VLAN not handing out Internet

I'm looking to hand out multiple SSIDs, each on a different VLAN, from a Unifi AP connected on ether22.

If I set up the SSID to tag traffic on VLAN 30 and connect, I am handed an IP in the 10.10.30.0/24 range, which is what I expect. The problem: I have no internet.
I don't understand why and was hoping someone could advise on what is missing.

For context, if I put a port on a VLAN via a PVID, it gets internet and works fine. Ether1, 2, 3 and 4 are examples of ports on another VLAN that I'm trying to hand out over Wi-Fi.

# RouterOS export from the thread: one VLAN-filtering bridge, a VLAN interface per subnet,
# DHCP, NAT and the firewall all on this router. Review notes are prefixed NOTE(review).
/interface bridge
add name=PrimaryBridge vlan-filtering=yes
/interface ethernet
# Port labels only; ether24 is renamed and used as the WAN port throughout.
set [ find default-name=ether1 ] comment="CCTV Back"
set [ find default-name=ether2 ] comment="CCTV Front Right"
set [ find default-name=ether3 ] comment="CCTV Front Left"
set [ find default-name=ether9 ] comment=NAS
set [ find default-name=ether10 ] comment=PX3
set [ find default-name=ether11 ] comment=PX2
set [ find default-name=ether12 ] comment=PX1
set [ find default-name=ether22 ] comment=WAP
set [ find default-name=ether24 ] name="ether24 -WAN"
set [ find default-name=sfp-sfpplus2 ] comment="Office Uplink"
set [ find default-name=sfp-sfpplus3 ] comment="Synology NAS"
set [ find default-name=sfp-sfpplus4 ] comment="Synology NAS"
/interface vlan
# L3 VLAN interfaces on the bridge: 10 Production, 20 Local, 30 Guest, 40 CCTV.
add interface=PrimaryBridge name=CCTV vlan-id=40
add interface=PrimaryBridge name=Guest vlan-id=30
add interface=PrimaryBridge name=Local vlan-id=20
add interface=PrimaryBridge name=Production vlan-id=10
/interface list
# NOTE(review): WinboxConnection is declared but has no members (see /interface list member)
# and is not referenced by any firewall rule below, so it currently has no effect.
add name=WAN
add name=LAN
add name=WinboxConnection
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# .20-.254 of each /24; .1 is the router's own address in each subnet (see /ip address).
add comment=Production name=dhcp_pool1 ranges=10.10.10.20-10.10.10.254
add comment=Guest name=dhcp_pool3 ranges=10.10.30.20-10.10.30.254
add comment=CCTV name=dhcp_pool4 ranges=10.10.40.20-10.10.40.254
add comment=Local name=dhcp_pool2 ranges=10.10.20.20-10.10.20.254
/ip dhcp-server
# One DHCP server bound to each VLAN interface, so leases are handed out per VLAN.
add address-pool=dhcp_pool1 interface=Production name=Production-DHCP
add address-pool=dhcp_pool3 interface=Guest name=Guest-DHCP
add address-pool=dhcp_pool4 interface=CCTV name=CCTV-DHCP
add address-pool=dhcp_pool2 interface=Local name=Local-DHCP
/port
set 0 name=serial0
/interface bridge port
# Access ports: pvid is the untagged VLAN (40 = CCTV on ether1-5, 10 = Production elsewhere).
# ether22 (WAP) is the hybrid port to the AP: untagged 10 plus whatever is tagged for it under
# /interface bridge vlan. ether23 is deliberately not a bridge port (it gets its own address below).
# NOTE(review): no port sets ingress-filtering or frame-types, so the RouterOS defaults apply;
# confirm whether tagged frames arriving on the access ports are dropped or accepted.
add bridge=PrimaryBridge interface=ether4 pvid=40
add bridge=PrimaryBridge interface=ether5 pvid=40
add bridge=PrimaryBridge interface=ether6 pvid=10
add bridge=PrimaryBridge interface=ether7 pvid=10
add bridge=PrimaryBridge interface=ether8 pvid=10
add bridge=PrimaryBridge interface=ether9 pvid=10
add bridge=PrimaryBridge interface=ether2 pvid=40
add bridge=PrimaryBridge interface=ether10 pvid=10
add bridge=PrimaryBridge interface=ether11 pvid=10
add bridge=PrimaryBridge interface=ether12 pvid=10
add bridge=PrimaryBridge interface=ether13 pvid=10
add bridge=PrimaryBridge interface=ether14 pvid=10
add bridge=PrimaryBridge interface=ether15 pvid=10
add bridge=PrimaryBridge interface=ether16 pvid=10
add bridge=PrimaryBridge interface=ether17 pvid=10
add bridge=PrimaryBridge interface=ether18 pvid=10
add bridge=PrimaryBridge interface=ether19 pvid=10
add bridge=PrimaryBridge interface=ether20 pvid=10
add bridge=PrimaryBridge interface=sfp-sfpplus1 pvid=10
add bridge=PrimaryBridge interface=sfp-sfpplus2 pvid=10
add bridge=PrimaryBridge interface=sfp-sfpplus3 pvid=10
add bridge=PrimaryBridge interface=sfp-sfpplus4 pvid=10
add bridge=PrimaryBridge interface=ether21 pvid=10
add bridge=PrimaryBridge interface=ether1 pvid=40
add bridge=PrimaryBridge interface=ether22 pvid=10
add bridge=PrimaryBridge interface=ether3 pvid=40
/interface bridge vlan
# NOTE(review): VLAN 10 is the pvid (untagged) of ether22 above AND is listed as tagged on ether22
# here. One VLAN cannot be both untagged and tagged on the same port; if 10 is meant to be the
# AP's untagged management VLAN, remove ether22 from the tagged list for vlan-ids=10.
# ether12 (PX1) carries 20/30/40 tagged while its pvid is 10, i.e. it is a hybrid/trunk port;
# confirm that is intended for the device on that port.
add bridge=PrimaryBridge tagged=PrimaryBridge,ether22 vlan-ids=10
add bridge=PrimaryBridge tagged=PrimaryBridge,ether22,ether12 vlan-ids=20
add bridge=PrimaryBridge tagged=PrimaryBridge,ether22,ether12 vlan-ids=30
add bridge=PrimaryBridge tagged=PrimaryBridge,ether22,ether12 vlan-ids=40
/interface detect-internet
# NOTE(review): internet detection runs on every interface; the thread recommends setting this
# to none, as it is known to cause odd behaviour.
set detect-interface-list=all
/interface list member
# LAN = all four VLAN interfaces, ether23 and the bridge itself. Guest (VLAN 30) and CCTV share
# this list with Production, and the input chain below accepts everything from LAN, so clients
# on the Guest and CCTV VLANs can reach every router service, management included. A separate
# trusted list for management access is the usual fix.
add interface="ether24 -WAN" list=WAN
add interface=Production list=LAN
add interface=ether23 list=LAN
add interface=CCTV list=LAN
add interface=Guest list=LAN
add interface=Local list=LAN
add interface=PrimaryBridge list=LAN
/ip address
add address=10.10.10.1/24 interface=Production network=10.10.10.0
add address=10.10.20.1/24 interface=Local network=10.10.20.0
add address=10.10.30.1/24 interface=Guest network=10.10.30.0
add address=10.10.40.1/24 interface=CCTV network=10.10.40.0
# NOTE(review): no prefix length on 192.168.0.1 and network=192.168.0.1 — this reads as a /32 on
# the off-bridge port ether23; confirm that is what is intended.
add address=192.168.0.1 interface=ether23 network=192.168.0.1
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add interface="ether24 -WAN"
/ip dhcp-server network
# Every subnet is handed dns-server=10.10.10.2, a host inside the Production VLAN, so Guest,
# Local and CCTV clients need forward access into Production for name resolution. This works
# today only because the forward chain has no terminating drop; if a final "drop all else" is
# added to forward, a rule allowing udp/tcp 53 to 10.10.10.2 from those VLANs is needed as well.
add address=10.10.10.0/24 comment=Production dns-server=10.10.10.2 gateway=\
    10.10.10.1
add address=10.10.20.0/24 comment=Local dns-server=10.10.10.2 gateway=\
    10.10.20.1
add address=10.10.30.0/24 comment=Guest dns-server=10.10.10.2 gateway=\
    10.10.30.1
add address=10.10.40.0/24 comment=CCTV dns-server=10.10.10.2 gateway=10.10.40.1
/ip firewall address-list
# Non-routable source/destination ranges dropped in forward. 10.0.0.0/8 is not listed, which is
# consistent with the LAN subnets being 10.10.x.0/24.
add address=0.0.0.0/8 comment=RFC6890 list=no_forward_ipv4
add address=169.254.0.0/16 comment=RFC6890 list=no_forward_ipv4
add address=224.0.0.0/4 comment=" multicast" list=no_forward_ipv4
add address=255.255.255.255 comment=RFC6890 list=no_forward_ipv4
/ip firewall filter
# input chain: accept ICMP, accept established/related/untracked, drop anything not from LAN.
# Nothing else is matched, so the chain default (accept) applies to all other traffic from
# LAN-listed interfaces: every router service is reachable from every VLAN. There is also no
# "drop invalid" rule in input.
# forward chain: the only drops are invalid, WAN-originated non-DSTNAT traffic and the bogon
# lists. There is no terminating drop, so inter-VLAN traffic (Guest <-> Production, CCTV <->
# Production, ...) is forwarded by the chain default. The "Allow VLAN 30 to WAN" rule is
# therefore not what gates Guest internet access; forward and masquerade already permit it.
add action=accept chain=forward comment="Allow VLAN 30 to WAN" in-interface=\
    Guest out-interface-list=WAN
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
# Two disabled CCTV rules: CCTV to WAN, and RTSP (tcp/554) without any interface restriction.
add action=accept chain=forward disabled=yes in-interface=CCTV out-interface=\
    "ether24 -WAN"
add action=accept chain=forward disabled=yes dst-port=554 protocol=tcp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="accept all that matches IPSec policy" \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment=" fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop bad forward IPs" src-address-list=\
    no_forward_ipv4
add action=drop chain=forward comment="drop bad forward IPs" dst-address-list=\
    no_forward_ipv4
/ip firewall nat
# Hairpin NAT for Production is disabled; masquerade is on the WAN list.
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes \
    dst-address=10.10.10.0/24 out-interface=PrimaryBridge src-address=\
    10.10.10.0/24
add action=masquerade chain=srcnat comment=" masquerade" out-interface-list=WAN
add action=accept chain=srcnat comment=" accept all that matches IPSec policy" \
    ipsec-policy=out,ipsec
# NOTE(review): both dst-nat rules match a literal public address AND in-interface="ether24 -WAN".
# The thread points out that the real WAN address should not be posted and that, with a dynamic
# WAN IP, an address list populated from /ip cloud is the usual match instead of a literal.
add action=dst-nat chain=dstnat comment="Satisfactory Game Server" dst-address=\
    82.39.60.222 dst-port=7777 in-interface="ether24 -WAN" protocol=tcp \
    to-addresses=10.10.10.101 to-ports=7777
add action=dst-nat chain=dstnat comment="Satisfactory Game Server" dst-address=\
    82.39.60.222 dst-port=7777 in-interface="ether24 -WAN" protocol=udp \
    to-addresses=10.10.10.101 to-ports=7777
/ip firewall service-port
# FTP and H.323 NAT helpers are disabled.
set ftp disabled=yes
set h323 disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/London
/system identity
set name=StrawberryRouter
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
add address=2.uk.pool.ntp.org
add address=3.uk.pool.ntp.org
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
# NOTE(review): this export has no /ip neighbor discovery-settings, /tool mac-server or /ip service
# entries, so their defaults apply on all interfaces; confirm neighbor discovery and MAC-Winbox are
# limited to a trusted interface list.
  1. Typically UNIFI requires the management or trusted vlan UNTAGGED, and the rest of the data vlans tagged.
    What is not clear to me is your trusted subnet: is it VLAN 10 (production) or VLAN 20 (home)… Since you have UniFi untagged on 10, I will assume it's production.

  2. All your /interface bridge port settings for access ports should look like:
    add bridge=PrimaryBridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=40

It appears that maybe one of your ports is a trunk port: PX1 on ether12 — what is that, as you send multiple VLANs to ether12??? Mystery…
I will treat this one as a trunk port until stated otherwise… your config is confused. :slight_smile:
add bridge=PrimaryBridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether12

You have one potential HYBRID port to the UNIFI on ether22; it is correct as is!! I note that 10 is your trusted VLAN!
add bridge=PrimaryBridge interface=ether22 pvid=10

  1. PROBLEM SOLVED - The issue with your setup is /interface bridge vlans…
    /interface bridge vlan
    add bridge=PrimaryBridge tagged=PrimaryBridge,ether12 vlan-ids=10
    add bridge=PrimaryBridge tagged=PrimaryBridge,ether22,ether12 vlan-ids=20
    add bridge=PrimaryBridge tagged=PrimaryBridge,ether22,ether12 vlan-ids=30
    add bridge=PrimaryBridge tagged=PrimaryBridge,ether22,ether12 vlan-ids=40

  2. SET THIS TO NONE; it is known to cause issues
    /interface detect-internet
    set detect-interface-list=NONE

  3. Your firewall is disorganized: keep chains together and have a coherent order of rules within a chain!
    Also, use your Trusted or Winbox connection idea.
    /interface list
    add name=WAN
    add name=LAN
    add name=TRUSTED

/interface list member ( bridge is not included )
add interface="ether24 -WAN" list=WAN
add interface=Production list=LAN
add interface=ether23 list=LAN
add interface=CCTV list=LAN
add interface=Guest list=LAN
add interface=Local list=LAN
add interface=Production list=TRUSTED
add interface=ether23 list=TRUSTED
comment="off bridge admin safe access for configuring
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked"
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="allow LAN" in-interface-list=TRUSTED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"

++++++++++++++++++
add action=fasttrack-connection chain=forward comment=" fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked"
connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN src-address=!10.10.40.0/
add action=accept chain=forward comment="admin to all VLANS"
??? { food for thought rule - use src-address list to define IPs }
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

  1. Your destination NAT rules are confusing. They seem to indicate you have a static WAN IP (which you should not post; use fake numbers to simulate it), but then you also have in-interface=WAN??
    More clarity is required on the type of WAN IP (static/dynamic, private/public) and the port forwarding.

Typically it's…
add action=dst-nat chain=dstnat dst-address=static-public-ip dst-port=7777 protocol=tcp to-address=10.10.10.101 { to port not required if same }

Or for dynamic WANIP
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-port=7777 protocol=tcp to-address=10.10.10.101 { use IP cloud or any dyndns free service }

  1. MISSING two entries…
    /ip neighbor discovery-settings
    set discover-interface-list=TRUSTED

AND
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

One question about the firewall: if these lines are disabled, what will happen?

add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp

I have similar rules in my firewall, but everything seems to work whether these lines are disabled or not?
What services are we talking about?

These lines refer to traffic from your specified LAN going “into” the router for DNS and NTP. Maybe you have other lines already allowing it? What do the counters say?

Counters for those lines are zero even when they are enabled.
Here is my firewall:

/ip firewall filter
add action=accept chain=input comment="Accept established, related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid log-prefix=Input_Drop_Invalid_
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="5009 config from port 8" in-interface-list=MGMT src-address=10.0.80.5
add action=accept chain=input comment="5009 config from port 2" in-interface-list=MGMT src-address=10.0.20.55
add action=accept chain=input comment="Allow LAN DNS queries" disabled=yes dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries" disabled=yes dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else" log-prefix=Input_Drop_All_Else_

add action=accept chain=forward comment="Accept established, related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log-prefix=Forward_Drop_Invalid_
add action=accept chain=forward comment="List LAN to internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Zyxel config from 5009 port 2" dst-address=10.0.20.15 src-address=10.0.20.55
add action=accept chain=forward comment="Zyxel config from 5009 port 8" dst-address=10.0.20.15 src-address=10.0.80.5
add action=accept chain=forward comment="Shelly config from 5009 port 2" dst-address=10.0.75.15 src-address=10.0.20.55
add action=drop chain=forward comment="Drop all else" log=yes log-prefix=Forward_Drop_All_Else_

The counter for that last line in the forward chain, “Drop All Else”, is also zero. Is that normal with these firewall rules?

{rant on} It amazes me that we are asked to make a definitive call on a question about someone's config, and they have the audacity to only show firewall rules. The config is a connected piece of work, and thus a partial view is next to useless. {rant off}

If your USER rules on the input chain never get any hits, then perhaps you are using ISP DNS to resolve names???
As for never seeing it block anything else, that is very weird; are you actually connected directly to the internet, i.e. with a public IP?

It's also rude to crash someone else's thread with your own questions; normally I would say start your own thread, but I'm feeling generous today. :slight_smile: