Hi all,
I’m setting up a new network in my home using Hap Ax2 routers to provide wired and wireless networking across four VLANs:
VLAN 11 - Main network for the family
VLAN 12 - Guest network
VLAN 13 - IOT network
VLAN 99 - Management network
If I connect to VLAN 11 or 99 everything is great (I haven’t tried this on 13 as it is not supposed to get to the WAN anyway), I can surf the web etc. with no issues. However, VLAN 12 cannot resolve any DNS entries. I can’t see anything getting caught in the firewall, and I think the bridging is set in the same manner for the VLANs. Looking at a capture of the VLAN 12 traffic I note that if the router responds it takes a long time to do it, and when it does the IP packet identifier is always zero - this is not the case on the other VLANs.
Can anyone see what’s going wrong in my configuration please?
# 2024-11-04 07:10:00 by RouterOS 7.16.1
# software id = 276N-QS8G
#
# model = C52iG-5HaxD2HaxD
# serial number = ****
/interface bridge
add admin-mac=78:9A:18:F0:6B:CB auto-mac=no comment=defconf fast-forward=no \
name=bridge vlan-filtering=yes
/interface vlan
add comment="VLAN 12" interface=bridge name=GuestVLAN vlan-id=12
add comment="VLAN 13" interface=bridge name=IOTVLAN vlan-id=13
add comment="VLAN 11" interface=bridge name=MainVLAN vlan-id=11
add comment="VLAN 99" interface=bridge name=ManagementVLAN vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name="2G AX"
add band=5ghz-ax disabled=no frequency=5260-5380 name="5G AX" \
skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi
set [ find default-name=wifi2 ] channel="2G AX" configuration.antenna-gain=0 \
.country="United Kingdom" .mode=ap .ssid=MikroTik-F06BCF disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi1 ] channel="5G AX" configuration.country=\
"United Kingdom" .mode=ap .ssid=MikroTik-F06BCF disabled=no mtu=1500 \
name=wifi_5 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
.ft-over-ds=yes
/interface wifi datapath
add bridge=bridge disabled=no name=Main vlan-id=11
add bridge=bridge disabled=no name=Guest vlan-id=12
add bridge=bridge disabled=no name=IOT vlan-id=13
add bridge=bridge disabled=no name=Manager vlan-id=99
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Main
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Guest
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=IOT
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Management
/interface wifi configuration
add channel="5G AX" country="United Kingdom" datapath=Main disabled=no mode=\
ap name=Main_5 security=Main ssid=ComingSoon
add channel="5G AX" country="United Kingdom" datapath=IOT disabled=no \
hide-ssid=yes mode=ap name=IOT_5 security=IOT ssid=Devices
add channel="5G AX" country="United Kingdom" datapath=Guest disabled=no mode=\
ap name=Guest_5 security=Guest ssid=MostWelcomeGuests
add channel="2G AX" country="United Kingdom" datapath=Manager disabled=no \
hide-ssid=yes name=Management security=Management \
security.authentication-types=wpa2-psk,wpa3-psk ssid=Manager
add channel="2G AX" country="United Kingdom" datapath=Main disabled=no mode=\
ap name=Main_2 security=Main ssid=ComingSoon
add channel="2G AX" country="United Kingdom" datapath=Guest disabled=no mode=\
ap name=Guest_2 security=Guest ssid=MostWelcomeGuests
add channel="2G AX" country="United Kingdom" datapath=IOT disabled=no \
hide-ssid=yes mode=ap name=IOT_2 security=IOT ssid=Devices
/interface wifi
add channel.frequency=5260-5380 configuration=Guest_2 configuration.mode=ap \
disabled=no mac-address=7A:9A:18:F0:6B:D1 master-interface=wifi2 name=\
Guest_2
add channel.frequency=5260-5380 configuration=Guest_5 configuration.mode=ap \
disabled=no mac-address=7A:9A:18:F0:6B:D3 master-interface=wifi_5 name=\
Guest_5
add channel.frequency=5260-5380 configuration=IOT_5 configuration.mode=ap \
datapath=IOT disabled=no mac-address=7A:9A:18:F0:6B:D0 master-interface=\
wifi2 name=IOT_2 security=IOT
add channel.frequency=5260-5380 configuration=IOT_5 configuration.mode=ap \
datapath=IOT disabled=no mac-address=7A:9A:18:F0:6B:D5 master-interface=\
wifi_5 name=IOT_5 security=IOT
add configuration=Main_2 configuration.mode=ap disabled=no mac-address=\
7A:9A:18:F0:6B:D2 master-interface=wifi2 name=Main_2
add configuration=Main_5 configuration.mode=ap datapath=Main disabled=no \
mac-address=7A:9A:18:F0:6B:CF master-interface=wifi_5 name=Main_5 \
security=Main
add configuration=Management configuration.mode=ap disabled=no mac-address=\
7A:9A:18:F0:6B:D4 master-interface=wifi2 name=Management
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=ManagementPool ranges=192.168.99.20-192.168.99.40
add name=MainPool ranges=192.168.11.20-192.168.11.255
add name=GuestPool ranges=192.168.12.20-192.168.12.255
add name=IOTPool ranges=172.16.0.10-172.16.1.255
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=MainPool interface=MainVLAN name=Main
add address-pool=GuestPool interface=GuestVLAN name=Guest
add address-pool=IOTPool interface=IOTVLAN name=IOT
add address-pool=ManagementPool interface=ManagementVLAN name=Management
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment="Downlink Port" interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi_5
add bridge=bridge comment="Management Port" interface=ether5 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=ether2,bridge untagged=ether5,Management vlan-ids=99
add bridge=bridge tagged=ether2,bridge untagged=ether3,ether4,Main_5,Main_2 \
vlan-ids=11
add bridge=bridge tagged=ether2,bridge untagged=Guest_5,Guest_2 vlan-ids=12
add bridge=bridge tagged=ether2,bridge untagged=IOT_5,IOT_2 vlan-ids=13
/interface detect-internet
set lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ManagementVLAN list=LAN
add interface=MainVLAN list=LAN
add interface=GuestVLAN list=LAN
add interface=ether2 list=LAN
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=ether2 \
package-path="" require-peer-certificate=yes upgrade-policy=\
require-same-version
/interface wifi provisioning
add action=none disabled=no master-configuration=Management supported-bands=\
2ghz-ax
/ip address
add address=192.168.99.1/24 interface=ManagementVLAN network=192.168.99.0
add address=192.168.11.1/24 interface=MainVLAN network=192.168.11.0
add address=192.168.12.1/24 interface=GuestVLAN network=192.168.12.0
add address=172.16.0.1 interface=IOTVLAN network=172.16.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.11.20 mac-address=E4:5F:01:DF:28:E5
/ip dhcp-server network
add address=172.16.0.0/23 comment=IOT gateway=172.16.0.1
add address=192.168.11.0/24 comment=Main gateway=192.168.11.1
add address=192.168.12.0/24 comment=Guest gateway=192.168.12.1
add address=192.168.99.0/24 comment=Management gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes mdns-repeat-ifaces=IOTVLAN,MainVLAN
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan type=A
/ip firewall address-list
add address=192.168.99.0/24 list=Management
add address=192.168.11.0/24 list=Main
add address=172.16.0.0/23 list=IOT
add address=192.168.12.0/24 list=Guest
add address=Main comment=Intra-VLAN list=IntraVLAN
add address=Guest comment=Intra-VLAN list=IntraVLAN
add address=IOT comment=Intra-VLAN list=IntraVLAN
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix="Drop Invalid Input: "
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix="Drop input not from LAN: "
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"defconf: fasttrack established, firewall works on new" connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment=\
"Drop packets from IOT network to the Internet" out-interface-list=WAN \
src-address-list=IOT
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix="Drop Invalid:"
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=reject chain=forward comment="Drop Intra-VLAN packets" \
dst-address-list=IntraVLAN reject-with=icmp-net-prohibited \
src-address-list=IntraVLAN
add action=drop chain=forward comment="Drop from normal VLANs to management" \
dst-address-list=Management src-address-list=IntraVLAN
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable, fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/London
/system identity
set name=MikroTikA
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-limit=2000KiB file-name=guestvlan.log filter-interface=GuestVLAN
