Hello, I have a 3011UiAS with CAT6 connections to several hAP AC2 (D52G-5HacD2HnD-TC). My 3011UiAS seems to be working well, except that I could clean up my overall configuration a little. For example, I have firewall rules that I am not using (they are disabled) and should probably delete altogether. In addition, at some point I tried to configure CAPsMAN, but was unsuccessful, and some of those settings are still lingering around. In turn, my various hAP AC2 are set up as APs and are working well for the main WiFi network, but the guest WiFi network does not have internet access at all. I've been scrambling to figure out what the issue is with the guest WiFi, to no avail. You'll note that I also have some firewall rules there that I am not using (they're disabled) and should probably delete too. I am enclosing both configurations below and would be immensely grateful if anyone could point me in the right direction so that both my main WiFi network and my guest WiFi network work properly. Also, feel free to suggest which settings you think are unnecessary so I can clean up my configurations. Clearly, both are quite cluttered. Thanks in advance for all the help!
model = RouterBOARD 3011UiAS
serial number = [HIDDEN]
# ---- RB3011UiAS export, with review notes ----
# NOTE(review): the curly quotes (“ ”) throughout are a forum paste artifact;
# RouterOS expects straight quotes if any of these lines are ever re-imported.
# Commands that wrapped onto a second line (the dst-nat and NTP src-nat rules)
# are single commands.
#
# Leftover CAPsMAN objects: channels, security profiles, configurations and the
# manager certificate settings. No /caps-man provisioning rules or CAP interfaces
# appear in this export, and the hAP ac2 run their wlan interfaces standalone
# (mode=ap-bridge in their own export), so none of this is in use. It can all be
# removed as part of the clean-up.
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2462 name=channel11
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2437 name=channel6
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2422 name=channel3
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2452 name=channel9
add band=5ghz-a/n/ac control-channel-width=40mhz-turbo frequency=5190 name=channel38
add band=5ghz-a/n/ac control-channel-width=40mhz-turbo frequency=5230 name=channel46
add band=5ghz-a/n/ac control-channel-width=40mhz-turbo frequency=5755 name=channel151
add band=5ghz-a/n/ac control-channel-width=40mhz-turbo frequency=5795 name=channel159
/interface bridge
add admin-mac=[HIDDEN] auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ]
# speed=100Mbps is set on ether2-ether10. With auto-negotiation left on (not
# disabled anywhere here) this setting has no effect, but on CAT6 uplinks to
# gigabit APs it is unlikely to be intended either way — confirm and remove it
# so the ports negotiate 1000M.
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6-master ] name=ether6-master speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/caps-man security
# Unused (see CAPsMAN note at the top). If these profiles are ever reused, drop
# wpa-psk and tkip: WPA(1) and TKIP are deprecated and weaken the network to the
# least secure client; keep wpa2-psk with aes-ccm only.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=[HIDDEN]
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=[HIDDEN]
/caps-man configuration
# Unused (see CAPsMAN note). Note the 5GHz guest entry has ssid=" Guests" with a
# leading space, which would broadcast as a different network name than the
# 2GHz "Guests".
add channel=channel11 country=“united states” mode=ap name=2GHz security=[HIDDEN] ssid=2GHz
add channel=channel151 country=“united states” mode=ap name=5GHz security=[HIDDEN] ssid=5GHz
add channel=channel9 country=“united states” mode=ap name=“Guests-2GHz” security=“Guests” ssid=“Guests”
add channel=channel46 country=“united states” mode=ap name=“Guests-5GHz” security=“Guests” ssid=" Guests"
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.134-192.168.88.254
/ip dhcp-server
# The only DHCP server that should serve 192.168.88.0/24; the hAP ac2 export
# also defines a "defconf" DHCP server on its bridge with an overlapping pool
# (.10-.254), which must stay disabled or be removed.
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager
# Unused (see CAPsMAN note); no enabled=yes appears here, so the manager is off.
set ca-certificate=auto certificate=auto
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
# ether1 (WAN) is deliberately absent from discover, mactel and mac-winbox, so
# neighbor discovery and MAC-level management are LAN-only — keep it that way.
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/ip address
add address=192.168.88.7/24 comment=defconf interface=bridge network=192.168.88.0
/ip arp
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
# domain= is the DNS search suffix handed to clients, not a second resolver;
# 8.8.4.4 was almost certainly meant for dns-server=. Since this router resolves
# DNS itself (allow-remote-requests=yes below), handing out only 192.168.88.7
# is the usual choice, e.g.:
#   add address=192.168.88.0/24 dns-server=192.168.88.7 gateway=192.168.88.7 netmask=24
# The second entry is a /32 on the router's own address; it matches no client
# and can be removed.
add address=192.168.88.0/24 dns-server=8.8.8.8 domain=8.8.4.4 gateway=192.168.88.7 netmask=24
add address=192.168.88.7/32 comment=defconf dns-server=8.8.8.8 domain=8.8.4.4 gateway=192.168.88.7 netmask=24
/ip dns
# The server list includes this router's own address (192.168.88.7), which just
# points the resolver back at itself — remove it and keep the upstream servers.
# allow-remote-requests=yes is only safe because the input chain below drops
# everything arriving on ether1; keep that rule as long as this stays enabled.
set allow-remote-requests=yes servers=192.168.88.7,8.8.8.8,8.8.4.4,159.148.172.226
/ip dns static
add address=192.168.88.7 name=router
/ip firewall filter
# Default-style IPv4 filter: LAN is trusted, everything from ether1 (WAN) is
# dropped in input, and only DST-NATed new connections are forwarded from WAN.
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept established,related” connection-state=established,related
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related” connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=input comment=“defconf: drop all from WAN” in-interface=ether1
/ip firewall nat
# There is no /ip route entry on this router for the guest subnet 10.10.10.0/24
# that the hAP ac2 use, so replies to guest clients have no path back here. With
# several APs all using the same 10.10.10.0/24, a static route cannot point at
# all of them; the practical fix is for each AP to masquerade guest traffic
# behind its own 192.168.88.x address (see the hAP ac2 NAT section).
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interface=ether1
# The four "Verizon FIOS Service" dst-nat rules are disabled. The first forwards
# to 127.0.0.1 with to-ports=0-65535, which can never be useful. All four can be
# deleted.
add action=dst-nat chain=dstnat comment=“Verizon FIOS Service” disabled=yes dst-address=[HIDDEN] dst-port=4567 in-interface=ether1 protocol=tcp
to-addresses=127.0.0.1 to-ports=0-65535
add action=dst-nat chain=dstnat comment=“Verizon FIOS Service” disabled=yes dst-address=[HIDDEN] dst-port=63145 in-interface=ether1 protocol=udp
to-addresses=192.168.88.101 to-ports=63145
add action=dst-nat chain=dstnat comment=“Verizon FIOS Service” disabled=yes dst-address=[HIDDEN] dst-port=35000 in-interface=ether1 protocol=tcp
to-addresses=192.168.88.102 to-ports=8082
add action=dst-nat chain=dstnat comment=“Verizon FIOS Service” disabled=yes dst-address=[HIDDEN] dst-port=63146 in-interface=ether1 protocol=udp
to-addresses=192.168.88.102 to-ports=63145
# The NTP src-nat rules below are enabled and look like remnants. The first has
# no interface or source match and rewrites the source of every UDP/123 packet
# leaving this router to 192.168.88.1 — an address this router does not own
# (its only address is .7) — which breaks the replies. The others target AP
# requests that are addressed to this router itself, which never traverse the
# srcnat chain. The APs already point their NTP client at 192.168.88.7 and the
# NTP server below is enabled, so no NAT is needed: remove all four. (The last
# one also reads "NPT" and carries a meaningless dst-address=0.0.0.0.)
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=192.168.88.1
add action=src-nat chain=srcnat comment=“NTP interface ether2” protocol=udp src-address=192.168.88.111 src-port=123 to-addresses=192.168.88.7
add action=src-nat chain=srcnat comment=“NTP interface ether2” protocol=udp src-address=192.168.88.112 src-port=123 to-addresses=192.168.88.7
add action=src-nat chain=srcnat comment=“NPT interface ether2” dst-address=0.0.0.0 protocol=udp src-address=192.168.88.113 src-port=123 to-addresses=
192.168.88.7
/ip service
# telnet, ftp, www, ssh, api and api-ssl are all disabled, leaving WinBox as the
# management path. Consider restricting whatever remains enabled to the LAN
# subnet with address=192.168.88.0/24.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes permits SSH sessions with no encryption at all; set it
# to no. forwarding-enabled=remote allows SSH remote port forwarding; set to no
# unless it is really used. The SSH service is disabled above, but fix both
# before it is ever re-enabled.
set allow-none-crypto=yes forwarding-enabled=remote
/ipv6 firewall address-list
# Stock defconf IPv6 bogon list; fine to keep.
add address=::/128 comment=“defconf: unspecified address” list=bad_ipv6
add address=::1/128 comment=“defconf: lo” list=bad_ipv6
add address=fec0::/10 comment=“defconf: site-local” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: ORCHID” list=bad_ipv6
add address=3ffe::/16 comment=“defconf: 6bone” list=bad_ipv6
add address=::224.0.0.0/100 comment=“defconf: other” list=bad_ipv6
add address=::127.0.0.0/104 comment=“defconf: other” list=bad_ipv6
add address=::/104 comment=“defconf: other” list=bad_ipv6
add address=::255.0.0.0/104 comment=“defconf: other” list=bad_ipv6
/ipv6 firewall filter
# Stock defconf IPv6 filter, all enabled; keep as-is.
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMPv6” protocol=icmpv6
add action=accept chain=input comment=“defconf: accept UDP traceroute” port=33434-33534 protocol=udp
add action=accept chain=input comment=“defconf: accept DHCPv6-Client prefix delegation.” dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment=“defconf: accept IKE” dst-port=500,4500 protocol=udp
add action=accept chain=input comment=“defconf: accept ipsec AH” protocol=ipsec-ah
add action=accept chain=input comment=“defconf: accept ipsec ESP” protocol=ipsec-esp
add action=accept chain=input comment=“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=input comment=“defconf: drop everything else not coming from LAN” in-interface-list=WAN
add action=accept chain=forward comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop packets with bad src ipv6” src-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: drop packets with bad dst ipv6” dst-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: rfc4890 drop hop-limit=1” hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept ICMPv6” protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept HIP” protocol=139
add action=accept chain=forward comment=“defconf: accept IKE” dst-port=500,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” protocol=ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” protocol=ipsec-esp
add action=accept chain=forward comment=“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=forward comment=“defconf: drop everything else not coming from LAN” in-interface-list=WAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/lcd
set time-interval=daily
/system clock
set time-zone-name=America/New_York
/system identity
set name=[HIDDEN]
/system ntp client
# Both upstream NTP servers are hard-coded public IPs, which can silently go
# stale; a pool hostname is more robust if this RouterOS version supports it.
set enabled=yes primary-ntp=69.89.207.99 secondary-ntp=162.210.110.4
/system ntp server
# Serves time to the APs (their NTP client points at 192.168.88.7).
set enabled=yes manycast=no
/tool mac-server
# MAC-telnet and MAC-WinBox are limited to the bridge (LAN side only).
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
model = RouterBOARD D52G-5HacD2HnD-TC
serial number = [HIDDEN]
# ---- hAP ac2 export, with review notes ----
# NOTE(review): the curly quotes (“ ”) are a forum paste artifact; RouterOS
# expects straight quotes on import. Commands that wrapped onto a second line
# (wlan settings, virtual APs, some firewall rules) are single commands.
#
# Why the guest WiFi has no internet (details at the lines themselves):
#   1. The guest /ip dhcp-server network entry covers only 10.10.10.2/32 and
#      hands out 192.168.88.7 as gateway, which is not on the guest subnet.
#   2. The masquerade for 10.10.10.0/24 is disabled and matches the wrong
#      out-interface, so the 3011 never gets a usable return path.
#   3. The "Guest Users" address list starts at .10 while the pool starts at .2,
#      so some guests escape the guest rules entirely.
/interface bridge
add admin-mac=[HIDDEN] auto-mac=no comment=defconf name=bridge
# Separate L2 domain for guests; this AP routes between it and the main LAN.
add comment=“Guests Bridge” name=bridge-wlan-guests
/interface wireless
# Standalone AP configuration (mode=ap-bridge) — these interfaces are not managed
# by CAPsMAN, which confirms the CAPsMAN objects on the 3011 are unused.
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-Ce country=“united states” default-authentication=no disabled=no
distance=indoors frequency=2432 frequency-mode=manual-txpower mode=ap-bridge ssid=2GHz station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=“united states” default-authentication=no disabled=
no distance=indoors frequency-mode=manual-txpower mode=ap-bridge ssid=5GHz station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# The default profile is WPA2-only (good). The guests profile also allows
# wpa-psk (WPA1/TKIP); unless a legacy guest device needs it, use wpa2-psk only.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods=“” mode=dynamic-keys name=guests supplicant-identity=“”
/interface wireless
# Virtual guest APs on top of each radio; both are ports of bridge-wlan-guests.
add disabled=no mac-address=CE:[HIDDEN] master-interface=wlan1 name=wlan1-guests security-profile=guests ssid=“Guests” station-roaming=enabled
wps-mode=disabled
add disabled=no mac-address=[HIDDEN] master-interface=wlan2 name=wlan2-guests security-profile=guests ssid=“Guests” station-roaming=enabled
wps-mode=disabled
/ip hotspot profile
# Only the default hotspot profile's html-directory is set; no hotspot server is
# configured in this export, so this is harmless leftover.
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# Guest pool starts at .2; keep this in mind for the "Guest Users" address list.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=guests-dhcp ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
# The "defconf" server on bridge would compete with the 3011's DHCP server on
# the same 192.168.88.0/24 segment (pool .10-.254 here vs .134-.254 there). The
# export does not show its disabled state; check it and make sure only the 3011
# serves the main LAN (disable or remove this one).
add address-pool=default-dhcp interface=bridge name=defconf
# Guest DHCP server on the guest bridge — this is the one that must work.
add address-pool=guests-dhcp bootp-support=dynamic interface=bridge-wlan-guests name=wlan-guests
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge filter
# Disabled. These would drop frames bridged between the guest bridge's ports
# (wlan1-guests <-> wlan2-guests), i.e. guest client isolation at layer 2.
# They do not affect routed traffic, so they are unrelated to the internet
# problem; enable them (or remove them) once the intent is settled.
add action=drop chain=forward disabled=yes in-interface=wlan2-guests
add action=drop chain=forward disabled=yes out-interface=wlan2-guests
add action=drop chain=forward disabled=yes in-interface=wlan1-guests
add action=drop chain=forward disabled=yes out-interface=wlan1-guests
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge-wlan-guests interface=wlan2-guests
add bridge=bridge-wlan-guests interface=wlan1-guests
# ether1 is a bridge port here, so it must not carry its own IP address
# (see /ip address below).
add bridge=bridge comment=“Added to use WAN port as LAN port” interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
# wlan1-guests and wlan2-guests are members of LAN. Any rule that matches
# in-interface-list=LAN (the disabled defconf IPv6 rules below, for example)
# would treat guest clients as trusted. Give the guest interfaces their own
# list before re-enabling such rules.
add comment=“Added to use WAN port as LAN port” interface=ether1 list=LAN
add comment=defconf interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=LAN
add interface=wlan1-guests list=LAN
add interface=wlan2 list=LAN
add interface=wlan2-guests list=LAN
/interface wireless access-list
/ip address
# 192.168.88.111/24 is assigned to both ether1 and bridge. ether1 is a bridge
# port (see /interface bridge port), so an address on it is never used and only
# conflicts with the bridge address — remove the ether1 entry.
add address=192.168.88.111/24 comment=defconf interface=ether1 network=192.168.88.0
add address=192.168.88.111/24 interface=bridge network=192.168.88.0
# Guest-side address of this AP; this is the gateway (and resolver) guests must use.
add address=10.10.10.1/24 interface=bridge-wlan-guests network=10.10.10.0
/ip arp
# Static ARP entries for the 3011 and for this device's own address. Harmless,
# but they must be updated by hand if either MAC ever changes; optional clean-up.
add address=192.168.88.7 interface=bridge mac-address=[HIDDEN]
add address=192.168.88.111 interface=bridge mac-address=[HIDDEN]
/ip dhcp-client
# A DHCP client on bridge next to the static 192.168.88.111/24. If it is active
# (the export does not show its disabled state) the bridge picks up a second
# address and a second default route from the 3011; disable or remove it.
add comment=defconf interface=bridge
/ip dhcp-server network
# GUEST BUG 1: this entry covers a single host (10.10.10.2/32), so every other
# lease from the guests-dhcp pool (.2-.254) matches no network entry and gets
# no gateway or DNS. The gateway it does hand out, 192.168.88.7, is not on the
# guest subnet, and guest -> 192.168.88.0/24 is dropped in the forward chain
# below anyway. Guests must use this AP as gateway and resolver:
#   add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1 netmask=24
add address=10.10.10.2/32 dns-server=192.168.88.7,8.8.8.8,8.8.4.4,159.148.172.226 gateway=192.168.88.7 netmask=24
# Same /32 problem for the main LAN entry; only relevant if the "defconf" DHCP
# server above is active, which it should not be.
add address=192.168.88.111/32 comment=defconf dns-server=192.168.88.7,8.8.8.8,8.8.4.4,159.148.172.226 gateway=192.168.88.7 netmask=24
/ip dns
# allow-remote-requests=yes lets this AP resolve for guests on 10.10.10.1. Note
# the IPv4 input chain below has no rule limiting who may query; that is
# acceptable while only LAN and guest interfaces exist on this device.
set allow-remote-requests=yes servers=192.168.88.7,8.8.8.8,8.8.4.4,159.148.172.226
/ip dns static
add address=192.168.88.111 name=router.lan
/ip firewall address-list
# GUEST BUG 3: the guests-dhcp pool starts at 10.10.10.2, but this list starts
# at .10, so clients .2-.9 are matched by none of the "Guest Users" rules.
# Use address=10.10.10.0/24.
add address=10.10.10.10-10.10.10.254 list=“Guest Users”
/ip firewall filter
# Disabled defconf forward rules. This AP routes the guest subnet, so at least
# the "drop invalid" rule is worth re-enabling; fasttrack is optional here.
add action=accept chain=forward comment=“defconf: accept in ipsec policy” disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related disabled=yes
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid disabled=yes
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new disabled=yes
in-interface-list=WAN
# Keeps guests off this AP's management ports on its guest address (TCP only;
# DNS over UDP to 10.10.10.1 still works, which is what the fix above needs).
add action=drop chain=input comment=“Block Guests from Local Ports” dst-address=10.10.10.0/24 dst-port=80,21,22,23,8291 protocol=tcp src-address-list=
“Guest Users”
# Blocks guests from this AP's main-LAN address. Depends on the "Guest Users"
# list, which currently misses .2-.9.
add action=drop chain=input comment=“Block Guests from LAN Access” dst-address=192.168.88.0/24 src-address-list=“Guest Users”
# Guest-to-guest traffic on the same bridge is switched at layer 2 and does not
# reach the IP forward chain, so this rule most likely isolates nothing. The
# disabled bridge filters above (or default-forwarding=no on the guest wlans)
# are what would do that — verify before relying on this rule.
add action=reject chain=forward comment=“LAN Client Isolation” dst-address-list=“Guest Users” reject-with=icmp-network-unreachable src-address-list=
“Guest Users”
# Correct intent: no guest access to the main LAN. It also blocks guests from
# 192.168.88.7, so the gateway/DNS handed out to guests must be 10.10.10.1, not
# .7. Internet-bound traffic (any other destination) is not affected.
add action=drop chain=forward dst-address=192.168.88.0/24 src-address=10.10.10.0/24
/ip firewall nat
# The LAN->LAN masquerade is unnecessary; keep it disabled or remove it.
add action=masquerade chain=srcnat comment=“defconf: masquerade” disabled=yes ipsec-policy=out,none out-interface=bridge src-address=192.168.88.0/24
# GUEST BUG 2: guest traffic to the internet leaves this AP through `bridge`
# toward 192.168.88.7 (default route below), and the 3011 has no route back to
# 10.10.10.0/24. This rule is disabled and matches out-interface=bridge-wlan-guests
# (traffic going *into* the guest wlan), so it never fires. It must be enabled
# and face the main LAN:
#   add action=masquerade chain=srcnat out-interface=bridge src-address=10.10.10.0/24
# (With several APs all using 10.10.10.0/24, per-AP masquerade is the only
# option; a single static route on the 3011 could point at just one AP.)
add action=masquerade chain=srcnat disabled=yes out-interface=bridge-wlan-guests src-address=10.10.10.0/24
/ip route
# Default route via the 3011; guest traffic follows this after masquerading.
add distance=1 gateway=192.168.88.7
/ip service
# Same as the 3011: only WinBox remains. Consider address=192.168.88.0/24 on
# the enabled services so guests cannot even reach them on 10.10.10.1.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes permits unencrypted SSH sessions; set it to no, and set
# forwarding-enabled=no unless remote forwarding is really used. The service is
# disabled above, but fix this before it is ever re-enabled.
set allow-none-crypto=yes forwarding-enabled=remote
/ipv6 firewall address-list
# Stock defconf IPv6 bogon list; fine to keep.
add address=::/128 comment=“defconf: unspecified address” list=bad_ipv6
add address=::1/128 comment=“defconf: lo” list=bad_ipv6
add address=fec0::/10 comment=“defconf: site-local” list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=“defconf: ipv4-mapped” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
add address=100::/64 comment=“defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: ORCHID” list=bad_ipv6
add address=3ffe::/16 comment=“defconf: 6bone” list=bad_ipv6
add address=::224.0.0.0/100 comment=“defconf: other” list=bad_ipv6
add address=::127.0.0.0/104 comment=“defconf: other” list=bad_ipv6
add address=::/104 comment=“defconf: other” list=bad_ipv6
add address=::255.0.0.0/104 comment=“defconf: other” list=bad_ipv6
/ipv6 firewall filter
# Every IPv6 filter rule is disabled. No IPv6 addresses appear in this export,
# so nothing is exposed today, but re-enable these (with the guest wlans moved
# out of the LAN list) before enabling IPv6 on this device.
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid disabled=yes
add action=accept chain=input comment=“defconf: accept ICMPv6” disabled=yes protocol=icmpv6
add action=accept chain=input comment=“defconf: accept UDP traceroute” disabled=yes port=33434-33534 protocol=udp
add action=accept chain=input comment=“defconf: accept DHCPv6-Client prefix delegation.” disabled=yes dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment=“defconf: accept IKE” disabled=yes dst-port=500,4500 protocol=udp
add action=accept chain=input comment=“defconf: accept ipsec AH” disabled=yes protocol=ipsec-ah
add action=accept chain=input comment=“defconf: accept ipsec ESP” disabled=yes protocol=ipsec-esp
add action=accept chain=input comment=“defconf: accept all that matches ipsec policy” disabled=yes ipsec-policy=in,ipsec
add action=drop chain=input comment=“defconf: drop everything else not coming from LAN” disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid disabled=yes
add action=drop chain=forward comment=“defconf: drop packets with bad src ipv6” disabled=yes src-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: drop packets with bad dst ipv6” disabled=yes dst-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: rfc4890 drop hop-limit=1” disabled=yes hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept ICMPv6” disabled=yes protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept HIP” disabled=yes protocol=139
add action=accept chain=forward comment=“defconf: accept IKE” disabled=yes dst-port=500,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” disabled=yes protocol=ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” disabled=yes protocol=ipsec-esp
add action=accept chain=forward comment=“defconf: accept all that matches ipsec policy” disabled=yes ipsec-policy=in,ipsec
add action=drop chain=forward comment=“defconf: drop everything else not coming from LAN” disabled=yes in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=”[HIDDEN]"
/system ntp client
# Time comes from the 3011, whose NTP server is enabled.
set enabled=yes primary-ntp=192.168.88.7