Hi folks,
I have
- A CRS326 as my main ‘router’
- a CSS610 as switch and for POE
- HAP/WAP/CAP AC as switch and for WIFI
Until now everything worked as expected. Now I updated all ROS and migrated to the new wifi capsman to make use of fast roaming. Now I cannot connect to my WIFI-Devices from VLAN 100. I bet there are other improvements or common errors hidden in my config too (I look at you, bridge PVID).
I hope you can help me. Thanks in advance, Hypernia
CRS326:
# 2025-02-04 19:58:22 by RouterOS 7.17.1
# software id = 0W7J-R7C0
#
# model = CRS326-24G-2S+
# serial number = 763C08E550B9
/interface bridge
add admin-mac=CC:2D:E0:D2:24:09 auto-mac=no comment="defconf, Prio 2000 um Root zu sein " name=bridge1 priority=0x2000 vlan-filtering=yes
/interface vlan
add interface=ether19 name="vlan7 (Telekom)" vlan-id=7
add interface=bridge1 name="vlan100 (Heim)" vlan-id=100
add interface=bridge1 name="vlan200 (Gast)" vlan-id=200
add interface=bridge1 name="vlan300 (Server)" vlan-id=300
add interface=bridge1 name="vlan400 (IoT)" vlan-id=400
/caps-man configuration
add channel.band=5ghz-a/n/ac country=etsi datapath.bridge=bridge1 .client-to-client-forwarding=yes .vlan-id=100 .vlan-mode=use-tag name=cfg_HaHo_5GHz security.authentication-types=wpa2-psk ssid=HaHo
add channel.band=5ghz-a/n/ac country=etsi datapath.bridge=bridge1 .vlan-id=200 .vlan-mode=use-tag name=cfg_TPH_5Ghz security.authentication-types=wpa2-psk ssid=TPH
add channel.band=2ghz-b/g/n country=etsi datapath.bridge=bridge1 .vlan-id=100 .vlan-mode=use-tag name=cfg_HaHo_2.4GHz security.authentication-types=wpa2-psk ssid=HaHo_2.4
add channel.band=2ghz-b/g/n country=etsi datapath.bridge=bridge1 .vlan-id=200 .vlan-mode=use-tag name=cfg_TPH_2.4 security.authentication-types=wpa2-psk ssid=TPH
/interface pppoe-client
add add-default-route=yes disabled=no interface="vlan7 (Telekom)" max-mtu=1500 name=pppoe-telekom-fiber user=123@t-online.de
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=bridge1 name=datapathHeim vlan-id=100
add bridge=bridge1 client-isolation=yes disabled=no name=datapathGast vlan-id=200
add bridge=bridge1 name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=secHAHO
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=secTPH
/interface wifi configuration
add datapath=datapath1 disabled=no name=cfgHAHO security=secHAHO security.ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no ssid=HaHo
add datapath=datapath1 disabled=no name=cfgTPH security=secTPH security.ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no ssid=TPH
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Gast-Profil supplicant-identity=""
/ip pool
add name=default-dhcp ranges=10.0.1.10-10.0.1.254
add name=Gast-DHCP ranges=10.0.2.10-10.0.2.254
add name=Server-DHCP ranges=10.0.3.10-10.0.3.254
add name=IoT-DHCP ranges=10.0.4.10-10.0.4.254
/ip dhcp-server
add address-pool=default-dhcp interface="vlan100 (Heim)" name=Heim-DHCP
add address-pool=Gast-DHCP interface="vlan200 (Gast)" name=Gast-DHCP
add address-pool=Server-DHCP interface="vlan300 (Server)" name=Server-DHCP
add address-pool=IoT-DHCP interface="vlan400 (IoT)" name=IoT-DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/queue simple
add comment="Gast-VLAN (haupts\EF\BF\BDchlich) im Upload auf < 100 % einschr\EF\BF\BDnken; Stand 2021-01-29: 100 Mbit/s Download, 4,5 Mbit/s Upload" max-limit=35M/80M name=Gast-Queue target="vlan200 (Gast),vlan200 (Gast)"
add disabled=yes dst=ether1 max-limit=2M/2M name=Test-Queue target=100.0.1.100/32
/system logging action
set 1 disk-lines-per-file=5000
/caps-man manager
set ca-certificate=auto certificate=auto
/caps-man provisioning
add action=create-dynamic-enabled comment=5GHz hw-supported-modes=ac,an,a master-configuration=cfg_HaHo_5GHz name-format=prefix name-prefix=5GHz- slave-configurations=cfg_TPH_5Ghz
add action=create-dynamic-enabled comment=2.4GHz hw-supported-modes=gn master-configuration=cfg_HaHo_2.4GHz name-format=prefix name-prefix=2.4GHz- slave-configurations=cfg_TPH_2.4
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=100
add bridge=bridge1 interface=ether3 pvid=100
add bridge=bridge1 interface=ether4 pvid=100
add bridge=bridge1 interface=ether5 pvid=100
add bridge=bridge1 interface=ether6 pvid=100
add bridge=bridge1 interface=ether7 pvid=100
add bridge=bridge1 interface=ether8 pvid=100
add bridge=bridge1 interface=ether9 pvid=100
add bridge=bridge1 interface=ether10 pvid=100
add bridge=bridge1 interface=ether11 pvid=100
add bridge=bridge1 interface=ether12 pvid=100
add bridge=bridge1 interface=ether13 pvid=100
add bridge=bridge1 interface=ether14 pvid=100
add bridge=bridge1 interface=ether15 pvid=100
add bridge=bridge1 interface=ether16 pvid=100
add bridge=bridge1 interface=ether17 pvid=300
add bridge=bridge1 interface=ether18 pvid=100
add bridge=bridge1 interface=ether21 pvid=300
add bridge=bridge1 interface=ether22 pvid=100
add bridge=bridge1 interface=ether23 pvid=100
add bridge=bridge1 interface=ether24 pvid=100
add bridge=bridge1 interface=sfp-sfpplus1 pvid=100
add bridge=bridge1 interface=ether1 pvid=100
add bridge=bridge1 interface=ether20 multicast-router=disabled pvid=100
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=100
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=200
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=300
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=400
/interface list member
add interface=bridge1 list=LAN
add interface=ether19 list=WAN
add interface="vlan200 (Gast)" list=LAN
add interface="vlan300 (Server)" list=LAN
add interface="vlan400 (IoT)" list=LAN
add interface="vlan100 (Heim)" list=LAN
/interface ovpn-server server
add mac-address=FE:CD:C9:0F:09:C0 name=ovpn-server1
/interface wifi capsman
set enabled=yes interfaces="vlan100 (Heim)" package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfgHAHO slave-configurations=cfgTPH supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=cfgHAHO slave-configurations=cfgTPH supported-bands=2ghz-n
/ip address
add address=100.0.1.1/24 interface="vlan100 (Heim)" network=100.0.1.0
add address=10.0.2.1/24 interface="vlan200 (Gast)" network=10.0.2.0
add address=10.0.3.1/24 interface="vlan300 (Server)" network=10.0.3.0
add address=10.0.4.1/24 interface="vlan400 (IoT)" network=10.0.4.0
add address=10.0.1.1/24 interface="vlan100 (Heim)" network=10.0.1.0
/ip dhcp-client
add add-default-route=no interface=ether19
/ip dhcp-server lease
add address=10.0.1.10 client-id=1:48:a9:8a:95:a8:b2 comment="Mikrotik CSS610 8P" mac-address=48:A9:8A:95:A8:B2 server=Heim-DHCP
add address=10.0.1.24 client-id=1:78:9A:18:9E:63:19 comment="Mikrotik wAP AC Garage" mac-address=78:9A:18:9E:63:19 server=Heim-DHCP
add address=10.0.1.20 client-id=1:48:8F:5A:C7:E9:89 comment="Mikrotik hAP AC\EF\BF\BD Keller" mac-address=48:8F:5A:C7:E9:89 server=Heim-DHCP
add address=10.0.1.21 client-id=1:48:8F:5A:5F:E3:FB comment="Mikrotik hAP AC\EF\BF\BD Wohnzimmer" mac-address=48:8F:5A:5F:E3:FB server=Heim-DHCP
add address=10.0.1.23 client-id=1:78:9a:18:c1:da:1c comment="Mikrotik cAP AC OG" mac-address=78:9A:18:C1:DA:1C server=Heim-DHCP
/ip dhcp-server network
add address=10.0.1.0/24 comment=Heim-Netzwerk dns-server=8.8.8.8 gateway=10.0.1.1
add address=10.0.2.0/24 comment=Gast-Netzwerk dns-server=8.8.8.8 gateway=10.0.2.1
add address=10.0.3.0/24 comment=Server-Netzwerk dns-server=10.0.3.10 gateway=10.0.3.1
add address=10.0.4.0/24 comment=IoT-Netzwerk dns-server=10.0.3.10 gateway=10.0.4.1
/ip dns
set allow-remote-requests=yes servers=10.0.3.10,fe80::d103:7c63:3e44:4b45
/ip dns static
add address=100.0.1.1 name=router.lan type=A
/ip firewall address-list
add address=apialgo.doorbird.net list="Doorbird.net Domains"
add address=doorbird.net list="Doorbird.net Domains"
/ip firewall filter
add action=accept chain=forward comment=TEST in-interface-list=LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Alles erlaubt aus Heim-VLAN" in-interface="vlan100 (Heim)"
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Test: Alles erlauben aus LAN" disabled=yes src-address=10.0.0.0/16
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Loopback erlaubt fuer Cap in Capsman " dst-address-type=local src-address-type=local
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="DNS-UDP-Anfragen an Odroid erlauben" dst-address=10.0.3.10 dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=forward comment="DNS-TCP-Anfragen an Odroid erlauben" dst-address=10.0.3.10 dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=forward comment="Drop Inter-VLAN-Routing" in-interface=all-vlan out-interface=all-vlan
add action=drop chain=forward comment="Internet f\C3\BCr IoT verbieten" in-interface="vlan400 (IoT)" out-interface=pppoe-telekom-fiber
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=pppoe-telekom-fiber src-address=10.0.0.0/16
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip proxy access
add action=deny comment="block telnet & spam e-mail relaying"
add action=deny comment="allow CONNECT only to SSL ports 443 [https] and 563 [snews]" method=CONNECT
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add disabled=yes interface=bridge1 type=internal
add disabled=yes interface=ether20 type=external
add disabled=yes interface="vlan7 (Telekom)" type=external
/ipv6 address
add from-pool=pool-ipv6 interface="vlan100 (Heim)"
add from-pool=pool-ipv6 interface="vlan200 (Gast)"
add from-pool=pool-ipv6 interface="vlan300 (Server)"
add from-pool=pool-ipv6 interface="vlan400 (IoT)"
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-telekom-fiber pool-name=pool-ipv6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=hypernia.spdns.de list=Odroid
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="TEST: Alles zum Odroid erlauben" disabled=yes dst-address-list=Odroid
add action=accept chain=forward comment="Aus Heimnetz alles erlauben" in-interface="vlan100 (Heim)"
add action=drop chain=forward comment="Inter-VLAN-Routing unterbinden" in-interface=all-vlan out-interface=all-vlan
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] interface="vlan100 (Heim)"
add hop-limit=64 interface="vlan200 (Gast)"
add hop-limit=64 interface="vlan300 (Server)"
add hop-limit=64 interface="vlan400 (IoT)"
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="MikroTik CRS326 Router"
/system logging
add action=disk topics=firewall
add action=echo topics=firewall
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
The CSS610 has the sfp+ as trunk and VLAN 100 as Default for SFP and the HAP/WAP/CAP-Devices.
This is one config of an HAP AC (CAPs and WAP are built analogue):
/interface bridge
add admin-mac=48:8F:5A:C7:E9:89 auto-mac=no name=bridge1 pvid=100 vlan-filtering=yes
/interface wifi
# managed by CAPsMAN 10.0.1.1, traffic processing on CAP
# mode: AP, SSID: HaHo, channel: 2412/n/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN 10.0.1.1, traffic processing on CAP
# mode: AP, SSID: HaHo, channel: 5500/ac/Ceee/D
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN 10.0.1.1, traffic processing on CAP
# mode: AP, SSID: TPH
add configuration.mode=ap disabled=no mac-address=4A:8F:5A:C7:E9:95 master-interface=wifi1 name=wifi21
# managed by CAPsMAN 10.0.1.1, traffic processing on CAP
# mode: AP, SSID: TPH
add configuration.mode=ap disabled=no mac-address=4A:8F:5A:C7:E9:96 master-interface=wifi2 name=wifi22
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether1 pvid=100
add bridge=bridge1 interface=wifi1 pvid=100
add bridge=bridge1 interface=wifi2 pvid=100
add bridge=bridge1 interface=wifi21 pvid=200
add bridge=bridge1 interface=wifi22 pvid=200
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=wifi1,wifi2 vlan-ids=100
add bridge=bridge1 tagged=ether1,bridge1 untagged=wifi21,wifi22 vlan-ids=200
/interface ovpn-server server
add mac-address=FE:88:62:0D:E2:0B name=ovpn-server1
/interface wifi cap
set caps-man-addresses=10.0.1.1 discovery-interfaces=ether1 enabled=yes slaves-static=yes
/ip dhcp-client
add interface=bridge1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="Mikrotik hAP AC\B2 Keller"
/system note
set show-at-login=no