> There is no separate subnet for the guest WiFi or normal WiFi.

First, it's not clear how it works now. What addresses do guests get? Is there a separate subnet only on the AP? It would also be interesting to know how the blocked access to the LAN works.
> The router and the switch are both running RouterOS (which I did write in the first post, but no worries for missing it).

For the new config you need to configure the switch to allow tagged VLAN 9 on the ports connected to the AP and the router. You didn't even write whether it has RouterOS or SwOS, so...
> I think I may have gotten this far last time but the firewall rules ended up with "access nowhere". How do I provide access to the WAN but not the LAN to that subnet?

Once you have VLAN 9 passing through the switch, you need the same VLAN on the router as well. If there's only a single port connected to the switch (no bridge), then simply add a VLAN interface on top of that port. If you have something more complex there, you'll have to integrate it into that.
With the VLAN interface ready, add a new subnet to it, then configure a DHCP server, and you'll have the guest subnet. Depending on your current firewall, it may have access everywhere, nowhere, or something in between, so you'll have to do something about that.
> Sounds like there is no access to the CPU, so you are isolated from your router. Are your Bridge and Trunk added to the tagged ports?

I followed those examples and got things mostly working, but the clients on the guest SSID (now VLAN 20) don't seem to get IP addresses assigned.
Any ideas what's wrong?
> The AP is plugged into ether1 of the CRS. I thought it had to be plugged into a trunk port because the packets coming from it are already tagged (with either 10 or 20)?

Assuming the AP is plugged into the CRS as shown in the picture, there is no /interface bridge vlan configuration for VLAN 20 on the CRS:
# egress behavior
/interface bridge vlan
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=ether1,ether2 [find vlan-ids=10]
set bridge=BR1 tagged=ether1,ether2 [find vlan-ids=20]
add bridge=BR1 tagged=ether1,ether2 vlan-ids=20 comment="GREEN_VLAN"
> Just add the following rule

Thanks anav. I am trying to access the server 10.0.10.3 using its WAN IP from the same network (10.0.10.0/24).
How would I accomplish this?
;;; Seems closest to example in https://wiki.mikrotik.com/wiki/Hairpin_NAT
chain=srcnat action=masquerade protocol=tcp
src-address=10.0.10.0/24 dst-address=10.0.10.3
out-interface=BLUE_VLAN dst-port=8023
;;; no out-interface
chain=srcnat action=masquerade protocol=tcp
src-address=10.0.10.0/24 dst-address=10.0.10.3 dst-port=8023
;;; dst-address is whole subnet
chain=srcnat action=masquerade protocol=tcp
src-address=10.0.10.0/24 dst-address=10.0.10.0/24 dst-port=8023
;;; no dst-port
chain=srcnat action=masquerade protocol=tcp
src-address=10.0.10.0/24 dst-address=10.0.10.0/24
;;; no protocol
chain=srcnat action=masquerade src-address=10.0.10.0/24
dst-address=10.0.10.0/24
> Please take your meds, no one here is saying anything different.

Why does everyone keep making the same mistake? Hairpin NAT means that connections will be coming from the LAN. Guess what will happen when the dstnat rule has in-interface-list=WAN. Right, nothing.
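A working hairpin NAT rule set for the server 10.0.10.3 on 10.0.10.0/24 with the port 8023 used in the attempts above, as an added example that is not from this thread or from MikroTik's documentation. It assumes a static public address 203.0.113.10 (a constructed placeholder for the router's real WAN IP) and an interface list named WAN for the normal outbound masquerade; the dstnat rule deliberately has no in-interface-list=WAN, which is the mistake the last reply points out.

```routeros
/ip firewall nat
# 1. Port forward. Match on the public address only, NOT on in-interface-list=WAN,
#    so that a LAN client connecting to 203.0.113.10:8023 is also redirected.
#    203.0.113.10 is a constructed placeholder for the router's real WAN IP.
#    With a dynamic WAN address, replace "dst-address=203.0.113.10" by
#    "dst-address-type=local dst-address=!10.0.10.0/24" so the router's own
#    LAN address is not hijacked.
add chain=dstnat action=dst-nat to-addresses=10.0.10.3 protocol=tcp dst-port=8023 dst-address=203.0.113.10 comment="forward 8023 to 10.0.10.3 (from WAN and from LAN)"

# 2. Hairpin masquerade. Evaluated after dstnat has already rewritten the
#    destination to 10.0.10.3. Without it the server would answer the LAN
#    client directly, the client would see a reply from 10.0.10.3 instead of
#    203.0.113.10, and the connection would fail.
add chain=srcnat action=masquerade src-address=10.0.10.0/24 dst-address=10.0.10.3 protocol=tcp dst-port=8023 comment="hairpin NAT for LAN clients using the public IP"

# 3. Normal outbound masquerade for everything leaving via the WAN.
add chain=srcnat action=masquerade out-interface-list=WAN comment="default masquerade"
```

Rule 2 only matches connections that rule 1 has already redirected, so it does not affect LAN clients that talk to 10.0.10.3 directly; from the server's logs such hairpinned connections will appear to come from the router's LAN address rather than from the client.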