Hi All,
I need some help sorting of what I think should be a simple problem. As part of a larger configuration, I need to create a VLAN for untrusted devices that can access the Internet, but nothing else. So far I have set up a VLAN with ID 300 on my CRS-125 with a static IP for the CRS (192.168.2.1) and DHCP server (192.168.2.2-192.168.2.254) on this VLAN. Devices on this VLAN can receive an IP address from the CRS but they cannot access the Internet nor ping the CRS itself. I’ve spend many hours trying to figure out why DHCP works, but ping does not. Any help would be greatly appreciated!! I’ve included my config below. My test machine is connected to ether8 over another switch using tagged VLAN 300 and receives the IP 192.168.2.253 from the CRS using DHCP.
jul/20/2020 14:52:57 by RouterOS 6.46.4
software id = 6H4L-8PM5
model = CRS125-24G-1S-2HnD
serial number = SERIAL
/caps-man channel
add band=5ghz-onlyac extension-channel=XXXX name=channel1
add band=2ghz-onlyn extension-channel=disabled name=channel2
/interface wireless
managed by CAPsMAN
channel: 2412/20/gn(30dBm), SSID: WIFINAME, local forwarding
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-onlyn country=canada disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower l2mtu=1588 mode=ap-bridge ssid=WIFINAME wireless-protocol=802.11
/interface bridge
add admin-mac=E4:8D:8C:58:16:B2 auto-mac=no igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
set [ find default-name=ether14 ] speed=100Mbps
set [ find default-name=ether15 ] speed=100Mbps
set [ find default-name=ether16 ] speed=100Mbps
set [ find default-name=ether17 ] speed=100Mbps
set [ find default-name=ether18 ] speed=100Mbps
set [ find default-name=ether19 ] speed=100Mbps
set [ find default-name=ether20 ] speed=100Mbps
set [ find default-name=ether21 ] speed=100Mbps
set [ find default-name=ether22 ] speed=100Mbps
set [ find default-name=ether23 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes mtu=1520
/interface vlan
add interface=bridge name=vlan300 vlan-id=300
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security1
/caps-man configuration
add channel=channel1 country=“united states3” datapath=datapath1 datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes distance=indoors mode=ap name=“5G config” security=security1 ssid=WIFINAME
add channel=channel2 country=“united states3” datapath=datapath1 datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes distance=indoors name=“2.4G config” security=security1 ssid=WIFINAME
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool4 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool4 authoritative=after-2sec-delay disabled=no interface=vlan300 lease-time=1w name=dhcp-vlan300
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=require-same-version
/caps-man provisioning
add action=create-dynamic-enabled comment=“802.11ac capable radios” hw-supported-modes=ac master-configuration=“5G config”
add action=create-dynamic-enabled comment=“802.11g/n capable radios” hw-supported-modes=gn master-configuration=“2.4G config”
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
set rp-filter=strict
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether8 vlan-id=200
add tagged-ports=ether8,switch1-cpu vlan-id=300
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=200 ports=ether22
add customer-vid=0 disabled=yes new-customer-vid=300 ports=ether24
/interface ethernet switch port
set 25 isolation-leakage-profile-override=0
/interface ethernet switch vlan
add ports=ether8,ether22 vlan-id=200
add ports=ether8,switch1-cpu vlan-id=300
/interface list member
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=ether11 list=discover
add interface=ether12 list=discover
add interface=ether13 list=discover
add interface=ether14 list=discover
add interface=ether15 list=discover
add interface=ether16 list=discover
add interface=ether17 list=discover
add interface=ether18 list=discover
add interface=ether19 list=discover
add interface=ether20 list=discover
add interface=ether21 list=discover
add interface=ether22 list=discover
add interface=ether23 list=discover
add interface=ether24 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add list=discover
add list=discover
add list=discover
add list=discover
/interface wireless cap
set bridge=bridge caps-man-certificate-common-names=CAPsMAN-E48D8C5816B1 certificate=request discovery-interfaces=bridge enabled=yes interfaces=wlan1 lock-to-caps-man=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.2.1 interface=vlan300 network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=bridge
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
/ip firewall filter
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes to-addresses=192.168.1.1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet address=192.168.1.0/24,2001:470:1d:615::/64 disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24
set www-ssl address=192.168.1.0/24 certificate=server.crt_0 disabled=no
set api disabled=yes
set winbox address=192.168.1.0/24,2001:470:1d:615::/64 disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add type=external
/ipv6 firewall filter
add action=reject chain=forward comment=“Do not forward packets to CIFS shares on local network” disabled=yes dst-address=2001:470:1d:615::/64 dst-port=445 protocol=tcp reject-with=icmp-admin-prohibited
add action=reject chain=forward comment=“Drop all packets to NAS (device has no IPv6 security settings)” disabled=yes dst-address=2001:470:1d:615:56b8:aff:fe00:3ff8/128 reject-with=icmp-address-unreachable
add action=reject chain=input comment=“Drop DNS queries not from LAN (TCP)” disabled=yes dst-port=53 protocol=tcp reject-with=icmp-admin-prohibited src-address=!2001:470:1d:615::/64
add action=reject chain=input comment=“Drop DNS queries not from LAN (UDP)” disabled=yes dst-port=53 protocol=udp reject-with=icmp-admin-prohibited src-address=!2001:470:1d:615::/64
/ipv6 firewall raw
add action=notrack chain=prerouting comment=“Disable connection tracking (for performance)”
add action=notrack chain=output
/lcd pin
set pin-number=XXXX
/system clock
set time-zone-name=America/Toronto
/system identity
set name=“XXXX”
/system ntp client
set enabled=yes server-dns-names=0.ca.pool.ntp.org,1.ca.pool.ntp.org,2.ca.pool.ntp.org,3.ca.pool.ntp.org
/tool bandwidth-server
set authenticate=no enabled=no
/tool e-mail
set address=192.168.1.12 from=“Mikrotik RouterOS root@routeros” start-tls=yes
/tool graphing
set store-every=hour
/tool graphing interface
add interface=ether24
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no