Different DHCP ranges with Mikrotik with Cisco AiroNet

Hi,

I successfully set up two SSIDs on my Mikrotik that are on separate VLANs and associated with different DHCP servers (all defined on the Mikrotik). This is working as expected.

SSID: Work
VLAN: 1
DHCP: 192.168.16.x



SSID: Guest
VLAN: 20
DHCP: 192.168.25.x

This is working as expected.

I want to extend my range using a Cisco Aironet AP in Autonomous mode.

I set up the VLANs (1 is native). My problem is that when a device connects to Guest it is not getting an IP address in the 192.168.25.0 range.

Is there a tutorial I can follow to achieve this?

So…you want to configure the Cisco AiroNet? Can you please share your router's config (/export hide-sensitive file=anythingyoulike)?
On what port is the AiroNet connected? Assuming the AiroNet is wired to the router!?

The Cisco is connected through a switch.

I would like to point out that currently the Cisco is assigning IP addresses from the Mikrotik DHCP server for the native VLAN.

Thanks

# dec/21/2020 11:37:42 by RouterOS 6.47.3
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = xxxxxxx580DC
#
# Review notes on this export (partially redacted by the poster):
#  - The bridge is not VLAN-aware (no vlan-filtering) and VLAN 20 exists only
#    as a tag on the two Guest_wlan_* virtual APs; no ethernet port carries
#    it, so tagged VLAN 20 frames from the Cisco AP have no path to the guest
#    DHCP server. That is the symptom asked about in the thread.
#  - "Keyboard-Mouse-Monitor" below is a real-looking WPA passphrase that was
#    not masked; treat it as disclosed and rotate it.
#  - Values shown as "*A" / "*6" are references to objects that no longer
#    exist; RouterOS marks them "# no interface" in the export.
/interface bridge
# Three bridges: the main LAN bridge plus one per guest radio. Guest
# separation is attempted with bridge filters further down instead of VLANs.
add admin-mac=xxxxxxx:E4:59 auto-mac=no comment=defconf name=bridge
add name=bridge_vlan20_2.4
add name=bridge_vlan20_5.0
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
/interface wireless
# Main SSID on both radios. default-forwarding=no stops client-to-client
# traffic on the radio; the CAPsMAN datapath below says the opposite
# (client-to-client-forwarding=yes) but only applies if CAP mode is enabled.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=<cntry> default-forwarding=no disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=WORKNET-AP station-roaming=\
    enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eCee country= default-forwarding=no disabled=no \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    WORKNET-AP station-roaming=enabled wireless-protocol=802.11
/caps-man security
# WPA2-PSK/AES-CCM for CAPsMAN-managed radios (passphrase masked).
add authentication-types=wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=security passphrase=xxxxxx
/caps-man configuration
# CAPsMAN profiles for the main SSID. See the note at /caps-man manager:
# they are not applied to the local radios unless CAP mode is enabled.
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz \
    channel.extension-channel=XX country=<cntry> \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    name=cfg-2ghz security=security ssid=WORKNET-AP
add channel.band=5ghz-a/n/ac channel.control-channel-width=20mhz \
    channel.extension-channel=XXXX country=<cntry> \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    name=cfg-5ghz-ac security=security ssid=WORKNET-AP
add channel.band=5ghz-a/n channel.control-channel-width=20mhz \
    channel.extension-channel=XX country=<cntry> \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    name=cfg-5ghz-an security=security ssid=WORKNET-AP
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default profile: only wpa2-psk is in authentication-types, so the
# wpa-pre-shared-key (WPA1) value is carried but never used.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    xxxxxx wpa2-pre-shared-key=xxxxxx
# NOTE(review): the passphrase on the next lines was exported in clear text.
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile supplicant-identity=MikroTik wpa-pre-shared-key=\
    Keyboard-Mouse-Monitor wpa2-pre-shared-key=Keyboard-Mouse-Monitor
# Guest profile reuses the same passphrase as "profile" above; guests and
# staff should not share a key.
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    guest_wifi supplicant-identity="" wpa2-pre-shared-key=\
    Keyboard-Mouse-Monitor
/interface wireless
# Guest virtual APs: vlan-mode=use-tag tags client frames with VLAN 20 as
# they enter the bridge. wps-mode=disabled is the right choice for a guest
# SSID.
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:E4:5E \
    master-interface=wlan1 multicast-buffering=disabled name=Guest_wlan_2.4 \
    security-profile=guest_wifi ssid=GUESTNET-AP vlan-id=20 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:E4:5D \
    master-interface=wlan2 multicast-buffering=disabled name=Guest_wlan_5.0 \
    security-profile=guest_wifi ssid=GUESTNET-AP vlan-id=20 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
# VLAN sub-interfaces on top of the already-tagging virtual APs. Each parent
# and its sub-interface end up in the same bridge (see /interface bridge
# port), which is one of the loops the Layer2_misconfiguration page warns
# about.
add interface=Guest_wlan_2.4 name=vlan20_2.4 vlan-id=20
add interface=Guest_wlan_5.0 name=vlan20_5.0 vlan-id=20
/ip pool
add name=dhcp ranges=192.168.16.20-192.168.16.99
# OpenVPN clients draw from 192.168.88.x; compare the 192.168.89.x values
# used by the default PPP profile and the VPN masquerade rule further down.
add name=vpn_pool ranges=192.168.88.2-192.168.88.82
add name=dhcp_pool2 ranges=192.168.25.20-192.168.25.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# Guest DHCP listens on bridge_vlan20_2.4 only; bridge_vlan20_5.0 has neither
# an address nor a server, so 5 GHz guests depend on the vlan20_5.0
# sub-interface being bridged into bridge_vlan20_2.4.
add address-pool=dhcp_pool2 disabled=no interface=bridge_vlan20_2.4 \
    lease-time=5m name=dhcp_vlan20
/ppp profile
add comment="OpenVPN pool" dns-server=192.168.88.1 local-address=192.168.88.1 \
    name=vpn_profile remote-address=vpn_pool use-upnp=no
/caps-man manager
# CAPsMAN manager is on, but /interface wireless cap below carries no
# enabled=yes, so the local radios stay under the direct wlan configuration
# above and the CAPsMAN profiles are effectively idle.
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    cfg-2ghz name-format=prefix-identity name-prefix=2ghz
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    cfg-5ghz-ac name-format=prefix-identity name-prefix=5ghz-ac
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    cfg-5ghz-an name-format=prefix-identity name-prefix=5ghz-an
/interface bridge filter
# L2 guest isolation for the 2.4 GHz guest AP: nothing is forwarded to or
# from it inside the bridge. This does not restrict guest traffic to the
# router itself; that is left to /ip firewall filter.
add action=drop chain=forward in-interface=Guest_wlan_2.4
add action=drop chain=forward out-interface=Guest_wlan_2.4
# no interface
# "*A" is a dangling reference to a removed interface; this rule matches
# nothing.
add action=drop chain=forward in-interface=*A
# bad packet mark
# The exporter flags this rule as invalid (empty packet-mark, all-zero MAC
# masks); it is not providing the intended 5 GHz guest isolation.
add action=drop chain=forward dst-mac-address=\
    00:00:00:00:00:00/FF:FF:FF:FF:FF:FF ingress-priority=0 mac-protocol=ip \
    out-interface=Guest_wlan_5.0 packet-mark="" src-mac-address=\
    00:00:00:00:00:00/FF:FF:FF:FF:FF:FF
# no interface
add action=drop chain=forward out-interface=*A
/interface bridge host
# Static host-table entry pinning one MAC to ether3.
add bridge=bridge interface=ether3 mac-address=xx:xx:xx:xx:21:33
/interface bridge port
# Main bridge: ether2-5 and both physical radios, all untagged.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# Guest_wlan_2.4 and its own VLAN sub-interface vlan20_2.4 are both ports of
# bridge_vlan20_2.4 (same frames, two paths). vlan20_5.0 also lands here
# while its parent Guest_wlan_5.0 goes to bridge_vlan20_5.0.
add bridge=bridge_vlan20_2.4 interface=Guest_wlan_2.4
# Dangling reference to a removed interface.
add bridge=bridge interface=*A
add bridge=bridge_vlan20_2.4 interface=vlan20_2.4
add bridge=bridge_vlan20_2.4 interface=vlan20_5.0
add bridge=bridge_vlan20_5.0 interface=Guest_wlan_5.0
/ip neighbor discovery-settings
# "!dynamic" includes ether1_WAN, so MNDP/CDP/LLDP announcements (identity,
# model, RouterOS version) are sent toward the ISP; restrict this to the LAN
# list.
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# L2TP/IPsec (secret masked). The input chain below accepts only OpenVPN
# and LAN traffic, so this is unreachable from WAN; disable it if unused.
set enabled=yes ipsec-secret=xxxxxxxxxxxxxxxxxxxxxx \
    use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
/interface ovpn-server server
# OpenVPN on TCP/1194, client certificates required. auth=sha1 is the only
# non-MD5 choice RouterOS 6 offers here.
set auth=sha1 certificate=Server cipher=aes256 default-profile=vpn_profile \
    enabled=yes require-client-certificate=yes
/interface pptp-server server
# PPTP (MS-CHAPv2/MPPE) is cryptographically broken. It is also blocked from
# WAN by the input chain, so this is an idle listener that should be off.
set enabled=yes
/interface sstp-server server
# SSTP listens on TCP/443, but the HTTPS dst-nat rule below sends all
# inbound 443 to 192.168.16.4, so no external client can reach it.
set default-profile=default-encryption enabled=yes
/interface wireless cap
# CAP settings only; without enabled=yes the CAPsMAN configuration above is
# not applied to wlan1/wlan2.
set bridge=bridge interfaces=wlan2,wlan1
/ip address
# The LAN gateway address is bound to ether2, which is a port of "bridge".
# Addresses belong on the bridge interface itself, not on a member port.
add address=192.168.16.1/24 comment=defconf interface=ether2 network=\
    192.168.16.0
add address=xxx.yyy.zzz.180/27 interface=ether1_WAN network=xxx.yyy.zzz.160
# Guest gateway lives on bridge_vlan20_2.4 only.
add address=192.168.25.1/24 interface=bridge_vlan20_2.4 network=192.168.25.0
/ip cloud
# Publishes the WAN address to MikroTik's DDNS service.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1_WAN
/ip dhcp-server lease
add address=192.168.16.150 client-id=VideoDoor comment="VDB" \
    mac-address=xx:xx:xx:xx:10:14 server=defconf
/ip dhcp-server network
add address=192.168.16.0/24 comment=defconf gateway=192.168.16.1 netmask=24
add address=192.168.25.0/24 comment="Guest Network" gateway=192.168.25.1
# 192.168.87.0/24 with a gateway in 192.168.89.0/24 matches no pool or
# address in this export (OpenVPN uses 192.168.88.x); looks like a stale
# entry.
add address=192.168.87.0/24 comment=vpn dns-server=192.168.89.1 gateway=\
    192.168.89.1 netmask=24
/ip dns
# Resolver answers clients; only the final input-chain drop keeps WAN
# queries out (open-resolver risk if that rule is ever relaxed).
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip dns static
add address=192.168.16.1 comment=defconf name=router.lan
/ip firewall filter
# Input chain: accept OpenVPN from anywhere, drop WAN pings, one blocked
# source, then drop everything not from the LAN list. There is no
# established,related accept in input, so replies to the router's own
# connections on ether1_WAN (its DNS lookups, cloud DDNS) would fall to the
# !LAN drop — verify the router can resolve names itself.
add action=accept chain=input comment="allow OpenVPN" dst-port=1194 protocol=\
    tcp
# Forward chain: defconf fasttrack / established / invalid / WAN-not-dstnat.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Drops ICMP echo requests from WAN; all other ICMP from WAN is dropped by
# the final input rule too, which can break PMTU discovery for the router's
# own connections.
add action=drop chain=input icmp-options=8:0-255 in-interface=ether1_WAN \
    protocol=icmp
# Single-host block as posted.
add action=drop chain=input src-address=92.63.194.7
# Final input drop. This is what leaves L2TP/IPsec, PPTP and SSTP (all
# enabled above) unreachable from WAN.
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
# Hairpin masquerade so LAN hosts using the public address get their replies
# back through the router.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forwards keyed on the public address with no in-interface match,
# which is what lets the hairpin path above work from inside.
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.180 \
    dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.180 \
    dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-address=xxx.yyy.zzz.180 \
    dst-port=5552 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-address=xxx.yyy.zzz.180 \
    dst-port=52400 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
add action=dst-nat chain=dstnat comment=uT disabled=yes dst-address=\
    xxx.yyy.zzz.180 dst-port=46978 protocol=tcp to-addresses=192.168.16.9 \
    to-ports=46978
# Masquerades 192.168.89.0/24 — the default PPP profile's subnet below, not
# the 192.168.88.x OpenVPN pool.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route
add distance=1 gateway=xxx.yyy.zzz.161
/ppp profile
# The default profile's remote-address points at "*6", a pool that no longer
# exists; clients on this profile cannot be assigned an address.
set *FFFFFFFE dns-server=192.168.16.1 local-address=192.168.89.1 \
    remote-address=*6
/ppp secret
# Two OpenVPN users (passwords masked) on vpn_profile.
add name=aaaabonn password=xxxxxxxxxxxxxxxxxxxxxx \
    profile=vpn_profile service=ovpn
add name=aaaaie password=yyyyyyyyyyyyyyyyyyyyy profile=\
    vpn_profile service=ovpn
/system clock
set time-zone-name=Europe/<cntry>
/system logging
# Logs DHCP events; useful while chasing lease problems.
add topics=dhcp
/tool mac-server
# MAC-telnet and MAC-WinBox only from the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The bridge and VLAN setup is horrible and has several of the errors described here https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration.

The simplest method would be to use a single VLAN-aware bridge - there is a good primer on Mikrotik VLANs http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 and there are skeleton examples in the Wiki.

If you need wire-speed switching between ethernet ports on the hAP AC lite you can use a single non-VLAN-aware bridge and configure the switch chip, but be aware that the switch chip does not support hybrid ports.

Thanks for the input. I was following online guides :slight_smile:

I will reset it and try to find a document I can follow.

Unfortunately many third-party blogs and videos are outdated (mostly by firmware changes such as the introduction of VLAN-aware bridges), less than optimal or insecure. The guide in my previous post is a good starting point, MUM (Mikrotik User Meeting) presentations are also a good source. The Mikrotik Wiki and help pages provide example code fragments rather than complete configurations, and there will be other posts doing similar in the forums.

If you start with the default configuration (which uses VLAN 1 as native) all you should have to do is set the bridge to be VLAN-aware, add a VLAN interface / IP address / DHCP server / bridge VLAN, and update the firewall as required.

If you are only using Mikrotik WiFi on the hAP AC lite itself it is far easier to configure the wlan interfaces directly rather than using CAPsMAN.

I restored the backup to what it was before the changes. I will try to follow the guides you suggested. I would ideally like to use both the Mikrotik itself and the Cisco since I need to cover a considerably large area.

Using the WiFi on the Mikrotik itself doesn't require CAPsMAN, just configure the wlan interfaces directly

Hi,

I studied the page at http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 and focused on the Router-Switch-AP (all in one) section, which applies to me. As I only need Guest access on WiFi, I dropped the changes related to the physical ports.

My Mikrotik has both 2.4 and 5GHz antennas. Do the lines below mean that each antenna will be dedicated to a different VLAN?

# Blue SSID
# Quoted from the linked VLAN guide; the [b]..[/b] markers are the poster's
# emphasis and "password" is a placeholder.
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
[b]/interface wireless set [ find default-name=wlan1 ] ssid=BLUE frequency=auto mode=ap-bridge disabled=no[/b]

# Green SSID
# "wlan2" here is a virtual AP created on wlan1 (master-interface=wlan1),
# not the device's second radio.
/interface wireless security-profiles add name=guest authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
[b]/interface wireless add name=wlan2 ssid=GREEN master-interface=wlan1 security-profile=guest disabled=no[/b]

I’ve enabled the openvpn service and would like access using this service to be on VLAN 10. Where would I specify this setting please?

My final question is related to an AP I have. It supports VLANs (Cisco Autonomous mode). On this device, if I set the corresponding VLANs, would I be right to expect the Mikrotik to issue DHCP addresses based on the VLAN reference (10 and 20 for BLUE and GREEN)?

Thanks for all the help

You will need a hybrid port with main network untagged and guest network tagged to support your Cisco AP.


Also, my Mikrotik has both 2.4 and 5GHz antennas. Do the lines below mean that each antenna will be dedicated to a different VLAN?

No. The example is for a device with a single radio with a secondary SSID ... name=wlan2 ssid=GREEN master-interface=wlan1 ...

If both radios on your Mikrotik are guest only attach both of them to the guest network, however if you wish to have main and guest on both radios you would have

# Blue SSID
# Two-radio layout: the main SSID on each physical radio, then one guest
# virtual AP per radio. "mainpassword" / "guestpassword" are placeholders
# and must differ from each other.
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="mainpassword"
/interface wireless set [ find default-name=wlan1 ] ssid=BLUE frequency=auto mode=ap-bridge disabled=no
/interface wireless set [ find default-name=wlan2 ] ssid=BLUE frequency=auto mode=ap-bridge disabled=no

# Green SSID
# wlan3/wlan4 are virtual APs on wlan1/wlan2; they still need bridge-port
# and bridge-VLAN entries (guest PVID) to be isolated from the main network.
/interface wireless security-profiles add name=guest authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="guestpassword"
/interface wireless add name=wlan3 ssid=GREEN master-interface=wlan1 security-profile=guest disabled=no
/interface wireless add name=wlan4 ssid=GREEN master-interface=wlan2 security-profile=guest disabled=no

and update the bridge configuration accordingly. You don't have to call the additional interfaces wlan3 and wlan4; they could be something which reflects them being secondary interfaces, such as wlan1-guest and wlan2-guest.

Thank you @tdw. I hope to share the script with my particular case after I get it to work.

Even though the sample has it commented, what is the purpose of admin (vlan 99)? Wouldn’t vlan-10 be sufficient?

Also I have port forwarding; <public IP address> corresponds to my ISP's public (fixed) IP.

/ip firewall nat

# <public IP address> stands for the poster's fixed WAN address. dst-nat only
# rewrites the layer-3 destination; the packet is then routed to whichever
# VLAN interface holds 192.168.16.0/24, so no VLAN tag is specified here.
add action=dst-nat chain=dstnat comment=Plex dst-address=<public IP address> \
    dst-port=52400 protocol=tcp to-addresses=192.168.16.8 to-ports=32400

My reasoning tells me that dst-address would stay unchanged, but how do I tell the Mikrotik to add the tag 10?

Thank you again.

I think I found the answer in the same page you shared under the Firewall Customizations: section.

# Optional: Allow all VLANs to access a server (or printer) listening on Port 80 in the RED_VLAN
# add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface=RED_VLAN dst-port=80 protocol=tcp comment="Allow access to Server on RED_VLAN"

In my case the in-interface would be the BRIDGE and the out-interface would be BLUE.

I plan to try this over next few days and will report (have only the one Mikrotik).

I believe it is to separate management from all user device traffic, there isn't an issue with having a combined 'trusted device and management' network and just separating untrusted / guest devices - it depends on your risk analysis / level of paranoia.


Also I have port forwarding; <public IP address> corresponds to my ISP's public (fixed) IP. My reasoning tells me that dst-address would stay unchanged, but how do I tell the Mikrotik to add the tag 10?

The dst-nat rule changes the IP and port at layer 3; it doesn't care about VLANs. After NAT the packets are routed to the matching subnet, which in this case happens to be on a VLAN interface.


I think I found the answer in the same page you shared under the Firewall Customizations: section. In my case the in-interface would be the BRIDGE and the out-interface would be BLUE.

That example is to allow a device on any VLAN to access a specific service on RED_VLAN. You don't need additional firewall rules for external dst-nat access (the replies are handled by the established,related rule); such rules are only needed if you wish to allow specific VLAN-to-VLAN traffic.

Thanks.

I plan to try this out 27th and will report back

Hello and happy holidays.

# dec/27/2020 13:42:00 by RouterOS 6.47.3
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
#
# Review notes: VLAN-aware rebuild following the "Router-Switch-AP" guide.
# The device serial was masked in the earlier export but not here; keys are
# stripped by hide-sensitive. Two things to look at: the input chain admits
# every router service from every VLAN (guests included), and the forward
# chain allows only VLAN->WAN, which drops dst-natted, hairpinned and
# OpenVPN-client traffic alike (the two "glitches" reported below).
/interface bridge
# Single VLAN-aware bridge, STP off.
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
/interface wireless
# Main SSID on both radios, fixed channels.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
    ssid=SOHO-AP
/interface vlan
# Routed VLAN interfaces on the bridge: 99 management (BASE), 20 guest,
# 10 main.
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
# WAN = ether1; VLAN = every routed VLAN interface; BASE = management only.
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
# WPA2-PSK profiles; pre-shared keys removed by hide-sensitive.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik
/interface wireless
# Virtual APs per radio: *-admin on the BASE SSID (VLAN 99), *-guest on the
# guest SSID (VLAN 20).
add disabled=no mac-address=E6:8D:8C:D6:E4:5F master-interface=wlan1 name=\
    wlan1-admin security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
    wlan1-guest security-profile=guest ssid=HOMENET-GUEST
add disabled=no mac-address=E6:8D:8C:D6:E4:60 master-interface=wlan2 name=\
    wlan2-admin security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
    wlan2-guest security-profile=guest ssid=HOMENET-GUEST
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
# One DHCP server per user VLAN; BASE_VLAN has none (management hosts are
# presumably static — confirm).
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
/interface bridge port
# Access ports: untagged ingress only, ingress-filtering=yes, PVID by role.
# ether2 (Cisco AP) is PVID 10 here and additionally a tagged member of
# VLANs 20 and 99 in the VLAN table below — the hybrid port described in
# the thread.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2-guest pvid=20
# The admin virtual APs lack frame-types / ingress-filtering, unlike every
# other port. With the RouterOS defaults (admit-all, no ingress filtering)
# tagged frames from a client are not rejected on VLAN membership, so these
# ports do not confine the management SSID to VLAN 99. Add
# `frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes`
# to both for consistency.
add bridge=BR1 interface=wlan1-admin pvid=99
add bridge=BR1 interface=wlan2-admin pvid=99
/ip neighbor discovery-settings
# Neighbor discovery limited to the management VLAN.
set discover-interface-list=BASE
/interface bridge vlan
# BR1 itself is tagged in every VLAN so the /interface vlan entries above can
# terminate them. ether2 is trunked for 20 and 99, so the management VLAN
# reaches the Cisco AP's port; keep 99 there only if that AP serves the BASE
# SSID.
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-admin,wlan2-admin vlan-ids=99
/interface list member
# The VLAN list contains GUEST_VLAN as well as the main and management
# VLANs; see the "Allow VLAN" input rule below.
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
# OpenVPN on TCP/1194, client certificate required, sha1/aes256.
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
    require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=xxx.yyy.zzz.180/27 comment="ISP Configuration" interface=\
    ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server network
# Both subnets hand out 192.168.0.1 (the router's BASE_VLAN address) as DNS;
# that works only because the input chain accepts everything from the VLAN
# list.
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=192.168.0.1 \
    gateway=10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.0.1 \
    gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
# "Allow VLAN" admits every router service (WinBox, www, ssh, API, DNS) from
# guest and main VLANs alike. A tighter equivalent accepts only DNS from the
# VLAN list and management from BASE, e.g.
#   add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53
#   add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53
#   add chain=input action=accept in-interface-list=BASE
# with the OpenVPN rule kept below them.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow OpenVPN (OVPN)" dst-port=1194 \
    protocol=tcp
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
# Only new VLAN->WAN connections are accepted in forward. This also drops:
#  (a) dst-natted connections arriving from WAN (no connection-nat-state=dstnat
#      accept), (b) hairpinned LAN->public IP->LAN flows (out-interface is
#      SOHO_VLAN, not WAN), and (c) anything from OpenVPN clients, whose ppp
#      interfaces belong to no interface list.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
# Hairpin masquerade; the port forwards below match on the public address
# with no in-interface, so LAN clients using the public IP are dst-natted
# too — but the forward chain above still has to accept the result.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.180 \
    dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.180 \
    dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-address=xxx.yyy.zzz.180 \
    dst-port=5552 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-address=xxx.yyy.zzz.180 \
    dst-port=52400 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ppp secret
# OpenVPN users get fixed addresses inside the SOHO subnet (.240/.241). For
# LAN hosts to reach them, SOHO_VLAN normally needs arp=proxy-arp — TODO
# confirm; their forwarded traffic is additionally subject to the forward
# drop above.
add comment="IP Address Assigned to user" local-address=192.168.16.1 name=\
    chribonn remote-address=192.168.16.240 service=ovpn
add local-address=192.168.16.1 name=connie remote-address=192.168.16.241 \
    service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
# MAC-telnet / MAC-WinBox only from the management VLAN.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

I followed the scripts suggested here and I can confirm that the VLANed network is functional.

I experienced the following two glitches:

  1. Traffic (/ip firewall nat) doesn’t seem to be routing correctly. I tried both with the Hairpin NAT setting enabled and disabled.
  2. I reconfigured the OpenVPN (OVPN) functionality. Two users would connect and should join the SOHO_Network. I tried setting them to acquire IP addresses outside the scope given by the DHCP server (192.168.16.240 and 192.168.16.242). Here again I was not successful. I must admit that in my existing Mikrotik config the VPN clients had their own VPN pool.

The OpenVPN topic is the least problematic of the two and I can always attempt to revert back to the setup I had.

Thanks for everything.

Hello,

I have been trying to figure out the blocking issues. As I mentioned the OpenVPN is the less important so I will put it aside.

Digging a bit, I discovered that I had to add filter rules for my NAT entries. Initially I set the in-interface to ether1, this being the port connected to my ISP's bridged modem. Access from outside is working, but if I attempt to access the same ports from within my network it fails.

From the outside: https://www.domain.com works
From within my network: https://www.domain.com does not work
From within my network: https://<public IP address> does not work

I did two things (which did not work) that are in the included Mikrotik script:

  1. I set Hairpin NAT in /IP Firewall NAT
  2. I changed all the port forwarding from ether1 to all ethernet. My reasoning is that when I am within my network I am not coming in from ether1 (the outside).

Thank you as always

# dec/28/2020 15:25:00 by RouterOS 6.47.3
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
#
# Review notes: same VLAN layout as the dec/27 export, with per-service
# forward accepts and "all-ethernet" port forwards added while chasing the
# hairpin problem. Points to check:
#  - VPN_POOL is defined but no PPP profile references it, so OpenVPN clients
#    get no address; /interface ovpn-server server also lacks enabled=yes.
#  - The dst-nat rules no longer match dst-address, only in-interface. For
#    LAN-originated traffic the in-interface is the VLAN interface, so the
#    hairpin via the public IP still does not match, and the forward "Drop"
#    would still catch the hairpinned flow.
#  - "Allow VLAN" in the input chain admits every router service from every
#    VLAN, guests included.
/interface bridge
# Single VLAN-aware bridge, STP off.
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
    ssid=SOHO-AP
/interface vlan
# Routed VLAN interfaces: 99 management (BASE), 20 guest, 10 main.
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
# Pre-shared keys removed by hide-sensitive.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik
/interface wireless
# Virtual APs: *-admin on the BASE SSID (VLAN 99), *-guest on VLAN 20.
add disabled=no mac-address=E6:8D:8C:D6:E4:5F master-interface=wlan1 name=\
    wlan1-admin security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
    wlan1-guest security-profile=guest ssid=HOMENET-GUEST
add disabled=no mac-address=E6:8D:8C:D6:E4:60 master-interface=wlan2 name=\
    wlan2-admin security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
    wlan2-guest security-profile=guest ssid=HOMENET-GUEST
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
# Defined but unused: neither PPP profile below sets remote-address=VPN_POOL
# and the secrets carry no addresses either.
add name=VPN_POOL ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
# Only use-upnp is set here; with no local-address / remote-address on the
# profiles or the secrets, OpenVPN clients are not assigned addresses.
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
/interface bridge port
# Access ports: untagged ingress only, ingress filtering on, PVID by role.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2-guest pvid=20
# The admin virtual APs are the only ports without frame-types /
# ingress-filtering; give them the same
# `frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes`
# as the others so the management SSID is confined to VLAN 99.
add bridge=BR1 interface=wlan1-admin pvid=99
add bridge=BR1 interface=wlan2-admin pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
# ether2 (Cisco AP) carries VLAN 10 untagged and 20/99 tagged.
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-admin,wlan2-admin vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
# No enabled=yes in this export, so the OpenVPN server is currently off.
set auth=sha1 certificate=server cipher=aes256 require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=xxx.yyy.zzz.180/27 comment="ISP Configuration" interface=\
    ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=192.168.0.1 \
    gateway=10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.0.1 \
    gateway=192.168.16.1
# A DHCP network entry does not hand addresses to PPP clients; the VPN pool
# has to be referenced from a PPP profile (remote-address=VPN_POOL) instead.
add address=192.168.89.0/24 comment="VPN Subnet" dns-server=192.168.0.1 \
    gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
# Accepts every router service (WinBox, www, ssh, API, DNS) from guest and
# main VLANs alike; restrict to DNS from VLAN and management from BASE.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow OpenVPN (OVPN)" dst-port=1194 \
    protocol=tcp
add action=drop chain=input comment=Drop
# Per-service accepts keyed on in-interface=all-ethernet. Traffic from the
# bridged VLANs enters IP routing on the VLAN interfaces, not on ether2-4,
# so in practice these appear to match only ether1 (WAN) after dst-nat. They
# are placed ahead of the established,related accept, so every forwarded
# packet is checked against them first.
add action=accept chain=forward comment=HTTP dst-address=192.168.16.4 \
    dst-port=80 in-interface=all-ethernet protocol=tcp
add action=accept chain=forward comment=HTTPS dst-address=192.168.16.4 \
    dst-port=443 in-interface=all-ethernet protocol=tcp
add action=accept chain=forward comment=SFTP dst-address=192.168.16.5 \
    dst-port=22 in-interface=all-ethernet protocol=tcp
add action=accept chain=forward comment=Plex dst-address=192.168.16.8 \
    dst-port=32400 in-interface=all-ethernet protocol=tcp
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
# Still only VLAN->WAN; hairpinned LAN->public IP->LAN flows (out-interface
# SOHO_VLAN) and OpenVPN-client traffic (ppp interfaces, in no list) fall
# through to the final drop.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
# Hairpin masquerade is present, but see the dst-nat rules below.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
# These forwards dropped the dst-address match and rely on
# in-interface=all-ethernet alone, so any TCP/80 (etc.) arriving on an
# ethernet interface is redirected to the internal host. Restoring
# dst-address=<public IP address> (as in the dec/27 export) keeps the rules
# scoped and also matches hairpinned LAN traffic, which arrives on a VLAN
# interface rather than an ethernet one.
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.16.4 to-ports=80
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.16.4 to-ports=443
add action=dst-nat chain=dstnat comment=SFTP dst-port=5552 in-interface=\
    all-ethernet protocol=tcp to-addresses=\
    192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-port=52400 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.16.8 to-ports=32400
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ppp secret
# Secrets without addresses or a profile; combined with the unused VPN_POOL
# above, these users cannot be assigned a tunnel address.
add comment="IP Address Assigned to user" name=chribonn service=ovpn
add name=connie service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

I would suspect that the firewall rules are being overly restrictive, certainly that is the case for OpenVPN - you permit the OpenVPN connection, but not traffic from the connected clients. Enabling logging on the input and forward drop rules will likely provide a clue.

Not allowing ICMP input will break PMTU discovery which can cause connectivity issues to some sites.

For external access there is a Mikrotik default rule which only drops non-dstnat traffic forwarded from WAN; I prefer separating this into a rule to allow any dstnat traffic and a rule to drop everything else:
/ip firewall filter

# Replacement for the defconf "drop all from WAN not DSTNATed" rule: accept
# dst-natted connections from WAN explicitly, then drop the rest from WAN.
# Both must sit above the chain's final drop; the first is the accept the
# VLAN-only forward chain in the posted configs was missing.
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward in-interface-list=WAN

Either method allows dstnat rules to be added to /ip firewall nat without having to add additional rules to /ip firewall filter.

I included ICMP rule as you suggested.

I noticed that the two filters you mentioned already seem to be there in a more generic form (which I assume encompasses the scope you mentioned).

I also adjusted both the Filter and NAT rules to point to ether1.

I can confirm that I can access the servers listening on ports 80 and 443 from outside my network.

I noticed that when I surf to my website I am now landing on the Mikrotik Router login page (192.168.16.1).

/ip firewall filter
# Firewall section only, posted after the dec/28 changes. No action= on the
# ICMP rule means the RouterOS default (accept): all ICMP types, from WAN as
# well, are allowed in — this is what keeps PMTU discovery working.
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Allow Establised and Related Connections" connection-state=\
    established,related
# Accepts every router service from every VLAN (guest included). Combined
# with the dst-nat rules below matching in-interface=ether1 only, a LAN
# client opening http://<public IP address> is not dst-natted, reaches the
# router's own www service on its WAN address and is accepted here — which
# is the "landing on the router login page" behaviour reported above.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow OpenVPN (OVPN)" dst-port=1194 \
    protocol=tcp
add action=drop chain=input comment=Drop
# Generic accept for anything dst-natted from ether1; this makes the four
# per-service accepts that follow redundant.
add action=accept chain=forward connection-nat-state=dstnat in-interface=\
    ether1
add action=accept chain=forward comment=HTTP dst-address=192.168.16.4 \
    dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=HTTPS dst-address=192.168.16.4 \
    dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=SFTP dst-address=192.168.16.5 \
    dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=Plex dst-address=192.168.16.8 \
    dst-port=32400 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
# Still only VLAN->WAN: OpenVPN clients (ppp interfaces, in no list) and
# hairpinned LAN->public IP->LAN flows are dropped by the final rule. To
# restore hairpin access: key the dst-nat rules on
# dst-address=<public IP address> instead of in-interface=ether1, re-add the
# srcnat hairpin masquerade, and accept connection-nat-state=dstnat from the
# VLAN list here as well.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
# No hairpin masquerade in this revision.
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
# Port forwards keyed on in-interface=ether1 only (no dst-address), so they
# never match traffic coming from the LAN side.
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-port=5552 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-port=52400 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.16.8 to-ports=32400

As I have been making changes I am posting the firewall section of the configuration.