jfreak53
newbie
Topic Author
Posts: 45
Joined: Fri Oct 04, 2019 3:18 am

Guest network doesn't have internet

Thu Jun 03, 2021 4:22 am

I've got an RB3011 set up as the main network router, working great. I've then got a cAP ac for wireless; I've got the cAP set up with the main two WLANs set for staff, it's set in WISP AP mode and bridge mode. The staff WLANs grab IPs from the 3011 just fine, 88.0/24 range, no problem there.

The 3011's IP is 192.168.88.253.

I've set up a DHCP server, network range of 1.0/24, on the cAP itself to manage the guest network separately from the main network. When you connect to the guest network, it gets a 1.0 range IP, no problem, I can even ping the 1.1 gateway just fine, but no internet.

Below is my export from the cap. Thanks for any help! I'm stuck on this last part, the rest is working great.
# jun/02/2021 15:02:37 by RouterOS 6.45.9
# software id = BE21-KY3S
#
# model = RBcAPGi-5acD2nD
# serial number = BECD0CA97359
/interface bridge
add admin-mac=48:8F:5A:3A:BF:CF auto-mac=no comment=defconf name=bridge
add name=guestbridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto hide-ssid=yes installation=\
    indoor mode=ap-bridge ssid=PayneStaff wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto hide-ssid=\
    yes installation=indoor mode=ap-bridge ssid=PayneStaff5G \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys name=guest supplicant-identity="" \
    unicast-ciphers=tkip,aes-ccm
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:3A:BF:D0 \
    master-interface=wlan1 multicast-buffering=disabled name=GuestWifi \
    security-profile=guest ssid=WFDGuest wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=guestbridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
add bridge=guestbridge interface=GuestWifi
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
add disabled=yes interface=GuestWifi list=LAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=guestbridge network=\
    192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    bridge
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.1.0/24
/system clock
set time-zone-name=America/Chicago
/system identity
set name="CAP ac"
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
 
jfreak53
newbie
Topic Author
Posts: 45
Joined: Fri Oct 04, 2019 3:18 am

Re: Guest network doesn't have internet

Thu Jun 03, 2021 5:00 pm

Any thoughts?

anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest network doesn't have internet

Thu Jun 03, 2021 6:59 pm

Why do you think both configs are not necessary?
Please post RB3011 as well.

anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest network doesn't have internet

Thu Jun 03, 2021 7:04 pm

Quick look on the cAP ac.

Two bridges, wrong, you only need one.
You don't need any DHCP service on the cAP ac, it should be done on the RB3011.
Why is ether1 from the RB3011 not on the bridge??
The address associated with the cAP ac should be an address on the management VLAN.
 
jfreak53
newbie
Topic Author
Posts: 45
Joined: Fri Oct 04, 2019 3:18 am

Re: Guest network doesn't have internet

Fri Jun 04, 2021 4:43 am

I am sorry, I figured since I was doing the DHCP on the cAP all the work and problems were on the cAP, not the 3011; since the problem was on the cAP I figured I didn't need to post the 3011. There is no need to be rude, please, I was simply asking for help in what I did wrong.

"Two bridges, wrong only need one"
In many tutorials in the past I've read, guest wifi with separated DHCP has always had a secondary bridge. How do I connect the guest wifi to the internet without one? When I try to connect the guest wifi to bridge1, it errors out and says it can't since it's a virtual device. So I've always made a secondary bridge.

"You don't need any DHCP service on the capac, should be done on RB3011"
Normally I would do a DHCP relay, but I've had issues with that in the past; I figured I would just bypass that since it's guest and just run DHCP on the cAP. Will that not work at all?

"Why is ether 1 from the RB3011 not on the bridge??"
I didn't post the config for the 3011, how do you know it's not on the bridge?

"The address associated with the Capac should be an address on the management vlan."
It is, its static IP is on the main subnet, 192.168.88.24.

Please find the 3011 config below:
# jun/03/2021 20:39:32 by RouterOS 6.46.8
# software id = 6VXV-BCXG
#
# model = RB3011UiAS
# serial number = E14F0EB8C16A
/interface bridge
add admin-mac=2C:C8:1B:1C:0F:AB auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.253/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=74.84.116.138/30 interface=ether1 network=74.84.116.136
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.253 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.253 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=ether1 \
    src-address=192.168.1.0/24
/ip route
add distance=1 gateway=74.84.116.137
/system clock
set time-zone-name=America/Chicago
/system identity
set name=PayneRouter
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks for your help, I really appreciate you taking the time!

anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest network doesn't have internet

Fri Jun 04, 2021 6:23 am

Hmm, good question.
I always use VLANs when using multiple subnets.
How were you proposing to send wifi to a cAP ac and yet have the cAP ac IP address (control of it) not in the guest network??
Were you intending to use a home wifi on the cAP ac and a guest wifi? What about IoT devices?

You also have an IP address assigned to ether2 and not the bridge, on purpose??

2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Guest network doesn't have internet

Fri Jun 04, 2021 3:42 pm

The reason your configuration on the cAP is not working is the src-nat rule. It is using out-interface-list=WAN, and the only interface in interface-list=WAN is ether1. In your case, the bridge interface will be your WAN and the guestbridge will be your LAN. But I would not change the interface-list to reflect this. It will cause you to lose IP connectivity to the cAP from your non-guest LAN due to the other firewall filter chain=input rules. You should change these rules to allow access from the bridge interface and not from the guestbridge. You should also change the chain=forward rules to block access to the LAN IP scope from guestbridge.

anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest network doesn't have internet

Fri Jun 04, 2021 6:30 pm

Disagree with the 2 toads................... you should not need any firewall rules on the cAP ac, as you should not use it as a router when you have the RB3011.

bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Guest network doesn't have internet

Sat Jun 05, 2021 1:33 am

On the cAP config (without going through all lines one by one), some important concepts to remember:

1. When an interface is added as a bridge port, it becomes a slave interface. "IP address" and "interface list membership" become irrelevant on the interface, as the settings of the bridge are used.
2. MT in its default config and firewall uses two interface lists: LAN and WAN. LAN membership allows all kinds of access, WAN blocks most access and is a trigger for NAT/masquerade.
3. By adding ether1 to the bridge, most settings for ether1 and the firewall do not apply anymore (like WAN interface list membership). Setting LAN interface list membership on the interfaces is not used because they are bridge ports.
4. Access from the guestbridge should be NAT/masqueraded if going via the other bridge to ether1 in this setup. The default interface lists LAN/WAN are not specific enough to indicate this correctly (setting "bridge" in the WAN list would trigger the NAT rule, but disturb the working of the private wifi). Either create a new list, or use the interface ("bridge" or "guestbridge") itself in the NAT rule, or some other filter (like src IP address).
5. I can imagine that having guests on a separate subnet feels safe. However, from a security manager's point of view the current setup is unacceptable. Your guests are safe and well behind the firewall rules, even hiding their IP address in the NAT/masquerade. They have full access to all the private IP addresses and to the Internet. A perfect spot from where to shoot you in the back. You can add some protection for your "back" with extra firewall filters, but still your guests are in a safe-house that cannot be monitored from the private (main) network.

PS: having visitors, suppliers, guests, services ..., bringing their own AP-style device (with NAT-based access) and hooking it up, wired or wireless, to your important/industrial network (for getting internet access for their services), is a nightmare for the security manager of that network. It happens so often, and on a large network it is not easy to detect. ("That HVAC service is better when our vendor gets the logging in real time, they just have to connect a little black box to your network. IT, can you get a cable in here for them?")
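The fragment below is an added example, not part of this thread and not anyone's posted config. It pulls together the router-on-the-cAP fix that 2frogs describes (masquerade on the interface the guest traffic actually leaves through, restrict input, block forward from guest to the staff subnet) with points 4 and 5 of bpwl's list, in RouterOS 6.x syntax matching the exports above. It keeps jfreak53's names and subnets (bridge, guestbridge, 192.168.88.0/24, 192.168.1.0/24); the interface list name GUEST and the rule comments are assumptions. Note that anav's advice is the other route (no routing on the cAP at all, VLANs carried to the RB3011); this example does not cover that design.

```routeros
# Added example (not from the thread): make the cAP ac a proper guest router.
# Assumes the cAP export above: ether1 is a slave of "bridge" (staff LAN,
# uplink to the RB3011), "guestbridge" holds 192.168.1.1/24 with DHCP.
# Because ether1 is a bridge port, guest packets leave via "bridge", never
# via "ether1", so out-interface-list=WAN (members: ether1) never matches.

# Hypothetical list so filter rules can say "from the guest side" in one place.
/interface list
add name=GUEST comment="guest side of the cAP (added example)"
/interface list member
add interface=guestbridge list=GUEST
# The cAP's own management address should sit on the staff bridge, not on a
# slave port (bpwl point 1/3); slave-port memberships in the export are inert.
add interface=bridge list=LAN

# NAT: match the real egress interface instead of the WAN list.
# The existing rule with out-interface-list=WAN src-address=192.168.1.0/24
# can be removed; this replaces it.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    out-interface=bridge comment="guest -> RB3011/internet via staff bridge"

# Input: the cAP export has no input rules at all, so guests can currently
# reach the cAP's own services. Rules are evaluated top to bottom.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=67 \
    comment="guest DHCP (DNS not needed: leases hand out 8.8.8.8 directly)"
add chain=input action=drop in-interface-list=GUEST \
    comment="no management/services from the guest side"

# Forward: guests may go to the Internet but not into the staff subnet.
# Appended after the defconf fasttrack/established rules, so only NEW
# connections reach it; established guest sessions were accepted earlier.
add chain=forward action=drop in-interface-list=GUEST \
    dst-address=192.168.88.0/24 comment="guest may not reach staff LAN"

# Quick checks after applying (real RouterOS commands):
#   /ip firewall filter print stats      -> drop counters rise when a guest
#                                           tries 192.168.88.x
#   /ip firewall connection print where src-address~"^192.168.1\\."
#                                        -> guest flows should show reply
#                                           dst of 192.168.88.24 (masqueraded)
```

Design note: the forward drop is keyed on dst-address rather than on out-interface=bridge because the RB3011 itself (192.168.88.253) is the next hop for all guest Internet traffic; matching the destination subnet blocks the staff hosts and the RB3011's management interface while still letting routed-through traffic pass. bpwl's point 5 still stands even with these rules: every guest appears on the staff network as 192.168.88.24, so per-client visibility from the RB3011 is lost, which is the argument for anav's VLAN approach instead.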