Firewall rules

David1234 · April 2, 2014, 7:04am

hello
I want to connect 2 units using wds ,and in every unit I have 2 Vlan (that I need them to talk between them)
I have config everything but I think I’m missing some rules to make this work
I can go to the internet from the 2nd unit , but I can’t go the private Vlan
this is Unit1(that connected to the external modem )

/interface bridge
add l2mtu=1524 name=Bridge-BH protocol-mode=rstp
add name=V_Bridge-Private protocol-mode=rstp
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g disabled=no frequency=2462 \
    frequency-mode=superchannel l2mtu=2290 mode=ap-bridge name=\
    wlan-2.4Ghz-hotspot ssid=FREE tx-power=10 tx-power-mode=card-rates \
    wireless-protocol=802.11 wmm-support=enabled
set [ find default-name=wlan2 ] antenna-mode=ant-b disabled=no frequency=5280 \
    frequency-mode=superchannel hide-ssid=yes l2mtu=2290 mode=ap-bridge name=\
    wlan1-5Ghz radio-name=Unit1-100 scan-list=5100-5200 ssid=BH \
    tx-power=10 tx-power-mode=card-rates wds-default-bridge=Bridge-BH \
    wds-mode=dynamic-mesh wireless-protocol=802.11 wmm-support=enabled
/interface ethernet
set [ find default-name=ether1 ] name="ether1-not use"
set [ find default-name=ether2 ] name="ether2-to private"
set [ find default-name=ether3 ] name="ether3-to modem"
/interface vlan
add interface="ether2-to private" l2mtu=1520 name=vlan-Private vlan-id=20
/interface wireless
add disabled=no l2mtu=2290 mac-address=02:15:6D:53:76:CF master-interface=\
    wlan-2.4Ghz-hotspot name=VAP-Private ssid=Private wds-cost-range=0 \
    wds-default-cost=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=3GRouter
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=camera supplicant-identity="" \
    wpa2-pre-shared-key=cameracamera
/ip hotspot profile
set [ find default=yes ] dns-name="testing " hotspot-address=172.16.1.254 \
    login-by=http-chap,http-pap
/ip pool
add name=dhcp_pool1 ranges=172.16.1.1-172.16.1.253
add name=dhcp_pool2 ranges=172.16.2.100-172.16.2.150
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=wlan-2.4Ghz-hotspot name=\
    dhcp1
add address-pool=dhcp_pool2 disabled=no interface=V_Bridge-Private name=dhcp2
/ip hotspot user profile
set [ find default=yes ] address-pool=dhcp_pool1 idle-timeout=5m \
    keepalive-timeout=5m mac-cookie-timeout=3d session-timeout=1d \
    shared-users=80
/interface bridge port
add bridge=V_Bridge-Private interface=vlan-Private
add bridge=V_Bridge-Private interface="ether2-to private"
add bridge=Bridge-BH interface=wlan1-5Ghz
add bridge=Bridge-BH interface="ether3-to modem"
add bridge=V_Bridge-Private interface=VAP-Private
/ip address
add address=10.0.0.101/24 interface=Bridge-BH network=10.0.0.0
add address=172.17.2.102/24 interface=wlan-2.4Ghz-hotspot network=172.17.2.0
add address=172.16.2.254/24 interface=V_Bridge-Private network=172.16.2.0
add address=10.10.10.254/24 interface=wlan1-5Ghz network=10.10.10.0
/ip dhcp-server network
add address=172.16.2.0/24 dns-server=8.8.8.8 gateway=172.16.2.254
/ip firewall nat
add action=masquerade chain=srcnat
/ip hotspot user
add name=admin
/ip route
add comment="IP of the modem " distance=1 gateway=10.0.0.254
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=Unit1-101

this is unit2 (connected by 5Ghz - and can go to the internet)

# apr/02/2014 10:06:04 by RouterOS 6.5
# software id = AD9Q-U00E
#
/interface bridge
add l2mtu=2290 name=Bridge-BH protocol-mode=rstp
add l2mtu=1520 name=V_Bridge-Private protocol-mode=rstp
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g disabled=no frequency=2427 \
    frequency-mode=superchannel l2mtu=2290 mode=ap-bridge name=\
    wlan-2.4Ghz-hotspot radio-name=2.4G-AP scan-list=2400-2500 ssid=FREE \
    tx-power=15 tx-power-mode=card-rates wireless-protocol=802.11 \
    wmm-support=enabled
set [ find default-name=wlan2 ] antenna-mode=ant-b disabled=no frequency=5280 \
    hide-ssid=yes l2mtu=2290 mode=ap-bridge name=wlan1-5Ghz radio-name=\
    Unit2-102 scan-list=5200-5400 ssid=BH tx-power=10 tx-power-mode=\
    card-rates wds-default-bridge=Bridge-BH wds-mode=dynamic-mesh \
    wireless-protocol=802.11 wmm-support=enabled
/interface ethernet
set [ find default-name=ether1 ] name="ether1-not use"
set [ find default-name=ether2 ] name="ether2-not use"
set [ find default-name=ether3 ] name=ether3-Private
/ip neighbor discovery
set wlan-2.4Ghz-hotspot discover=no
set wlan1-5Ghz discover=no
/interface vlan
add interface=ether3-Private l2mtu=1520 name=vlan-private vlan-id=20
/interface wireless
add disabled=no l2mtu=2290 mac-address=02:15:6D:63:5F:16 master-interface=\
    wlan-2.4Ghz-hotspot name=Wlan-VAP-Private ssid=BeezzPrivate \
    wds-cost-range=0 wds-default-cost=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=KorenRon hotspot-address=10.0.1.254 login-by=http-pap name=\
    hsprof1
/ip pool
add name=dhcp_pool2 ranges=172.16.2.100-172.16.2.150
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=wlan-2.4Ghz-hotspot name=\
    dhcp1
add address-pool=dhcp_pool2 disabled=no interface=V_Bridge-Private name=dhcp2
/ip hotspot user profile
set [ find default=yes ] address-pool=dhcp_pool1 idle-timeout=50m \
    keepalive-timeout=5m mac-cookie-timeout=3d shared-users=60
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/user group
add name=bus policy="local,telnet,ssh,ftp,reboot,read,write,test,web,sniff,sen\
    sitive,api,!policy,!winbox,!password" skin=Bus
/interface bridge port
add bridge=Bridge-BH interface=wlan1-5Ghz
add bridge=V_Bridge-Private interface=ether3-Private
add bridge=V_Bridge-Private interface="ether2-not use"
add bridge=V_Bridge-Private interface=Wlan-VAP-Private
add bridge=V_Bridge-Private interface=vlan-private
/ip address
add address=10.0.0.102/24 interface=Bridge-BH network=10.0.0.0
add address=172.17.2.102/24 interface=wlan-2.4Ghz-hotspot network=172.17.2.0
add address=172.16.2.253/24 interface=V_Bridge-Private network=172.16.2.0
add address=10.10.10.253/24 interface=wlan1-5Ghz network=10.10.10.0
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=172.16.2.0/24 dns-server=0.0.0.0 gateway=172.16.2.253
/ip dns
set max-udp-packet-size=512
/ip firewall nat
add action=masquerade chain=srcnat
/ip proxy
set max-cache-size=none parent-proxy=0.0.0.0
/ip route
distance=1 gateway=10.10.10.254
/ip service
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=Unit2-102
/system logging
add topics=debug
add topics=dhcp

what am I missing \ didn’t do?

Rudios · April 2, 2014, 9:34am

I can not clearly conclude how your ether ports are wired but the thing I see is that you added two interfaces to the VLAN bridge.

The VLAN interface
the ether interface the VLAN is created on
I suggest you remove the ehter interface. Then all the traffice entered the ether interface is put on the VLAN interface, and the put to the bridge.

David1234 · April 2, 2014, 11:41am

but now it’s not working at all…
I don’t have a ping to a computer that connected to Unit2 with IP 172.16.2.200

Rudios · April 2, 2014, 11:49am

How are your devices connected?
Can you share a graphic?

David1234 · April 3, 2014, 8:56am

hope this help

what I want to do -
to see all the VLAN network (computers and wireless devices) from all devices that connected to it