Hi, I’m pretty new to MikroTik configuration. I have a setup with three hAP ax2 devices: one router and two access points. The router provisions the APs with two wireless networks; everything looks fine except that clients that try to connect to the APs do not receive an IP address. I have set a datapath on the router in the wireless configurations, assigning every Wi-Fi interface to a separate VLAN (in my case 60 for LAN and 70 for guest).
I have read the documentation on Wi-Fi in RouterOS v7 but I can’t find what I am doing wrong. All equipment is running RouterOS v7.13.
Please find my config below:
# 2023-12-24 16:30:51 by RouterOS 7.13
# software id = 7Z28-IETK
#
# model = C52iG-5HaxD2HaxD
# serial number = HEP099KCHF8
#
# NOTE(review): this is the router/CAPsMAN side only; the two APs' own bridge
# and VLAN settings are not in the export. As far as I know the v7 wifi
# CAPsMAN has no "CAPsMAN forwarding": client traffic is bridged locally on
# each CAP, so whatever the datapath names in "bridge=" must exist on the CAP
# itself -- confirm what the APs have before changing anything here.
/interface bridge
add comment=WAN name=br_WAN_ISP port-cost-mode=short
add comment=WAN name=br_WAN_LTE port-cost-mode=short
# NOTE(review): br_guest and br_lan set vlan-filtering=yes but the export has
# no /interface bridge vlan section and every member port is a VLAN
# sub-interface, so traffic inside these bridges is untagged (bridge PVID).
# That should still pass, but it is not per-VLAN tagging inside the bridge.
add comment="Guest network" ingress-filtering=no name=br_guest \
port-cost-mode=short vlan-filtering=yes
add comment="LAN network" ingress-filtering=no name=br_lan port-cost-mode=\
short vlan-filtering=yes
add comment=OOB name=br_local port-cost-mode=short
/interface wireguard
# NOTE(review): listen-port=43955 here, but the (disabled) input rule further
# down allows udp/13231 -- the two do not match; the Back-To-Home service
# presumably manages this interface, so check which port is actually in use.
add comment=back-to-home-vpn listen-port=43955 mtu=1420 name=back-to-home-vpn
/interface vlan
# Tagged sub-interfaces per physical port: 50 = WAN over LTE, 60 = LAN,
# 70 = guest. ether3/ether4 expect the APs to send VLAN 60 and 70 tagged.
add interface=ether1 name=ether1_vl_GUEST vlan-id=70
add interface=ether1 name=ether1_vl_LAN vlan-id=60
add interface=ether1 name=ether1_vl_WAN_LTE vlan-id=50
add interface=ether3 name=ether3_vl_GUEST vlan-id=70
add interface=ether3 name=ether3_vl_LAN vlan-id=60
add interface=ether4 name=ether4_vl_GUEST vlan-id=70
add interface=ether4 name=ether4_vl_LAN vlan-id=60
# NOTE(review): vlan-id=70 is the guest VLAN id; every other network has its
# own id and the OOB subnet is 192.168.77.0/24, so this looks like a
# copy-paste slip -- confirm the intended id for the OOB VLAN.
add interface=ether5 name=ether5_vl_local vlan-id=70
# These two are only referenced by a disabled forward rule below.
add interface=br_guest name="vl_GUEST on br_GUEST" vlan-id=70
add interface=br_lan name="vl_LAN on br_LAN" vlan-id=60
/interface list
# NOTE(review): LEASES and LAN have no enabled members in this export; the
# firewall matches br_lan/br_guest by name instead of a LAN list.
add name=LEASES
add name=UNTRUSTED
add name=WAN
add name=LAN
/interface wifi channel
# NOTE(review): ch_2.4Ghz is defined but no configuration references it; the
# 2.4 GHz configurations below have neither channel= nor country= set.
add band=2ghz-ax disabled=no name=ch_2.4Ghz width=20mhz
add band=5ghz-ax disabled=no name=ch_5Ghz width=20mhz
/interface wifi datapath
# NOTE(review): neither datapath sets vlan-id, so wifi clients are placed
# untagged into the named bridge, not into VLAN 60/70. On the router's own
# radios that lands them directly in br_lan/br_guest, where the DHCP servers
# are, so those should work. On the CAPs the same "bridge=" name is applied
# locally; if an AP only has its default bridge, the CAP radio is never
# bridged anywhere and clients cannot reach a DHCP server -- the most likely
# cause of the reported symptom (check with /interface bridge port print on
# an AP). To carry 60/70 tagged to ether3/ether4 as the router expects, the
# CAP side would need a VLAN-aware bridge with its uplink tagged and the
# datapath using vlan-id=60 / vlan-id=70 -- confirm against the wifi docs.
add bridge=br_lan disabled=no name="br_LAN - VLAN 60"
add bridge=br_guest disabled=no name="br_GUEST - VLAN 70"
/interface wifi security
# NOTE(review): WPA2-PSK only. The ax2 radios support WPA3, so
# authentication-types=wpa2-psk,wpa3-psk would let capable clients use SAE
# while keeping WPA2 for older ones. disable-pmkid=yes is a good choice.
# No passphrase appears in the export (removed before posting, presumably).
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no name=\
seccfg_Cussangy
add authentication-types=wpa2-psk connect-priority=0 disable-pmkid=yes \
disabled=no name=seccfg_Cussangy_guest
/interface wifi configuration
# NOTE(review): the 2.4 GHz configurations set no country, while the 5 GHz
# ones use country=France; country governs allowed channels/power, so set it
# consistently on all four.
add datapath="br_LAN - VLAN 60" disabled=no mode=ap name=cfg_Cussangy_2.4Ghz \
security=seccfg_Cussangy security.connect-priority=0 ssid=Cussangy
add channel=ch_5Ghz country=France datapath="br_LAN - VLAN 60" \
datapath.bridge=br_lan disabled=no mode=ap name=cfg_Cussangy_5Ghz \
security=seccfg_Cussangy security.connect-priority=0 ssid=Cussangy
add datapath="br_GUEST - VLAN 70" disabled=no mode=ap name=\
cfg_Cussangy_guest_2.4Ghz security=seccfg_Cussangy_guest \
security.connect-priority=0 ssid=Cussangy_guest
add channel=ch_5Ghz country=France datapath="br_GUEST - VLAN 70" disabled=no \
mode=ap name=cfg_Cussangy_guest_5Ghz security=seccfg_Cussangy_guest \
security.connect-priority=0 ssid=Cussangy_guest
/interface wifi
# The router's own radios are configured statically here (not via CAP), with
# one virtual guest AP on top of each physical radio.
set [ find default-name=wifi2 ] configuration=cfg_Cussangy_2.4Ghz \
configuration.mode=ap disabled=no name=Router_Cussangy_2.4Ghz \
security.connect-priority=0
set [ find default-name=wifi1 ] configuration=cfg_Cussangy_5Ghz \
configuration.mode=ap disabled=no name=Router_Cussangy_5Ghz \
security.connect-priority=0
add configuration=cfg_Cussangy_guest_2.4Ghz configuration.mode=ap disabled=no \
mac-address=XX:XX:XX:XX:XX:XX master-interface=Router_Cussangy_2.4Ghz \
name=Router_Cussangy_guest_2.4Ghz security.connect-priority=0
add configuration=cfg_Cussangy_guest_5Ghz configuration.mode=ap disabled=no \
mac-address=XX:XX:XX:XX:XX:XX master-interface=Router_Cussangy_5Ghz name=\
Router_Cussangy_guest_5Ghz security.connect-priority=0
/ip ipsec profile
# IKEv2 phase 1: AES-256 / SHA-512 / DH group 14 with strict proposal check.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
profile1 proposal-check=strict
/ip ipsec peer
add address=XXXXXXX exchange-mode=ike2 name=XXXXXXX profile=profile1
/ip ipsec proposal
# Phase 2: AES-128-GCM (AEAD, hence no separate auth algorithm) with PFS.
add auth-algorithms="" enc-algorithms=aes-128-gcm lifetime=1h name=proposal1 \
pfs-group=modp2048
/ip pool
add name=dhcp_local ranges=192.168.77.10-192.168.77.250
add name=dhcp_lan ranges=192.168.60.10-192.168.60.250
add name=dhcp_guest ranges=192.168.70.10-192.168.70.250
# NOTE(review): dhcp_pool3 overlaps dhcp_guest (and includes .1-.253) but no
# DHCP server below references it -- leftover, safe to remove.
add name=dhcp_pool3 ranges=192.168.70.1-192.168.70.253
/ip dhcp-server
# One server per bridge; wifi clients only get a lease if their radio ends
# up in one of these bridges (or tagged into it via ether3/ether4).
add address-pool=dhcp_local interface=br_local lease-time=1h name=dhcp_local
add address-pool=dhcp_lan interface=br_lan lease-time=1d name=dhcp_lan
add address-pool=dhcp_guest interface=br_guest name=dhcp_guest
/user group
# Least-privilege API group for Home Assistant: read + api only.
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,\
!write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/interface bridge port
# NOTE(review): ether2 is a disabled member of br_WAN_ISP here but an enabled
# untagged member of br_lan at the end of this section. If ether2 is the ISP
# uplink port, it is currently bridged into the LAN -- confirm which is meant.
add bridge=br_WAN_ISP disabled=yes interface=ether2 internal-path-cost=10 \
path-cost=10
add bridge=br_WAN_LTE interface=ether1_vl_WAN_LTE internal-path-cost=10 \
path-cost=10
add bridge=br_lan interface=ether3_vl_LAN internal-path-cost=10 path-cost=10
add bridge=br_lan interface=ether4_vl_LAN internal-path-cost=10 path-cost=10
add bridge=br_local interface=ether5_vl_local internal-path-cost=10 \
path-cost=10
add bridge=br_guest interface=ether3_vl_GUEST internal-path-cost=10 \
path-cost=10
add bridge=br_guest interface=ether4_vl_GUEST internal-path-cost=10 \
path-cost=10
# NOTE(review): the next three are disabled untagged duplicates of ports that
# are already bridged via their VLAN sub-interfaces -- leftovers.
add bridge=br_local disabled=yes interface=ether5 internal-path-cost=10 \
path-cost=10
add bridge=br_lan disabled=yes interface=ether3 internal-path-cost=10 \
path-cost=10
add bridge=br_lan disabled=yes interface=ether4 internal-path-cost=10 \
path-cost=10
add bridge=br_guest interface=ether1_vl_GUEST internal-path-cost=10 \
path-cost=10
add bridge=br_lan interface=ether1_vl_LAN internal-path-cost=10 path-cost=10
# NOTE(review): ether5 untagged AND ether5_vl_local are both enabled members
# of br_local, so the OOB bridge sees the port twice (untagged and VLAN 70).
add bridge=br_local interface=ether5 internal-path-cost=10 path-cost=10
add bridge=br_lan interface=ether2
/ip neighbor discovery-settings
# NOTE(review): !dynamic still includes the static WAN bridges, so MNDP/LLDP
# discovery is sent towards the ISP/LTE side; a LAN interface list (the LAN
# list exists but is empty) would limit it to internal bridges.
set discover-interface-list=!dynamic
/interface detect-internet
set wan-interface-list=WAN
/interface list member
add disabled=yes interface=br_guest list=LEASES
add interface=br_WAN_LTE list=UNTRUSTED
add interface=br_WAN_ISP list=UNTRUSTED
add disabled=yes interface=br_guest list=UNTRUSTED
add interface=br_WAN_ISP list=WAN
add interface=br_WAN_LTE list=WAN
/interface wifi cap
# NOTE(review): CAP mode is enabled on the router itself although its radios
# are configured statically above; caps-man-names=2.4-Cussangy also does not
# match this router's identity. Confirm this is intentional, otherwise it can
# be disabled.
set caps-man-names=2.4-Cussangy discovery-interfaces=all enabled=yes
/interface wifi capsman
# NOTE(review): interfaces=all makes CAPsMAN reachable on every interface,
# including the WAN bridges, and require-peer-certificate=no accepts any CAP.
# Restrict interfaces= to the bridge the APs actually sit on (presumably
# br_lan via VLAN 60 on ether3/ether4) and enable certificates once the CAPs
# have them.
set enabled=yes interfaces=all package-path="" require-peer-certificate=no \
upgrade-policy=none
/interface wifi provisioning
# One rule per AP radio, matched by radio MAC (redacted), master = LAN SSID,
# slave = guest SSID.
add action=create-dynamic-enabled comment=APCussangyBureau5Ghz disabled=no \
master-configuration=cfg_Cussangy_5Ghz name-format=AP_Bureau_5Ghz \
radio-mac=XXXXXXX slave-configurations=cfg_Cussangy_guest_5Ghz
add action=create-dynamic-enabled comment=APCussangyBureau2.4Ghz disabled=no \
master-configuration=cfg_Cussangy_2.4Ghz name-format=AP_Bureau_2.4Ghz \
radio-mac=XXXXXXX slave-configurations=\
cfg_Cussangy_guest_2.4Ghz
add action=create-dynamic-enabled comment=APCussangyBoven5Ghz disabled=no \
master-configuration=cfg_Cussangy_5Ghz name-format=AP_Boven_5Ghz \
radio-mac=XXXXXXX slave-configurations=cfg_Cussangy_guest_5Ghz
add action=create-dynamic-enabled comment=APCussangyBoven2.4Ghz disabled=no \
master-configuration=cfg_Cussangy_2.4Ghz name-format=AP_Boven_2.4Ghz \
radio-mac=XXXXXXX slave-configurations=\
cfg_Cussangy_guest_2.4Ghz
/interface wireguard peers
add allowed-address=192.168.216.3/32,fc00:0:0:216::3/128 comment=\
"RouterCussangy | samsung SM-S901B" interface=back-to-home-vpn \
persistent-keepalive=30s public-key=\
"XXXXXXX"
/ip address
add address=192.168.77.254/24 interface=br_local network=192.168.77.0
add address=192.168.60.254/24 interface=br_lan network=192.168.60.0
add address=192.168.70.254/24 interface=br_guest network=192.168.70.0
# NOTE(review): interface=*16 is a dangling reference to an interface that no
# longer exists (it also appears in a disabled forward rule below), so this
# address is attached to nothing -- re-point it or remove it.
add address=192.168.80.1/24 interface=*16 network=192.168.80.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=br_WAN_ISP use-peer-dns=no
add interface=br_WAN_LTE
/ip dhcp-server lease
add address=192.168.60.250 client-id=1:48:a9:8a:92:7b:f0 mac-address=\
48:A9:8A:92:7B:F0 server=dhcp_lan
add address=192.168.60.251 client-id=1:48:a9:8a:b8:f2:24 mac-address=\
48:A9:8A:B8:F2:24 server=dhcp_lan
/ip dhcp-server network
add address=192.168.60.0/24 comment=net_lan dns-server=192.168.60.254 domain=\
lan.cussangy.local gateway=192.168.60.254 netmask=24
add address=192.168.70.0/24 comment=net_guest dns-server=192.168.70.254 \
domain=guest.cussangy.local gateway=192.168.70.254 netmask=24
# NOTE(review): the router's br_local address is 192.168.77.254, but OOB
# clients are handed 192.168.77.1 as gateway and DNS.
add address=192.168.77.0/24 comment=net_oob dns-server=192.168.77.1 gateway=\
192.168.77.1
/ip dns
# NOTE(review): remote requests are enabled, so exposure of udp/53 depends
# entirely on the input chain -- see the "FW - DNS to FW" rules below, which
# as written let DNS in from both WAN bridges.
set allow-remote-requests=yes servers=193.190.198.14,1.1.1.1
/ip firewall address-list
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
add address=10.0.0.0/8 list=RFC1918
add address=XXXXXXX list="VPN sources"
/ip firewall filter
add action=passthrough chain=forward comment=\
"special dummy rule to show fasttrack counters"
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Accept OOB Access" in-interface=\
br_local
# NOTE(review): this rule has no matcher at all, so it accepts every packet
# to the router from every interface (WAN included) and every input rule
# after it -- the WAN drops, the "Drop all IN" -- is unreachable. It was
# presumably meant as connection-state=established,related.
add action=accept chain=input comment="General - Established Input"
add action=accept chain=input comment="Allow Wireguard VPN" disabled=yes \
src-address=192.168.80.0/24
add action=accept chain=input comment="Allow Wireguard VPN" disabled=yes \
dst-port=13231 protocol=udp
add action=accept chain=input comment="VPN - Accept incoming IKE" disabled=\
yes dst-port=500,4500 in-interface=br_WAN_LTE log-prefix=IKE protocol=udp \
src-address-list="VPN sources"
add action=accept chain=input disabled=yes in-interface=br_WAN_LTE protocol=\
ipsec-esp src-address-list="VPN sources"
add action=accept chain=forward comment=\
"OPENVPN forward to Raspberry Pi static adress" disabled=yes dst-address=\
192.168.60.33 dst-port=1194 protocol=udp
# tcp/8728 is the plaintext API; api-ssl (8729) would protect the HA
# credentials on the wire.
add action=accept chain=input comment="HomeAssistant Integration" \
dst-address=192.168.60.254 dst-port=8728 in-interface=br_lan protocol=tcp
# NOTE(review): a pair of "!br_WAN_ISP" / "!br_WAN_LTE" rules accepts from
# everything except one WAN bridge each, so together they accept from both
# WAN bridges. Here the RFC1918 source list limits the damage; for the DNS
# pair below it does not. A single rule with in-interface-list=!WAN (the WAN
# list already holds both bridges) expresses the intent.
add action=accept chain=input comment="FW - Accept ICMP to FW" in-interface=\
!br_WAN_ISP protocol=icmp src-address-list=RFC1918
add action=accept chain=input comment="FW - Accept ICMP to FW" in-interface=\
!br_WAN_LTE protocol=icmp src-address-list=RFC1918
# NOTE(review): same !ISP / !LTE pattern with no source restriction: together
# these accept udp/53 from the internet, and with allow-remote-requests=yes
# the router becomes an open resolver (amplification abuse). Replace both
# with one rule using in-interface-list=!WAN.
add action=accept chain=input comment="FW - DNS to FW" dst-port=53 \
in-interface=!br_WAN_ISP protocol=udp
add action=accept chain=input comment="FW - DNS to FW" dst-port=53 \
in-interface=!br_WAN_LTE protocol=udp
add action=accept chain=input comment="FW - Accept incoming from LAN" \
dst-address=192.168.60.254 in-interface=br_lan src-address=\
192.168.60.0/24
add action=accept chain=input comment=\
"FW - accept incoming Veemarkt over ISP" disabled=yes dst-address=\
192.168.60.254 in-interface=br_WAN_ISP src-address=192.168.205.0/24
add action=accept chain=input comment=\
"FW - Accept incoming Veemarkt over LTE" disabled=yes dst-address=\
192.168.60.254 in-interface=br_WAN_LTE src-address=192.168.205.0/24
add action=accept chain=input comment=\
"FW - Accept incoming from PBNET over ISP" disabled=yes dst-address=\
192.168.60.254 in-interface=br_WAN_ISP src-address=192.168.1.0/24
add action=accept chain=input comment=\
"FW - Accept incoming from PBNET over LTE" disabled=yes dst-address=\
192.168.60.254 in-interface=br_WAN_LTE src-address=192.168.1.0/24
add action=drop chain=input comment="FW - Drop Input UDP - silent" dst-port=\
123,137,138 protocol=udp
add action=drop chain=input comment="FW - Drop Incoming WAN over ISP" \
in-interface=br_WAN_ISP
add action=drop chain=input comment="FW - Drop incoming WAN over LTE" \
in-interface=br_WAN_LTE
add action=drop chain=input comment="FW - Drop all IN"
# NOTE(review): both rules below sit after "Drop all IN" and can never match;
# the invalid-drop also lacks connection-state=invalid and belongs near the
# top of the chain.
add action=drop chain=input comment="General - Broadcast silent drop" \
dst-address=255.255.255.255
add action=drop chain=input comment="General - Drop Invalid Input"
add action=accept chain=forward comment="Allow Wireguard to LAN" disabled=yes \
in-interface=*16 out-interface="vl_LAN on br_LAN"
add action=accept chain=forward comment="VPN: accept incoming IPSEC" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="VPN: accept outgoing IPSEC" \
disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment="LAN - Allow Internet over ISP" \
dst-address-list=!RFC1918 in-interface=br_lan out-interface=br_WAN_ISP \
src-address=192.168.60.0/24
add action=accept chain=forward comment="LAN - Allow Internet over LTE" \
dst-address-list=!RFC1918 in-interface=br_lan out-interface=br_WAN_LTE \
src-address=192.168.60.0/24
add action=accept chain=forward comment="GUEST - Allow Internet over ISP" \
dst-address-list=!RFC1918 in-interface=br_guest out-interface=br_WAN_ISP \
src-address=192.168.70.0/24
# NOTE(review): in-interface=all-wireless / out-interface=br_guest does not
# describe guest-to-LTE traffic; by analogy with the rule above this should
# be in-interface=br_guest out-interface=br_WAN_LTE.
add action=accept chain=forward comment="GUEST - Allow Internet over LTE" \
dst-address-list=!RFC1918 in-interface=all-wireless out-interface=\
br_guest src-address=192.168.70.0/24
# Matches established only; "related" is not included.
add action=accept chain=forward comment=Statefull connection-state=\
established
add action=accept chain=output comment="Outgoing DNS over ISP" dst-port=53 \
out-interface=br_WAN_ISP protocol=udp
add action=accept chain=output comment="Outgoing DNS over LTE" dst-port=53 \
out-interface=br_WAN_LTE protocol=udp
add action=accept chain=forward comment="VPN IN from XXXXXXX" disabled=yes \
dst-address=192.168.60.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="VPN IN from XXXXXXX" disabled=yes \
dst-address=192.168.60.0/24 src-address=192.168.205.0/24
add action=accept chain=forward comment="VPN - LAN out to XXXXXXX" disabled=yes \
dst-address=192.168.1.0/24 src-address=192.168.60.0/24
add action=accept chain=forward comment="VPN - LAN out to XXXXXXX" disabled=\
yes dst-address=192.168.205.0/24 src-address=192.168.60.0/24
# NOTE(review): no matcher, so this accepts ALL forwarded traffic (guest to
# LAN, WAN to LAN once NAT/routing allows it); every forward rule after it,
# including "DROP ALL", is dead. Presumably meant to carry
# connection-state=established,related, and the invalid-drop right after it
# should carry connection-state=invalid.
add action=accept chain=forward comment=\
"General - Accept established forward"
add action=drop chain=forward comment="General - Drop invalid forward"
add action=accept chain=forward comment="LAN - ping not ISP" in-interface=\
br_lan out-interface=!br_WAN_ISP protocol=icmp src-address=\
192.168.60.0/24
add action=accept chain=forward comment="LAN - ping not LTE" in-interface=\
br_lan out-interface=!br_WAN_LTE protocol=icmp src-address=\
192.168.60.0/24
add action=accept chain=forward comment="LAN - Allow internet over ISP" \
disabled=yes dst-address-list=!RFC1918 in-interface=br_lan out-interface=\
br_WAN_ISP src-address=192.168.60.0/24
add action=accept chain=forward comment="LAN - Allow internet over LTE" \
disabled=yes dst-address-list=!RFC1918 in-interface=br_lan out-interface=\
br_WAN_LTE src-address=192.168.60.0/24
add action=accept chain=forward comment="GUEST - Allow internet over ISP" \
disabled=yes dst-address-list=!RFC1918 in-interface=br_guest \
out-interface=br_WAN_ISP src-address=192.168.70.0/24
add action=accept chain=forward comment="GUEST - Allow internet over LTE" \
disabled=yes dst-address-list=!RFC1918 in-interface=br_guest \
out-interface=br_WAN_LTE src-address=192.168.70.0/24
add action=drop chain=forward comment="DROP ALL - Silent Drop" dst-port=\
123,137,138 protocol=udp
add action=drop chain=forward comment="DROP ALL"
/ip firewall mangle
add action=clear-df chain=postrouting disabled=yes out-interface=br_WAN_ISP \
passthrough=yes
add action=clear-df chain=postrouting disabled=yes out-interface=br_WAN_LTE \
passthrough=yes
/ip firewall nat
# IPsec-bound traffic is exempted from NAT before the masquerade rules.
add action=accept chain=srcnat comment="IPsec No-NAT" ipsec-policy=out,ipsec
add action=src-nat chain=srcnat comment="NAT OpenVPN server" disabled=yes \
dst-address=192.168.60.33 dst-port=1194 protocol=udp to-addresses=\
192.168.60.254
add action=dst-nat chain=dstnat comment="NAT OpenVPN server" disabled=yes \
dst-port=1194 protocol=udp to-addresses=192.168.60.33 to-ports=1104
add action=masquerade chain=srcnat disabled=yes log=yes out-interface=\
br_WAN_ISP
# NOTE(review): this masquerades every source out of LTE (OOB included), so
# the per-subnet masquerade rules after it never match for LTE traffic.
add action=masquerade chain=srcnat out-interface=br_WAN_LTE
add action=masquerade chain=srcnat comment="Masquerade out LAN to WAN" \
disabled=yes out-interface-list=WAN src-address=192.168.60.0/24
add action=masquerade chain=srcnat comment="Masquerade out guest to WAN" \
out-interface-list=WAN src-address=192.168.70.0/24
/ip firewall service-port
# Connection-tracking ALG helpers disabled -- good.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec identity
# Certificate-based IKEv2 identity with strict policy generation.
add auth-method=digital-signature certificate=cert01-vpn-cussangy \
generate-policy=port-strict match-by=certificate peer=bpnet \
remote-certificate=cert02-vpn-bpnet.crt_0
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 peer=XXXXXXX proposal=proposal1 src-address=\
192.168.60.0/24 tunnel=yes
/ip route
# Active path is LTE (distance 2); all ISP routes and the recursive
# check-gateway routes are disabled.
add comment="Route to XXXXXXX over ISP" disabled=yes distance=1 dst-address=\
192.168.1.0/24 gateway=br_WAN_ISP pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="Route to XXXXXXX over LTE" disabled=no distance=2 dst-address=\
192.168.1.0/24 gateway=br_WAN_LTE pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="Route to XXXXXXX over ISP" disabled=yes distance=1 dst-address=\
192.168.205.0/24 gateway=br_WAN_ISP pref-src="" routing-table=main scope=\
30 suppress-hw-offload=no target-scope=10
add comment="Route to XXXXXXX over LTE" disabled=no distance=2 dst-address=\
192.168.205.0/24 gateway=br_WAN_LTE pref-src="" routing-table=main scope=\
30 suppress-hw-offload=no target-scope=10
add comment="To WAN over br_WAN_ISP" disabled=yes distance=1 dst-address=\
0.0.0.0/0 gateway=br_WAN_ISP pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="To WAN over br_WAN_LTE" disabled=no distance=2 dst-address=\
0.0.0.0/0 gateway=br_WAN_LTE pref-src="" routing-table=main \
suppress-hw-offload=no
add comment="Recursive routing: check route over WAN_ISP" disabled=yes \
distance=1 dst-address=8.8.8.8/32 gateway=br_WAN_ISP pref-src="" \
routing-table=main scope=10 suppress-hw-offload=no target-scope=10
# NOTE(review): scope=30 on this host route is larger than the target-scope=10
# of the recursive LTE default route that depends on it, so if both were
# re-enabled the LTE recursive route would not resolve; the ISP pair above
# uses scope=10 for the same purpose.
add comment="Recursive routing: check route over WAN_LTE" disabled=yes \
distance=1 dst-address=1.1.1.1/32 gateway=br_WAN_LTE pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Recursive routing over WAN_ISP" disabled=yes \
distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Recursive routing over WAN_LTE" disabled=yes \
distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" \
routing-table=main scope=10 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=RouterCussangy
/system note
set show-at-login=no