CAPsMAN and guestwifi, no internet on guestwifi

RouterOS Wireless Networking
1

Hi,

I have been browsing internet and this forum for at least a week now but havent been able to find out and solve my issue.

I am using an RB2011UAS-2HnD and two times mAP lite.

i configured:

DHCP client on Ethernet1 (named as WAN)
Bridge “main”
IP adresses 10.10.10.0/24
DHCP pool0 for 10.10.10.2 - 10.10.10.254
Gateway 10.10.10.1
all Lan ports mapped to Main
NAT srcnet masquerade rule created

Bridge “guest”
IP adresses 10.10.20.0/24
DHCP pool1 for 10.10.20.2 - 10.10.20.254
gateway 10.10.20.1
out interface “WAN”
NAT srcnet masquerade rule created

CAPsMan configuration1 mapped to datapath1 which is mapped to Main bridge with ssid “wifi”
CAPsman configuration2 mapped to datapath2 which is mapped to Guest bridge with ssid “wifiguests”

What is working correct:
Internet connectivity over LAN
Internet connectivity over WLAN “wifi”
connect to WLAN “wifiguests” & get IP adress

What is not working:
Connect to internet from “wifiguests”

I hope someone is able to help me out.

2

Please post export of nat rules. In similar configuration I have only one nat rule, not 2, perhaps there is something wrong.

3

Hi, i took an export of complete firewall settings.
Evreything on IP address range 10.10.10.0/24 is working fine. 10.10.20.0/24 does not have internet access

# aug/22/2017 09:06:55 by RouterOS 6.40.1
# software id = 7YSF-D0R9
#
# model = 2011UAS-2HnD
# serial number = ***************
/ip firewall address-list
add address=10.10.10.4 list=Allow_Email
/ip firewall filter
add action=accept chain=input src-address=127.0.0.1
add action=drop chain=input comment="drop all invalid conections" \
    connection-state=invalid
add action=reject chain=output dst-port=110,995,143,993,25,465,587 log=yes \
    log-prefix=rejectports out-interface=WAN protocol=tcp reject-with=\
    icmp-network-unreachable src-address-list=!Allow_Email
add action=reject chain=forward dst-port=110,995,143,993,25,465,587 log=yes \
    log-prefix=rejectports out-interface=WAN protocol=tcp reject-with=\
    icmp-network-unreachable src-address-list=!Allow_Email
add action=accept chain=input comment="Allow all establised connections" \
    connection-state=established
add action=accept chain=input in-interface=!WAN src-address=10.10.10.0/24
add action=accept chain=input in-interface=!WAN src-address=10.10.20.0/24
add action=drop chain=input comment="Drop all" log=yes log-prefix=\
    dropallinput
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN src-address=\
    10.10.20.0/24
add action=masquerade chain=srcnat src-address=10.10.10.0/24
4

Try below rule

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN src-address=10.10.10.0/24

5

I changed this rule but unfortunately no effect.
Still no internet on guest wifi.
I can see traffic on the bridge but its not connecting to internet at all.

6

Try these rules

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=masquerade chain=srcnat out-interface=main
add action=masquerade chain=srcnat out-interface=guest

7

You need only one rule in nat chain srcnat.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN

Just curiosity - there are any dropped connections in output chain (rule with many email related ports)? IMHO this rule is useless.

8

Hi Karlis,

changing the NAT has no effect.

about the rules in fw, if i clean the address list, my main pc is not able to send email anymore. then i will see dropped packets.
Reason i put the rule in, is that i was blocked by my internet provider because of bulk email being send from my IP adres.

br hans

9

IP > Addresses
10.10.10.1/24
10.10.20.1/24

Instead of 10.10.20.0/24 and 10.10.10.0/24

10

this is what i have already

/ip address
add address=10.10.10.1/24 interface=woodynet network=10.10.10.0
add address=10.10.20.1/24 interface=guests network=10.10.20.0
11

Did you check your IP > Router List

guests route should look like

Dst. Address 10.10.20.1/24
Gateway guests reachable
Pref. Source 10.10.20.1

12

it looks almost the same, but as 10.10.10.0/24 is working correct i assume 10.10.20.0/24 setting is correct as well

13

What exactlynot working? http? ping to 8.8.8.8? ping to external ip of router? everything?

14

Hi Karlis,

thanks for the suggestions to test.
Ping 8.8.8.8 is working fine
Ping WAN (public) IP address is working fine

also i tried to ping some other IP adresses (of commonly used websites) this is working fine as well
As soon as i try to ping a url, i recieve an error.
“temporary failure in name resolution”

Do i need to define a dns for my guest network?
Where do i need to do this?

br hans

15

in my DHCP i have nothing configured

i tried to put here 8.8.8.8 to test but its not helping

16

I had issues before with the router not picking up dns settings from ISP
Check to see if the input fields are empty or contain DNS IP’s

Go to IP > DNS

You should have DNS IP addresses in the dynamic input fields, maybe update the router to the lastest bugfix if the inputs are empty

System > Packages > Check for updates > Channel > Bugfix only

17

Hi Flynno

This is not the issue, DNS is picked up correctly.

The 10.10.10.0/24 network is working fine.
The issue is related ONLY to the 10.10.20.0/24 network which i want to use for guests wifi access limited to internet only.

DNS:

DHCP CLIENT:

18

Is the master interface of the guest network set to the main in capsman see image
CAPSMAN.jpg

19

sure thats done
i can ping ip adresses from guests wifi as well.

20

Looks like it is solved.

i found a message in internet about teh src-address for nat to be 0.0.0.0/0

this solved the issue