Hello,
I’m super new to the Mikrotik environment and I need some help with my home setup.
I want to setup 3 wireless networks:
- one for my devices (full access)
- one for guests (filtered access to internet only, not my LAN)
- one for my home automation, access only to my wired deices in port 4 on my router
I followed several tutorials with no success (includingCAPsMAN). Can anybody help? This is my setup:
Router:
# jun/22/2018 02:52:20 by RouterOS 6.42.2
# software id = VJ0A-JW5R
#
# model = 951Ui-2HnD
# serial number = 7175xxxx
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - modem"
set [ find default-name=ether2 ] name="ether2 - LAN"
set [ find default-name=ether3 ] name="ether3 - trunked"
set [ find default-name=ether4 ] name="ether4 - IoT"
set [ find default-name=ether5 ] name="ether5 - DMZ"
/interface pppoe-client
add add-default-route=yes disabled=no interface="ether1 - modem" name=\
pppoe-out-VodanoneADSL use-peer-dns=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface="ether3 - trunked" name="vlan2 - WLAN" vlan-id=2
add interface="ether3 - trunked" name="vlan4 - IoT WLAN" vlan-id=4
add interface="ether3 - trunked" name="vlan5 - guest WLAN" vlan-id=5
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN-IP-pool ranges=192.168.1.10-192.168.1.254
add name=WLAN-pool ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=LAN-IP-pool disabled=no interface="ether2 - LAN" name=\
dhcp-server-LAN
add address-pool=WLAN-pool disabled=no interface="vlan2 - WLAN" name=\
hhcp-server-WLAN
/ip address
add address=192.168.0.2/24 interface="ether1 - modem" network=192.168.0.0
add address=192.168.1.1/24 interface="ether2 - LAN" network=192.168.1.0
add address=192.168.2.1/24 interface="vlan2 - WLAN" network=192.168.2.0
add address=192.168.4.1/24 interface="vlan4 - IoT WLAN" network=192.168.4.0
add address=192.168.5.1/24 interface="vlan5 - guest WLAN" network=192.168.5.0
add address=192.168.3.1/24 interface="ether4 - IoT" network=192.168.3.0
add address=192.168.6.1/24 interface="ether5 - DMZ" network=192.168.6.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface=\
"ether1 - modem"
add action=accept chain=input comment="Accept established connections" \
connection-state=established
add action=accept chain=input comment="Accept related connections" \
connection-state=related
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=accept chain=input comment=UDP disabled=yes protocol=udp
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment=" Drop excess pings" protocol=icmp
add action=accept chain=input comment=" From LAN" in-interface="ether2 - LAN" \
src-address=192.168.1.0/24
add action=drop chain=input comment=\
"Drop all packets which are not destined to routes IP address" \
dst-address-type=!local
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet whi\
ch should not exist in public network" in-interface="ether1 - modem" \
src-address-list=NotPublic
add action=log chain=input comment=" Log everything else" log-prefix=\
" DROP INPUT"
add action=drop chain=input comment=" Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.2.0/24
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="MikroTik Router"
/system ntp client
set enabled=yes primary-ntp=194.177.210.54 secondary-ntp=88.198.12.78
/system routerboard settings
set silent-boot=no
Access Point:
# jan/19/1970 02:13:18 by RouterOS 6.41.2
# software id = V9U3-24G1
#
# model = RouterBOARD cAP L-2nD
# serial number = 7xxxxx
/interface bridge
add fast-forward=no name=bridge vlan-filtering=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=K____WLAN_sec_prof \
supplicant-identity="" wpa2-pre-shared-key=K___
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=K____GUEST_sec_prof \
supplicant-identity="" wpa2-pre-shared-key=K___
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=K____IoT_sec_prof supplicant-identity=\
"" wpa2-pre-shared-key=K___
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
name=K____WLAN security-profile=K____WLAN_sec_prof ssid=\
K____WLAN vlan-id=2 vlan-mode=use-tag wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=66:D1:xx:xx:xx:58 \
master-interface=K____WLAN multicast-buffering=disabled name=\
K____GUEST security-profile=K____GUEST_sec_prof ssid=\
K____GUEST vlan-id=5 vlan-mode=use-tag wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=66:D1:xx:xx:xx:59 \
master-interface=K____WLAN multicast-buffering=disabled name=\
K____IoT security-profile=K____IoT_sec_prof ssid=K____IoT \
vlan-id=4 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge interface=K____WLAN
add bridge=bridge interface=K____IoT
add bridge=bridge interface=K____GUEST
/interface bridge vlan
add bridge=bridge tagged=ether1,K____WLAN vlan-ids=2
add bridge=bridge tagged=ether1,K____IoT vlan-ids=4
add bridge=bridge tagged=ether1,K____GUEST vlan-ids=5
/interface detect-internet
set detect-interface-list=all
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=AP_FL0
/system ntp client
set enabled=yes primary-ntp=155.207.113.227 secondary-ntp=193.219.28.147
Thank you!