RB 750GL routing and access problem, help needed.

Hello.

1 x RouterBoard 750GL and 2 x EnGenius EAP300 APs; one AP's IP is 192.168.30.30 and the other's is 192.168.30.40. Multiple SSIDs (public and private) on separate VLANs: SSID1 uses VLAN ID 100 and SSID2 uses VLAN ID 200.

Both APs are directly connected to the RB, on ports 3 and 4. The RB terminates the VLANs, and the VLANs are isolated. The RB's own IP is 192.168.30.60/24; GW, DNS and NTP are 192.168.30.1; the management IP 192.168.88.1 is also there.

For VLAN 100 the RB uses port 5 for internal network access, so that SSID1 is a pure wireless extension of the internal LAN: no NAT, no routing, no filters, no restrictions etc.

For VLAN 200 the RB acts as a router: it serves network 192.168.200.0/24 with NAT and a DHCP server; the WAN is port 1 and uses the ISP-side IP 192.168.1.60/24, GW 192.168.1.254, DNS 8.8.8.8.

SSID1 > internal network works fine, but SSID2 > internet doesn't work. I can ping the GW 192.168.1.254, but nothing further, and DNS doesn't resolve:
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 S 0.0.0.0/0 192.168.1.254 1
1 ADC 192.168.1.0/24 192.168.1.254 ether1-wan 0
2 ADC 192.168.30.0/24 192.168.30.60 vlan100-br 0
3 ADC 192.168.88.0/24 192.168.88.1 ether2-mgmt 0
4 ADC 192.168.200.0/24 192.168.200.1 vlan200-br 0

ping 8.8.8.8
HOST SIZE TTL TIME STATUS
no route to host
no route to host
no route to host
sent=3 received=0 packet-loss=100%

Also, I can't access the APs from the internal network (192.168.30.0/24).

Please help me fixing the config:

jan/25/2014 22:45:45 by RouterOS 6.7

software id = IXWE-RW4L

# Rename the five physical ports after their roles: WAN, management, two AP uplinks, internal LAN.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-mgmt
set [ find default-name=ether3 ] name=ether3-ap1
set [ find default-name=ether4 ] name=ether4-ap2
set [ find default-name=ether5 ] name=ether5-lan
# One bridge per VLAN: vlan100-br for the internal SSID, vlan200-br for the routed/NATed SSID.
/interface bridge
add l2mtu=1594 name=vlan100-br
add l2mtu=1594 name=vlan200-br
# Neighbor discovery is switched off on every physical port and on both bridges.
/ip neighbor discovery
set ether1-wan discover=no
set ether2-mgmt discover=no
set ether3-ap1 discover=no
set ether4-ap2 discover=no
set ether5-lan discover=no
set vlan100-br discover=no
set vlan200-br discover=no
# Tagged sub-interfaces for VLAN 100 and VLAN 200 on each AP-facing port.
/interface vlan
add interface=ether3-ap1 l2mtu=1594 name=e3-ap1-vlan100 vlan-id=100
add interface=ether3-ap1 l2mtu=1594 name=e3-ap1-vlan200 vlan-id=200
add interface=ether4-ap2 l2mtu=1594 name=e4-ap2-vlan100 vlan-id=100
add interface=ether4-ap2 l2mtu=1594 name=e4-ap2-vlan200 vlan-id=200
# Discovery is also switched off on the four VLAN sub-interfaces.
/ip neighbor discovery
set e3-ap1-vlan100 discover=no
set e3-ap1-vlan200 discover=no
set e4-ap2-vlan100 discover=no
set e4-ap2-vlan200 discover=no
# Address range leased to VLAN 200 clients.
/ip pool
add name=vlan200-dhcp-pool ranges=192.168.200.100-192.168.200.200
# DHCP server bound to vlan200-br only; add-arp=yes also creates an ARP entry per lease.
/ip dhcp-server
add add-arp=yes address-pool=vlan200-dhcp-pool disabled=no interface=vlan200-br lease-time=1d name=vlan200-dhcp
/routing bgp instance
set default disabled=yes
# vlan100-br joins ether5-lan with the VLAN 100 sub-interfaces of both APs, so SSID1 clients sit
# directly on the internal LAN. vlan200-br holds only the VLAN 200 sub-interfaces.
# NOTE(review): the untagged side of ether3-ap1/ether4-ap2 is in neither bridge and has no address,
# which fits the reported symptom that the APs' own IPs cannot be reached from 192.168.30.0/24.
/interface bridge port
add bridge=vlan100-br interface=ether5-lan
add bridge=vlan100-br interface=e3-ap1-vlan100
add bridge=vlan100-br interface=e4-ap2-vlan100
add bridge=vlan200-br interface=e3-ap1-vlan200
add bridge=vlan200-br interface=e4-ap2-vlan200
# Bridged frames, including VLAN-tagged ones, are also passed through the IP firewall.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# NOTE(review): three of these addresses conflict with the topology described in the post:
#  - 192.168.1.254 is given as the ISP gateway, yet it is also assigned to ether1-wan (last entry).
#    The default route then points at one of the router's own addresses; the route print above
#    lists that route without the A (active) flag, which fits the "no route to host" result.
#  - 192.168.30.1 is given as the existing LAN gateway/DNS/NTP host, yet it is assigned to
#    vlan100-br, which is bridged onto that LAN through ether5-lan: a duplicate address on the
#    internal network.
#  - 192.168.30.60 is placed on ether5-lan, which is a port of vlan100-br; an address normally
#    belongs on the bridge itself rather than on one of its ports.
/ip address
add address=192.168.1.60/24 interface=ether1-wan network=192.168.1.0
add address=192.168.200.1/24 interface=vlan200-br network=192.168.200.0
add address=192.168.30.1/24 interface=vlan100-br network=192.168.30.0
add address=192.168.88.1/24 interface=ether2-mgmt network=192.168.88.0
add address=192.168.30.60/24 interface=ether5-lan network=192.168.30.0
add address=192.168.1.254/24 interface=ether1-wan network=192.168.1.0
# DHCP client entry carried over from the default configuration. disabled=no is not shown, so it is
# presumably inactive next to the static WAN address; confirm on the device.
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-wan
# The first entry is empty. The second hands VLAN 200 clients this router as gateway and 8.8.8.8 as
# resolver.
/ip dhcp-server network
add
add address=192.168.200.0/24 dns-server=8.8.8.8 gateway=192.168.200.1 netmask=24
# allow-remote-requests=yes lets the router answer DNS queries sent to it.
# NOTE(review): the input chain must keep refusing such queries from ether1-wan, otherwise the
# router becomes an open resolver.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# Input chain (traffic addressed to the router itself): accept ICMP and established/related
# connections, then drop whatever else arrives on ether1-wan.
# NOTE(review): nothing here limits what VLAN 200 clients may reach on the router itself.
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-wan
# Forward chain: two accept rules, and the only drop rule (invalid state) is disabled.
# NOTE(review): no active rule drops forwarded traffic, so routed packets from 192.168.200.0/24 to
# 192.168.30.0/24 or 192.168.88.0/24 are not filtered. The VLANs are separated at layer 2 only.
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
# Source-NAT everything leaving through ether1-wan.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-wan to-addresses=0.0.0.0
# Static default route via 192.168.1.254. That address is also configured on ether1-wan in this
# export, which conflicts with using it as the next hop.
/ip route
add distance=1 gateway=192.168.1.254
# Empty routing rule entry.
/ip route rule
add
/system clock
set time-zone-name=Europe/Tallinn

As my post was waiting for approval for some time, I dug further, and right now everything is working. I manually added the gateway IP to the default route, so VLAN 200 > internet works, and added eth3 and eth4 to the bridge ports, so that the APs are reachable from the internal net.

I also made isolation rules; however, I'm not sure whether I should use VLAN filters or firewall rules. Please check my current setup:
[admin@MikroTik] > export

jan/26/2014 16:02:40 by RouterOS 6.7

software id = IXWE-RW4L

# Physical ports renamed after their roles: WAN, management, two AP uplinks, internal LAN.
/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=ether2 ] name=eth2-mgmt
set [ find default-name=ether3 ] name=eth3-ap1
set [ find default-name=ether4 ] name=eth4-ap2
set [ find default-name=ether5 ] name=eth5-lan
# One bridge per VLAN.
/interface bridge
add l2mtu=1594 name=vlan100-bridge
add l2mtu=1594 name=vlan200-bridge
# Neighbor discovery is switched off on every physical port and on both bridges.
/ip neighbor discovery
set eth1-wan discover=no
set eth2-mgmt discover=no
set eth3-ap1 discover=no
set eth4-ap2 discover=no
set eth5-lan discover=no
set vlan100-bridge discover=no
set vlan200-bridge discover=no
# Tagged sub-interfaces for VLAN 100 and VLAN 200 on each AP-facing port.
/interface vlan
add interface=eth3-ap1 l2mtu=1594 name=eth3-ap1-vlan100 vlan-id=100
add interface=eth3-ap1 l2mtu=1594 name=eth3-ap1-vlan200 vlan-id=200
add interface=eth4-ap2 l2mtu=1594 name=eth4-ap2-vlan100 vlan-id=100
add interface=eth4-ap2 l2mtu=1594 name=eth4-ap2-vlan200 vlan-id=200
# Discovery is also switched off on the four VLAN sub-interfaces.
/ip neighbor discovery
set eth3-ap1-vlan100 discover=no
set eth3-ap1-vlan200 discover=no
set eth4-ap2-vlan100 discover=no
set eth4-ap2-vlan200 discover=no
# Address range leased to VLAN 200 clients.
/ip pool
add name=vlan200-dhcp-pool ranges=192.168.200.100-192.168.200.200
# DHCP server bound to vlan200-bridge only. The entry is split across two lines here, apparently
# by terminal wrapping; the value of name= continues on the next line.
/ip dhcp-server
add add-arp=yes address-pool=vlan200-dhcp-pool disabled=no interface=vlan200-bridge lease-time=1d name=
vlan200-dhcp
# Bandwidth presets. Only the "1M" queue is enabled; the p2p queue (keyed to the dst-p2p-packet
# mark) and all other presets are disabled.
/queue simple
add disabled=yes limit-at=512k/512k max-limit=512k/512k name=p2p packet-marks=dst-p2p-packet
add dst=eth1-wan limit-at=1M/1M max-limit=1M/1M name=1M
add disabled=yes dst=eth1-wan max-limit=2M/2M name=2M
add disabled=yes dst=eth1-wan max-limit=3M/3M name=3M
add disabled=yes dst=eth1-wan max-limit=4M/4M name=4M
add disabled=yes dst=eth1-wan max-limit=5M/5M name=5M
add disabled=yes dst=eth1-wan max-limit=1M/2M name=1/2M
add disabled=yes dst=eth1-wan max-limit=1M/3M name=1/3M
add disabled=yes dst=eth1-wan max-limit=2M/5M name=2/5M
# Bridge-level isolation attempt: four drop rules between the VLAN 100 and VLAN 200 sub-interfaces
# of each AP port. All four are disabled.
# NOTE(review): each rule pairs an in-interface that is a port of one bridge with an out-interface
# that is a port of the other bridge (see the port list below). Traffic between the two VLANs is
# routed from one bridge to the other rather than bridged, so a bridge forward rule is unlikely to
# ever match it. The IP firewall forward chain is the layer that can separate the subnets; verify
# with rule counters on the device.
/interface bridge filter
add action=drop chain=forward disabled=yes in-interface=eth3-ap1-vlan100 out-interface=eth3-ap1-vlan200
add action=drop chain=forward disabled=yes in-interface=eth4-ap2-vlan100 out-interface=eth4-ap2-vlan200
add action=drop chain=forward disabled=yes in-interface=eth3-ap1-vlan200 out-interface=eth3-ap1-vlan100
add action=drop chain=forward disabled=yes in-interface=eth4-ap2-vlan200 out-interface=eth4-ap2-vlan100
# vlan100-bridge: eth5-lan, the VLAN 100 sub-interfaces and, new in this export, the AP ports
# themselves. vlan200-bridge: the VLAN 200 sub-interfaces only.
# NOTE(review): the last two entries bridge the untagged side of eth3-ap1/eth4-ap2 into the
# internal LAN, which is what makes the APs' own IPs reachable. The same ports also carry the VLAN
# sub-interfaces, and a port that is both a bridge member and the parent of VLAN interfaces is a
# fragile layout: tagged VLAN 200 frames arriving on the port may be handled by vlan100-bridge
# instead of the VLAN interface. Capture on eth5-lan to confirm that no guest frames appear there.
# If the APs support a management VLAN, managing them over VLAN 100 would avoid bridging the
# physical ports at all.
/interface bridge port
add bridge=vlan100-bridge interface=eth5-lan
add bridge=vlan100-bridge interface=eth3-ap1-vlan100
add bridge=vlan100-bridge interface=eth4-ap2-vlan100
add bridge=vlan200-bridge interface=eth3-ap1-vlan200
add bridge=vlan200-bridge interface=eth4-ap2-vlan200
add bridge=vlan100-bridge interface=eth3-ap1
add bridge=vlan100-bridge interface=eth4-ap2
# Bridged frames, including VLAN-tagged ones, are also passed through the IP firewall.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# The 192.168.1.254 entry (the ISP gateway's address) is now disabled, so the default route no
# longer points at one of the router's own addresses.
# NOTE(review): two conflicts with the topology described in the post remain:
#  - 192.168.30.1 on vlan100-bridge duplicates the address given for the existing LAN
#    gateway/DNS/NTP host on the same layer-2 segment.
#  - 192.168.30.60 is on eth5-lan, which is a port of vlan100-bridge; an address normally belongs
#    on the bridge itself rather than on one of its ports.
/ip address
add address=192.168.1.60/24 interface=eth1-wan network=192.168.1.0
add address=192.168.200.1/24 interface=vlan200-bridge network=192.168.200.0
add address=192.168.30.1/24 interface=vlan100-bridge network=192.168.30.0
add address=192.168.88.1/24 interface=eth2-mgmt network=192.168.88.0
add address=192.168.30.60/24 interface=eth5-lan network=192.168.30.0
add address=192.168.1.254/24 disabled=yes interface=eth1-wan network=192.168.1.0
# DHCP client entry carried over from the default configuration. disabled=no is not shown, so it is
# presumably inactive; confirm on the device.
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=eth1-wan
# The first entry is empty. The second now points VLAN 200 clients at the router itself
# (192.168.200.1) for gateway, DNS and NTP.
/ip dhcp-server network
add
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1 netmask=24 ntp-server=192.168.200.1
# The router resolves for its clients (allow-remote-requests=yes) using the two upstream servers.
# NOTE(review): this relies on the input chain refusing DNS queries that arrive on eth1-wan.
/ip dns
set allow-remote-requests=yes servers=194.126.115.18,194.126.101.34
# Rules are evaluated top to bottom within each chain. Several entries below are split across two
# lines, apparently by terminal wrapping.
/ip firewall filter
# NOTE(review): all four "isolate subnets" rules are disabled=yes. As exported, nothing stops
# routed traffic from 192.168.200.0/24 (SSID2) reaching 192.168.30.0/24 or the management subnet
# 192.168.88.0/24; the only active drop in the forward chain is the invalid-state rule at the end.
# Enabling these rules is what would enforce the isolation. They sit above the
# established/related accepts, so once enabled they also cut reply traffic between the subnets.
add action=drop chain=forward comment="isolate subnets" disabled=yes dst-address=192.168.30.0/24 src-address=
192.168.200.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.88.0/24 src-address=192.168.200.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.200.0/24 src-address=192.168.30.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.88.0/24 src-address=192.168.30.0/24
# Active: drops ICMP addressed to any router address other than 192.168.200.1.
# NOTE(review): this runs before the established/related accepts, so it presumably also discards
# ICMP error messages that belong to the router's own connections; confirm that is intended.
add action=drop chain=input dst-address=!192.168.200.1 protocol=icmp
# NOTE(review): icmp-options=0 appears to select ICMP type 0 (echo reply), whereas an echo request
# is type 8, so the "allow ping" label may not describe what this rule matches. Confirm.
add chain=input comment="allow ping" icmp-options=0 protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
# Disabled: would drop BitTorrent traffic from VLAN 200 towards the WAN.
add action=drop chain=forward comment="drop torrent" disabled=yes in-interface=vlan200-bridge out-interface=
eth1-wan p2p=bit-torrent src-address=192.168.200.0/24
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
# Drops everything not already accepted that arrives on the WAN port.
add action=drop chain=input comment="drop router management" in-interface=eth1-wan
# Guest-side management block: packets entering on vlan200-bridge with a source outside
# 192.168.30.0/24 are refused on TCP 22 (SSH), 80 (HTTP) and 8291 (WinBox).
# NOTE(review): only these three ports are covered. www-ssl is enabled under /ip service, and
# anything else the router listens on stays reachable from the guest VLAN because the input chain
# has no final drop for vlan200-bridge. A default-deny for that interface, with explicit accepts
# for the services guests need (DNS, NTP), would be tighter.
add action=drop chain=input dst-port=22 in-interface=vlan200-bridge protocol=tcp src-address=!192.168.30.0/24
add action=drop chain=input dst-port=80 in-interface=vlan200-bridge protocol=tcp src-address=!192.168.30.0/24
add action=drop chain=input dst-port=8291 in-interface=vlan200-bridge protocol=tcp src-address=!192.168.30.0/24
# The invalid-state drop is now enabled (no disabled=yes).
add action=drop chain=forward comment="default configuration" connection-state=invalid
# Peer-to-peer marking rules feeding the dst-p2p-packet mark. All four are disabled, so no
# traffic is marked. Entries are split across lines, apparently by terminal wrapping.
/ip firewall mangle
add action=mark-connection chain=forward comment="TORRENT No 1: Classic non security torrent" disabled=yes
new-connection-mark=dst-p2p-conn p2p=all-p2p
add action=mark-packet chain=forward connection-mark=dst-p2p-conn disabled=yes new-packet-mark=dst-p2p-packet
add action=mark-connection chain=forward comment="TORRENT No 2: block outgoing DHT" content=d1:ad2:id20:
disabled=yes dst-port=1025-65535 in-interface=eth1-wan new-connection-mark=p2p-out-DHT packet-size=95-190
protocol=udp
add action=mark-packet chain=forward connection-mark=p2p-out-DHT disabled=yes new-packet-mark=dst-p2p-packet
# Source-NAT everything leaving through eth1-wan.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=eth1-wan to-addresses=0.0.0.0
# Static default route via the ISP gateway.
/ip route
add distance=1 gateway=192.168.1.254
# Empty routing rule entry.
/ip route rule
add
# telnet, ftp, api and api-ssl are switched off; www-ssl is switched on. ssh, www and winbox are
# not listed, so they are presumably at their defaults; confirm with "/ip service print".
# NOTE(review): no address= restriction is set on any service, so who can reach them is decided
# by the firewall input chain alone.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): UPnP is enabled. No "/ip upnp interfaces" entries appear in this export, so it may
# currently be inert. Once internal and external interfaces are defined, clients on the internal
# side can request inbound port forwards on the WAN. Leave it disabled unless a client needs it,
# and never mark the guest bridge as an internal UPnP interface.
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/Tallinn
# The router synchronises its own clock from two upstream NTP servers.
/system ntp client
set enabled=yes primary-ntp=192.98.49.10 secondary-ntp=192.98.49.11
# NTP server with broadcast and multicast modes on.
# NOTE(review): broadcast-addresses=192.168.200.1 is the router's own VLAN 200 address rather than
# that subnet's broadcast address; check whether this is intended.
/system ntp server
set broadcast=yes broadcast-addresses=192.168.200.1 multicast=yes
# Graphing entries added with default settings.
# NOTE(review): graphs are served through the router's web interface; review allow-address so the
# guest VLAN cannot view them.
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add