add action=accept chain=forward comment="Accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop bad forward IPs" dst-address-list=no_forward_ipv4

/ip firewall nat
add action=accept chain=srcnat comment="Accept all that matches IPSec policy" disabled=yes ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="NAT Masquerade" out-interface-list=WAN

/ip firewall raw
add action=accept chain=prerouting comment="Enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="Accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="Drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="Drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="Drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="Drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="Drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="Drop forward to local lan from WAN" disabled=yes dst-address=192.168.88.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment="Drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="Jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="Jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="Accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="Accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="Accept everything else from Management" in-interface-list=Management
add action=drop chain=prerouting comment="Drop the rest"
add action=drop chain=bad_tcp comment="TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="Echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="Net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="Host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="Protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="Port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="Fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment=Echo icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="Time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="Drop other icmp" protocol=icmp

/ip service
set telnet disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/system clock
set time-zone-name=America/Sao_Paulo

/system identity
set name=MikroTik-RB3011UiAS-RM

/system note
set show-at-login=no

/system ntp client
set enabled=yes

/system ntp client servers
add address=200.160.7.186
add address=201.49.148.135
add address=200.186.125.195
add address=200.20.186.76

/system package update
set channel=testing
set auto-upgrade=yes

/tool romon
set enabled=yes id=00:00:00:00:30:11

/user-manager
set certificate=CA-CERTIFICATE

hAP AC3 Config

[Prometheus@MikroTik hAP-AC3] > export
# 1970-01-02 11:08:47 by RouterOS 7.15beta9
# software id = IETE-65SI
#
# model = RBD53iG-5HacD2HnD
# serial number = XXXXXXXXXXX

/interface bridge
add frame-types=admit-only-vlan-tagged name=BRIDGE vlan-filtering=yes

/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-n .skip-dfs-channels=all .width=20/40mhz configuration.country=Brazil .hide-ssid=no .mode=ap .ssid="LFH - Management" disabled=no name=VLAN99-Management-2.4GHz security.authentication-types=wpa3-eap .disable-pmkid=yes .eap-methods=ttls .encryption=ccmp,ccmp-256 .ft=no .ft-over-ds=no .wps=\
    disable
set [ find default-name=wifi2 ] channel.band=5ghz-ac .skip-dfs-channels=all .width=20/40/80mhz configuration.country=Brazil .hide-ssid=no .mode=ap .ssid="LFH - Management" disabled=no name=VLAN99-Management-5.8GHz security.authentication-types=wpa3-eap .disable-pmkid=yes .eap-methods=tls .encryption=ccmp,ccmp-256 .ft=no .ft-over-ds=no \
    .wps=disable

/interface wifi configuration
add channel.skip-dfs-channels=all country=Brazil disabled=no mode=ap name=Preset-EAP-TTLS security.authentication-types=wpa3-eap .disable-pmkid=yes .eap-methods=ttls .encryption=ccmp,ccmp-256 .ft=no .ft-over-ds=no .wps=disable
add channel.skip-dfs-channels=all country=Brazil disabled=no mode=ap name=Preset-PSK security.authentication-types=wpa3-psk .disable-pmkid=yes .eap-methods=ttls .encryption=ccmp,ccmp-256 .ft=no .ft-over-ds=no .wps=disable

/interface wifi
add configuration=Preset-EAP-TTLS configuration.mode=ap .ssid="LFH - Trust" disabled=no mac-address=1A:FD:74:XX:XX:XX master-interface=VLAN99-Management-2.4GHz name=VLAN10-TrustedNetwork-2.4GHz security.eap-methods=ttls
add configuration=Preset-EAP-TTLS configuration.mode=ap .ssid="LFH - Trust" disabled=no mac-address=1A:FD:74:XX:XX:XX master-interface=VLAN99-Management-5.8GHz name=VLAN10-TrustedNetwork-5.8GHz security.eap-methods=ttls
add configuration=Preset-EAP-TTLS configuration.mode=ap .ssid="LFH - Family" disabled=no mac-address=1A:FD:74:XX:XX:XX master-interface=VLAN99-Management-2.4GHz name=VLAN20-FamilyNetwork-2.4GHz security.authentication-types=wpa3-eap .eap-methods=ttls .encryption=ccmp,ccmp-256
add configuration=Preset-EAP-TTLS configuration.mode=ap .ssid="LFH - Family" disabled=no mac-address=1A:FD:74:XX:XX:XX master-interface=VLAN99-Management-5.8GHz name=VLAN20-FamilyNetwork-5.8GHz security.authentication-types=wpa3-eap .eap-methods=ttls .encryption=ccmp,ccmp-256
add configuration=Preset-PSK configuration.mode=ap .ssid="LFH - Guests" disabled=no mac-address=1A:FD:74:XX:XX:XX master-interface=VLAN99-Management-2.4GHz name=VLAN40-GuestsNetwork-2.4GHz security.authentication-types=wpa3-psk .eap-methods=ttls .encryption=ccmp,ccmp-256
add configuration=Preset-PSK configuration.mode=ap .ssid="LFH - Guests" disabled=no mac-address=1A:FD:74:XX:XX:XX master-interface=VLAN99-Management-5.8GHz name=VLAN40-GuestsNetwork-5.8GHz security.authentication-types=wpa3-psk .eap-methods=ttls .encryption=ccmp,ccmp-256
add configuration=Preset-PSK configuration.mode=ap .ssid="LFH - IoT" disabled=no mac-address=1A:FD:74:XX:XX:XX master-interface=VLAN99-Management-2.4GHz name=VLAN50-IoTNetwork-2.4GHz security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp,ccmp-256
add configuration=Preset-PSK configuration.mode=ap .ssid="LFH - IoT" disabled=no mac-address=1A:FD:74:XX:XX:XX master-interface=VLAN99-Management-5.8GHz name=VLAN50-IoTNetwork-5.8GHz security.authentication-types=wpa2-psk,wpa3-psk .eap-methods=ttls .encryption=ccmp,ccmp-256

/user-manager profile
add name=EAP-TTLS name-for-users=EAP-TTLS validity=unlimited

/user-manager user
add name=Prometheus shared-users=2
add name=LucasFigueiraHarada shared-users=2

/user-manager user group
set [ find default-name=default ] outer-auths=eap-tls,eap-ttls,eap-peap,eap-mschap2

/interface bridge port
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether1
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=99
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=99
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=99
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=VLAN40-GuestsNetwork-2.4GHz pvid=40
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=VLAN40-GuestsNetwork-5.8GHz pvid=40
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=VLAN10-TrustedNetwork-2.4GHz pvid=10
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=VLAN10-TrustedNetwork-5.8GHz pvid=10
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=VLAN20-FamilyNetwork-2.4GHz pvid=20
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=VLAN20-FamilyNetwork-5.8GHz pvid=20
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=VLAN99-Management-2.4GHz pvid=99
add bridge=BRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=VLAN99-Management-5.8GHz pvid=99

/interface bridge vlan
add bridge=BRIDGE tagged=ether1 untagged=ether2,ether3,ether4,ether5,VLAN99-Management-2.4GHz,VLAN99-Management-5.8GHz vlan-ids=99
add bridge=BRIDGE tagged=ether1 untagged=VLAN40-GuestsNetwork-2.4GHz,VLAN40-GuestsNetwork-5.8GHz vlan-ids=40
add bridge=BRIDGE tagged=ether1 untagged=VLAN20-FamilyNetwork-2.4GHz,VLAN20-FamilyNetwork-5.8GHz vlan-ids=20
add bridge=BRIDGE tagged=ether1 untagged=VLAN10-TrustedNetwork-2.4GHz,VLAN10-TrustedNetwork-5.8GHz vlan-ids=10

/radius
add address=127.0.0.1 service=hotspot,wireless,ipsec,dot1x

/system identity
set name="MikroTik hAP-AC3"

/system note
set show-at-login=no

/system package update
set channel=testing

/system routerboard settings
set auto-upgrade=yes

/tool romon
set enabled=yes id=00:00:00:00:AC:03

/user-manager
set certificate=SERVER-CERTIFICATE enabled=yes

/user-manager router
add address=127.0.0.1 name=hAP-AC3

/user-manager user-profile
add profile=EAP-TTLS user=Prometheus
add profile=EAP-TTLS user=LucasFigueiraHarada

Use code quotes to shorten up the view on the config. ( black square with white brackets inside )

  1. ONE BRIDGE – ah okay using fact it has two chips…
  2. USE THIS REF: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
  3. Don’t see any wireguard settings??
  1. All one needs to on bridge itself is adjust name if so desired and turn on bridge vlan filtering as a last step… remove bit in orange.
    /interface bridge
    add frame-types=admit-only-vlan-tagged name=BRIDGE-VLAN-SW1 vlan-filtering=yes
    add frame-types=admit-only-vlan-tagged name=BRIDGE-VLAN-SW2 vlan-filtering=yes

  2. Why two management ports 3,4 why not take ether4 and make it an OFF BRIDGE access???
    If the bridge gets hosed somehow, both will be fubared, much better to have alternate emerg access, (which is also useful for any major config changes actually)

  3. /interface bridge port
    add bridge=BRIDGE-VLAN-SW1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
    add bridge=BRIDGE-VLAN-SW1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=99 { unless removed for offbridge access }
    add bridge=BRIDGE-VLAN-SW1 interface=ether5
    add bridge=BRIDGE-VLAN-SW2 interface=ether6
    add bridge=BRIDGE-VLAN-SW2 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether7
    add bridge=BRIDGE-VLAN-SW2 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10

  4. /interface bridge vlan
    add bridge=BRIDGE-VLAN-SW2 tagged=BRIDGE-VLAN-SW2,ether7,ether10 vlan-ids=10,20,30,40,50,60,70,80,90,100,200,255
    add bridge=BRIDGE-VLAN-SW2 tagged=BRIDGE-VLAN-SW2,ether6,ether7,ether10 vlan-ids=99
    add bridge=BRIDGE-VLAN-SW1 tagged=BRIDGE-VLAN-SW1,ether5 untagged=ether3,ether4 vlan-ids=99

  5. /interface list member ( ether3,4 entries were bogus, forgot to add mgmt to LAN list as well )
    add interface=PPPoE-AlgarTelecom list=WAN
    add interface=ether2 list=WAN
    add interface=VLAN10-TrustedNetwork list=LAN
    add interface=VLAN20-FamilyNetwork list=LAN
    add interface=VLAN30-LegacyNetwork list=LAN
    add interface=VLAN40-GuestsNetwork list=LAN
    add interface=VLAN50-IoTNetwork list=LAN
    add interface=VLAN60-StreamingNetwork list=LAN
    add interface=VLAN70-PrintersNetwork list=LAN
    add interface=VLAN80-VoIPNetwork list=LAN
    add interface=VLAN90-SecurityNetwork list=LAN
    add interface=VLAN99-ManagementNetwork list=LAN
    add interface=VLAN100-ServersNetwork list=LAN
    add interface=VLAN200-WireguardNetwork list=LAN
    add interface=VLAN255-DemilitarizedNetworkNetwork list=LAN
    add interface=futureWireguard list=LAN
    add interface=VLAN99-ManagementNetwork list=Management

  6. Firewall rules are bloated IMHO, KISS is what I recommend and organized clear rules ( keeping chains together etc…) are easy to troubleshoot, and modify later.
    Why are you port knocking, removed, USE WG.

/ip firewall address-list { based on fixed static DHCP leases mostly }
add address=10.0.99.X/32 list=Authorized comment="admin wired connection"
add address=10.0.99.Y/32 list=Authorized comment="admin wifi connection"
add address=10.0.10.Z/32 list=Authorized comment="admin on trusted network"
add address=10.0.2.A/32 list=Authorized comment="admin remote laptop wireguard"
add address=10.0.2.B/32 list=Authorized comment="admin remote smartphone wireguard"
/ip firewall filter
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=15427 protocol=udp { future wireguard :) }
add action=accept chain=input comment="allow admin access" src-address-list=Authorized
add action=accept chain=input comment="DNS & NTP services for LAN" dst-port=53,123 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="DNS services for LAN" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else" { put this as last rule so dont lock yourself out }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=accept chain=forward comment="admin vlan access" in-interface-list=Management out-interface-list=LAN
add action=drop chain=forward comment="drop all else"

Remove all other blocking rules for now, raw, etc, … could add some back later.

  1. I didn't understand what you mean. I'm using two bridges in the RB3011 due to a hardware limitation: it has two switch chips, each handling 5 physical interfaces. I don't really know if you're talking about them.

For devices that have multiple switch chips (for example, RB2011, RB3011, RB1100), each switch chip is only able to switch VLAN traffic between ports that are on the same switch chip, VLAN filtering will not work on a hardware level between ports that are on different switch chips, this means you should not add all ports to a single bridge if you are intending to use VLAN filtering using the switch chip, VLANs between switch chips will not get filtered. You can connect a single cable between both switch chips to work around this hardware limitation, another option is to use Bridge VLAN Filtering, but it disables hardware offloading (and lowers the total throughput). See > https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching

  1. Sure, I'll take a look when I get home

  2. I didn't finish all my config yet, I still have a lot to do

  3. Okay, I'll do it

  4. That's really nice advice, I'll implement that

I'll take a further look at 6 and 7 too when I get home.

Keep your 5, 6 as is; I had forgotten about two chips, so two bridges should work.

hAP ac3 (and technically the CRS3 switch is pretty much identical in approach/setup, minus wifi.)

  1. Remove frame types…here
    /interface bridge
    add frame-types=admit-only-vlan-tagged name=BRIDGE vlan-filtering=yes

  2. Need only to define one VLAN, and this is where the hAP gets its own IP address!!!
    /interface vlan
    add interface=BRIDGE name=VLAN99-MGMT vlan-id=99

Add the following
/ip address
add address=10.0.99.X/24 comment="IP Address for VLAN 99" interface=VLAN99-MGMT network=10.0.99.0

will finish later…

  1. Why so many management ports on the hAP ac?? Take ether5 off the bridge and also make this an emergency access port.

  2. /interface bridge port
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk from Router"
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=99
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=99
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=VLAN40-GuestsNetwork-2.4GHz pvid=40
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=VLAN40-GuestsNetwork-5.8GHz pvid=40
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=VLAN10-TrustedNetwork-2.4GHz pvid=10
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=VLAN10-TrustedNetwork-5.8GHz pvid=10
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=VLAN20-FamilyNetwork-2.4GHz pvid=20
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=VLAN20-FamilyNetwork-5.8GHz pvid=20
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=VLAN99-Management-2.4GHz pvid=99
    add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=VLAN99-Management-5.8GHz pvid=99

  6. /interface bridge vlan (only need bridge tagged for management vlan)
add bridge=BRIDGE tagged=BRIDGE,ether1 untagged=ether2,ether3,ether4,VLAN99-Management-2.4GHz,VLAN99-Management-5.8GHz vlan-ids=99
add bridge=BRIDGE tagged=ether1 untagged=VLAN40-GuestsNetwork-2.4GHz,VLAN40-GuestsNetwork-5.8GHz vlan-ids=40
add bridge=BRIDGE tagged=ether1 untagged=VLAN20-FamilyNetwork-2.4GHz,VLAN20-FamilyNetwork-5.8GHz vlan-ids=20
add bridge=BRIDGE tagged=ether1 untagged=VLAN10-TrustedNetwork-2.4GHz,VLAN10-TrustedNetwork-5.8GHz vlan-ids=10
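The mismatch behind the original symptom (a WLAN or ether port carries a pvid, but the bridge VLAN table has no matching entry listing it untagged, or no tagged trunk for that VLAN, so clients associate but never get a lease) is easy to miss by eye in a long export. The following checker is an added example, not code from this thread or from MikroTik: it parses the `/interface bridge port` and `/interface bridge vlan` sections of an export and reports every access port that has no path to the DHCP server, plus a bridge that is not tagged in the management VLAN. The sample export and its interface names are constructed to mirror the hAP ac3 config above.

```python
import re
from collections import defaultdict

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Collect the 'add' entries of /interface bridge port and /interface bridge vlan."""
    section, ports, vlans = None, [], []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
            {"/interface bridge port": ports, "/interface bridge vlan": vlans}.get(section, []).append(kv)
    return ports, vlans

def check_bridge_vlans(text, mgmt_vlan="99"):
    """Return problems that leave an access port (e.g. a WLAN) without a path to the DHCP server."""
    ports, vlans = parse_export(text)
    tagged, untagged = defaultdict(set), defaultdict(set)   # vlan-id -> member interfaces
    for v in vlans:
        for vid in v.get("vlan-ids", "").split(","):
            tagged[vid].update(filter(None, v.get("tagged", "").split(",")))
            untagged[vid].update(filter(None, v.get("untagged", "").split(",")))
    trunks = {p["interface"] for p in ports if p.get("frame-types") == "admit-only-vlan-tagged"}
    problems = []
    for p in (p for p in ports if "pvid" in p):          # trunk ports carry no pvid here
        iface, pvid = p["interface"], p["pvid"]
        if pvid not in tagged and pvid not in untagged:
            problems.append(f"{iface}: pvid {pvid} has no /interface bridge vlan entry")
        elif iface not in untagged[pvid]:
            problems.append(f"{iface}: missing from the untagged= list of vlan {pvid}")
        elif not tagged[pvid] & trunks:
            problems.append(f"vlan {pvid}: no tagged trunk port, router DHCP cannot reach {iface}")
    bridge = ports[0]["bridge"] if ports else "BRIDGE"
    if bridge not in tagged[mgmt_vlan]:
        problems.append(f"{bridge}: not tagged in vlan {mgmt_vlan}, so the AP gets no management IP")
    return problems

# Constructed sample, not a real export: the VLAN10 WLAN has a pvid but no bridge vlan entry,
# the "clients associate but never get a lease" case from the thread.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk from Router"
add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=VLAN40-GuestsNetwork-2.4GHz pvid=40
add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=VLAN10-TrustedNetwork-2.4GHz pvid=10
/interface bridge vlan
add bridge=BRIDGE tagged=BRIDGE,ether1 vlan-ids=99
add bridge=BRIDGE tagged=ether1 untagged=VLAN40-GuestsNetwork-2.4GHz vlan-ids=40
"""
```

Run `check_bridge_vlans(SAMPLE_EXPORT)` on a pasted `/export` to get the list of offending ports; an empty list means every pvid has an untagged membership and a tagged trunk behind it.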

Thanks to llamajaja and anav for the help, everything is working now haha

Also, is there any way of assigning dynamic VLANs in some other way? I mean only one SSID and, depending on the user that logs in, a different VLAN/Network will be assigned, then they'll get DHCP from that respective network.
Ex.:

LFHarada can connect only to LFH - Trusted
Girlfriend, Mother, Brother can connect only to LFH - Family

Also, does Mikrotik have some form of PPSK?

Originally i was planning on doing only two SSIDs:

SSID: LFH - EAP
Auth Type: WPA3-EAP
Cipher: CCMP, CCMP-256
EAP: TTLS
VLAN99 - Admin
VLAN10 - LFHarada
VLAN20 - Mother, Brother, Girlfriend
VLAN40 - Guests

SSID: LFH - PPSK
Auth Type: WPA3-PSK???
Cipher: CCMP, CCMP-256
VLAN50 - IoTPassword
VLAN60 - Streaming Password

If it's not possible, can I limit the SSIDs that a user can connect to?
Ex:
Admin can connect to everything
LFHarada can connect only to LFH - Trusted
And so on

One SSID per VLAN; thus which SSID they sign into determines which VLAN they get connected to.