I've configured my Mikrotik with 2 active VLANS. The main VLAN, ID=10 and the guest VLAN (ID=20)
Ether1 is connected to the WAN and Ether2 is connected to a CISCO-AP in autonomous mode.
On the Mikrotik everything is working perfectly.
The Cisco-AP has a static IP (within the main VLAN range) and the gateway points to the of the main VLAN. The Cisco replicates the SSIDs of the Mikrotik with identical VLAN IDs.
My problem is that I am able to connect when I connect to the internet via the main VLAN (id=10), but not with the Guest VLAN (id=20). The device connects but is not able to exit to the internet?
I am posting my configs below:Thank you for any guidance in resolving the problem.
Cisco
Code: Select all
!
! Last configuration change at 22:11:53 +0100 Mon Jan 25 2021 by admin
! NVRAM config last updated at 22:11:53 +0100 Mon Jan 25 2021 by admin
! NVRAM config last updated at 22:11:53 +0100 Mon Jan 25 2021 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO-AP
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone +0100 1 0
no ip source-route
no ip cef
ip name-server 192.168.0.1
!
!
!
!
dot11 pause-time 100
dot11 syslog
dot11 vlan-name GUEST_VLAN vlan 20
dot11 vlan-name SOHO_VLAN vlan 10
!
dot11 ssid SOHO-AP
vlan 10
authentication open
authentication key-management wpa version 2
wpa-psk ascii 7 ********************************8
!
dot11 ssid GUEST-AP
vlan 20
authentication open
authentication key-management wpa version 2
wpa-psk ascii 7 ******************************
!
!
!
no ipv6 cef
!
!
username admin privilege 15 secret 5 *********************
username administrator privilege 15 password 7 ******************************8
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid SOHO-AP
!
ssid GUEST-AP
!
antenna gain 0
stbc
beamform ofdm
mbssid
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
no dot11 extension aironet
!
interface Dot11Radio0.10
encapsulation dot1Q 10 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid SOHO-AP
!
ssid GUEST-AP
!
antenna gain 0
peakdetect
no dfs band block
stbc
beamform ofdm
mbssid
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
packet retries 128 drop-packet
channel dfs
station-role root
no dot11 extension aironet
!
interface Dot11Radio1.10
encapsulation dot1Q 10 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.10
encapsulation dot1Q 10 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning
!
interface BVI1
mac-address xxxx.yyyy.zzzz
ip address 192.168.16.252 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
!
ip default-gateway 192.168.16.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http timeout-policy idle 120 life 300 requests 200
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
no cdp run
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
transport input all
!
sntp server pool.ntp.org
sntp broadcast client
end
Code: Select all
# feb/03/2021 12:31:39 by RouterOS 6.48
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
set [ find default-name=ether4 ] comment="Connected to SRV-TOR"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
ssid=SOHO-AP
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20
add arp=proxy-arp interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
supplicant-identity=MikroTik
/interface wireless
add mac-address=E6:8D:8C:D6:E4:5F master-interface=wlan1 name=wlan1-admin \
security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
wlan1-guest security-profile=guest ssid=GUEST-AP
add mac-address=E6:8D:8C:D6:E4:60 master-interface=wlan2 name=wlan2-admin \
security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
wlan2-guest security-profile=guest ssid=GUEST-AP
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN lease-time=7h \
name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2-guest pvid=20
add bridge=BR1 interface=wlan1-admin pvid=99
add bridge=BR1 interface=wlan2-admin pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2 untagged=ether3,ether4,wlan1,wlan2 vlan-ids=\
10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-admin,wlan2-admin vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=xxx.yyy.zzz.180/27 comment="Fixed IP provided by ISP" interface=\
ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=192.168.0.1 \
gateway=10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.0.1 \
gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN from WAN" dst-port=1194 \
protocol=tcp
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
"Allow Establised and Related Connections" connection-state=\
established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment=\
"Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
in-interface=all-ppp out-interface=SOHO_VLAN
add action=accept chain=forward comment=\
"Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
in-interface=SOHO_VLAN out-interface=all-ppp
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.180 \
dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.180 \
dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-address=xxx.yyy.zzz.180 \
dst-port=5552 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-address=xxx.yyy.zzz.180 \
dst-port=52400 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
add action=dst-nat chain=dstnat comment=BlueIris dst-address=xxx.yyy.zzz.180 \
dst-port=8080 protocol=tcp to-addresses=192.168.16.5 to-ports=8080
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add comment="IP Address Assigned to user" local-address=192.168.16.1 name=\
chri remote-address=192.168.16.240 service=ovpn
add local-address=192.168.16.1 name=conn remote-address=192.168.16.241 \
service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE