Hotspot on VLAN Network with 3rd Party AP

Good day everyone

I’m busy with a setup of 18 Access Points where we need to limit users’ access to the wireless networks through a username and password. I’ll jot down the main config below:
Ether2 → PPPoE for internet access
Ether3 → Switch connecting the office LAN connections (PC’s, printers in the office, etc)
Ether4 → Switch connecting Access Points and multiple other switches to provide uplink for Access Points.

On the Access Point Controller we specify the network to use VLAN ID: 30
We can connect successfully to the network but we cannot get an IP address from the DHCP Server. I have tried adding a static IP but also cannot ping 192.168.30.1.

I have exported most config below.

# Interface layout: two bridges, the renamed LAN and AP-uplink ports, the
# PPPoE WAN client and the VLAN 30 interface used for the hotspot subnet.
/interface bridge
add name="bridge15 - LAN"
add name=bridge16-Wifi_LAN
/interface ethernet
set [ find default-name=ether3 ] name=ether3-LAN15
set [ find default-name=ether4 ] name=ether4-LAN16
/interface pppoe-client
# The internet uplink is the logical interface pppoe-out1 (carried over
# ether2). Firewall and NAT rules meant for the WAN have to match
# pppoe-out1 rather than a physical port name.
add add-default-route=yes disabled=no interface=ether2 name=pppoe-out1 password=xxxxxx \
    use-peer-dns=yes user=xxxxxx
/interface vlan
# vlan30 sits on top of bridge16-Wifi_LAN, so the router only sees hotspot
# clients whose frames reach ether4-LAN16 tagged with VLAN ID 30.
# NOTE(review): whether the switches between the router and the APs carry
# VLAN 30 tagged is not visible in this export - verify on each switch.
add interface=bridge16-Wifi_LAN name=vlan30 vlan-id=30

# Addressing: one pool, DHCP server, gateway address and DHCP network per
# subnet (office LAN .15, staff Wi-Fi .16, hotspot VLAN .30).
/ip pool
add name=dhcp_pool-LAN ranges=192.168.15.20-192.168.15.200
add name=dhcp_pool-WIFI ranges=192.168.16.30-192.168.16.210
add name=dhcp_pool-Hotspot ranges=192.168.30.20-192.168.30.50
/ip dhcp-server
add address-pool=dhcp_pool-LAN disabled=no interface="bridge15 - LAN" lease-time=8h name=dhcp1
add address-pool=dhcp_pool-WIFI disabled=no interface=bridge16-Wifi_LAN lease-time=4h name=dhcp2
add address-pool=dhcp_pool-Hotspot disabled=no interface=vlan30 name=dhcp3
/interface bridge port
add bridge="bridge15 - LAN" interface=ether3-LAN15
add bridge=bridge16-Wifi_LAN interface=ether4-LAN16
/ip address
# NOTE(review): 192.168.15.1/24 is bound to ether3-LAN15, which is a member
# port of "bridge15 - LAN", while dhcp1 listens on the bridge itself. The
# address normally belongs on the bridge, not on a member port - confirm.
add address=192.168.15.1/24 comment=Sontus-LAN interface=ether3-LAN15 network=192.168.15.0
add address=192.168.16.1/24 comment=SonitusPersoneel-Wifi interface=bridge16-Wifi_LAN network=\
    192.168.16.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
/ip dhcp-server network
add address=192.168.15.0/24 comment=Sonitus-LAN dns-server=192.168.15.1 gateway=192.168.15.1
add address=192.168.16.0/24 dns-server=192.168.16.1 gateway=192.168.16.1
# NOTE(review): unlike the two networks above, no dns-server is set for the
# hotspot subnet - confirm which resolver hotspot clients are meant to use.
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries itself.
# Which networks can reach that resolver is decided only by the input
# chain below.
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall filter
# Input chain = traffic addressed to the router. Rules are evaluated top to
# bottom, so the order of the entries below is significant.
add action=accept chain=input comment="Accept established connections" connection-state=\
    established
add action=accept chain=input comment="Accept related connections" connection-state=related
# NOTE(review): both rejects match in-interface=ether1, but the WAN in this
# export is pppoe-out1 on ether2, so they do not match internet traffic.
add action=reject chain=input connection-state=new in-interface=ether1 port=53 protocol=udp \
    reject-with=icmp-network-unreachable
add action=reject chain=input connection-state=new in-interface=ether1 port=53 protocol=tcp \
    reject-with=icmp-network-unreachable
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
# NOTE(review): accepts every UDP packet sent to the router from any
# interface, WAN included. With allow-remote-requests=yes this leaves the
# DNS resolver answering internet hosts (open resolver). Scope it with
# in-interface or src-address to the internal networks.
add action=accept chain=input comment=UDP protocol=udp
add action=accept chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
# NOTE(review): the final drop is disabled=yes, so the "DROP INPUT" log
# prefix is misleading: whatever was not dropped above (for example new TCP
# connections from the WAN) is accepted and reaches the router's services.
add action=drop chain=input comment="Drop everything else" disabled=yes
# NOTE(review): same ether1 mismatch as the rejects above; the UDP variant
# is additionally shadowed by the blanket UDP accept earlier in the chain.
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
# Forward chain: only traffic between the two bridges is blocked.
# NOTE(review): no rule matches vlan30, so hotspot clients on
# 192.168.30.0/24 are routed to the office LAN and staff Wi-Fi subnets.
# A guest network normally needs explicit drops towards internal subnets.
add action=drop chain=forward comment="Block Cross Interface 15 to 16" in-interface=\
    "bridge15 - LAN" out-interface=bridge16-Wifi_LAN
add action=drop chain=forward comment="Block Cross Interface 16 to 15" in-interface=\
    bridge16-Wifi_LAN out-interface="bridge15 - LAN"
/ip firewall nat
# NOTE(review): no out-interface, so traffic routed between the internal
# subnets is source-NATed as well; usually limited to out-interface=pppoe-out1.
add action=masquerade chain=srcnat

Anyone have any idea how I can troubleshoot this?

Would need to see the complete config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

Hi Anav

We experienced a power outage but I managed to get the file out. Please see below:

# may/15/2025 14:08:40 by RouterOS 6.49.17
# software id = X4F7-LWBJ
#
# model = RB760iGS
# Interface layout: two bridges, the renamed LAN and AP-uplink ports, the
# PPPoE WAN client and the VLAN 30 interface used for the hotspot subnet.
/interface bridge
add name="bridge15 - LAN"
add name=bridge16-Wifi_LAN
/interface ethernet
set [ find default-name=ether3 ] name=ether3-LAN15
set [ find default-name=ether4 ] name=ether4-LAN16
/interface pppoe-client
# The internet uplink is the logical interface pppoe-out1 (carried over
# ether2). Firewall and NAT rules meant for the WAN have to match
# pppoe-out1 rather than a physical port name.
add add-default-route=yes disabled=no interface=ether2 name=pppoe-out1 \
    password=xxxxx use-peer-dns=yes user=xxxxx
/interface vlan
# vlan30 sits on top of bridge16-Wifi_LAN, so the router only sees hotspot
# clients whose frames reach ether4-LAN16 tagged with VLAN ID 30.
# NOTE(review): whether the switches between the router and the APs carry
# VLAN 30 tagged is not visible in this export - verify on each switch.
add interface=bridge16-Wifi_LAN name=vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools and DHCP servers, one per subnet (office LAN .15, staff
# Wi-Fi .16, hotspot VLAN .30), followed by the bridge port membership.
/ip pool
add name=dhcp_pool-LAN ranges=192.168.15.20-192.168.15.200
add name=dhcp_pool-WIFI ranges=192.168.16.30-192.168.16.210
add name=dhcp_pool4 ranges=192.168.30.20-192.168.30.50
/ip dhcp-server
add address-pool=dhcp_pool-LAN disabled=no interface="bridge15 - LAN" \
    lease-time=8h name=dhcp1
add address-pool=dhcp_pool-WIFI disabled=no interface=bridge16-Wifi_LAN \
    lease-time=4h name=dhcp2
add address-pool=dhcp_pool4 disabled=no interface=vlan30 name=dhcp3
/user group
# Policy list of the "full" user group. Which accounts belong to it is not
# part of this export.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge="bridge15 - LAN" interface=ether3-LAN15
add bridge=bridge16-Wifi_LAN interface=ether4-LAN16
/ip neighbor discovery-settings
# NOTE(review): discovery runs on every interface outside the "dynamic"
# list, which presumably includes the WAN side - confirm and narrow it to
# an internal interface list if so.
set discover-interface-list=!dynamic
/interface pptp-server server
# NOTE(review): PPTP is a legacy VPN whose authentication and encryption
# are considered weak. With the input chain's final drop disabled in this
# export, the PPTP listener (tcp/1723) is not filtered from the WAN.
# Disable it unless it is actually required.
set enabled=yes
/ip address
# NOTE(review): 192.168.15.1/24 is bound to ether3-LAN15, which is a member
# port of "bridge15 - LAN" in this export, while dhcp1 listens on the
# bridge itself. The address normally belongs on the bridge - confirm.
add address=192.168.15.1/24 comment=Sontus-LAN interface=ether3-LAN15 \
    network=192.168.15.0
add address=192.168.16.1/24 comment=SonitusPersoneel-Wifi interface=\
    bridge16-Wifi_LAN network=192.168.16.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
/ip cloud
# Publishes the router's public address under a MikroTik cloud DNS name and
# refreshes it every 3 minutes.
set ddns-enabled=yes ddns-update-interval=3m
/ip dhcp-server lease
# Static lease on the staff Wi-Fi DHCP server (dhcp2).
add address=192.168.16.32 client-id=1:9c:c9:eb:e6:fd:58 mac-address=\
    9C:C9:EB:E6:FD:58 server=dhcp2
/ip dhcp-server network
add address=192.168.15.0/24 comment=Office-LAN dns-server=192.168.15.1 \
    gateway=192.168.15.1
add address=192.168.16.0/24 dns-server=192.168.16.1 gateway=192.168.16.1
# NOTE(review): unlike the two networks above, no dns-server is set for the
# hotspot subnet - confirm which resolver hotspot clients are meant to use.
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries itself.
# Which networks can reach that resolver is decided only by the input
# chain below.
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall filter
# Input chain = traffic addressed to the router. Rules are evaluated top to
# bottom, so the order of the entries below is significant.
# NOTE(review): accepts WinBox (tcp/8291) from any source address and any
# interface, so router management is reachable from the internet. Restrict
# it with src-address / in-interface (and the address= setting of the
# winbox entry under /ip service) to the management network.
add action=accept chain=input comment="Accept remote winb" dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="Accept established connections" \
    connection-state=established
add action=accept chain=input comment="Accept related connections" \
    connection-state=related
# NOTE(review): both rejects match in-interface=ether1, but the WAN in this
# export is pppoe-out1 on ether2, so they do not match internet traffic.
add action=reject chain=input connection-state=new in-interface=ether1 port=\
    53 protocol=udp reject-with=icmp-network-unreachable
add action=reject chain=input connection-state=new in-interface=ether1 port=\
    53 protocol=tcp reject-with=icmp-network-unreachable
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
# NOTE(review): accepts every UDP packet sent to the router from any
# interface, WAN included. With allow-remote-requests=yes this leaves the
# DNS resolver answering internet hosts (open resolver). Scope it with
# in-interface or src-address to the internal networks.
add action=accept chain=input comment=UDP protocol=udp
add action=accept chain=input comment="Allow limited pings" limit=\
    50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=log chain=input comment="Log everything else" log-prefix=\
    "DROP INPUT"
# NOTE(review): the final drop is disabled=yes, so the "DROP INPUT" log
# prefix is misleading: whatever was not dropped above (for example new TCP
# connections from the WAN) is accepted and reaches the router's services.
add action=drop chain=input comment="Drop everything else" disabled=yes
# NOTE(review): same ether1 mismatch as the rejects above; the UDP variant
# is additionally shadowed by the blanket UDP accept earlier in the chain.
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
# Forward chain: only traffic between the two bridges is blocked.
# NOTE(review): no rule matches vlan30, so hotspot clients on
# 192.168.30.0/24 are routed to the office LAN and staff Wi-Fi subnets.
# A guest network normally needs explicit drops towards internal subnets.
add action=drop chain=forward comment="Block Cross Interface 15 to 16" \
    in-interface="bridge15 - LAN" out-interface=bridge16-Wifi_LAN
add action=drop chain=forward comment="Block Cross Interface 16 to 15" \
    in-interface=bridge16-Wifi_LAN out-interface="bridge15 - LAN"
/ip firewall nat
# NOTE(review): no out-interface, so traffic routed between the internal
# subnets is source-NATed as well; usually limited to out-interface=pppoe-out1.
add action=masquerade chain=srcnat
/ip firewall service-port
# All listed connection-tracking helpers are switched off.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
# Management services: everything except WinBox is disabled.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
# NOTE(review): winbox stays enabled on 8291 with no address= restriction
# shown, so source filtering rests entirely on the firewall input chain.
set winbox port=8291
set api-ssl disabled=yes
/ip ssh
# NOTE(review): SSH forwarding is left in "remote" mode although the ssh
# service is disabled above; set it to no unless forwarding is needed.
set forwarding-enabled=remote
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Hotspot-Mikrotik

Do you need the .rsc file as well?

All access points have a static IP on their LAN ports between 192.168.16.11 and 192.168.16.29.

I would start by using vlans for all subnets.
Not clear why you have two bridges either.
Why do you have pptp server enabled, is that required for hotspot??
You seem to have changed firewall rules from default…for what purposes??

I dont see any IP HOTSPOT settings ???