Routing with Guest network

Hello everyone,

my current setup includes a main network 192.168.0/23 with 3 WAN interfaces with PPPoE.
I am trying to add another isolated network (192.168.20.1/24 Guest) in which a Unifi AP will provide internet access to guests through one of my 3 WANs. My Unifi Controller is hosted in the main network 192.168.1.XX
I have used ether5 as the LAN for the main network and ether4 as the LAN for the Guest Network.

In my current setup, devices in the Guest network can ping and connect to IP addresses in the main network, but not the other way around. For example, I cannot ping or connect to a PC connected to the Guest network.

  1. What is wrong with the current setup that disables routing between the 2 networks?
  2. What is the best/safest way to allow access from the Guest network only to the IP Address of the Unifi controller for AP to fetch settings and for end users to see the Guest portal?
  3. How can I route the Guest network through one of the 3 WAN?

Thanks in advance
Panagiotis

Please find below my current configuration.

# may/08/2020 18:24:25 by RouterOS 6.46.5
# software id = BSX4-P5PU
#
# model = 2011UiAS
# serial number = B914xxxxxxx
#
# Review notes are added below as RouterOS '#' comments; the configuration
# lines themselves are unchanged. Interface names and credentials are masked
# with x's in this paste, and the masking makes WAN_1 and WAN_2 both appear as
# "pppoe-out_211xxxxxxx", so rules naming that interface cannot be attributed
# to one of the two from this export alone.
/interface bridge
# Two bridges: LAN (ether5, main network 192.168.0.0/23) and GUEST (ether4,
# 192.168.20.0/24), per the /interface bridge port and /ip address sections.
add name=GUEST
add name=LAN
/interface pppoe-client
# Each client installs its own default route. WAN_1 sets no
# default-route-distance (so it keeps the default), WAN_2 uses 2 and WAN_3
# uses 3: traffic without a routing-mark leaves through WAN_1 while it is up,
# the other two are fallbacks.
add add-default-route=yes comment="WAN_3" default-route-distance=3 \
    disabled=no interface=ether3 max-mru=1492 max-mtu=1492 name=\
    pppoe-out_210xxxxxxx password=nxxxxxx user=xxxx@otenet.gr
add add-default-route=yes comment="WAN_2" default-route-distance=2 \
    disabled=no interface=ether2 max-mru=1492 max-mtu=1492 name=\
    pppoe-out_211xxxxxxx password=xxxxxxx user=xxxxxx@tellas.gr
add add-default-route=yes comment="WAN_1" disabled=no interface=ether1 \
    max-mru=1492 max-mtu=1492 name=pppoe-out_211xxxxxxx password=xxxxxx \
    user=xxxxxxx@tellas.gr
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# Option 43 for UniFi adoption: sub-option 0x01, length 0x04, then C0A801A4,
# i.e. 192.168.1.164 -- presumably the controller's address in the main
# network; verify it matches the controller host.
add code=43 name=unifi value=0x0104C0A801A4
/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.239
/ip dhcp-server
# Only the guest network is served from the router; dhcp_pool0 is defined but
# no server uses it (the thread says a Windows server handles the main network).
add address-pool=dhcp_pool1 disabled=no interface=GUEST name=DHCP_GUEST
/ip hotspot user profile
# Hotspot leftovers: no /ip hotspot server appears in this export and the
# unused-hs-chain rules below are disabled, yet the default profile still
# references allowed_internet_ips3 and dhcp_pool1.
set [ find default=yes ] address-list=allowed_internet_ips3 address-pool=\
    dhcp_pool1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=LAN interface=ether5
add bridge=GUEST interface=ether4
/ip address
# The two LAN entries carry no prefix length (RouterOS treats a bare address
# as /32) and put a netmask in network=, which expects a network address;
# compare the GUEST entry. Without a /23 connected route the router depends on
# the static 192.168.0.0/23 route further down. This looks related to
# question 1 -- the usual form would be address=192.168.1.1/23
# network=192.168.0.0; confirm on the device before changing it.
add address=192.168.1.1 interface=LAN network=255.255.254.0
add address=192.168.1.250 interface=LAN network=255.255.254.0
add address=192.168.20.1/24 interface=GUEST network=192.168.20.0
/ip dhcp-server lease
# The second static lease sets no server=; harmless while DHCP_GUEST is the
# only server defined, but it would also bind to any server added later.
add address=192.168.20.246 mac-address=78:8A:20:F0:6F:8C server=DHCP_GUEST
add address=192.168.20.247 mac-address=C4:E9:84:59:41:29
/ip dhcp-server network
# /23 here does not match the /24 on GUEST (192.168.20.1/24 above), so guest
# clients are handed a mask covering 192.168.20.0-192.168.21.255; presumably
# 192.168.20.0/24 was intended. DNS is pointed straight at public resolvers,
# so the router's own DNS listener is not used by guests.
add address=192.168.20.0/23 dhcp-option=unifi dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# allowed_internet_ips3 is a single host and doubles as the hotspot profile's
# list. allowed_internet_ips2 is referenced by the mangle and NAT rules below
# but is not defined anywhere in this export, so those rules match nothing.
add address=192.168.1.254 list=allowed_internet_ips3
add address=192.168.0.1-192.168.0.32 list=allowed_internet_ips
/ip firewall filter
# No drop rule exists in input or forward, so the default policy accepts
# everything: every router service reachable over the PPPoE links is exposed
# (telnet/ftp/www/ssh are disabled under /ip service below; winbox and api are
# not listed there, so presumably still enabled), and nothing separates GUEST
# from LAN. The single accept rule on input only has an effect once a drop
# rule follows it. The controller-only access asked for in question 2 needs
# forward rules -- accept in-interface=GUEST to the controller's address, then
# drop in-interface=GUEST dst-address=192.168.0.0/23 -- none exist yet.
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input connection-nat-state=dstnat connection-state=\
    established,related,new in-interface=pppoe-out_211xxxxxxx
/ip firewall mangle
# Every mark-connection / mark-routing rule matches in-interface=LAN only, so
# GUEST traffic is never marked and follows the plain default route (WAN_1 by
# distance). Steering guests through a chosen WAN (question 3) needs the same
# pair of rules with in-interface=GUEST. The first two accept rules carry the
# same masked interface name and are presumably one per WAN_1/WAN_2. WAN2_conn
# depends on the undefined list allowed_internet_ips2.
add action=accept chain=prerouting in-interface=pppoe-out_211xxxxxxx
add action=accept chain=prerouting in-interface=pppoe-out_211xxxxxxx
add action=accept chain=prerouting in-interface=pppoe-out_210xxxxxxx
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes \
    src-address-list=allowed_internet_ips
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes \
    src-address-list=allowed_internet_ips2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=LAN new-routing-mark=WAN1_route passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=LAN new-routing-mark=WAN2_route passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN3_conn passthrough=yes \
    src-address-list=allowed_internet_ips3
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
    in-interface=LAN new-routing-mark=WAN3_route passthrough=yes
/ip firewall nat
# The last masquerade rule has no out-interface, so it rewrites guest traffic
# on every egress, including packets forwarded into LAN, which then appear to
# come from the router's LAN address; restrict it to the WAN interface(s)
# unless that is intended. The dst-nat entries publish 192.168.1.113 on TCP/443
# and UDP/3391 from one WAN, and with no filter rules nothing else limits who
# may reach them.
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=pppoe-out_211xxxxxxx \
    src-address-list=allowed_internet_ips
add action=masquerade chain=srcnat out-interface=pppoe-out_211xxxxxxx \
    src-address-list=allowed_internet_ips2
add action=masquerade chain=srcnat out-interface=pppoe-out_210xxxxxxx \
    src-address-list=allowed_internet_ips3
add action=dst-nat chain=dstnat dst-port=443 in-interface=\
    pppoe-out_211xxxxxxx protocol=tcp to-addresses=192.168.1.113 to-ports=443
add action=dst-nat chain=dstnat dst-port=3391 in-interface=\
    pppoe-out_211xxxxxxx protocol=udp to-addresses=192.168.1.113 to-ports=\
    3391
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.20.0/24
/ip route
# WAN1_route and WAN2_route resolve to the same masked gateway name in this
# paste. The static 192.168.0.0/23 route via LAN supplies what a correctly
# prefixed /ip address entry would install as a connected route.
add distance=1 gateway=pppoe-out_211xxxxxxx routing-mark=WAN1_route
add distance=1 gateway=pppoe-out_211xxxxxxx routing-mark=WAN2_route
add distance=1 gateway=pppoe-out_210xxxxxxx routing-mark=WAN3_route
add distance=1 dst-address=192.168.0.0/23 gateway=LAN
/ip service
# Services not listed here (winbox, api among them) presumably keep their
# defaults; with no input drop rule they are reachable on every interface,
# the PPPoE links included.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set enabled=no
/system clock
set time-zone-name=Europe/Athens
/tool traffic-monitor
add disabled=yes interface=pppoe-out_211xxxxxxx name=tmon1

The first thing I would do is NOT use LAN as a name for a bridge.
It's too confusing, as there is already an interface called LAN.
Change it to lan-bridge and guest-bridge for example.

Some of the comments may be due to my ignorance of how the unifi controller or hotspots work, so take it with a grain of salt. :slight_smile:

Where is dhcp-server for lan-bridge?
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=guest-bridge name=DHCP_GUEST
???

Why do you have two addresses identified for lan-bridge??
/ip address
add address=192.168.1.1 interface=lan-bridge network=255.255.254.0
add address=192.168.1.250 interface=lan-bridge network=255.255.254.0
add address=192.168.20.1/24 interface=guest-bridge network=192.168.20.0

Where is the dhcp server-network for the lan-bridge
/ip dhcp-server network
add address=192.168.20.0/23 dhcp-option=unifi dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.20.1
???

FIREWALL RULES WTF???
There are none, this should not be facing the internet.

Hello,

thanks for the recommendations.
I have renamed the bridges.
The second IP address was added to deal with some clients in the network that may have a static IP assignment and a default gateway of 192.168.1.250 from the previous network configuration. I removed it, but I don't think that was the problem.

The DHCP server for 192.168.0.0/23 is a Windows DHCP server. The Guest network will get IP addresses from the Mikrotik since we do not want access to the main network (except Unifi controller).

Firewall rules are to be added, but currently the problem is routing between the two networks.

Thanks for the help