No internet connection on vlan / virtual wan

I have spent the last few days searching for an answer and finally breaking down and posting for help.

I have created a virtual wan, wlan3 / SprocketStudios, and a vlan for it with the intention of later setting up firewall rules to cordon this vlan off from everything else. I can connect to wlan3 and get an ip from the vlan dhcp server (192.168.100.1), but there is no internet access. Devices connected to the other two wlans have internet just fine.

Right now the devices connected to the ethernet ports and wlan1 / wlan2 are getting their IP addresses from another router upstream (192.168.88.1), and I suspect that the issue is related to NAT but I don’t understand it well enough to be able to fix it.

/interface bridge
add admin-mac=DC:2C:6E:16:EB:61 auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no mode=ap-bridge ssid=106Gay-Tenants wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=DE:2C:6E:16:EB:67 master-interface=wlan2 multicast-buffering=disabled name=wlan3 ssid=SprocketStudios vlan-id=100 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add comment="Trusted Sprocket Studios" interface=wlan3 name=vlanSprocket vlan-id=100
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=iot-devices supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] country="united states" disabled=no mode=ap-bridge security-profile=iot-devices ssid=106Gay-Utils vlan-id=200 vlan-mode=use-tag wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=poolSprocket ranges=192.168.100.20-192.168.100.254
/ip dhcp-server
add address-pool=poolSprocket disabled=no interface=vlanSprocket name=dhcpSprocket
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2 trusted=yes
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=sfp1
add bridge=bridgeLocal interface=wlan2
add bridge=bridgeLocal interface=wlan1
add bridge=bridgeLocal interface=wlan3
/interface list member
add interface=ether1 list=WAN
add interface=bridgeLocal list=LAN
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=bridgeLocal interfaces=wlan1,wlan2
/ip address
add address=192.168.84.1/24 interface=ether2 network=192.168.84.0
add address=192.168.100.1/24 interface=vlanSprocket network=192.168.100.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
/ip dhcp-relay
add dhcp-server=192.168.88.1 disabled=no interface=bridgeLocal name=relay1
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=192.168.100.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=America/New_York

If the upstream router doesn't have a route to your 192.168.100.0/24, you need NAT. You have a masquerade rule, but it only works for out-interface-list=WAN. And it won't work, because the WAN interface list contains only ether1, but since ether1 is a member of bridgeLocal, the actual outgoing interface, as seen by the IP firewall (and NAT), is bridgeLocal. So either add that to the WAN interface list, or use a different rule, e.g.:

/ip firewall nat
add chain=srcnat src-address=192.168.100.0/24 action=masquerade

Thank you! Adding that NAT rule to the firewall did it.

Just so I understand, for the first option you mentioned I’d need to add bridgeLocal to the WAN interface list, is that correct?

We’ve got an annoyingly complicated setup due to the combination of limited wiring (only one ethernet cable between first and third floor) and some IoT devices that get incredibly cranky if they’re not all on the same subnet.

Yes, adding bridgeLocal to the WAN interface list would work with your original:

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Thanks! I really appreciate the help.

Last question (probably) - if I wanted to instead set up a route on router A to 192.168.100.0/24, what's the gateway for that? I thought it would be 192.168.100.1 but it's coming up as unreachable. Do I need a firewall rule to accept traffic through those IPs?

Just in case it wasn't intentional:
/ip address
add address=192.168.84.1/24 interface=ether2 network=192.168.84.0

Should normally be the bridge!!

Gateway on upstream router to 192.168.100.0/24 would be either 192.168.84.1 or whatever address DHCP client gets.
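
The two replies above point at the same class of mistake: the bridge, not its member port, is what the IP firewall and `/ip address` should refer to. As an added example (not code from the thread or from MikroTik), here is a small linter for an un-wrapped RouterOS export that flags both a srcnat rule whose `out-interface-list` holds only bridge ports (so the firewall, which sees bridgeLocal as the outgoing interface, never matches it) and an address placed on a bridge port such as ether2. The sample export is constructed from the poster's lines; `FIX_LIST_MEMBER` and the `src-address` variant show that either of the two fixes offered above clears the NAT finding.

```python
"""Added example, not from the thread or MikroTik: lint a RouterOS export for
(1) srcnat masquerade rules that can never match because their interface list
    holds only bridge ports, and
(2) /ip address entries placed on a bridge port instead of the bridge.
Assumes the export has been un-wrapped so each add/set command is one line.
"""
import re
import shlex

# Constructed sample: the relevant lines of the poster's export, un-wrapped.
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=DC:2C:6E:16:EB:61 auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no mode=ap-bridge
/interface vlan
add comment="Trusted Sprocket Studios" interface=wlan3 name=vlanSprocket vlan-id=100
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2 trusted=yes
add bridge=bridgeLocal interface=wlan3
/interface list member
add interface=ether1 list=WAN
add interface=bridgeLocal list=LAN
/ip address
add address=192.168.84.1/24 interface=ether2 network=192.168.84.0
add address=192.168.100.1/24 interface=vlanSprocket network=192.168.100.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
"""

# The first fix suggested in the thread: put the bridge itself in the WAN list.
FIX_LIST_MEMBER = "/interface list member\nadd interface=bridgeLocal list=WAN\n"


def parse_export(text):
    """Return (section, verb, {key: value}) for each add/set line of an export."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):              # section header, e.g. /ip firewall nat
            section = line
            continue
        line = re.sub(r"\[.*?\]", "", line)   # drop "[ find ... ]" selectors
        words = shlex.split(line)             # honours quoted values
        args = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        entries.append((section, words[0], args))
    return entries


def bridge_ports(entries):
    """Map each bridge-port interface name to the bridge it belongs to."""
    return {a["interface"]: a["bridge"]
            for s, _, a in entries if s == "/interface bridge port"}


def list_members(entries):
    """Map each interface-list name to the set of interfaces in it."""
    lists = {}
    for s, _, a in entries:
        if s == "/interface list member":
            lists.setdefault(a["list"], set()).add(a["interface"])
    return lists


def check_masquerade(entries):
    """Return one finding per srcnat rule whose outgoing interface can never match."""
    ports, lists, findings = bridge_ports(entries), list_members(entries), []
    for s, _, a in entries:
        if s != "/ip firewall nat" or a.get("chain") != "srcnat":
            continue
        if "out-interface-list" in a:
            lst = a["out-interface-list"]
            names = lists.get(lst, set())
            seen = {ports.get(n, n) for n in names}   # what the firewall actually sees
            if names and not (names & seen):
                findings.append(
                    f"srcnat rule matches list {lst}={sorted(names)}, but the "
                    f"firewall sees {sorted(seen)}: add {sorted(seen)} to {lst} "
                    f"or match on src-address instead")
        elif a.get("out-interface") in ports:
            n = a["out-interface"]
            findings.append(
                f"srcnat rule matches out-interface={n}, a port of {ports[n]}: "
                f"the firewall sees {ports[n]}")
    return findings


def check_addresses(entries):
    """Return one finding per /ip address placed on a bridge port, not the bridge."""
    ports = bridge_ports(entries)
    return [f"{a['address']} is on {a['interface']}, a port of "
            f"{ports[a['interface']]}: put it on the bridge instead"
            for s, _, a in entries
            if s == "/ip address" and a.get("interface") in ports]


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for finding in check_masquerade(entries) + check_addresses(entries):
        print("finding:", finding)
```

Run it against a full `/export` after joining the wrapped continuation lines; it only knows about direct list members (not lists that include other lists via `include=`), which is enough for the layout in this thread.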

Works perfectly now, thanks! A couple days after my original post we had a new tenant on the floor who wanted her own wired VLAN, firewalled off from everything, so I repeated the steps, added a firewall rule, and we’re good to go. Thank you!