Wireless ACL and VLAN: DHCP offered but never bound

Hi all,

Judging by the forum I’m not the only one who’s having DHCP issues… but anyway. I have a fairly simple setup which doesn’t work with Wi-Fi and VLANs.

Device:
hAP ac2, ROS 7.7

Goal:
To have “Main” (VLAN ID 33) and “Guest” (VLAN ID 10) VLANs, with TVs, cell phones etc. in “Guest” and laptops in “Main”. Firewall will come later because I just want to have this fixed first. More specifically, I want to assign wireless clients to different VLANs based on their MAC addresses (yes, I know about RADIUS and how insecure this is etc.). Two SSIDs are not really an option since the area is quite big and the idea of having to come closer to the router to access a different network is beyond ridiculous for me. Also, I want a uniform SSID for both ranges.

The Problem:
Using Wireless ACL never really sets the VLAN tag on a device – it’s visible on the DHCP Leases tab as “offered”, but binding never happens. There are some DHCP errors in the system log after I enabled explicit logging, suggesting (I’ve seen it here in similar topics) that the final communication between client and AP doesn’t happen, hence the address is never accepted – but that’s just my assumption.

Config:

# feb/09/2023 17:41:59 by RouterOS 7.7
# software id = NMRU-ISKF
#
# model = RBD52G-5HacD2HnD
# serial number = 1234567890
/interface bridge
add admin-mac=18:FD:74:30:1A:B4 auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="WAN port"
set [ find default-name=ether5 ] comment=TV
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=etsi disabled=no distance=\
    indoors frequency=auto installation=indoor mode=ap-bridge ssid=Cactus wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=etsi disabled=no \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=Cactus wireless-protocol=802.11
/interface vlan
add comment="Main VLAN, data access" interface=bridge name=vlan1 vlan-id=33
add comment="Guest VLAN, Internet access only" interface=bridge name=vlan2 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GUEST
add name=WIRELESS
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=guest_pool ranges=192.168.10.10-192.168.10.254
add name=main_pool ranges=192.168.33.10-192.168.33.254
/ip dhcp-server
add address-pool=guest_pool interface=vlan2 lease-time=1m name=guest
add address-pool=main_pool interface=vlan1 lease-time=1m name=main
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 pvid=33
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 pvid=33
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan1,wlan2,ether5 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wlan1,wlan2 vlan-ids=33
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan2 list=GUEST
add interface=wlan1 list=WIRELESS
add interface=wlan2 list=WIRELESS
/interface wireless access-list
add comment=lenovo disabled=yes interface=WIRELESS mac-address=E0:XX:XX:XX:XX:XX vlan-id=33 vlan-mode=use-tag
add comment=asus disabled=yes interface=WIRELESS mac-address=A4:XX:XX:XX:XX vlan-id=33 vlan-mode=no-tag
add comment=chrome disabled=yes interface=WIRELESS mac-address=4C:XX:XX:XX:XX:XX vlan-id=33 vlan-mode=use-tag
add comment="Default all clients to guest VLAN" disabled=yes interface=WIRELESS vlan-id=10 vlan-mode=use-tag
/ip address
add address=192.168.10.1/24 comment="VLAN for guests" interface=vlan2 network=192.168.10.0
add address=192.168.33.1/24 comment="Main VLAN" interface=vlan1 network=192.168.33.0
/ip dhcp-client
add add-default-route=yes comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment="Guest VLAN network" gateway=192.168.10.1
add address=192.168.33.0/24 comment="Main VLAN network" gateway=192.168.33.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=ether1 routing-table=main suppress-hw-offload=no

Wireless ACL is disabled now since I hardcoded all wireless interfaces to use VLAN 33. Once I enable this and remove the PVID from the bridge ports, the wireless network is broken – no one can get an IP.

What I have tried:

  • enabling/disabling ingress filtering on the bridge;
  • different combinations of tagged/untagged ports for the bridge;
  • assigning IP to a client manually;
  • changing VLAN admit policy for bridge ports;

I’m out of ideas, but I do suspect something is wrong with the Wi-Fi settings (or the bridge?)… I would greatly appreciate any help!

Thank you

UPDATE: disabling VLAN filtering magically fixes DHCP, all wireless clients seem to get IPs in their respective VLANs (I re-enabled the ACLs and removed the hardcoded PVIDs from the bridge). So clearly the problem is inside Bridge VLANs then…

Per my understanding, the tagged (trunk) port should be the bridge itself, and the untagged (access) ports should be the WLANs, but it seems that when the ACL slaps a VLAN tag on top of a packet coming from a WLAN, it cannot enter the bridge (when filtering is enabled), because now wlan1/2 are not access ports but hybrid ones (access + trunk).

(1) I have never used wireless ACLs, so I’m not sure what your requirement is in that regard.

In any case, if you can disable those rules for now and then fix this and see what happens…

/interface list member
add comment=defconf interface=bridge list=LAN { remove }
add interface=vlan1 list=LAN { add }
add interface=vlan2 list=LAN { add }
add comment=defconf interface=ether1 list=WAN
add interface=vlan2 list=GUEST
add interface=wlan1 list=WIRELESS
add interface=wlan2 list=WIRELESS

(2) If this is an internet-facing router, remove it from the WAN immediately: you have no protection (missing firewall rules).

Fixed…
/ip firewall filter
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(admin rules)
add action=accept chain=input in-interface=vlan1 src-address-list=AdminAccess
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else" { This is the last rule you put in once everything else is working }

(default rules)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"

where you have a firewall address list so that only you can access the router for configuration purposes, via firewall address list=AdminAccess,
where the IPs are fixed, statically set in the leases, as follows:
/ip firewall address-list
add address=admin_desktop_IP list=AdminAccess
add address=admin_laptop_IP-wired list=AdminAccess
add address=admin_laptop_IP-WIFI list=AdminAccess
add address=admin_iphone/ipad-WIFI list=AdminAccess

No, your VLAN configuration is incorrect, as there is a mix of untagged and tagged use for the same VLAN, and having the same interface listed in more than one untagged= bridge vlan statement is just wrong. If you wish the default to be that devices are connected to VLAN 10 unless there is an ACL entry, something along the lines of:
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan1,wlan2,ether5 vlan-ids=10 # the untagged= entries are optional, they will be added dynamically from the bridge port PVID setting
add bridge=bridge tagged=bridge,wlan1,wlan2 vlan-ids=33
/interface wireless access-list
add comment=lenovo disabled=no interface=WIRELESS mac-address=E0:XX:XX:XX:XX:XX vlan-id=33 vlan-mode=use-tag
add comment=asus disabled=no interface=WIRELESS mac-address=A4:XX:XX:XX:XX vlan-id=33 vlan-mode=use-tag
add comment=chrome disabled=no interface=WIRELESS mac-address=4C:XX:XX:XX:XX:XX vlan-id=33 vlan-mode=use-tag
add comment="Default all clients to guest VLAN" disabled=yes interface=WIRELESS vlan-id=10 vlan-mode=use-tag
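As an added example (not from the thread or from RouterOS), a small consistency check that encodes the rules tdw states above and the pattern of the corrected config: no interface untagged in more than one VLAN, no interface both tagged and untagged in one VLAN, the bridge-port PVID matching the port's untagged VLAN, and, where an enabled access-list entry uses vlan-mode=use-tag, the wireless ports being tagged members of that VLAN. The interface names, VLAN IDs and both table snapshots are taken from the configs posted in this thread.

```python
from collections import defaultdict

def check_bridge_vlans(ports, vlans, acl):
    """ports: {iface: pvid}; vlans: {vlan_id: (tagged_set, untagged_set)};
    acl: [(vlan_id, vlan_mode)] for enabled wireless access-list entries.
    Returns a list of findings; an empty list means the tables are consistent."""
    findings = []
    tagged_in, untagged_in = defaultdict(set), defaultdict(set)
    for vid, (tagged, untagged) in vlans.items():
        # same interface tagged and untagged for one VLAN ("mix of untagged and tagged")
        for iface in sorted(tagged & untagged):
            findings.append(f"{iface}: both tagged and untagged in VLAN {vid}")
        for iface in tagged:
            tagged_in[iface].add(vid)
        for iface in untagged:
            untagged_in[iface].add(vid)
    for iface, vids in sorted(untagged_in.items()):
        # an access port can only have one untagged VLAN, which must equal its PVID
        if len(vids) > 1:
            findings.append(f"{iface}: untagged in more than one VLAN {sorted(vids)}")
        if iface in ports and ports[iface] not in vids:
            findings.append(f"{iface}: pvid={ports[iface]} but untagged in {sorted(vids)}")
    # use-tag makes the AP hand frames to the bridge tagged with vlan-id, so the WLAN
    # port has to be a tagged member of that VLAN (as in the corrected config above)
    wlans = [i for i in ports if i.startswith("wlan")]
    for vid, mode in sorted(set(acl)):
        if mode == "use-tag":
            for w in wlans:
                if vid not in tagged_in[w]:
                    findings.append(f"{w}: ACL tags VLAN {vid} but port is not a tagged member")
    return findings

# Snapshot of the original poster's tables with the ACL enabled and PVIDs removed
# (RouterOS default pvid=1), i.e. the state in which no wireless client got a lease.
BROKEN_PORTS = {"ether5": 10, "wlan1": 1, "wlan2": 1}
BROKEN_VLANS = {10: ({"bridge"}, {"wlan1", "wlan2", "ether5"}),
                33: ({"bridge"}, {"wlan1", "wlan2"})}
BROKEN_ACL = [(33, "use-tag"), (33, "use-tag"), (33, "use-tag")]

# Snapshot of tdw's corrected tables: PVID 10 as the default, wlan ports tagged in 33.
FIXED_PORTS = {"ether5": 10, "wlan1": 10, "wlan2": 10}
FIXED_VLANS = {10: ({"bridge"}, {"wlan1", "wlan2", "ether5"}),
               33: ({"bridge", "wlan1", "wlan2"}, set())}
FIXED_ACL = [(33, "use-tag"), (33, "use-tag"), (33, "use-tag")]

if __name__ == "__main__":
    for name, args in (("broken", (BROKEN_PORTS, BROKEN_VLANS, BROKEN_ACL)),
                       ("fixed", (FIXED_PORTS, FIXED_VLANS, FIXED_ACL))):
        print(name, check_bridge_vlans(*args) or "OK")
```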

Thank you @tdw! The changes you suggested have worked. Now DHCP is working properly and clients are assigned to the right VLANs. Next step is to set up a proper firewall to isolate them.

@anav – thanks for your suggestions! It’s not an internet-facing router, it’s behind NAT (there’s a modem from the ISP), but a firewall is needed anyway.

Thank you all!