Technetium
newbie
Topic Author
Posts: 46
Joined: Sun Oct 16, 2016 10:56 pm

Router - AP with WIFI guest on VLAN don't work

Tue Aug 06, 2019 1:11 am

I have a hAP router and a cAP as a separate access point which has to manage the wifi networks "local lan" and "guest".
Local lan wifi is sent on untagged eth1 of the cAP.
Guest wifi is on a virtual interface with vlan=20 of the physical radio interfaces.

The hAP router does not seem to be receiving the traffic on vlan20. The DHCP server on the vlan interface is marked red. Guest wifi clients cannot obtain IP addresses.
Local lan wifi is working.


hAP config is
/interface bridge
add admin-mac=4C:5E:0C:07:63:3C arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
    name=WAN1
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether5-WAN2
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-g/n country=italy \
    disabled=no distance=indoors frequency=auto frequency-mode=\
    regulatory-domain hide-ssid=yes mode=ap-bridge ssid=Tss tx-power=25 \
    tx-power-mode=all-rates-fixed wireless-protocol=802.11
/interface vlan
add interface=ether5-WAN2 name=vlan-guest vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add name=peer1 passive=yes
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=10.0.2.2-10.0.2.254
add name=pool-ovpn ranges=10.255.255.2-10.255.255.254
add name=dhcp_pool4 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool4 disabled=no interface=vlan-guest name=\
    dhcp_server_guest
/ppp profile
add interface-list=LAN local-address=192.168.1.1 name=Ovpn-profile \
    remote-address=dhcp
add interface-list=LAN local-address=pool-ovpn name=OVPN-profile2 \
    remote-address=pool-ovpn
/system logging action
set 1 disk-file-count=1
/interface bridge port
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5-WAN2
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=wlan1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5-WAN2 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether5-WAN2 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 default-profile=OVPN-profile2 \
    enabled=yes port=1200 require-client-certificate=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.2.1/24 interface=ether5-WAN2 network=192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN1
/ip dhcp-server lease
add address=192.168.1.254 client-id=1:6c:3b:6b:ed:b3:5f disabled=yes \
    mac-address=6C:3B:6B:ED:B3:5F server=defconf
add address=192.168.1.251 client-id=1:64:d1:54:46:af:ee mac-address=\
    64:D1:54:46:AF:EE server=defconf
add address=192.168.1.2 client-id=1:74:4d:28:67:6f:e0 mac-address=\
    74:4D:28:67:6F:E0 server=defconf
/ip dhcp-server network
add address=10.0.2.0/24 dns-server=192.168.178.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.2.1
add address=10.255.255.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
    netmask=24
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input connection-state=new dst-port=1200 protocol=tcp
add action=accept chain=input comment="Intercomunicazione POOL VPN" \
    dst-address=10.255.255.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="Intercomunicazione POOL VPN" \
    dst-address=192.168.1.0/24 src-address=10.255.255.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!WAN2 connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="Accept da WAN1" dst-address=\
    192.168.178.0/24
add action=accept chain=prerouting comment="Accept da WAN2" dst-address=\
    10.0.2.0/24
add action=mark-connection chain=prerouting comment="Mangle AP WIFI" \
    connection-state=new in-bridge-port=ether4 in-interface-list=all \
    new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1 passthrough=yes
# in/out-interface matcher not possible when interface (ether5-WAN2) is slave - use master instead (bridge)
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether5-WAN2 new-connection-mark=WAN2 passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "Voip connection mark WAN2" connection-mark=no-mark dst-address-type=\
    !local in-interface=bridge new-connection-mark=Voip_WAN2 passthrough=yes \
    src-address=192.168.1.250
add action=mark-connection chain=prerouting comment="PCC stream WAN1" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge \
    new-connection-mark=WAN1 passthrough=yes per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting comment="PCC stream WAN2" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge \
    new-connection-mark=WAN2 passthrough=yes per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
    "Voip routing mark WAN2_mark chain prerouting" connection-mark=Voip_WAN2 \
    in-interface=bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
    bridge new-routing-mark=WAN1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
    bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=output comment=\
    "Voip routing mark WAN2_mark chain output" connection-mark=Voip_WAN2 \
    new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=\
    WAN1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=\
    WAN2-mark passthrough=yes
add action=mark-packet chain=postrouting connection-mark=Voip_WAN2 \
    new-packet-mark=fromVoip
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes log=yes log-prefix=OVPN \
    src-address=10.255.255.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping comment="WAN 2 marked route" distance=1 gateway=\
    192.168.43.1 routing-mark=WAN2-mark
add check-gateway=ping comment="WAN 1 marked route" distance=1 gateway=\
    192.168.178.1 routing-mark=WAN1-mark
add comment="Default route WAN 1" distance=1 gateway=192.168.178.1
add comment="Defult route WAN 2" distance=1 gateway=192.168.43.1
/ip ssh
set forwarding-enabled=remote
/ppp secret
add name=Utente1 profile=OVPN-profile2 service=ovpn
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=hAP
/system logging
add topics=ovpn,debug
/system ntp client
set enabled=yes
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

cAP config
/interface bridge
add admin-mac=74:4D:28:67:6F:E0 auto-mac=no comment=defconf name=bridge
add name=bridge-guest pvid=20 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=italy disabled=no distance=indoors frequency=auto \
    frequency-mode=regulatory-domain installation=indoor mode=ap-bridge ssid=\
    AppNET wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=italy disabled=no distance=indoors \
    frequency=auto frequency-mode=regulatory-domain installation=indoor mode=\
    bridge ssid=AppNET wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan-guest vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=MY-guest \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=MY-net \
    supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=76:4D:28:67:6F:E2 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2g-guest \
    security-profile=MY-guest ssid=AppNET-GUEST vlan-id=20 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=76:4D:28:67:6F:E3 \
    master-interface=wlan2 multicast-buffering=disabled name=wlan5g-guest \
    security-profile=MY-guest ssid=AppNET-GUEST vlan-id=20 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=wlan2g-guest name=vlan20-2g vlan-id=20
add interface=wlan5g-guest name=vlan20-5g vlan-id=20
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-guest interface=wlan2g-guest
add bridge=bridge-guest interface=wlan5g-guest
add bridge=bridge-guest interface=vlan-guest
add bridge=bridge-guest interface=vlan20-5g
add bridge=bridge-guest interface=vlan20-2g
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    bridge
add dhcp-options=hostname,clientid disabled=no interface=bridge-guest
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Rome
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
 
sebastia
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Router - AP with WIFI guest on VLAN don't work

Tue Aug 06, 2019 1:31 am

Hello

wrt hAP
ether5 participates in the bridge (is a slave): it can't operate as an independent interface: not for IP address, VLAN, firewall, ...

* hence the vlan should be defined on bridge.
* vlan ip should be assigned to "vlan-guest" interface
 
Technetium
newbie
Topic Author
Posts: 46
Joined: Sun Oct 16, 2016 10:56 pm

Re: Router - AP with WIFI guest on VLAN don't work

Tue Aug 06, 2019 9:30 am

So how can I receive untagged traffic in the bridge (to use the local LAN) and tagged traffic (vlan-20) out of the bridge?
 
sebastia
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Router - AP with WIFI guest on VLAN don't work

Wed Aug 07, 2019 3:42 pm

So how can I receive untagged traffic in the bridge (to use local LAN) ...?
Untagged traffic on ether5 will just be "forwarded" to the bridge and CPU.
So how can I receive ... and tagged traffic (vlan-20) out of the bridge?
Tagged traffic will be received by the VLAN interface on the bridge.

Todo:
migrate the vlan to the bridge
migrate the vlan IP to the vlan interface
configure vlan filtering to only allow that vlan over ether5. This can be done through the bridge interface or over the switch chip.

Have a look at this thread for vlan info: viewtopic.php?f=13&t=143620
and this wiki for switch based: https://wiki.mikrotik.com/wiki/Manual:S ... p_Examples
 
sindy
Forum Guru
Posts: 4021
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router - AP with WIFI guest on VLAN don't work

Wed Aug 07, 2019 10:54 pm

There is no point in having VLAN 20 out of the bridge, it can stay there.

At the cAP, set both the "local" and "guest" wireless interfaces along with ether1 as member ports of the only bridge, remove any /interface vlan, and configure the guest wireless interface with vlan-id=20 vlan-mode=use-tag.

At the hAP, make the ether5 (and possibly other ethernet ports) a member port of the only bridge, and set an /interface vlan with vlan-id=20 interface=the-bridge-name. Now attach the IP configuration (IP address, DHCP server) for "local" to the bridge itself, and attach the IP configuration for "guest" to the /interface vlan.

Once you check that it works, set firewall rules preventing clients of "guest" network from accessing the "local" network, based on src-address(-list) and/or in-interface(-list) to identify the source and dst-address(-list) and/or out-interface(-list) to identify the destination.

If you have more than just ether5 in the bridge at the hAP, and you want to prevent VLAN 20 from being accessible (tagged) on those other ports, you have to configure the pre-requisites for vlan-filtering on the bridge and set vlan-filtering to yes.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
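Putting sebastia's to-do list and sindy's description together, here is what the two configurations would look like as RouterOS commands. This is an added example, not something posted in the thread by either of them; it reuses only the interface, pool and comment names from the original exports (bridge, bridge-guest, ether1, ether5-WAN2, vlan-guest, dhcp_server_guest, wlan2g-guest, wlan5g-guest, the 192.168.1.0/24, 192.168.2.0/24 and 10.255.255.0/24 networks, and the defconf rule comments) and assumes a RouterOS 6.41+ bridge, where VLANs are handled by the bridge itself. The place-before targets rely on the defconf comments being present exactly as in the posted export.

```routeros
# --- cAP (access point) ------------------------------------------------
# One bridge only. The guest virtual APs tag their clients' frames with
# VLAN 20 (vlan-mode=use-tag) before the frames enter the bridge, so ether1
# carries "local" untagged and "guest" tagged 20 towards the hAP.
/ip dhcp-client
remove [ find interface=bridge-guest ]
/interface bridge port
remove [ find bridge=bridge-guest ]
/interface vlan
remove [ find ]
/interface bridge
remove [ find name=bridge-guest ]
/interface wireless
# already set this way in the posted export; repeated so the block is complete
set [ find name=wlan2g-guest ] vlan-id=20 vlan-mode=use-tag
set [ find name=wlan5g-guest ] vlan-id=20 vlan-mode=use-tag
/interface bridge port
add bridge=bridge interface=wlan2g-guest
add bridge=bridge interface=wlan5g-guest

# --- hAP (router) ------------------------------------------------------
# ether5-WAN2 stays a plain bridge port: untagged = local LAN, tagged 20 =
# guest. The VLAN interface is defined on the bridge, not on the slave port,
# and the guest IP address and DHCP server move onto that VLAN interface.
/interface vlan
remove [ find name=vlan-guest ]
add interface=bridge name=vlan-guest vlan-id=20
/ip address
remove [ find interface=ether5-WAN2 ]
add address=192.168.2.1/24 interface=vlan-guest network=192.168.2.0
/ip dhcp-server
set [ find name=dhcp_server_guest ] interface=vlan-guest

# Guest clients still need DHCP and DNS from the router: accept those before
# the defconf "drop all not coming from LAN" input rule.
/ip firewall filter
add chain=input action=accept in-interface=vlan-guest protocol=udp \
    dst-port=53,67 comment="guest: DHCP and DNS to router" \
    place-before=[ find comment="defconf: drop all not coming from LAN" ]
# Guest isolation (sindy's third paragraph): drop new connections from VLAN 20
# towards the local LAN and the OVPN pool. connection-state=new keeps replies
# to connections opened from the local side working.
add chain=forward action=drop connection-state=new in-interface=vlan-guest \
    dst-address=192.168.1.0/24 comment="guest: no access to local LAN" \
    place-before=[ find chain=forward comment="defconf: drop invalid" ]
add chain=forward action=drop connection-state=new in-interface=vlan-guest \
    dst-address=10.255.255.0/24 comment="guest: no access to VPN pool" \
    place-before=[ find chain=forward comment="defconf: drop invalid" ]

# Optional (sindy's last paragraph): keep VLAN 20 tagged only on ether5-WAN2
# and the bridge CPU port, and let the bridge drop it on every other port.
# Apply this from the console or from a port that stays in the untagged VLAN.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5-WAN2 vlan-ids=20
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
```

To verify, watch /interface vlan and /ip dhcp-server after a guest client associates: the DHCP server entry on vlan-guest should no longer be shown as invalid, a lease should appear in /ip dhcp-server lease from 192.168.2.0/24, and /tool sniffer quick interface=ether5-WAN2 vlan=20 should show the tagged DHCP exchange arriving from the cAP. A guest client pinging 192.168.1.1 should fail once the forward drop rules are in place, while its Internet traffic still works.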
