RB 750G with multi SSID / VLAN EAP9550

New with Vlans, so bear with me. :slight_smile:

I need help configuring a RB750G (V4.11) for use with an EnGenius EAP9550 access point. This AP is configured for two separate SSIDs. I have the SSIDs mapped in the 9550 as Main → vlan #100, Guest → vlan #200. The 9550’s IP is 192.168.10.11 and is plugged into Eth5 of the 750.

On the 750, I have added two VLANs to Eth5. I gave eth5 an IP address of 192.168.10.1. I gave vlan1 (#100) an IP address of 192.168.10.100 and vlan2 (#200) an IP address of 192.168.10.200. I have my laptop configured for 192.168.10.55. When I connect my laptop wirelessly to either the main or guest SSID and try to ping the IP address assigned to eth5 or either vlan, I get no results. I cannot ping the AP’s address (10.11) from inside the 750.

If I connect my laptop to eth5 with an address of 10.66 via a cable and try to ping the above, I only get a successful ping from 10.1. If I try to ping my laptop from inside the router, I am unsuccessful.

I think I am setting this up correctly. I have attached a screen shot of what I think is the pertinent info. Any help would be appreciated.
(attachment: winbox_1.gif)

That isn’t how VLANs work. VLAN interfaces are basically logical interfaces for different networks, and each VLAN is its own broadcast domain. You now have overlapping IP space across three different broadcast domains, since the IPs you assigned to ether5 and the two VLAN interfaces are in the same network. Pretend that adding the two VLAN interfaces added two physical ports to your router that you can now plug cables into - which in a logical (not physical) way is exactly what happened.

Just like with different physical interfaces you need to pick different IP networks for the three logical interfaces. RouterOS lets you assign overlapping IP addresses, some other routers would refuse to do so in the first place.

The physical interface could be 192.168.10.1/24, VLAN 1 could be 192.168.100.1/24, and VLAN 2 could be 192.168.200.1/24. Then adjust all other IP addressing references in the configuration to match.

You also need to consider that 750Gs have a switch chip set that is enabled by default, and that needs to be off for ether5 to be a routed port. To turn it off set the master-port of ether5 to ‘none’.

Unfortunately screenshots are fairly bad at getting information across. If you require further help, please post the output of “/interface ethernet print detail”, “/ip address print detail”, “/ip route print detail”, “/ip pool export”, “/ip dhcp-server export”, and “/ip firewall export” and wrap the output in [code] tags when posting it so it is printed in a readable font.

FIXED!! I thought I had tried that very configuration last week with no success. One thing I did different this time was when I set the 750 back to factory defaults, I told it NOT to add the routing statements, switch settings, etc. I think this is what made the difference this time around. Thanks for pointing me in the right direction.

Once I got the IPs working, I assigned DHCP to the interfaces and that all works great. Now all I have to do is figure out how to keep the guest and regular traffic apart. I found a few posts on here and elsewhere that explain how to accomplish this feat.

Thanks again for the info and for helping out a noob. :mrgreen:

Keeping the two VLANs separate is pretty easy - after all they’re going through logical routed interfaces and thus go through the IP firewall. The simplest case:

/ip firewall filter
add chain=forward in-interface=vlan1 out-interface=vlan2 action=drop
add chain=forward in-interface=vlan2 out-interface=vlan1 action=drop

Those firewall rules work great. The next problem is that I am throwing a hotspot into the mix on VLAN2. To review: this is an AP running dual SSIDs. The main SSID (VLAN1) needs to have access to all of the nets in the router (no problem, it happens already). The guest SSID (VLAN2) should be totally walled off except for access to the WAN port (ETH1). I have attempted to do this, but I can’t seem to find the correct configuration of the NAT/Firewall rules.

Again, I apologize for asking such 1st grader questions, but this is my first time with quite a few things: RouterOS, Hotspot, multiple SSIDs per AP and VLANs. Thanks so much for your help.

/IP Firewall Export:

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="" disabled=no
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=yes src-address=192.168.200.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

/ip route print detail:

0 ADS dst-address=0.0.0.0/0 gateway=192.168.1.10 gateway-status=192.168.1.10 reachable ether1 - WAN
distance=0 scope=30 target-scope=10

1 S dst-address=0.0.0.0/0 gateway=ether1 - WAN gateway-status=ether1 - WAN reachable distance=1
scope=30 target-scope=10

2 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.151 gateway=ether1 - WAN
gateway-status=ether1 - WAN reachable distance=0 scope=10

3 ADC dst-address=192.168.10.0/24 pref-src=192.168.10.1 gateway=ether5 - Wired LAN
gateway-status=ether5 - Wired LAN reachable distance=0 scope=10

4 ADC dst-address=192.168.100.0/24 pref-src=192.168.100.1 gateway=vlan1 - Internal
gateway-status=vlan1 - Internal reachable distance=0 scope=10

5 ADC dst-address=192.168.200.0/24 pref-src=192.168.200.1 gateway=vlan2 - Guest
gateway-status=vlan2 - Guest reachable distance=0 scope=10

Just add a Hotspot to the VLAN 2 interface.
http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot#HotSpot_Setup
That will force you to create an address pool to use. You’ll probably want to turn that off, so after the setup has completed, run:

/ip hotspot set [/ip hotspot find] address-pool=none

Since VLAN2 is the ‘guest’ AP, I want it to hand out DHCP addresses.

Upon further review:
Since it was a few hours ago I’m a bit foggy on details, but I know I added the firewall rules you suggested and I could not get to any other IP range besides the 200 range and the internet. For the sake of testing, however, I just got done doing a factory reset. (got rid of Hotspot)
I added your suggested firewall rules, and I can ping from my laptop (on Guest VLAN in the 200 IP range) to 192.168.100.1 (VLAN1’s IP addy.) I’m not sure why the firewall rules seemingly worked earlier, but that no longer seems to be the case. :confused: I’m confused.

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment="" disabled=no in-interface="vlan1 - Net" out-interface="vlan2 -Guest"
add action=drop chain=forward comment="" disabled=no in-interface="vlan2 -Guest" out-interface="vlan1 - Net"
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

OK. I give up. :angry: Every attempt I have made to segregate the Hotspot VLAN from the rest of the router doesn’t work.
I have tried the firewall rules suggested earlier in this thread. I have tried the suggestions posted in these threads as well:

http://forum.mikrotik.com/t/help-with-nat-config-router-to-router/45003/1
http://forum.mikrotik.com/t/hotspot-configuration-questions-and-functions/38000/1

I have found that when I add:

add chain=forward in-interface=vlan2 out-interface=vlan1 action=drop

I bust the ability to get the hotspot login page.

The address pool configured on a Hotspot has nothing to do with DHCP, it has to do with Universal NAT - which is a nice feature when you have clients with static IPs you don’t have control over, but that doesn’t apply to you. Removing the address pool from the Hotspot profile doesn’t affect DHCP.

I don’t know what difficulties you’re running into. I run several Hotspots - each on a different VLAN interface - on many routers, and use firewall filters as outlined in this thread to keep them from talking to one another. It works fine.

Below is a basic configuration that should work. It’ll name the WAN interface ‘outside’ and the VLAN interface (ether5) according to your screenshots ‘inside’. It’ll apply a DHCP client to ‘outside’, configure basic NAT and a firewall (an address list named Administrative_Networks is created with entries for 1.1.1.0/24 and 2.2.2.0/24 - you’ll want to edit those; SSH, winbox etc. to the router will only be allowed from those addresses), then creates two VLAN interfaces for vlan IDs 1 and 2 named ‘vlan1’ and ‘vlan2’ (10.0.1.1/24 and 10.0.2.1/24 - edit that in all relevant sections if you need to), adds DHCP to both VLANs, and adds Hotspots to those interfaces. VLAN 2 can only talk to the WAN, traffic initiated from the WAN will be blocked, and all other interfaces can talk among each other. It also creates two Hotspot users (‘vlan1’ and ‘vlan2’ with the same passwords as the usernames) that can be used to log into the corresponding Hotspot. HTTP-PAP (clear text!) is configured for login, change that if you need to after you’ve determined PAP works (it’s the simplest mechanism, so it’s good for testing). The Hotspot DNS names are set to hotspot.example.com and hotspot2.example.com, adjust that if you need to.

Note that this is cobbled together to sort of match your requirements from configurations I have lying around so there may be errors, but it should get you started.

/interface ethernet
set [find name~ether1] name=outside
set [find name~ether5] name=inside master-port=none
/ip dhcp-client
add interface=outside disabled=no add-default-route=yes use-peer-dns=yes
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=16384
/interface vlan
add arp=enabled disabled=no interface=inside name=vlan1 use-service-tag=no vlan-id=1
add arp=enabled disabled=no interface=inside name=vlan2 use-service-tag=no vlan-id=2
/ip address
add address=10.0.1.1/24 interface=vlan1
add address=10.0.2.1/24 interface=vlan2
/ip firewall address-list
add address=1.1.1.0/24 list=Administrative_Networks
add address=2.2.2.0/24 list=Administrative_Networks
/ip firewall filter
add action=accept chain=input comment="allow established" connection-state=established 
add action=accept chain=input comment="allow related" connection-state=related 
add action=accept chain=input comment="allow local service UDP ports from LAN" dst-port=53,67,123 in-interface=!outside protocol=udp
add action=accept chain=input comment="allow local service TCP ports from LAN" dst-port=53 in-interface=!outside protocol=tcp
add action=accept chain=input comment="allow rate-limited ICMP" limit=20,20 protocol=icmp
add action=accept chain=input comment="allow everything from admin networks" src-address-list=Administrative_Networks
add action=drop chain=input comment="drop everything else" 
add action=accept chain=forward comment="forward established traffic" connection-state=established 
add action=accept chain=forward comment="forward related traffic" connection-state=related 
add action=accept chain=forward comment="forward traffic from VLAN 2 to WAN" in-interface=vlan2 out-interface=outside
add action=drop chain=forward comment="drop traffic initiated from WAN" in-interface=outside
add action=accept chain=forward comment="accept everything else"
/ip firewall nat
add action=src-nat chain=masquerade out-interface=outside 
add action=accept chain=pre-hotspot comment="" disabled=no dst-address-type=!local hotspot=auth
add action=accept chain=pre-hotspot comment="" disabled=no dst-port=53 protocol=udp
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" 
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip hotspot walled-garden ip
add action=accept protocol=icmp
add action=accept dst-port=53 protocol=udp
/ip pool
add name=DHCP-Pool-vlan1 ranges=10.0.1.10-10.0.1.254
add name=DHCP-Pool-vlan2 ranges=10.0.2.10-10.0.2.254
/ip dhcp-server
add address-pool=DHCP-Pool-vlan1 authoritative=yes bootp-support=static disabled=no interface=vlan1 lease-time=3h name=DHCP-vlan1
add address-pool=DHCP-Pool-vlan2 authoritative=yes bootp-support=static disabled=no interface=vlan2 lease-time=3h name=DHCP-vlan2
/ip dhcp-server network
add address=10.0.1.0/24 comment=vlan1 dns-server=10.0.1.1 gateway=10.0.1.1
add address=10.0.2.0/24 comment=vlan2 dns-server=10.0.2.1 gateway=10.0.2.1
/ip hotspot profile
add dns-name=hotspot.example.com hotspot-address=10.0.1.1 html-directory=vlan1 login-by=http-pap name=vlan1 rate-limit=10m/10m 
add dns-name=hotspot2.example.com hotspot-address=10.0.2.1 html-directory=vlan2 login-by=http-pap name=vlan2 rate-limit=10m/10m 
/ip hotspot user profile
add idle-timeout=none keepalive-timeout=15m name=vlan1 rate-limit=256k/512k shared-users=unlimited status-autorefresh=1m transparent-proxy=no
add idle-timeout=none keepalive-timeout=15m name=vlan2 rate-limit=256k/512k shared-users=unlimited status-autorefresh=1m transparent-proxy=no
/ip hotspot user
add name=vlan1 password=vlan1 profile=vlan1
add name=vlan2 password=vlan2 profile=vlan2
/ip hotspot
add idle-timeout=30m interface=vlan1 keepalive-timeout=5m name=vlan1 profile=vlan1
add idle-timeout=30m interface=vlan2 keepalive-timeout=5m name=vlan2 profile=vlan2

Thanks Fewi. It’s getting late here on the east coast of the US. My brain and children upstairs are getting VERY tired. (Not a good plan for working on routers.) I’ll give this a try tomorrow. Again, I appreciate your hand holding in all of this. I wasn’t looking to put anyone out of that much work, but I do appreciate it greatly. More to come tomorrow.

No worries.

What is the best way to add these lines into the 750? I assumed I could simply type them into the terminal windows one line at a time.

I am mostly familiar with configurations via the WinBox utility, sorry. :frowning:

You can also copy and paste.
Or use them as guides for winbox. They translate 1:1.

/ip address
add address=10.0.1.1/24 interface=vlan1

Click the IP button to fan out that menu, click the Address button to get that window. Click the + button to add an entry, set the Address field to 10.0.1.1/24, and set the Interface field to “vlan1”. Click OK to save.

All the other commands are translated to the GUI the same way.

:frowning: STILL no joy. :frowning:
While the hotspot works well and I can get DHCP addresses and have access to the internet, I can STILL ping from the guest network to the other “internal” LANs. In the interest of having a second set of eyes look at things, I have attached a few text file dumps.

I do have a question on this line:

add action=src-nat chain=masquerade out-interface=outside

I couldn’t come up with the correct way to enter that particular rule. When I set the action to “src-nat” it would complain that it needed a ‘to’ address. I was able to come up with the following possible alternatives:

add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1-WAN



add action=src-nat chain=masquerade comment="" disabled=no out-interface=ether1-WAN to-addresses=0.0.0.0-255.255.255.255

I’m unsure how to implement that rule correctly.

Interesting point: I dumped the text files below and then I did a reboot. After the reboot, magically NEW hotspot rules appeared with jumps and such. These “new” rules only appear in WinBox. If you do a “ip firewall export”, they don’t show up. ---- More confusion. :laughing:

Fewi - If you have some time and are willing, can we work on this 1 on 1 sometime. I am self employed, (and under-employed at that) so I can be available most any time. If you are willing, we can connect via telephone and TeamViewer? so that we can talk via voice and you can run the box remotely through my machine. I have everything setup on the test bench with a laptop to connect to the APs. I have a second laptop at hand as well if needed. As always, thanks for your help and understanding.

0   address=192.168.100.1/24 network=192.168.100.0 broadcast=192.168.100.255
    interface=vlan1-Main actual-interface=vlan1-Main
1   address=192.168.200.1/24 network=192.168.200.0 broadcast=192.168.200.255
    interface=vlan2-Guest actual-interface=vlan2-Guest
2 D address=192.168.1.150/24 network=192.168.1.0 broadcast=192.168.1.255
    interface=ether1-WAN actual-interface=ether1-WAN
3   address=192.168.10.1/24 network=192.168.10.0 broadcast=192.168.10.255
    interface=ether5-LAN actual-interface=ether5-LAN



/ip pool
add name=pool-vlan1 ranges=192.168.100.10-192.168.100.254
add name=pool-vlan2 ranges=192.168.200.10-192.168.200.254



/ip dhcp-server
add address-pool=pool-vlan1 authoritative=yes bootp-support=static disabled=no interface=vlan1-Main lease-time=3h name=DHCP-vlan1
add address-pool=pool-vlan2 authoritative=yes bootp-support=static disabled=no interface=vlan2-Guest lease-time=3h name=DHCP-vlan2
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.100.0/24 comment=vlan1-Main dns-server=192.168.100.1 gateway=192.168.100.1
add address=192.168.200.0/24 comment=vlan2-Guest dns-server=192.168.200.1 gateway=192.168.200.1



/ip firewall address-list
add address=192.168.1.0/24 comment="" disabled=no list=Administrative_Networks
add address=192.168.100.0/24 comment="" disabled=no list=Administrative_Networks
add address=192.168.10.0/24 comment="" disabled=no list=Administrative_Networks
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
    udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="allow established" connection-state=established disabled=no
add action=accept chain=input comment="allow related" connection-state=related disabled=no
add action=accept chain=input comment="allow local service UDP ports from LAN" disabled=no dst-port=53,67,123 in-interface=!ether1-WAN protocol=udp
add action=accept chain=input comment="allow local service TCP ports from LAN" disabled=no dst-port=53 in-interface=!ether1-WAN protocol=tcp
add action=accept chain=input comment="allow rate-limited ICMP" disabled=no limit=20,20 protocol=icmp
add action=accept chain=input comment="allow everything from admin networks" disabled=no src-address-list=Administrative_Networks
add action=drop chain=input comment="drop everything else" disabled=no
add action=accept chain=forward comment="forward established traffic" connection-state=established disabled=no
add action=accept chain=forward comment="forward related traffic" connection-state=related disabled=no
add action=accept chain=forward comment="forward traffic from vlan2 to WAN" disabled=no in-interface=vlan2-Guest out-interface=ether1-WAN
add action=drop chain=forward comment="drop traffic initiated from WAN" disabled=no in-interface=ether1-WAN
add action=accept chain=forward comment="accept everything else" disabled=no
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1-WAN
add action=accept chain=pre-hotspot comment="" disabled=no dst-address-type=!local hotspot=auth
add action=accept chain=pre-hotspot comment="" disabled=no dst-port=53 protocol=udp
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

NAT: it should be action=masquerade and chain=src-nat, you have them swapped. But what you ended up putting in will work just fine, and is what was intended.
Hotspot rules that show in winbox: those are dynamically created rules that actually make Hotspots work. The CLI by default filters dynamic rules, you can look at them via “/ip firewall nat print all” (same principle in other sections). The OS adds them whenever a Hotspot is added, they do the actual work. The wiki on Hotspot customization does a pretty good job of explaining what each rule does.

Sorry, was missing a filter rule there - the one that drops traffic from VLAN 2 to other networks. Duh. Should have proofread what I posted more carefully.

/ip firewall filter
add chain=forward in-interface=vlan2-Guest action=drop place-before=[find comment="drop traffic initiated from WAN"]

That should do the trick. Further up traffic from VLAN 2 to WAN is permitted, that rule then drops all other traffic entering the router through that VLAN’s interface.

Sorry, I don’t do 1:1 - granted, keeping things in forums is more frustrating for the person asking for help, but allows the person helping to easily control schedule, and also potentially helps out anyone who reads the thread further down the road.

Understood. It’s difficult to see how my ineptness could be useful, but once we reach a conclusion (hopefully) it will be!

NAT: it should be action=masquerade and chain=src-nat, you have them swapped. But what you ended up putting in will work just fine, and is what was intended.

I thought so. Some of this IS sinking in. :smiley:

/ip firewall filter
add chain=forward in-interface=vlan2-Guest action=drop place-before=[find comment="drop traffic initiated from WAN"]

Added the above and I am STILL able to ping from Vlan2 to other interface IPs. (IE 192.168.100.1, 192.168.10.1, etc.)

As I wrote the above, I thought “Those are all interface IPs. Just because I can ping the interface, doesn’t mean I can ping an actual device on that network.” Sure enough, that is true. I can ping the interfaces (x.x.x.1) but not a device on those interfaces.

While it’s not a show-stopper, it sure would be nice to have no trace of those other IP ranges even being present as seen from the Guest Vlan.

That’s both trivial, and not.

The router distinguishes between traffic THROUGH the router (between devices connecting through the router), and traffic TO the router (traffic between devices connected to the router and the router itself). Traffic through the router goes into the forward chain, traffic to the router goes into the input chain, after destination NAT has rewritten whatever IP addresses it was going to rewrite.
Right now there’s only filtering in the forward chain - traffic through the router. If you’re pinging other interfaces on the router that’s traffic to the router, so the forward chain is never evaluated - the input chain would be.
If you want VLAN 2 to only be able to talk to the VLAN 2 interface on the router:

/ip firewall filter
add chain=input in-interface=vlan2-Guest dst-address=192.168.200.1 action=accept
add chain=input in-interface=vlan2-Guest action=drop

And, of course, place them somewhere sensible in the existing input filters.

However, that may break stuff. The reason this usually isn’t done is that you’d have to make exceptions for a whole bunch of traffic. Sometimes traffic may go to a broadcast address. Sometimes it may go to an empty IP address. Or a multicast group the router is a member of on that interface. If you really want to filter this traffic it would probably be easiest to explicitly list the interface IPs VLAN 2 cannot talk to, and drop that traffic. In a high security environment that would be a bad approach, but in a home or small business scenario this is probably acceptable:

/ip firewall address-list
add list=drop-vlan-2 address=192.168.100.1
add list=drop-vlan-2 address=192.168.10.1
/ip firewall filter
add chain=input in-interface=vlan2-Guest dst-address-list=drop-vlan-2 action=drop

Given the separation between through and to traffic I think it’d be best to just ignore this. The goal is to secure the networks, so being able to ping router interfaces doesn’t interfere with that goal.
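The through-versus-to distinction explained above, together with the forward-chain drops suggested earlier in the thread, as an added example that is not the thread's or MikroTik's code: a small first-match simulator that walks a packet through the posted input/forward rules and shows why vlan2 cannot reach vlan1 hosts while a ping to 192.168.100.1 still gets through (input chain, rate-limited ICMP accept). Interface names, addresses and rule text come from the thread; the abridged rule set, the sample packets and the helper names are constructed here, and Hotspot dynamic rules and the `limit=` counter are not modelled.

```python
"""Added example: first-match simulator for the RouterOS filter rules posted in the
thread. Traffic TO a router IP is checked against the input chain, traffic THROUGH
the router against forward; the rule set and packets below are constructed."""

import ipaddress
import shlex

# Router-owned addresses and connected routes from the '/ip address' and '/ip route' output.
ROUTER_IPS = {"192.168.100.1", "192.168.200.1", "192.168.1.150", "192.168.10.1"}
ROUTES = {"192.168.100.0/24": "vlan1-Main", "192.168.200.0/24": "vlan2-Guest",
          "192.168.10.0/24": "ether5-LAN", "192.168.1.0/24": "ether1-WAN",
          "0.0.0.0/0": "ether1-WAN"}
ADDRESS_LISTS = {"Administrative_Networks": ["192.168.1.0/24", "192.168.100.0/24", "192.168.10.0/24"],
                 "drop-vlan-2": ["192.168.100.1", "192.168.10.1"]}

# The posted filter, abridged to the rules that matter here, with the vlan2 forward
# drop in its place-before position. 'limit=' and Hotspot dynamic rules are ignored.
RULES = """\
add action=accept chain=input comment="allow rate-limited ICMP" limit=20,20 protocol=icmp
add action=accept chain=input comment="allow everything from admin networks" src-address-list=Administrative_Networks
add action=drop chain=input comment="drop everything else"
add action=accept chain=forward comment="forward traffic from vlan2 to WAN" in-interface=vlan2-Guest out-interface=ether1-WAN
add action=drop chain=forward comment="drop other traffic from vlan2" in-interface=vlan2-Guest
add action=drop chain=forward comment="drop traffic initiated from WAN" in-interface=ether1-WAN
add action=accept chain=forward comment="accept everything else"
"""
# The thread's last suggestion: an input-chain drop for vlan2 traffic aimed at other router IPs.
DROP_LIST_RULE = ('add action=drop chain=input comment="vlan2 to other router IPs" '
                  'in-interface=vlan2-Guest dst-address-list=drop-vlan-2\n')

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments intact."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

def in_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in ADDRESS_LISTS[name])

def out_interface(dst):
    """Longest-prefix route lookup, done by the router before the forward chain runs."""
    nets = [ipaddress.ip_network(n) for n in ROUTES]
    best = max((n for n in nets if ipaddress.ip_address(dst) in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]

def matches(rule, pkt, chain):
    checks = {
        "chain": lambda v: v == chain,
        "in-interface": lambda v: v == pkt["in"],
        "out-interface": lambda v: v == pkt["out"],
        "protocol": lambda v: v == pkt["proto"],
        "src-address-list": lambda v: in_list(pkt["src"], v),
        "dst-address-list": lambda v: in_list(pkt["dst"], v),
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)

def evaluate(src, dst, in_iface, proto, rules_text=RULES):
    """Return (chain, action, comment) for a new packet: first matching rule wins,
    and a chain with no matching rule accepts (the RouterOS default)."""
    chain = "input" if dst in ROUTER_IPS else "forward"
    pkt = {"src": src, "dst": dst, "in": in_iface, "proto": proto,
           "out": None if chain == "input" else out_interface(dst)}
    for rule in parse_rules(rules_text):
        if matches(rule, pkt, chain):
            return chain, rule["action"], rule.get("comment", "")
    return chain, "accept", "end of chain"

if __name__ == "__main__":
    for dst, proto in (("8.8.8.8", "icmp"), ("192.168.100.20", "icmp"), ("192.168.100.1", "icmp")):
        print(dst, proto, evaluate("192.168.200.50", dst, "vlan2-Guest", proto))
```

Prepending `DROP_LIST_RULE` to `RULES` reproduces the address-list variant above, and the same ping from vlan2 to 192.168.100.1 is then dropped in the input chain.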