I’m having some trouble with getting guest and IoT WiFi SSIDs working in our home network. There are two issues:
- If I try to provision Guest as a slave config to our Mgmt or IoT configs, it never shows up on devices I’m trying to connect to it, so I’m probably missing some magic in the steps of how to set that up
- Devices that connect to the PiperNet_IoT SSID get assigned an IP address properly, from the IOT_POOL (10.0.40.2-10.0.40.254). However, they are unable to ping the gateway at 10.0.40.1. The main problem here is that there is no internet access on these devices. Devices that connect to the main PiperNet are able to reach internet, most likely because of the “allow all” rule in the firewall for the Mgmt subnet.
The basic topology of our network is an RB5009UG+S+IN router connected to ISP that acts as the main router for the house, connected to a hAP ac3 that serves as the main AP for the house.
The hAP ac3 has a few things attached to it by ethernet cables (stereo, AppleTV, TV) that all get assigned properly to the ENTERTAINMENT_VLAN and are able to reach the internet.
We have a second AP to serve the front end of the house, but I’ve got it turned off for now for reasons that are irrelevant to this post. I force all DNS traffic on the router through a PiHole on the network.
Here’s the main router config:
# dec/31/2023 14:20:35 by RouterOS 7.1.1
# model = RB5009UG+S+
# NOTE(review): 7.1.1 is two years older than the export date and RouterOS 7.x has had many
# security fixes since; plan an upgrade (a 6.x CAP should keep working with a newer CAPsMAN,
# but confirm in the release notes before doing so).
/caps-man channel
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=eeeC frequency=5240 name=5ghz-onlyac
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=2.4GHz-bgn
/interface bridge
# Single VLAN-aware bridge; every VLAN interface below hangs off it.
add admin-mac=DC:2C:6E:28:E1:FF auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
/interface wireguard
# Management VPN; the interface is added to the MGMT list later in this export.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# One L3 interface per VLAN; the router is the gateway on each (see /ip address).
add interface=bridge name=ENTERTAINMENT_VLAN vlan-id=50
add interface=bridge name=GUEST_VLAN vlan-id=240
add interface=bridge name=HOME_SEC_VLAN vlan-id=30
add interface=bridge name=HOME_SVC_VLAN vlan-id=20
add interface=bridge name=IOT_VLAN vlan-id=40
add interface=bridge name=MGMT_VLAN vlan-id=9
add interface=bridge name=NET_SVC_VLAN vlan-id=10
/caps-man datapath
# local-forwarding=yes + vlan-mode=use-tag: the CAP itself tags client frames with vlan-id and
# hands them to its own bridge, so the CAP's bridge VLAN table has to admit that VLAN on the
# dynamic wlan port (the AP export below lists only bridgeLocal/ether1 as members of 9/40/240).
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=CAP_MGMT_DATAPATH vlan-id=9 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=CAP_IOT_DATAPATH vlan-id=40 vlan-mode=use-tag
# Guest: client-to-client-forwarding=yes lets guests talk to each other over the air;
# client-to-client-forwarding=no is the usual choice for a guest SSID.
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=CAP_GUEST_DATAPATH vlan-id=240 vlan-mode=use-tag
/caps-man security
# Only the authentication type is visible; passphrases (and encryption, if non-default) are not in this export.
add authentication-types=wpa2-psk name=CAP_MGMT_SECURITY
add authentication-types=wpa2-psk name=CAP_IOT_SECURITY
add authentication-types=wpa2-psk name=CAP_GUEST_SECURITY
/caps-man configuration
add channel=5ghz-onlyac country="united states3" datapath=CAP_MGMT_DATAPATH installation=indoor name=CAP_MGMT_CONFIG security=CAP_MGMT_SECURITY ssid=PiperNet
add channel=2.4GHz-bgn country="united states3" datapath=CAP_IOT_DATAPATH installation=indoor name=CAP_IOT_CONFIG security=CAP_IOT_SECURITY ssid=PiperNet_IoT
add channel=5ghz-onlyac country="united states3" datapath=CAP_GUEST_DATAPATH installation=indoor name=CAP_GUEST_CONFIG security=CAP_GUEST_SECURITY ssid=PiperNet_Guest
/caps-man interface
add configuration=CAP_IOT_CONFIG disabled=no l2mtu=1600 mac-address=<REDACTED> master-interface=none name=LivingRoomAP_2.4GHz radio-mac=<REDACTED> radio-name=<REDACTED>
add configuration=CAP_MGMT_CONFIG disabled=no l2mtu=1600 mac-address=<REDACTED> master-interface=none name=LivingRoomAP_5GHz radio-mac=<REDACTED> radio-name=<REDACTED>
# NOTE(review): the guest virtual AP already exists as a static interface (master-interface=LivingRoomAP_5GHz)
# but is disabled=yes. Provisioning creates interfaces for radios that have none; as far as I know it does
# not re-enable an existing static one, which would explain why the guest SSID never broadcasts.
# Set disabled=no here (or remove the entry and re-provision the radio) and confirm.
add configuration=CAP_GUEST_CONFIG disabled=yes l2mtu=1600 mac-address=<REDACTED> master-interface=LivingRoomAP_5GHz name=LivingRoomAP_5GHz_Guest radio-mac=00:00:00:00:00:00 radio-name=""
# OfficeAP_*: the second AP, intentionally powered off.
add configuration=CAP_IOT_CONFIG disabled=yes l2mtu=1600 mac-address=<REDACTED> master-interface=none name=OfficeAP_2.4GHz radio-mac=<REDACTED> radio-name=<REDACTED>
add configuration=CAP_MGMT_CONFIG disabled=yes l2mtu=1600 mac-address=<REDACTED> master-interface=none name=OfficeAP_5GHz radio-mac=<REDACTED> radio-name=<REDACTED>
/interface list
# WAN/LAN are the default lists; VLAN and MGMT drive the filter rules further down.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# default-dhcp (192.168.88.x) is leftover default config; see the 'defconf' DHCP server below.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=MGMT_POOL ranges=10.0.0.2-10.0.0.254
add name=NET_SVC_POOL ranges=10.0.10.2-10.0.10.254
add name=HOME_SVC_POOL ranges=10.0.20.2-10.0.20.254
add name=HOME_SEC_POOL ranges=10.0.30.2-10.0.30.254
add name=IOT_POOL ranges=10.0.40.2-10.0.40.254
add name=ENTERTAINMENT_POOL ranges=10.0.50.2-10.0.50.254
add name=GUEST_POOL ranges=10.0.240.2-10.0.240.254
/ip dhcp-server
# 'defconf' still serves 192.168.88.x on the untagged side of the bridge (VLAN 1): untagged frames on
# any bridge port without a pvid/frame-types restriction end up here.
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP
add address-pool=NET_SVC_POOL interface=NET_SVC_VLAN name=NET_SVC_DHCP
add address-pool=HOME_SVC_POOL interface=HOME_SVC_VLAN name=HOME_SVC_DHCP
add address-pool=HOME_SEC_POOL interface=HOME_SEC_VLAN name=HOME_SEC_DHCP
add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP
add address-pool=ENTERTAINMENT_POOL interface=ENTERTAINMENT_VLAN name=ENTERTAINMENT_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
/user group
# NOTE(review): the group grants 'api' but explicitly denies 'read' (!read): a user in it can log in over
# the API yet cannot read configuration, which defeats a read-only API account. If the 10.0.20.5 client
# allowed in /ip service api uses this group, add 'read' (confirm what that client needs).
add name=Readonly_API policy="api,!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp,!rest-api"
/caps-man manager
# NOTE(review): no certificate / require-peer-certificate is set, so the CAP<->CAPsMAN control channel on the
# MGMT VLAN is not certificate-authenticated; consider issuing certificates and locking the CAP to this manager.
set enabled=yes
/caps-man provisioning
# Neither rule matches on radio-mac or hw-supported-modes, so any newly seen radio takes the first rule
# (CAP_MGMT_CONFIG master + guest slave). Radios that already have a static /caps-man interface above are,
# as far as I know, not re-provisioned, so editing these rules alone will not make the guest SSID appear.
add action=create-enabled master-configuration=CAP_MGMT_CONFIG slave-configurations=CAP_GUEST_CONFIG
add action=create-enabled master-configuration=CAP_IOT_CONFIG
/interface bridge port
# ether2/ether7: untagged access ports in VLAN 9 (pvid=9). Their tagged membership in VLANs 10-240 in
# /interface bridge vlan below can never be exercised with admit-only-untagged-and-priority-tagged;
# harmless, but misleading.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=9
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether3
# ether4/ether8 are disabled in /interface ethernet; their entries here and below are inert.
add bridge=bridge comment=defconf interface=ether4
# NOTE(review): ether5, ether6 (PoE switch) and sfp-sfpplus1 keep the defaults (admit-all, pvid 1), so an
# untagged frame on any of them reaches the bridge's own 192.168.88.1/24, its defconf DHCP server and the
# MAC server (LAN list). If these are trunks, add frame-types=admit-only-vlan-tagged to close that path.
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment="PoE Switch" interface=ether6
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=9
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery answers only on the LAN list (bare bridge + wireguard1), not on the VLAN interfaces.
set discover-interface-list=LAN
/interface bridge vlan
# 'bridge' is a tagged member of every VLAN so the router's own VLAN interfaces see them.
# VLAN 9 (management) is deliberately kept off ether2/ether4/ether7 as a tagged member.
add bridge=bridge tagged=bridge,ether3,ether5,ether6,ether8 vlan-ids=9
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=30
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=40
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=50
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=240
/interface list member
# LAN = bare bridge + wireguard1 only. The VLAN interfaces are in VLAN, not LAN, so input rules keyed on
# in-interface-list=LAN (and the final !LAN drop) treat clients on every VLAN as non-LAN traffic.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=MGMT_VLAN list=VLAN
add interface=NET_SVC_VLAN list=VLAN
add interface=HOME_SVC_VLAN list=VLAN
add interface=HOME_SEC_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=ENTERTAINMENT_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
# MGMT = MGMT_VLAN + wireguard1: both get the "full access" accepts in the input and forward chains,
# i.e. every WireGuard peer is a management client.
add interface=MGMT_VLAN list=MGMT
add interface=wireguard1 list=MGMT
add interface=wireguard1 list=LAN
/interface wireguard peers
# Single peer. Its interface is in the MGMT list, so this peer gets full router and LAN access;
# there is no per-peer restriction beyond allowed-address.
add allowed-address=10.0.1.2/32 interface=wireguard1 public-key="<REDACTED>"
/ip address
# 192.168.88.1/24 on the bare bridge (untagged VLAN 1) is leftover default config.
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.0.1/24 interface=MGMT_VLAN network=10.0.0.0
add address=10.0.10.1/24 interface=NET_SVC_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=HOME_SVC_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=HOME_SEC_VLAN network=10.0.30.0
add address=10.0.40.1/24 interface=IOT_VLAN network=10.0.40.0
add address=10.0.50.1/24 interface=ENTERTAINMENT_VLAN network=10.0.50.0
add address=10.0.240.1/24 interface=GUEST_VLAN network=10.0.240.0
# WireGuard transfer network; the peer is statically 10.0.1.2.
add address=10.0.1.1/24 interface=wireguard1 network=10.0.1.0
/ip cloud
# Registers the WAN address with MikroTik's cloud DDNS (*.sn.mynetname.net); only needed if that
# name is used, presumably as the WireGuard endpoint.
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
# No dns-server is set for the 10.0.x networks, so clients presumably get the gateway as DNS; their
# port-53 traffic is then redirected to the PiHole by the dstnat rules further down.
# 10.0.1.0/24 has no DHCP server bound to it (WireGuard peers are static).
add address=10.0.0.0/24 gateway=10.0.0.1
add address=10.0.1.0/24 gateway=10.0.1.1
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=10.0.40.0/24 gateway=10.0.40.1
add address=10.0.50.0/24 gateway=10.0.50.1
add address=10.0.240.0/24 gateway=10.0.240.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for whatever reaches its input chain;
# its own upstream is the PiHole.
set allow-remote-requests=yes servers=10.0.10.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# WAN_DENIED: the HOME_SEC VLAN never reaches WAN (see "Deny WAN Access" in the filter).
add address=10.0.30.0/24 comment="HOME_SEC subnet" list=WAN_DENIED
# ALLOWS_HOMEASSISTANT / CAMERAS: destinations the two HOME_SVC hosts may initiate connections to.
add address=10.0.50.3 comment=AppleTV list=ALLOWS_HOMEASSISTANT
add address=10.0.40.3 comment=Printer list=ALLOWS_HOMEASSISTANT
add address=10.0.50.4 comment=Stereo list=ALLOWS_HOMEASSISTANT
add address=10.0.40.4 comment=Thermostat list=ALLOWS_HOMEASSISTANT
add address=10.0.50.5 comment="LG TV" list=ALLOWS_HOMEASSISTANT
# UDP_ALLOWED: grants the Apple TV every UDP port on the router itself (see input rule "Allow UDP").
add address=10.0.50.3 comment="Apple TV" list=UDP_ALLOWED
# The doorbell sits in IOT (which has WAN access) while the porch camera is in the WAN-denied HOME_SEC VLAN;
# if the doorbell should not talk to the internet, add it to WAN_DENIED as well.
add address=10.0.40.5 comment="Doorbell Camera" list=CAMERAS
add address=10.0.30.2 comment="Back Porch Camera" list=CAMERAS
# NOTE(review): EXPLICIT_ALLOW_WAN is not referenced by any rule in this export, and "Allow VLAN internet
# access" below already gives every VLAN WAN access. Either remove the list or implement the default-deny it
# implies (e.g. a drop for IOT_VLAN -> WAN with src-address-list=!EXPLICIT_ALLOW_WAN placed before that accept).
add address=10.0.40.100 comment=Firestick list=EXPLICIT_ALLOW_WAN
/ip firewall filter
# ---- input (traffic to the router itself) ----
add action=accept chain=input comment="Accept VPN UDP" dst-port=13231 protocol=udp
# log-prefix without log=yes has no effect.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked log-prefix=ESTABLISHED
# MGMT = MGMT_VLAN + wireguard1: everything on the main PiperNet SSID or the VPN may reach every router
# service; the /ip service address lists are the only remaining limit.
add action=accept chain=input comment="Allow MGMT full access" in-interface-list=MGMT
# NOTE(review): the next two rules can never match. chain=input only sees packets addressed to the router,
# and 10.0.10.2 is the PiHole, so DNS to it is forwarded (and admitted by "Allow Net Services Access to LAN"
# below). Both can be removed.
add action=accept chain=input comment="Allow PiHole TCP" dst-address=10.0.10.2 dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow PiHole UDP" dst-address=10.0.10.2 dst-port=53 in-interface-list=LAN protocol=udp
# Any UDP port on the router from UDP_ALLOWED (the Apple TV); if one service is meant, add dst-port=.
add action=accept chain=input comment="Allow UDP" protocol=udp src-address-list=UDP_ALLOWED
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix="Drop input invalid"
# Accepts ICMP from every interface, WAN included (defconf). An IoT client's ping to 10.0.40.1 is accepted
# here; if this rule's counter does not move while pinging, the packet is not arriving at L3 and the problem
# is on the AP/VLAN path rather than in this chain.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# LAN = bare bridge + wireguard1 only, so every VLAN client not accepted above is dropped here (logged NON_LAN).
# NOTE(review): this makes the /ip service api allowance for 10.0.20.5 ineffective: that host arrives on
# HOME_SVC_VLAN (list VLAN, not LAN/MGMT) and nothing above accepts TCP 8728/8729 from it. Add, before this rule:
#   add action=accept chain=input comment="HA API" dst-port=8729 protocol=tcp src-address=10.0.20.5
# (8729 = api-ssl; use 8728 only if plain api is kept.)
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=NON_LAN
add action=drop chain=input comment="Drop all else" log=yes log-prefix="Dropped Input"
# ---- forward (traffic through the router) ----
# fasttrack + hw-offload: after the first packets, established flows bypass the rules below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="Allow MGMT full access" in-interface-list=MGMT
# NOTE(review): this admits every port on 10.0.10.2 from all VLANs, GUEST and IOT included, so a guest can
# reach the PiHole's admin UI or SSH, not just its resolver. Restrict it to DNS:
#   add action=accept chain=forward comment="Allow DNS to PiHole" dst-address=10.0.10.2 dst-port=53 in-interface-list=VLAN protocol=udp
#   add action=accept chain=forward comment="Allow DNS to PiHole" dst-address=10.0.10.2 dst-port=53 in-interface-list=VLAN protocol=tcp
# log=yes here logs every new DNS flow; drop it once things work.
add action=accept chain=forward comment="Allow Net Services Access to LAN" dst-address=10.0.10.2 in-interface-list=VLAN log=yes log-prefix="Allow Net Service Usage"
# Order matters: the WAN_DENIED drop precedes the VLAN -> WAN accept.
add action=drop chain=forward comment="Deny WAN Access" log=yes log-prefix="Denied WAN" out-interface-list=WAN src-address-list=WAN_DENIED
# Every VLAN (GUEST and IOT included) reaches WAN here; the EXPLICIT_ALLOW_WAN address list is unused.
add action=accept chain=forward comment="Allow VLAN internet access" in-interface-list=VLAN out-interface-list=WAN
# The HOME_SVC hosts initiate to IoT/entertainment devices; the reverse direction is not opened.
add action=accept chain=forward comment="Allow HomeAssistant" dst-address-list=ALLOWS_HOMEASSISTANT src-address=10.0.20.5
add action=accept chain=forward comment="Allow Frigate to Cameras" dst-address-list=CAMERAS src-address=10.0.20.2
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="Forward Invalid"
# Only WAN-originated flows without a dstnat are dropped here; a WAN port-53 packet rewritten by the DNS
# intercept (see nat) passes this rule and is stopped only by "Drop all else".
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="Forward not DSTNATed"
add action=drop chain=forward comment="Drop all else" log=yes log-prefix="Dropped forward"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): the two DNS intercepts carry no in-interface restriction, so they also rewrite unsolicited
# port-53 packets arriving from WAN toward 10.0.10.2; those are then stopped only by the final forward drop.
# Scope both rules with in-interface-list=VLAN (or !WAN) so the PiHole is never a dstnat target for WAN traffic.
add action=dst-nat chain=dstnat comment="Intercept DNS queries TCP" dst-address=!10.0.10.2 dst-port=53 protocol=tcp src-address=!10.0.10.2 to-addresses=10.0.10.2 to-ports=53
add action=dst-nat chain=dstnat comment="Intercept DNS queries UDP" dst-address=!10.0.10.2 dst-port=53 protocol=udp src-address=!10.0.10.2 to-addresses=10.0.10.2 to-ports=53
# Hairpin: source-NATs the redirected queries so replies come back through the router. Side effect: the PiHole
# sees every client as the router's 10.0.10.1, so per-client logging or group policies on the PiHole cannot work.
add action=masquerade chain=srcnat comment="Masquerade request to PiHole TCP" dst-address=10.0.10.2 dst-port=53 protocol=tcp src-address=10.0.0.0/8
add action=masquerade chain=srcnat comment="Masquerade request to PiHole UDP" dst-address=10.0.10.2 dst-port=53 protocol=udp src-address=10.0.0.0/8
/ip service
set telnet disabled=yes
set ftp disabled=yes
# Plain HTTP management from the MGMT subnet and the WireGuard subnet. www-ssl is not in this export
# (presumably still at its default, disabled); prefer www-ssl with a certificate and disable www.
set www address=10.0.0.0/24,10.0.1.0/24
set ssh disabled=yes
# NOTE(review): plain api (8728) is enabled for 10.0.20.5 while api-ssl is disabled, so that client's
# credentials would cross VLANs unencrypted -- and the input chain drops the connection anyway (see the
# !LAN drop in filter). Enable api-ssl, point the client at 8729, and add the matching input accept.
set api address=10.0.0.0/24,10.0.20.5/32
# The main PiperNet SSID is the MGMT VLAN, so every phone/laptop on it is inside these address lists.
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
# defconf bogon list.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# defconf IPv6 rules. NOTE(review): the 22-rule set below appears twice (the second copy starts at the second
# "accept established,related,untracked"). If '/ipv6 firewall filter print' really shows 44 rules, delete the
# duplicate half; if it shows 22, this is a paste artefact. No IPv6 addresses appear in this export, so the
# rules are currently inert either way.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# ---- second, identical copy of the rule set (see note above) ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Denver
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
# MAC-telnet and MAC-winbox answer on the LAN list (bare bridge + wireguard1). Combined with the admit-all
# bridge ports noted above, an untagged cable into ether5/ether6/sfp-sfpplus1 gets MAC-level management
# access to the router; restrict this to MGMT (or 'none') once the trunk ports admit only tagged frames.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
# Fails the router's own resolver over to 1.1.1.1 while the PiHole is down and restores it afterwards.
# NOTE(review): the dstnat DNS intercept rules are unconditional, so client queries keep being redirected
# to the unreachable 10.0.10.2 during an outage; only the router's own lookups recover. If clients should
# keep resolving, have these scripts also disable/enable the two intercept rules (find them by comment).
# BeepDown/BeepUp are not part of this export.
add down-script=\
":log warning \"PiHole offline. Changing DNS\"\r\
\nsystem script run BeepDown\r\
\nip dns set servers=\"1.1.1.1\"" host=10.0.10.2 interval=5s up-script=":log warning \"PiHole back online. Changing DNS\"\r\
\nsystem script run BeepUp\r\
\nip dns set servers=\"10.0.10.2\""
And the AP config:
# dec/31/2023 18:17:49 by RouterOS 6.47.9
# model = RBD53iG-5HacD2HnD
# NOTE(review): 6.47.9 is almost three years older than the export date; upgrade (latest 6.49.x at least).
/interface bridge
# VLAN-aware bridge; the CAP adds wlan1/wlan2 to it dynamically (see /interface wireless cap).
add admin-mac=2C:C8:1B:A0:58:58 auto-mac=no comment=defconf name=bridgeLocal protocol-mode=none vlan-filtering=yes
/interface wireless
# The local ssid/settings are overridden while CAPsMAN manages the radios; the generated comments show
# what the manager pushed (channel, SSID, local forwarding).
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: PiperNet_IoT, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5240/20-eeeC/ac(25dBm), SSID: PiperNet, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
# NOTE(review): only MGMT_VLAN gets an address (dhcp-client below). The ENTERTAINMENT/GUEST/IOT/NET_SVC
# interfaces give the AP's CPU a foothold on those VLANs with no visible purpose; remove them (and drop
# bridgeLocal from the tagged list of VLANs 10/40/240 below, testing first) so guest/IoT clients cannot
# address the AP itself.
add interface=bridgeLocal name=ENTERTAINMENT_VLAN vlan-id=50
add interface=bridgeLocal name=GUEST_VLAN vlan-id=240
add interface=bridgeLocal name=IOT_VLAN vlan-id=40
add interface=bridgeLocal name=MGMT_VLAN vlan-id=9
add interface=bridgeLocal name=NET_SVC_VLAN vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# ether1 = trunk to the router (tagged frames only); ether2-4 = untagged access ports in VLAN 50.
add bridge=bridgeLocal comment="Trunk Port" frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeLocal comment="Uses ENTERTAINMENT_VLAN" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=50
add bridge=bridgeLocal comment="Uses ENTERTAINMENT_VLAN" frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=50
add bridge=bridgeLocal comment="Uses ENTERTAINMENT_VLAN" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=50
# NOTE(review): ether5 keeps the defaults (admit-all, pvid 1), so an untagged device on it talks directly to
# bridgeLocal and the AP's CPU; give it a pvid/frame-types like ether2-4, or disable it.
add bridge=bridgeLocal comment=defconf interface=ether5
/interface bridge vlan
# NOTE(review): no wlan port is a member of VLAN 9, 40 or 240 in this table; with vlan-filtering=yes the
# dynamic CAP ports need that membership for the tagged frames the datapath produces (vlan-mode=use-tag),
# unless the CAP adds it dynamically. With an IoT client connected, check '/interface bridge vlan print'
# (dynamic entries) and '/interface bridge host print'; if wlan1 is not listed for VLAN 40, add it as a
# tagged member here (wlan1 for 40, wlan2 for 9, the dynamic guest virtual interface for 240).
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=9
add bridge=bridgeLocal tagged=ether1 vlan-ids=50
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=40
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=240
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=10
/interface wireless cap
# NOTE(review): no certificate / lock-to-caps-man is set, so the control channel to 10.0.0.1 is not
# certificate-authenticated; consider certificate=request and lock-to-caps-man=yes once the manager has one.
set bridge=bridgeLocal caps-man-addresses=10.0.0.1 discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
# The bridgeLocal (untagged VLAN 1) client is leftover defconf; ether1 admits tagged frames only, so it can
# never obtain a lease over the trunk -- remove it. The management address comes from MGMT_VLAN.
add comment=defconf interface=bridgeLocal
add disabled=no interface=MGMT_VLAN
/system clock
set time-zone-name=America/Denver
/system identity
set name="Living Room AP"
Hoping somebody with more experience can easily spot anything I’ve got misconfigured. Aside from looking for the cause of the issues above, feel free to roast my configs!