[Mikrotik Chateau LTE 12] 3 bridges, one of them contains the 2 wlan

uiblogit · March 3, 2022, 4:53pm

hi everyone, I have a friend who has the following situation with his Mikrotik Chateau LTE 12:

in practice it has 3 bridges:
the first bridge goes from port ether1 to ether4
the second bridge uses only the ether5 port
the third bridge has combined the 2 wlan (wlan1 and wlan2)

the first bridge (BRIDGE-Financelab), has 192.168.1.0/24 as a subnet
the second bridge (BRIDGE-SweetHome) has 192.168.0.0/24 as a subnet
the third bridge (BRIDGE-Wifi) has 192.168.2.0/24 as a subnet

Both with wifi and from the lan of the respective bridges it manages to go out on the internet without problem, and manages to ping the hosts between wifi and lan and vice versa.

the only thing it cannot do is to be able to access from the wifi network to the 2 lan present in the 2 distinct bridges, in fact from the wifi it does not access any machine connected via lan.

write below the export of its configuration:

# mar/03/2022 15:59:04 by RouterOS 7.1.3
# software id = 
#
# model = D53G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=\
    BRIDGE-Financelab
add name=BRIDGE-SweetHome
add name=BRIDGE-Wifi
/interface lte
set [ find ] allow-roaming=no band="" name=lte1 network-mode=lte
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=web.ho-mobile.it use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=profile_Local supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=italy disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge security-profile=profile_Local ssid=Wifi2G \
    wireless-protocol=802.11 wmm-support=enabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=italy disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge security-profile=profile_Local \
    skip-dfs-channels=all ssid=Wifi5G wireless-protocol=802.11 wmm-support=\
    enabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool3 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool4 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=BRIDGE-Financelab name=dhcp1
add address-pool=dhcp_pool3 interface=BRIDGE-SweetHome name=dhcp2
add address-pool=dhcp_pool4 interface=BRIDGE-Wifi name=dhcp3
/port
set 0 name=usb1
/interface bridge port
add bridge=BRIDGE-Financelab comment=defconf interface=ether1
add bridge=BRIDGE-Financelab comment=defconf interface=ether2
add bridge=BRIDGE-Financelab comment=defconf interface=ether3
add bridge=BRIDGE-Financelab comment=defconf interface=ether4
add bridge=BRIDGE-SweetHome interface=ether5
add bridge=BRIDGE-Wifi interface=wlan1
add bridge=BRIDGE-Wifi interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/interface list member
add comment=defconf interface=BRIDGE-Financelab list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=BRIDGE-Financelab \
    network=192.168.1.0
add address=192.168.0.1/24 interface=BRIDGE-SweetHome network=192.168.0.0
add address=192.168.2.1/24 interface=BRIDGE-Wifi network=192.168.2.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.0/24 list=Accesso-Chateau-LTE12
add address=192.168.0.0/24 list=Accesso-Chateau-LTE12
add address=192.168.2.0/24 list=Accesso-Chateau-LTE12
add address=192.168.88.0/24 list=Accesso-Chateau-LTE12
/ip firewall filter
add action=accept chain=input comment=Accesso-Chateau-LTE12 dst-port=\
    XXXX,XXXX,XXXXX protocol=tcp src-address-list=Accesso-Chateau-LTE12
add action=drop chain=input comment="Drop servizi Accesso-Chateau-LTE12" \
    dst-port=XXXX,XXXX,XXXXX protocol=tcp
add action=accept chain=input comment="Accetta conn. enstablished related" \
    connection-state=established,related
add action=accept chain=input comment=" Accetta echo request" icmp-options=\
    8:0 protocol=icmp
add action=drop chain=input comment="Blocca tutto il resto" in-interface=lte1
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Blocca nuove connessioni da IP presenti n\
    ella lista nera verso il Chateau LTE12 " connection-state=new \
    in-interface=lte1 src-address-list=blacklist
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat out-interface=lte1 src-address=\
    192.168.0.0/24
add action=masquerade chain=srcnat out-interface=lte1 src-address=\
    192.168.2.0/24
/ip firewall raw
add action=drop chain=prerouting comment="Drop ip from abusedb list" \
    src-address-list=abusedb
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8090
set ssh port=2223
set api disabled=yes
set winbox port=18291
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Rome
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=ntp1.inrim.it
add address=ntp2.inrim.it
add address=time.inrim.it
add address=0.it.pool.ntp.org
/system routerboard settings
set cpu-frequency=auto
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Do you have any idea what the problem might be?

bpwl · March 3, 2022, 8:12pm

Add the 2 other bridges as member to the LAN interface list. It has effect on all settings where LAN or notLAN (!LAN) is used in the configuration.
Like : add action=drop chain=forward comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN

No forwarding rules for IPv4 ??? Accept and drop ??? So all is allowed? Even if from internet?

Connection between the bridges is routed, PING and other IP unicast traffic will be routed. However device discovery based on multicast or broadcast will not work.
Problems to be expected with printers, cameras, Chromecast, Bonjour announcements, NBT= Netbios over TCP, …

uiblogit · March 5, 2022, 7:07am

The friend I spoke to told me he found where the problem was; in practice, before taking the Mikrotik Chateau LTE 12 he had another product from another manufacturer (and he had not divided his network as in the Mikrotik) and in the machines he had under the “working” subnet he had set in the ufw firewall present in these machines to do not accept connections on services from a subnet other than 192.168.1.0/24, and therefore while a possible ping from the wifi subnet (192.168.2.0/24) was accepted; when, on the other hand, an attempt was made to access the doors of the various services, the request was dropped.

He had therefore forgotten precisely these active rules in the respective machines, consequently it was not a problem of the configuration of the Mikrotik