how to add virtual wifi?

Hi. I tried to add a virtual wifi interface for IoT devices. Unfortunately, I was unable to connect to the internet. Could someone help me? What should the configuration look like? Thanks.

# 2024-11-19 17:30:47 by RouterOS 7.16
# software id = 4NGD-NHR9
#
# model = RBD53iG-5HacD2HnD
# serial number = xxxxxxxxx
# Main LAN bridge with a fixed admin MAC (redacted in this post).
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
# WireGuard interface listening on UDP 13231. The private-key value is
# redacted in this post; when the real value is present in an export, the
# file has to be handled as a secret.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key=\
    "xxxxx="
# Interface lists referenced later by NAT (WAN), neighbor discovery (LAN)
# and the MAC server (LAN).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Two security profiles, sec1 and sec2: both WPA2-PSK only (no WPA3), with
# WPS and PMKID disabled. Passphrases are redacted. There is no separate
# profile for an IoT SSID in this export.
/interface wifi security
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 group-encryption=ccmp group-key-update=5m \
    name=sec1 passphrase=xxxxxxxx wps=disable
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 group-encryption=ccmp group-key-update=5m \
    name=sec2 passphrase=xxxxxxxx wps=disable
# Only the two physical radios are configured: wifi1 (2.4 GHz, SSID MT24)
# and wifi2 (5 GHz, SSID MT50). No virtual interface (an entry added with
# master-interface=...) appears in this export, so the IoT SSID the post
# asks about is not part of what is shown.
/interface wifi
# NOTE(review): security.* values are set inline in addition to
# security=sec1; presumably the inline values (ccmp only,
# group-key-update=1h) win over the profile's values - confirm.
set [ find default-name=wifi1 ] channel.band=2ghz-n .frequency=2427-2447 \
    .skip-dfs-channels=disabled .width=20/40mhz configuration.country=\
    "United States" .mode=ap .ssid=MT24 disabled=no security=sec1 \
    security.authentication-types=wpa2-psk .connect-group=Grupe2 \
    .connect-priority=0/1 .disable-pmkid=yes .encryption=ccmp \
    .group-key-update=1h
# Same pattern for the 5 GHz radio: profile sec2 plus inline security.*
# overrides. Unlike wifi1, .disable-pmkid is not repeated inline here.
set [ find default-name=wifi2 ] channel.band=5ghz-ac .frequency=5180-5320 \
    .secondary-frequency=disabled .skip-dfs-channels=all .width=20/40/80mhz \
    configuration.country="United States" .mode=ap .ssid=MT50 disabled=no \
    security=sec2 security.authentication-types=wpa2-psk .connect-group=\
    Grupe5 .connect-priority=0/1 .encryption=ccmp .group-encryption=ccmp \
    .group-key-update=1h
# Single address pool for the LAN.
/ip pool
add name=default-dhcp ranges=192.168.88.25-192.168.88.254
# The only DHCP server is bound to `bridge`. An interface that is not a
# port of that bridge has no DHCP server in this export.
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=5m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
# Bridge members: ether2-ether5 plus both radios. No VLAN settings are shown
# on the bridge or its ports, so every member appears to share one layer-2
# segment; a wifi interface added here would sit on the same segment as the
# wired LAN hosts.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
/ip firewall connection tracking
set udp-timeout=10s
# Neighbor discovery is limited to the LAN list (bridge only, see below).
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
# LAN = bridge, WAN = ether1. wireguard1 is in neither list, and any new
# interface that is not a bridge port would also be in neither.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): the OpenVPN server's auth list is limited to SHA1 and MD5,
# both legacy algorithms. The export does not show whether the server is
# enabled, and no filter rule for an OpenVPN port appears in this export.
/interface ovpn-server server
set auth=sha1,md5
# Two WireGuard peers, each restricted to a single /32 tunnel address.
# Public keys and comments are redacted in this post.
/interface wireguard peers
add allowed-address=192.168.77.2/32 comment="xxxxx" interface=\
    wireguard1 name=peer1 public-key=\
    "xxxxx="
add allowed-address=192.168.77.3/32 comment="xxxxx" interface=\
    wireguard1 name=peer2 public-key=\
    "xxxxx="
# Router addresses: 192.168.88.1/24 on the LAN bridge and 192.168.77.1/24 on
# the WireGuard tunnel. No address exists for any other segment.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.77.1/24 interface=wireguard1 network=192.168.77.0
# WAN address is obtained by DHCP on ether1.
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# The router answers DNS for clients (allow-remote-requests=yes). The filter
# rules accept port 53 on input from every interface except ether1, so the
# resolver stays closed to the internet only as long as ether1 is the sole
# upstream interface.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
# Filter rules are evaluated top to bottom per chain; order matters.
# Rules in chains named comment-* use action=passthrough and nothing in this
# export jumps to those chains, so they only act as visual section headers.
/ip firewall filter
add action=passthrough chain=comment-test comment=\
    "-- SECTION -- test and info rules"
add action=passthrough chain=comment-established comment=\
    "-- SECTION -- established rules"
# The next six rules carry no action= value; RouterOS treats that as accept.
# Established and related traffic is accepted on forward, input and output.
add chain=forward comment="allow established forward" connection-state=\
    established
# "povol" is Czech for "allow".
add chain=forward comment="povol related forward" connection-state=related
# The comment text says "forward", but this rule is in the input chain.
add chain=input comment="Allow esatblished connections forward" \
    connection-state=established
add chain=input comment="Allow related connections input" connection-state=\
    related
add chain=output comment="Allow esatblished connections output" \
    connection-state=established
add chain=output comment="Allow related connections output" connection-state=\
    related
add action=passthrough chain=comment-drop comment="-- SECTION -- drop rules"
# Invalid-state packets are logged and dropped on input and output. The
# forward chain has no matching rule, so invalid packets from the bridge to
# ether1 can still match the general LAN accept further down.
add action=log chain=input comment="Drop invalid connections" \
    connection-state=invalid log-prefix=drop_invalid
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=log chain=output comment="Drop invalid connections" \
    connection-state=invalid log-prefix=drop_invalid
add action=drop chain=output comment="Drop invalid connections" \
    connection-state=invalid
# Forwarded traffic from sources on the all_banned address list is logged
# and dropped. Nothing in this export adds entries to that list.
add action=log chain=forward comment="drop all BANNED IPs" log-prefix=\
    drop_banned src-address-list=all_banned
add action=drop chain=forward comment="drop all BANNED IPs" src-address-list=\
    all_banned
# Broadcast and multicast addressed to the router are dropped on input; the
# log rule for 255.255.255.255 is disabled.
add action=log chain=input comment="Block broadcasts packets" disabled=yes \
    dst-address=255.255.255.255 log-prefix=255
add action=drop chain=input comment="Block broadcasts packets" dst-address=\
    255.255.255.255
add action=drop chain=input comment="Block broadcasts packets" \
    dst-address-type=broadcast,multicast
add action=passthrough chain=comment-VOIP comment="-- SECTION -- VOIP rules"
add action=passthrough chain=comment-DDOS comment=\
    "-- SECTION -- block ddos rules"
# SSH brute-force throttle. Sources already on ssh_blacklist are logged and
# dropped first. The four add-src-to-address-list rules below are ordered
# highest stage first, so each new TCP/22 connection moves a source up one
# stage: stage1 (5m) -> stage2 (10m) -> stage3 (20m) -> ssh_blacklist (1w3d).
# These rules have no in-interface match, so they count connections from
# every interface, LAN included.
add action=log chain=input comment="drop ssh brute forcers for 10days" \
    dst-port=22 log-prefix=drop-ssh-brute protocol=tcp src-address-list=\
    ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers for 10days" \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=20m chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=10m chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp
# UDP rate-limit chain (block-ddos) and every jump into it are disabled, so
# none of the six rules below has any effect at present.
add action=jump chain=forward comment=Jump_to_block-ddos disabled=yes \
    dst-port=!53,514 jump-target=block-ddos protocol=udp
add action=jump chain=input comment=Jump_to_block-ddos disabled=yes dst-port=\
    !53,514 jump-target=block-ddos protocol=udp
add action=return chain=block-ddos disabled=yes limit=16,32:packet
add action=log chain=block-ddos disabled=yes log-prefix=DDOS_ATTACK:
add action=drop chain=block-ddos disabled=yes limit=16,32:packet
add action=jump chain=input comment=Jump_to_block-ddos disabled=yes dst-port=\
    !53 jump-target=block-ddos protocol=udp
add action=passthrough chain=comment-important-basic comment=\
    "-- SECTION -- important and basic rules"
# Management access: WinBox (8291) and SSH (22) are accepted from every
# interface except ether1. That is a negative match, so it also covers
# wireguard1 and any interface added later, such as an IoT wifi.
# NOTE(review): matching in-interface-list=LAN instead would keep management
# limited to the interfaces that are explicitly trusted.
add action=accept chain=input dst-port=8291,22 in-interface=!ether1 protocol=\
    tcp
# Router-originated traffic is default-deny: apart from established/related
# replies, only DNS, NTP and ICMP are accepted on output before the final
# OUTPUT drop.
add chain=output comment="allow router DNS queries" dst-port=53 protocol=tcp
add chain=output comment="allow router DNS queries" dst-port=53 protocol=udp
# DNS to the router itself (input) and through the router (forward) is
# accepted from every interface except ether1, again by negative match.
add action=accept chain=input comment="allow router DNS queries" dst-port=53 \
    in-interface=!ether1 protocol=udp
add action=accept chain=input comment="allow router DNS queries" dst-port=53 \
    in-interface=!ether1 protocol=tcp
add action=accept chain=forward comment="allow router DNS queries" dst-port=\
    53 in-interface=!ether1 protocol=udp
add action=accept chain=forward comment="allow router DNS queries" dst-port=\
    53 in-interface=!ether1 protocol=tcp
add chain=output comment="allow router NTP queries" dst-port=123 protocol=udp
add action=accept chain=forward comment="allow router NTP queries" dst-port=\
    123 in-interface=!ether1 protocol=udp
# "allow ping z routeru" = allow ping from the router (Czech).
add chain=output comment="allow ping z routeru" protocol=icmp
# "povol PING forward/input" = allow ping. Forwarded ICMP from non-ether1
# interfaces has no out-interface match, so it is also allowed between
# internal segments. ICMP to the router is rate-limited (limit=10,50:packet).
add action=accept chain=forward comment="povol PING forward" in-interface=\
    !ether1 protocol=icmp
add action=accept chain=input comment="povol PING input" in-interface=!ether1 \
    limit=10,50:packet protocol=icmp
add action=passthrough chain=comment-VPNs comment="-- SECTION -- VPNs rules"
# WireGuard handshake/data port, accepted on every interface.
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
# Everything sourced from 192.168.77.0/24 is accepted to the router and
# through it. The match is on source address only, not on the interface.
# NOTE(review): adding in-interface=wireguard1 would tie these two rules to
# traffic that actually arrived through the tunnel.
add action=accept chain=input comment=wireguard src-address=192.168.77.0/24
add action=accept chain=forward comment=wireguard src-address=192.168.77.0/24
# PPTP, IPsec and L2TP accept rules are all disabled.
add action=accept chain=input comment="allow input PPTP" disabled=yes \
    dst-port=1723 protocol=tcp src-port=1024-65535
add action=accept chain=input comment="allow input IPSEC" disabled=yes \
    dst-port=500 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input IPSEC" disabled=yes \
    dst-port=4500 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input L2TP" disabled=yes \
    dst-port=1701 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input PPTP" disabled=yes \
    protocol=gre
add action=accept chain=input comment="allow input IPSEC-esp" disabled=yes \
    protocol=ipsec-esp
add action=passthrough chain=comment-PUBLIC-DMZ comment=\
    "-- SECTION -- public DMZ, webserver etc rules"
add action=passthrough chain=comment-INET-access comment=\
    "-- SECTION -- Internet access RULES"
# "povolene vse z LAN" = everything allowed from LAN (Czech). This is the
# only enabled general internet-access rule, and it matches in-interface=
# bridge exactly. Traffic from an interface that is not a bridge port does
# not match it; apart from the DNS, NTP and ICMP accepts above, such traffic
# reaches the final FORWARD drop.
add action=accept chain=forward comment="povolene vse z LAN" in-interface=\
    bridge out-interface=ether1
# "povolene sluzby obecne TCP/UDP z LAN" = generally allowed TCP/UDP
# services from LAN (Czech). Both rules are disabled.
add chain=forward comment="povolene sluzby obecne TCP z LAN" disabled=yes \
    out-interface=ether1 protocol=tcp
add chain=forward comment="povolene sluzby obecne UDP z LAN" disabled=yes \
    out-interface=ether1 protocol=udp src-address-list=!servers_RANGE_vlan
add action=passthrough chain=comment-OTHER comment=\
    "-- SECTION -- other rules"
add action=passthrough chain=comment-DROP-FINAL comment=\
    "-- SECTION -- FINAL DROPs"
# Default-deny tail: whatever was not accepted above is logged and dropped
# on all three chains. The DROP_forward / DROP_input / DROP_output log
# prefixes show which chain dropped a packet, which is the quickest way to
# see why a newly added interface has no connectivity.
add action=log chain=forward comment="Drop everything all FORWARD" \
    log-prefix=DROP_forward
add action=drop chain=forward comment="Drop everything all FORWARD"
add action=log chain=input comment="Drop everything all INPUT" log-prefix=\
    DROP_input
add action=drop chain=input comment="Drop everything all INPUT"
add action=log chain=output comment="Drop everything all OUTPUT" log-prefix=\
    DROP_output
add action=drop chain=output comment="Drop everything all OUTPUT"
# Source NAT for everything leaving through the WAN list (ether1).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Telnet, FTP, API and API-SSL are disabled and www-ssl is enabled. www, ssh
# and winbox are not listed here, so their state cannot be read from this
# export. No service has an address= restriction; exposure is limited only
# by the filter rules (22 and 8291 from non-ether1 interfaces, and all input
# from 192.168.77.0/24).
# NOTE(review): no certificate= is shown for www-ssl - confirm one is set.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
# UPnP has the bridge registered as an internal interface. No external
# interface and no global enabled= setting are shown, so whether UPnP is
# active cannot be told from here. If it is, every host on the bridge could
# request port mappings.
/ip upnp interfaces
add interface=bridge type=internal
/system clock
set time-zone-name=Europe/Prague
# Firewall topic logging; it receives the output of the action=log rules.
/system logging
add topics=firewall
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.cz.pool.ntp.org
add address=1.cz.pool.ntp.org
# MAC telnet and MAC WinBox are limited to the LAN list, i.e. the bridge.
# Any wifi interface attached to the bridge is inside that scope.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

And where is the virtual wifi in that config ??

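If you add it again, don’t forget to attach it to the bridge: in this config the DHCP server and the forward rule that allows internet access both apply to the bridge only. Keep in mind that an IoT SSID attached to the same bridge shares the LAN segment with everything else on it.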

I’ve already solved it.

And the solution is ?
Might help others having the same issue as you…

Unless solving really means overcome brain fart…