My Requirements:
- VLAN3 should be able to communicate with switch on tagged ether1 trunk and will get its IP from the DHCP server. (Working)
VLAN3 should be able to access the cAP AC admin interface through either Winbox, Web, or SSH. (Not Working)
VLAN6 should be able to communicate with the switch on tagged ether1 trunk and will get its IP from the DHCP server (Working)
VLAN4 out of scope for this issue.
- When connected to CASSA50 virtual wireless interface, the dhcp request is passed to the switch over the VLAN and my dhcp server provides an IP. DNS, internet access, etc. all work as expected.
Connection fails to any IP assigned to cAP AC, when connected to CASSA50.
Connection fails to any IP assigned to cAP AC from switch or any device on the network
As a test, I disabled all firewall rules. Problem persists. This leads me to believe the problem is not related to firewall rules.
My config:
Code: Select all
# aug/15/2021 09:50:55 by RouterOS 6.48.3
# software id = I321-0PC8
#
# model = RBcAPGi-5acD2nD
# serial number = E2830EE0106F
/interface bridge
add admin-mac=2C:C8:1B:B4:A6:4B auto-mac=no comment=defconf name=bridge
add fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes \
name=bridgev pvid=6 vlan-filtering=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=Family supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=Admin \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Guest \
supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto hide-ssid=yes installation=\
indoor mode=ap-bridge security-profile=Admin ssid=CASSWAP124 \
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto hide-ssid=\
yes installation=indoor mode=ap-bridge security-profile=Admin ssid=\
CASSWAP150 wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4F \
master-interface=wlan2 multicast-buffering=disabled name=CASSA50 \
security-profile=Admin ssid=CASSA50 vlan-id=3 vlan-mode=use-tag \
wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4D \
master-interface=wlan1 multicast-buffering=disabled name=CASSF24 \
security-profile=Family ssid=CASSF24 vlan-id=6 vlan-mode=use-tag \
wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4C \
master-interface=wlan2 multicast-buffering=disabled name=CASSF50 \
security-profile=Family ssid=CASSF50 vlan-id=6 vlan-mode=use-tag \
wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4E \
master-interface=wlan1 multicast-buffering=disabled name=CASSG24 \
security-profile=Guest ssid=CASSG24 vlan-id=4 vlan-mode=use-tag \
wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
wps-mode=disabled
/ip pool
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto hide-ssid=\
yes installation=indoor mode=ap-bridge security-profile=Admin ssid=\
CASSWAP150 wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4F \
master-interface=wlan2 multicast-buffering=disabled name=CASSA50 \
security-profile=Admin ssid=CASSA50 vlan-id=3 vlan-mode=use-tag \
wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4D \
master-interface=wlan1 multicast-buffering=disabled name=CASSF24 \
security-profile=Family ssid=CASSF24 vlan-id=6 vlan-mode=use-tag \
wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4C \
master-interface=wlan2 multicast-buffering=disabled name=CASSF50 \
security-profile=Family ssid=CASSF50 vlan-id=6 vlan-mode=use-tag \
wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4E \
master-interface=wlan1 multicast-buffering=disabled name=CASSG24 \
security-profile=Guest ssid=CASSG24 vlan-id=4 vlan-mode=use-tag \
wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridgev interface=ether1
add bridge=bridgev frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=CASSF50 pvid=6
add bridge=bridgev frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=CASSF24 pvid=6
add bridge=bridgev frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=CASSG24 pvid=4
add bridge=bridgev frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=CASSA50 pvid=3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridgev tagged=ether1,CASSF50,CASSF24 vlan-ids=6
add bridge=bridgev tagged=ether1,CASSG24 vlan-ids=4
add bridge=bridgev tagged=ether1,CASSA50 vlan-ids=3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.15/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.6.15 interface=bridgev network=192.168.6.0
add address=192.168.4.15 interface=bridgev network=192.168.4.0
add address=192.168.3.15 interface=bridgev network=192.168.3.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN