My WLAN guests don't get local DHCP IPs

Hello all

I'm trying to create a guest WLAN with its own DHCP server. I have created two (2.4GHz & 5GHz) virtual WLAN interfaces, and I think I have created a VLAN 6 for the guest WLAN (SSID: Nowhere). I can't get it to work :frowning: What I can see is that the 'Nowhere' SSID does connect my wireless client (iPhone) at the 802.11 level, but I never get any IP from my DHCP server setup. It's not a DHCP server problem, because I have successfully used VLAN 6 from a physical port. The problem seems to be inside my hAP ac, in the 'connection' between the two virtual WLAN interfaces wlan3 & wlan4 and vlan6-NONE. I have 'played' with bridge port PVID, bridge filter and ingress-filtering, but without any success :frowning:

Changing the bridge filtering makes the clients on wlan3 & wlan4 just 'bridge' down to the physical WLAN interface, which I don't want to happen. wlan1 & wlan2 are for my internal users and will get their DHCP IPs from another DHCP server connected to the VLAN 1 ethernet. I want wlan3 and wlan4 to be separated from wlan1 & wlan2 on the wired side as well. I have so far not done the firewall for VLAN 1 and VLAN 6. But as long as I can't get a client on the virtual WLAN to get its IP from the MikroTik DHCP server on VLAN 6, it does not matter.

What do I miss???

Best Regards

  • Per Håkansson

Here is my cropped config:

/export

mar/17/2019 10:44:58 by RouterOS 6.44

software id = 4FDB-Y5HC

model = RouterBOARD 962UiGS-5HacT2HnT

serial number = 8A770-----

/interface bridge
add admin-mac=CC:2D:E0:E7:86:60 auto-mac=no name=bridge-LANs
/interface ethernet
set [ find default-name=ether1 ] name=ether1-HP
set [ find default-name=ether2 ] name=ether2-AP
set [ find default-name=ether3 ] name=ether3-NAS
set [ find default-name=ether4 ] name=ether4-UPS
set [ find default-name=ether5 ] name=ether5-220V
set [ find default-name=sfp1 ] name=sfp1-WAN
/interface vlan
add interface=bridge-LANs name=vlan6-NONE vlan-id=6
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=NotUsed wpa2-pre-shared-key=[NotUsed]
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=Nowhere supplicant-identity=NoLAN wpa2-pre-shared-key=[NotForYourEyesToSee]
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=YouAreHere supplicant-identity=MyLAN wpa2-pre-shared-key=[NotForYourEyesToSee]
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=20/40mhz-XX country=sweden disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge security-profile=YouAreHere ssid=YouAreHere wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=sweden disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge security-profile=YouAreHere ssid=YouAreHere wireless-protocol=802.11 wps-mode=disabled
add disabled=no mac-address=CE:2D:E0:E7:86:65 master-interface=wlan2 name=wlan3 security-profile=Nowhere ssid=Nowhere vlan-id=6 wps-mode=disabled
add disabled=no mac-address=CE:2D:E0:E7:86:66 master-interface=wlan1 name=wlan4 security-profile=Nowhere ssid=Nowhere vlan-id=6 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=NoPool ranges=192.168.116.64/26
/ip dhcp-server
add address-pool=NoPool disabled=no interface=vlan6-NONE name=NoDHCP
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge-LANs interface=ether2-AP
add bridge=bridge-LANs interface=ether3-NAS
add bridge=bridge-LANs interface=ether4-UPS
add bridge=bridge-LANs interface=ether5-220V
add bridge=bridge-LANs interface=wlan1
add bridge=bridge-LANs interface=wlan2
add bridge=bridge-LANs interface=ether1-HP
add bridge=bridge-LANs ingress-filtering=yes interface=wlan3 pvid=6
add bridge=bridge-LANs ingress-filtering=yes interface=wlan4 pvid=6
add bridge=bridge-LANs interface=LAN
/interface list member
add interface=bridge-LANs list=LAN
add interface=sfp1-WAN list=WAN
/interface wireless access-list
add ap-tx-limit=5000000 interface=wlan4 vlan-id=6
add ap-tx-limit=5000000 interface=wlan3 vlan-id=6
/ip address
add address=192.168.111.54/24 interface=ether1-HP network=192.168.111.0
add address=192.168.116.1/24 interface=vlan6-NONE network=192.168.116.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1-WAN
/ip dhcp-server network
add address=192.168.116.0/24 dns-server=192.168.116.1 domain=lost.local gateway=192.168.116.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.111.54 name=router.lan
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN

Yeah your config makes no sense to me at all.
What I need is a clear indication of how many subnets you are using and their purpose (you have half done it for what looks like two of them).
I'm assuming the AP ether port is attached to an access point that is serving all four of your wlans (2 normal and 2 virtual)?

Have a good long read of this link and the examples…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Configure as best you can based on that
then post here again
/export hide-sensitive file=yourconfigmar17

OK, I agree that the config was cropped; I did it to clean out some other VLANs not in use so far. I also agree that I'm probably only halfway to a successful config. As you can see in the new config I'm sending, I have planned for more VLANs/WLANs which should do the same as vlan6<-bridge->virt wlan3/4. I'm sorry if I'm stupid, but for the moment I really think VLAN, WLAN, tagged, untagged and pvid are handled a bit 'strange' on the MikroTik if I compare it to other vendors I have worked with, like HP and Cisco. But it's probably because MikroTik can handle everything and therefore the configuration is a bit complex . . . . or because I'm stupid :slight_smile:

But here is the full config as you asked for, and I also tried to 'draw' a picture. The main focus is to have VLAN 1 bridged and untagged between all of ether1-5 and wlan1/2, because I have an external DHCP server untagged on ether3 (all this works fine). But VLAN 6 should have its own DHCP server defined in the MikroTik itself, and VLAN 6 should bridge traffic from wlan3/4 to allow WiFi clients on the wlan3/4 SSID to get their DHCP IP from the vlan6 local DHCP server:

Once again, thanks for all help I can get.

Regards

  • Per Håkansson


    My 'picture' :frowning:

SFP (WAN DHCP Client) --- ! Routed Interface
LTE (WAN Backup) -------- ! Routed interface

ether1 - 5 ------------------! Bridge-LANs
vlan1 Internal LAN ---------! Untagged on all ether1-5 - DHCP server from another device (192.168.111.x)
vlan10 DMZ ----------------! Tagged on all ether1-5 - Only static IPs (10.100.100.x)
vlan4 Guest (not def. yet) --! Tagged on all ether1-5 - Will have a DHCP the same way as vlan6
vlan5 IoT (not def. yet) -----! Tagged on all ether1-5 - Will have a DHCP the same way as vlan6
vlan6 None ----------------! Tagged on all ether1-5 and wlan3/4 and should have a DHCP server scope for 192.168.116.x <--THIS
wlan1&2 internal -----------! Do bridge packet to vlan 1 and WiFi client get IP from external untagged vlan1 DHCP server
virtual wlan3&4 None ------! Should bridge packet to VLAN 6 and allow WiFi client to get DHCP IP from a local defined DHCP server (192.168.116.x) <--THIS

Sorry if my 'description' is a bit messy, but it's really only about vlan6 and the wlan3&4 SSID clients. How do the virtual wlan3&4 WiFi clients reach all the way to the vlan6 DHCP server?

/export hide-sensitive

mar/18/2019 18:33:00 by RouterOS 6.44

software id = 4FDB-Y5HC

model = RouterBOARD 962UiGS-5HacT2HnT

serial number = 8A770------

/interface lte
set [ find ] disabled=yes mac-address=36:4B:50:xx:xx:xx name=lte1-BACKUP
/interface bridge
add admin-mac=CC:2D:E0:xx:xx:xx auto-mac=no name=bridge-LANs
/interface ethernet
set [ find default-name=ether1 ] name=ether1-HP
set [ find default-name=ether2 ] name=ether2-AP
set [ find default-name=ether3 ] name=ether3-NAS
set [ find default-name=ether4 ] name=ether4-UPS
set [ find default-name=ether5 ] name=ether5-220V
set [ find default-name=sfp1 ] name=sfp1-WAN <-------- Not interesting for the moment, it has nothing to do with bridging between the vlan 6 DHCP server and virt. wlan3/4
/interface vlan
add interface=bridge-LANs name=vlan4-GUEST vlan-id=4 <-------- Not interesting for the moment
add interface=bridge-LANs name=vlan5-IoT vlan-id=5 <-------- Not interesting for the moment
add interface=bridge-LANs name=vlan6-NONE vlan-id=6
add interface=bridge-LANs name=vlan10-DMZ vlan-id=10 <-------- Not interesting for the moment
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik <---- Not used
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=Nowhere supplicant-identity=MikroTik <---- for virt wlan3/4
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=YouAreHere supplicant-identity=MikroTik <---- for wlan1/2
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=20/40mhz-XX country=sweden disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge security-profile=YouAreHere ssid=YouAreHere wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=sweden disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge security-profile=YouAreHere ssid=YouAreHere wireless-protocol=802.11 wps-mode=disabled
add disabled=no mac-address=CE:2D:E0:xx:xx:x5 master-interface=wlan2 name=wlan3 security-profile=Nowhere ssid=Nowhere vlan-id=6 wps-mode=disabled
add disabled=no mac-address=CE:2D:E0:xx:xx:x6 master-interface=wlan1 name=wlan4 security-profile=Nowhere ssid=Nowhere vlan-id=6 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=GuestPool ranges=192.168.114.16/28 <-------- Not interesting for the moment
add name=NoPool ranges=192.168.116.64/26
/ip dhcp-server
add address-pool=GuestPool disabled=no interface=vlan4-GUEST name=GuestDHCP <-------- Not interesting for the moment
add address-pool=NoPool disabled=no interface=vlan6-NONE name=NoDHCP
/interface bridge filter
add action=drop chain=forward in-interface=wlan3 <-------- Should this really be here?
add action=drop chain=forward out-interface=wlan3 <-------- Should this really be here?
add action=drop chain=forward in-interface=wlan4 <-------- Should this really be here?
add action=drop chain=forward out-interface=wlan4 <-------- Should this really be here?
/interface bridge port
add bridge=bridge-LANs interface=ether2-AP
add bridge=bridge-LANs interface=ether3-NAS
add bridge=bridge-LANs interface=ether4-UPS
add bridge=bridge-LANs interface=ether5-220V
add bridge=bridge-LANs interface=wlan1
add bridge=bridge-LANs interface=wlan2
add bridge=bridge-LANs interface=ether1-HP
add bridge=bridge-LANs ingress-filtering=yes interface=wlan3 pvid=6 <-------- Should it be ingress-filter=yes and pvid=6?
add bridge=bridge-LANs ingress-filtering=yes interface=wlan4 pvid=6 <-------- Should it be ingress-filter=yes and pvid=6?
add bridge=bridge-LANs interface=LAN <-------- Isn't this the same as ether1-5 above?
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge-LANs list=LAN
add interface=sfp1-WAN list=WAN
add interface=lte1-BACKUP list=WAN
/interface wireless access-list
add ap-tx-limit=5000000 interface=wlan4 vlan-id=6
add ap-tx-limit=5000000 interface=wlan3 vlan-id=6
/ip address
add address=192.168.111.54/24 interface=ether1-HP network=192.168.111.0 <-------- Does it matter if this point to ether1 or to vlan1, is it the same?
add address=10.100.100.2/24 interface=vlan10-DMZ network=10.100.100.0 <-------- Not interesting for the moment
add address=192.168.114.1/24 interface=vlan4-GUEST network=192.168.114.0 <-------- Not interesting for the moment
add address=192.168.115.1/24 interface=vlan5-IoT network=192.168.115.0 <-------- Not interesting for the moment
add address=192.168.116.1/24 interface=vlan6-NONE network=192.168.116.0 <-------- It's vlan 6 and vlan 1 I play with for the moment
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1-WAN
/ip dhcp-server network
add address=192.168.114.0/24 dns-server=8.8.8.8,1.1.1.1 domain=guest.local gateway=192.168.114.1 netmask=24 <-------- Not interesting for the moment
add address=192.168.116.0/24 dns-server=192.168.116.1 domain=lost.local gateway=192.168.116.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.111.54 name=router.lan
/ip firewall filter <-------- Don't care about filter for the moment if it's not an issue for wlan3&4 to vlan 6 DHCP bridge traffic
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=webadmin disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes
/system clock
set time-zone-name=Europe/Stockholm
/system logging
add topics=dhcp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=vlan10.pcap filter-interface=ether3-NAS

Nice router! I don't understand why you have DHCP from a device on your LAN. The router can handle that just fine. Non-standard things (okay, non-standard for home use) freak me out because I don't have any IT training LOL. So this is what I call the blind leading the blind. No, you are probably brilliant, but it takes time to master these things.

(1) Remove these, not required
/interface bridge filter
add action=drop chain=forward in-interface=wlan3 <-------- Should this really be here?
add action=drop chain=forward out-interface=wlan3 <-------- Should this really be here?
add action=drop chain=forward in-interface=wlan4 <-------- Should this really be here?
add action=drop chain=forward out-interface=wlan4 <-------- Should this really be here?

(2) Yes, wifi on the bridge port should have the settings you put in the right place for ingress filtering, and the fact that the WLANs act as access ports (the wifi devices' traffic needs to be tagged with the PVID incoming)!!
add bridge=bridge-LANs interface=wlan1 (also here, when you decide what you are using for vlan; I had it like this but I changed to a separate vlan and NOT using vlan1)
add bridge=bridge-LANs interface=wlan2 (also here, when you decide what you are using for vlan; same same, the link example I gave you does not use vlan1)
add bridge=bridge-LANs interface=ether1-HP
add bridge=bridge-LANs ingress-filtering=yes interface=wlan3 pvid=6 … excellent
add bridge=bridge-LANs ingress-filtering=yes interface=wlan4 pvid=6 … excellent

(3) Remove this rule, it doesn't belong…
add bridge=bridge-LANs interface=LAN <-------- Isn’t this the same as ether1-5 above?

(4) BE CAREFUL with addresses for VLANS and Bridges…
/ip address
add address=192.168.111.54/24 interface=ether1-HP network=192.168.111.0 <-------- Does it matter if this point to ether1 or to vlan1, is it the same?
The reason I stay away from vlan1 is so that I do not use any dhcp for my bridge. Clean!!
The fact that you are dhcp from another device is what is preventing me from seeing this clearly ( A layer I find distracting and confusing).
So yes, you may have some issues with your IP address block, but I cannot figure it out.

(5) MISSING (mia) are the /interface bridge vlan settings
This is how you tell the router to handle egress of packets for example…
Typically one tags the bridge and any etherports that are trunk ports
Typically one untags any vlans that are access ports
Typically we do not mix vlanIDs per rule but can be done when appropriate.
Ensure you review the link I provided earlier for the example of wifi on the router (all in one unit).

(6) The last step by the way for your configuration, after we get the rest done properly is to go to your bridge setting and enable VLAN filtering.
Ensure you have SAFE MODE selected when doing this as sometimes it takes a few times for the router to make the change for some reason.

(7) Your Source NAT Masquerade rules should be done by the out-interface=specific wan interface (not out-interface-list or out-interface=wan).
Configure the one rule for the out-interface=sfp1-WAN, and another for out-interface=lte-backup

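As an added worked example (not the thread's own config, and not a quote of the reply above), here is what points (1) to (7) look like when typed into a RouterOS terminal on the hAP ac. Interface, VLAN, pool and DHCP server names are taken from Per's /export; the frame-types setting on the wireless access ports and the grouping of vlan4/5/10 into one table entry are assumptions, not something the thread states.

```routeros
# Added example for the hAP ac export in this thread (not the poster's or MikroTik's own config).
# Names (bridge-LANs, ether1-HP ... ether5-220V, wlan3, wlan4, vlan6-NONE, NoDHCP, sfp1-WAN,
# lte1-BACKUP) come from the posted /export; everything else is an assumption for illustration.
# Type these from a terminal with safe mode on (Ctrl+X): if vlan-filtering cuts off the session,
# the router rolls the changes back instead of leaving you locked out.

# (1) the bridge filter drop rules on wlan3/wlan4 are not needed once the VLAN table does the separation
/interface bridge filter
remove [find in-interface=wlan3]
remove [find out-interface=wlan3]
remove [find in-interface=wlan4]
remove [find out-interface=wlan4]

# (3) an interface list is not a bridge port; drop the stray "interface=LAN" entry
/interface bridge port
remove [find interface=LAN]

# (2) wlan3/wlan4 are access ports for VLAN 6: an untagged client frame is tagged with PVID 6 on
#     ingress, ingress-filtering drops frames for VLANs the port is not a member of, and
#     frame-types (assumed, optional) refuses frames that arrive already tagged from a client
set [find interface=wlan3] pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=wlan4] pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# (5) the missing VLAN table. VLAN 6 leaves tagged on the bridge itself (so vlan6-NONE and the
#     NoDHCP server attached to it see the clients) and tagged on ether1-5 as trunks; it leaves
#     untagged towards the wlan3/wlan4 clients, matching the "tagged on ether1-5, wlan3/4 access" picture.
/interface bridge vlan
add bridge=bridge-LANs vlan-ids=6 tagged=bridge-LANs,ether1-HP,ether2-AP,ether3-NAS,ether4-UPS,ether5-220V untagged=wlan3,wlan4
# same pattern for the other VLANs the picture lists as tagged on ether1-5 (no wireless access port yet);
# one entry with several vlan-ids is an assumed shortcut, one entry per VLAN is equivalent
add bridge=bridge-LANs vlan-ids=4,5,10 tagged=bridge-LANs,ether1-HP,ether2-AP,ether3-NAS,ether4-UPS,ether5-220V
# VLAN 1 needs no entry: ports left at the default pvid=1 (ether1-5, wlan1, wlan2) are untagged
# members of VLAN 1 through the dynamic entries RouterOS creates from each port's PVID

# (6) only now turn filtering on; until this point the table above has no effect on forwarding
/interface bridge
set bridge-LANs vlan-filtering=yes

# checks: the table should show vlan 6 with the expected members, the client MAC of a phone on
# the Nowhere SSID should show up in the host table with VID 6 on wlan3 or wlan4, and then a
# lease from NoDHCP; the "dhcp" logging topic from the export shows the DISCOVER/OFFER exchange
/interface bridge vlan print
/interface bridge host print where vid=6
/ip dhcp-server lease print where server=NoDHCP
/log print where topics~"dhcp"

# (7) one masquerade rule per WAN interface, as the reply recommends, replacing the list-based rule
#     (the export names the LTE interface lte1-BACKUP, so that name is used here)
/ip firewall nat
remove [find action=masquerade out-interface-list=WAN]
add chain=srcnat action=masquerade out-interface=sfp1-WAN ipsec-policy=out,none
add chain=srcnat action=masquerade out-interface=lte1-BACKUP ipsec-policy=out,none
```

Order matters: the VLAN table is built first and vlan-filtering is enabled last, because the moment filtering is on, any bridge port or VLAN missing from the table stops passing traffic, which is why the reply insists on safe mode for that step. The example leaves the wireless-side vlan-id settings on wlan3/wlan4 and in the access-list untouched; the bridge port PVID is what puts the client frames into VLAN 6 here.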