Both router and switch are running RouterOS v6.45.7.
Currently the clients of the Guest SSID only have WAN access (no LAN access) by way of some internal firewall rules in the AP.
And AFAICT, there’s no way for any machine on the LAN to connect to anything on the Guest SSID.
I’d like to allow connections to be initiated from some of the “Other LAN clients” to some of the clients in the Guest SSID.
I figured out how to get the RT-AC68U to tag the Guest SSID’s packets with a VLAN tag (I used 9).
However once I do that, the Guest SSID clients lose WAN connectivity entirely. I fiddled around a bit in the router trying to restore it but was unable to figure it out.
Note that both the Guest and Normal traffic are flowing over a single ethernet cable from the RT-AC68U AP to the CRS326 switch, and this would be very hard to change.
So my questions are:
What are the steps to give WAN access to the clients of Guest SSID (which I think amounts to the packets with VLAN tag 9)?
What are the steps to allow something in “other LAN clients” to initiate a connection to something on VLAN 9, but not vice versa?
First, it’s not clear how it works now. What addresses do guests get? Is there a separate subnet only on the AP? Also, how the blocked access to LAN works would be interesting to know.
For the new config you need to configure the switch to allow tagged vlan 9 on the ports connected to the AP and router. You didn’t even write if it has RouterOS or SwOS, so…
Once you have vlan 9 passing through the switch, you need the same vlan also on the router. If there’s only a single port connected to the switch (no bridge), then simply add a vlan interface on top of this port. If you have something more complex there, you’ll have to integrate it into that.
With vlan interface ready, add some new subnet to it, then configure DHCP server, and you’ll have guest subnet. Depending on your current firewall, it may have access everywhere or nowhere or something in between, so you’ll have to do something with that.
I mean, I know I’m not really helping, but it’s difficult. You have nice image, but the fact is, pretty much everything about your current config is one big mystery.
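The steps Sob lists (trunk VLAN 9 through the switch, a VLAN interface plus subnet and DHCP on the router, then firewall) as one worked RouterOS v6 config; this is an added example, not an export from anyone in the thread. It assumes ether1/ether2 as the switch ports facing the AP and router, ether2 as the router's switch-facing port with no bridge, 10.0.9.0/24 as a made-up guest subnet, the 192.168.88.0/24 LAN, and an interface list named WAN.

```routeros
# ---------- CRS326 switch (RouterOS): pass VLAN 9 tagged between the AP port and the router port ----------
# Assumed port roles: ether1 = RT-AC68U, ether2 = router. Untagged frames keep the default
# PVID 1, so the normal SSID still works over the same single cable.
/interface bridge
add name=BR1 vlan-filtering=no
/interface bridge port
add bridge=BR1 interface=ether1 comment="trunk to RT-AC68U"
add bridge=BR1 interface=ether2 comment="trunk to router"
/interface bridge vlan
add bridge=BR1 tagged=ether1,ether2 vlan-ids=9
# Enable filtering only after the VLAN table exists; otherwise the tagged guest frames are dropped
/interface bridge set BR1 vlan-filtering=yes

# ---------- Router (RouterOS): VLAN 9 interface, guest subnet, DHCP ----------
# Assumes the switch hangs off ether2 with no bridge (Sob's "single port" case);
# 10.0.9.0/24 is an assumed guest subnet, pick one that does not overlap the LAN.
/interface vlan
add name=vlan9-guest interface=ether2 vlan-id=9
/ip address
add address=10.0.9.1/24 interface=vlan9-guest
/ip pool
add name=GUEST_POOL ranges=10.0.9.10-10.0.9.200
/ip dhcp-server
add name=GUEST_DHCP interface=vlan9-guest address-pool=GUEST_POOL disabled=no
/ip dhcp-server network
add address=10.0.9.0/24 gateway=10.0.9.1 dns-server=10.0.9.1

# ---------- Router firewall: guest -> WAN only; LAN may initiate to guest, guest never to LAN ----------
# Order matters: each accept must sit above the final drop for its chain.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="without this guests reach nothing on the WAN"
/ip firewall filter
add chain=input action=accept in-interface=vlan9-guest protocol=udp dst-port=67 comment="guest DHCP"
add chain=input action=accept in-interface=vlan9-guest protocol=udp dst-port=53 comment="guest DNS (router as resolver)"
add chain=input action=drop in-interface=vlan9-guest comment="guests get nothing else from the router"
add chain=forward action=accept connection-state=established,related comment="replies in both directions"
add chain=forward action=accept in-interface=vlan9-guest out-interface-list=WAN comment="guest -> internet"
add chain=forward action=accept src-address=192.168.88.0/24 out-interface=vlan9-guest comment="LAN may initiate to guests"
add chain=forward action=drop in-interface=vlan9-guest comment="guest may not initiate to LAN"
```

To limit the LAN side to "some" clients, replace the src-address in the "LAN may initiate to guests" rule with a src-address-list containing only those hosts.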
Hi Sob,
Thanks so much for taking the time to read and reply.
There is no separate subnet for the guest WiFi or normal WiFi.
Everything gets addresses via DHCP from the router from 192.168.88.0/24.
I am fairly sure that before I set up any VLAN stuff, the blocking of guest access to LAN works through some firewall rules in the ASUS AP.
I think I’ll need to implement a different solution as part of switching from the ASUS AP’s default settings to using VLANs.
The router and the switch are both running RouterOS (which I did write in the first post, but no worries for missing it).
Is what I need to do covered in “Manual:Basic VLAN switching”?
I think I may have gotten this far last time but the firewall rules ended up with “access nowhere”. How do I provide access to the WAN but not the LAN to that subnet?
The same kind of config is also for the switch, when it runs RouterOS (right, now I see it). And this CRS should even support automatic HW offloading.
If you have the basic config working, i.e. you have a vlan interface on the router, with a dhcp server and clients connected to the AP are getting addresses, the rest is just firewall. It can be blocked by a filter, you may be missing a srcnat rule, etc. Add the endless amount of possible creative misconfigurations and we can be guessing until next Christmas. It’s best to export this non-working config and post it here in code tags, then it should be clear what’s wrong.
Thanks for linking to “Using RouterOS to VLAN your network”. I followed those examples and got things mostly working, but the clients on the guest SSID (now VLAN 20) don’t seem to get IP addresses assigned.
Summary: I see nothing wrong with the hEX setup except the following rule…
add action=masquerade chain=srcnat comment="hairpin NAT so LAN can access hass using WAN IP" dst-address=10.0.10.2 dst-port=8023 out-interface=BR1 protocol=tcp src-address=192.168.88.0/24
For hairpin NAT, this ONLY applies to the same subnet that the server is within.
If you are accessing the server from a different subnet then a hairpin nat rule is not required.
In this case it appears as though you wish to access servers from the 192.168.0 subnet while the servers are on the 10.0.10. subnet, in which case you do not need an extra source nat rule at all!!
If the server were also on the 192.168.0.0 subnet, the srcnat rule you need to add (extra rule) is as follows.
add chain=srcnat action=masquerade comment="HairpinNAT" src-address=192.168.0.0/24 dst-address=192.168.0.0/24
Note: This assumes that your server is on the .0.0 subnet and you want PCs from the same subnet to access the server using the WANIP address of the router.
What is not clear is if the WANIP is dynamic or static, since you use masquerade as action in the standard source nat rule one could assume dynamic.
If that is the case, then the associated dstnat rule (for hairpin nat - server in same subnet) for that server gets complicated… No need to bring it up here as it appears you just need to get rid of the interfering source nat rule…
Hold… WTF is 192.168.88.0? There is no such subnet in the config lol…
anav: Thanks for pointing out the bugs in the hairpin NAT rules. They had been copy-pasted from my previous configuration without having been updated for the new IP subnets and addresses. I will fix soon.
The AP is plugged into ether1 of the CRS. I thought it had to be plugged into a trunk port because the packets coming from it are already tagged (with either 10 or 20)?
So I thought this code was all that was needed, but please let me know if it’s wrong:
# egress behavior
/interface bridge vlan
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=ether1,ether2 [find vlan-ids=10]
set bridge=BR1 tagged=ether1,ether2 [find vlan-ids=20]
I think I have some issue with my DHCP and / or VLAN configs I’m struggling to figure out. Symptoms:
- The access point main network works if I statically assign an IP address to the access point itself (10.0.10.4). At that point the clients on the main SSID get assigned IP addresses on the blue VLAN + subnet. But when I changed the access point to receive an IP over DHCP, it seems to not get an IP address and it basically stops working entirely (clients lose DHCP as well).
- The guest SSID was never getting IP addresses assigned to clients.
- Machines plugged directly into the switch do get an IP address assigned and have internet access.
Now clients on the guest WiFi network (VLAN 20, GREEN_VLAN) do get IP addresses assigned by the GREEN_POOL DHCP server!
But, it seems for clients on both, there are frequent connection interruptions, even for connections between two clients on the same VLAN. E.g. SSH’ing from the WiFi to a wired client gets interrupted frequently, as does internet access. So I think something must still be misconfigured.
You didn't fix your mess here:
(1) the dst nat rules need an in-interface-list=WAN for a dynamic WANIP (except any server where you wish to use hairpin nat - then do not use in-interface-list=wan)
(2) Don't need to-ports if same as destination ports
(3) Other issue is your second srcnat rule for hairpin.
It appears that you wish to be able to access servers in the 10.0.10. network via your WANIP address from the 192.168.0 network?
If so it should work without an additional srcnat hairpin rule. It is only required when accessing the server from the same network, i.e. PCs in the 10.0.10 network trying to reach a server in the 10.0.10 network via the WANIP of the router.
A question for Sob and Mkx, as I didn't think of this before… When accessing a server from a different subnet it would appear this may be a unique method for bypassing normal layer 2 restrictions, but I am curious about L3 (firewall rules). For example, normally, a user on vlan10 would not be able to access a server on VLAN20 due to basic layer 2 separation; however, we also need to prevent the router from routing between the two, so we add in either a drop vlan10 to vlan 20 rule, or add in a drop all else rule at the end of the forward chain etc…
So with vlan separation and a firewall setup that prevents vlan cross talk, Q - Does the router allow vlan10 user to bypass vlan and firewall restrictions to vlan 20 when the user enters the WANIP of the router and server port to access the server?
It depends on order of rules. If you allow all dstnatted ports first and then block access between vlans, it will work. If you swap these rules, then it won’t.
And I just changed all the dst-nat rules to have in-interface-list=WAN and disabled the hairpin NAT rule but I think I’m still seeing intermittent internet connectivity issues.
Just add the following rule
add chain=srcnat action=masquerade src-address=10.0.10.0/24 dst-address=10.0.10.0/24
This is the associated dst-nat rule?
add action=dst-nat chain=dstnat comment="home assistant" in-interface-list=WAN dst-port=8023 protocol=tcp to-addresses=10.0.10.3
The above rule for destination nat is for dynamic WANIPs, and should also work if you have a static WANIP, although it's better to state the destination nat rule like this for static WANIPs..
add action=dst-nat chain=dstnat comment="home assistant" dst-port=8023 dst-address=x.x.x.x protocol=tcp to-addresses=10.0.10.3
If you have a dynamic WANIP AND a hairpin issue, then one has to modify the destination nat rule for hairpin situations… you need to change that destination nat rule to this…
add chain=dstnat action=dst-nat dst-port=8023 protocol=tcp dst-address=!10.0.10.1 dst-address-type=local to-addresses=10.0.10.3
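anav's dynamic-WANIP hairpin rules above and Sob's earlier point that rule order decides whether a VLAN 20 client reaching the server via the WAN IP gets through, assembled into one RouterOS v6 config as an added example (not an export from anyone in the thread). It assumes the server 10.0.10.3 with gateway 10.0.10.1 on an interface named BLUE_VLAN (VLAN 10), guests on GREEN_VLAN (VLAN 20), an interface list named WAN, and a dynamic WAN address.

```routeros
# ---------- NAT: dynamic WAN IP, server 10.0.10.3 behind the router ----------
/ip firewall nat
# Default outbound masquerade; the hairpin rule further down is in addition to it, not a replacement
add chain=srcnat action=masquerade out-interface-list=WAN comment="default masquerade"
# Port forward that also serves hairpin clients: match any address the router itself owns except
# the VLAN gateway, so Internet clients and LAN clients using the public IP are both redirected.
# (in-interface-list=WAN is deliberately absent here; it would exclude the hairpin case.)
add chain=dstnat action=dst-nat protocol=tcp dst-port=8023 dst-address-type=local dst-address=!10.0.10.1 to-addresses=10.0.10.3 comment="home assistant"
# Hairpin srcnat: only needed when client and server share 10.0.10.0/24; it makes the server's
# replies go back through the router instead of straight to the client, where they would be
# rejected because the client expects them from the WAN IP. Clients on other subnets never hit it.
add chain=srcnat action=masquerade src-address=10.0.10.0/24 dst-address=10.0.10.0/24 comment="hairpin NAT"

# ---------- Forward chain: the order of the two rules below decides the inter-VLAN outcome ----------
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies"
# Ordering A (as listed): port-forwarded connections are accepted before the inter-VLAN drop, so
# GREEN_VLAN -> <WAN IP>:8023 -> 10.0.10.3 succeeds even though VLAN 20 may not reach VLAN 10 directly.
add chain=forward action=accept connection-nat-state=dstnat comment="allow dst-natted connections"
add chain=forward action=drop in-interface=GREEN_VLAN out-interface=BLUE_VLAN comment="no VLAN 20 -> VLAN 10"
# Ordering B: put the drop rule above the accept rule and the same connection is dropped, because
# dstnat has already rewritten the destination to 10.0.10.3 (out-interface=BLUE_VLAN) before the
# forward chain runs. Choose B if the WAN IP must not act as a side door between the VLANs.
```

To verify which ordering you have, watch the counters with `/ip firewall filter print stats` while a VLAN 20 client connects to the WAN IP on port 8023: only one of the two rules should increment.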