nescribal

Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Sat Feb 17, 2018 2:10 pm

I have one router and 6 cAPs. I configured CAPsMAN and I have three SSIDs, each of which goes to its own bridge (Privada, Invitado and CCTV). Each bridge has its own DHCP server. The problem is:
If I connect to any of the Wi-Fi networks, I can't ping the gateway, so I have no internet.
The device connected to Wi-Fi gets an IP. I'm posting my configuration. Any help will be welcome.

# feb/17/2018 08:56:43 by RouterOS 6.34.3
# software id = T1Q8-0MEJ
#
# Configuration export of the RB1100AHx2 as posted. Lines beginning with
# "NOTE(review):" were added while reviewing; RouterOS export omits attributes
# that still have their default value, so a filter rule with no action= is an
# accept rule and a disabled=yes rule is not in effect at all.
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=channel1 width=20
add band=2ghz-b/g/n frequency=2437 name=channel6 width=20
add band=2ghz-b/g/n frequency=2462 name=channel11 width=20
/interface bridge
# NOTE(review): three separate L2 domains; whether they may talk to each other
# is decided by the forward chain of /ip firewall filter below, not here.
add name="Bridge CCTV"
add name="Bridge Invitado"
add name="Bridge Oficina"
/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN0"
set [ find default-name=ether2 ] name="ether2 WAN1"
set [ find default-name=ether3 ] name="ether3 LAN"
set [ find default-name=ether4 ] name="ether4 - TOTA"
set [ find default-name=ether6 ] name="ether6 - LAN"
set [ find default-name=ether7 ] name="ether7 - WIFI"
/ip neighbor discovery
# Neighbor discovery is switched off on every port, including the WAN-facing ones.
set "ether1 WAN0" discover=no
set "ether2 WAN1" discover=no
set "ether3 LAN" discover=no
set "ether4 - TOTA" discover=no
set ether5 discover=no
set "ether6 - LAN" discover=no
set "ether7 - WIFI" discover=no
set ether8 discover=no
set ether9 discover=no
set ether10 discover=no
set ether11 discover=no
set ether12 discover=no
set ether13 discover=no
/caps-man configuration
# NOTE(review): every SSID accepts wpa-psk in addition to wpa2-psk; if all
# clients support WPA2, removing wpa-psk drops the older authentication variant.
# No security.passphrase is shown in this export. hide-ssid=yes on "Privada"
# only hides the beacon name; it is not an access control.
add comment="Config Invitado" country=argentina datapath.bridge="Bridge Invitado" name="CAGR - Invitado" security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm \
    security.group-encryption=aes-ccm ssid=Invitado
add comment="Red WIFI Privada" country=argentina datapath.bridge="Bridge Oficina" hide-ssid=yes name="CAGR - Privada" security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm \
    security.group-encryption=aes-ccm ssid=Privada
add comment="Config WIFI CCTV" country=argentina datapath.bridge="Bridge CCTV" name="CAGR - CCTV" security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm security.group-encryption=\
    aes-ccm ssid=CCTV
/ip firewall layer7-protocol
# NOTE(review): the dots in "facebook.com" are unescaped regex wildcards, so the
# pattern is broader than the literal host name. The only rule that references
# BLOCKED (forward chain, below) is disabled.
add name=BLOCKED regexp="^.+(facebook.com|youtube).*\$"
# NOTE(review): the trailing "\\\$" looks like an escaping artifact of the export;
# confirm the stored regexp on the router before relying on the WindowsUpdate mark.
add name=WindowsUpdate regexp="^.+(update.microsoft|windowsupdate|download.microsoft|wustat|ntservicepack).*\\\$"
/ip pool
# NOTE(review): pools exist for 192.168.0.0/24, .10.0/24 and .11.0/24 only;
# there is none for 192.168.12.0/24 ("Bridge CCTV").
add name=dhcp ranges=192.168.0.100-192.168.0.199
add name=dhcp_pool_WOficina ranges=192.168.10.10-192.168.10.254
add name=dhcp_pool_WInvitado ranges=192.168.11.10-192.168.11.254
/ip dhcp-server
# NOTE(review): no DHCP server is bound to "Bridge CCTV". "ether6 - LAN" is a
# member of "Bridge Oficina" (see /interface bridge port), which is why the
# export flags the LAN server as running on a slave interface.
add address-pool=dhcp disabled=no interface="ether3 LAN" lease-time=1d name=dhcp1
# DHCP server can not run on slave interface!
add address-pool=dhcp disabled=no interface="ether6 - LAN" name=LAN
add address-pool=dhcp_pool_WOficina disabled=no interface="Bridge Oficina" name=dhcp2
add address-pool=dhcp_pool_WInvitado disabled=no interface="Bridge Invitado" name=dhcp3
/caps-man manager
set enabled=yes
/caps-man provisioning
# One master plus two slave configurations, so each cAP provisions three
# virtual APs, one per bridge.
add action=create-dynamic-enabled master-configuration="CAGR - Invitado" name-prefix=OficinaAP slave-configurations="CAGR - Privada,CAGR - CCTV"
/interface bridge port
# "ether7 - WIFI" is a disabled port; ether8 is a wired port on the guest bridge.
add bridge="Bridge Oficina" disabled=yes interface="ether7 - WIFI"
add bridge="Bridge Oficina" interface="ether6 - LAN"
add bridge="Bridge Invitado" interface=ether8
/ip address
add address=192.168.0.1/24 interface="ether3 LAN" network=192.168.0.0
# The two public WAN addresses are disabled; the WAN in use is the DHCP one on "ether4 - TOTA".
add address=200.5.110.86/30 disabled=yes interface="ether1 WAN0" network=200.5.110.84
add address=200.70.58.91/29 disabled=yes interface="ether2 WAN1" network=200.70.58.88
add address=192.168.10.1/24 comment="Direcciones Pool Oficina Oficina" interface="Bridge Oficina" network=192.168.10.0
# NOTE(review): the next two entries carry no mask length (compare the /24 on
# "Bridge Oficina"); without one RouterOS treats the address as a single host
# (/32), and network= does not supply the missing prefix length.
add address=192.168.11.1 comment="Direcciones Pool Invitado" interface="Bridge Invitado" network=192.168.11.0
add address=192.168.12.1 comment="Direcciones Pool CCTV" interface="Bridge CCTV" network=192.168.12.0
/ip dhcp-client
# NOTE(review): both DHCP-client interfaces face upstream networks, yet the
# input chain below has no active drop rule (see /ip firewall filter).
add dhcp-options=hostname,clientid interface="ether1 WAN0"
add dhcp-options=hostname,clientid disabled=no interface="ether4 - TOTA"
/ip dhcp-server network
# NOTE(review): no network entry for 192.168.12.0/24 ("Bridge CCTV"); the
# 10.x and 11.x entries give no netmask= or dns-server=.
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.11.0/24 gateway=192.168.11.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries on
# every interface. With the input-chain drop rule below disabled this includes
# the two upstream-facing interfaces, i.e. the router is an open resolver
# towards them. Enable the input drop (or accept udp/tcp 53 only from the
# bridge/LAN subnets) before this exposure matters.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.0.202 name=app.cagr
add address=192.168.0.127 name=nescribal.cagr
/ip firewall address-list
# The allowed_to_router lists are defined, but the input rules that use them are disabled below.
add address=192.168.0.100-192.168.0.230 list=allowed_to_router
add address=190.98.152.152-190.98.152.200 list=blocked_ips
add address=192.168.10.10-192.168.10.254 list=allowed_to_router_2
/ip firewall filter
# NOTE(review): rules without action= are accepts (export omits the default).
# Active input rules are only "established,related" and "icmp"; the allow-list
# accepts and the final logging drop are all disabled, so the input chain
# currently falls through to the default accept for every interface, and the
# router's own services (management, DNS) are reachable from the WAN side.
# Intended order once enabled: established/related -> allow-lists -> icmp -> drop.
add chain=input comment="default configuration" connection-state=established,related
add chain=input disabled=yes src-address-list=allowed_to_router
add chain=input disabled=yes src-address-list=allowed_to_router_2
add chain=input protocol=icmp
add action=drop chain=input disabled=yes log=yes log-prefix=droped
# NOTE(review): the forward chain holds only this disabled rule, so traffic is
# routed freely between "Bridge Invitado", "Bridge Oficina", "Bridge CCTV" and
# "ether3 LAN": guest Wi-Fi clients can reach the office LAN. A drop between the
# bridges is needed if the guest network is meant to be isolated.
add action=drop chain=forward disabled=yes layer7-protocol=BLOCKED
/ip firewall mangle
# NOTE(review): the first three rules have no action=; the export hides the
# default, so confirm on the router what action they carry. If it is accept,
# LAN -> 10.1.100.0/24 packets (third rule, enabled) skip the marking rules
# that follow, which may well be the intent (local network, no policy routing).
add chain=prerouting disabled=yes dst-address=200.5.110.84/30 in-interface="ether3 LAN"
add chain=prerouting disabled=yes dst-address=200.70.58.88/29 in-interface="ether3 LAN"
add chain=prerouting dst-address=10.1.100.0/24 in-interface="ether3 LAN"
# Connection marking per WAN; only the TOTA (ether4) path is enabled.
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface="ether1 WAN0" new-connection-mark=WAN0_conn
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface="ether2 WAN1" new-connection-mark=WAN1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="ether4 - TOTA" new-connection-mark=WAN_TOTA_conn
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address-type=!local in-interface="ether3 LAN" new-connection-mark=WAN0_conn per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address-type=!local in-interface="ether3 LAN" new-connection-mark=WAN0_conn per-connection-classifier=\
    both-addresses:2/1
# NOTE(review): only "ether3 LAN" is policy-routed here; the three bridges are
# not matched by any mark rule, so their traffic follows the plain routing table.
add action=mark-connection chain=prerouting comment="MARK CONN TOTA" connection-mark=no-mark in-interface="ether3 LAN" new-connection-mark=WAN_TOTA_conn
add action=mark-routing chain=prerouting connection-mark=WAN0_conn disabled=yes in-interface="ether3 LAN" new-routing-mark=to_WAN0
add action=mark-routing chain=prerouting connection-mark=WAN1_conn disabled=yes in-interface="ether3 LAN" new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting comment="MARK ROUTE TOTA" connection-mark=WAN_TOTA_conn in-interface="ether3 LAN" new-routing-mark=to_WAN_TOTA
add action=mark-routing chain=output connection-mark=WAN0_conn disabled=yes new-routing-mark=to_WAN0
add action=mark-routing chain=output connection-mark=WAN1_conn disabled=yes new-routing-mark=to_WAN1
add action=mark-routing chain=output comment="OUT TOTA" connection-mark=WAN_TOTA_conn new-routing-mark=to_WAN_TOTA
add action=mark-packet chain=prerouting comment="Windows Update Marks" disabled=yes layer7-protocol=WindowsUpdate new-packet-mark=ms
/ip firewall nat
# Masquerade on every WAN-facing port. The "NAT Wifi Invitado" rule is already
# covered by the generic ether4 rule above it.
add action=masquerade chain=srcnat out-interface="ether1 WAN0"
add action=masquerade chain=srcnat out-interface="ether2 WAN1"
add action=masquerade chain=srcnat out-interface="ether4 - TOTA"
add action=masquerade chain=srcnat comment="NAT Wifi Invitado" out-interface="ether4 - TOTA" src-address=192.168.11.0/24
# NOTE(review): disabled, and has no out-interface=; if ever enabled as-is it
# would masquerade the 192.168.10.0/24 clients towards every destination,
# including the other local subnets.
add action=masquerade chain=srcnat comment="NAT Red WIFI" disabled=yes src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Regla hairpin para WebServer 80" disabled=yes dst-address=192.168.0.202 dst-port=80 out-interface="ether3 LAN" protocol=tcp src-address=192.168.0.0/24
/ip route
# NOTE(review): these gateways belong to the WAN0/WAN1 addresses that are
# disabled above, so they are presumably unreachable; the default route
# actually used is likely the one supplied by the DHCP client on ether4 - confirm
# with "/ip route print".
add check-gateway=ping distance=1 gateway=200.5.110.85 routing-mark=to_WAN0
add check-gateway=ping distance=1 gateway=200.70.58.89 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=200.5.110.85
add distance=2 gateway=200.70.58.89
 
sindy

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Sun Feb 18, 2018 9:56 pm

Each bridge has its own dhcp server.
It doesn't:
/interface bridge
add name="Bridge CCTV"
add name="Bridge Invitado"
add name="Bridge Oficina"

/ip dhcp-server
add address-pool=dhcp disabled=no interface="ether3 LAN" lease-time=1d name=dhcp1
# DHCP server can not run on slave interface!
add address-pool=dhcp disabled=no interface="ether6 - LAN" name=LAN
add address-pool=dhcp_pool_WOficina disabled=no interface="Bridge Oficina" name=dhcp2
add address-pool=dhcp_pool_WInvitado disabled=no interface="Bridge Invitado" name=dhcp3
So no DHCP server is attached to "Bridge CCTV", so I wonder how devices in that network can receive IP addresses.

Next, the mask length is missing on some local IP addresses: the value of the "network" attribute does not substitute for the mask length.
/ip address
...
add address=192.168.10.1/24 comment="Direcciones Pool Oficina Oficina" interface="Bridge Oficina" network=192.168.10.0
add address=192.168.11.1 comment="Direcciones Pool Invitado" interface="Bridge Invitado" network=192.168.11.0
add address=192.168.12.1 comment="Direcciones Pool CCTV" interface="Bridge CCTV" network=192.168.12.0
Next, "ip dhcp server network" and "ip pool" are missing for 192.168.12.0/24 (for "Bridge CCTV"), so devices in that network can get neither an address (no pool) nor a default gateway (no network).
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.11.0/24 gateway=192.168.11.1

/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.199
add name=dhcp_pool_WOficina ranges=192.168.10.10-192.168.10.254
add name=dhcp_pool_WInvitado ranges=192.168.11.10-192.168.11.254
The configuration for Oficina seems the least malformed to me, so the only thing which comes to my mind is that you should try to add "netmask=24" to its "/ip dhcp-server network" configuration and try with a client in that WLAN again. If it works, fix the mistakes in the configuration of the remaining two networks.
 
nescribal

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Mon Feb 19, 2018 9:21 pm

Hi, thanks in advance.

CCTV is not configured because I couldn't get Invitado and Oficina to work, so you will see it is half configured.
I fixed the dhcp-server by adding the netmask, but no luck. I can connect to Invitado and I get an IP, but I can't ping the gateway.
If I choose client-to-client forwarding on the datapath I can get Internet on Invitado, so I guess I'm missing some route but I can't find which. Any ideas?
 
sindy

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Mon Feb 19, 2018 10:29 pm

I can connect to Invitado, I get an ip but I can't ping gateway.
If I choose client-to-client forwarding on datapath I can get Internet at invitado, so I guess I'm missing some route but I can't find which. Any ideas?
It sounds like a bug to me, because client-to-client forwarding should affect nothing except whether WLAN clients can talk to each other.
If you can get to the internet using this magic, the routes must be set properly, so the cause must be something else.

Please check that the dynamically created cAP interfaces are added as dynamic members to "Bridge Invitado" in both cases, i.e. with "datapath.client-to-client-forwarding=no" and with "datapath.client-to-client-forwarding=yes", maybe post here the output of "/interface bridge port print" for both cases.

It would also be fine to see the output of "/ip dhcp-server lease print".
 
nescribal

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Mon Feb 19, 2018 11:09 pm

Bridge Invitado datapath.client-to-client-forwarding=no

/caps-man configuration
add comment="Config Invitado" country=argentina datapath.bridge=\
    "Bridge Invitado" datapath.client-to-client-forwarding=no name=\
    "CAGR - Invitado" security.authentication-types=wpa-psk,wpa2-psk \
    security.encryption=aes-ccm security.group-encryption=aes-ccm ssid=Invitado

/interface bridge port print

 0 XI  ether7 - WIFI           Bridge Oficina           0x80         10       none
 1    ether6 - LAN            Bridge Oficina           0x80         10       none
 2 ID cap19                   Bridge Invitado          0x80         10       none
 3  D cap20                   Bridge Oficina           0x80         10       none
 4  D cap21                   Bridge CCTV              0x80         10       none
 5 ID cap22                   Bridge Invitado          0x80         10       none
 6 ID cap23                   Bridge Oficina           0x80         10       none
 7 ID cap24                   Bridge CCTV              0x80         10       none
 8 ID cap25                   Bridge Invitado          0x80         10       none
 9 ID cap26                   Bridge Oficina           0x80         10       none
10 ID cap27                   Bridge CCTV              0x80         10       none
11 ID cap28                   Bridge Invitado          0x80         10       none
12 ID cap29                   Bridge Oficina           0x80         10       none
13 ID cap30                   Bridge CCTV              0x80         10       none
14 ID cap31                   Bridge Invitado          0x80         10       none
15 ID cap32                   Bridge Oficina           0x80         10       none
16 ID cap33                   Bridge CCTV              0x80         10       none
17 ID cap34                   Bridge Invitado          0x80         10       none
18 ID cap35                   Bridge Oficina           0x80         10       none
19 ID cap36                   Bridge CCTV              0x80         10       none

Bridge Invitado datapath.client-to-client-forwarding=yes

add comment="Config Invitado" country=argentina datapath.bridge=\
    "Bridge Invitado" datapath.client-to-client-forwarding=yes name=\
    "CAGR - Invitado" security.authentication-types=wpa-psk,wpa2-psk \
    security.encryption=aes-ccm security.group-encryption=aes-ccm ssid=Invitado

/interface bridge port print

#    INTERFACE               BRIDGE               PRIORITY  PATH-COST    HORIZON
 0 XI  ether7 - WIFI           Bridge Oficina           0x80         10       none
 1    ether6 - LAN            Bridge Oficina           0x80         10       none
 2 ID cap40                   Bridge Invitado          0x80         10       none
 3  D cap41                   Bridge Oficina           0x80         10       none
 4  D cap42                   Bridge CCTV              0x80         10       none
 5 ID cap43                   Bridge Invitado          0x80         10       none
 6 ID cap44                   Bridge Oficina           0x80         10       none
 7 ID cap45                   Bridge CCTV              0x80         10       none
 8 ID cap46                   Bridge Invitado          0x80         10       none
 9 ID cap47                   Bridge Oficina           0x80         10       none
10 ID cap48                   Bridge CCTV              0x80         10       none
11 ID cap49                   Bridge Invitado          0x80         10       none
12 ID cap50                   Bridge Oficina           0x80         10       none
13 ID cap51                   Bridge CCTV              0x80         10       none
14 ID cap52                   Bridge Invitado          0x80         10       none
15 ID cap53                   Bridge Oficina           0x80         10       none
16 ID cap54                   Bridge CCTV              0x80         10       none
17 ID cap55                   Bridge Invitado          0x80         10       none
18 ID cap56                   Bridge Oficina           0x80         10       none
19 ID cap57                   Bridge CCTV              0x80         10       none


/ip dhcp-server lease print

 #   ADDRESS                                     MAC-ADDRESS       HOS SERVER RAT
 0 D 192.168.10.10                               XX:XX:XX:XX:XX:XX    dhcp2 
 1   192.168.10.127                              XX:XX:XX:XX:XX:XX nes dhcp2 
 2 D 192.168.10.12                               XX:XX:XX:XX:XX:XX DES dhcp2 
 3 D 192.168.11.251                              XX:XX:XX:XX:XX:XX and dhcp3 

I printed this, but now it works with or without client-to-client forwarding. But now, from Invitado, which is on bridge Invitado, I can ping IPs from bridge Oficina. Why is that?
PS: For resetting configurations, I drop all interfaces in CAPsMAN and provision again. Also, I leave client-to-client forwarding on for Oficina since I want to allow machines on Wi-Fi access to machines on the LAN. Am I right?
 
sindy

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Mon Feb 19, 2018 11:31 pm

I printed this, but now works with or without client-to-client forwarding.
Hm, that looks like some ARP issue.
But now, from invitado, which is on bridge Invitado I can ping ips from bridge Oficina. Why is that?
Surprisingly, a bit of normal behaviour in your spooky castle. It is a router, so it is routing between networks unless you tell it not to do so.

The datapath.client-to-client-forwarding=no can prevent the AP from forwarding frames from STA to STA as they pass through at L2. As soon as the two STAs are associated to different virtual APs, each of which uses a different bridge and IP subnet, the packets are routed between them, so from the perspective of the AP they flow between wireless and wired sides of it and the client-to-client-forwarding setting does not affect them.

So if you want to prevent devices associated to different SSIDs from being able to talk to each other, you have to add some firewall filter rules, such as
/interface list add name=my-lan-bridges
/interface list member add list=my-lan-bridges interface="Bridge Invitado"
/interface list member add list=my-lan-bridges interface="Bridge Oficina"
/interface list member add list=my-lan-bridges interface="Bridge CCTV"
/ip firewall filter add chain=forward in-interface-list=my-lan-bridges out-interface-list=my-lan-bridges action=drop
 
nescribal

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Mon Feb 19, 2018 11:35 pm

Thanks you very much Sindy! Now it is clear to me :)
 
nescribal

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Tue Feb 20, 2018 12:08 am

I was looking and I don't have the /interface list command in my router.

Besides, what I would like is that all devices in Invitado can access only the internet (ether4) and not bridge Oficina.

What I assume I can do with this filter,

/ip firewall filter add chain=forward in-interface=Bridge Invitado out-interface-list=!ether4 action=drop

But I can still ping the IP 192.168.10.127 from Bridge Invitado, why?
 
sindy

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Tue Feb 20, 2018 12:25 am

I was looking and I don't have /interface list command in my router.

Besides, what I would like is that all devices in Invitado can access only to internet (ether4) and not to bridge Oficina.

What I assume I can do with this filter,

/ip firewall filter add chain=forward in-interface=Bridge Invitado out-interface-list=!ether4 action=drop

But I still can ping from Bridge Invitado ip 192.168.10.127, why?
I don't understand how you can add out-interface-list to a firewall rule and at the same time be unable to set up an interface list itself.

So if RouterOS 6.34.3 does not support interface lists, you can use several filter rules instead:
/ip firewall filter add chain=forward in-interface="Bridge Oficina" out-interface="Bridge Invitado" action=drop
/ip firewall filter add chain=forward out-interface="Bridge Oficina" in-interface="Bridge Invitado" action=drop
(a pair of rules for each pair of networks is necessary in this case).

The rules must be high enough in the chain, for a quick check make them the first two.

Consider an upgrade to 6.40.6 if you are not ready for the new bridge and switch configuration method used in 6.41 and above. Already 6.40.5 does support interface lists.

As for why you can ping - I don't know where the device with that IP is connected. The rules above work between interfaces with associated IP addresses, as these are a result of routing; member interfaces of bridges are not recognized as in-interfaces or out-interfaces (although this may have changed since 6.34.3). Plus your rule was only prohibiting one direction, so if you've initiated the ping in the opposite (not prohibited) direction and there is a rule which permits "established" connection state regardless of any other properties of the packets, you could ping anyway.
 
nescribal

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Tue Feb 20, 2018 12:47 am

Thank you very much for the advice. I believe I need to upgrade. I have a really old version (6.34).

Can you tell me what I should have in mind when upgrading to 6.41? The router suggests that upgrade.
 
sindy

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Tue Feb 20, 2018 1:03 am

Thank you very much for the advice. I believe I need to upgrade. I have a really old version (6.34).

Can you tell me what should I have in mind to upgrade 6.41? The router suggests that upgrade.
The router should be suggesting 6.41.2.

6.41 and above changes the way how bridges and switches are configured. Your configuration already seems not to rely on "master ports" so you should have no serious issues. Nevertheless, make a backup of your configuration and download any files you have created (backups or anything else not created automatically by the router itself) to your PC before upgrading. After upgrading the application (which includes a reboot), first go to system -> routerboard and upgrade the firmware, then wait about a minute, then reboot again.

Warning - a backup from one version cannot be used for restore in another version.

There is a small chance that your cAPs will stop working after the upgrade, I don't know when the cAPsMANv1 has been replaced by cAPsMANv2, so you would then need to upgrade all your cAPs as well.
 
nescribal

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Tue Feb 20, 2018 3:16 pm

Hi,

I have upgraded my router to 6.41.2 application and firmware.

And all is working as before.

If I'm connected to Invitado, I get an IP from the DHCP server Invitado (192.168.11.x) and can not ping other IP addresses like 192.168.10.127 from the DHCP server on Oficina, but I still can ping the bridge Oficina address 192.168.10.1 even if I add the filters
 
/ip firewall filter add chain=forward in-interface="Bridge Oficina" out-interface="Bridge Invitado" action=drop
/ip firewall filter add chain=forward out-interface="Bridge Oficina" in-interface="Bridge Invitado" action=drop
Why is that?
 
sindy

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Tue Feb 20, 2018 3:37 pm

Why is that?
It is because ip firewall filter chain "forward" only handles packets travelling through the Mikrotik. To deal with incoming or outgoing traffic of the Mikrotik itself, ip firewall filter chains "input" and "output" are used.

It actually makes no difference at which of its several local IP addresses your Mikrotik is accessible. Either it is OK that the wireless clients connected into one of your WLANs have management access to the Mikrotik, and in such case, it is irrelevant via which of its addresses, or it is not OK, but in such case you have to restrict access to all of its addresses.

But besides services providing management access, there are also services like DHCP, DNS, and NTP, which need to be provided to the clients. So the best option is to restrict access to Mikrotik's own ports from anywhere, with exceptions for DHCP, DNS, and NTP for everyone and with exceptions for management protocols for selected source IPs or for selected interfaces (e.g., anything associated to SSID Oficina has management access, anything connected to other SSIDs has not).

BTW, the reason for upgrading was the absence of "/interface list". Maybe you can use that method to block routing between the SSIDs?
 
nescribal

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Tue Feb 20, 2018 3:55 pm

Hi,

Really clear your explanation.

I upgraded because I assume that having a new version is better than the old one (fewer bugs, etc.).

I don't use the address list because what I want is that SSID privada can access my local lan which is on ether6 and are on the same bridge (oficina). So I isolated SSID Invitado on bridge invitado filtering access from oficina to invitado and from invitado to oficina.

Am I right?
 
sindy

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Tue Feb 20, 2018 4:28 pm

Am I right?
I'm not completely sure. If clients associated to SSIDs "privada" and "officina" share the same bridge and IP subnet, any filtering rule handling IP routing can not affect the traffic between them because it is not routed (L3) but bridged (L2). So whether you put that common bridge as in-interface in one rule and out-interface in another rule, or whether you make it a member of an interface list to which a single rule will refer as in-interface-list and out-interface-list, makes no difference, as the traffic will never leave that bridge. So the fact that the same list is set as both in and out in the same rule, and so packets which would come and leave through the same interface would be matched by that rule, is irrelevant except in really complex scenarios involving multiple NAT.

When the CCTV SSID and bridge come into play, you'll need 6 rules the way you do it now, or a single firewall rule and 4 other lines (one interface list and three member interfaces of it). Almost the same effort so the choice is yours.
 
nescribal

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Tue Feb 20, 2018 4:39 pm

I think I wasn't clear in my example:

eth6 and SSID Privada are in "bridge Oficina".
SSID Invitado is in "bridge Invitado".

What I did was to avoid routing between Bridge Oficina and Bridge Invitado with those filters, so I assume that because SSID oficina and SSID Invitado are in different bridges they can't reach each other. Is my assumption correct?
 
sindy

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Tue Feb 20, 2018 4:43 pm

Is my assumption correct?
Yes. I just got a feeling from what you wrote that your reason not to use interface list was that privado and officina would stop seeing each other if done that way.
 
nescribal

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Thu Feb 22, 2018 12:00 am

I have one more question,

I was reading the wiki and found on the tips those rules:
/ip firewall address-list
# "NotPublic" list as quoted from the wiki: address ranges that should never
# appear as the source of a packet arriving from the public internet (private,
# loopback, link-local, documentation, multicast and reserved space).
# NOTE(review): 10.0.0.0/8 is part of the list, so when the upstream router
# hands out a 10.0.0.x WAN address (the scenario described below this listing)
# the upstream gateway's own packets towards this router match the list.
 add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
 add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
 add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
 add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
 add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
 add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
 add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
 add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
 add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
 add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
 add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
 add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
 add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
And filter rules
# Filter rules as quoted from the wiki. "WAN" and "LAN" are placeholder
# interface names; they have to be replaced by the real interface names of this
# router (e.g. "ether1 WAN0") before the rules can be added.
# NOTE(review): with a private (10.x) address on the WAN, the input rule also
# drops the upstream DHCP server's unicast replies (udp src-port 67 -> dst-port
# 68) unless an accept for them is placed before it.
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=LAN
# NOTE(review): as quoted, this last rule has no address condition at all and
# would drop every forwarded packet coming from LAN. Its comment implies an
# extra match on the source address (something like src-address-list=!<local-addresses>,
# placeholder) that appears to have been lost in the paste; confirm against the
# wiki page before applying it.
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=LAN 

Assume that my WAN is ether1 which is connected to other router which is given by my internet provider. I get a local IP from that router for dhcp on my interface eth1. Let's say I configure DHCP on internet provider router that gives to my router on network 10.0.0.1/24. So then, my router gets for example 10.0.0.2 IP on eth1.

Rule 1 says drop all packets that do not come from the router and come in on the WAN interface. Doesn't that rule drop all packets that come to my router on that interface? And Rule 2 looks the same, but for packets through the router ...
 
sindy

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Thu Feb 22, 2018 11:56 am

I have one more question,
...
filter rules
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=LAN
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=LAN 
Assume that my WAN is ether1 which is connected to other router which is given by my internet provider. I get a local IP from that router for dhcp on my interface eth1. Let's say I configure DHCP on internet provider router that gives to my router on network 10.0.0.1/24. So then, my router gets for example 10.0.0.2 IP on eth1.

Rule 1 says drop all packets that do not come from the router and come in on the WAN interface. Doesn't that rule drop all packets that come to my router on that interface? And Rule 2 looks the same, but for packets through the router ...
Rule 1 says drop all packets which come from "non-public" IP addresses to your router via its WAN interface - it does not say to drop packets which have traversed intermediate devices with such addresses on their way. The source IP address of a packet does not change during routing. So if the gateway on 10.0.0.1 sends anything to you, that will be dropped. If anything comes to you via that gateway, it will not be dropped (well, unless the gateway would src-nat it).

But as either the ISP's gateway itself is the DHCP server for your WAN, or at least the DHCP server shares the subnet with the gateway, you have to provide an exception from that rule for DHCP packets in server->client direction (protocol=udp src-port=67 dst-port=68), because while DHCP discover from client to server uses a broadcast destination IP address, already the DHCP offer from the server to the client comes from the server's unicast IP address (a broadcast address must not be used as source address). This exception is only necessary for the input chain as the gateway only sends the DHCP offers and responses to the Mikrotik itself.

Another exception you need to set up is for icmp, and that one must be present in both the "input" and "forward" chains. Otherwise not only traceroute but also path MTU discovery would break, maybe even something else.

In the other direction, you have to permit DHCP packets from client to server (i.e. swap the src and dst ports in the exception rule) and icmp as well.

Maybe connection tracking saves all that, but I'm not sure about it and even if it does, it is not always enabled.
 
nescribal

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Fri Feb 23, 2018 4:57 pm

Okay,

I understand.

And what about NAT on my ether4? I have a rule for src NAT on ether4.
 
sindy

Re: Problem with RB 1100AHX2 - No internet in bridge and can't ping gateway

Fri Feb 23, 2018 5:02 pm

OKay,

i understand.

And what about NAT on my ether4? I have a rule for src NAT on ether4.
Well, I do NOT understand what you're asking. Can you use more words to replace the "what about"?
