No Internet access using wlan1 & wlan2 for Guest Network

Can I get some insight into configuring guest networks using the wlan1 & wlan2 interfaces? I have no other need for the wireless networks, so my thought is to use the two wireless interfaces for guest networks.

I’m a newb to MikroTik. This is my first post outside the beginner forum. I’m using a RB4011iGS+5HacQ2HnD with an sfp S-RJ01 interfaced to the ISP. The MikroTik is running RouterOS 7.19.2. I am using WinBox to make configuration changes.

I have modified very little from the default configuration. I’ve added to the defconf an Offbridge interface “comment=offbridge build” (thanks @anav) and three DHCP servers “comment=subnet build” on ethernet interfaces ether7, ether8 & ether9. All the wired interfaces appear to be working (i.e. they provide access to the Internet). I did test the default wireless configuration to confirm it worked before removing it.

I have successfully configured the wlan1 & wlan2 interfaces for guest login “comment=guest wifi build”. Hosts connect and obtain an IP. The failure is no internet access.

I can see data traffic numbers on RX for the wlan1 interface (the only wireless interface I can test) and on the guest-bridge, but no TX data on either. I have focused my attention on the NAT rule, trying a number of configurations without success. I never see any bytes or packets counted on the rule.

The NAT rule in this file is the last one I tried. I’m thinking it is a rule-configuration problem, but that may be wrong.

# 2025-06-30 20:06:06 by RouterOS 7.19.2

#
# model = RB4011iGS+5HacQ2HnD

# NOTE(review): a plain /export normally omits sensitive values such as the
# wireless pre-shared key, so their absence below does not prove they are
# unset; confirm on the device rather than from this listing.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
add comment="subnet build" name="bridge 70"
add comment="subnet build" name="bridge 80"
add comment="subnet build" name="bridge 90"
# Guest SSIDs are bridged here; the bridge is kept out of the LAN interface
# list (see /interface list member below), which is what keeps guests away
# from the router's own services.
add comment="guest wifi build" name=guest-bridge
/interface wireless
# Neither radio names a security-profile, so both presumably use the
# "default" profile configured further down (WPA/WPA2-PSK).
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    comment="guest wifi build" country=canada disabled=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=Guest_RRS_2G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX comment="guest wifi build" country=canada disabled=no \
    distance=indoors frequency=auto mode=ap-bridge ssid=Guest_RRS_5G \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether10 ] comment="offbridge build" name=OFFBridge
/interface wireless manual-tx-power-table
set wlan1 comment="guest wifi build"
set wlan2 comment="guest wifi build"
/interface wireless nstreme
set wlan1 comment="guest wifi build"
set wlan2 comment="guest wifi build"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Shared by both guest radios; the pre-shared key itself is not shown here.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk comment=\
    "guest wifi build" mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment="guest wifi build" name=guest-pool ranges=\
    192.168.100.200-192.168.100.254
add comment="subnet build" name="pool 70" ranges=\
    192.168.70.200-192.168.70.254
add comment="subnet build" name="pool 80" ranges=\
    192.168.80.200-192.168.80.254
add comment="subnet build" name="pool 90" ranges=\
    192.168.90.200-192.168.90.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=guest-pool comment="guest wifi build" interface=guest-bridge \
    name=guest-server
add address-pool="pool 70" comment="subnet build" interface="bridge 70" name=\
    "server 70"
add address-pool="pool 80" comment="subnet build" interface="bridge 80" name=\
    "server 80"
add address-pool="pool 90" comment="subnet build" interface="bridge 90" name=\
    "server 90"
/port
set 0 name=serial0
set 1 name=serial1
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
# Media/SMB auto-sharing is bound to the LAN bridge (auto-media-interface).
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
# ether1 is a LAN port on this box (the ISP uplink is sfp-sfpplus1, see the
# WAN list below); it must not be cabled to the ISP.
add bridge=bridge interface=ether1
add bridge="bridge 70" comment="subnet build" interface=ether7
add bridge="bridge 80" comment="subnet build" interface=ether8
add bridge="bridge 90" comment="subnet build" interface=ether9
# Only the two guest radios sit on guest-bridge.
add bridge=guest-bridge comment="guest wifi build" interface=wlan1
add bridge=guest-bridge interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# guest-bridge is in neither list. Consequences:
#  - input chain: the "drop all not coming from LAN" rule blocks guest clients
#    from reaching the router itself (DNS on 192.168.100.1 included);
#  - forward chain: no rule below restricts guest-bridge, so guests can still
#    reach the 192.168.88/70/80/90 subnets unless a drop is added.
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add comment="offbridge build" interface=OFFBridge list=LAN
add comment="subnet build" interface="bridge 70" list=LAN
add comment="subnet build" interface="bridge 80" list=LAN
add comment="subnet build" interface="bridge 90" list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.69.1/30 comment="offbridge build" interface=OFFBridge \
    network=192.168.69.0
add address=192.168.100.1/24 comment="guest wifi build" interface=\
    guest-bridge network=192.168.100.0
add address=192.168.70.1/24 comment="subnet build" interface="bridge 70" \
    network=192.168.70.0
add address=192.168.80.1/24 comment="subnet build" interface="bridge 80" \
    network=192.168.80.0
add address=192.168.90.1/24 comment="subnet build" interface="bridge 90" \
    network=192.168.90.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.70.0/24 comment="subnet build" dns-server=192.168.70.1 \
    gateway=192.168.70.1
add address=192.168.80.0/24 comment="subnet build" dns-server=192.168.80.1 \
    gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.90.0/24 comment="subnet build" dns-server=192.168.90.1 \
    gateway=192.168.90.1
# Points guest clients at the router for DNS, but the input chain drops
# guest-bridge traffic (see /ip firewall filter), so guest lookups fail.
add address=192.168.100.0/24 comment="guest wifi build" dns-server=\
    192.168.100.1 gateway=192.168.100.1
/ip dns
# The router answers DNS on every interface; only the input-chain !LAN drop
# stops it from serving WAN (or guest) queries.
set allow-remote-requests=yes servers=149.112.120.20,149.112.121.20
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Also matches guest-bridge, since it is not in LAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Only traffic entering via WAN is restricted here; anything from the other
# bridges, guest-bridge included, falls through to the chain's default accept.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Redundant: sfp-sfpplus1 is in WAN, so the rule above already matches this
# subnet first; zero counters here are expected and not the cause of the outage.
add action=masquerade chain=srcnat comment="guest wifi build" out-interface=\
    sfp-sfpplus1 src-address=192.168.100.0/24
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Unlike the IPv4 forward rule this matches everything not from LAN, so IPv6
# forwarding from guest-bridge would be dropped here once IPv6 is enabled.
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-autodetect=no time-zone-name=America/Winnipeg
/system identity
set name=officerouter
/system leds
add interface=wlan1 leds="wlan1_signal1-led,wlan1_signal2-led,wlan1_signal3-le\
    d,wlan1_signal4-led,wlan1_signal5-led" type=wireless-signal-strength
add interface=wlan1 leds=wlan1_tx-led type=interface-transmit
add interface=wlan1 leds=wlan1_rx-led type=interface-receive
/tool graphing interface
add interface=bridge
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Currently your guest-bridge is not part of the LAN interface list, but your router’s firewall is set to drop everything not coming from that interface list on the input chain.

The DHCP server for guest-bridge, however, specifies that the router should be the DNS server of the subnet. As a result of all of the above, the clients on guest-bridge cannot resolve DNS.

You can either add an exception in the input chain for in-interface=guest-bridge on UDP and TCP port 53, so that DNS works for the guest clients, or modify the DHCP server network entry for that subnet to point the clients to 8.8.8.8 or 1.1.1.1 as dns-server.

Or put guest-bridge in the interface list LAN but that’s probably not what you want.

Also note that the default IPv6 firewall only allows forwarding for in-interface-list=LAN. If you also plan to use IPv6 on guest-bridge, don’t forget to change the IPv6 firewall filters to also allow forwarding from guest-bridge to WAN.

This extra NAT rule is not needed (it is already covered by the default masquerade rule above it):

/ip firewall nat
# Quoted from the posted config: redundant, because the defconf masquerade
# rule (out-interface-list=WAN) already matches 192.168.100.0/24 leaving via
# sfp-sfpplus1, so this rule never sees a packet.
add action=masquerade chain=srcnat comment="guest wifi build" out-interface=\
    sfp-sfpplus1 src-address=192.168.100.0/24

Thank you for the response. I will review your suggestions and reply.

I’ve made a change to the guest wifi build DHCP server network, providing specific DNS IPs instead of the gateway. IT WORKS!

I was oh so close. During my quest for a resolution I dabbled in DNS, but only on the host. My test was to get results from `dig -x`. Now that I know the problem, that was bound to fail because it would resolve via the gateway.

I’m wondering whether it would have worked if I had specified a DNS server in the dig that wasn’t the gateway. I have other problems to resolve; that will have to wait.

I made an IPv6 firewall rule entry for the scenario I think you are pointing out. Did I get it right? I’m not using IPv6, so I can’t test it. I didn’t want to leave the issue for someone else to resolve.

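# 2025-07-01 07:38:18 by RouterOS 7.19.2

# NOTE(review): a plain /export normally omits sensitive values such as the
# wireless pre-shared key, so their absence below does not prove they are
# unset; confirm on the device rather than from this listing.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
add comment="subnet build" name="bridge 70"
add comment="subnet build" name="bridge 80"
add comment="subnet build" name="bridge 90"
# Guest SSIDs are bridged here; the bridge is kept out of the LAN interface
# list (see /interface list member below), which is what keeps guests away
# from the router's own services.
add comment="guest wifi build" name=guest-bridge
/interface wireless
# Neither radio names a security-profile, so both presumably use the
# "default" profile configured further down (WPA/WPA2-PSK).
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    comment="guest wifi build" country=canada disabled=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=Guest_RRS_2G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX comment="guest wifi build" country=canada disabled=no \
    distance=indoors frequency=auto mode=ap-bridge ssid=Guest_RRS_5G \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether10 ] comment="offbridge build" name=OFFBridge
/interface wireless manual-tx-power-table
set wlan1 comment="guest wifi build"
set wlan2 comment="guest wifi build"
/interface wireless nstreme
set wlan1 comment="guest wifi build"
set wlan2 comment="guest wifi build"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Shared by both guest radios; the pre-shared key itself is not shown here.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk comment=\
    "guest wifi build" mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment="guest wifi build" name=guest-pool ranges=\
    192.168.100.200-192.168.100.254
add comment="subnet build" name="pool 70" ranges=\
    192.168.70.200-192.168.70.254
add comment="subnet build" name="pool 80" ranges=\
    192.168.80.200-192.168.80.254
add comment="subnet build" name="pool 90" ranges=\
    192.168.90.200-192.168.90.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=guest-pool comment="guest wifi build" interface=guest-bridge \
    name=guest-server
add address-pool="pool 70" comment="subnet build" interface="bridge 70" name=\
    "server 70"
add address-pool="pool 80" comment="subnet build" interface="bridge 80" name=\
    "server 80"
add address-pool="pool 90" comment="subnet build" interface="bridge 90" name=\
    "server 90"
/port
set 0 name=serial0
set 1 name=serial1
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
# Media/SMB auto-sharing is bound to the LAN bridge (auto-media-interface).
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
# ether1 is a LAN port on this box (the ISP uplink is sfp-sfpplus1, see the
# WAN list below); it must not be cabled to the ISP.
add bridge=bridge interface=ether1
add bridge="bridge 70" comment="subnet build" interface=ether7
add bridge="bridge 80" comment="subnet build" interface=ether8
add bridge="bridge 90" comment="subnet build" interface=ether9
# Only the two guest radios sit on guest-bridge.
add bridge=guest-bridge comment="guest wifi build" interface=wlan1
add bridge=guest-bridge interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# guest-bridge is in neither list. Consequences:
#  - input chain: the "drop all not coming from LAN" rule blocks guest clients
#    from reaching the router itself, which is why guest DNS now goes to the
#    public servers directly (see /ip dhcp-server network);
#  - forward chain: no IPv4 rule below restricts guest-bridge, so guests can
#    still reach the 192.168.88/70/80/90 subnets unless a drop is added.
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add comment="offbridge build" interface=OFFBridge list=LAN
add comment="subnet build" interface="bridge 70" list=LAN
add comment="subnet build" interface="bridge 80" list=LAN
add comment="subnet build" interface="bridge 90" list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.69.1/30 comment="offbridge build" interface=OFFBridge \
    network=192.168.69.0
add address=192.168.100.1/24 comment="guest wifi build" interface=\
    guest-bridge network=192.168.100.0
add address=192.168.70.1/24 comment="subnet build" interface="bridge 70" \
    network=192.168.70.0
add address=192.168.80.1/24 comment="subnet build" interface="bridge 80" \
    network=192.168.80.0
add address=192.168.90.1/24 comment="subnet build" interface="bridge 90" \
    network=192.168.90.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.70.0/24 comment="subnet build" dns-server=192.168.70.1 \
    gateway=192.168.70.1
add address=192.168.80.0/24 comment="subnet build" dns-server=192.168.80.1 \
    gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.90.0/24 comment="subnet build" dns-server=192.168.90.1 \
    gateway=192.168.90.1
# Guest clients resolve via the public servers directly, bypassing the
# router's resolver, which the input-chain !LAN drop makes unreachable to them.
add address=192.168.100.0/24 comment="guest wifi build" dns-server=\
    149.112.120.20,149.112.121.20 gateway=192.168.100.1
/ip dns
# The router answers DNS on every interface; only the input-chain !LAN drop
# stops it from serving WAN (or guest) queries.
set allow-remote-requests=yes servers=149.112.120.20,149.112.121.20
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Also matches guest-bridge, since it is not in LAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Only traffic entering via WAN is restricted here; anything from the other
# bridges, guest-bridge included, falls through to the chain's default accept.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# The earlier per-subnet guest masquerade rule has been removed; this defconf
# rule already covers 192.168.100.0/24 because sfp-sfpplus1 is in WAN.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Unlike the IPv4 forward rule this matches everything not from LAN, so IPv6
# forwarding from guest-bridge is dropped here once IPv6 is enabled.
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# Misplaced and redundant: the "!LAN" drop directly above already discards
# everything from WAN (and from guest-bridge), so this rule is never reached.
# It also does nothing to allow guest forwarding; what is needed is an accept
# for in-interface=guest-bridge out-interface-list=WAN placed ABOVE that drop.
add action=drop chain=forward comment=\
    "guest wifi build: drop all from WAN not DSTNATed" in-interface-list=WAN
/system clock
set time-zone-autodetect=no time-zone-name=America/Winnipeg
/system identity
set name=officerouter
/system leds
add interface=wlan1 leds="wlan1_signal1-led,wlan1_signal2-led,wlan1_signal3-le\
    d,wlan1_signal4-led,wlan1_signal5-led" type=wireless-signal-strength
add interface=wlan1 leds=wlan1_tx-led type=interface-transmit
add interface=wlan1 leds=wlan1_rx-led type=interface-receive
/tool graphing interface
add interface=bridge
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN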

The IPv6 rule you added is not quite right. Let’s look at the default defconf firewall rules first:

  • For forwarding IPv4, the defconf firewall blocks incoming connections that enter through an interface in the WAN list:
/ip firewall filter
# IPv4 forward drop: only new connections arriving from a WAN-list interface
# that were not dstnat'ed are dropped; guest-bridge is not in WAN, so its
# traffic is unaffected by this rule.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

That’s why you don’t have to do anything special for the clients on the guest-bridge interface. Because guest-bridge is not a member of WAN, connection attempts from guest-bridge to other destinations (including WAN) will be forwarded normally and not blocked.

You also see that the defconf drop rule has an exception for connections that have been changed by dstnat; that’s why, when you do port forwarding (using dstnat), you don’t need to add exemptions to allow connections from the internet (WAN) for those forwarded ports.

  • For IPv6, NAT is usually not used (no srcnat masquerade, and no port forwarding with dstnat), so the defconf rule that is meant to block incoming connections from the internet has no connection-nat-state exception. However, instead of matching on in-interface-list=WAN like the IPv4 rule, MikroTik decided to use in-interface-list=!LAN for the drop rule:
/ipv6 firewall filter
# IPv6 forward drop: matches any interface that is not in LAN, so guest-bridge
# (not a LAN member) is dropped here as well, not just WAN.
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN

so the rule actually drops forwarding for anything not coming from one of the interfaces in the LAN interface list.

Which means that if one day you decide to enable IPv6 in your network, clients on the guest-bridge interface will not be able to access the internet, because guest-bridge is not a member of the interface list LAN, so forwarding will be prevented.

The rule that I suggested to add could be something like:

/ipv6 firewall filter
# Must sit above the "defconf: drop everything else not coming from LAN"
# forward rule. It allows guest-bridge -> WAN only; guest-bridge -> LAN
# subnets still reaches that drop.
add action=accept chain=forward in-interface=guest-bridge out-interface-list=WAN

This rule needs to be moved above the “defconf: drop everything else not coming from LAN” rule, and will explicitly allow forwarding from guest-bridge to WAN.

Your response was spot on! Thank you for taking the time to share your insight. I explored IPv6 ten years ago, and it has been longer than that since I have worked closely with filter rules. The knowledge of iptables has long faded from my memory. I gave up maintaining my own firewall at home when I could purchase a router for less than $50.

Isolating the guest wifi was important. Integrating the wifi requirement into the configuration has come with challenges. I much appreciate a person with your knowledge sharing it.

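# Final IPv6 filter chain after applying the suggested guest accept rule.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Still matches guest-bridge (not in LAN): guest clients cannot reach the
# router itself over IPv6 beyond what the ICMPv6 accept above allows.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Placed above the "!LAN" drop so guest-bridge can forward to WAN over IPv6.
# It allows guest -> WAN only: guest -> LAN-subnet forwarding still hits the
# drop below, which is stricter than the IPv4 forward chain (no such drop there).
add action=accept chain=forward comment="guest wifi build" in-interface=guest-bridge out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN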