- I’ve spent at least a week trying to figure this out.
- I’ve used multiple A.I. platforms (Copilot and Gemini) trying to figure this out, but for some reason it’s still not working.
- Please someone help me configure an EAP-TLS client-to-router local wireless authentication.
- The network works when I use WPA2-PSK as the security profile, so I know it’s not my network or firewall configuration; the problem is in the EAP-TLS security profile.
Here’s my configuration (hAP ac lite, dual frequency, mipsbe):
# 2025-01-31 08:12:34 by RouterOS 7.17
# software id = G5FZ-TNJR
#
# model = RB952Ui-5ac2nD
# serial number = HCW08BQZ70D
#
# NOTE(review): this is a plain /export. Sensitive values (pre-shared keys,
# RADIUS secrets, private keys) are omitted by default, so whether they are set
# correctly cannot be judged from this text alone.
# NOTE(review): no /system ntp client section appears in this export. EAP-TLS
# certificate checks depend on the router's clock being inside the certificate
# validity window; the board has no battery-backed clock (presumably -- confirm),
# so check /system clock after a reboot. Cloud time via /ip cloud may cover this.
/interface bridge
# dhcp-snooping=yes is enabled on both bridges, but every /interface bridge port
# entry further down is trusted=yes, so snooping currently filters nothing.
# Client-facing ports should be untrusted if rogue-DHCP protection is the goal.
add admin-mac=18:FD:74:5C:EB:86 auto-mac=no dhcp-snooping=yes fast-forward=no \
name=bridge-lan port-cost-mode=short
add dhcp-snooping=yes fast-forward=no name=bridge-wlan-5ghz
/interface list
add name=WAN
add name=LAN
add name=WLAN
# LAN&WLAN is populated below but no firewall rule in this export references it.
add name=LAN&WLAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# The comment on this profile looks like a passphrase written into the comment
# field. Comments are not secrets: they show up in every export, backup and UI
# view. Keep the PSK only in wpa2-pre-shared-key, which a plain export hides.
add authentication-types=wpa2-psk comment="Abc123\?\?\?" mode=dynamic-keys \
name="WPA2 PSK" supplicant-identity=""
# EAP-TLS terminated on the AP itself: eap-methods=eap-tls with no /radius
# client in this export, so User Manager / an external RADIUS is not involved
# (that would need eap-methods=passthrough plus a /radius entry).
# tls-mode=dont-verify-certificate: the AP does not validate the client's
# certificate against any CA, so "only devices holding a cert issued by my CA"
# is NOT enforced by this profile -- any supplicant that completes the TLS
# handshake is admitted (verify against the RouterOS wireless docs for 7.17).
# For real client authentication use tls-mode=verify-certificate, which requires
# the issuing CA certificate to be imported on the router.
# tls-certificate=10-server is the certificate the AP presents to clients. The
# client must trust its issuer, and most supplicants also require a
# server-authentication EKU and a usable CN/SAN -- verify for the client OS in
# use. Whether 10-server has its private key on the router and a CA chain the
# clients trust is not visible here (check /certificate print detail); since
# WPA2-PSK on the same radio works, this is the most likely failure point.
# supplicant-identity is the identity a *station* sends during EAP; in
# ap-bridge mode it appears to be unused -- confirm. comment=10.20.20.1 is
# just a comment and configures nothing.
add authentication-types=wpa2-eap comment=10.20.20.1 eap-methods=eap-tls \
mode=dynamic-keys name=EAP-TLS supplicant-identity="southview5.com" tls-certificate=\
10-server tls-mode=dont-verify-certificate
/interface wireless
# security-profile=EAP-TLS is the profile in effect. default-forwarding=no
# disables client-to-client forwarding on the AP and wps-mode=disabled is the
# correct setting for an EAP-protected SSID.
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
20/40/80mhz-XXXX country="united states3" default-forwarding=no disabled=\
no frequency=auto mac-address=18:FD:74:2C:3B:5A mode=ap-bridge \
multicast-helper=disabled name=wlan-5ghz radio-name=southview5 \
security-profile=EAP-TLS ssid=southview5 wireless-protocol=802.11 \
wps-mode=disabled
/ip pool
add name=dhcp-pool-lan ranges=192.168.10.2-192.168.10.254
# Declared but unreferenced: the wireless DHCP server below uses hs-pool-16.
add name=dhcp-pool-wlan-5ghz ranges=10.20.20.2-10.20.20.254
/ip dhcp-server
# lease-time=2m on both servers churns the lease table constantly; fine while
# testing, unusual for production.
add address-pool=dhcp-pool-lan interface=bridge-lan lease-time=2m name=\
dhcp-lan
# address-pool=hs-pool-16 is not defined in /ip pool in this export (the name
# looks like a leftover from a hotspot setup -- cf. /ip hotspot user below).
# dhcp-pool-wlan-5ghz is presumably what was intended; verify with
# /ip dhcp-server print that this server is not flagged invalid.
add address-pool=hs-pool-16 interface=bridge-wlan-5ghz lease-time=2m name=\
dhcp-wlan-5ghz
/ip smb users
set [ find default=yes ] disabled=yes
# BGP template and OSPF instance are enabled although nothing in this export
# peers with them; harmless but unnecessary running code.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
# The read group carries the sensitive and password policies, so a read-only
# login can still see hidden values in exports. These look like the stock
# group definitions -- trim them if read-only accounts are ever created.
set read policy="local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,s\
ensitive,api,romon,!ftp,!write,!policy,!rest-api"
set write policy="local,telnet,ssh,reboot,read,write,test,winbox,password,web,\
sniff,sensitive,api,romon,!ftp,!policy,!rest-api"
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,!rest-api"
/certificate settings
# CRL fetching is on. Only relevant once certificate verification is actually
# performed (see tls-mode above); if the router cannot reach a CRL
# distribution point named in the CA certificate, validation may fail -- keep
# this in mind when switching to verify-certificate.
set crl-use=yes
/interface bridge port
# All ports, including the wireless interface, are trusted=yes -- see the
# dhcp-snooping note on the bridges.
add bridge=bridge-lan broadcast-flood=no ingress-filtering=no interface=\
ether2 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge-lan broadcast-flood=no ingress-filtering=no interface=\
ether3 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge-lan broadcast-flood=no ingress-filtering=no interface=\
ether4 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge-lan broadcast-flood=no ingress-filtering=no interface=\
ether5 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge-wlan-5ghz broadcast-flood=no ingress-filtering=no \
interface=wlan-5ghz internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge settings
# use-ip-firewall=yes sends bridged (same-subnet) traffic through the IP
# firewall; this is what gives the raw "drop hosts to hosts" rule below effect
# on wired-to-wired and wireless-to-wireless traffic.
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set allow-fast-path=no max-neighbor-entries=8192 tcp-syncookies=yes
/interface list member
add interface=bridge-lan list=LAN
add interface=ether1 list=WAN
add interface=bridge-lan list=LAN&WLAN
add interface=bridge-wlan-5ghz list=LAN&WLAN
add interface=bridge-wlan-5ghz list=WLAN
/interface wireless sniffer
set multiple-channels=yes
/ip address
add address=192.168.10.1/24 interface=bridge-lan network=192.168.10.0
add address=10.20.20.1/24 interface=bridge-wlan-5ghz network=10.20.20.0
/ip cloud
# Publishes the WAN address under a MikroTik cloud DNS name; not needed for
# local EAP-TLS. Cloud time sync may be what keeps the clock valid (see top).
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment="ISP router" interface=ether1 use-peer-dns=no use-peer-ntp=no
# The next line is a stray token (looks like a paste remnant of the dhcp-lan
# server name above); it is not a valid command in this section -- remove it
# before re-importing this file.
dhcp-lan
/ip dhcp-server network
add address=10.20.20.0/24 gateway=10.20.20.1
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for whoever reaches
# the input chain. That is acceptable only because the input filter drops
# non-HOSTS sources; loosen that rule and this becomes an open resolver.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=10.20.20.1 name=mynetwork.com type=A
/ip firewall address-list
# 192.168/16, 10/8 and 0/8 are disabled because the first two are the
# internal ranges here; 172.16/12 remains dropped by the raw BOGON rule.
add address=192.168.0.0/16 disabled=yes list=BOGON
add address=10.0.0.0/8 disabled=yes list=BOGON
add address=172.16.0.0/12 list=BOGON
add address=127.0.0.0/8 list=BOGON
add address=0.0.0.0/8 disabled=yes list=BOGON
add address=169.254.0.0/16 list=BOGON
add address=224.0.0.0/4 list=BOGON
add address=198.18.0.0/15 list=BOGON
add address=192.0.0.0/24 list=BOGON
add address=192.0.2.0/24 list=BOGON
add address=198.51.100.0/24 list=BOGON
add address=203.0.113.0/24 list=BOGON
add address=100.64.0.0/10 list=BOGON
# HOSTS = the two DHCP client ranges; the router's own addresses (.1) are not
# in it, which matters for the raw hosts-to-hosts drop below.
add address=192.168.10.2-192.168.10.254 list=HOSTS
add address=10.20.20.2-10.20.20.254 list=HOSTS
/ip firewall filter
# input chain: there is no terminal drop, so anything sourced from HOSTS
# reaches every listening service. The gate is source address only; adding
# in-interface-list=!WAN to the HOSTS-based acceptance path (or a final
# "add action=drop chain=input") would stop a WAN packet with a forged private
# source from matching. ICMP is accepted from any source here; it is only
# rate-limited by the raw rule further down.
add action=accept chain=input comment=\
"ACCEPT - INPUT (connection-state=established,related)" connection-state=\
established,related
add action=drop chain=input comment="DROP - INPUT (drop invalid)" \
connection-state=invalid
add action=accept chain=input comment="ACCEPT - INPUT (allow PING request)" \
protocol=icmp
add action=drop chain=input comment=\
"DROP - INPUT (drop anything else not from HOSTS)" src-address-list=\
!HOSTS
add action=accept chain=forward comment=\
"ACCEPT - FORWARD (connection-state=established,related)" \
connection-state=established,related
add action=drop chain=forward comment=\
"DROP - FORWARD (connection-state=invalid)" connection-state=invalid
add action=accept chain=forward comment=\
"ACCEPT - FORWARD (accept internet connection HOSTS to WAN)" \
out-interface-list=WAN src-address-list=HOSTS
# Ordering: this unrestricted ICMP accept sits BEFORE the LAN<->WLAN drops, so
# wireless and wired hosts can still ping each other despite the isolation
# intent below. Move it after those two drops, or scope it to
# out-interface-list=WAN.
add action=accept chain=forward comment=\
"ACCEPT - FORWARD (allow PING request)" protocol=icmp
add action=drop chain=forward comment=\
"DROP - FORWARD (drop LAN to WLAN connections)" in-interface-list=LAN \
out-interface-list=WLAN
add action=drop chain=forward comment=\
"DROP - FORWARD (drop WLAN to LAN connections)" in-interface-list=WLAN \
out-interface-list=LAN
add action=drop chain=forward comment="DROP - FORWARD (Drop connections that i\
s not DSTNATed, connection-state=new connection-nat-state=!dstnat)" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Terminal forward drop: makes the forward chain default-deny.
add action=drop chain=forward comment="DROP - FORWARD (drop anything else) (di\
sable this if you have a hotspot)"
# unused-hs-chain is never jumped to from any rule in this export.
add action=drop chain=unused-hs-chain comment=\
"DROP - UNUSED-HS-CHAIN (enable if you have hotspot)" connection-limit=\
!50,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=unused-hs-chain comment=\
"DROP - UNUSED-HS-CHAIN (enable ifnyou have hotspot)" disabled=yes
/ip firewall mangle
add action=change-ttl chain=prerouting comment=\
"CHANGE-TTL - PREROUTING - (Protection from trace routes, increment=5)" \
new-ttl=increment:5
/ip firewall nat
add action=masquerade chain=srcnat comment=\
"MASQUERADE - SRCNAT (srcnat everything to WAN)" out-interface-list=WAN
# The two DNS redirects have no in-interface restriction, so port-53 traffic
# arriving on ether1 is also redirected to the router; it is then dropped by
# the input filter (source not in HOSTS). Scoping them with
# in-interface-list=!WAN makes the intent explicit.
add action=redirect chain=dstnat comment=\
"REDIRECT - DSTNAT (redirect DNS requests-tcp)" dst-port=53 protocol=tcp \
to-ports=53
add action=redirect chain=dstnat comment=\
"REDIRECT - DSTNAT (redirect DNS requests-udp)" dst-port=53 protocol=udp \
to-ports=53
# SIP forwards: dst-address=192.168.10.1 means only LAN-originated traffic to
# the router's LAN address matches. 192.168.100.1 is not in any subnet
# configured here -- presumably the "ISP router" upstream of ether1; verify.
add action=dst-nat chain=dstnat comment=\
"DSTNAT - DSTNAT (PLDT Telephone VOIP port forward - tcp)" dst-address=\
192.168.10.1 dst-port=5060 protocol=tcp to-addresses=192.168.100.1 \
to-ports=5060
add action=dst-nat chain=dstnat comment=\
"DSTNAT - DSTNAT (PLDT Telephone VOIP port forward - udp)" dst-address=\
192.168.10.1 dst-port=5060 protocol=udp to-addresses=192.168.100.1 \
to-ports=5060
/ip firewall raw
# RADIUS conventionally runs over UDP 1812/1813, and no /radius client exists
# in this export, so with protocol=tcp this rule matches nothing RADIUS-
# related; locally terminated EAP-TLS generates no RADIUS traffic at all. It
# also has no in-interface restriction, so it exempts TCP 443 from every raw
# drop below on the WAN side as well (the input filter still gates by HOSTS).
# Likely a leftover -- consider removing it.
add action=accept chain=prerouting dst-port=443,1812,1813 protocol=tcp
# Management-port containment: router-originated FTP/SSH/TELNET/WINBOX replies
# may only leave via LAN, and such requests are only accepted from LAN.
add action=drop chain=output comment="DROP - OUTPUT (drop connection if not FT\
P, SSH, TELNET, WINBOX to LAN interface)" out-interface-list=!LAN \
protocol=tcp src-port=20,21,22,23,8291
add action=drop chain=prerouting comment="DROP - PREROUTING (drop connection i\
f not FTP, SSH, TELNET, WINBOX to LAN interface)" dst-port=\
20,21,22,23,8291 in-interface-list=!LAN protocol=tcp
add action=drop chain=prerouting comment="DROP - PREROUTING (limit ICMP)" \
limit=!1,2:packet protocol=icmp
# Together with use-ip-firewall=yes this isolates every client from every
# other client, wired or wireless (printers, file shares etc. included).
# Traffic to the router's own .1 addresses is unaffected (not in HOSTS).
add action=drop chain=prerouting comment=\
"DROP - PREROUTING (drop hosts to hosts connections)" dst-address-list=\
HOSTS src-address-list=HOSTS
add action=drop chain=prerouting comment=\
"DROP - PREROUTING (drop BOGON list)" src-address-list=BOGON
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot user
# No hotspot server is defined in this export, so this account is dormant;
# remove it (and the hs-pool-16 reference above) if the hotspot is gone.
add name=admin
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
# Only www-ssl (and winbox, which is not listed here and so keeps its default
# of enabled) remain exposed. No address= restriction is set on either;
# reachability relies entirely on the input filter above.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
# BFD on interfaces=all includes ether1 (WAN). Nothing in this export peers
# over BFD, so this only adds a listener; consider disabling or scoping it.
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
# Time zone only -- no NTP client is configured anywhere in this export (see
# the note at the top about certificate validity and the clock).
set time-zone-name=Asia/Manila
/system identity
set name=mynetwork
/tool mac-server
# MAC-telnet disabled everywhere, MAC-winbox restricted to LAN -- good.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user-manager
# certificate=*0 is an unresolved internal item reference rather than a
# certificate name, which usually means the referenced certificate no longer
# exists -- harmless while User Manager is not used, which it is not in this
# export (no /radius client points at the router).
set certificate=*0