hAP ac lite: configure guest network in WISP AP mode

Hi, for some time now I have been trying to get my hAP ac lite configured so that I have:

  1. regular private network access including access to my own network devices, and
  2. a guest network which limits the access to the internet

As a starting point I used the set of rules for the WISP AP mode. Based on information from the forum I've come up with the below configuration. The private connection to the internet works fine, and the guest access (MyTik_2G_2) does allow clients to connect and allows access to the internet (I added NAT/masquerade for the guest network), but I cannot isolate it from my home network. What firewall rules do I need to add to make the guest network guest-proof?
Thanks
Mike

Current configuration
(please notice that the network configured by defconf (192.168.88.0) has been disabled)

# mar/25/2022 12:26:31 by RouterOS 6.49.5
# software id = AUD0-SZKJ
#
# model = RB952Ui-5ac2nD
# serial number = CC3E0EE9FF44

/interface bridge
add admin-mac=2C:C8:1B:D8:DB:1C auto-mac=no comment=defconf name=bridge-private
add name=bridge-public

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=netherlands disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MyTik_2G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=netherlands disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MyTik_5G wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:D8:DB:22 master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=MyTik_2G_2 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=12345678 wpa2-pre-shared-key=12345678
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=private supplicant-identity="" wpa2-pre-shared-key=12345678

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=public ranges=10.10.10.2-10.10.10.254

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-private name=defconf
add address-pool=public disabled=no interface=bridge-public name=public

/interface bridge port
add bridge=bridge-private comment=defconf interface=ether2
add bridge=bridge-private comment=defconf interface=ether3
add bridge=bridge-private comment=defconf interface=ether4
add bridge=bridge-private comment=defconf interface=ether5
add bridge=bridge-private comment=defconf interface=wlan1
add bridge=bridge-private comment=defconf interface=wlan2
add bridge=bridge-private interface=ether1
add bridge=bridge-public interface=wlan3

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN

/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge-private network=192.168.88.0
add address=10.10.10.1/24 interface=bridge-public network=10.10.10.0

/ip dhcp-client
add comment=defconf disabled=no interface=bridge-private

/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf dns-server=192.168.88.1 gateway=0.0.0.0 netmask=24
add address=10.10.10.0/24 gateway=10.10.10.1

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=“NAT Guest” out-interface=bridge-private src-address=10.10.10.0/24

/system clock
set time-zone-name=Europe/Amsterdam
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

edit: Nm

Your config is very confused, especially within the context of your explanation, and thus not sure what you are trying to accomplish.
Please draw a network diagram

Here's the simplified topology. The MT is initially configured as WISP AP in bridge mode. The public (guest) network has its own DHCP server for 10.10.10.0.

(attachment: Simplified topology.jpg)

Ahh okay and what is the reason for dhcp on the haplite vice the main router??

ISP blocked most configuration options

If the block named "Router DHCP server" is the ISP router then you probably can't do things safely. The problem is that the ISP router probably won't perform NAT for the "alien" IP subnet (10.10.10.0/24), so your hAP ac will have to do it (to its own IP address from the private subnet) and in this case guests will be able to interact with devices in the private subnet. But even if the ISP modem performs NAT, it'll still need to know how to route the new subnet (via hAP ac as gateway). In addition to setting a route towards the public subnet you will have to set the ISP router's firewall to block connections between both of your subnets.

Unless you can put the hAP ac into the ISP modem's DMZ, but in that case you probably won't be able to run an AP for the private LAN on the same device.

So in short: if you really can’t configure ISP in any kind of sensible way, then it won’t be secure.

A solution is to put the hapac (or something like the hex router) behind the ISP modem router so ONLY it gets a 192.168.2.x address as its WAN IP.
Then you can run several subnets including home and guests and keep them separated, all behind the MT router.
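Added example, mine and not sob's or anyone else's in the thread: the routed layout sob describes above, written as the RouterOS changes needed on top of the export in the first post. It assumes that ether1 is the uplink to the ISP router, that ether1 is taken out of bridge-private so the hAP is the only host the ISP router sees, that the home LAN goes back to the defconf 192.168.88.0/24 (disabled in the export) and that the guest network stays on 10.10.10.0/24. The GUEST interface-list name and the rule comments are my own.

```routeros
# Added example (not from the thread): hAP ac lite as a router behind the ISP router.
# Assumes: ether1 = uplink to the ISP router (WAN), bridge-private = home LAN
# 192.168.88.0/24, bridge-public = guest 10.10.10.0/24. Run it from Safe Mode (Ctrl-X)
# when you are connected through ether1, because step 1 cuts that path.

# 1. ether1 stops being a bridge port and becomes the routed WAN interface
/interface bridge port
remove [ find interface=ether1 ]
/ip dhcp-client
remove [ find interface=bridge-private ]
add interface=ether1 add-default-route=yes use-peer-dns=yes comment="WAN: address from ISP router"

# 2. home LAN gets its own subnet again (the export has the defconf address disabled)
/ip address
set [ find address="192.168.88.1/24" ] disabled=no
/ip dhcp-server network
remove [ find address="0.0.0.0/24" ]
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# 3. interface lists: routed traffic arrives on the bridge interface, so list the bridges
/interface list
add name=GUEST
/interface list member
add interface=bridge-private list=LAN
add interface=bridge-public list=GUEST

# 4. NAT: both subnets now leave through the defconf WAN masquerade (ether1 is in WAN),
#    so the guest->bridge-private masquerade from the export is no longer needed
/ip firewall nat
remove [ find comment="NAT Guest" ]

# 5. filter: guests reach the internet and nothing else. The drops go above the
#    fasttrack rule so they apply to every packet, not only to connection-state=new.
/ip firewall filter
add chain=forward action=drop in-interface-list=GUEST out-interface-list=LAN \
    comment="guest: no access to home LAN" place-before=[ find comment="defconf: fasttrack" ]
add chain=forward action=drop in-interface-list=LAN out-interface-list=GUEST \
    comment="guest: no access from home LAN" place-before=[ find comment="defconf: fasttrack" ]
# the ISP router's own LAN (192.168.2.0/24) is reached via WAN, not via LAN, so the
# interface-list rules above do not cover it; block it by address
add chain=forward action=drop in-interface-list=GUEST dst-address=192.168.2.0/24 \
    comment="guest: no access to the ISP router's LAN" place-before=[ find comment="defconf: fasttrack" ]
# the router itself: let guests use its DNS; everything else from GUEST already hits
# the defconf "drop all not coming from LAN" rule because bridge-public is not in LAN
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=53 \
    comment="guest: DNS via the router" place-before=[ find comment="defconf: drop all not coming from LAN" ]
```

The price of this layout is double NAT: the ISP router sees only 192.168.2.10, so anything on the hAP's private side that must be reachable from the ISP router's LAN needs a dst-nat rule on the hAP.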

This is actually what I thought I’m doing in my configuration. MT router gets 192.168.2.10 allocated by ISP router. I masquerade the public subnet (10.10.10.0/24) to bridge-private (I think).

Meanwhile I've monitored the firewall logs and I see that when I do not filter out traffic to 192.168.2.0/24, any request to the internet first makes a call to port 53 on the default gateway. I found that I did not define DNS servers in the dhcp-server for the 10.10.10.0/24 subnet. After I added some public DNS servers to the public dhcp server, this actually solved the problem, as it no longer tries the default local DNS server first.

The current setup works and is as follows, however I’m not sure if this is the best setup:

# mar/28/2022 17:14:01 by RouterOS 7.1.5
# software id = AUD0-SZKJ
#
# model = RB952Ui-5ac2nD
# serial number = CC3E0EE9FF44
/interface bridge
add admin-mac=2C:C8:1B:D8:DB:1C auto-mac=no comment=defconf name=bridge-private protocol-mode=none
add name=bridge-public protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors frequency=2432 installation=indoor \
     mode=ap-bridge ssid=MyTik-2G wireless-protocol=802.11 \
     wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-XX country=netherlands disabled=no \
     distance=indoors installation=indoor mode=ap-bridge ssid=MyTik-5G \
     wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:D8:DB:21 master-interface=wlan1 \
     multicast-buffering=disabled name=wlan4 ssid=MyTik-2 wds-cost-range=0 \
     wds-default-cost=0 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap eap-methods="" mode=dynamic-keys name=public supplicant-identity=123456789
add authentication-types=wpa2-psk,wpa2-eap eap-methods="" mode=dynamic-keys name=temporary-access \
     supplicant-identity=123456789 
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:D8:DB:22 master-interface=wlan1 \
     multicast-buffering=disabled name=wlan3 security-profile=public \
     ssid=MyTik-guest wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:D8:DB:23 master-interface=wlan2 \
     multicast-buffering=disabled name=wlan5 security-profile=temporary-access \
     ssid=MyTik-guest-2 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=public ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-private name=defconf
add address-pool=public interface=bridge-public name=public
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge-public comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge-public comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge-public comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge-public comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge-private comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge-private comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge-private ingress-filtering=no interface=ether1
add bridge=bridge-public ingress-filtering=no interface=wlan3
add bridge=bridge-private ingress-filtering=no interface=wlan4
add bridge=bridge-public ingress-filtering=no interface=wlan5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge-private network=192.168.88.0
add address=10.10.10.1/24 interface=bridge-public network=10.10.10.0
/ip dhcp-client
add comment=defconf interface=bridge-private
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf dns-none=yes gateway=0.0.0.0 netmask=24
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=8.8.8.8 name=public_dns_1
add address=8.8.4.4 name=public_dns_2
add address=192.168.2.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="winbox access from wan" dst-port=8291 protocol=tcp
add action=accept chain=input comment="https access to router" dst-port=443 protocol=tcp
add action=drop chain=forward dst-address=192.168.2.0/24 src-address=10.10.10.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
     connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="NAT Guest" log=yes out-interface=bridge-private src-address=10.10.10.0/24
/ip service
set www-ssl certificate=cert0001 disabled=no
/system clock
set time-zone-name=Europe/Amsterdam
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Don't see any routes…
Did you assign yes to ISP route automatic in IP DHCP CLIENT??

What shows when you print IP routes details…
+++++++++++++++++++++++++++++++++++++

In other words, how is the public traffic getting to the private bridge… src-nat is what it does, not how it gets there…

Mm… yes, although the routes are not exported with the 'export' command, they are still defined.

/ip/dhcp-client> print
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE       USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  ADDRESS        
;;; defconf
0 bridge-private  yes           yes                bound   192.168.2.10/24

/ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS     GATEWAY         DISTANCE
DAd 0.0.0.0/0       192.168.2.254          1
DAc 10.10.10.0/24   bridge-public          0
DAc 192.168.2.0/24  bridge-private         0

Looks like it should work.
The only other rule I would consider is
add chain=forward action=drop src-address=192.168.2.0/24 dst-address=10.10.10.0/24
to ensure private users also on the hapac won't be able to access guest users, just to be sure.

Yes anav, you’re right, didn’t think of that. Will add that rule to ensure 2-way protection…
Thanks for your thoughts and considerations!
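Added example, mine and not posted by anyone in the thread: a complete isolation rule set for the bridged design in the final export above (ether1 in bridge-private, the hAP at 192.168.2.10 on the ISP router's LAN, guests on 10.10.10.0/24 via bridge-public and masqueraded towards the private side). It covers both the original question of which rules make the guest network guest-proof and anav's reverse-direction rule. Two caveats a reader of the export should know: the two accept rules at the top of its input chain (TCP 8291 and 443) match on any interface, so as posted they also admit guests to Winbox and the HTTPS UI; and the export already works with wlan3/wlan5 outside the LAN list, i.e. with everything from guests dropped in input, because the RouterOS DHCP server is served before the IP firewall, so no DHCP rule is needed. The address-list name and rule comments are my own; the WAN behaviour of the 8291/443 rules is left as the author chose it.

```routeros
# Added example (not from the thread): guest isolation for the bridged design above.
# Assumes bridge-public = guest 10.10.10.0/24, bridge-private = home LAN 192.168.2.0/24
# shared with the ISP router (192.168.2.254), hAP management address 192.168.2.10.

/ip firewall address-list
add list=private-nets address=192.168.2.0/24 comment="home LAN shared with the ISP router"
# the remaining RFC1918 space as well, so a renumbered or added private subnet stays covered
add list=private-nets address=192.168.0.0/16
add list=private-nets address=172.16.0.0/12
add list=private-nets address=10.0.0.0/8

/ip firewall filter
# forward: both directions, any connection state, placed ABOVE the fasttrack/established
# accepts (as the export's own drop rule already is) so an existing flow cannot keep a hole open
add chain=forward action=drop in-interface=bridge-public dst-address-list=private-nets \
    comment="guest: drop to private networks" place-before=[ find comment="defconf: fasttrack" ]
add chain=forward action=drop out-interface=bridge-public src-address-list=private-nets \
    comment="guest: drop from private networks" place-before=[ find comment="defconf: fasttrack" ]

# input: handle guests BEFORE the "winbox access from wan" / "https access to router"
# accepts, which otherwise match traffic from bridge-public too
add chain=input action=accept in-interface=bridge-public protocol=udp dst-port=53 \
    comment="guest: DNS from the router (optional; omit to keep guests on 8.8.8.8 only)" \
    place-before=[ find comment="winbox access from wan" ]
add chain=input action=drop in-interface=bridge-public \
    comment="guest: nothing else to the router itself" \
    place-before=[ find comment="winbox access from wan" ]

# flows accepted (and fasttracked) before these rules existed keep running until their
# conntrack entries are gone; drop the guest ones now
/ip firewall connection remove [ find src-address~"^10\\.10\\.10\\." ]

# checks: counters on the new rules, and no guest->home-LAN connections in the table
/ip firewall filter print stats where comment~"^guest"
/ip firewall connection print where src-address~"^10\\.10\\.10\\." dst-address~"^192\\.168\\.2\\."
```

From a device on the guest SSID, a ping to 192.168.2.254, a browser to http://192.168.2.254 and a Winbox connection to 192.168.2.10:8291 should all fail, while name resolution and internet access keep working; the `print stats` counters on the "guest:" rules show which rule caught what.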

Well, it's a non-standard approach that looks really innovative!!
Don't think I would have been able to come up with that solution, well done!
One small point: use guest vice public, as public IP etc. has different connotations.

Thanks, anav, but honestly, all credits should go to the members of this forum who've been struggling to find solutions for their problems and freely shared their approaches here…