Guest WiFi has no internet connection.

Hi, all.

I have a probably trivial problem but I can't really get past it.

So I am trying to configure a guest wifi on my cAP ac. I am not doing this via the wizard, because I have already set up the main, working wifi network and just want to add a secondary one as guest.

The problem is that the guest wifi (the guest bridge) doesn't get any wifi.

So basically my setup:

I have another device which is the gateway on the network, 192.168.1.2
The cAP, 192.168.1.3, is also the DHCP server for 192.168.1.0/24

  1. So I added a new virtual wifi interface
  2. created a new bridge for the guest wifi
  3. added a new bridge port with the newly created wifi interface and bridge
  4. created a new DHCP server for the newly created bridge interface.

The wifi gives out IP addresses for new devices but there is no internet.

  1. added a NAT rule: chain=srcnat out-interface=WAN action=masquerade

Still no internet to the guest wifi.

My config from terminal:
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.1.2               1
 1 ADC  10.10.10.0/24      10.10.10.1      guest-bridge              0
 2 ADC  192.168.1.0/24     192.168.1.3     bridge                    0


[admin@MikroTik] > ip export hide-sensitive
# dec/20/2019 15:39:54 by RouterOS 6.43

#
# model = RouterBOARD cAP Gi-5acD2nD

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.1.200-192.168.1.250
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool2 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge lease-time=5m name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=guest-bridge name=dhcp2
/ip address
add address=192.168.1.3/24 interface=ether2 network=192.168.1.0
add address=10.10.10.1/24 interface=guest-bridge network=10.10.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=bridge
/ip dhcp-server lease
add address=192.168.1.150 client-id=1:7c:7a:91:3e:80:14 mac-address=7C:7A:91:3E:80:14 server=dhcp1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8 gateway=10.10.10.1 netmask=24
add address=192.168.1.0/24 dns-server=192.168.1.2 gateway=192.168.1.2
/ip dns
set servers=192.168.1.2
/ip firewall filter
add action=reject chain=forward comment="test" dst-address=!192.168.1.0/24 reject-with=icmp-network-unreachable src-address=192.168.1.136
add action=accept chain=output disabled=yes
add action=accept chain=input connection-state=established
add action=accept chain=forward
add action=accept chain=output
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.2

Thank you.

You have a rule with out-interface-list=WAN, but there’s no interface list named WAN in the posted config.

In my interface list there is

WAN/ether1 (interface: ether1), which is connected to the gateway

It doesn’t sound right. The gateway is 192.168.1.2, so it can be accessed from 192.168.1.3/24, which you have on ether2. But the connected route for this subnet is on bridge, which means that ether2 is part of the bridge and that’s where the address should be (although this part is not critical). The outgoing interface for the masquerade rule should be bridge too (this is important). And if ether1 is also part of the bridge, it will work.

Two things (might be the cause or not):

  1. you didn’t post the complete config, so we have to imagine stuff. But anyway, it seems that ether2 is part of bridge "bridge" … the subnet 192.168.1.0/24 is reachable via the bridge interface, while the corresponding IP address is assigned to ether2. Move the IP address to the bridge interface.
  2. you have a static IP address assigned to ether2, and at the same time a DHCP client running on bridge; probably you should disable it. Even more so as you’re running a DHCP server on the same interface, and if running a DHCP client made sense, this would mean there was another DHCP server in the same L2 domain.

I see @Sob is a victim of insufficient config export as well :wink:

Thank you for your time and answers.

Sorry, I did not know how much config I should provide :slight_smile:

This is how my bridge ports look:

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=guest-bridge interface=guest-wlan

and addresses

add address=192.168.1.3/24 interface=ether2 network=192.168.1.0
add address=10.10.10.1/24 interface=guest-bridge network=10.10.10.0

So basically I should change ether2 to bridge for address=192.168.1.3/24?

The DHCP client on bridge is already disabled; it looks like my provided config did not show that.

You should move the IP address from ether2 to bridge …

The issue with ether1 being the WAN interface is a bit tricky … ideally all bridge ports (including the bridge interface) should be members of the same interface list. In your case it’s a problem because the WAN interface is not only the WAN for guest-wlan, it’s also the LAN for the rest of the connected devices. And you actually only want to src-nat traffic from the guest wifi, but with the current rule the router will masquerade any packet exiting through ether1 that might incidentally pass the router’s CPU, even if it originated from the 192.168.1.0/24 subnet.

So you had better change the masquerade NAT rule to something like this:

/ip firewall nat
add chain=srcnat action=src-nat src-address=10.10.10.0/24 log=yes

And, BTW, since guest-bridge has only a single member port (guest-wlan), you could omit it entirely and bind all the “guest config” to the guest-wlan interface … this would save a few CPU cycles, but the difference would not really be significant.
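The three checks raised in this thread (an address sitting on a bridge port instead of the bridge, a DHCP client next to a DHCP server, and a srcnat rule that names an undefined interface list or masquerades without a src-address), as an added Python audit over a RouterOS export. This is example code, not from the thread or from MikroTik; the sample export is a constructed condensation of the config posted above.

```python
import shlex
from collections import defaultdict

# Constructed sample: condensed from the export and bridge ports posted in this thread.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge interface=ether2
add bridge=guest-bridge interface=guest-wlan
/ip address
add address=192.168.1.3/24 interface=ether2 network=192.168.1.0
add address=10.10.10.1/24 interface=guest-bridge network=10.10.10.0
/ip dhcp-client
add interface=bridge
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge name=dhcp1
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface-list=WAN
"""

def parse_export(text):
    # Group each "add k=v ..." line under its "/section" header as a dict
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif current and line.startswith("add "):
            kv = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            sections[current].append(kv)
    return sections

def audit(text):
    # Return the misconfigurations discussed in the thread, one string each
    s, findings = parse_export(text), []
    port_to_bridge = {p["interface"]: p["bridge"] for p in s["/interface bridge port"]}
    # An address placed on a bridge *port* instead of the bridge itself
    for a in s["/ip address"]:
        if a["interface"] in port_to_bridge:
            findings.append(f"address {a['address']} on port {a['interface']}; move to {port_to_bridge[a['interface']]}")
    # DHCP client left enabled on an interface that also runs a DHCP server
    servers = {d["interface"] for d in s["/ip dhcp-server"]}
    for c in s["/ip dhcp-client"]:
        if c.get("disabled") != "yes" and c["interface"] in servers:
            findings.append(f"dhcp-client and dhcp-server both on {c['interface']}")
    # srcnat rule pointing at an undefined interface list, or masquerading everything
    lists = {l["name"] for l in s["/interface list"]}
    for n in s["/ip firewall nat"]:
        if n.get("chain") != "srcnat":
            continue
        if "out-interface-list" in n and n["out-interface-list"] not in lists:
            findings.append(f"nat rule uses undefined interface list {n['out-interface-list']}")
        if n.get("action") == "masquerade" and "src-address" not in n:
            findings.append("masquerade rule has no src-address; limit it to the guest subnet")
    return findings
```

Feed it the output of `/export` from the router; lines starting with `set` are ignored, so only `add` entries are audited.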

You should move the IP address from ether2 to bridge …

Sorry for my ignorance, but how should I do that?

There are many ways to change things; from the CLI you could do something like:

/ip address
set [ find address="192.168.1.3/24" ] interface=bridge

I’m guessing that from the GUI you select the address line and then select the correct interface from the (drop-down) list.

You can expect intermittent loss of management accessibility after you change the interface if the bridge has a different MAC address than ether2.

Probably it would be wise to enable safe mode before running the command (in the CLI press Ctrl-X; in the GUI there supposedly is a button somewhere). If management connectivity resumes after a short while, exit safe mode (or else the changes revert after log-out).