I have a relatively simple (lol) setup, where my ISP’s router is my egress, and I have a Mikrotik hAP ac and a Raspberry Pi connected to it.
The RPi is my DNS (PiHole), but everything else is behind the Mikrotik.
I am trying to create a separate wireless network for IoT devices; the network has its own VLAN (32).
The RPi has
- the default interface connected to the ISP router
- VLAN4 that lets it talk to the “defconf” network
- VLAN 32 is supposed to let it talk to the IoT network.
On the Mikrotik, in short (I’m pasting my redacted /export hide-sensitive below):
- the Virtual WLAN has PVID32
- there is a VLAN interface (from /interface vlan) configured for the ingress from the RPi, and
- a bridge tying them all together
- addresses are configured, and DHCP server too.
And yet, while the RPi is able to ping the hAP (on its VLAN 32 address) and get an address from the DHCP server on VLAN 32, devices on the “IoT WLAN” are not able to get an IP address at all. Windows falls back to a self-assigned 169.254.x.x address, Android just gives up.
The weird part is that /interface bridge host print does show the devices connected to the IoT WLAN, with the correct VID. They just can’t seem to talk to the hAP, I guess..?
I tried (re)configuring this multiple times, including every possible combination (even the silly ones) of “accept all” and “accept only tagged” frame types, and “tagged” and “untagged” interfaces.
I can’t understand what I’m doing wrong, does anybody spot anything that I’m missing?
Thanks!
[admin@MikroTik] > /export hide-sensitive
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add admin-mac=AA:BB:CC:DD:EE:FF auto-mac=no comment=defconf name=bridge
# IoT bridge: VLAN-aware (vlan-filtering=yes), PVID 32, ingress-filtering on.
# Its member list is in /interface bridge vlan further down.
add ingress-filtering=yes name=bridge_home_devices pvid=32 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=wifi wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=wifi wireless-protocol=802.11
/interface vlan
# mgmt (VLAN 99) sits on "bridge", which has no vlan-filtering, so any port of
# that bridge (including the main-SSID wifi) can send frames tagged 99 toward it.
# NOTE(review): mgmt is not in the LAN interface list, so the input-chain
# "drop all not coming from LAN" rule below blocks management over VLAN 99
# (only established/related and ICMP get through) — confirm that is intended.
add interface=bridge name=mgmt vlan-id=99
# VLAN 4 / VLAN 32 sub-interfaces toward the RPi, carried over ether1.
add interface=ether1 name=vlan_pihole_default vlan-id=4
add interface=ether1 name=vlan_pihole_home_devices vlan-id=32
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=home_devices supplicant-identity=MikroTik
/interface wireless
# NOTE(review): the VLAN 32 tag is handled at two layers here. This virtual AP
# uses vlan-mode=use-tag vlan-id=32 (the wireless interface itself tags/untags),
# while the bridge port below has pvid=32 and /interface bridge vlan lists
# wlan_home_devices as an UNTAGGED member, i.e. the bridge strips the tag on
# egress. If use-tag only delivers frames that still carry tag 32 to clients
# (check the wireless vlan-mode documentation), DHCP offers leaving
# bridge_home_devices untagged never reach the clients — which would match the
# symptom (MACs learned with VID 32, but no lease). Let one layer own the tag:
# either vlan-mode=no-tag here and keep the bridge pvid/untagged setup, or keep
# use-tag and move wlan_home_devices to the tagged= list in /interface bridge
# vlan.
add disabled=no hide-ssid=yes mac-address=11:22:33:44:55:66 master-interface=\
wlan1 name=wlan_home_devices security-profile=home_devices ssid=wifi-dev \
vlan-id=32 vlan-mode=use-tag wds-default-bridge=bridge_home_devices \
wps-mode=disabled
/ip pool
add name=dhcp_unknown ranges=192.168.88.100-192.168.88.199
add name=known_devices ranges=192.168.88.4-192.168.88.99
add name=dhcp_homedev ranges=192.168.88.200-192.168.88.254
# NOTE(review): this range includes 192.168.32.2, which is also the dns-server
# handed to VLAN 32 clients (/ip dhcp-server network) and the target of a
# static /32 route below. The post says the RPi gets its VLAN 32 address from
# this DHCP server, so .2 is not guaranteed to be the PiHole. Either start the
# pool at .3 and give the PiHole a static lease / static address, or a random
# IoT device can be handed .2 and receive the other clients' DNS queries.
add comment="Home devices addresses" name=homedev_pool ranges=\
192.168.32.2-192.168.32.254
/ip dhcp-server
add address-pool=dhcp_unknown disabled=no interface=bridge name=defconf
add address-pool=homedev_pool disabled=no interface=bridge_home_devices name=\
dhcp_home_devices
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge comment="PiHole Access" interface=vlan_pihole_default
# Both IoT ports are PVID 32 (access-style). vlan_pihole_home_devices is a VLAN
# sub-interface that already adds/strips tag 32 itself, so untagged membership
# is consistent for it; wlan_home_devices is the one with the double-tagging
# question (see the wireless section above).
add bridge=bridge_home_devices comment="Home Devices Bridge" interface=\
vlan_pihole_home_devices pvid=32
add bridge=bridge_home_devices interface=wlan_home_devices pvid=32
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# Only the two ports are listed; the bridge itself is not named as tagged or
# untagged. The router's 192.168.32.1 is still reachable (the RPi can ping it),
# presumably via the dynamic entry that bridge pvid=32 creates — check
# /interface bridge vlan print for a D-flagged entry on this bridge.
add bridge=bridge_home_devices untagged=\
wlan_home_devices,vlan_pihole_home_devices vlan-ids=32
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# bridge_home_devices is in LAN, so everything the firewall, mac-server and
# neighbor discovery allow for "LAN" is also allowed for IoT clients (see the
# notes in the firewall and /tool mac-server sections).
add interface=bridge_home_devices list=LAN
/ip address
# NOTE(review): 192.168.88.1/24 is bound to ether2, which is itself a port of
# "bridge" (/interface bridge port). The address for a bridged network normally
# lives on the bridge interface; verify this entry is not flagged invalid in
# /ip address print and that the defconf DHCP server (interface=bridge) still
# finds a matching network.
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
add address=192.168.0.7/24 interface=ether1 network=192.168.0.0
add address=192.168.99.1/24 comment="Management access" interface=mgmt \
network=192.168.99.0
add address=192.168.32.1/24 comment="Home Devices Gateway" interface=\
bridge_home_devices network=192.168.32.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
# dns-server=192.168.32.2 — see the note at homedev_pool: this address is inside
# the DHCP range and is not reserved for the PiHole.
add address=192.168.32.0/24 comment="Home devices network" dns-server=\
192.168.32.2 gateway=192.168.32.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.2 gateway=\
192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router a DNS resolver for anything that
# reaches chain=input from a LAN-list interface, and bridge_home_devices is in
# LAN, so IoT clients can bypass the PiHole by querying 192.168.32.1 directly
# (DHCP only suggests 192.168.32.2). If PiHole filtering should be enforced,
# drop udp/tcp dst-port=53 from in-interface=bridge_home_devices in chain=input.
set allow-remote-requests=yes servers=192.168.0.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): these two rules are in chain=input, but dst-address
# 192.168.88.2 is the PiHole, not one of this router's own addresses
# (/ip address: .88.1, .0.7, .99.1, .32.1). IoT -> PiHole DNS is routed
# traffic and traverses chain=forward, so these rules are not expected to match
# anything. They belong in chain=forward, where they only matter once a
# forward-chain drop between the IoT VLAN and the main LAN exists (see below).
add action=accept chain=input comment="Allow DNS (UDP) to PiHole" \
dst-address=192.168.88.2 dst-port=53 in-interface=bridge_home_devices \
protocol=udp
add action=accept chain=input comment="Allow DNS (TCP) to PiHole" \
dst-address=192.168.88.2 dst-port=53 in-interface=bridge_home_devices \
protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# NOTE(review): nothing in chain=forward separates bridge_home_devices
# (192.168.32.0/24) from bridge (192.168.88.0/24): after the ipsec / fasttrack /
# established accepts and the invalid and WAN-not-dstnat drops, traffic from
# the IoT VLAN into the main LAN falls through to the default accept. The IoT
# network is on its own bridge and VLAN but is not isolated at L3. If that
# isolation is the goal, add after the WAN drop: an accept for udp/tcp
# dst-port=53 dst-address=192.168.88.2 in-interface=bridge_home_devices, then
# a drop for in-interface=bridge_home_devices out-interface=bridge. Internet
# access from the IoT VLAN (out-interface-list=WAN) is unaffected by that drop.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
# The dhcp-client on ether1 normally installs a default route as well; check
# /ip route print for a duplicate default next to this static one.
add distance=1 gateway=192.168.0.1
# NOTE(review): both hosts below live in directly connected /24s (192.168.32.0
# on bridge_home_devices, 192.168.88.0 on bridge), yet these /32s send them out
# ether1 UNTAGGED (gateway=<interface> appears to mean "directly on that
# interface"), i.e. onto the ISP-router segment instead of through the VLAN 4 /
# VLAN 32 sub-interfaces. A /32 is more specific than the connected /24, so it
# wins regardless of distance=2. Router -> PiHole traffic then takes a
# different path than PiHole -> router traffic. With the VLAN interfaces in
# place these routes should not be needed — try disabling them.
add comment="Route traffic to PiHole on bridge_home_devices (VLAN 32)" \
distance=2 dst-address=192.168.32.2/32 gateway=ether1
add comment="Route traffic to PiHole on default net (VLAN 4)" distance=2 \
dst-address=192.168.88.2/32 gateway=ether1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/tool mac-server
# LAN includes bridge_home_devices, so MAC-level access to the router (and the
# neighbor discovery above) is reachable from the IoT SSID. Consider a separate
# interface list containing only "bridge" for mac-server and discovery.
set allowed-interface-list=LAN