I'm struggling with the bridge setup on a CCR1009.
What I want to achieve:
Bridge with 2 ethernet ports (ether2 & ether3) and 2 VLANs (vlan1 for management access to my Access Points and vlan10 for the Hotspot SSID).
Everything is fine for a normal connection. APs are online and reachable. A client attached to the SSID gets an IP and is online. But as long as vlan10 is attached to the bridge I don't get the Hotspot login. It works only when I attach vlan10 directly to one of the ethernet ports.
I checked/tried several posts about bridge/vlan setup without success.
I'm not sure if there is a problem with the bridge/vlan settings or with the firewall rules...
# --- L2: bridge, VLAN interfaces, interface lists, pools, DHCP, hotspot ---
# bridge1 is VLAN-aware; its VLAN membership table is the
# /interface bridge vlan section further down.
/interface bridge
add name=bridge1 vlan-filtering=yes
# Router-side (L3) interfaces on bridge1: vlan1 = management, vlan10 = hotspot.
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan10 vlan-id=10
# The LAN list is what the input-chain rule "Accept all connections from local
# network" in /ip firewall filter matches on.
/interface list
add name=LAN
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
# NOTE(review): vlan10 is the hotspot network; being in LAN gives hotspot
# clients the same unrestricted router (input chain) access as the wired
# ports. Consider a separate list for it.
add interface=vlan10 list=LAN
# dhcp_pool4 is shared by the WLAN DHCP server and the hotspot below.
/ip pool
add name=dhcp_pool4 ranges=10.10.100.20-10.10.103.250
add name=dhcp_pool5 ranges=10.10.10.20-10.10.10.254
add name=dhcp_pool6 ranges=192.168.1.20-192.168.1.50
add name=dhcp_pool7 ranges=10.0.100.50-10.0.101.254
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface=vlan10 name=WLAN
add address-pool=dhcp_pool5 disabled=no interface=vlan1 lease-time=30m name=\
Management
# NOTE(review): lan-bridge is referenced here and in /interface bridge port,
# but is not created in the /interface bridge section of this export.
add address-pool=dhcp_pool6 disabled=no interface=lan-bridge lease-time=30m \
name=LAN
add address-pool=dhcp_pool7 disabled=no interface=ether4 name="WLAN alt"
# Hotspot bound to the vlan10 L3 interface, using the same pool as its DHCP
# server.
/ip hotspot
add address-pool=dhcp_pool4 disabled=no interface=vlan10 name=hotspot1 \
profile=hsprof1
/interface bridge port
add bridge=lan-bridge interface=ether7
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether2
# NOTE(review): vlan1 and vlan10 are VLAN interfaces created *on* bridge1
# (see /interface vlan) and are here added back as *ports* of bridge1, which
# looks like the bridge's own VLAN traffic being fed back into itself. With
# vlan-filtering, the "bridge1" entry in tagged= (next section) is what
# delivers VLAN 1/10 to the router's vlan1/vlan10 interfaces; these two port
# entries are the first thing to check for the hotspot-on-bridge problem.
add bridge=bridge1 interface=vlan1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=vlan10
# Bridged frames (including VLAN-tagged ones) are also run through
# /ip firewall, so the filter/NAT rules below apply to traffic between ports
# of the same bridge, not only to routed traffic.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# VLAN table: VLAN 10 tagged on ether2/ether3 and towards the CPU (bridge1);
# VLAN 1 untagged on ether2/ether3, tagged towards the CPU. vlan1/vlan10 are
# listed as tagged members only because they are bridge ports above.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,vlan10,ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=vlan1,bridge1 untagged=ether2,ether3 vlan-ids=1
# Switch-chip VLAN entries are disabled; VLAN handling is left to the bridge
# configuration above.
/interface ethernet switch vlan
add disabled=yes ports=ether2,ether3 switch=switch1 vlan-id=1
add disabled=yes ports=ether2,ether3 switch=switch1 vlan-id=10
# --- L3 addressing, DHCP networks, DNS ---
# lan-bridge 192.168.1.1/24, ether4 10.0.100.1/23 ("WLAN alt"),
# vlan1 10.10.10.1/24 (management), vlan10 10.10.100.1/22 (hotspot).
/ip address
add address=192.168.1.1/24 comment="LAN Internet Terminals" interface=\
lan-bridge network=192.168.1.0
add address=10.0.100.1/23 comment="WLAN BBG" interface=ether4 network=\
10.0.100.0
add address=10.10.10.1/24 interface=vlan1 network=10.10.10.0
add address=10.10.100.1/22 interface=vlan10 network=10.10.100.0
# Gateways match the router addresses above. vSZ-Option43 (handed out on the
# management and hotspot networks) is presumably defined under
# /ip dhcp-server option, which is not part of this excerpt.
/ip dhcp-server network
add address=10.0.100.0/23 gateway=10.0.100.1
add address=10.10.10.0/24 dhcp-option=vSZ-Option43 gateway=10.10.10.1
add address=10.10.100.0/22 dhcp-option=vSZ-Option43 gateway=10.10.100.1
add address=192.168.1.0/24 gateway=192.168.1.1
# NOTE(review): the router's configured DNS server is its own vlan10 address
# (10.10.100.1), i.e. it points at itself. Confirm an actual upstream
# resolver is intended here; as shown, router-side name resolution depends
# on this entry.
/ip dns
set servers=10.10.100.1
# --- Firewall ---
# Address lists: NotPublic = non-public ranges (RFC6890); DHCPSERVERS = the
# router's own DHCP server addresses, one per served network; erlaubte-IP =
# the single external address allowed management access. The same address
# is also hard-coded as src-address=!85.183.135.162 in several rules below;
# keeping it only in the list would make changes easier and less error-prone.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=10.0.100.1 list=DHCPSERVERS
add address=192.168.1.1 list=DHCPSERVERS
add address=85.183.135.162 list=erlaubte-IP
add address=10.10.10.1 list=DHCPSERVERS
add address=10.10.100.1 list=DHCPSERVERS
# Rules are evaluated top-down per chain; an input rule listed among forward
# rules is only ordered relative to other input rules.
/ip firewall filter
# input: allow return traffic, drop invalid.
add action=accept chain=input comment=\
"Accept established and related packets" connection-state=\
established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid log-prefix=invalid
# Disabled; the final input "drop all" below covers DNS from ether1 anyway.
add action=drop chain=input comment="drop dns from internet" disabled=yes \
dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop dns from internet" disabled=yes \
dst-port=53 in-interface=ether1 protocol=tcp
# Drops and logs DHCP server replies (sport 67 -> dport 68) reaching the
# router from anything other than its own DHCP addresses. NOTE(review): in
# the input chain this only catches replies that arrive at the router; it
# does not stop a rogue server on the same bridge from answering clients
# (that would need a forward-chain or bridge-filter rule).
add action=drop chain=input comment="Drop Rogue DHCP-Servers" dst-port=68 \
log=yes log-prefix=RogueDHCP protocol=udp src-address-list=!DHCPSERVERS \
src-port=67
# Remote management (winbox 8291, https 443, 161, ssh 1022; snmp 161/162 udp)
# only from erlaubte-IP.
add action=accept chain=input comment="accept https & winbox von erlaubte-IP" \
dst-port=8291,443,161,1022 log-prefix=accept protocol=tcp \
src-address-list=erlaubte-IP
add action=accept chain=input comment="accept snmp von erlaubte-IP" dst-port=\
161,162 log-prefix=accept protocol=udp src-address-list=erlaubte-IP
# NOTE(review): everything in the LAN list (including vlan10 = hotspot
# clients) is accepted unconditionally here, ahead of the SSH brute-force
# rules below; hotspot clients therefore get unrestricted router access.
add action=accept chain=input comment=\
"Accept all connections from local network" in-interface-list=LAN
# Staged SSH brute-force handling on 22/1022: each new connection promotes
# the source through ssh_stage1..3 (1m each); a further attempt inside that
# window lands it in black_list for 1d, which the drop rule enforces
# (erlaubte-IP's address excepted).
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22,1022 \
log=yes log-prefix="drop brute forcers" protocol=tcp src-address=\
!85.183.135.162 src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input connection-state=new dst-port=22,1022 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22,1022 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22,1022 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22,1022 \
protocol=tcp
# Disabled non-local / non-unicast / bogon input rules.
add action=drop chain=input comment=\
"Drop all packets which are not destined to routes IP address" disabled=\
yes dst-address-type=!local src-address=!85.183.135.162
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
disabled=yes src-address=!85.183.135.162 src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet whi\
ch should not exist in public network" disabled=yes in-interface=ether1 \
src-address=!85.183.135.162 src-address-list=NotPublic
# forward: return traffic and invalid, then (disabled) dst-nat/bogon rules.
add action=accept chain=forward comment=\
"Accept established and related packets" connection-state=\
established,related
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid log-prefix=invalid
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new disabled=yes \
in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet w\
hich should not exist in public network" disabled=yes in-interface=ether1 \
src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to \
internet which should not exist in public network" disabled=yes \
dst-address-list=NotPublic in-interface-list=LAN
add action=drop chain=forward comment="Drop all packets in local network which\
\_does not have local network address" disabled=yes in-interface-list=LAN \
src-address-list=!NotPublic
# Placeholder chain from the hotspot setup; nothing in this export jumps to it.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here"
# End of the input chain: anything not accepted above is dropped.
add action=drop chain=input comment="drop all" log-prefix=drop
# forward policy for new connections, in order: erlaubte-IP accepted anywhere;
# private<->private dropped (this is what isolates the hotspot 10.10.100.0/22
# from the management network 10.10.10.0/24); private->PPPoEClient accepted;
# everything else dropped. NOTE(review): a connection dst-natted from a
# public source other than erlaubte-IP matches none of the accepts and ends
# at the final "drop all", so the two dst-nat rules in /ip firewall nat
# appear to work only for erlaubte-IP — confirm that is intended.
add action=accept chain=forward comment="accept erlaubte-IP" \
src-address-list=erlaubte-IP
add action=drop chain=forward comment="drop privat <-> privat" \
dst-address-list=NotPublic src-address-list=NotPublic
add action=accept chain=forward comment="accept privat -> internet" \
out-interface=PPPoEClient src-address-list=NotPublic
add action=drop chain=forward comment="drop all"
# Disabled forward-chain logging rules (prefix HAMFREEWIFIGateway1).
/ip firewall mangle
add action=log chain=forward disabled=yes log-prefix=HAMFREEWIFIGateway1 \
protocol=tcp tcp-flags=!,ack
add action=log chain=forward disabled=yes log-prefix=HAMFREEWIFIGateway1 \
protocol=udp
/ip firewall nat
# Hotspot placeholder chain (disabled).
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# Source NAT of each internal network behind the PPPoE uplink.
add action=masquerade chain=srcnat comment="masquerade hotspot network alt" \
out-interface=PPPoEClient src-address=10.0.100.0/23
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
out-interface=PPPoEClient src-address=10.10.100.0/22
add action=masquerade chain=srcnat comment="masquerade managemet network" \
out-interface=PPPoEClient src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="masquerade LAN" out-interface=\
PPPoEClient src-address=192.168.1.0/24
# NOTE(review): both port-forward targets (10.10.10.10, 10.10.10.2) are in the
# management VLAN (vlan1, 10.10.10.0/24). Publishing management-plane devices
# through the uplink widens the exposed surface; keep them reachable only
# from erlaubte-IP (which the forward chain currently enforces) or move them
# off the management network.
add action=dst-nat chain=dstnat comment="DST-NAT auf DAH" dst-port=4443 \
in-interface=PPPoEClient protocol=tcp to-addresses=10.10.10.10 to-ports=\
443
add action=dst-nat chain=dstnat comment="DST-NAT auf Switch" dst-port=4444 \
in-interface=PPPoEClient protocol=tcp to-addresses=10.10.10.2 to-ports=\
443
/ip firewall service-port