Hi all. I am new to Mikrotik and have recently bought a HaP mini which I have connected to my main HaP2 router. I wouke like to setup a guest wifi on the mini router and set it as access point to offer 3 ethernet ports on 88.0 network but the gust must be on 89.0 network with no access to 88.0 Lan or resources. The same ssid for guest must be used on the main router as well. I have tried CAPsMan with no luck. Please help.
Thanks
Post both configs… I will set you up so it works without capsman…
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
Main router config:
/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge
add name=bridge1-vlan1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="south africa"
disabled=no distance=indoors frequency=2462 mode=ap-bridge ssid=
Hen-Lounge wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce
country="south africa" disabled=no distance=indoors installation=indoor
mode=ap-bridge ssid=Hen-Lounge-5GHz wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys
supplicant-identity=MikroTik wpa-pre-shared-key=**************
wpa2-pre-shared-key=**************
add authentication-types=wpa2-psk management-protection=allowed mode=
dynamic-keys name=profile1-guest supplicant-identity=MikroTik
wpa-pre-shared-key=************** wpa2-pre-shared-key=
""
/interface wireless
add disabled=no mac-address= master-interface=wlan1 name=
wlan3 security-profile=profile1-guest ssid=Hen-Guest-Lounge vlan-mode=
use-tag wds-default-bridge=bridge wps-mode=disabled
add mac-address=**************** master-interface=wlan2 name=wlan4
security-profile=profile1-guest ssid=Hen-Guest-Lounge-5GHz vlan-mode=
use-tag wds-default-bridge=bridge wps-mode=disabled
/interface vlan
add interface=wlan3 name=vlan1 vlan-id=1
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=23h10m name=
defconf
add address-pool=dhcp_pool1 disabled=no interface=bridge1-vlan1 lease-time=
1h10m name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge1-vlan1 interface=vlan1
add bridge=bridge1-vlan1 interface=wlan3
add bridge=bridge1-vlan1 interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=
192.168.88.0
add address=192.168.89.1/24 interface=bridge1-vlan1 network=192.168.89.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.253 client-id=********* comment=MikroTik-AP1
mac-address=********* server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.89.0/24 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=
8.8.8.8,8.8.4.4,209.203.10.208,196.22.218.248
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input dst-port=80 protocol=tcp
add action=drop chain=forward in-interface=bridge1-vlan1 out-interface=bridge
add action=reject chain=input comment=DDOS-UDP dst-port=53 in-interface=
ether1 protocol=udp reject-with=icmp-network-unreachable
add action=reject chain=input comment=DDOS-TCP dst-port=53 in-interface=
ether1 protocol=tcp reject-with=icmp-network-unreachable
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=7001 in-interface=ether1 protocol=
tcp to-addresses=192.168.88.1 to-ports=80
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Mikrotik-AP1 config: (it is blank as I did a reset)
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/ip dhcp-client
add disabled=no interface=ether1
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=MikroTik-AP1
# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge vlan-filtering=no { change to yes as last config step }
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
"**************"
/interface vlan
add interface=vlan2-home interface=bridge vlan-id=2
add interface=vlan10-guest interface=bridge vlan-id=10
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlan2-home lease-time=23h10m name=\
defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan10-guest lease-time=\
1h10m name=dhcp1
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5 comment="Trunk to MT Ap/swtich"
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan4 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=2
add bridge=bridge tagged=bridge,ether5 untagged=wlan3,wlan4 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 interface=vlan2-home network=192.168.88.0
add address=192.168.89.1/24 interface=vlan10-guest network=192.168.89.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1
/ip dns static { REMOVE THIS }
add address=192.168.88.1 comment=defconf name=router.lan { REMOVE THIS }
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="home access to config" in-interface-list=vlan2-home
add action=accept chain=input comment="User access to DNS" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="User access to DNS" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop comment="Drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
add action=dst-nat chain=dstnat dst-port=7001 in-interface=ether1 protocol=\
tcp to-addresses=192.168.88.1 to-ports=80
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Mikrotik-AP1 config: (it is blank as I did a reset)
SAME WIRELESS SETUP AS MAIN ROUTER !!!
# model = RB931-2nD
# serial number = *******
/interface bridge
add admin-mac= auto-mac=no name=bridge vlan-filtering=yes
/interface vlan
add comment="Management" interface=bridge name=VLAN2-HOME vlan-id=2
/interface list
add name=MANAGEMENT
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk from router"
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan4 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=MANAGEMENT
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=wlan1,wlan2 vlan-ids=2
add bridge=bridge tagged=ether1 untagged=wlan3,wlan4 vlan-ids=10
/interface list member
add interface=VLAN2-HOME list=MANAGEMENT
/ip address
add address=192.168.88.XX/24 interface=VLAN2-HOME network=192.168.88.0
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT
/system identity
set name=MikroTik-AP1
Thanks for the new configs. Let me make the changes and let you know the outcome.
Regards
I tried to apply the config via terminal but it fails. Then I made the changes via Winbox which was a challenge and then got to a point and lost access to the router and could not even connect via mac address. I had to reset and restore a backup.
What is the best way to go ahead?
Thanks
First, set up a separate VLAN for your guest network (like VLAN 89). Then, configure your HaP mini to use that VLAN for the guest WiFi and adjust access point settings accordingly. Finally, block traffic between the guest network and your main LAN using firewall rules.
Okay to do this as smoothly as possible I config OFF BRIDGE.
By that I mean on the HAP AC2 for example, take one port off the bridge, give it an IP address and then attach desktop/laptop to that port by ethernet and modify ethernet card IPV4 settings.
Since you use ether5 to connect to the mini, we will use ether4. Change it back after if you want to.
/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3 pvid=2
{ether4 has been removed}
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5 comment="Trunk to MT Ap/swtich"
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan4 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether2,ether3,wlan1,wlan2 vlan-ids=2 {ether4 removed}
add bridge=bridge tagged=bridge,ether5 untagged=wlan3,wlan4 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether4 list=LAN
/ip address
add address=192.168.88.1/24 interface=vlan2-home network=192.168.88.0
add address=192.168.89.1/24 interface=vlan10-guest network=192.168.89.0
add address=192.168.55.1./24 interface=ether2 network=192.168.55.0
Now go to your desktop/laptop and for ipv4 settings use address 192.168.55.5
gateway=192.158.55.1 etc.
You should be in and can change the settings and they will stick and you wont get booted out.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Same on the hap mini, use ether3 for OFF bridge. I noted that we never used ether2, or ether3
_# model = RB931-2nD
/interface bridge
add admin-mac= auto-mac=no name=bridge vlan-filtering=yes
/interface list
add name=MANAGEMENT
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk from router"
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan4 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=MANAGEMENT
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether2,wlan1,wlan2 vlan-ids=2
add bridge=bridge tagged=ether1 untagged=wlan3,wlan4 vlan-ids=10
/interface list member
add interface=VLAN2-HOME list=MANAGEMENT
add interface=ether3 list=MANAGEMENT
/ip address
add address=192.168.88.XX/24 interface=VLAN2-HOME network=192.168.88.0
add address=192.168.55.1/24 interface=ether3 network=192.168.55.0_
Thanks all, just a note the hap2 has 5 ethernet ports and port 1 is the wan and 2 is for the hap mini. 3 to 5 is other devices.
The hap mini only has 3 ports, and ethernet 1 is Wan or connection to hap2. Ethernet 2 and 3 I want to have the same network as the rest of my home as well as WiFi. The guest wifi I need isolated and able to route to the main HaP2 and obtain the 89.0/24 network. On the hap2 the guest network must have same ssid and also be isolated like the hap mini.
Please can you share the updated config for these settings.
Tnx
Hi guys, any feedback on my last post. It would be much appreciated.
Thanks
I have provided examples of complete configs, apply knowledge gained, make the effort yourself, and then post your config results.
I worked through the config and tried to also make sense of all the changes but it failed. I managed to connect via LAN onto the managed port but only via web interface. Strange thing was that the internet was blocked with the last firewall rule in the config:
add action=drop chain=forward comment="Drop all else"
.
I disabled this and was able to browse the internet but WinBox still did not work. I could ping the gateway and connect via LAN.
I also could not apply this line, their is no interface list called vlan2-home:
add action=accept chain=input comment="home access to config" in-interface-list=vlan2-home
My final port layouts are as follow:
Here is the config before I restored again to a backup I made: Kindly assist to identify the issue.
# apr/22/2024 20:34:36 by RouterOS 6.49.13
# software id = XBTJ-9NUD
#
# model = RBD52G-5HacD2HnD
# serial number = ********
/interface bridge
add admin-mac=************ auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name="ether1[WAN]"
set [ find default-name=ether2 ] comment="MikroTik - AP (TV Room)" name=\
"ether2[Mikrotik-AP]"
set [ find default-name=ether3 ] comment="Netgear-SW(Bedroom)" name=\
"ether3[NetgeatSW]"
set [ find default-name=ether4 ] comment=OGNW-POE-SW name="ether4[OGNW]"
set [ find default-name=ether5 ] comment=Management name="ether5[Management]"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="south africa" \
disabled=no distance=indoors frequency=2462 mode=ap-bridge ssid=\
Hen-Lounge wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce \
country="south africa" distance=indoors installation=indoor mode=\
ap-bridge ssid=buzybuy.com-hen007-5GHz wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan2-home vlan-id=2
add interface=bridge name=vlan10-guest vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=******** \
wpa2-pre-shared-key=**************
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=profile1-guest supplicant-identity=MikroTik \
wpa-pre-shared-key=*********************** wpa2-pre-shared-key=\
****************
/interface wireless
add disabled=no mac-address=************* master-interface=wlan1 name=\
wlan3 security-profile=profile1-guest ssid=Hen-Guest-Lounge vlan-mode=\
use-tag wds-default-bridge=bridge wps-mode=disabled
add mac-address=********************* master-interface=wlan2 name=wlan4 \
security-profile=profile1-guest ssid=buzybuy.com-hen007-guest-5GHz \
vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.200
add name=dhcp_pool1 ranges=192.168.89.2-192.168.89.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlan2-home lease-time=23h10m \
name=defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan10-guest lease-time=\
1h10m name=dhcp1
/interface bridge port
add bridge=bridge comment="Trunk to MT Ap/swtich" frame-types=\
admit-only-vlan-tagged ingress-filtering=yes interface=\
"ether2[Mikrotik-AP]"
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
"ether3[NetgeatSW]" pvid=2
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
"ether4[OGNW]" pvid=2
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
"ether5[Management]" pvid=2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged="bridge,ether2[Mikrotik-AP]" untagged=\
"ether5[Management],ether3[NetgeatSW],ether4[OGNW],wlan1,wlan2" vlan-ids=\
2
add bridge=bridge tagged="bridge,ether2[Mikrotik-AP]" untagged=wlan3,wlan4 \
vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1[WAN]" list=WAN
add interface="ether5[Management]" list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlan2-home network=\
192.168.88.0
add address=192.168.89.1/24 interface=vlan10-guest network=192.168.89.0
add address=192.168.88.1/24 interface="ether5[Management]" network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add comment=defconf disabled=no interface="ether1[WAN]" use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.250 comment="Hikvision DVR" mac-address=\
28:57:BE:E3:05:FD server=defconf
add address=192.168.88.252 comment="Samsung Printer" mac-address=\
30:CD:A7:F0:70:3F server=defconf
add address=192.168.88.251 comment="Tenda AP" mac-address=************* \
server=defconf
add address=192.168.88.248 comment=CCTV-2 disabled=yes mac-address=\
E0:62:90:C0:98:00 server=defconf
add address=192.168.88.247 comment="CCTV - 03" mac-address=************* \
server=defconf
add address=192.168.88.246 comment="CCTV - 04" mac-address=************* \
server=defconf
add address=192.168.88.244 comment="Living Room Light" mac-address=\
*********** server=defconf
add address=192.168.88.219 client-id=*********** comment="Android TV" \
mac-address=************ server=defconf
add address=192.168.88.241 client-id=************ comment=\
"Linux Server - Frigate" mac-address=*************
add address=192.168.88.218 comment="Front Door Light" mac-address=\
*********** server=defconf
add address=192.168.88.242 comment="MikroTik-AP[TV Room] Ether3" mac-address=\
****************
add address=192.168.88.243 client-id=************* comment=\
"MikroTik-AP[TV Room] Ether1" mac-address=*************** server=\
defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.89.0/24 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=\
8.8.8.8,8.8.4.4,209.203.10.208,196.22.218.248
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input dst-port=80 protocol=tcp
add action=reject chain=input comment=DDOS-UDP dst-port=53 in-interface=\
"ether1[WAN]" protocol=udp reject-with=icmp-network-unreachable
add action=reject chain=input comment=DDOS-TCP dst-port=53 in-interface=\
"ether1[WAN]" protocol=tcp reject-with=icmp-network-unreachable
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="User access to DNS" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="User access to DNS" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=7001 in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.1 to-ports=80
add action=dst-nat chain=dstnat comment="Hikvision DVR HTTP Port Type" \
dst-port=***in-interface="ether1[WAN]" protocol=tcp to-addresses=\
192.168.88.250 to-ports=***
add action=dst-nat chain=dstnat comment="Hikvision DVR RTSP Port Type" \
dst-port=***in-interface="ether1[WAN]" protocol=tcp to-addresses=\
192.168.88.250 to-ports=***
add action=dst-nat chain=dstnat comment=\
"Hikvision DVR HTTPS Port Type External Port linked to Internal 443 port" \
dst-port=***in-interface="ether1[WAN]" protocol=tcp to-addresses=\
192.168.88.250 to-ports=***
add action=dst-nat chain=dstnat dst-port=***in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.248 to-ports=***
add action=dst-nat chain=dstnat dst-port=***in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.248 to-ports=***
add action=dst-nat chain=dstnat comment="Hikvision DVR Server Port" dst-port=\
***in-interface="ether1[WAN]" protocol=tcp to-addresses=192.168.88.250 \
to-ports=***
add action=dst-nat chain=dstnat comment=\
"OGNW CCTV ***External to 80 Internal" dst-port=***in-interface=\
"ether1[WAN]" protocol=tcp to-addresses=192.168.88.247 to-ports=80
add action=dst-nat chain=dstnat comment=\
"OGNW CCTV ***External to ***Internal" dst-port=***in-interface=\
"ether1[WAN]" protocol=tcp to-addresses=192.168.88.247 to-ports=***
add action=dst-nat chain=dstnat comment=\
"OGNW CCTV ***External to ***Internal" dst-port=***in-interface=\
"ether1[WAN]" protocol=tcp to-addresses=192.168.88.247 to-ports=***
add action=dst-nat chain=dstnat comment=\
"OGNW CCTV ***External to 80 Internal" dst-port=*** in-interface=\
"ether1[WAN]" protocol=tcp to-addresses=192.168.88.246 to-ports=80
add action=dst-nat chain=dstnat comment=\
"OGNW CCTV ***External to ***Internal" dst-port=***in-interface=\
"ether1[WAN]" protocol=tcp to-addresses=192.168.88.246 to-ports=***
add action=dst-nat chain=dstnat comment=\
"OGNW CCTV ***External to ***Internal" dst-port=***in-interface=\
"ether1[WAN]" protocol=tcp to-addresses=192.168.88.246 to-ports=***
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=MikroTik-Main
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
(1) Would ensure these are complete though… Missing PVID!!
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=2
(2) Then, you define wlan3 and wlan4, but where are they on bridge ports??
Should be:
/interface bridge port
add bridge=bridge comment=“Trunk to MT Ap/swtich” frame-types=
admit-only-vlan-tagged ingress-filtering=yes interface=
“ether2[Mikrotik-AP]”
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=
“ether3[NetgeatSW]” pvid=2
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=
“ether4[OGNW]” pvid=2
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=
“ether5[Management]” pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan1 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan2 pvid=2
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan4 pvid=10
(3) Fix your Interface list members!!
/interface list member
add comment=defconf interface=“ether1[WAN]” list=WAN
add interface=vlan2-home list=LAN
add interface=vlan10-guest list=LAN
add interface=“ether5[Management]” list=LAN
(4) I am very confused as your use of ethernet 5>>> REMOVE the Ip address you entered for it !!!
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlan2-home network=
192.168.88.0
add address=192.168.89.1/24 interface=vlan10-guest network=192.168.89.0
add address=192.168.88.1/24 interface=“ether5[Management]” network=
192.168.88.0
(5) This is a potentially dangerous config line and I would remove it for now, and then state what you meant by having it…
add action=accept chain=input dst-port=80 protocol=tcp
(6) Get rid of the not-required noise in the firewall rules not needed or duplicate in purple.
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=input dst-port=80 protocol=tcp
add action=reject chain=input comment=DDOS-UDP dst-port=53 in-interface=
“ether1[WAN]” protocol=udp reject-with=icmp-network-unreachable
add action=reject chain=input comment=DDOS-TCP dst-port=53 in-interface=
“ether1[WAN]” protocol=tcp reject-with=icmp-network-unreachable
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=“User access to DNS” dst-port=53
in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“User access to DNS” dst-port=53
in-interface-list=LAN protocol=tcp
add action=accept chain=forward comment=“internet traffic” in-interface-list=
LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding”
connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop all else” disabled=yes
Should look like.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow trusted LAN" in-interface=vlan2-home
add action=accept chain=input comment="User access to DNS" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="User access to DNS" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else" { put this in last after the allow LAN rule, or you will lock yourself out }
++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
What is a tad frustrating is most of these changes, if not all, were already provided at Post #4 and yet you didn’t implement them ???
Thanks for the effort, it is appreciated. Please bare with me as I am a beginner. Most of these config lines I have to manually config via Winbox because if I execute them via terminal they fail.