Stuck in new setup

Hiya people!

I am a bit stuck. I have run my network for about a year now, and things are going great. That is the signal for me to change things.

My current setup is quite simple.

At home I have working data for my stuff, people also live at home, and we have smart crap (some light bulbs, a DVR and, for some unexplained reason, a washing machine. One needs to choose battles). I have a HAP AC3 with three different networks (office 192.168.88.0, home 192.168.100.0, smart crap 10.0.0.0), each with its own IP range and firewall rules to prevent traffic between them. I have also assigned different eth ports to each use, so that I have that segmented as well. This has worked rather well, and I am able to filter things out quite easily. I access some services in my house through a WireGuard interface running on 192.168.89.0 with some firewall rules to allow traffic between it and 192.168.88.0. This has worked great.

I want to add another layer to the network now. I am aiming at using a small HEX router as the main router and the HAP AC3 as the access point. I know the HAP is more powerful, but the HEX is plenty for what I need.

So, in the HEX, eth1 will be the WAN port, eth2 the AP port and the remaining ports assigned to each network (office, smart crap and home). The HAP would be set up with three wifi networks (6 if you count 5 GHz), but I still want to maintain the separation as much as possible.

I have tried a whole lot so far, and I think I have come to this point.

For the HEX, I am starting fresh from a blank router. I create three bridges, one for each network:

/interface ethernet set [ find default-name=ether1 ] name=wan
/ip address add address=****/24 interface=wan
/ip route add dst-address=0.0.0.0/0 gateway=****

# create bridges, add ports and assign IPs.
/interface bridge
add name=bridge-office
add name=bridge-home
add name=bridge-smart_crap
/interface bridge port
add bridge=bridge-office interface=ether2
add bridge=bridge-office interface=ether3
add bridge=bridge-home interface=ether4
add bridge=bridge-smart_crap interface=ether5
/ip address
add address=192.168.88.1/24 interface=bridge-office
add address=192.168.100.1/24 interface=bridge-home
add address=10.0.0.1/24 interface=bridge-smart_crap

#for DHCP servers
/ip pool
add name=dhcp-office ranges=192.168.88.50-192.168.88.254
add name=dhcp-home ranges=192.168.100.2-192.168.100.254
add name=dhcp-smart_crap ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
# the interface name must match the bridge created above (the export read bridge-oficina, which does not exist)
add address-pool=dhcp-office interface=bridge-office name=dhcp-office
add address-pool=dhcp-home interface=bridge-home name=dhcp-home
add address-pool=dhcp-smart_crap interface=bridge-smart_crap name=dhcp-smart_crap
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.88.1
add address=192.168.100.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.100.1
add address=10.0.0.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.0.0.1

# I have the very basic firewall. This is clearly not safe, but is for testing purposes
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address=192.168.88.0/24 dst-address=192.168.88.1
add chain=input action=drop
/ip firewall nat
add chain=srcnat action=masquerade out-interface=wan

I am sure you already know why this is not working, but connecting to any eth port with a Windows machine does not result in an assigned IP. I can connect only through MAC.

I have not given any thought as to how to configure the HAP AP but I will cross that bridge when I get to it.

Unless someone has done this before and has a better idea about how to simplify this, to ensure that networks are segmented and somewhat safe from the smart_crap.

Thank you!

A better (best?) idea is using VLANs. Please read this great topic to get loads of information and examples:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Hiya Erlinden!

Thank you for your reply. It took a few days, but it is working now.

The new “diagram” looks something like:

Internet — HEX ---- HAP

I am having two particular issues:

  1. The HEX is working fine. As is the case with the AccessPoint, I have implemented it like the script in the post:
/interface bridge
add admin-mac=BC:BC:BC:BC:BC:BC auto-mac=no name=bridge vlan-filtering=yes
/interface wireguard
add listen-port=12123 mtu=1420 name=wg_oveta
/interface vlan
add interface=bridge name=casa-vlan vlan-id=101
add interface=bridge name=domotica-vlan vlan-id=102
add interface=bridge name=oficina-vlan vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/ip pool
add name=oficina-pool ranges=192.168.1.100-192.168.1.254
add name=casa-pool ranges=192.168.100.10-192.168.100.254
add name=domotica-pool ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=oficina-pool interface=oficina-vlan name=oficina-dhcp
add address-pool=domotica-pool interface=domotica-vlan name=domotica-dhcp
add address-pool=casa-pool interface=casa-vlan name=casa-dhcp
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=102
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/interface bridge vlan
add bridge=bridge comment=oficina-vlan tagged=bridge,ether5 untagged=ether2 \
    vlan-ids=100
add bridge=bridge comment=casa-vlan tagged=bridge,ether5 untagged=ether3 \
    vlan-ids=101
add bridge=bridge comment=domotica-vlan tagged=bridge,ether5 untagged=ether4 \
    vlan-ids=102
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=oficina-vlan list=LAN
add interface=domotica-vlan list=LAN
add interface=casa-vlan list=LAN
add interface=oficina-vlan list=VLAN
add interface=domotica-vlan list=VLAN
add interface=casa-vlan list=VLAN
add interface=oficina-vlan list=MGMT
add interface=wg_oveta list=MGMT
add interface=wg_oveta list=LAN
add interface=ether5 list=LAN
/interface wireguard peers
add allowed-address=192.168.10.10/32 comment="Iphone" \
    interface=wg_oveta name=iphone public-key=\
    "tezEgxDhAasdfadsfasdf="
add allowed-address=192.168.10.11/32 comment="MacBook" \
    interface=wg_oveta name=anguja public-key=\
    "j+X8Hg4asdfasdfasdf="
/ip address
add address=192.168.1.1/24 interface=oficina-vlan network=192.168.1.0
add address=192.168.100.1/24 interface=casa-vlan network=192.168.100.0
add address=10.0.0.1/24 interface=domotica-vlan network=10.0.0.0
add address=iphiddne/24 comment="Public IP" interface=ether1 network=\
    iphiddne
add address=192.168.10.1/24 interface=wg_oveta network=192.168.10.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.0.0.0/24 comment=domotica-dhcp gateway=10.0.0.1
add address=192.168.1.0/24 comment=oficina-dhcp gateway=192.168.1.1
add address=192.168.100.0/24 comment=casa-dhcp gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes cache-size=120048KiB servers=\
    1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4

/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
add address=192.168.100.1 comment=defconf name=router.lan
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow wireguard" dst-port=12123 \
    log-prefix=WIREGARD protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=DROPING
add action=accept chain=input comment=\
    "Allow oficina-vlan/MGMT access to all router services" \
    in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN ICMP Ping" \
    in-interface-list=VLAN protocol=icmp
add action=drop chain=input comment="Drop all other traffic" disabled=yes \
    in-interface-list=!LAN log=yes log-prefix=ALL_OTHER
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access Only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "Allow Port Forwarding - DSTNAT - enable if need server" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Dvr dst-address=IP_HIDDEN \
    dst-port=8000 protocol=tcp to-addresses=10.0.0.5 to-ports=8000
add action=dst-nat chain=dstnat comment=Dvr dst-address=IP_HIDDEN \
    dst-port=554 protocol=tcp to-addresses=10.0.0.5 to-ports=554
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=ether1 routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24,192.168.10.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24,192.168.10.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/XXX
/system identity
set name=Oveta
/system note
set show-at-login=no
/tool graphing interface
add allow-address=192.168.1.0/24 interface=ether1
add allow-address=192.168.1.0/24 interface=oficina-vlan
add allow-address=192.168.1.0/24 interface=domotica-vlan
add allow-address=192.168.1.0/24 interface=casa-vlan
/tool graphing resource
add allow-address=192.168.1.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

My problem is with the HAP I am using as access point.

I have set up the HAP following the AP setup in the post you suggested. I have all but implemented it exactly as is, changing only two or three things. If I run the entire script as is, the HAP is inaccessible through any interface (wired, wireless), both with IP and MAC. It is just invisible. Removing some of the rules (particularly the ingress rules on BR1), I can access it, but not through the wifi, only the eth ports.

My question is: is it implied that I would not be able to access the AP for management? I know I am doing something wrong, I just do not know what.

My current setup is:

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="AccessPoint"

#######################################
# VLAN Overview
#######################################

# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN

#######################################
# WIFI Setup
#######################################
# WIFI is working, IPs and VLAN tags are correctly assigned.

/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior 
/interface bridge port

# Blue, Green, Red VLAN 
add bridge=BR1 interface=wlan1 pvid=100
add bridge=BR1 interface=wlan2 pvid=101 
add bridge=BR1 interface=wlan3 pvid=102

/interface bridge port
# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1

# egress behavior 
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN) 
add bridge=BR1 tagged=ether1 vlan-ids=100 
add bridge=BR1 tagged=ether1 vlan-ids=101 
add bridge=BR1 tagged=ether1 vlan-ids=102
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99

#######################################
# IP Addressing & Routing
#######################################

# LAN facing AP's Private IP address on a BASE_VLAN 
/interface vlan 
add interface=BR1 name=BASE_VLAN vlan-id=99 
/ip address 
add address=192.168.1.3/24 interface=BASE_VLAN

# The Router's IP this AP will use 
/ip route add distance=1 gateway=192.168.1.1

#######################################
# IP Services
#######################################

# We have a router that will handle this. Nothing to set here.
# Attach this AP to a router configured as shown under the “RoaS” example.

#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports 
/interface bridge port 
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1] 
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2] 
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan3]

### THIS RULE IS IN THE AccessPoint.rsc script, but it just locks me out of the HAP. NOT IMPLEMENTED.
# Only allow ingress packets WITH tags on Trunk Ports 
/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]

#######################################
# MAC Server settings
#######################################
### THIS IS IN THE AccessPoint.rsc script, but it just locks me out of the HAP. NOT IMPLEMENTED.
# Ensure only visibility and availability from BASE_VLAN, the MGMT network 
#/interface list add name=BASE 
#/interface list member add interface=BASE_VLAN list=BASE 
#/ip neighbor discovery-settings set discover-interface-list=BASE 
#/tool mac-server mac-winbox set allowed-interface-list=BASE
#/tool mac-server set allowed-interface-list=BASE

#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
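As an added check (my own script, not from this thread or from MikroTik), the following parses constructed excerpts of the two exports above, lists the VLAN IDs each device tags on its trunk port (ether5 on the HEX, ether1 on the HAP) so that a VLAN present on only one side, such as the HAP's management VLAN 99, stands out, and flags firewall chains whose last rule is not an enabled unconditional drop, since RouterOS accepts whatever no rule matched. Trunk port names and the excerpt contents are taken from the post; the selection of lines is mine.

```python
import re
import shlex

# Constructed excerpts of the two exports in the post above: HEX router, then HAP access point.
HEX_EXPORT = """
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether2 vlan-ids=100
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=101
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=102
/ip firewall filter
add action=drop chain=input comment="Drop all other traffic" disabled=yes \\
    in-interface-list=!LAN log=yes log-prefix=ALL_OTHER
add action=drop chain=forward comment="defconf: drop invalid" \\
    connection-state=invalid
"""
AP_EXPORT = """
/interface bridge vlan
add bridge=BR1 tagged=ether1 vlan-ids=100
add bridge=BR1 tagged=ether1 vlan-ids=101
add bridge=BR1 tagged=ether1 vlan-ids=102
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
"""

def parse_export(text):
    """Map each '/section' of a RouterOS export to its add/set rules as dicts; joins '\\' continuations."""
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.startswith(("add ", "set ")):
            sections[current].append(dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:]))
    return sections

def trunk_vlans(sections, trunk_port):
    """VLAN IDs the bridge VLAN table sends tagged out of trunk_port."""
    vids = set()
    for r in sections.get("/interface bridge vlan", []):
        if trunk_port in r.get("tagged", "").split(","):
            vids.update(int(v) for v in r["vlan-ids"].split(","))
    return vids

# Keys that do not narrow what a rule matches; any other key makes the rule conditional.
NON_MATCH_KEYS = {"chain", "action", "comment", "log", "log-prefix", "disabled"}

def chain_gaps(sections):
    """Chains whose last rule is not an enabled, unconditional drop: RouterOS then accepts by default."""
    last_rule = {}
    for r in sections.get("/ip firewall filter", []):
        last_rule[r["chain"]] = r  # later rules overwrite, leaving the final rule of each chain
    return {chain: r.get("comment", "") for chain, r in last_rule.items()
            if r["action"] != "drop" or r.get("disabled") == "yes" or set(r) - NON_MATCH_KEYS}
```

Run against the two excerpts, the trunk difference is {99} (tagged on the HAP uplink, absent on the HEX) and both the input and forward chains are reported, which is why the three VLANs are not actually isolated from each other on the HEX.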

Looks like MGT and CORP VLAN are messed up. I.e. the different network ranges are incorrect. Start with a basic setup and follow the topic by the letter. Then make changes as desired.

In regards to no access, are you using Winbox? Does it show up on discovery?

Thank you for your quick reply!

I am sorry, I am not quite getting this point.

Looks like MGT and CORP VLAN are messed up. I.e. the different network ranges are incorrect

I am using 192.168.1.0, 192.168.100.0 and 10.0.0.0, for no particular reason, but this is not really different from the post, they do the same, but just at different ranges:

# IP Services
#######################################
# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10
/ip address add interface=BLUE_VLAN address=10.0.10.1/24
/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1

# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=20
/ip address add interface=GREEN_VLAN address=10.0.20.1/24
/ip pool add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1

# Red VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=RED_VLAN vlan-id=30
/ip address add interface=RED_VLAN address=10.0.30.1/24
/ip pool add name=RED_POOL ranges=10.0.30.2-10.0.30.254
/ip dhcp-server add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP disabled=no
/ip dhcp-server network add address=10.0.30.0/24 dns-server=192.168.0.1 gateway=10.0.30.1

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
# /ip pool add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
# /ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
# /ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

With respect to

In regards to no access, are you using Winbox? Does it show up on discovery?

Yes to using Winbox. If I use the script as is in the post, it does not show up on discovery through either WIFI or eth.
If I remove the last bits of the script, I can access it, but only on eth.

Now, for example, I am connected to the wifi and things run smooth. I just cannot access the webfig interface pointing to the ip address I assigned 192.168.1.3, which is on the same network as the router 192.168.1.1.

At this stage, the only way to access the AP is to reset the configuration, and reload the settings for it to work.

Now I see… you don't want to have your access point's IP address in the same range as the office IP. Normally (I assumed because of the VLAN ID) you would have a management VLAN where you do the IP assignment of all hardware involved.

To get it to work you can set the BASE_VLAN to ID 100. Not sure if that is enough, sure it is a bit of a mess.

Cheers!

I'll have a look. I have to do it tonight. I just suppressed an uprising at home; people have started complaining about the constant downtime.

I mean, they just cannot understand the importance of preventing foreign government actors accessing my 2010 Brother printer..