Evelas
just joined
Topic Author
Posts: 6
Joined: Wed Mar 06, 2019 2:17 pm

Basic wireless with cAP ac - network specific setup

Wed Mar 06, 2019 2:42 pm

Hello,

I am not sure if this is the correct forum, if not, please move this topic accordingly.
I am also new to MikroTik devices in general.
All the IPs mentioned in here are on the same local network and I will shorten them - 10.0.0.1 = xx.1 etc.

I need to install MikroTik cAP ac as a basic access point in our company, but I got stuck at connecting it to the internet. Public network traffic is all routed through xx.252. Also, only devices with local IP up to xx.100 have internet access, the rest of the range does not. I assign these IPs manually, the rest is using DHCP.

Winbox is used for setup.
I tried setting the AP up using Quick Set as WISP AP. I have set up all the wireless settings no problem. Other settings follow.

Configuration: Bridge
Address: Static
IP: xx.40
Netmask: 255.255.255.0
Gateway: xx.252
DNS: xx.7 (our DNS)


Needless to say, the WiFi network does not show up.

So I have set up a Wireless table, set up as "ap bridge". Once I have set the SSID, it appeared on my phone and I was able to log in with the password I set up in Quick Set. I did not have any connection though.
I tried pinging all the IPs and also some webs using the terminal and all were successful.

What I think I need is to pass the connection from the AP itself to the WLAN set up in the WinBox.
My goal is to get an AP with both 2.4GHz and 5GHz, custom SSID and WPA2 authentication.

Thank you for any help.

Best Regards.

Evelas.
 
anav
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic wireless with cAP ac - network specific setup

Wed Mar 06, 2019 3:55 pm

Hi Evelas,
I have two capAC in my home so I can help.
I also use Wisp-AP with no problem.
What is the main router you are using and what kind of traffic do you have flowing to and from the capac (any vlans??)

Diagrams help.
Also post your latest capac config
/export hide-sensitive file=yourconfigmar06
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Evelas
just joined
Topic Author
Posts: 6
Joined: Wed Mar 06, 2019 2:17 pm

Re: Basic wireless with cAP ac - network specific setup

Thu Mar 07, 2019 9:50 am

Thank you for answering.

Our main router is MT RB 3011 UiAS-RM (xx.252), this part of the network is just for connecting to the internet, without access to our internal network. We use it only for public/guest WiFi and also some debugging. There is no other speciality traffic.

Exported config
https://drive.google.com/open?id=1V86HG ... DyquLtQPMa
 
erlinden
Member Candidate
Posts: 173
Joined: Wed Jun 12, 2013 1:59 pm

Re: Basic wireless with cAP ac - network specific setup

Thu Mar 07, 2019 10:16 am

If you want to configure your cAP ac as an access point, you shouldn't configure a DHCP server on it. If you create a bridge and add all interfaces to it (like you did), all devices will get their IP address from the corporate DHCP server (as will the cAP ac itself if you define a DHCP client).

Two additional tips: don't use 40MHz bandwidth on the 2G radio, and select channels manually.
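A cAP ac configuration that follows the advice above, added here as an example; it is not taken from this thread, from Evelas's export or from MikroTik documentation. It bridges every port and both radios, runs no DHCP server on the AP, binds both radios to one WPA2-only security profile, and pins the 2.4 GHz radio to 20 MHz on a fixed channel. The SSIDs, the management address 10.66.81.40/24, the gateway 10.66.81.252 and the DNS server 10.66.81.7 come from the thread; the profile name corp-wpa2, the placeholder pre-shared key, the channel choices (2437 and 5180), and the decision to give the AP a static address on the bridge rather than a DHCP client are assumptions. It is written for a unit reset with /system reset-configuration no-defaults=yes, so every object is created rather than edited.

```routeros
# Added example, not from the thread: cAP ac as a plain bridged access point
# (RouterOS 6.4x syntax). Assumed: profile name corp-wpa2, placeholder PSK,
# channels 2437 / 5180, static management address on the bridge.

# 1. One bridge with every port and both radios as members. Wireless clients
#    then sit on the same L2 segment as the corporate DHCP server behind the
#    RB3011 and get their addresses from there, not from the AP.
/interface bridge
add name=bridge comment="AP bridge"
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2

# 2. WPA2-PSK only with AES-CCM only: no WPA1/TKIP fallback is offered, and
#    802.11w management-frame protection is allowed for clients that support it.
/interface wireless security-profiles
add name=corp-wpa2 mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    management-protection=allowed wpa2-pre-shared-key="CHANGE-ME-PLACEHOLDER"

# 3. Both radios in ap-bridge mode bound to that profile. 2.4 GHz stays at
#    20 MHz on a fixed channel (6 = 2437 MHz); 5 GHz also gets a fixed channel
#    (36 = 5180 MHz) instead of frequency=auto.
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge band=2ghz-b/g/n \
    channel-width=20mhz frequency=2437 ssid="PPCZ 2,4GHz" \
    security-profile=corp-wpa2 wireless-protocol=802.11 disabled=no
set [ find default-name=wlan2 ] mode=ap-bridge band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-Ceee frequency=5180 ssid=PPCZ \
    security-profile=corp-wpa2 wireless-protocol=802.11 disabled=no

# 4. No DHCP server, pool or server-network on the AP. On a unit that still
#    carries an older config these removes clean that up; on a reset unit they
#    are no-ops. The management address goes on the bridge interface itself,
#    never on a port that is a bridge member.
/ip dhcp-server
remove [ find ]
/ip dhcp-server network
remove [ find ]
/ip pool
remove [ find ]
/ip address
remove [ find ]
add address=10.66.81.40/24 interface=bridge
/ip route
remove [ find dst-address=0.0.0.0/0 dynamic=no ]
add dst-address=0.0.0.0/0 gateway=10.66.81.252
/ip dns
set servers=10.66.81.7
# To let the corporate DHCP server address the AP instead, replace the
# /ip address, /ip route and /ip dns lines above with:
#   /ip dhcp-client add interface=bridge disabled=no

# 5. Checks after applying: both radios enabled and running, clients showing
#    up in the registration table, and the address on the bridge (no "I"
#    invalid flag in the print output).
/interface wireless print
/interface wireless registration-table print
/ip address print
```

The only addresses the AP needs are its own management address, a default route and a DNS server; nothing in sections 1 to 4 touches the RB3011, so the router's existing rules for which hosts may reach the internet keep applying to wireless clients exactly as they do to wired ones.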
 
Evelas
just joined
Topic Author
Posts: 6
Joined: Wed Mar 06, 2019 2:17 pm

Re: Basic wireless with cAP ac - network specific setup

Thu Mar 07, 2019 12:00 pm

These are the DHCP settings with the same config I exported. The server is turned off as far as I can tell.
DHCP.PNG
 
anav
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic wireless with cAP ac - network specific setup

Thu Mar 07, 2019 4:11 pm

/export hide-sensitive file=yourconfigmar07capac
/export hide-sensitive file=yourconfigmar07rb3011

Provide both configs, and by that I mean not Google Drive (not accessible by all).
After downloading both files to your PC (I use Notepad++),
copy and paste them into the thread.
Use the black square with white brackets above (same line as Bold and Underline) to highlight the pasted bit and it will code up and shorten the text field.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Evelas
just joined
Topic Author
Posts: 6
Joined: Wed Mar 06, 2019 2:17 pm

Re: Basic wireless with cAP ac - network specific setup

Thu Mar 07, 2019 7:26 pm

Sorry, I've been using Drive a ton lately, it didn't occur to me it could be an issue.

yourconfigmar07capac
# mar/07/2019 15:59:25 by RouterOS 6.44
# software id = 6NY0-H0MW
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = ADCB0AD96ED1
/interface bridge
add admin-mac=74:4D:28:13:CE:4E auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    "PPCZ 2,4GHz" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=PPCZ wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity=""
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=10.66.81.43-10.66.81.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=10.66.81.40/24 interface=ether2 network=10.66.81.0
add address=10.66.81.41/24 disabled=yes interface=ether1 network=10.66.81.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dhcp-server network
add address=10.66.81.0/24 gateway=10.66.81.41 netmask=24
/ip dns
set servers=10.66.81.7
/ip route
add distance=1 gateway=10.66.81.252
/system clock
set time-zone-name=Europe/Prague
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
yourconfigmar07rb3011
# mar/07/2019 15:59:34 by RouterOS 6.44
# software id = 6NY0-H0MW
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = ADCB0AD96ED1
/interface bridge
add admin-mac=74:4D:28:13:CE:4E auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    "PPCZ 2,4GHz" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=PPCZ wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity=""
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=10.66.81.43-10.66.81.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=10.66.81.40/24 interface=ether2 network=10.66.81.0
add address=10.66.81.41/24 disabled=yes interface=ether1 network=10.66.81.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dhcp-server network
add address=10.66.81.0/24 gateway=10.66.81.41 netmask=24
/ip dns
set servers=10.66.81.7
/ip route
add distance=1 gateway=10.66.81.252
/system clock
set time-zone-name=Europe/Prague
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
 
anav
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic wireless with cAP ac - network specific setup

Thu Mar 07, 2019 9:09 pm

Those are both capac configs LOL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Evelas
just joined
Topic Author
Posts: 6
Joined: Wed Mar 06, 2019 2:17 pm

Re: Basic wireless with cAP ac - network specific setup

Fri Mar 08, 2019 7:53 am

I exported this today. I only changed the date to 8th (no changes were made in the config). I also tried exporting yesterday's config, but I got the same file.
# mar/08/2019 06:49:43 by RouterOS 6.44
# software id = 6NY0-H0MW
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = ADCB0AD96ED1
/interface bridge
add admin-mac=74:4D:28:13:CE:4E auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    "PPCZ 2,4GHz" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=PPCZ wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity=""
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=10.66.81.43-10.66.81.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=10.66.81.40/24 interface=ether2 network=10.66.81.0
add address=10.66.81.41/24 disabled=yes interface=ether1 network=10.66.81.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dhcp-server network
add address=10.66.81.0/24 gateway=10.66.81.41 netmask=24
/ip dns
set servers=10.66.81.7
/ip route
add distance=1 gateway=10.66.81.252
/system clock
set time-zone-name=Europe/Prague
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
 
anav
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic wireless with cAP ac - network specific setup

Fri Mar 08, 2019 2:00 pm

Good day,
I understand your frustration, but clearly all the configs are from the cap as evidenced by the model# - 4 lines down from the top and the same MAC address etc etc etc.

I think what you are doing is getting all your configs from the capac and thus simply using a file name that is not reflective of the unit you are actually getting the config from.
The file name can be anything but you are identifying the wrong device in your file name. In other words you need to go into the RB3011 via winbox to download the file.
Easy to do if rushed or tired.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Evelas
just joined
Topic Author
Posts: 6
Joined: Wed Mar 06, 2019 2:17 pm

Re: Basic wireless with cAP ac - network specific setup

Fri Mar 08, 2019 3:06 pm

Gotcha. I'm just dumb and I didn't realize that the RB3011 in the file name stands for the device. Here is the proper config.
# mar/08/2019 14:03:36 by RouterOS 6.44
# software id = LSNA-D4P4
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED09469E9C
/interface bridge
add admin-mac=00:0C:42:5B:12:B8 auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1524 mac-address=00:0C:42:5B:12:BB \
    name=WAN-ether1 speed=100Mbps
set [ find default-name=ether2 ] l2mtu=1524 mac-address=00:0C:42:5B:12:BA \
    speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1524 mac-address=00:0C:42:5B:12:B9 \
    speed=100Mbps
set [ find default-name=ether4 ] l2mtu=1524 mac-address=00:0C:42:5B:12:B8 \
    name=ether4-lan speed=100Mbps
set [ find default-name=ether5 ] name=ether5-lan2
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=fallback
set 1 default-vlan-id=0 vlan-mode=fallback
set 2 default-vlan-id=0 vlan-mode=fallback
set 9 default-vlan-id=0 vlan-mode=fallback
set 10 default-vlan-id=0 vlan-mode=fallback
/interface list
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] group-ciphers="" supplicant-identity=MikroTik \
    unicast-ciphers=""
/ip ipsec profile
add dh-group=modp768 dpd-interval=30s enc-algorithm=des lifetime=8m name=\
    profile_1 nat-traversal=no
add dh-group=modp1024 dpd-interval=30s enc-algorithm=3des lifetime=1m name=\
    profile_2 nat-traversal=no
add dh-group=modp768 dpd-interval=30s dpd-maximum-failures=3 enc-algorithm=\
    3des lifetime=8h name=profile_3 nat-traversal=no
add dh-group=modp1024 dpd-interval=30s enc-algorithm=3des lifetime=8h name=\
    profile_4 nat-traversal=no
/ip ipsec peer
add address=93.90.135.149/32 disabled=yes name=peer2 profile=profile_2
add address=62.154.195.58/32 disabled=yes name=peer3 profile=profile_3
add address=62.100.229.4/32 disabled=yes name=peer4 profile=profile_4
add address=62.100.229.3/32 disabled=yes name=peer1 profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add disabled=yes enc-algorithms=3des lifetime=8m name=Ajka
add disabled=yes enc-algorithms=3des lifetime=8m name=sap
add disabled=yes enc-algorithms=3des lifetime=8h name=TM1 pfs-group=modp768
add disabled=yes enc-algorithms=3des lifetime=8h name=Ajkanew pfs-group=none
/ppp profile
add dns-server=10.66.81.7 name=PPTP use-compression=yes use-encryption=\
    required
/queue interface
set WAN-ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4-lan queue=ethernet-default
/snmp community
set [ find default=yes ] addresses=80.251.240.141/32
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=WAN-ether1
add bridge=bridge1 interface=ether4-lan
/interface bridge settings
set use-ip-firewall=yes
/interface list member
add interface=bridge1 list=mactel
add interface=ether3 list=mactel
add interface=bridge1 list=mac-winbox
add interface=ether2 list=mactel
add interface=ether3 list=mac-winbox
add interface=WAN-ether1 list=mactel
add interface=ether2 list=mac-winbox
add interface=WAN-ether1 list=mac-winbox
/interface pptp-server server
set default-profile=PPTP enabled=yes
/ip address
add address=77.48.206.11/29 interface=WAN-ether1 network=77.48.206.8
add address=10.66.81.252/24 interface=bridge1 network=10.66.81.0
add address=10.66.82.254/24 interface=ether5-lan2 network=10.66.82.0
add address=192.168.0.252/24 interface=bridge1 network=192.168.0.0
add address=77.48.206.10/29 interface=WAN-ether1 network=77.48.206.8
add address=10.66.83.252/24 interface=bridge1 network=10.66.83.0
add address=10.66.84.254/24 interface=bridge1 network=10.66.84.0
/ip dns
set max-udp-packet-size=512 servers=77.48.204.2,193.85.28.2
/ip firewall address-list
add address=gate.extranet.cz list=admin
add address=gate.mlecka.cz list=admin
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=bridge1
add action=accept chain=input in-interface=ether5-lan2
add action=accept chain=input dst-address=77.48.206.11 dst-port=8291 \
    protocol=tcp src-address-list=admin
add action=accept chain=input dst-address=77.48.206.10 dst-port=8291 \
    protocol=tcp src-address-list=admin
# in/out-interface matcher not possible when interface (WAN-ether1) is slave - use master instead (bridge1)
add action=drop chain=input in-interface=WAN-ether1 src-address-list=admin
add action=log chain=forward disabled=yes dst-port=25 log-prefix=smtp-forward \
    protocol=tcp src-address=10.66.81.0/24
add action=accept chain=forward dst-port=80 protocol=tcp src-address=\
    10.66.81.21
add action=accept chain=forward dst-port=443 protocol=tcp src-address=\
    10.66.81.8
add action=accept chain=forward dst-port=80 protocol=tcp src-address=\
    10.66.81.8
add action=accept chain=forward src-address=10.66.81.9
add action=accept chain=forward dst-port=443 protocol=tcp src-address=\
    10.66.81.9
add action=accept chain=forward src-address=10.66.81.10
add action=accept chain=forward src-address=10.66.81.31
add action=drop chain=forward disabled=yes dst-port=80 protocol=tcp \
    src-address=10.66.81.0/24
add action=drop chain=forward dst-port=25 protocol=tcp src-address=\
    10.66.81.0/24
add action=log chain=forward disabled=yes log-prefix=190 src-address=\
    10.66.81.190
add action=accept chain=forward
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=\
    10.66.81.0/24
add action=accept chain=srcnat disabled=yes dst-address=10.1.111.0/24 \
    src-address=10.66.81.0/24
add action=accept chain=srcnat dst-address=192.168.48.0/24 src-address=\
    10.66.81.0/24
add action=src-nat chain=srcnat comment=MTA-PPCZ src-address=10.66.81.9 \
    to-addresses=77.48.206.10
add action=dst-nat chain=dstnat dst-address=77.48.206.10 dst-port=25 \
    protocol=tcp to-addresses=10.66.81.9 to-ports=25
add action=dst-nat chain=dstnat dst-address=77.48.206.10 dst-port=110 \
    protocol=tcp to-addresses=10.66.81.9 to-ports=110
add action=dst-nat chain=dstnat dst-address=77.48.206.10 dst-port=143 \
    protocol=tcp to-addresses=10.66.81.9 to-ports=143
add action=dst-nat chain=dstnat dst-address=77.48.206.10 dst-port=443 \
    protocol=tcp to-addresses=10.66.81.9 to-ports=443
add action=dst-nat chain=dstnat dst-address=77.48.206.10 dst-port=993 \
    protocol=tcp to-addresses=10.66.81.9 to-ports=993
add action=dst-nat chain=dstnat dst-address=77.48.206.10 dst-port=995 \
    protocol=tcp to-addresses=10.66.81.9 to-ports=995
add action=dst-nat chain=dstnat dst-address=77.48.206.10 dst-port=7025 \
    protocol=tcp src-address=10.66.81.9 to-addresses=10.66.81.9 to-ports=7025
add action=masquerade chain=srcnat comment=Masquerade src-address=\
    192.168.0.0/24
add action=masquerade chain=srcnat src-address=10.66.81.0/24
add action=dst-nat chain=dstnat comment="Prerouting local" dst-address=\
    77.48.206.11 dst-port=6129 protocol=tcp to-addresses=10.66.81.42 \
    to-ports=6129
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=6129 \
    protocol=udp to-addresses=10.66.81.42 to-ports=6129
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5000 \
    protocol=tcp to-addresses=10.66.81.42 to-ports=5000
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5000 \
    protocol=udp to-addresses=10.66.81.42 to-ports=5000
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5900 \
    protocol=tcp to-addresses=10.66.81.190 to-ports=5900
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5900 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.190 \
    to-ports=5900
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5999 \
    protocol=tcp to-addresses=10.66.81.45 to-ports=5999
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=3348 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.8 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5050 \
    protocol=tcp to-addresses=10.66.81.144 to-ports=5050
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=3344 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.21 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=7000 \
    protocol=tcp to-addresses=10.66.81.99 to-ports=7000
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=2222 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.9 to-ports=\
    22
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=7777 \
    protocol=tcp to-addresses=10.66.81.75 to-ports=7777
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=3322 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.10 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=3323 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.7 to-ports=\
    3389
add action=dst-nat chain=dstnat comment=hv2018 dst-address=77.48.206.11 \
    dst-port=3313 protocol=tcp src-address=46.167.236.66 to-addresses=\
    10.66.81.13 to-ports=3389
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=11433 \
    protocol=tcp src-address=193.17.248.202 to-addresses=10.66.81.8 to-ports=\
    1433
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=11433 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.8 to-ports=\
    1433
add action=dst-nat chain=dstnat comment=palstat dst-address=77.48.206.10 \
    dst-port=3348 protocol=tcp src-address=91.218.189.26 to-addresses=\
    10.66.81.8 to-ports=3389
add action=dst-nat chain=dstnat comment=plc-stroj dst-address=77.48.206.10 \
    dst-port=102 protocol=tcp to-addresses=192.168.0.1 to-ports=102
add action=dst-nat chain=dstnat comment=plc-stroj dst-address=77.48.206.10 \
    dst-port=8448 protocol=tcp to-addresses=192.168.0.1 to-ports=8448
add action=dst-nat chain=dstnat comment=Agathon dst-address=77.48.206.10 \
    dst-port=4887 protocol=tcp to-addresses=10.66.81.42 to-ports=4887
add action=dst-nat chain=dstnat comment=PPCZ-APP dst-address=77.48.206.11 \
    dst-port=3343 protocol=tcp src-address=46.167.236.66 to-addresses=\
    10.66.81.17 to-ports=3389
add action=dst-nat chain=dstnat comment=PPCZ-APP dst-address=77.48.206.11 \
    dst-port=3343 protocol=tcp src-address=91.239.237.218 to-addresses=\
    10.66.81.17 to-ports=3389
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec identity
add peer=peer1
add peer=peer2
add peer=peer3
add peer=peer4
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=10.1.111.0/24 proposal=sap sa-dst-address=\
    93.90.135.149 sa-src-address=77.48.206.11 src-address=10.66.81.0/24 \
    tunnel=yes
add disabled=yes dst-address=192.168.10.0/24 proposal=Ajka sa-dst-address=\
    62.100.229.3 sa-src-address=77.48.206.11 src-address=10.66.81.0/24 \
    tunnel=yes
add disabled=yes dst-address=192.168.48.0/24 proposal=TM1 sa-dst-address=\
    62.154.195.58 sa-src-address=77.48.206.11 src-address=10.66.81.0/24 \
    tunnel=yes
add disabled=yes dst-address=192.168.8.0/21 proposal=Ajkanew sa-dst-address=\
    62.100.229.4 sa-src-address=77.48.206.11 src-address=10.66.81.0/24 \
    tunnel=yes
/ip proxy
set cache-path=web-proxy1 max-cache-size=none parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=77.48.206.9
add distance=1 dst-address=192.168.20.0/22 gateway=10.66.81.254
add distance=1 dst-address=192.168.48.0/24 gateway=10.66.81.254
/ip service
set telnet address=80.251.246.126/32 disabled=yes
set ftp disabled=yes
set www disabled=yes port=8080
set ssh address=80.251.240.128/26 disabled=yes
set api disabled=yes
/ppp secret
add disabled=yes local-address=10.66.81.223 name=zaluda profile=PPTP \
    remote-address=10.66.81.224 service=pptp
add disabled=yes local-address=10.66.81.221 name=maslan profile=PPTP \
    remote-address=10.66.81.222 service=pptp
/snmp
set enabled=yes trap-target=0.0.0.0
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Prague
/system identity
set name=meister
/system logging
set 0 disabled=yes topics=ipsec
add action=remote
add action=echo topics=firewall
/system ntp client
set enabled=yes primary-ntp=80.251.240.33
/system resource irq rps
set ether3 disabled=no
set ether2 disabled=no
set WAN-ether1 disabled=no
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool traffic-monitor
add disabled=yes name=tmon1 threshold=0
 
anav
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic wireless with cAP ac - network specific setup

Fri Mar 08, 2019 5:02 pm

Gotcha. I'm just tired and confused (not dumb) and I didn't realize that the RB3011 in the file name stands for the device. Here is the proper config.
add action=dst-nat chain=dstnat comment="Prerouting local" dst-address=\
    77.48.206.11 dst-port=6129 protocol=tcp to-addresses=10.66.81.42 \
    to-ports=6129
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=6129 \
    protocol=udp to-addresses=10.66.81.42 to-ports=6129
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5000 \
    protocol=tcp to-addresses=10.66.81.42 to-ports=5000
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5000 \
    protocol=udp to-addresses=10.66.81.42 to-ports=5000
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5900 \
    protocol=tcp to-addresses=10.66.81.190 to-ports=5900
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5900 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.190 \
    to-ports=5900
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5999 \
    protocol=tcp to-addresses=10.66.81.45 to-ports=5999
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=3348 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.8 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=5050 \
    protocol=tcp to-addresses=10.66.81.144 to-ports=5050
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=3344 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.21 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=7000 \
    protocol=tcp to-addresses=10.66.81.99 to-ports=7000
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=2222 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.9 to-ports=\
    22
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=7777 \
    protocol=tcp to-addresses=10.66.81.75 to-ports=7777
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=3322 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.10 to-ports=\
    3389
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=3323 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.7 to-ports=\
    3389
add action=dst-nat chain=dstnat comment=hv2018 dst-address=77.48.206.11 \
    dst-port=3313 protocol=tcp src-address=46.167.236.66 to-addresses=\
    10.66.81.13 to-ports=3389
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=11433 \
    protocol=tcp src-address=193.17.248.202 to-addresses=10.66.81.8 to-ports=\
    1433
add action=dst-nat chain=dstnat dst-address=77.48.206.11 dst-port=11433 \
    protocol=tcp src-address=46.167.236.66 to-addresses=10.66.81.8 to-ports=\
    1433
add action=dst-nat chain=dstnat comment=palstat dst-address=77.48.206.10 \
    dst-port=3348 protocol=tcp src-address=91.218.189.26 to-addresses=\
    10.66.81.8 to-ports=3389
add action=dst-nat chain=dstnat comment=plc-stroj dst-address=77.48.206.10 \
    dst-port=102 protocol=tcp to-addresses=192.168.0.1 to-ports=102
add action=dst-nat chain=dstnat comment=plc-stroj dst-address=77.48.206.10 \
    dst-port=8448 protocol=tcp to-addresses=192.168.0.1 to-ports=8448
add action=dst-nat chain=dstnat comment=Agathon dst-address=77.48.206.10 \
    dst-port=4887 protocol=tcp to-addresses=10.66.81.42 to-ports=4887
add action=dst-nat chain=dstnat comment=PPCZ-APP dst-address=77.48.206.11 \
    dst-port=3343 protocol=tcp src-address=46.167.236.66 to-addresses=\
    10.66.81.17 to-ports=3389
add action=dst-nat chain=dstnat comment=PPCZ-APP dst-address=77.48.206.11 \
    dst-port=3343 protocol=tcp src-address=91.239.237.218 to-addresses=\
    10.66.81.17 to-ports=3389
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec identity
add peer=peer1
add peer=peer2
add peer=peer3
add peer=peer4
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=10.1.111.0/24 proposal=sap sa-dst-address=\
    93.90.135.149 sa-src-address=77.48.206.11 src-address=10.66.81.0/24 \
    tunnel=yes
add disabled=yes dst-address=192.168.10.0/24 proposal=Ajka sa-dst-address=\
    62.100.229.3 sa-src-address=77.48.206.11 src-address=10.66.81.0/24 \
    tunnel=yes
add disabled=yes dst-address=192.168.48.0/24 proposal=TM1 sa-dst-address=\
    62.154.195.58 sa-src-address=77.48.206.11 src-address=10.66.81.0/24 \
    tunnel=yes
add disabled=yes dst-address=192.168.8.0/21 proposal=Ajkanew sa-dst-address=\
    62.100.229.4 sa-src-address=77.48.206.11 src-address=10.66.81.0/24 \
    tunnel=yes
/ip proxy
set cache-path=web-proxy1 max-cache-size=none parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=77.48.206.9
add distance=1 dst-address=192.168.20.0/22 gateway=10.66.81.254
add distance=1 dst-address=192.168.48.0/24 gateway=10.66.81.254
/ip service
set telnet address=80.251.246.126/32 disabled=yes
set ftp disabled=yes
set www disabled=yes port=8080
set ssh address=80.251.240.128/26 disabled=yes
set api disabled=yes
/ppp secret
add disabled=yes local-address=10.66.81.223 name=zaluda profile=PPTP \
    remote-address=10.66.81.224 service=pptp
add disabled=yes local-address=10.66.81.221 name=maslan profile=PPTP \
    remote-address=10.66.81.222 service=pptp
/snmp
set enabled=yes trap-target=0.0.0.0
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Prague
/system identity
set name=meister
/system logging
set 0 disabled=yes topics=ipsec
add action=remote
add action=echo topics=firewall
/system ntp client
set enabled=yes primary-ntp=80.251.240.33
/system resource irq rps
set ether3 disabled=no
set ether2 disabled=no
set WAN-ether1 disabled=no
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool traffic-monitor
add disabled=yes name=tmon1 threshold=0
..
Changes recommended. CHANGE of plans: read through this and then reset to default and start from scratch (clean). It's too messy to fix.
(1)/interface bridge
add admin-mac=00:0C:42:5B:12:B8 auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none vlan-filtering=yes
Note: Do this as the LAST STEP in config changes and make sure you are using SAFEMODE in winbox.

(2) Get rid of these rules.........
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=fallback
set 1 default-vlan-id=0 vlan-mode=fallback
set 2 default-vlan-id=0 vlan-mode=fallback
set 9 default-vlan-id=0 vlan-mode=fallback
set 10 default-vlan-id=0 vlan-mode=fallback

(3) Modify these rules to........
/interface bridge port
add bridge=bridge1 interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether4-lan ingress-filtering=yes frame-types=admit-only-vlan-tagged
Note: Understand eth5 is not on the bridge and is a separate LAN
Note: The WAN normally is not part of the bridge.

(4) Modify
/ip address
add address=77.48.206.11/29 interface=WAN-ether1 network=77.48.206.8
add address=77.48.206.10/29 interface=WAN-ether1 network=77.48.206.8
add address=192.168.0.252/24 interface=bridge1 network=192.168.0.0 (okay this is for your home lan)
add address=10.66.81.252/24 interface=vlan81 network=10.66.81.0
add address=10.66.82.254/24 interface=vlan82 network=10.66.82.0
add address=10.66.83.252/24 interface=vlan83 network=10.66.83.0
add address=10.66.84.254/24 interface=vlan84 network=10.66.84.0
Note: only one subnet can be associated with the bridge!!!!

YOU HAVE NOT IDENTIFIED ANY VLANS????????????????????????


(5) Horrible rules, get rid of them.............. see (6) before doing so!!!
add action=accept chain=input dst-address=77.48.206.11 dst-port=8291 \
protocol=tcp src-address-list=admin
add action=accept chain=input dst-address=77.48.206.10 dst-port=8291 \
protocol=tcp src-address-list=admin

(6) Replace FIRST, though, with
add chain=input action=accept in-interface-list=LAN src-address-list=adminaccessonly
and add a firewall address list of the allowed PCs: list=adminaccessonly
(IP services - Winbox server - also limit access here appropriately)
(Tools - Winbox MAC - also limit access here appropriately)
(note: recommend disabling any telnet access)

(7) I don't know what the heck this rule does, so get rid of it.
# in/out-interface matcher not possible when interface (WAN-ether1) is slave - use master instead (bridge1)
add action=drop chain=input in-interface=WAN-ether1 src-address-list=admin

(8) Add to the end of the input chain rules.
add action=drop chain=input comment="Drop all else"

(9) Okay these are all horrible LOL, great imagination but yuckkkkk
Firstly, you don't use forward rules to replace dst-nat rules. Secondly, you cannot port forward the same destination port to the same server port more than once.

You should only have one general rule to allow all port forwardings through the firewall.
add chain=forward action=accept connection-state=new connection-nat-state=dst-nat \
comment="allow port forwarding"

If you want to allow traffic from LAN to WAN,
then clearly state in-interface, source address and out-interface.
Not sure what you are attempting by rules such as this one (?? add action=accept chain=forward src-address=10.66.81.9 ??).

Get rid of them!!
add action=accept chain=forward dst-port=80 protocol=tcp src-address=\
10.66.81.21
add action=accept chain=forward dst-port=443 protocol=tcp src-address=\
10.66.81.8
add action=accept chain=forward dst-port=80 protocol=tcp src-address=\
10.66.81.8
add action=accept chain=forward src-address=10.66.81.9
add action=accept chain=forward dst-port=443 protocol=tcp src-address=\
10.66.81.9
add action=accept chain=forward src-address=10.66.81.10
add action=accept chain=forward src-address=10.66.81.31
add action=drop chain=forward disabled=yes dst-port=80 protocol=tcp \
src-address=10.66.81.0/24
add action=drop chain=forward dst-port=25 protocol=tcp src-address=\
10.66.81.0/24
add action=log chain=forward disabled=yes log-prefix=190 src-address=\
10.66.81.190
add action=accept chain=forward


(10) Add last rule to forward chain
add action=drop chain=forward comment="Drop all else"

(11) You are missing the default rules, such as those that concern established/related, etc.........................

My recommendation is to set the router to defaults and start from scratch: just do the subnets, bridge and VLANs first and then add more layers like IPsec.......
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
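Below is an added illustration, not part of anav's reply or of the original export, of what steps (1)-(4) and (6)-(11) look like when written out as a RouterOS export fragment. It assumes interface lists named LAN and WAN, the address list adminaccessonly from (6), and only vlan81 of the four VLANs; the admin PC address is a constructed placeholder.

```routeros
# Added example, not from the thread: anav's steps (1)-(4) and (6)-(11)
# as a RouterOS export. Assumes interface lists LAN/WAN and the
# address list "adminaccessonly"; the admin PC address is a placeholder.
/interface vlan
# (4) one VLAN interface per subnet on the VLAN-aware bridge (vlan81 shown, repeat for 82-84)
add name=vlan81 vlan-id=81 interface=bridge1
/interface bridge vlan
# VLAN 81 tagged on the trunk ports and on bridge1 itself so the router can route it
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4-lan vlan-ids=81
/ip address
add address=10.66.81.252/24 interface=vlan81 network=10.66.81.0
/interface list
add name=LAN
add name=WAN
/interface list member
add interface=vlan81 list=LAN
add interface=ether5-lan2 list=LAN
add interface=WAN-ether1 list=WAN
/ip firewall address-list
# constructed placeholder: put the real admin workstation(s) here
add address=10.66.81.10 list=adminaccessonly comment="admin PC (placeholder)"
/ip firewall filter
# input chain: what may talk to the router itself, most specific first
add chain=input action=accept connection-state=established,related,untracked \
    comment="(11) keep existing sessions"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN \
    src-address-list=adminaccessonly comment="(6) management from listed LAN hosts only"
add chain=input action=drop comment="(8) Drop all else"
# forward chain: what may pass through the router
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    comment="(9) allow port forwarding"
add chain=forward action=accept connection-state=new in-interface-list=LAN \
    out-interface-list=WAN comment="LAN to WAN"
add chain=forward action=drop comment="(10) Drop all else"
/ip service
# (6) Winbox reachable from the LAN subnet only; telnet off
set winbox address=10.66.81.0/24
set telnet disabled=yes
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```

Add the two "Drop all else" rules last and with Winbox Safe Mode on, so that a mistake in the accept rules above them does not lock you out of the router.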
