LAN device cannot be accessed from CAP's LAN, but can be accessed from router LAN

RB5009 RouterOS version 17.2
cap AX version 17.2

Cannot access it from the CAP's LAN or Wi-Fi networks, but when connected to the RB5009 router directly it works fine; it seems to be the CAP's issue.

It seems the same as this issue: http://forum.mikrotik.com/t/site-to-site-vpn-one-http-service-accessible-only-via-roguewarrior-not-lan/181565/8


Can anyone help me resolve this issue?

If you need VLANs, then the address subnets are defined on the main router (5009). Is it specified in your RB5009 forward chain that VLAN99 mgmt has access to your internal LAN? If you connect directly to the router, you probably immediately get a local LAN address, so you can get there. What is the 5009 firewall configuration? /ip firewall filter export…?

The second option: if it is a simple home LAN and you want to create 2, 3 or more LANs, you can also not use VLANs. Create 2 bridges on the main router, one 10.x.x.x, the other 10.10.x.x. Enable DHCP, specify in the forward chain which network will have access to this or another LAN, and create 2 masquerades. Bridge the ports on the CAP, without a firewall, define the subnets of the necessary networks, and all IPs will be assigned to you from the main router.

VLAN99 mgmt is CAPsMAN's management network 10.0.0.0/24; WLAN 192.168.199.0/24 is the local LAN network.

You need to provide both configs, not just one:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys)

This is not because of the DHCP server: Wi-Fi and the CAP's LAN can also get an IP address, but cannot access the router LAN devices (yet ping succeeds from the CAP's LAN or Wi-Fi).

Can anyone help resolve this issue?

Any response?

Please tell me, if all this "mega" configuration works for you for home needs, I have a question: why do you need to complicate everything so much?
If we look at your traffic flow and firewall… it looks like one very big space.
It looks like you have 3 IP subnets configured.
/ip dhcp-server
add address-pool=POOL-WLAN
add address-pool=POOL-MGMT
add address-pool=POOL-IPTV
If you want, you can configure 3 VLANs for these subnets and that's it. We use address lists, firewall policy for access from one VLAN to another, etc.
You can also use a simpler option: don't use VLANs, but create 3 bridges. It will also work well and everything will be secure, provided that you arrange the firewall rules. This affects the operation of traffic, stability and security. In your case, none of this is there; there is only one big mix.
I described what it might look like here - http://forum.mikrotik.com/t/ros7-vlan-problem/181929/5
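The two replies above (the one asking whether the RB5009 forward chain lets VLAN99 mgmt reach the internal LAN, and the one recommending three VLANs with address lists and an explicit inter-VLAN firewall policy) describe the same layout. Below is an added example of what that looks like as RouterOS 7 config; it is not a config posted in this thread and not a MikroTik default. Only the mgmt subnet 10.0.0.0/24, the WLAN subnet 192.168.199.0/24 and the pool names POOL-MGMT/POOL-WLAN/POOL-IPTV come from the thread; the bridge and VLAN interface names, the VLAN IDs 99/199/30, the IPTV subnet 10.10.0.0/24, the port roles (ether1 WAN, ether2 trunk to the cAP, ether3 access port) and the pool ranges are assumptions chosen for the example.

```routeros
# Added example, not from the thread. Assumed: bridge1, ether1 = WAN, ether2 = trunk
# to the cAP ax, ether3 = untagged access port; VLAN IDs 99 (mgmt), 199 (WLAN), 30 (IPTV).
# Subnets 10.0.0.0/24 (mgmt) and 192.168.199.0/24 (WLAN) are from the thread,
# 10.10.0.0/24 for IPTV is assumed. Apply in Safe Mode; enable vlan-filtering last.

/interface bridge
add name=bridge1 vlan-filtering=no comment="switch vlan-filtering on at the very end"

/interface bridge port
add bridge=bridge1 interface=ether2 comment="802.1Q trunk to the cAP (tagged 99,199,30)"
add bridge=bridge1 interface=ether3 pvid=199 comment="untagged access port in the WLAN subnet"

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=99
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether3 vlan-ids=199
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=30

# One L3 interface per VLAN on the router; the cAP only bridges, it does no routing.
/interface vlan
add name=VLAN-MGMT interface=bridge1 vlan-id=99
add name=VLAN-WLAN interface=bridge1 vlan-id=199
add name=VLAN-IPTV interface=bridge1 vlan-id=30

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=VLAN-MGMT
add list=LAN interface=VLAN-WLAN
add list=LAN interface=VLAN-IPTV

/ip address
add address=10.0.0.1/24 interface=VLAN-MGMT
add address=192.168.199.1/24 interface=VLAN-WLAN
add address=10.10.0.1/24 interface=VLAN-IPTV

# DHCP lives only on the router, so cAP clients get addresses from here (as the reply says).
/ip pool
add name=POOL-MGMT ranges=10.0.0.100-10.0.0.200
add name=POOL-WLAN ranges=192.168.199.100-192.168.199.200
add name=POOL-IPTV ranges=10.10.0.100-10.10.0.200
/ip dhcp-server
add name=DHCP-MGMT interface=VLAN-MGMT address-pool=POOL-MGMT
add name=DHCP-WLAN interface=VLAN-WLAN address-pool=POOL-WLAN
add name=DHCP-IPTV interface=VLAN-IPTV address-pool=POOL-IPTV
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1
add address=192.168.199.0/24 gateway=192.168.199.1 dns-server=192.168.199.1
add address=10.10.0.0/24 gateway=10.10.0.1 dns-server=10.10.0.1

# Address lists make the inter-VLAN policy readable and keep the rule count small.
/ip firewall address-list
add list=NET-MGMT address=10.0.0.0/24
add list=NET-WLAN address=192.168.199.0/24
add list=NET-IPTV address=10.10.0.0/24

# Forward chain: state rules first, then explicit VLAN-to-VLAN allows, then a drop
# for everything else between LAN interfaces, then LAN-to-Internet. Order matters.
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept src-address-list=NET-MGMT dst-address-list=NET-WLAN \
    comment="mgmt VLAN may reach WLAN-subnet devices (the access asked about above)"
add chain=forward action=accept src-address-list=NET-WLAN dst-address-list=NET-MGMT \
    protocol=tcp dst-port=443 comment="WLAN may only reach mgmt over HTTPS; replies pass via established"
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="every other inter-VLAN flow is dropped (IPTV stays isolated)"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to Internet"
add chain=forward action=drop comment="default drop"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

# Last step: turn on VLAN filtering. Done earlier, the bridge1 tagged entries above
# are not yet present and you lose management access.
/interface bridge set bridge1 vlan-filtering=yes
```

With this in place, "pings but cannot connect" from a VLAN is diagnosed from the router rather than guessed at: `/ip firewall filter print stats chain=forward` shows which rule's counter grows while you retry the connection, and `/ip firewall connection print where dst-address~"192.168.199"` shows whether the flow is even being forwarded. On the cAP itself the matching configuration is only a bridge with the uplink as a tagged member of VLANs 99/199/30, a VLAN 99 interface on the bridge carrying a DHCP client for management, and no firewall, so the router's forward chain is the single place where inter-subnet policy is enforced.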

Done now, thanks for your reply.