VLAN

Hello:
I have a VLAN created on the 1st router (eth3) and it works fine.

I connect a second router eth3 to eth1 trunk port, and in the winbox I don’t see it.

But if I connect through another port on the first router eth5 to eth1 I see it in winbox.
Is my configuration correct in the second router?

# jul/25/2022 18:32:03 by RouterOS 6.49
# software id = 7DE5-ZHUJ
# model = 951G-2HnD
# serial number =
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
    ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS"
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.10.1-192.168.10.253
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan10 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=wlan1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1,vlan10 vlan-ids=10
/ip address
add address=192.168.10.254/24 interface=vlan10 network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254

just change this, if u want to use e1 as a tagged interface

/interface bridge port
add bridge=bridge1 interface=ether1 pvid=1

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10

(don't do copy/paste, just edit)

I don't see it in winbox


# jul/25/2022 19:38:06 by RouterOS 6.49
# software id = 7DE5-ZHUJ
# model = 951G-2HnD
# serial number =
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
    ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS"
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.10.1-192.168.10.253
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan10 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10
/ip address
add address=192.168.10.254/24 interface=vlan10 network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254
[Image: CapPa.jpg]

do u have second router?

Post config for both routers and please add a network diagram that shows internet connectivity, the ports on connected devices the subnets flowing through them.

# aug/05/2022 08:29:14 by RouterOS 6.48.6
# software id = EJGX-NLPK
# model = RB4011iGS+5HacQ2HnD
# serial number =
/caps-man datapath
add name=Invitados
/interface bridge
add name=Puente vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment="VLAN PRUEBAS"
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] comment=LAN
set [ find default-name=ether7 ] comment=LAN
set [ find default-name=ether8 ] comment=LAN
set [ find default-name=ether9 ] comment=LAN
set [ find default-name=ether10 ] comment=LAN
/interface eoip
add disabled=yes local-address=81.36.138.168 mac-address=02:98:C2:91:1D:6E \
    name=eoip-Muntaner remote-address=80.26.190.115 tunnel-id=1
/interface vlan
add interface=ether1 name=vlan6 vlan-id=6
add interface=Puente name=vlan10ETH3 vlan-id=10
/caps-man configuration
add country=spain datapath.bridge=Puente name="Configuracion CAP" \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm,tkip ssid=SnapSalon2G
add country=spain datapath.bridge=Puente name=CAPSALON \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm,tkip ssid=SnapSalon2Ga
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6 keepalive-timeout=60 \
    name=pppoe-out1 user=adslppp@telefonicanetpa
/caps-man interface
add configuration=CAPSALON disabled=no l2mtu=1600 mac-address=\
    E4:8D:8C:9F:6D:6F master-interface=none name=Salon radio-mac=\
    E4:8D:8C:9F:6D:6F radio-name=E48D8C9F6D6F
/caps-man security
add authentication-types=wpa-psk,wpa2-psk name=security1Invitados
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=Misclaves \
    supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 5640/20-eeCe/ac/DP(27dBm)+5210/80/P(23dBm), SSID: SnapSalon2G, CAPsMAN forwarding
set [ find default-name=wlan1 ] antenna-gain=0 country=no_country_set \
    frequency-mode=manual-txpower mac-address=74:4D:28:8C:76:98 mode=\
    ap-bridge radio-name=744D288C7698 security-profile=Misclaves ssid=SNAPs5 \
    station-roaming=enabled wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2447/20-Ce/gn(20dBm), SSID: SnapSalon2G, CAPsMAN forwarding
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set \
    frequency-mode=manual-txpower mode=ap-bridge security-profile=Misclaves \
    ssid=SnapSalon2G station-roaming=enabled wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=Puente name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan10ETH3 lease-time=10s \
    name=dhcp2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=Puente
/caps-man provisioning
add action=create-dynamic-enabled master-configuration="Configuracion CAP"
/interface bridge port
add bridge=Puente interface=ether2
add bridge=Puente interface=ether1
add bridge=Puente interface=ether4
add bridge=Puente interface=ether5
add bridge=Puente interface=ether6
add bridge=Puente interface=ether7
add bridge=Puente interface=ether8
add bridge=Puente interface=ether9
add bridge=Puente interface=ether10
add bridge=Puente interface=ether3 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=Puente tagged=Puente untagged=ether3 vlan-ids=10
/interface list member
add interface=ether1 list=WAN
add interface=Puente list=LAN
/interface wireless cap
set bridge=Puente discovery-interfaces=Puente enabled=yes interfaces=\
    wlan1,wlan2
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=192.168.200.1/24 interface=vlan10ETH3 network=192.168.200.0
/ip arp
add address=192.168.1.201 comment=Camara interface=Puente mac-address=\
    00:62:6E:61:B5:85
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.176 comment="BOOX ONXY" mac-address=B0:F1:EC:21:A5:38 \
    server=dhcp1
add address=192.168.1.3 client-id=1:7c:e9:d3:8f:f5:d8 comment=IMPRESORA \
    mac-address=7C:E9:D3:8F:F5:D8 server=dhcp1
add address=192.168.1.18 client-id=1:0:11:32:ee:97:5 comment=SYNOLOGY \
    mac-address=00:11:32:EE:97:05 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.200.0/24 gateway=192.168.200.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 list="Red LAN"
add address=192.168.200.0/24 list=REDVLAN
/ip firewall filter
add action=accept chain=input comment=\
    "Regla para aceptar solo las conexiones relacionadas y establecidas:" \
    connection-state=established,related
add action=drop chain=input comment="Regla para denegar conexiones invalidas" \
    connection-state=invalid
add action=accept chain=input comment=\
    "Regla para aceptar el trafico que viene de nuestra Red LAN" \
    src-address-list="Red LAN"
add action=accept chain=input comment=\
    "Regla para aceptar el trafico que viene de nuestra Red VLAN" \
    src-address-list=REDVLAN
add action=drop chain=input comment="Regla para denegar todo el trafico restan\
    te, solo dejara entrar lo que este en el DST-NAT" connection-nat-state=\
    !dstnat
add action=accept chain=forward comment=\
    "Regla para aceptar solo las conexiones relacionadas y establecidas" \
    connection-state=established,related
add action=drop chain=forward comment=\
    "Regla para denegar conexiones invalidas" connection-state=invalid
add action=accept chain=forward comment=\
    "Regla para aceptar el trafico que saldr\E1 que viene de nuestra Red LAN" \
    src-address-list="Red LAN"
add action=accept chain=forward comment="Regla para aceptar el trafico que sal\
    dr\E1 que viene de nuestra Red VLAN" src-address-list=REDVLAN
add action=drop chain=forward comment="Regla para denegar el resto del trafico\
    \_a trav\E9s del router, a excepci\F3n del trafico que este autorizado con\
    \_una regla DST-NAT" connection-nat-state=!dstnat
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=5000 protocol=\
    tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=6281 protocol=\
    tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 port=6150 protocol=\
    tcp to-addresses=192.168.1.40
add action=dst-nat chain=dstnat comment="CAMARA TERRAZA" in-interface=\
    pppoe-out1 port=6170,443 protocol=tcp to-addresses=192.168.1.8
add action=src-nat chain=srcnat disabled=yes protocol=tcp src-address=\
    79.155.7.84 src-port=7200 to-addresses=192.168.1.215 to-ports=7200
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=CASA
/system leds
set 0 interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-\
    led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system package update
set channel=long-term

# jul/25/2022 19:38:06 by RouterOS 6.49
# software id = 7DE5-ZHUJ
# model = 951G-2HnD
# serial number =
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
    ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS"
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.10.1-192.168.10.253
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan10 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10
/ip address
add address=192.168.10.254/24 interface=vlan10 network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254
[Image: Diagrama.png]

Hmm, well I am allergic to
a. capsman, I find it easier with 3 or less devices just to configure wifi on each device, much less complex and less prone to error.
b. mixing lans and vlans on a router, I prefer to use all vlans.


Questions.
(1) Why is ether1 (your WAN connection) associated with a VLAN (vlan6)??. Is that how it comes from the provider?
I will assume yes based on your pppoe settings. So seems okay.

(2) The ether1 your WAN connection should NOT be on the bridge!

(3) It is not clear the role of VLAN10 on ether3? You state it's a trunk port on the RB but you config it like an access port, thus a confused setup.

The better question/answer is do you expect to have the LAN network on the RB951G device or ONLY vlan10 traffic?

(4) Why do you attempt to apply DHCP twice for vlan10 and different ones at that…
once on the RB4011 with subnet 192.168.200.0/24 and then on the second MT device again with subnet 192.168.10.0/24

============================
On your network diagram you need to add all the ports being used on the RB400 and which traffic flows through the ports including the connection between the two devices.
It will then become clear what you have setup incorrectly. One only needs DHCP settings for a subnet in one location.

Personally I would create as many vlans as needed and have NO subnet attached to the bridge, only vlans.

> Questions.
> (1) Why is ether1 (your WAN connection) associated with a VLAN (vlan6)??. Is that how it comes from the provider?
> I will assume yes based on your pppoe settings. So seems okay.

Yes is TV o TEF.

> (2) The ether1 your WAN connection should NOT be on the bridge!

OK

> (3) It is not clear the role of VLAN10 on ether3? You state it's a trunk port on the RB but you config it like an access port, thus a confused setup.

I am learning with the VLANs and I do tests watching YouTube videos, it is normal that it is wrong.

> The better question/answer is do you expect to have the LAN network on the RB951G device or ONLY vlan10 traffic?

I want to use RB951G as CAP with a VLAN, that is my purpose.

> (4) Why do you attempt to apply DHCP twice for vlan10 and different ones at that…
> once on the RB4011 with subnet 192.168.200.0/24 and then on the second MT device again with subnet 192.168.10.0/24

I understand that I should only have a DHCP.

> ============================
> On your network diagram you need to add all the ports being used on the RB400 and which traffic flows through the ports including the connection between the two devices.
> It will then become clear what you have setup incorrectly. One only needs DHCP settings for a subnet in one location.
>
> Personally I would create as many vlans as needed and have NO subnet attached to the bridge, only vlans.

Thanks for the suggestion.

Now set RB95 default CAP Mode. I want to create a vlan on that cap.

# aug/05/2022 13:06:00 by RouterOS 6.49
# software id = 7DE5-ZHUJ
# model = 951G-2HnD
# serial number =
/interface bridge
add admin-mac=E4:8D:8C:9F:6D:6A auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(17dBm), SSID: SnapSalon2Ga, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
    interfaces=wlan1
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
/system clock
set time-zone-name=Atlantic/Canary
[Image: Diagrama.png]

CAP RB95 already has a connection with CAPMAN where I created the vlan for CAPRB95
[Image: imagen_2022-08-05_141620250.png]

WARNING - Why is SSH setup without crypto, what is the purpose???
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote

{ Another error just noted, this is incorrect:
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
it should be the bridge for your config setup.
However I am suggesting an alternative approach }

{ Another error noted, REMOVE the IP DHCP client (warning message indicates an issue) it is NOT required as the dhcp client is handled already in pppoe-client settings!! }
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether1

{ Missing is pppoe-1 as a WAN interface list member }

{ Format for destination nat is dst-port= }

{ Also why is this lease time set to 10 seconds, recommend at least 1 day ???
add address-pool=dhcp_pool2 disabled=no interface=vlan10ETH3 lease-time=10s }

{ Firewall rules, many small errors, the big one is Port Forwarding DST nat rules don't belong in the input chain! }

In general, there should be a trusted subnet.
It can be the LAN subnet on the RB4011, it could be vlan10 for example or you can add one.

It should be one that your PC is normally connected to as you configure the devices from this pc.
All attached smart devices (such as APs and Switches that can read vlan tags such as the RB95 ) should have an IP address from this subnet.

The solution I would find easiest to implement is to add vlan11
This will be the home vlan currently your 192.168.1.0 subnet.

Router: BEFORE you start, recommend both firmwares should be the same if possible.
***** I include only changed portions for the most part****

# model = RB4011iGS+5HacQ2HnD
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment="VLAN PRUEBAS"
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] comment=LAN
set [ find default-name=ether7 ] comment=LAN
set [ find default-name=ether8 ] comment=LAN
set [ find default-name=ether9 ] comment=LAN
# renamed (not just commented) so the later interface= references resolve
set [ find default-name=ether10 ] name=ether10-OffBridge
/interface vlan
add interface=ether1 name=vlan6 vlan-id=6
add interface=Puente name=vlanHOME-11  vlan-id=11
add interface=Puente name=vlanCAP-10  vlan-id=10
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface wireless
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlanHOME-11 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlanCAP-10 name=dhcp2
/interface bridge port
add bridge=Puente interface=ether2  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether4  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether5  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether6  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether7  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether8  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether9 pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=Puente interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=Puente  tagged=Puente,ether3  vlan-ids=10
add bridge=Puente  tagged=Puente,ether3  untagged=ether2,ether4,ether5,ether6,ether7,ether8,ether9  vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1  list=WAN
add interface=vlanCAP-10  list=LAN
add interface=vlanHOME-11  list=LAN
add interface=vlanHOME-11  list=BASE
add interface=ether10-OffBridge  list=BASE
/interface wireless cap
# maybe vlan10 here is what is needed ??
set bridge=Puente discovery-interfaces=Puente enabled=yes interfaces=\
wlan1,wlan2
/ip address
add address=192.168.1.1/24 interface=vlanHOME-11 network=192.168.1.0
add address=192.168.200.1/24 interface=vlanCAP-10 network=192.168.200.0
add address=192.168.5.1/24  interface=ether10-OffBridge
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
# Input Chain
add action=accept chain=input comment=\
"Regla para aceptar solo las conexiones relacionadas establecidas y untracked:" \
connection-state=established,related,untracked
add action=drop chain=input comment="Regla para denegar conexiones invalidas" \
connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=BASE comment=\
"Regla para aceptar el trafico que viene de nuestra BASE"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment=\
"Regla para aceptar el trafico LAN para DNS TCP"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment=\
"Regla para aceptar el trafico LAN  para DNS UDP"
add action=drop chain=input  comment="Drop all else"
# Forward Chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"Regla para aceptar solo las conexiones relacionadas  establecidas y untracked" \
connection-state=established,related,untracked
add action=drop chain=forward  connection-state=invalid comment=\
   "Regla para denegar conexiones invalidas"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment=\
   "Regla para aceptar el trafico que saldr\E1 l'internet que viene de LAN"
# port forwards are matched in the forward chain by their NAT state
add action=accept chain=forward connection-nat-state=dstnat  comment=\
      "entrar lo que este en DST-NAT"
add action=drop chain=forward  comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=5000 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=6281 protocol=\
tcp to-addresses=192.168.1.18
add action=dst-nat chain=dstnat in-interface=pppoe-out1 dst-port=6150 protocol=\
tcp to-addresses=192.168.1.40
add action=dst-nat chain=dstnat comment="CAMARA TERRAZA" in-interface=\
pppoe-out1 dst-port=6170,443 protocol=tcp to-addresses=192.168.1.8
/ip ssh
# set ????????????
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

The only thing I am not sure about is this line.
/interface wireless cap
set bridge=Puente discovery-interfaces=Puente enabled=yes interfaces=wlan1,wlan2

I am guessing this may be what is needed ??
set bridge=Puente discovery-interfaces=vlan10 enabled=yes interfaces=wlan1,wlan2 ???

For ether10 configuring off bridge before doing other changes FROM bridge, easy to lock yourself out!!!
https://forum.mikrotik.com/viewtopic.php?t=181718

The only config item I am not sure of is one of the capsman settings where you referred to the Bridge.
I don't know if that should remain bridge or identify vlanCAP-10

The next post will detail the CAP config to match.

For this one the complete config is required… Again, take ether5 and configure it off the bridge as per the article, and then do all your changes hooked up to ether5.
ACCESS POINT SWITCH CONFIG

# model = 951G-2HnD
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment="VLAN INVITADOS"
set [ find default-name=ether5 ]  name=ether5-OffBridge
/interface vlan
# required as this is the base vlan
add interface=bridge1 name=vlan11-home  vlan-id=11
# not required as only passing data through but is good for the reader to understand
add interface=bridge1 name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list
add name=MANAGE
/interface list member
add interface=vlan11-home  list=MANAGE
add interface=ether5-OffBridge list=MANAGE
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge port
add bridge=bridge1 interface=ether1  ingress-filtering=yes  frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=wlan1 pvid=10 ingress-filtering=yes  frame-types=admit-priority-and-untagged
/interface bridge vlan
add bridge=bridge1  tagged=bridge1,ether1  vlan-ids=11
# ether1 is tagged for vlan 10 as well, so frames from wlan1 can leave on the trunk
add bridge=bridge1  tagged=bridge1,ether1  untagged=wlan1  vlan-ids=10
/ip address
add address=192.168.5.1/24  interface=ether5-OffBridge network=192.168.5.0
/ip dns
# dns through trusted subnet gateway
set allow-remote-requests=yes servers=192.168.1.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 comment="ensures route avail through trusted subnet gateway"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

> WARNING - Why is SSH setup without crypto, what is the purpose???

I don't understand this, I don't use SSH.
What should I do?

Hi there…
Well not sure, as the stupid item was a default config a long time ago.
Did you copy and paste older configs when putting on 6.48.6 ??

The best thing to do for now is to turn that off.
Go to in winbox SYSTEM, then Services, then ensure SSH is off NOT green. (hit the red X).


After some research on capsman, it's getting in the way of success, it gets complicated with vlans and hurts my head (I avoid it like the plague).
Suggest getting a working config with regular wifi settings first, then when it's stable introduce capsman after some reading etc…

Unless of course you are a capsman whiz and this is no problem for you.

These are not settings the user chose, they are the defaults for v6.xx, and when migrating to another version, where the new defaults are no / no, the export shows them.

Also in CLI accessed via New Terminal you can type:
/ip ssh set allow-none-crypto=no

Paste this on the device to solve it / align with the new default

/ip ssh
set allow-none-crypto=no forwarding-enabled=no

On that capsman line I see thousands of problems…

security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm,tkip

wpa-psk and tkip must disappear


management-protection=allowed

management-protection does not work with clients, only between MikroTik devices…


lease-time=10s

10 seconds???

On RB4011iGS+5HacQ2HnD paste this on terminal

{
/caps-man configuration
set [find] security.authentication-types=wpa2-psk security.encryption=aes-ccm
/caps-man security
set [find] authentication-types=wpa2-psk
/interface pppoe-client
set [find] keepalive-timeout=10
/interface wireless security-profiles
set Misclaves authentication-types=wpa2-psk eap-methods=passthrough management-protection=disabled supplicant-identity=MikroTik
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,!dude,tikapp
/ip neighbor discovery-settings
set discover-interface-list=static
/ip ssh
set allow-none-crypto=no forwarding-enabled=no
}

Paste this on 951G-2HnD

/ip neighbor discovery-settings
set discover-interface-list=static

Ready!!
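
An added example, not part of any post in this thread: a small Python audit that parses a RouterOS export and reports the settings the replies above flag (WPA1/TKIP in CAPsMAN and wireless profiles, allow-none-crypto=yes, the 10-second DHCP lease, and the WAN port sitting on the bridge). The check IDs, the 60-second lease threshold and the sample export are assumptions made for this illustration; the sample is constructed from lines quoted in the thread.

```python
import re
import shlex

# Constructed sample: an export fragment assembled from lines quoted in this thread.
SAMPLE = r'''
/caps-man configuration
add country=spain datapath.bridge=Puente name="Configuracion CAP" \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm,tkip ssid=SnapSalon2G
/ip dhcp-server
add address-pool=dhcp disabled=no interface=Puente name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan10ETH3 lease-time=10s \
    name=dhcp2
/interface bridge port
add bridge=Puente interface=ether2
add bridge=Puente interface=ether1
/interface list member
add interface=ether1 list=WAN
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
'''

WIFI_MENUS = {"/caps-man configuration", "/caps-man security",
              "/interface wireless security-profiles"}
UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
MIN_LEASE_SECONDS = 60  # assumed threshold for this example, not a RouterOS value


def parse_export(text):
    """Return [(menu, params)] for each add/set line of a RouterOS export."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join backslash continuations
    menu, entries = "", []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or export comment
        if line.startswith("/"):
            menu = line  # menu header such as "/ip ssh"
            continue
        tokens = shlex.split(line)  # keeps quoted values with spaces together
        entries.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return entries


def seconds(value):
    """Convert RouterOS durations such as 10s, 1d or 1d00:10:00 to seconds."""
    total = sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", value))
    clock = re.search(r"(\d+):(\d+):(\d+)$", value)
    if clock:
        h, m, s = map(int, clock.groups())
        total += h * 3600 + m * 60 + s
    return total


def audit(text):
    """Return [(check_id, detail)] for the weak settings flagged in the thread."""
    entries = parse_export(text)
    # The WAN list is read first because the export lists members after bridge ports.
    wan = {p.get("interface") for menu, p in entries
           if menu == "/interface list member" and p.get("list") == "WAN"}
    findings = []
    for menu, p in entries:
        if menu in WIFI_MENUS:
            for key, value in p.items():
                modes = value.split(",")
                if key.endswith("authentication-types") and "wpa-psk" in modes:
                    findings.append(("wifi-wpa1", f"{menu}: {key}={value}"))
                if key.endswith(("encryption", "-ciphers")) and "tkip" in modes:
                    findings.append(("wifi-tkip", f"{menu}: {key}={value}"))
        elif menu == "/ip dhcp-server" and "lease-time" in p:
            if seconds(p["lease-time"]) < MIN_LEASE_SECONDS:
                findings.append(("dhcp-short-lease", f"lease-time={p['lease-time']}"))
        elif menu == "/interface bridge port" and p.get("interface") in wan:
            findings.append(("wan-on-bridge", f"{p['interface']} is a bridge port"))
        elif menu == "/ip ssh" and p.get("allow-none-crypto") == "yes":
            findings.append(("ssh-none-crypto", "allow-none-crypto=yes"))
    return findings


if __name__ == "__main__":
    for check_id, detail in audit(SAMPLE):
        print(f"{check_id}: {detail}")
```

Run it against the output of an export saved to a file by passing the file's text to audit(); it only reads the text and never connects to a router.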