hAP lite

I’m a beginner and I have a few noobish questions: is it possible to use layer7 filtering if I have an ISP router and a hAP lite connected to it in bridge mode? I need it in bridge mode because I need the IPs to stay in the 192.168.1.x pool. Everything is working fine when the hAP lite is in router mode in the 88 pool, and when I switch it to bridge mode the filtering is not working anymore. I googled a lot and found that I can turn off HW offload, and I got it working that way, but the problem is that when I turn HW offload off all other APs in the office stop working, no internet connection on any wifi. Can someone help please?

Why do you need the layer 7 filtering?
What are you trying to block?

I need layer7 filtering because most of the people in the office are not doing what they are supposed to do and instead they are on social media, YouTube, portals and so on, and I want to block them. I’m trying to block Facebook, YouTube, Twitter and so on, and as I said everything is working fine when I use the hAP lite in WISP AP router mode and everything goes to the 192.168.88.x pool, but I need them in the 192.168.1.x pool and that’s why I set the WISP AP to bridge mode. When in bridge mode layer7 stops working until I turn off HW offload, but then shit starts happening: layer7 is working but all the rest of the APs (which are connected directly to the ISP router, not to the hAP) stop working. LAN is working fine but WiFi is not working at all; it takes a long time to connect to wifi and when it connects you get the message “no internet connection”. I tried it at multiple locations with different setups and the same thing happens. The hAP lite is reset, and after that quick setup is done for WISP AP and layer7 is added, the filter is added and IP firewall is turned on in the bridge.

p.s. I forgot to mention that when HW offload is turned off and blocking starts working, I can’t open some sites and servers which are not included in layer7; FTP for those servers also can’t connect.

If the wifi and LAN parts of the hAP lite are in the same IP subnet, and you want to use IP firewall (for L7 filtering), then you absolutely must turn off HW offload … otherwise traffic doesn’t get pushed through the CPU and thus avoids the firewall rules.

It is expected that performance drops when HW offload is disabled. However, it is not expected that things start to misbehave, which means that there is something misconfigured. I suggest you post the output of /export hide-sensitive (inside [code] [/code] tags for better readability) and we might notice something odd …

[admin@MikroTik] > export hide-sensitive 
# nov/19/2019 13:21:07 by RouterOS 6.45.7
# software id = TA6E-94EV
#
# model = RouterBOARD 941-2nD
# serial number = 8CE5088E9334
/interface bridge
add admin-mac=CC:2D:E0:93:41:4B auto-mac=no comment=defconf name=bridge
add comment="new bridge1" name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-93414F wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=deny regexp="^.+(facebook.com|facebook.net|fbcdn.com|fbsbx.com|fbcdn.net|fb.com|tfbnw.net|youtube.com|net.hr|konzum.hr|jutarnji.hr|vecernji.hr|index.hr|ekupi.hr|tportal.hr|24sata.hr|zaba.hr).*\$"
/ip pool
add name=dhcp ranges=0.0.0.1-0.0.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge comment=defconf hw=no interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether2 network=192.168.88.0
add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether2 network=192.168.88.0
add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=reject chain=forward layer7-protocol=deny protocol=tcp reject-with=tcp-reset
add action=reject chain=forward layer7-protocol=deny protocol=tcp reject-with=tcp-reset
add action=reject chain=forward layer7-protocol=deny protocol=tcp reject-with=tcp-reset
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

bridge:
eth1 is WAN
eth3 is the port which I want to be filtered
wlan1 for wifi

HW offload is turned off only for eth3

When I turned off HW offload I noticed that /ip addresses, /ip firewall filter and /ip firewall nat have tripled entries now.

I noticed that when I turned off HW offload on eth3 (

Have a look here wrt L7 config: https://www.youtube.com/watch?v=RtFZKvLKgD0
(+ changes as suggested by mkx)

There are a few things weird:

  • tripling of the configuration items you noticed should not be the result of disabling HW offload; they might have been there but hidden before. Try to manually remove the surplus occurrences.
  • IP address 192.168.88.1/24 should be bound to bridge1, not to its member interface
  • not that it matters, but you should adjust interface membership in the appropriate interface list

BTW, what’s the point of having two bridges, are you using the poor hAP as “two ethernet switches in one”?

I’m not sure what you mean by “but all the rest of APs (which are connected directly to ISP router, not to hap) stops working, LAN is working fine but WiFi is not working at all” … clients of those APs can’t use internet (does that data flow through hAP at all?) or clients of those APs can’t communicate with clients of hAP or ???

I will reset the hAP lite and do it all over again. Why should the 88 pool be bound to the bridge if the 88 pool does not exist because it’s in bridge mode? About the APs: I have 3 APs in the office which are connected directly to the ISP router and have no connection with the hAP lite (3 APs and 1 hAP are connected by cable to the ISP router and all other LAN is coming from the hAP lite), but when I turn off HW offload on the bridge all 3 APs stop working normally and you can’t connect to their wifi. That’s what bothers me, because they have no connection to the hAP, and when I turn HW offload on the hAP back on they start working normally.

p.s. should I turn off HW offload on the bridge or just on the ports which I want to filter?

I didn’t write about the DHCP pool, I was writing about

add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether2 network=192.168.88.0

ether2 is a member of the bridge, and in such a case L3 settings (including IP address and everything else) should be bound to the bridge, not to ether2.

Basic truth: hAP lite can’t break connections which don’t pass through it. Unless it was doing some nasty L2 stuff, such as arp-proxy or some such, but I didn’t see anything like that in the config posted. So if disabling HW offload breaks other APs, then there is something that links the other APs with hAP lite, or with something beyond hAP lite. And this needs some investigation to determine why hAP lite affects other APs.


It is enough to turn off HW offload on the port (or multiple ports) which carries data which you want to inspect using bridge/firewall filters …
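To make concrete what the L7 matcher actually sees once a port’s traffic is forced through the CPU (hw=no on the port plus use-ip-firewall=yes on the bridge), here is an added Python emulation, not RouterOS code and not from anyone in this thread, of the posted deny regexp run over constructed HTTP and TLS flows. It assumes the matcher inspects only the first 2 KB of a connection, case-insensitively, with "." matching any byte; the unescaped dots and missing word boundaries in the posted pattern are what make it match more than the listed sites.

```python
import re

# Blocked-site list from the /ip firewall layer7-protocol entry posted in this
# thread; joining it with "|" reproduces the posted regexp exactly (the export
# shows "\$" only because RouterOS escapes "$" inside quoted strings).
DOMAINS = ["facebook.com", "facebook.net", "fbcdn.com", "fbsbx.com", "fbcdn.net",
           "fb.com", "tfbnw.net", "youtube.com", "net.hr", "konzum.hr",
           "jutarnji.hr", "vecernji.hr", "index.hr", "ekupi.hr", "tportal.hr",
           "24sata.hr", "zaba.hr"]
L7_AS_POSTED = r"^.+(" + "|".join(DOMAINS) + r").*$"                # "." unescaped
L7_STRICT = r"^.+(" + "|".join(map(re.escape, DOMAINS)) + r").*$"  # literal dots

# Assumed matcher behaviour (not verified against RouterOS internals): only the
# first ~2 KB of a connection is examined, case-insensitively, "." = any byte.
L7_WINDOW = 2048


def l7_matches(stream: bytes, regexp: str = L7_AS_POSTED) -> bool:
    """Emulate the L7 check: run the regexp over the start of one flow."""
    head = stream[:L7_WINDOW].decode("latin-1")
    return re.search(regexp, head, re.IGNORECASE | re.DOTALL) is not None


def http_get(host: str) -> bytes:
    """Constructed plaintext HTTP request; the Host header is what L7 sees."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def tls_client_hello(sni: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension: the
    server name travels in clear text, so the L7 regexp can match HTTPS too."""
    name = sni.encode()
    sni_ext = (b"\x00\x00" + (len(name) + 5).to_bytes(2, "big")
               + (len(name) + 3).to_bytes(2, "big") + b"\x00"
               + len(name).to_bytes(2, "big") + name)
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"         # one cipher suite, null compression
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for label, flow in [("HTTP www.youtube.com", http_get("www.youtube.com")),
                        ("TLS  www.facebook.com", tls_client_hello("www.facebook.com")),
                        ("HTTP intranet.hr", http_get("intranet.hr")),
                        ("HTTP fbxcom.example", http_get("fbxcom.example"))]:
        print(f"{label:24} posted={l7_matches(flow)!s:5} strict={l7_matches(flow, L7_STRICT)}")
```

Note that even the escaped form still blocks intranet.hr, because "net.hr" is matched as a substring; anchoring each name (for example with a preceding dot or space) is what would narrow it further.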

I reset the hAP lite, put it in WISP AP mode, changed to bridge mode, added layer7, added the filter rule, turned on IP firewall in the bridge, turned off HW offloading on ether2 and the same thing happens again: LAN working normally, blocking all sites in layer7, but all other APs which have no connection with the hAP lite start to misbehave. This has no logic, how can something that doesn’t have any kind of managing, controlling or even connection fuck up all other APs when I turn off HW offloading?! :S

[admin@MikroTik] > export hide-sensitive 
# nov/20/2019 11:46:25 by RouterOS 6.45.7
# software id = TA6E-94EV
#
# model = RouterBOARD 941-2nD
# serial number = 8CE5088E9334
/interface bridge
add admin-mac=CC:2D:E0:93:41:4B auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-93414F wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=deny regexp="^.+(facebook.com|facebook.net|fbcdn.com|fbsbx.com|fbcdn.net|fb.com|tfbnw.net|youtube.com|net.hr|konzum.hr|jutarnji.hr|vecernji.hr|index.hr|ekupi.hr|tportal.hr|24sata.hr|zaba.hr).*\$"
/ip pool
add name=dhcp ranges=0.0.0.1-0.0.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=reject chain=forward layer7-protocol=deny protocol=tcp reject-with=tcp-reset
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

How about this:

  1. reset (or even better: netinstall) hAP lite with no default config, create a bridge and add all ether ports to the bridge
  2. add IP config
  3. switch off HW offload
  4. add wireless interfaces to the bridge and set up wireless (security, …)
  5. enable use of IP firewall in bridge
  6. add L7 filter rule

And, most importantly, check your network after every step made. This way you might find out which step actually breaks other APs so badly …

Note that to execute step #1 you’ll have to connect using winbox via MAC.

It wouldn’t be the first time that changing device mode (e.g. from wisp to bridge) would break things even though config seems just fine (it seems that sometimes remains of previous config somehow lurk in the background).

Yesterday I already did what you now said (this was the first time I reset it without default config). When I checked this morning it was working normally, and as far as I can see all other APs are working also, but I still have one problem: when trying to connect to one server with FTP the connection says “initializing TLS… error: could not connect to server”. Of course mails which are on that server are not working either. When I turn on HW offload this is working, and when I turn it off again it is not working.

[admin@MikroTik] > export hide-sensitive 
# nov/21/2019 08:00:48 by RouterOS 6.45.7
# software id = TA6E-94EV
#
# model = RouterBOARD 941-2nD
# serial number = 8CE5088E9334
/interface bridge
add fast-forward=no name=bridge1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=asdf1234 supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge security-profile=asdf1234 ssid=MikroTik
/ip firewall layer7-protocol
add name=deny regexp="^.+(facebook.com|facebook.net|fbcdn.com|fbsbx.com|fbcdn.net|fb.com|tfbnw.net|youtube.com|net.hr|konzum.hr|jutarnji.hr|vecernji.hr|index.hr|ekupi.hr|tportal.hr|24sata.hr|zaba.hr).*\$"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1
/interface bridge settings
set use-ip-firewall=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1
/ip firewall filter
add action=drop chain=forward layer7-protocol=deny protocol=tcp
/system clock
set time-zone-name=Europe/Zagreb