Hello, guys!
I’m sorry about this post, but I’m still puzzled by some of MikroTik’s configuration intricacies.
My problem is that on my pretty straightforward 3-VLAN setup my CRS328-24P-4S+ is not pinging the internet, while all the connected clients get access without any problems. Another weird part is that when I enable/disable DHCP Snooping on the primary bridge I can ping the internet for a short time, but after about 3 minutes it stops working. I thoroughly checked all the possible options but I’m clearly missing something. It’s either the switch or the RB4011 router configuration.
Here’s the Switch configuration:
# jul/08/2020 13:39:35 by RouterOS 6.46.6
# software id = CQKD-RULL
#
# model = CRS328-24P-4S+
# serial number = A3A40AXXXXXX
# NOTE(review): the '# NOTE(review)' lines below are annotations only; no config line was changed.
/interface bridge
# NOTE(review): 'bridge' is the only bridge with dhcp-snooping (plus option-82 insertion);
# bridge_vlan10/20/30 keep the default (no snooping) and there is no vlan-filtering anywhere,
# so VLAN separation relies on the three extra bridges hung off VLAN interfaces of 'bridge'.
# Access ports that are members of the per-VLAN bridges (ether3-4, ether10-24 below) are
# therefore outside the snooping protection.
add add-dhcp-option82=yes admin-mac=74:4D:28:A5:60:F5 auto-mac=no comment=\
defconf dhcp-snooping=yes name=bridge
add name=bridge_vlan10
add name=bridge_vlan20
add name=bridge_vlan30
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
set [ find default-name=ether14 ] speed=100Mbps
set [ find default-name=ether15 ] speed=100Mbps
set [ find default-name=ether16 ] speed=100Mbps
set [ find default-name=ether17 ] speed=100Mbps
set [ find default-name=ether18 ] speed=100Mbps
set [ find default-name=ether19 ] speed=100Mbps
set [ find default-name=ether20 ] speed=100Mbps
set [ find default-name=ether21 ] speed=100Mbps
set [ find default-name=ether22 ] speed=100Mbps
set [ find default-name=ether23 ] speed=100Mbps
set [ find default-name=ether24 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] speed=10Gbps
set [ find default-name=sfp-sfpplus2 ] speed=10Gbps
set [ find default-name=sfp-sfpplus3 ] speed=10Gbps
set [ find default-name=sfp-sfpplus4 ] speed=10Gbps
/interface vlan
add interface=bridge name=vlan10_operation vlan-id=10
add interface=bridge name=vlan20_cctv vlan-id=20
add interface=bridge name=vlan30_hotspot vlan-id=30
/interface ovpn-client
# NOTE(review): the certificate is named like an exported CA certificate
# ('cert_export_CA.crt_0'); verify it is really a client certificate with a private key
# and not the CA itself — the OVPN server in the router export requires a client
# certificate, and a wrong cert here just fails the tunnel silently. Credentials are
# redacted here (good); the same DDNS name is dialled by the router's ovpn-client.
add certificate=cert_export_CA.crt_0 connect-to=b86809xxxxxx.sn.mynetname.net \
mac-address=C1:1E:EC:2A:75:DA name=xxxxxx password=xxxxxx \
user=aStudio-switch
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# NOTE(review): sfp-sfpplus1 is the only trusted (DHCP-server-facing) snooping port;
# every other member of 'bridge' is untrusted. That is the intended layout if
# sfp-sfpplus1 is the uplink to the RB4011 (the router export bridges its own
# sfp-sfpplus1) — presumably so, TODO confirm.
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=sfp-sfpplus1 trusted=yes
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge_vlan20 comment="Bridging vlan20 here" interface=vlan20_cctv
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether24
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether23
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether22
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether21
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether20
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether19
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether18
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether17
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether16
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether15
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether14
add bridge=bridge_vlan20 comment="vlan20_cctv port" interface=ether13
add bridge=bridge_vlan10 comment="Bridging vlan10 here" interface=\
vlan10_operation
add bridge=bridge_vlan10 comment="vlan10_operation port" interface=ether12
add bridge=bridge_vlan10 comment="vlan10_operation port" interface=ether11
add bridge=bridge_vlan10 comment=defconf interface=ether3
add bridge=bridge_vlan10 comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
# NOTE(review): ether10 is the hotspot (guest) access port — see the dhcp-client note below.
add bridge=bridge_vlan30 interface=vlan30_hotspot
add bridge=bridge_vlan30 interface=ether10
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/ip dhcp-client
# NOTE(review): four DHCP clients on four bridges. A RouterOS DHCP client installs a
# default route and peer DNS unless add-default-route=no / use-peer-dns=no is set, so
# together with the static default route below the switch can hold up to five distance-1
# default routes toward 10.0.0.1 / 10.10.0.1 / 10.20.0.1 / 10.30.0.1 (the gateways the
# router hands out). "Works for a few minutes after toggling snooping, then stops" fits a
# lease renewal swapping the active default route / preferred source address — confirm
# with '/ip route print' and '/ip dhcp-client print' while it is failing. A switch that
# only forwards at L2 normally needs a single management address; the other clients
# should at least carry add-default-route=no — TODO confirm which subnet is meant for management.
# Security: the lease on bridge_vlan30 puts a management IP on the guest/hotspot segment
# (ether10), and this export has neither an /ip firewall filter nor an /ip service section
# (the router export disables telnet/ftp/api explicitly; here they are at defaults), so
# hotspot clients have an unfiltered path to the switch's management services.
add disabled=no interface=bridge_vlan10
add disabled=no interface=bridge_vlan20
add disabled=no interface=bridge_vlan30
add disabled=no interface=bridge
/ip dns
set servers=8.8.8.8
/ip route
# NOTE(review): static default via 10.0.0.1 — competes with the DHCP-installed defaults above.
add distance=1 gateway=10.0.0.1
/system clock
set time-zone-name=America/Toronto
/system identity
set name=HeadSwitch
/system routerboard settings
set boot-os=router-os
/system scheduler
add interval=2d name="Reboot Scedule" on-event="system reboot" policy=reboot \
start-date=apr/08/2020 start-time=04:20:00
/system swos
# NOTE(review): SwOS settings apply only when boot-os is switched to swos (boot-os=router-os
# above); in that mode management is allowed from all 28 ports.
set allow-from-ports="p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p\
17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28" identity=MikroTik \
static-ip-address=192.168.88.5
/system watchdog
set automatic-supout=no watchdog-timer=no
And here’s the router configuration:
# jul/08/2020 13:41:20 by RouterOS 6.46.3
# software id = SIUN-XZ19
#
# model = RB4011iGS+
# serial number = B8FF0BXXXXXX
# NOTE(review): the '# NOTE(review)' lines below are annotations only; no config line was changed.
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2457 name=\
hotspot_2g_ch10 tx-power=30
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=\
operation_2g_ch1 tx-power=30
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5220 name=\
operation_5g_ch44 tx-power=30
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5305 name=\
operation_5g_ch149 tx-power=30
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2437 name=\
operation_2g_ch6 tx-power=30
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2472 name=\
hotspot_2g_ch13 tx-power=30
/interface bridge
# NOTE(review): same bridge-per-VLAN design as the switch (no vlan-filtering); the three
# VLAN bridges are fed by VLAN interfaces on 'bridge', which carries the tagged uplink
# (sfp-sfpplus1) together with the untagged ether2-10 LAN ports.
add admin-mac=C4:AD:34:20:B1:47 auto-mac=no comment=defconf name=bridge
add name=bridge_vlan10_operation
add name=bridge_vlan20_cctv
add name=bridge_vlan30_hotspot
/interface vlan
add interface=bridge name=vlan10_operation vlan-id=10
add interface=bridge name=vlan20_cctv vlan-id=20
add interface=bridge name=vlan30_hotspot vlan-id=30
# NOTE(review): vlan35 is disabled, yet pppoe-out1 below is bound to it — see that section.
add disabled=yes interface=bridge name=vlan35 use-service-tag=yes vlan-id=35
/caps-man datapath
add bridge=bridge_vlan10_operation client-to-client-forwarding=yes \
local-forwarding=yes name=datapath_operation
add bridge=bridge_vlan30_hotspot name=datapath_hotspot
/caps-man configuration
# NOTE(review): the two hotspot configurations carry no security= (open SSID), which is
# the usual pairing with the captive portal on bridge_vlan30_hotspot.
add channel=operation_2g_ch6 datapath=datapath_hotspot mode=ap \
multicast-helper=full name=hotspot_front ssid="a-studio beauty"
add channel=operation_2g_ch6 datapath=datapath_hotspot mode=ap \
multicast-helper=full name=hotspot_back ssid="a-studio beauty"
/caps-man security
# NOTE(review): the WPA2 passphrase is in clear in this export while the VPN credentials
# were redacted; treat it as disclosed and rotate it.
add authentication-types=wpa2-psk encryption=aes-ccm name=operation \
passphrase=meadowGreenLush13
/caps-man configuration
add channel=operation_2g_ch1 datapath=datapath_operation mode=ap \
multicast-helper=full name=operation_2_front security=operation ssid=\
constellation
add channel=operation_2g_ch1 datapath=datapath_operation mode=ap \
multicast-helper=full name=operation_2_back security=operation ssid=\
constellation
add channel=operation_5g_ch44 datapath=datapath_operation mode=ap \
multicast-helper=full name=operation_5_back security=operation ssid=\
"constellation 5"
add channel=operation_5g_ch44 datapath=datapath_operation mode=ap \
multicast-helper=full name=operation_5_front security=operation ssid=\
"constellation 5"
/interface ovpn-client
# NOTE(review): add-default-route=yes makes the tunnel, whenever it is up, install a
# default route that competes with the one from the ether1 DHCP client. If only the
# remote site should go through it, the static 4.4.4.0/23 route further down already does
# that and add-default-route can be turned off — intent to be confirmed. The switch export
# dials the same DDNS name with its own client.
add add-default-route=yes certificate=cert_export_client1.crt_0 cipher=aes128 \
connect-to=b86809xxxxxx.sn.mynetname.net mac-address=02:C9:64:2B:F3:09 \
name=mothershipUplink password=xxxxxx user=xxxxxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): the VLANS list is defined but has no members and is not referenced anywhere
# in this export.
add name=VLANS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=astudiohot.spot hotspot-address=10.30.0.1 http-cookie-lifetime=\
1d name=hsprof1 rate-limit=2m/5m
/ip hotspot
add disabled=no interface=bridge_vlan30_hotspot name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] mac-cookie-timeout=1d rate-limit=512k/512k \
shared-users=unlimited
add mac-cookie-timeout=1d name=guest shared-users=unlimited \
transparent-proxy=yes
/ip pool
# NOTE(review): 13.13.13.0/27 (VPN pool here, the ppp profile and the dhcp-server network
# below) and 4.4.4.0/23 (the mothership route) are public Internet address space, not
# RFC 1918; internal use of them blackholes the real owners of those prefixes for every
# LAN client. Prefer private space for both.
add name=lan_pool ranges=10.0.1.1-10.0.1.254
add name=operation_pool ranges=10.10.1.1-10.10.1.254
add name=guest_pool ranges=10.30.0.2-10.30.1.254
add name=ovpn ranges=13.13.13.3-13.13.13.12
add name=cctv_pool ranges=10.20.0.25-10.20.0.30
/ip dhcp-server
add address-pool=lan_pool disabled=no interface=bridge name=dhcp_bridge
add address-pool=operation_pool disabled=no interface=bridge_vlan10_operation \
name=dhcp_vlan10_operation
add address-pool=guest_pool disabled=no interface=bridge_vlan30_hotspot name=\
dhcp_vlan30_hotspot
add address-pool=cctv_pool disabled=no interface=bridge_vlan20_cctv name=\
dhcp_cctv
/ppp profile
# NOTE(review): bridge=bridge places every VPN client (OVPN and L2TP use this profile)
# at L2 on the main LAN bridge, i.e. in the same segment as the 10.0.0.0/23 management
# network. dns-server=13.13.13.13 is not an address this router holds in the export
# (local-address comes from the ovpn pool, which ends at .12) — presumably meant to be
# the router's tunnel address; verify VPN clients can actually resolve.
add bridge=bridge dns-server=13.13.13.13 local-address=ovpn name=open_vpn \
remote-address=ovpn use-compression=no use-encryption=required
/interface pppoe-client
# NOTE(review): pppoe-out1 rides on vlan35, which is disabled above, so this client can
# never come up; the PPPoE username and password are in clear in this export.
add add-default-route=yes interface=vlan35 name=pppoe-out1 password=Canada01 \
profile=default-encryption user=b12cbwrh
/caps-man manager
# NOTE(review): require-peer-certificate=yes — CAPs must present a certificate; good.
set ca-certificate=auto certificate=auto enabled=yes \
require-peer-certificate=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=operation_2_back \
name-format=identity radio-mac=74:4D:28:BC:2A:59 slave-configurations=\
hotspot_back
add action=create-dynamic-enabled master-configuration=operation_5_back \
name-format=identity radio-mac=74:4D:28:BC:2A:5A
add action=create-dynamic-enabled master-configuration=operation_2_front \
name-format=identity radio-mac=74:4D:28:BC:43:3B slave-configurations=\
hotspot_front
add action=create-dynamic-enabled master-configuration=operation_5_front \
name-format=identity radio-mac=74:4D:28:BC:43:3C
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge_vlan10_operation interface=vlan10_operation
add bridge=bridge_vlan30_hotspot interface=vlan30_hotspot
add bridge=bridge_vlan20_cctv interface=vlan20_cctv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# NOTE(review): L2TP/IPsec with an 8-digit numeric pre-shared key; the PSK is all that
# protects the IKE exchange, so use a long random secret. Because the input chain below
# has no final drop, this service is reachable from the WAN side.
set default-profile=open_vpn enabled=yes ipsec-secret=12345678 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# NOTE(review): the cipher list includes blowfish128, a legacy 64-bit-block cipher that is
# unsuitable for long-lived tunnels; restrict it to aes128,aes192,aes256.
# require-client-certificate=yes is good (the switch's client cert must then be a real
# client certificate, not the CA — see the switch export).
set certificate=server cipher=blowfish128,aes128,aes192,aes256 \
default-profile=open_vpn enabled=yes netmask=27 \
require-client-certificate=yes
/ip address
add address=10.0.0.1/23 comment=defconf interface=bridge network=10.0.0.0
add address=10.10.0.1/23 interface=bridge_vlan10_operation network=10.10.0.0
add address=10.20.0.1/27 interface=bridge_vlan20_cctv network=10.20.0.0
add address=10.30.0.1/23 interface=bridge_vlan30_hotspot network=10.30.0.0
/ip cloud
# NOTE(review): DDNS publishes this router's public address under its mynetname.net name;
# fine, but it makes the exposed services noted below discoverable by name.
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
# NOTE(review): the second entry has no interface= and looks like an incomplete leftover;
# remove it.
add comment=defconf disabled=no interface=ether1
add disabled=no
/ip dhcp-server lease
add address=10.10.1.1 client-id=1:34:7e:5c:13:ba:a8 comment="Sonos Front" \
mac-address=34:7E:5C:13:BA:A8 server=dhcp_vlan10_operation
add address=10.10.1.14 client-id=1:34:7e:5c:13:b9:ca comment="Sonos Back" \
mac-address=34:7E:5C:13:B9:CA server=dhcp_vlan10_operation
add address=10.0.1.251 client-id=1:74:4d:28:bc:43:39 comment="Front Desk AP" \
mac-address=74:4D:28:BC:43:39 server=dhcp_bridge
add address=10.0.1.250 client-id=1:74:4d:28:bc:2a:57 comment=\
"Back Hallway AP" mac-address=74:4D:28:BC:2A:57 server=dhcp_bridge
/ip dhcp-server network
add address=10.0.0.0/23 gateway=10.0.0.1
add address=10.10.0.0/23 gateway=10.10.0.1
add address=10.20.0.0/27 gateway=10.20.0.1
add address=10.30.0.0/23 gateway=10.30.0.1
add address=13.13.13.0/27 comment=open_vpn dns-server=13.13.13.13 gateway=\
13.13.13.13 netmask=27
# NOTE(review): defconf leftover — no /ip address or pool in this export uses 192.168.88.0/24.
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# NOTE(review): allow-remote-requests=yes turns the router into a resolver for anything that
# can reach udp/tcp 53 on it; with the "drop all not coming from LAN" input rule disabled
# below, that includes the WAN side (open resolver). Re-enable that rule, or add an input
# drop for dst-port=53 from in-interface-list=WAN.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
# NOTE(review): three defconf protective rules are disabled in this ruleset:
#   - input   "defconf: drop invalid"
#   - input   "defconf: drop all not coming from LAN" -> the input chain now ends in the
#     implicit accept, so every local service (DNS, winbox, ssh, www, L2TP/IPsec, OVPN,
#     hotspot) is reachable from WAN.
#   - forward "defconf: drop all from WAN not DSTNATed" -> new inbound connections from
#     WAN toward any routable internal host are forwarded.
# None of these touches LAN-originated traffic (ICMP is accepted on input, established/
# related are fasttracked on forward), so re-enabling them should not affect the switch's
# missing Internet access.
# Also: the two rules labelled "OpenVPN" accept tcp/1701 and tcp/1194. OVPN on RouterOS 6 is
# tcp/1194; the L2TP/IPsec server enabled above needs udp/500, udp/4500 and ipsec-esp, so
# the tcp/1701 rule appears to mix up the label and the port. "Remote Management" accepts
# winbox 8291 from any source — add in-interface-list=LAN or a src-address-list.
add action=accept chain=input comment=OpenVPN dst-port=1701 protocol=tcp
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=input comment="Remote Management" dst-port=8291 \
protocol=tcp
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
# NOTE(review): all four internal subnets are masqueraded toward WAN, so the switch's
# address (whichever subnet it ends up sourcing from) is covered here. Only the defconf
# rule carries ipsec-policy=out,none; if IPsec policies are ever added for the VLAN
# subnets, the three rules below would masquerade that traffic too. The comment
# "masquerade hotspot network" is reused on the cctv and operation rules (copy-paste).
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN src-address=10.0.0.0/23
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
out-interface-list=WAN src-address=10.30.0.0/23
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
out-interface-list=WAN src-address=10.20.0.0/27
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
out-interface-list=WAN src-address=10.10.0.0/23
/ip hotspot user
# NOTE(review): hotspot credentials are in clear here; expected for a shared guest login,
# but note they are now public with this post.
add name=astudio password=beauty profile=guest
/ip route
# NOTE(review): 4.4.4.0/23 is public address space — see the /ip pool note.
add comment=mothershipLAN distance=1 dst-address=4.4.4.0/23 gateway=\
mothershipUplink
/ip service
# NOTE(review): telnet/ftp/api/api-ssl disabled — good. ssh, www and winbox stay at their
# defaults and, given the input chain above, are reachable from WAN; set address= on each
# remaining service to the internal ranges, or re-enable the input drop rule.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# NOTE(review): unless it is a redaction, the L2TP secret's password is the literal word
# "password"; together with the numeric IPsec PSK this is the weakest link in the
# remote-access path, and both land the client on the LAN bridge via profile open_vpn.
add name=xxxx password=xxxxx profile=open_vpn service=ovpn
add name=xxxxx password=password service=l2tp
/system clock
set time-zone-name=America/Toronto
/system identity
set name=A-Studio
/tool mac-server
# NOTE(review): MAC-server and MAC-winbox limited to the LAN list — good.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
This is driving me nuts. It all seems correct on the surface, and I’ve read a hell of a lot of tutorials and examples. I’m still not getting it.
Thank you all in advance.