WLAN has no internet access but LAN has internet access

Hi guys,
in continuation from this thread http://forum.mikrotik.com/t/help-in-analyzing-new-setup/163573/1
I'm at a loss :confused: .
The problem is that accessing from WLAN there is no internet connection, but from LAN there is no issue.
Please find the config export below; I would appreciate a new set of eyes to see what I missed here.

# jan/14/2023 20:00:57 by RouterOS 6.49.7
# software id = T9PD-VUT8
#
# model = RB941-2nD
# serial number = HCR087MNR5P
/interface bridge
add name=Bridge_LAN
/interface list
add name=WAN
add name=Sys
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=E3User supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] country=indonesia disabled=no frequency=auto \
    installation=indoor mode=ap-bridge security-profile=E3User ssid=E3Cipanas
/ip pool
add name=LAN ranges=192.168.27.2-192.168.27.254
add name=Sys ranges=192.168.88.2-192.168.88.10
/ip dhcp-server
add add-arp=yes address-pool=LAN disabled=no interface=Bridge_LAN lease-time=\
    12h name=DHCP_LAN
add add-arp=yes address-pool=Sys disabled=no interface=ether4 name=DHCP_Sys
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=wlan1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=Sys
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=ether1 list=WAN
add interface=ether4 list=Sys
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
add interface=ether4 list=LAN
/ip address
add address=192.168.88.1/24 interface=ether4 network=192.168.88.0
add address=192.168.27.1/24 interface=Bridge_LAN network=192.168.27.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.27.1
add address=192.168.88.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input connection-state=new dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=192.168.27.0/24,192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=Marge
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Thank you so very much

Do you get an IP address when connected through wireless?

Yep, checked on my mobile phone, and in leases an IP address is assigned to my mobile phone on the WLAN.

(1) Any reason why you are doing this… it's for advanced usage and not regular usage… Suggesting you remove it!!
/interface bridge settings
set use-ip-firewall=yes

(2) Change this to NONE; this setting is not well known and has caused funny issues in the past…
/interface detect-internet
set detect-interface-list=WAN

(3) Let's look at the logic of your firewall rules… (by the way, I like the drop rule as the last rule)

add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input in-interface-list=LAN

First you let all LAN users access DNS services only, on the router, for protocol UDP but not for TCP?
Then you let all LAN users access all ports on the router.

a. So the first rule makes no sense, as the second rule allows the same thing and a lot more. { logic problem }
b. Why are you letting all users have full access to the router, including config? { security problem }

MODIFY TO:
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"

Note1: Authorized is a firewall address list comprised of
a. admin IP address if on regular LAN (optional)
b. admin IP address on Sys LAN (desktop)
c. admin IP address on Sys LAN (iPad/laptop)
d. admin IP address on WireGuard remote warrior access (optional)

Note2: The wording "new connection state" is NOT required in the config.

Note3: The Winbox addresses will not conflict, as they are wider in scope and you refine them to particular IPs in the firewall settings… You may need to add a WireGuard remote subnet if you decide you want to be able to access the router whilst away from the site, as you may have it set up on both an iPhone and a laptop.

(4) You have to decide what the purpose of the Sys LAN is.
It's a bit confusing at the moment because you don't have it labelled as your mac-server mac-winbox interface list, but you do have it for your neighbour discovery setting? Just a tad inconsistent.
My recommendation, assuming your Sys LAN is basically for having a separate safe way to config the router but you still want to be able to work from the regular LAN…
Then simply change the IP neighbour discovery to the LAN interface list as well!!

(5) I note that there is no routing between the Sys LAN and the regular LAN, as there is no allow rule for such and you have the proper drop-all-else rule at the end of the forward chain! :slight_smile:
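As an added example (not Anav's or the original poster's config), here is the input chain recommended above written out in full, together with the Authorized address list it depends on, for the addressing used in this thread. The admin host addresses and the rule comments are placeholders; the `place-before` references assume the "drop all else" rule from the export is still the last input rule.

```routeros
# Added example, not the original poster's export. Assumes the interface
# lists, the "drop all else" input rule and the DNS setup from the export
# above. The admin addresses are hypothetical; pin them with static DHCP
# leases (/ip dhcp-server lease) so they cannot drift to another host.

/ip firewall address-list
add list=Authorized address=192.168.88.2 comment="admin desktop, Sys port ether4"
add list=Authorized address=192.168.88.3 comment="admin laptop/iPad, Sys port ether4"
add list=Authorized address=192.168.27.50 comment="admin PC on the regular LAN (optional)"

/ip firewall filter
# Drop the two rules being replaced: the UDP-53-only rule and the rule
# that accepts everything from the LAN list (both match in-interface-list=LAN).
remove [ find chain=input in-interface-list=LAN ]

# Order matters: each new rule is placed before the final "drop all else",
# so it is evaluated after the established/related, invalid and ICMP rules.
add chain=input action=accept src-address-list=Authorized \
    comment="admin hosts: Winbox/SSH/WebFig" \
    place-before=[ find chain=input comment="drop all else" ]
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="LAN clients: DNS over UDP" \
    place-before=[ find chain=input comment="drop all else" ]
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 \
    comment="LAN clients: DNS over TCP (truncated answers)" \
    place-before=[ find chain=input comment="drop all else" ]

# Check the resulting order: the Authorized rule must sit above the DNS
# rules, and all three above the final drop.
/ip firewall filter print where chain=input
```

Two caveats worth checking after applying this. From a LAN host that is not in Authorized, a DNS lookup against 192.168.27.1 should still succeed while Winbox or SSH to the same address should time out. MAC-Winbox (`/tool mac-server mac-winbox allowed-interface-list=LAN` in the export) is Layer 2 and is not filtered by these IP rules at all, so until that list is narrowed to the Sys port any host on a LAN interface can still open Winbox by MAC address; the `/ip service set winbox address=` restriction is likewise independent of the firewall and stays as defence in depth.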

Hi Anav, great to hear from you :smiley:
This was from early research into why I couldn't get the LAN to have internet access; I came across a thread with this as a suggestion and gave it a try, when it seems that I had forgotten to add the "/ip dhcp-server network gateway=…". Silly me. So I removed this, and it's DONE!

Done, set to none.

Yes, you should like the drop rules; I took them from the following https://forum.mikrotik.com/viewtopic.php?t=180838 :smiley:

Added:
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp

I haven't added the Authorized list yet, as for now, as an admin, I would like to have the freedom to access the router from any LAN or WLAN, and especially from ether4 if it comes to that, using the MAC address.
Please cmiiw.

My RB-941 is still running OS 6; I'm not sure if WireGuard is available.

Hmm… my logic is as follows: from LAN I am able to access using IP. From ether4 only I am able to access the router using IP and/or MAC address, just in case someone clicks disable on the bridge for all LAN (it happens…).
But cmiiw if there is another, better way.

Hmm… not sure I follow on this. So I should have a rule in the firewall to allow forward between the Sys LAN and the regular LAN?
For my issue, when using the Sys ethernet I am able to access the internet from both the ordinary LAN under the bridge and the Sys port.
I am unable to get internet access from wlan.
And I don't have any issue if I'm connected using Sys and unable to ping or access other clients in the regular LAN, if this rule is supposed to allow me to do so? Please cmiiw.

My latest config is as follows, and my mobile phone is still unable to access the internet.

# jan/14/2023 21:40:01 by RouterOS 6.49.7
# software id = T9PD-VUT8
#
# model = RB941-2nD
# serial number = HCR087MNR5P
/interface bridge
add name=Bridge_LAN
/interface list
add name=WAN
add name=Sys
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=E3User supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] country=indonesia disabled=no frequency=auto \
    installation=indoor mode=ap-bridge security-profile=E3User ssid=E3Cipanas
/ip pool
add name=LAN ranges=192.168.27.2-192.168.27.254
add name=Sys ranges=192.168.88.2-192.168.88.10
add name=Wlan ranges=192.168.28.2-192.168.28.254
/ip dhcp-server
add add-arp=yes address-pool=LAN disabled=no interface=Bridge_LAN lease-time=\
    12h name=DHCP_LAN
add add-arp=yes address-pool=Sys disabled=no interface=ether4 name=DHCP_Sys
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=Sys
/interface list member
add interface=ether1 list=WAN
add interface=ether4 list=Sys
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
add interface=ether4 list=LAN
/ip address
add address=192.168.88.1/24 interface=ether4 network=192.168.88.0
add address=192.168.27.1/24 interface=Bridge_LAN network=192.168.27.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.27.1
add address=192.168.88.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.27.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=192.168.27.0/24,192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=Marge
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

What is the purpose of this rule? Get rid of it or disable it for now…
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.27.0/24

I also don't understand your setup for wlan in terms of IP pool; for troubleshooting purposes let's get rid of "strange" config items…

Namely this offending orphan:
add name=Wlan ranges=192.168.28.2-192.168.28.254

You have one bridge with one IP pool…
The bridge is defined in terms of pool, IP address, DHCP server and DHCP server network.
I have no idea what effect that IP pool entry has, but for now get rid of it or disable it, as I suspect the wlan devices never get an IP address…

Sorry, I was trying out stuff randomly from the net, one of them WDS; it seems for AP-to-AP bridging the setup automatically created what you mention :smiley:
Everything connected to wlan seems not to have internet access, but from LAN (any LAN port) I am able to get access. Weird; is there something that I missed in creating the wlan?

Nope, it should work: you attached wlan to the bridge, and that's all that is needed.
So it would appear you've made an error in the wifi settings somewhere.

On my wifi there is not much to screw up.

Wireless Settings:
a. mode = ap bridge

I'll try to separate the wlan from the bridge and see if it makes any difference. Will give it a try tomorrow.

For what purpose? It's right to be on the bridge,
but review to see if your wifi settings are okay.

Well, I've separated the wlan, set its own DHCP and gateway, and assigned a new address, and it works.
wlan is working, but somehow when under the bridge it is not working.

Does wlan need to be assigned its own IP?

# jan/15/2023 10:02:00 by RouterOS 6.49.7
# software id = T9PD-VUT8
#
# model = RB941-2nD
# serial number = HCR087MNR5P
/interface bridge
add name=Bridge_LAN
/interface list
add name=WAN
add name=Sys
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=E3User supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=indonesia disabled=no \
    frequency=2417 mode=ap-bridge security-profile=E3User ssid=E3Cipanas \
    wds-default-bridge=Bridge_LAN
/ip pool
add name=LAN ranges=192.168.27.10-192.168.27.254
add name=Sys ranges=192.168.88.2-192.168.88.10
add name=WLAN ranges=192.168.28.2-192.168.28.250
/ip dhcp-server
add add-arp=yes address-pool=LAN disabled=no interface=Bridge_LAN lease-time=\
    12h name=DHCP_LAN
add add-arp=yes address-pool=Sys disabled=no interface=ether4 name=DHCP_Sys
add address-pool=WLAN disabled=no interface=wlan1 name=DHCP_Wlan
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=Sys
/interface list member
add interface=ether1 list=WAN
add interface=ether4 list=Sys
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
add interface=ether4 list=LAN
/ip address
add address=192.168.88.1/24 interface=ether4 network=192.168.88.0
add address=192.168.27.1/24 interface=Bridge_LAN network=192.168.27.0
add address=192.168.28.1/24 interface=wlan1 network=192.168.28.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.27.1
add address=192.168.28.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.28.1
add address=192.168.88.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=192.168.27.0/24,192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=Marge
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Anyway, this should suffice for now. At least both LAN and WLAN are now able to access the internet.

In the first post I see you include the wlan interface as a bridge port, but you want to set it to have a different IP network from the bridge network. Of course it doesn't work, since if you insist on making wlan a member of the bridge port, you must use the bridge network to make it work.
I see your main goal is to make a different network for wlan users, so the workaround is to remove that wlan from the bridge port and then set up its own network (which you set up in your last config).
OR you can use VLAN. With VLAN, even if wlan is a member of the bridge port, it can have its own network (different from the bridge network).

CMIIW

The first setup only has 1 IP network (27) within the bridge, and wlan is a member of the bridge. With this setup, LAN is able to get internet but WLAN doesn't get internet. The other network, IP 88, is assigned to another port, ether4 (Sys).

In the last post I then took wlan out of the bridge and set it up on its own; this then solved the wlan getting internet access, but using a different network. LAN is 27, wlan is 28.

I've read the other thread and other sources on setting up; the setup of wlan under 1 bridge should work, but not in my case though.
I've rebooted the router, enabled and re-enabled bridges and the wlan interface. Still nothing.

Well, this is another happy problem.

I want to create 2 SSIDs:
1 for IOT (192.168.28.0/24)
1 for Guest (192.168.29.0/24)

I tried to combine the 2 into 1 bridge; it doesn't work: both IOT and Guest have no internet.
Unbridged both of them, set DHCP server, assigned address, added gateway and the whole shebang.
IOT as the main wlan is able to access the internet.
Guest: no luck with internet.
Below is my config; a fresh set of eyes is very much welcome. Thank you!

# jan/15/2023 14:39:50 by RouterOS 6.49.7
# software id = T9PD-VUT8
#
# model = RB941-2nD
# serial number = HCR087MNR5P
/interface bridge
add name=Bridge_LAN
/interface list
add name=WAN
add name=Sys
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=E3User supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=E3IOT \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=indonesia disabled=no \
    frequency=2472 mode=ap-bridge security-profile=E3IOT ssid=E3IOT \
    wds-default-bridge=Bridge_LAN
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:39:10:18 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2 ssid=\
    E3Cipanas wds-cost-range=0 wds-default-cost=0 wps-mode=push-button-5s
/ip hotspot profile
set [ find default=yes ] hotspot-address=192.168.27.1
/ip pool
add name=LAN ranges=192.168.27.10-192.168.27.250
add name=Sys ranges=192.168.88.2-192.168.88.10
add name=wlan_IOT ranges=192.168.28.10-192.168.28.250
add name=wlan_guest ranges=192.168.29.10-192.168.29.250
/ip dhcp-server
add add-arp=yes address-pool=LAN disabled=no interface=Bridge_LAN lease-time=\
    12h name=DHCP_LAN
add add-arp=yes address-pool=Sys disabled=no interface=ether4 name=DHCP_Sys
add add-arp=yes address-pool=wlan_IOT disabled=no interface=wlan1 lease-time=\
    12h name=DHCP_WLANIIOT
add add-arp=yes address-pool=wlan_guest disabled=no interface=wlan2 \
    lease-time=12h name=DHCP_WLANGuest
/ip hotspot
add address-pool=wlan_IOT interface=wlan2 name=HotSpot_Server
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=Sys
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=ether1 list=WAN
add interface=ether4 list=Sys
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
add interface=ether4 list=LAN
add list=LAN
/ip address
add address=192.168.88.1/24 interface=ether4 network=192.168.88.0
add address=192.168.27.1/24 interface=Bridge_LAN network=192.168.27.0
add address=192.168.28.1/24 interface=wlan1 network=192.168.28.0
add address=192.168.29.1/24 interface=wlan2 network=192.168.29.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.27.1
add address=192.168.28.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.28.1
add address=192.168.29.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.29.1
add address=192.168.88.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot user
add name=E3Guest server=HotSpot_Server
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=\
    192.168.27.0/24,192.168.28.0/24,192.168.29.0/24,192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Jayapura
/system identity
set name=Marge
/system logging
add topics=wireless
add topics=dhcp
add topics=bridge
add topics=dns
add topics=error
add topics=hotspot
add topics=interface
add topics=wireless
add topics=firewall
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Very annoying that you keep changing the requirements, which tells me you don't know what you want LOL.
Having multiple SSIDs with different groups of users is a totally different scenario. :slight_smile: Will look at this later..

For many networks managed inside a MikroTik router, just a suggestion to use Bridge VLAN Filtering, bro. Nothing wrong if not using VLAN, but with VLAN it is more convenient and expandable in future.
For myself I only use an ethernet port that is not a member port of the default bridge, just for backup emergency access ONLY, in case I accidentally can't access the router (config mistake or anything).

I have been there, since I learned MikroTik only from the tutorials around. At that time, like this, adding a new network segment meant releasing that ethernet port from the default bridge, so I could set a DHCP server on that port since it's not a slave port anymore.

Back to your setting: I see wlan2 (Guest) is a slave of wlan1 (IOT). As far as I know, a slave interface can't have its own DHCP server?
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=indonesia disabled=no frequency=2472 mode=ap-bridge security-profile=E3IOT ssid=E3IOT wds-default-bridge=Bridge_LAN
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:39:10:18 master-interface=wlan1 multicast-buffering=disabled name=wlan2 ssid=E3Cipanas wds-cost-range=0 wds-default-cost=0 wps-mode=push-button-5s
That's why from the start I encouraged you to use VLAN. For an ethernet port you can simply make that port leave the default bridge's member ports, since it's a physical port. But for your hAP-Lite? That wlan2 is a VIRTUAL WLAN, not another physical wlan. wlan2 is a virtual interface which is a slave of its master wlan1.

Then the hotspot?
/ip hotspot profile
set [ find default=yes ] hotspot-address=192.168.27.1
/ip pool
add name=LAN ranges=192.168.27.10-192.168.27.250
add name=Sys ranges=192.168.88.2-192.168.88.10
add name=wlan_IOT ranges=192.168.28.10-192.168.28.250
add name=wlan_guest ranges=192.168.29.10-192.168.29.250
/ip dhcp-server
add add-arp=yes address-pool=LAN disabled=no interface=Bridge_LAN lease-time=12h name=DHCP_LAN
add add-arp=yes address-pool=Sys disabled=no interface=ether4 name=DHCP_Sys
add add-arp=yes address-pool=wlan_IOT disabled=no interface=wlan1 lease-time=12h name=DHCP_WLANIIOT
add add-arp=yes address-pool=wlan_guest disabled=no interface=wlan2 lease-time=12h name=DHCP_WLANGuest
/ip hotspot
add address-pool=wlan_IOT interface=wlan2 name=HotSpot_Server

Hotspot server interface=wlan2 with address pool=wlan_IOT,
while the DHCP server with address pool wlan_IOT is on interface=wlan1 :open_mouth:
Then the hotspot profile set [ find default=yes ] hotspot-address=192.168.27.1, which is the DHCP_LAN address :open_mouth:
I am really confused.

CMIIW.

Lol.
My thinking was getting at least all LAN and WLAN getting internet access, then start exploring this multi-SSID thingy.

Anyway, I managed to get all in 1 bridge; I've used the default configuration that comes with the router. Strangely it all works under 1 bridge.

Now I am able to get 2 SSIDs up, without VLAN though. Will spare some time to explore the VLAN setup.

Yep, gonna spare some time to explore the VLAN.
And yes, the wlan2 virtual interface can't be assigned a DHCP server; found this out the hard way when I tried to set up a hotspot hahaha.

So yes, next step is gonna have to be exploring VLAN. For now this should be suitable until I have the time and focus to explore more.

Default config: all interfaces in the bridge (except ether1 as WAN), DHCP server on the bridge interface. All clients get default bridge network IPs and must be able to connect to the internet.
Of course an SSID, even one on a slave interface, as long as it's part of that default bridge port, surely can get bridge network IPs and get internet.

All your trouble before happened because you wanted those slave interfaces to have their own network IPs, different from the default bridge IPs, without using VLAN but using routed interfaces.
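The bridge VLAN filtering setup that two replies above recommend (one network per SSID while wlan1 and the virtual AP wlan2 both stay on the bridge), written out as an added example that is not the original poster's config or a MikroTik document. It assumes the same RB941-2nD on RouterOS 6.49.x, the existing Bridge_LAN, wlan1 (IOT) with virtual AP wlan2 (Guest), the WAN/LAN/Sys interface lists and firewall from the last export, and the subnets the thread already uses; the VLAN IDs, the interface names, the pool names and the new `Untrusted` list are chosen here for illustration.

```routeros
# Added example, not the original poster's config. Assumed layout:
#   VLAN 27  192.168.27.0/24  wired LAN  (ether2, ether3)
#   VLAN 28  192.168.28.0/24  IOT        (wlan1)
#   VLAN 29  192.168.29.0/24  Guest      (wlan2, virtual AP on wlan1)
# ether4 stays OFF the bridge as the Sys/rescue port (192.168.88.1/24) so a
# mistake below cannot lock you out; leave it exactly as it is in the export.

# 1. Clear the per-interface addressing from the last export; the L3 side
#    moves to VLAN interfaces in step 4.
/ip dhcp-server remove [ find interface=Bridge_LAN ]
/ip dhcp-server remove [ find interface=wlan1 ]
/ip dhcp-server remove [ find interface=wlan2 ]
/ip address remove [ find interface=Bridge_LAN ]
/ip address remove [ find interface=wlan1 ]
/ip address remove [ find interface=wlan2 ]

# 2. Every access interface on the bridge. pvid = the VLAN the clients'
#    untagged traffic lands in; ingress-filtering + frame-types reject any
#    tagged frame a client might craft to hop into another VLAN.
/interface bridge port remove [ find bridge=Bridge_LAN ]
/interface bridge port
add bridge=Bridge_LAN interface=ether2 pvid=27 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=Bridge_LAN interface=ether3 pvid=27 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=Bridge_LAN interface=wlan1 pvid=28 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=Bridge_LAN interface=wlan2 pvid=29 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# 3. VLAN table. The bridge itself must be a TAGGED member of every VLAN
#    that carries a router IP address; forgetting this is the classic lock-out.
/interface bridge vlan
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=ether2,ether3 vlan-ids=27
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=wlan1 vlan-ids=28
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=wlan2 vlan-ids=29

# 4. One L3 interface per VLAN. Unlike wlan2, these are not slave
#    interfaces, so each can carry its own address, pool and DHCP server.
/interface vlan
add interface=Bridge_LAN name=vlan27_LAN vlan-id=27
add interface=Bridge_LAN name=vlan28_IOT vlan-id=28
add interface=Bridge_LAN name=vlan29_Guest vlan-id=29
/ip address
add address=192.168.27.1/24 interface=vlan27_LAN
add address=192.168.28.1/24 interface=vlan28_IOT
add address=192.168.29.1/24 interface=vlan29_Guest
/ip pool
add name=pool_LAN ranges=192.168.27.10-192.168.27.250
add name=pool_IOT ranges=192.168.28.10-192.168.28.250
add name=pool_Guest ranges=192.168.29.10-192.168.29.250
/ip dhcp-server
add name=DHCP_LAN interface=vlan27_LAN address-pool=pool_LAN lease-time=12h disabled=no
add name=DHCP_IOT interface=vlan28_IOT address-pool=pool_IOT lease-time=12h disabled=no
add name=DHCP_Guest interface=vlan29_Guest address-pool=pool_Guest lease-time=12h disabled=no
/ip dhcp-server network
add address=192.168.27.0/24 gateway=192.168.27.1 dns-server=1.1.1.1,8.8.8.8
add address=192.168.28.0/24 gateway=192.168.28.1 dns-server=1.1.1.1,8.8.8.8
add address=192.168.29.0/24 gateway=192.168.29.1 dns-server=1.1.1.1,8.8.8.8

# 5. For routed traffic the firewall sees the VLAN interface as in-interface,
#    not the bridge port. Only the wired LAN goes in the LAN list (router
#    access per the existing input rules); IOT and Guest go in a new list that
#    gets an internet-only forward rule, so the existing final drop rules keep
#    them off the wired LAN, off each other and off the router's own ports.
/interface list add name=Untrusted
/interface list member remove [ find interface=wlan1 ]
/interface list member
add interface=vlan27_LAN list=LAN
add interface=vlan28_IOT list=Untrusted
add interface=vlan29_Guest list=Untrusted
/ip firewall filter
add chain=forward action=accept in-interface-list=Untrusted out-interface-list=WAN \
    comment="IOT/Guest: internet only" place-before=[ find comment="allow internet traffic" ]

# 6. Last, because this is the switch that makes steps 2-5 take effect.
/interface bridge set Bridge_LAN vlan-filtering=yes

# Checks: each port shows its pvid, each VLAN lists the bridge as a tagged
# member, and a phone on the Guest SSID receives a 192.168.29.x lease.
/interface bridge port print
/interface bridge vlan print
/ip dhcp-server lease print
```

Apply this from the ether4 rescue port, not from a bridged port, since step 1 removes the bridge address you would be connected through. If you later point the DHCP `dns-server` at the router itself, add an input rule accepting UDP and TCP port 53 from the `Untrusted` list, placed above "drop all else", or those clients will lose name resolution. To my knowledge the hAP lite's switch chip does not hardware-offload bridge VLAN filtering on RouterOS 6, so bridged traffic is forwarded by the CPU once `vlan-filtering=yes` is set; at this board's 100 Mbit/s ports that is normally acceptable, but it is worth knowing when watching CPU load.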