Firewall: Input Accept LAN doesn't work

Hey Guys,

I have a Mikrotik hap ac2. On ether1 the Internet uplink to a 5G router via DHCP is granted; on ether2 I'm having a subnet for my private LAN, which also includes vlan_manuel (20, 10.0.2.0/24). There is also another VLAN for IoT (10, 10.0.1.0/24, just on WLAN) and another for VPN (30, 10.0.3.0/24, not finally configured).

Everything works quite fine; the VPN server is not finally configured.

But: I did start with no default config, because I had some troubles with the VLANs and default ports the first time. So I have now created some FW rules to protect the router from input on the WAN interface (eth1):

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked log-prefix=input_accept
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=input_drop

But my rule:

add action=accept chain=input in-interface-list=LAN

doesn't work. All the traffic from the LAN is dropped and I can only access the router via Winbox and the MAC address.
Log content:

input_drop input: in:vlan_manuel out:(unknown 0), src-mac 00:e0:4c:30:XX:XX, proto UDP, 10.0.2.91:58844->255.255.255.255:20561, len 50

Here is my full export. I have been searching for hours now but I can't find the problem, or just can't understand it. Who knows…

[admin@MikroTik] /ip firewall nat> /export
# oct/19/2020 21:47:04 by RouterOS 6.47.4
# software id = FVNK-2IPL
#
# model = RBD52G-5HacD2HnD
# serial number = C6140C7A47AD
/caps-man channel
add band=2ghz-b/g/n extension-channel=XX name=channel_2
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=eCee frequency=5520 name=channel_5
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: Attention_5GLAN, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5520/20-eCee/ac/DP(24dBm), SSID: Attention_5GLAN, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add interface=bridge1 name=vlan_iot vlan-id=10
add interface=bridge1 name=vlan_manuel vlan-id=20
add interface=bridge1 name=vlan_vpn vlan-id=30
/caps-man datapath
add bridge=bridge1 client-to-client-forwarding=yes local-forwarding=yes name=datapath1
add bridge=bridge1 name=datapath2_iot vlan-id=10 vlan-mode=use-tag
add bridge=bridge1 client-to-client-forwarding=yes local-forwarding=yes name=datapath3_manuel vlan-id=20 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=security1 passphrase=XXXXXXX
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=security_iot passphrase=XXXXXXXX
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=security_manuel passphrase=XXXXXXXXXX
/caps-man configuration
add channel=channel_2 country=no_country_set datapath=datapath1 installation=indoor mode=ap name=cfg1_24 rx-chains=0,1 security=security1 ssid=Attention_5GLAN tx-chains=0,1
add channel=channel_5 country=no_country_set datapath=datapath1 installation=indoor name=cfg2_5 rx-chains=0,1 security=security1 ssid=Attention_5GLAN tx-chains=0,1
add channel=channel_5 country=no_country_set datapath=datapath1 installation=indoor name=cfg3_solo rx-chains=0,1 security=security1 ssid=Attention_5Gsolo tx-chains=0,1
add channel=channel_2 country=no_country_set datapath=datapath2_iot installation=indoor name=cfg4_iot rx-chains=0,1 security=security_iot ssid=Attention_5GIOT tx-chains=0,1
add channel=channel_2 country=no_country_set datapath=datapath3_manuel installation=indoor name=cfg5_manu2 rx-chains=0,1 security=security_manuel ssid=Attention_5Gx tx-chains=0,1
add channel=channel_5 country=no_country_set datapath=datapath3_manuel installation=indoor name=cfg6_manu5 rx-chains=0,1 security=security_manuel ssid=Attention_5Gx tx-chains=0,1
/caps-man interface
add configuration=cfg1_24 configuration.ssid=Attention_5GLAN disabled=yes l2mtu=1600 mac-address=74:4D:28:BC:D9:0B master-interface=none name=cap1_2 radio-mac=74:4D:28:BC:D9:0B radio-name=\
    744D28BCD90B
add channel.frequency=5520 configuration=cfg2_5 configuration.mode=ap configuration.ssid=Attention_5GLAN disabled=yes l2mtu=1600 mac-address=74:4D:28:BC:D9:0C master-interface=none name=cap1_5 \
    radio-mac=74:4D:28:BC:D9:0C radio-name=744D28BCD90C
add channel=channel_2 configuration=cfg4_iot datapath=datapath2_iot disabled=no l2mtu=1600 mac-address=76:4D:28:BC:D9:0B master-interface=cap1_2 name=cap1_iot radio-mac=00:00:00:00:00:00 \
    radio-name=""
add configuration=cfg5_manu2 disabled=no mac-address=76:4D:28:BC:D9:0C master-interface=cap1_2 name=cap1_m2 radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg6_manu5 disabled=no mac-address=76:4D:28:BC:D9:0D master-interface=cap1_5 name=cap1_m5 radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg3_solo disabled=no mac-address=76:4D:28:BC:D9:0E master-interface=cap1_5 name=cap1_solo radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg1_24 disabled=no l2mtu=1600 mac-address=48:8F:5A:BF:01:44 master-interface=none name=hap1_2 radio-mac=48:8F:5A:BF:01:44 radio-name=hap1_2
add channel.frequency=5520 configuration=cfg2_5 configuration.country=no_country_set configuration.installation=indoor disabled=no l2mtu=1600 mac-address=48:8F:5A:BF:01:45 master-interface=none \
    name=hap1_5 radio-mac=48:8F:5A:BF:01:45 radio-name=hap1_5
add configuration=cfg4_iot disabled=no l2mtu=1600 mac-address=4A:8F:5A:BF:01:44 master-interface=hap1_2 name=hap1_iot radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg5_manu2 disabled=no l2mtu=1600 mac-address=4A:8F:5A:BF:01:46 master-interface=hap1_2 name=hap1_m2 radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg6_manu5 configuration.country=no_country_set configuration.ssid=Attention_5Gx disabled=no l2mtu=1600 mac-address=4A:8F:5A:BF:01:47 master-interface=hap1_5 name=hap1_m5 \
    radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg3_solo disabled=no l2mtu=1600 mac-address=4A:8F:5A:BF:01:45 master-interface=hap1_5 name=hap1_solo radio-mac=00:00:00:00:00:00 radio-name=""
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add enc-algorithm=aes-256,3des name=ipsec_ibk
/ip ipsec peer
# This entry is unreachable
add name=l2tp-peer passive=yes profile=ipsec_ibk
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=proposal1_l2tp_vpn_ibk pfs-group=none
/ip pool
add name=pool1 ranges=10.0.0.1-10.0.0.100
add name=pool2 ranges=10.0.1.1-10.0.1.100
add name=pool3 ranges=10.0.2.1-10.0.2.100
add name=pool_vpn ranges=10.0.254.1-10.0.254.100
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge1 lease-script=":local DHCPtag name=server1
add address-pool=pool2 disabled=no interface=vlan_iot lease-script=":local DHCPtag name=server2
add address-pool=pool3 disabled=no interface=vlan_manuel lease-script=":local DHCPtag name=server3
add address-pool=pool_vpn disabled=no interface=vlan_vpn name=server4_vpn
/ip ipsec mode-config
add address-pool=pool_vpn name=vpndhcp
/ppp profile
add local-address=10.0.254.254 name=l2tp_vpn remote-address=pool_vpn use-encryption=required use-mpls=yes
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=-80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=-120..120 ssid-regexp=""
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=vlan_iot pvid=10
add bridge=bridge1 interface=hap1_solo
add bridge=bridge1 interface=hap1_2
add bridge=bridge1 interface=hap1_5
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=vlan_manuel pvid=20
add bridge=bridge1 interface=cap1_2
add bridge=bridge1 interface=cap1_5
add bridge=bridge1 interface=cap1_iot pvid=10
add bridge=bridge1 interface=hap1_iot pvid=10
add bridge=bridge1 interface=hap1_m2 pvid=20
add bridge=bridge1 interface=hap1_m5 pvid=20
add bridge=bridge1 interface=cap1_m2 pvid=20
add bridge=bridge1 interface=cap1_m5 pvid=20
add bridge=bridge1 interface=cap1_solo
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,vlan_iot,ether5,cap1_iot,hap1_iot vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5,vlan_manuel,cap1_m2,cap1_m5,hap1_m2,hap1_m5 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=vlan_vpn vlan-ids=30
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_vpn enabled=yes ipsec-secret=XXXXXXXXX max-mru=1480 max-mtu=1460 use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface wireless cap
#
set bridge=bridge1 caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip accounting
set account-local-traffic=yes enabled=yes
/ip accounting web-access
set accessible-via-web=yes
/ip address
add address=10.0.1.254/24 interface=vlan_iot network=10.0.1.0
add address=10.0.0.254/24 interface=bridge1 network=10.0.0.0
add address=10.0.2.254/24 interface=vlan_manuel network=10.0.2.0
add address=10.0.254.254/24 interface=vlan_vpn network=10.0.254.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.254 gateway=10.0.0.254 netmask=24
add address=10.0.1.0/24 dns-server=10.0.1.254 gateway=10.0.1.254 netmask=24
add address=10.0.2.0/24 dns-server=10.0.2.201,1.0.0.1,8.8.8.8 gateway=10.0.2.254 netmask=24
add address=10.0.254.0/24 dns-server=10.0.2.201 gateway=10.0.254.254
/ip dns
set allow-remote-requests=yes servers=1.0.0.1,8.8.8.8
/ip firewall address-list
add address=10.0.0.0/24 list=Main
add address=10.0.1.0/24 list=Main
add address=10.0.2.0/24 list=Main
add address=10.0.254.0/24 list=Main
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked log-prefix=input_accept
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=input_drop
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop packets from LAN without LAN IP" in-interface=bridge1 log=yes log-prefix=!LAN src-address-list=!Main
add action=reject chain=forward dst-address=10.0.1.0/24 reject-with=icmp-network-unreachable src-address=10.0.0.0/24
add action=reject chain=forward dst-address=10.0.2.0/24 reject-with=icmp-network-unreachable src-address=10.0.0.0/24
add action=reject chain=forward dst-address=10.0.0.0/24 reject-with=icmp-network-unreachable src-address=10.0.1.0/24
add action=reject chain=forward dst-address=10.0.0.0/24 reject-with=icmp-network-unreachable src-address=10.0.2.0/24
add action=reject chain=forward dst-address=10.0.1.0/24 reject-with=icmp-network-unreachable src-address=10.0.2.0/24
add action=reject chain=forward dst-address=10.0.2.0/24 reject-with=icmp-network-unreachable src-address=10.0.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec policy
add proposal=proposal1_l2tp_vpn_ibk template=yes
/ppp secret
add name=vpn-dit password=XXXXX profile=l2tp_vpn service=l2tp
/system clock
set time-zone-name=Europe/Vienna

In the DHCP servers I also have a script; it isn't visible up there for readability:

:local DHCPtag
:set DHCPtag "#DHCP"

:if ( [ :len $leaseActIP ] <= 0 ) do={ :error "empty lease address" }

:if ( $leaseBound = 1 ) do=\
{
    :local ttl
    :local domain
    :local hostname
    :local fqdn
    :local leaseId
    :local comment

    /ip dhcp-server
    :set ttl [ get [ find name=$leaseServerName ] lease-time ]
    network
    :set domain [ get [ find $leaseActIP in address ] domain ]

    .. lease
    :set leaseId [ find address=$leaseActIP ]

    # Check for multiple active leases for the same IP address. It's weird and it shouldn't be, but just in case.

    :if ( [ :len $leaseId ] != 1) do={
        :log info "DHCP2DNS: not registering domain name for address $leaseActIP because of multiple active leases for $leaseActIP"
        :error "multiple active leases for $leaseActIP"
    }

    :set hostname [ get $leaseId host-name ]
    :set comment [ get $leaseId comment ]
    /

    :if ( [ :len $hostname ] <= 0 ) do={ :set hostname $comment }

    :if ( [ :len $hostname ] <= 0 ) do={
        :log error "DHCP2DNS: not registering domain name for address $leaseActIP because of empty lease host-name or comment"
        :error "empty lease host-name or comment"
    }
    :if ( [ :len $domain ] <= 0 ) do={
        :log error "DHCP2DNS: not registering domain name for address $leaseActIP because of empty network domain name"
        :error "empty network domain name"
    }

    :set fqdn "$hostname.$domain"

    /ip dns static
    :if ( [ :len [ find name=$fqdn and address=$leaseActIP and disabled=no ] ] = 0 ) do={
        :log info "DHCP2DNS: registering static domain name $fqdn for address $leaseActIP with ttl $ttl"
        add address=$leaseActIP name=$fqdn ttl=$ttl comment=$DHCPtag disabled=no
    } else={
        :log error "DHCP2DNS: not registering domain name $fqdn for address $leaseActIP because of existing active static DNS entry with this name or address"
    }
    /
} else={
    /ip dns static
    :local dnsDhcpId
    :set dnsDhcpId [ find address=$leaseActIP and comment=$DHCPtag ]
    :if ( [ :len $dnsDhcpId ] > 0 ) do={
        :log info "DHCP2DNS: removing static domain name(s) for address $leaseActIP"
        remove $dnsDhcpId
    }
    /
}

thanks for your help
Manuel

(1) A VLAN interface is not a bridge port (traffic is ingressing the ports), and these two lines should be removed.
Bridge ports are in the form of a. an ether port or b. a wlan port.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=vlan_iot pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=vlan_manuel pvid=20

(2) Similarly, in the bridge VLAN settings one identifies the VLANs by IDs and not by VLAN interfaces; this is how traffic egresses the bridge ports (ether ports and wlan ports), and they should be removed.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,**vlan_iot,**ether5,cap1_iot,hap1_iot vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5,vlan_manuel,cap1_m2,cap1_m5,hap1_m2,hap1_m5 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=vlan_vpn vlan-ids=30

(3) Firewall rules I would get rid of, unless there is a good reason to keep them…
add action=drop chain=forward comment="Drop packets from LAN without LAN IP" in-interface=bridge1 log=yes log-prefix=!LAN src-address-list=!Main
add action=reject chain=forward dst-address=10.0.1.0/24 reject-with=icmp-network-unreachable src-address=10.0.0.0/24
add action=reject chain=forward dst-address=10.0.2.0/24 reject-with=icmp-network-unreachable src-address=10.0.0.0/24
add action=reject chain=forward dst-address=10.0.0.0/24 reject-with=icmp-network-unreachable src-address=10.0.1.0/24
add action=reject chain=forward dst-address=10.0.0.0/24 reject-with=icmp-network-unreachable src-address=10.0.2.0/24
add action=reject chain=forward dst-address=10.0.1.0/24 reject-with=icmp-network-unreachable src-address=10.0.2.0/24
add action=reject chain=forward dst-address=10.0.2.0/24 reject-with=icmp-network-unreachable src-address=10.0.1.0/24

(4) Input chain rules… modify to this
add action=accept chain=input connection-state=established,related,untracked log-prefix=input_accept
add action=drop chain=input comment="drop invalid" connection-state=invalid (this was missing)
add action=accept chain=input in-interface-list=LAN src-address-list=admin_access ****

(here put in an allow rule for port 53 UDP and TCP, if required, from in-interface-list=LAN)

add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=drop chain=input

**** Where admin_access is a list of LAN IPs that you will use to configure the router, i.e. desktop PC, laptop on one of the VLANs, iPad from all LANs (assuming all fixed IPs, of course static).
There is NO need for any users to have full access to the router on the input chain, only the admin. However, if there are router services like DNS that you want the router to provide for users, then you put those in. The last rule simply needs to DROP!! Clean and simple.

(4) Forward chain.
A. default rules are good.
B. rules you wish to allow traffic like vlan 10 users to shared printers on vlan 20, or admin access to all vlans etc.
C. Last rule: simply add chain=forward action=drop; clean and simple, to stop all other traffic cold.

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
ADD ANY RULES FOR ACCEPT
add action=drop chain=forward

(5) Source NAT: if you have a PPPoE connection and you have to define ether1 and a PPPoE interface separately, ensure that both ether1 and the PPPoE interface are included in the interface list for WAN.
Then modify the rule if this is the case, but only if necessary; otherwise it is fine.

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN


(6) Perhaps I am blind, but I didn't see any IP routing rules…

(7) Lastly, there are other ways the router blocks access to Winbox control (it may not be your input rules)… under USERS, under TOOLS > MAC Server, and IP > SERVICES > winbox.
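An added example, not from either post: a small Python model of the RouterOS matchers these rules use, which walks the packet from the logged `input_drop` line through the exported input chain and through the chain proposed in the reply. Interface-list membership is taken from the export (LAN contains only bridge1); the expanded LAN list, the admin_access membership and the second non-admin host are assumptions.

```python
import ipaddress
import re

# Log line quoted in the first post (copied here; the MAC was already masked there).
LOG_LINE = ("input_drop input: in:vlan_manuel out:(unknown 0), "
            "src-mac 00:e0:4c:30:XX:XX, proto UDP, "
            "10.0.2.91:58844->255.255.255.255:20561, len 50")

LOG_RE = re.compile(r"in:(?P<in_iface>\S+) out:.*?proto (?P<proto>\w+), "
                    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)")


def packet_from_log(line, connection_state="new"):
    """Parse a RouterOS firewall log line into the fields the input chain looks at."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    return {"in_iface": m["in_iface"], "protocol": m["proto"].lower(),
            "src": m["src"], "dst_port": int(m["dport"]),
            # a fresh broadcast datagram has no conntrack entry yet
            "connection_state": connection_state}


def in_list(value, wanted, members):
    """Interface-list matcher with RouterOS-style '!' negation."""
    negate = wanted.startswith("!")
    return (value in members.get(wanted.lstrip("!"), set())) != negate


def src_in_addr_list(src, wanted, addr_lists):
    """src-address-list matcher: any CIDR in the named list contains src."""
    nets = addr_lists.get(wanted.lstrip("!"), [])
    hit = any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in nets)
    return hit != wanted.startswith("!")


def rule_matches(rule, pkt, iface_lists, addr_lists):
    """Every matcher present on the rule must agree, as on a real filter rule."""
    checks = [
        ("connection_state", lambda v: pkt["connection_state"] in v),
        ("in_interface", lambda v: pkt["in_iface"] == v),
        ("in_interface_list", lambda v: in_list(pkt["in_iface"], v, iface_lists)),
        ("protocol", lambda v: pkt["protocol"] == v),
        ("dst_port", lambda v: pkt["dst_port"] in v),
        ("src_address_list", lambda v: src_in_addr_list(pkt["src"], v, addr_lists)),
    ]
    return all(check(rule[key]) for key, check in checks if key in rule)


def evaluate(chain, pkt, iface_lists, addr_lists):
    """First matching rule wins; a chain with no match accepts, as RouterOS does."""
    for index, rule in enumerate(chain):
        if rule_matches(rule, pkt, iface_lists, addr_lists):
            return index, rule["action"]
    return None, "accept"


# Input chain exactly as it appears in the first post's export.
ORIGINAL_INPUT = [
    {"action": "accept", "connection_state": {"established", "related", "untracked"}},
    {"action": "accept", "in_interface_list": "LAN"},
    {"action": "accept", "in_interface": "ether1", "protocol": "udp", "dst_port": {500, 1701, 4500}},
    {"action": "accept", "in_interface": "ether1", "protocol": "ipsec-esp"},
    {"action": "drop", "in_interface_list": "!LAN"},
]

# Input chain from the reply: invalid dropped early, admin-only access, final drop.
PROPOSED_INPUT = [
    {"action": "accept", "connection_state": {"established", "related", "untracked"}},
    {"action": "drop", "connection_state": {"invalid"}},
    {"action": "accept", "in_interface_list": "LAN", "src_address_list": "admin_access"},
    {"action": "accept", "in_interface": "ether1", "protocol": "udp", "dst_port": {500, 1701, 4500}},
    {"action": "accept", "in_interface": "ether1", "protocol": "ipsec-esp"},
    {"action": "drop"},
]

# Interface lists as exported: LAN holds only bridge1, not the VLAN interfaces.
EXPORTED_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge1"}}
# Assumed fix: routed VLAN traffic arrives "in:vlan_manuel", so list the VLANs too.
FIXED_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge1", "vlan_iot", "vlan_manuel", "vlan_vpn"}}
# "Main" is from the export; the admin_access membership is a constructed placeholder.
ADDR_LISTS = {"Main": ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.254.0/24"],
              "admin_access": ["10.0.2.91/32"]}


def verdicts():
    """Walk the logged packet through each chain/list combination."""
    pkt = packet_from_log(LOG_LINE)
    other = dict(pkt, src="10.0.2.50")  # constructed non-admin host on the same VLAN
    return {
        "original, lists as exported": evaluate(ORIGINAL_INPUT, pkt, EXPORTED_LISTS, ADDR_LISTS),
        "original, VLANs added to LAN": evaluate(ORIGINAL_INPUT, pkt, FIXED_LISTS, ADDR_LISTS),
        "proposed, admin host": evaluate(PROPOSED_INPUT, pkt, FIXED_LISTS, ADDR_LISTS),
        "proposed, non-admin host": evaluate(PROPOSED_INPUT, other, FIXED_LISTS, ADDR_LISTS),
    }


if __name__ == "__main__":
    for case, (index, action) in verdicts().items():
        print(f"{case:30s} -> rule {index}: {action}")
```

With the lists as exported the packet reaches the `!LAN` drop because vlan_manuel is not a member of LAN; the same rule set accepts it once the VLAN interfaces are listed, and the reply's chain then admits only hosts in admin_access.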

Hey,
Thank you for your fast response!

I did what you mentioned:

# oct/20/2020 09:50:37 by RouterOS 6.47.4
# software id = FVNK-2IPL
#
# model = RBD52G-5HacD2HnD
# serial number = C6140C7A47AD
/caps-man channel
add band=2ghz-b/g/n extension-channel=XX name=channel_2
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=eCee \
    frequency=5520 name=channel_5
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: Attention_5GLAN, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5520/20-eCee/ac/DP(24dBm), SSID: Attention_5GLAN, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add interface=bridge1 name=vlan_iot vlan-id=10
add interface=bridge1 name=vlan_manuel vlan-id=20
add interface=bridge1 name=vlan_vpn vlan-id=30
/caps-man datapath
add bridge=bridge1 client-to-client-forwarding=yes local-forwarding=yes name=\
    datapath1
add bridge=bridge1 name=datapath2_iot vlan-id=10 vlan-mode=use-tag
add bridge=bridge1 client-to-client-forwarding=yes local-forwarding=yes name=\
    datapath3_manuel vlan-id=20 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=\
    security1 passphrase=4llMenarecreated3qual
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=\
    security_iot passphrase=IOTidTS30
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=\
    security_manuel passphrase=WvMRdidTS30w
/caps-man configuration
add channel=channel_2 country=no_country_set datapath=datapath1 installation=\
    indoor mode=ap name=cfg1_24 rx-chains=0,1 security=security1 ssid=\
    Attention_5GLAN tx-chains=0,1
add channel=channel_5 country=no_country_set datapath=datapath1 installation=\
    indoor name=cfg2_5 rx-chains=0,1 security=security1 ssid=Attention_5GLAN \
    tx-chains=0,1
add channel=channel_5 country=no_country_set datapath=datapath1 installation=\
    indoor name=cfg3_solo rx-chains=0,1 security=security1 ssid=\
    Attention_5Gsolo tx-chains=0,1
add channel=channel_2 country=no_country_set datapath=datapath2_iot \
    installation=indoor name=cfg4_iot rx-chains=0,1 security=security_iot \
    ssid=Attention_5GIOT tx-chains=0,1
add channel=channel_2 country=no_country_set datapath=datapath3_manuel \
    installation=indoor name=cfg5_manu2 rx-chains=0,1 security=\
    security_manuel ssid=Attention_5Gx tx-chains=0,1
add channel=channel_5 country=no_country_set datapath=datapath3_manuel \
    installation=indoor name=cfg6_manu5 rx-chains=0,1 security=\
    security_manuel ssid=Attention_5Gx tx-chains=0,1
/caps-man interface
add configuration=cfg1_24 configuration.ssid=Attention_5GLAN disabled=yes \
    l2mtu=1600 mac-address=74:4D:28:BC:D9:0B master-interface=none name=\
    cap1_2 radio-mac=74:4D:28:BC:D9:0B radio-name=744D28BCD90B
add channel.frequency=5520 configuration=cfg2_5 configuration.mode=ap \
    configuration.ssid=Attention_5GLAN disabled=yes l2mtu=1600 mac-address=\
    74:4D:28:BC:D9:0C master-interface=none name=cap1_5 radio-mac=\
    74:4D:28:BC:D9:0C radio-name=744D28BCD90C
add channel=channel_2 configuration=cfg4_iot datapath=datapath2_iot disabled=\
    no l2mtu=1600 mac-address=76:4D:28:BC:D9:0B master-interface=cap1_2 name=\
    cap1_iot radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg5_manu2 disabled=no mac-address=76:4D:28:BC:D9:0C \
    master-interface=cap1_2 name=cap1_m2 radio-mac=00:00:00:00:00:00 \
    radio-name=""
add configuration=cfg6_manu5 disabled=no mac-address=76:4D:28:BC:D9:0D \
    master-interface=cap1_5 name=cap1_m5 radio-mac=00:00:00:00:00:00 \
    radio-name=""
add configuration=cfg3_solo disabled=no mac-address=76:4D:28:BC:D9:0E \
    master-interface=cap1_5 name=cap1_solo radio-mac=00:00:00:00:00:00 \
    radio-name=""
add configuration=cfg1_24 disabled=no l2mtu=1600 mac-address=\
    48:8F:5A:BF:01:44 master-interface=none name=hap1_2 radio-mac=\
    48:8F:5A:BF:01:44 radio-name=hap1_2
add channel.frequency=5520 configuration=cfg2_5 configuration.country=\
    no_country_set configuration.installation=indoor disabled=no l2mtu=1600 \
    mac-address=48:8F:5A:BF:01:45 master-interface=none name=hap1_5 \
    radio-mac=48:8F:5A:BF:01:45 radio-name=hap1_5
add configuration=cfg4_iot disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:BF:01:44 master-interface=hap1_2 name=hap1_iot radio-mac=\
    00:00:00:00:00:00 radio-name=""
add configuration=cfg5_manu2 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:BF:01:46 master-interface=hap1_2 name=hap1_m2 radio-mac=\
    00:00:00:00:00:00 radio-name=""
add configuration=cfg6_manu5 configuration.country=no_country_set \
    configuration.ssid=Attention_5Gx disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:BF:01:47 master-interface=hap1_5 name=hap1_m5 radio-mac=\
    00:00:00:00:00:00 radio-name=""
add configuration=cfg3_solo disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:BF:01:45 master-interface=hap1_5 name=hap1_solo radio-mac=\
    00:00:00:00:00:00 radio-name=""
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add enc-algorithm=aes-256,3des name=ipsec_ibk
/ip ipsec peer
# This entry is unreachable
add name=l2tp-peer passive=yes profile=ipsec_ibk
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=\
    proposal1_l2tp_vpn_ibk pfs-group=none
/ip pool
add name=pool1 ranges=10.0.0.1-10.0.0.100
add name=pool2 ranges=10.0.1.1-10.0.1.100
add name=pool3 ranges=10.0.2.1-10.0.2.100
add name=pool_vpn ranges=10.0.254.1-10.0.254.100
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge1 lease-script=":local DHCP\
    tag\r\
    \n:set DHCPtag \"#DHCP\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n    :local ttl\r\
    \n    :local domain\r\
    \n    :local hostname\r\
    \n    :local fqdn\r\
    \n    :local leaseId\r\
    \n    :local comment\r\
    \n\r\
    \n    /ip dhcp-server\r\
    \n    :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n    network \r\
    \n    :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n\r\
    \n    .. lease\r\
    \n    :set leaseId [ find address=\$leaseActIP ]\r\
    \n\r\
    \n    # Check for multiple active leases for the same IP address. It's wei\
    rd and it shouldn't be, but just in case.\r\
    \n\r\
    \n    :if ( [ :len \$leaseId ] != 1) do={\r\
    \n        :log info \"DHCP2DNS: not registering domain name for address \$\
    leaseActIP because of multiple active leases for \$leaseActIP\"\r\
    \n        :error \"multiple active leases for \$leaseActIP\"\r\
    \n    }  \r\
    \n\r\
    \n    :set hostname [ get \$leaseId host-name ]\r\
    \n    :set comment [ get \$leaseId comment ]\r\
    \n    /\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \
    \$leaseActIP because of empty lease host-name or comment\"\r\
    \n        :error \"empty lease host-name or comment\"\r\
    \n    }\r\
    \n    :if ( [ :len \$domain ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \
    \$leaseActIP because of empty network domain name\"\r\
    \n        :error \"empty network domain name\"\r\
    \n    }\r\
    \n\r\
    \n    :set fqdn \"\$hostname.\$domain\"\r\
    \n\r\
    \n    /ip dns static\r\
    \n    :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disable\
    d=no ] ] = 0 ) do={\r\
    \n        :log info \"DHCP2DNS: registering static domain name \$fqdn for \
    address \$leaseActIP with ttl \$ttl\"\r\
    \n        add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag\
    \_disabled=no\r\
    \n    } else={\r\
    \n        :log error \"DHCP2DNS: not registering domain name \$fqdn for ad\
    dress \$leaseActIP because of existing active static DNS entry with this n\
    ame or address\"\r\
    \n    }\r\
    \n    /\r\
    \n} else={\r\
    \n    /ip dns static\r\
    \n    :local dnsDhcpId\r\
    \n    :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
    \n    :if ( [ :len \$dnsDhcpId ] > 0 ) do={\r\
    \n        :log info \"DHCP2DNS: removing static domain name(s) for address\
    \_\$leaseActIP\"\r\
    \n        remove \$dnsDhcpId\r\
    \n    }\r\
    \n    /\r\
    \n} " name=server1
add address-pool=pool2 disabled=no interface=vlan_iot lease-script=":local DHC\
    Ptag\r\
    \n:set DHCPtag \"#DHCP\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n    :local ttl\r\
    \n    :local domain\r\
    \n    :local hostname\r\
    \n    :local fqdn\r\
    \n    :local leaseId\r\
    \n    :local comment\r\
    \n\r\
    \n    /ip dhcp-server\r\
    \n    :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n    network \r\
    \n    :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n\r\
    \n    .. lease\r\
    \n    :set leaseId [ find address=\$leaseActIP ]\r\
    \n\r\
    \n    # Check for multiple active leases for the same IP address. It's wei\
    rd and it shouldn't be, but just in case.\r\
    \n\r\
    \n    :if ( [ :len \$leaseId ] != 1) do={\r\
    \n        :log info \"DHCP2DNS: not registering domain name for address \$\
    leaseActIP because of multiple active leases for \$leaseActIP\"\r\
    \n        :error \"multiple active leases for \$leaseActIP\"\r\
    \n    }  \r\
    \n\r\
    \n    :set hostname [ get \$leaseId host-name ]\r\
    \n    :set comment [ get \$leaseId comment ]\r\
    \n    /\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \
    \$leaseActIP because of empty lease host-name or comment\"\r\
    \n        :error \"empty lease host-name or comment\"\r\
    \n    }\r\
    \n    :if ( [ :len \$domain ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \
    \$leaseActIP because of empty network domain name\"\r\
    \n        :error \"empty network domain name\"\r\
    \n    }\r\
    \n\r\
    \n    :set fqdn \"\$hostname.\$domain\"\r\
    \n\r\
    \n    /ip dns static\r\
    \n    :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disable\
    d=no ] ] = 0 ) do={\r\
    \n        :log info \"DHCP2DNS: registering static domain name \$fqdn for \
    address \$leaseActIP with ttl \$ttl\"\r\
    \n        add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag\
    \_disabled=no\r\
    \n    } else={\r\
    \n        :log error \"DHCP2DNS: not registering domain name \$fqdn for ad\
    dress \$leaseActIP because of existing active static DNS entry with this n\
    ame or address\"\r\
    \n    }\r\
    \n    /\r\
    \n} else={\r\
    \n    /ip dns static\r\
    \n    :local dnsDhcpId\r\
    \n    :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
    \n    :if ( [ :len \$dnsDhcpId ] > 0 ) do={\r\
    \n        :log info \"DHCP2DNS: removing static domain name(s) for address\
    \_\$leaseActIP\"\r\
    \n        remove \$dnsDhcpId\r\
    \n    }\r\
    \n    /\r\
    \n} " name=server2
add address-pool=pool3 disabled=no interface=vlan_manuel lease-script=":local \
    DHCPtag\r\
    \n:set DHCPtag \"#DHCP\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n    :local ttl\r\
    \n    :local domain\r\
    \n    :local hostname\r\
    \n    :local fqdn\r\
    \n    :local leaseId\r\
    \n    :local comment\r\
    \n\r\
    \n    /ip dhcp-server\r\
    \n    :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n    network \r\
    \n    :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n\r\
    \n    .. lease\r\
    \n    :set leaseId [ find address=\$leaseActIP ]\r\
    \n\r\
    \n    # Check for multiple active leases for the same IP address. It's wei\
    rd and it shouldn't be, but just in case.\r\
    \n\r\
    \n    :if ( [ :len \$leaseId ] != 1) do={\r\
    \n        :log info \"DHCP2DNS: not registering domain name for address \$\
    leaseActIP because of multiple active leases for \$leaseActIP\"\r\
    \n        :error \"multiple active leases for \$leaseActIP\"\r\
    \n    }  \r\
    \n\r\
    \n    :set hostname [ get \$leaseId host-name ]\r\
    \n    :set comment [ get \$leaseId comment ]\r\
    \n    /\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \
    \$leaseActIP because of empty lease host-name or comment\"\r\
    \n        :error \"empty lease host-name or comment\"\r\
    \n    }\r\
    \n    :if ( [ :len \$domain ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \
    \$leaseActIP because of empty network domain name\"\r\
    \n        :error \"empty network domain name\"\r\
    \n    }\r\
    \n\r\
    \n    :set fqdn \"\$hostname.\$domain\"\r\
    \n\r\
    \n    /ip dns static\r\
    \n    :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disable\
    d=no ] ] = 0 ) do={\r\
    \n        :log info \"DHCP2DNS: registering static domain name \$fqdn for \
    address \$leaseActIP with ttl \$ttl\"\r\
    \n        add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag\
    \_disabled=no\r\
    \n    } else={\r\
    \n        :log error \"DHCP2DNS: not registering domain name \$fqdn for ad\
    dress \$leaseActIP because of existing active static DNS entry with this n\
    ame or address\"\r\
    \n    }\r\
    \n    /\r\
    \n} else={\r\
    \n    /ip dns static\r\
    \n    :local dnsDhcpId\r\
    \n    :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
    \n    :if ( [ :len \$dnsDhcpId ] > 0 ) do={\r\
    \n        :log info \"DHCP2DNS: removing static domain name(s) for address\
    \_\$leaseActIP\"\r\
    \n        remove \$dnsDhcpId\r\
    \n    }\r\
    \n    /\r\
    \n} " name=server3
add address-pool=pool_vpn disabled=no interface=vlan_vpn name=server4_vpn
/ip ipsec mode-config
add address-pool=pool_vpn name=vpndhcp
/ppp profile
add local-address=10.0.254.254 name=l2tp_vpn remote-address=pool_vpn \
    use-encryption=required use-mpls=yes
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
    -80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=\
    -120..120 ssid-regexp=""
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=20
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=hap1_solo
add bridge=bridge1 interface=hap1_2
add bridge=bridge1 interface=hap1_5
add bridge=bridge1 interface=cap1_2
add bridge=bridge1 interface=cap1_5
add bridge=bridge1 interface=cap1_iot pvid=10
add bridge=bridge1 interface=hap1_iot pvid=10
add bridge=bridge1 interface=hap1_m2 pvid=20
add bridge=bridge1 interface=hap1_m5 pvid=20
add bridge=bridge1 interface=cap1_m2 pvid=20
add bridge=bridge1 interface=cap1_m5 pvid=20
add bridge=bridge1 interface=cap1_solo
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5,cap1_iot,hap1_iot vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5,cap1_m2,cap1_m5,hap1_m2,hap1_m5 \
    untagged=ether2 vlan-ids=20
add bridge=bridge1 vlan-ids=30
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_vpn enabled=yes ipsec-secret=\
    B5OJdoF7 max-mru=1480 max-mtu=1460 use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface wireless cap
#
set bridge=bridge1 caps-man-addresses=127.0.0.1 enabled=yes interfaces=\
    wlan1,wlan2
/ip accounting
set account-local-traffic=yes enabled=yes
/ip accounting web-access
set accessible-via-web=yes
/ip address
add address=10.0.1.254/24 interface=vlan_iot network=10.0.1.0
add address=10.0.0.254/24 interface=bridge1 network=10.0.0.0
add address=10.0.2.254/24 interface=vlan_manuel network=10.0.2.0
add address=10.0.254.254/24 interface=vlan_vpn network=10.0.254.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.254 gateway=10.0.0.254 netmask=24
add address=10.0.1.0/24 dns-server=10.0.1.254 gateway=10.0.1.254 netmask=24
add address=10.0.2.0/24 dns-server=10.0.2.201,1.0.0.1,8.8.8.8 gateway=\
    10.0.2.254 netmask=24
add address=10.0.254.0/24 dns-server=10.0.2.201 gateway=10.0.254.254
/ip dns
set allow-remote-requests=yes servers=1.0.0.1,8.8.8.8
/ip firewall address-list
add address=10.0.0.0/24 list=Main
add address=10.0.1.0/24 list=Main
add address=10.0.2.0/24 list=Main
add address=10.0.254.0/24 list=Main
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked \
    log-prefix=input_accept
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface-list=LAN protocol=tcp src-port=53
add action=accept chain=input in-interface-list=LAN protocol=udp src-port=53
add action=accept chain=input log=yes log-prefix=input_accept
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 \
    protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=drop chain=input log=yes log-prefix=input_drop
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all forward"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec policy
add proposal=proposal1_l2tp_vpn_ibk template=yes
/ppp secret
add name=vpn-dit password=test profile=l2tp_vpn service=l2tp
/system clock
set time-zone-name=Europe/Vienna

I have connected a 5G router on port 1, so there is no PPPoE at all. My ether1 port gets its IP dynamically from the router, so there is no IP routing visible in the export file; it's generated dynamically.

But same problem: if I put the LAN or bridge interface in the accept input rule to connect to the hAP ac2, I can't connect and get blocked; if I put my IP address in there, everything works. I understand that it's better to filter here with IP addresses, but why doesn't this work?

And another question: when I put just one drop rule for forward, do I need an accept rule to connect to the internet?
Is this:

add action=drop chain=forward out-interface=ether1

the needed rule, and is this not actually provided by masquerading?

thanks
Manuel

Yes, as I stated,
Forward chain (Oreo Cookie, the cream are the rules you want to permit traffic)
(1) Default Rules…
(2) All the accept rules you need…
(3) Last rule drop all.

So for internet you could put something like
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
OR
add chain=forward action=accept src-address-list=Main out-interface-list=WAN

What I also recommend for your interface-list LAN (don't know why it's acting strange for you):
add both VLANs to the LAN as well.

Okay understand about IP route.
Please confirm that under IP DHCP CLIENT selection, under “Add Default Route” you have YES selected!

Looking a bit more closely in the bridge vlan rules I see many potential errors.
I have highlighted the most obvious. You state that WLAN cap1_iot is an access port accepting traffic from individuals and then tagging that traffic with VLAN10 (as shown on the bridge port - ingress). However when I look at the egress side (Bridge VLAN settings) you are saying tag or keep the tag on the traffic.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=20
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=hap1_solo
add bridge=bridge1 interface=hap1_2
add bridge=bridge1 interface=hap1_5
add bridge=bridge1 interface=cap1_2
add bridge=bridge1 interface=cap1_5
add bridge=bridge1 interface=cap1_iot pvid=10
add bridge=bridge1 interface=hap1_iot pvid=10
add bridge=bridge1 interface=hap1_m2 pvid=20
add bridge=bridge1 interface=hap1_m5 pvid=20
add bridge=bridge1 interface=cap1_m2 pvid=20
add bridge=bridge1 interface=cap1_m5 pvid=20
add bridge=bridge1 interface=cap1_solo
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5,cap1_iot,hap1_iot vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5,cap1_m2,cap1_m5,hap1_m2,hap1_m5 untagged=ether2 vlan-ids=20
add bridge=bridge1 vlan-ids=30

The line should be…
add bridge=bridge1 tagged=bridge1,ether5,hap1_iot untagged=cap1_iot vlan-ids=10

+++++++++++++++++++++++++++++++++++++++++++++++

Applying the logic for your rules…
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=20
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=hap1_solo
add bridge=bridge1 interface=hap1_2
add bridge=bridge1 interface=hap1_5
add bridge=bridge1 interface=cap1_2
add bridge=bridge1 interface=cap1_5
add bridge=bridge1 interface=cap1_iot pvid=10
add bridge=bridge1 interface=hap1_iot pvid=10
add bridge=bridge1 interface=hap1_m2 pvid=20
add bridge=bridge1 interface=hap1_m5 pvid=20
add bridge=bridge1 interface=cap1_m2 pvid=20
add bridge=bridge1 interface=cap1_m5 pvid=20
add bridge=bridge1 interface=cap1_solo
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 untagged=cap1_iot,hap1_iot vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5 untagged=cap1_m2,cap1_m5,hap1_m2,hap1_m5,ether2 vlan-ids=20

As far as this line, not sure why it's here?? It says nothing (no relation to a VLAN in terms of ports??)
add bridge=bridge1 vlan-ids=30

Hello,

yes, “add default route” is selected and the default route is also visible and working.

Short question to the VLAN rules/idea:

In my head CAPsMAN is tagging all packets from interface cap1_iot with VLAN tag 10. So it's coming to the bridge as a packet tagged with VLAN ID 10. I thought untagged means that packets come without any tag and get tagged on/by the bridge?

The line

 add bridge=bridge1 vlan-ids=30

is not used now; I'm planning a new VLAN for all VPN clients, but I'm not sure now if this is the best idea…


After a little bit of testing today I figured out that the VLANs are not part of the bridge. So I have to add them separately to the interface list LAN. If I do so, my accept rule works.

Thanks
Manuel
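The behaviour Manuel ran into above (the `in-interface-list=LAN` accept rule not matching traffic that arrives on a VLAN interface while the list only contains bridge1) and the forward-chain advice earlier in the thread (explicit LAN-to-WAN accept before the final drop; masquerade is NAT, not a filter decision) can both be reproduced with a small first-match model of `/ip firewall filter`. This is an added example, not code from the thread or from MikroTik: it parses rule lines in export syntax and evaluates them the way RouterOS does (first matching terminating rule wins, no match means accept). Interface and list names are the ones in the export; the packets and the exact rule sets are constructed for illustration, and only the matchers this thread uses are modelled.

```python
"""Added example (not from the thread or MikroTik): a first-match model of
RouterOS /ip firewall filter evaluation over rule lines in export syntax.
Interface and list names are from the export; the packets and the exact
rule sets are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PASSTHROUGH_KEYS = {"action", "chain", "log", "log-prefix", "comment"}
TERMINATING = {"accept", "drop", "reject"}


@dataclass
class Packet:
    in_iface: str              # interface the packet arrived on
    out_iface: Optional[str]   # routed egress interface, None in the input chain
    proto: str
    sport: int
    dport: int
    conn_state: str            # new, established, related, invalid, untracked


def parse_rule(line: str) -> Dict[str, str]:
    """Parse one `add key=value ...` export line into a dict of matchers."""
    tokens = line.split()
    if not tokens or tokens[0] != "add":
        raise ValueError(f"not a rule line: {line!r}")
    rule: Dict[str, str] = {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"bad token {tok!r} in {line!r}")
        rule[key] = val
    if "chain" not in rule or "action" not in rule:
        raise ValueError(f"rule needs chain= and action=: {line!r}")
    return rule


def _in_list(iface: Optional[str], spec: str, lists: Dict[str, Set[str]]) -> bool:
    """interface-list matcher; a leading '!' negates, as in RouterOS."""
    members = lists.get(spec.lstrip("!"), set())
    return (iface in members) != spec.startswith("!")


def matches(rule: Dict[str, str], pkt: Packet, lists: Dict[str, Set[str]]) -> bool:
    """True when every matcher in the rule agrees with the packet."""
    checks = {
        "connection-state": lambda v: pkt.conn_state in v.split(","),
        "in-interface": lambda v: pkt.in_iface == v,
        "out-interface": lambda v: pkt.out_iface == v,
        "in-interface-list": lambda v: _in_list(pkt.in_iface, v, lists),
        "out-interface-list": lambda v: _in_list(pkt.out_iface, v, lists),
        "protocol": lambda v: pkt.proto == v,
        "dst-port": lambda v: str(pkt.dport) in v.split(","),
        "src-port": lambda v: str(pkt.sport) in v.split(","),
    }
    for key, val in rule.items():
        if key in PASSTHROUGH_KEYS:
            continue
        if key not in checks:
            raise ValueError(f"matcher {key!r} not modelled")
        if not checks[key](val):
            return False
    return True


def evaluate(chain: str, rules: List[Dict[str, str]], pkt: Packet,
             lists: Dict[str, Set[str]]) -> Tuple[str, Optional[int]]:
    """(verdict, rule index): first matching terminating rule wins; no match = accept."""
    for idx, rule in enumerate(rules):
        if rule["chain"] == chain and matches(rule, pkt, lists):
            if rule["action"] not in TERMINATING:
                raise ValueError(f"action {rule['action']!r} not modelled")
            return rule["action"], idx
    return "accept", None


def load_rules(text: str) -> List[Dict[str, str]]:
    return [parse_rule(line) for line in text.strip().splitlines()]


# Constructed rule sets in the shape this thread discusses.
INPUT_RULES = load_rules("""
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input log=yes log-prefix=input_drop
""")
FORWARD_RULES = load_rules("""
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment=drop-all-forward
""")

# Interface lists as exported (only bridge1 in LAN) and with the VLANs added.
LISTS_BRIDGE_ONLY = {"WAN": {"ether1"}, "LAN": {"bridge1"}}
LISTS_WITH_VLANS = {"WAN": {"ether1"},
                    "LAN": {"bridge1", "vlan_manuel", "vlan_iot", "vlan_vpn"}}

# Constructed samples: Winbox (tcp/8291) to the router from a vlan_manuel host,
# a new LAN->WAN connection, and an unsolicited WAN->LAN connection.
WINBOX_FROM_VLAN = Packet("vlan_manuel", None, "tcp", 58844, 8291, "new")
LAN_TO_WAN = Packet("vlan_manuel", "ether1", "tcp", 40000, 443, "new")
WAN_TO_LAN = Packet("ether1", "vlan_manuel", "tcp", 40000, 445, "new")
```

Running `evaluate("input", INPUT_RULES, WINBOX_FROM_VLAN, LISTS_BRIDGE_ONLY)` returns `("drop", 2)`: the packet's in-interface is `vlan_manuel`, which is not a member of a list containing only `bridge1`, so it falls through to the logging drop. With `LISTS_WITH_VLANS` the same packet returns `("accept", 1)`. In the forward chain, `LAN_TO_WAN` is accepted by the explicit LAN-to-WAN rule and `WAN_TO_LAN` falls through to the final drop; with the bridge-only list even `LAN_TO_WAN` is dropped, because the srcnat masquerade rule plays no part in the filter decision.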

VLANs are part of the bridge as they are assigned to the bridge interface.
They may not be considered part of the LAN when one puts the bridge as part of the LAN interface list.
This certainly needs to be clarified by someone who knows the OS better than I…

CAPsMAN should have nothing to do with VLANs; I don't use VLANs in any of my WLAN assignments, but they run on VLANs.
The way this assignment is done is bridge port identification (ingress behaviour) and bridge VLAN identification (egress behaviour).

My recommendation is get rid of assigning VLANs in CAPsMAN unless you are doing something with CAPsMAN and VLANs for an extra layer of control or blocking etc. that I am not aware about.
For example I have no clue what datapaths are. 🙂
The router should do the routing and the CAPsMAN is there to simplify WiFi if you have multiple APs.
At least that's my understanding, but it seems there may be more going on???
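The ingress/egress split described in the reply above (bridge-port `pvid` decides which VLAN an untagged frame joins on the way in; bridge-VLAN `tagged`/`untagged` membership decides how, or whether, a frame leaves a port) can be made concrete with a generic 802.1Q bridge model. This is an added example, not code from the thread or from MikroTik: it encodes the bridge VLAN table as exported and the table the reply proposes, using the port names from the export, and runs constructed frames through both. RouterOS's automatic untagged membership for ports that carry a `pvid` is deliberately not modelled, so the results describe plain 802.1Q semantics rather than the exact RouterOS table.

```python
"""Added example (not from the thread or MikroTik): a generic 802.1Q bridge
model that separates ingress (bridge-port pvid for untagged frames) from
egress (bridge-vlan tagged/untagged membership).  Port names are from the
export; frames are constructed.  RouterOS's automatic untagged membership
of pvid ports is not modelled."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Frame:
    in_port: str
    vid: Optional[int]   # None = arrived without an 802.1Q tag


@dataclass
class BridgeVlans:
    pvid: Dict[str, int]           # /interface bridge port ... pvid=
    tagged: Dict[int, Set[str]]    # /interface bridge vlan tagged=
    untagged: Dict[int, Set[str]]  # /interface bridge vlan untagged=

    def ingress_vid(self, frame: Frame) -> int:
        """Tagged frames keep their VID; untagged frames join the port pvid."""
        if frame.vid is not None:
            return frame.vid
        return self.pvid.get(frame.in_port, 1)   # RouterOS default pvid is 1

    def egress(self, vid: int, out_port: str) -> str:
        """How the frame leaves out_port: 'tagged:<vid>', 'untagged' or 'dropped'."""
        if out_port in self.tagged.get(vid, set()):
            return f"tagged:{vid}"
        if out_port in self.untagged.get(vid, set()):
            return "untagged"
        return "dropped"       # out_port is not a member of this VLAN

    def forward(self, frame: Frame, out_port: str) -> str:
        return self.egress(self.ingress_vid(frame), out_port)


PVIDS = {"ether2": 20, "cap1_iot": 10, "hap1_iot": 10, "hap1_m2": 20,
         "hap1_m5": 20, "cap1_m2": 20, "cap1_m5": 20}

# Bridge VLAN table as exported: the IoT CAP interfaces are tagged members.
EXPORTED = BridgeVlans(
    pvid=PVIDS,
    tagged={10: {"bridge1", "ether5", "cap1_iot", "hap1_iot"},
            20: {"bridge1", "ether5", "cap1_m2", "cap1_m5", "hap1_m2", "hap1_m5"},
            30: set()},
    untagged={20: {"ether2"}},
)

# The table as the reply proposes it: CAP interfaces untagged, trunks tagged.
PROPOSED = BridgeVlans(
    pvid=PVIDS,
    tagged={10: {"bridge1", "ether5"}, 20: {"bridge1", "ether5"}},
    untagged={10: {"cap1_iot", "hap1_iot"},
              20: {"cap1_m2", "cap1_m5", "hap1_m2", "hap1_m5", "ether2"}},
)
```

In this model a frame from `cap1_iot` reaches `bridge1` tagged with VLAN 10 under both tables, whether it arrived already tagged (the CAPsMAN-tags-it view) or untagged and was assigned via the `pvid` (the bridge-tags-it view). The two tables differ only in how a reply from `bridge1` leaves `cap1_iot`: `tagged:10` in the exported table, `untagged` in the proposed one, which is exactly the point the two posts disagree on, namely whether the CAPsMAN datapath or the bridge is expected to handle the tag. The model also shows why `add bridge=bridge1 vlan-ids=30` with no member ports does nothing useful yet: a VLAN 30 frame is dropped on every egress port, and an untagged frame on a port without a `pvid` (for example `ether3`) ends up in VLAN 1, where no port is a member either.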