To setup VLANs I referenced this guide: https://github.com/hallzhallz/hallzhall ... %20hEX%20S
For the most part everything looks to be working.
- All devices that should have internet access, have it. (and those that shouldn't don't)
- All wired devices in the same vlan can communicate with each other (aka file sharing works)
- Devices on the internet only vlan look to correctly only have internet access.
Issues
- WiFi devices cannot communicate with each other (client-to-client forwarding is enabled, and they are on the same VLAN, judging by the IP addresses they are given)
- WiFi and hardwired devices cannot communicate
- I can't access the access point configs (even via WinBox) without plugging directly into them, and then I can access both of them.
I know it's something I've configured wrong, but I'm lost and can't figure it out.
Initially I had issues getting CAPsMAN to work at all.
What made it work was changing the ProCurve VLAN1 membership on ports 1-4 from Exclude to Untag.
I also needed to set the PVID of the hEX-S bridge port ether3 to 1.
Because hEX-S ether5 is unused, the ProCurve can be bypassed while testing is done to get one cAP-ac working; afterwards I'll either need to reconnect to the ProCurve or get a (dumb?) switch to connect the access points to the hEX-S (preferably through the ProCurve, as in the future I'll be running a fiber line to serve the workshop, which needs both wired and wireless).
Hardware:
hEX-S, cAP-ac, RB951G (being replaced with another cAP-ac), HP ProCurve 1810G-24 GE
RouterOS v6.48.4 (stable) [only packages: dhcp, security, system, wireless]
Physical Connections:
hEX-S:
SFP = Unused
ether1 = cable modem
ether2 = pihole/unbound Raspberry Pi
ether3 = ProCurve port#1
ether4 = DumbSwitch serving game consoles (internet only)
ether5 = Unused
cAP-ac / RB951G
ether1 = ProCurve port#3 /#4
ProCurve
port1 = hEX-S ether3
port3 = RB951G ether1
port4 = cAP-ac ether1
port11 = IP Phone
port13 = Printer
port15,17,19,21 = Computers
port23 = NAS
Configs:
ProCurve:
VLAN1: 1-4=Untag, 5-24=Exclude
VLAN63: 1-4=Tag, 5-12=Untag, 13-24=Exclude
VLAN127: 1-4=Tag, 5-12=Exclude, 13-24=Untag
VLAN191: 1-4 = Tag, 5-24 = Exclude
cAP-ac / RB951G
Because of the issues above I can't access them remotely, but they have basically no configuration.
I used the reset function with the CAPsMAN option selected; after the reboot I used the QuickSet menu and clicked the option to bridge the LAN ports.
hEX-S:
# CAPsMAN radio channel definitions.
# The single 5 GHz entry uses extension-channel=XX (auto), so the radio may bond a
# wider channel than the 20 MHz control channel; the 2.4 GHz entries simply enumerate
# channels 1-11 at 20 MHz so a CAP can be pinned to one of them.
/caps-man channel
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XX frequency=5220 name=5G-C44
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=2G-C1
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2417 name=2G-C2
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2422 name=2G-C3
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2427 name=2G-C4
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2432 name=2G-C5
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2437 name=2G-C6
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2442 name=2G-C7
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2447 name=2G-C8
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2452 name=2G-C9
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2457 name=2G-C10
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2462 name=2G-C11
# CAPsMAN configurations, one per SSID.
# All three use datapath.local-forwarding=yes, i.e. the CAP itself bridges and
# VLAN-tags client frames (CAPsMAN only manages the radios); the default tag is VLAN 191
# (guest) and the access-list further down overrides it per client MAC (127 = main,
# 63 = iot). Because forwarding happens on the CAP, wifi<->wifi and wifi<->wired
# behaviour also depends on the CAP's own bridge configuration, which is not in this
# export.
# NOTE(review): security.encryption=aes-ccm,tkip together with
# authentication-types=wpa-psk,wpa2-psk leaves WPA1/TKIP enabled; unless one of the
# allow-listed clients genuinely requires it, restrict to wpa2-psk / aes-ccm.
# NOTE(review): the 5G-Guest configuration sets no security.* parameters at all, so
# as exported SP-Guest comes up without a passphrase; hide-ssid=yes only suppresses
# the beacon and is not an access control. Give it its own security settings.
/caps-man configuration
add country=canada datapath.local-forwarding=yes datapath.vlan-id=191 datapath.vlan-mode=use-tag mode=ap name=5G security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm,tkip security.group-encryption=aes-ccm ssid=SP-5GNet
add country=canada datapath.local-forwarding=yes datapath.vlan-id=191 datapath.vlan-mode=use-tag mode=ap name=2G security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm,tkip security.group-encryption=aes-ccm ssid=SP-Net
add country=canada datapath.local-forwarding=yes datapath.vlan-id=191 datapath.vlan-mode=use-tag hide-ssid=yes name=5G-Guest ssid=SP-Guest
# ether5 is unused (see the physical-connection list), so PoE-out is switched off.
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
# Single bridge with VLAN filtering enabled; every VLAN must therefore appear in
# /interface bridge vlan below. Note that there is no entry for VLAN 1, the untagged
# VLAN the CAPs use to reach CAPsMAN over ether3 - it only passes because RouterOS
# adds each port's PVID (default 1 on ether3/ether5) to the VLAN table dynamically.
/interface bridge
add admin-mac=08:55:31:FE:6C:25 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
# Static CAPsMAN radio bindings (by radio MAC): one 2.4 GHz radio on the RB951G and
# the 2.4/5 GHz pair on the cAP ac, each pinned to a fixed channel from the list above.
/caps-man interface
add channel=2G-C8 configuration=2G disabled=no l2mtu=1600 mac-address=64:D1:54:A4:5F:6D master-interface=none name=RB951G-CR radio-mac=64:D1:54:A4:5F:6D radio-name=64D154A45F6D
add channel=2G-C4 configuration=2G disabled=no l2mtu=1600 mac-address=74:4D:28:A9:8B:76 master-interface=none name=cAPac-LR-2G radio-mac=74:4D:28:A9:8B:76 radio-name=744D28A98B76
add channel=5G-C44 configuration=5G disabled=no l2mtu=1600 mac-address=74:4D:28:A9:8B:77 master-interface=none name=cAPac-LR-5G radio-mac=74:4D:28:A9:8B:77 radio-name=744D28A98B77
# Router-side L3 interfaces, one per VLAN, all hanging off the bridge.
/interface vlan
add interface=bridge name=dns-vlan vlan-id=10
add interface=bridge name=guest-vlan vlan-id=191
add interface=bridge name=iot-vlan vlan-id=63
add interface=bridge name=main-vlan vlan-id=127
# Interface lists referenced by the firewall: WAN/LAN are the defaults, VLAN groups the
# client VLANs (main/iot/guest), and MGMT (main-vlan only) is the list that is allowed
# to reach router services and MAC-winbox/mac-telnet.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
# Local wireless security profile; the hEX-S has no radio, so this is unused and the
# real wireless security lives in the CAPsMAN configurations above.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pools and servers for the three client VLANs. There is no pool or server for
# VLAN 10 (the Pi is statically addressed) nor for VLAN 1, so the CAPs receive no
# address from this router - presumably why the APs are only reachable when plugged
# into directly.
/ip pool
add name=main-pool ranges=10.212.10.101-10.212.10.254
add name=iot-pool ranges=192.168.63.101-192.168.63.254
add name=guest-pool ranges=192.168.191.101-192.168.191.254
/ip dhcp-server
add address-pool=main-pool disabled=no interface=main-vlan name=main-dhcp
add address-pool=iot-pool disabled=no interface=iot-vlan name=iot-dhcp
add address-pool=guest-pool disabled=no interface=guest-vlan name=guest-dhcp
# CAPsMAN access list - evaluated top to bottom, first match wins.
# Each accept entry pins one client MAC to a VLAN (127 main, 63 iot) via
# vlan-id/vlan-mode=use-tag, overriding the configuration default of 191; only the
# main-VLAN entries enable client-to-client-forwarding. The final reject entry has
# ssid-regexp="" and no mac-address, so it matches every SSID and turns the whole
# setup into a closed MAC allow-list (including SP-Guest).
# NOTE(review): a MAC allow-list is a convenience filter, not authentication - the PSK
# on the SSID is the actual access control. Three of the listed MACs (7E:90:B0:...,
# BE:80:62:..., E6:06:EE:...) have the locally-administered bit set, which is what
# per-network randomised addresses on recent phones look like; if a phone regenerates
# its address the entry silently stops matching and the device falls into the reject rule.
/caps-man access-list
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="P's Quest" disabled=no mac-address=2C:26:17:60:BB:72 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment=PS4 disabled=no mac-address=A8:6B:AD:CF:0A:D1 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- T (Moto E4)" disabled=no mac-address=D4:63:C6:3D:0F:A0 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- T (Umidigi Power)" disabled=no mac-address=00:08:22:73:3D:B9 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- P (Moto E4)" disabled=no mac-address=D0:04:01:7E:F3:E8 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- P (Pixel 4A)" disabled=no mac-address=7E:90:B0:F8:66:9F signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- A (Moto E4)" disabled=no mac-address=88:B4:A6:11:4D:E0 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- A (Nokia 5.3)" disabled=no mac-address=BE:80:62:6B:19:92 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- A (Nokia 5.3) [5GHz]" disabled=no mac-address=E6:06:EE:7A:C1:F2 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- S (Moto E4)" disabled=no mac-address=D0:04:01:76:5D:56 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Tablet -- P" disabled=no mac-address=B0:6E:BF:05:3E:89 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment=NES-Pi disabled=no mac-address=B8:27:EB:C6:62:6C signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment="Nintendo Switch -- T" disabled=no mac-address=5C:52:1E:66:0C:1E signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Chromecast -- Computer Room" disabled=no mac-address=E4:F0:42:95:C2:6A signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment="3DSXL -- T" disabled=no mac-address=34:AF:2C:F7:5E:81 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment="3DSXL -- P" disabled=no mac-address=18:2A:7B:6B:B6:68 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment="n3DSXL -- T" disabled=no mac-address=CC:FB:65:F3:6A:00 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment="eReader -- Sony PRS-T1" disabled=no mac-address=00:01:36:DD:EC:D1 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Laptop -- Dell 1720" disabled=no mac-address=00:21:5C:3C:98:0D signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Laptop -- Dell 6400" disabled=no mac-address=00:13:02:AC:B7:E0 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Laptop -- Aspire One ZG5" disabled=no mac-address=00:23:4D:85:A2:AB signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Printer -- Canon imageCLASS MF244dw" disabled=no mac-address=74:C6:3B:B3:1A:2B signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
# Catch-all: anything not listed above is rejected on every SSID.
add action=reject allow-signal-out-of-range=10s comment="-- REJECT --" disabled=no signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
# CAPsMAN manager with only enabled=yes, i.e. CAP registration is not certificate-
# authenticated; any device that can reach the router on untagged VLAN 1 (switch ports
# 1-4, ether3/ether5) could register as a CAP. Acceptable for a home LAN, but the
# manager's certificate / require-peer-certificate settings exist if that matters.
/caps-man manager
set enabled=yes
# Bridge port membership and per-port PVID (the VLAN untagged ingress frames land in).
# - ether2 (Pi): untagged VLAN 10, but it is also a *tagged* member of VLAN 127 in the
#   VLAN table below, so the Pi could join main-vlan directly with a tagged
#   sub-interface. NOTE(review): if that is not intended, drop ether2 from the
#   tagged= list of the vlan-ids=127 entry.
# - ether3 (ProCurve trunk) and ether5 (spare trunk): no pvid/frame-types given, so
#   PVID 1 and admit-all - this is the untagged VLAN 1 path the CAPs use for CAPsMAN
#   plus tagged 63/127/191 for client traffic.
# - ether4 (console switch) and sfp1 (unused): access ports, untagged-only.
# NOTE(review): ingress-filtering is left at its default; enabling it on the trunk
# ports (and the bridge) makes the VLAN table authoritative for ingress as well as
# egress, which is the usual hardening for a trunk you do not fully control.
/interface bridge port
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=63
add bridge=bridge interface=ether5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp1 pvid=127
# Neighbor discovery (MNDP/CDP/LLDP) only on main-vlan; the CAPs live on VLAN 1 and
# so will not show up in /ip neighbor from here.
/ip neighbor discovery-settings
set discover-interface-list=MGMT
# Static VLAN table. 'bridge' is tagged everywhere so the router's own VLAN
# interfaces can receive each VLAN. There is no vlan-ids=1 entry, so VLAN 1 relies on
# the dynamic PVID entries mentioned at the bridge definition.
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge,ether2,ether3,ether5 vlan-ids=127
add bridge=bridge comment=iot-vlan tagged=bridge,ether3,ether5 untagged=ether4 vlan-ids=63
add bridge=bridge comment=dns-vlan tagged=bridge untagged=ether2 vlan-ids=10
add bridge=bridge comment=guest-vlan tagged=bridge,ether3,ether5 vlan-ids=191
# List membership. main-vlan is the only MGMT member; LAN is populated but no
# firewall rule in this export references it.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=main-vlan list=VLAN
add interface=iot-vlan list=VLAN
add interface=main-vlan list=MGMT
add interface=guest-vlan list=LAN
add interface=guest-vlan list=VLAN
# Router addresses, one per VLAN interface. Nothing is assigned to the bridge itself
# (untagged VLAN 1), so the router has no L3 presence on the VLAN the CAPs sit in;
# together with the forward chain below this is why the APs cannot be managed from
# main-vlan. Either give VLAN 1 (or a dedicated management VLAN) an address plus DHCP
# and a forward rule from MGMT, or configure static addresses on the CAPs themselves.
/ip address
add address=10.212.10.3/24 interface=main-vlan network=10.212.10.0
add address=192.168.63.3/24 interface=iot-vlan network=192.168.63.0
add address=10.10.10.3/24 interface=dns-vlan network=10.10.10.0
add address=192.168.191.3/24 interface=guest-vlan network=192.168.191.0
# WAN address from the cable modem; use-peer-dns=no so the ISP resolver is ignored in
# favour of the Pi-hole configured under /ip dns.
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
# Static leases. The printer lease covers its wired MAC (84:BA:3B:91:A7:C0); its
# wireless radio (74:C6:3B:B3:1A:2B in the access-list) has no reservation. The IP
# phone is on iot (matches ProCurve port 11 being untagged in VLAN 63); the Chromecast
# MAC matches its access-list entry on VLAN 127.
/ip dhcp-server lease
add address=10.212.10.18 comment=Printer mac-address=84:BA:3B:91:A7:C0 server=main-dhcp
add address=192.168.63.18 client-id=1:0:b:82:63:cd:f8 comment="IP Phone" mac-address=00:0B:82:63:CD:F8 server=iot-dhcp
add address=10.212.10.20 comment="Chromecast -- Computer Room" mac-address=E4:F0:42:95:C2:6A server=main-dhcp
# Per-VLAN DHCP options. No dns-server is given, so clients are presumably handed the
# router's own address as resolver (which then forwards to the Pi-hole) - verify with
# a client lease if that matters.
/ip dhcp-server network
add address=10.212.10.0/24 comment=main-dhcp gateway=10.212.10.3
add address=192.168.63.0/24 comment=iot-dhcp gateway=192.168.63.3
add address=192.168.191.0/24 comment=guest-dhcp gateway=192.168.191.3
# Router acts as a DNS forwarder to the Pi-hole at 10.10.10.10. allow-remote-requests=yes
# makes it answer on every interface; exposure is limited by the input chain, which
# accepts port 53 only from the VLAN list and drops everything else (including WAN).
/ip dns
set allow-remote-requests=yes servers=10.10.10.10
/ip dns static
add address=10.212.10.3 comment=defconf name=router.lan
# Filter rules - order is significant, first match wins within each chain.
#
# input chain (traffic to the router itself):
#   established/related in, invalid dropped, full access from MGMT (main-vlan),
#   DHCP/DNS/ICMP from the client VLANs, everything else dropped. The defconf
#   loopback rule for CAPsMAN is disabled; that rule is only needed when CAPsMAN
#   forwards client traffic itself, not in local-forwarding mode.
#
# forward chain (traffic through the router):
#   Nintendo telemetry and "block_internet" connections are rejected first, then
#   MGMT -> Pi-hole dashboard, ipsec, fasttrack/established, Pi-hole -> WAN,
#   VLAN -> WAN, and a final drop. Nothing permits inter-VLAN traffic other than
#   MGMT -> 10.10.10.10, so main-vlan also cannot reach untagged VLAN 1 where the
#   CAPs are (see the /ip address comment).
#
# NOTE(review): "Block Internet on Flagged Device" matches connection-mark=block_internet,
# but the mangle rules below are action=accept and only *match* that mark - nothing in
# this export sets it. As exported the Printer and BackupNAS therefore still reach the
# internet through "VLAN Internet Access Only". If blocking is intended, those two
# mangle rules need `action=mark-connection new-connection-mark=block_internet` (as the
# Nintendo rule does); if the accept rules were meant as an "off switch", disabling the
# filter rule would make that explicit.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN ICMP Ping" in-interface-list=VLAN protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="Drop all other traffic"
add action=reject chain=forward comment="Block Nintendo Telemetry" connection-mark=nintendo_telemetry reject-with=icmp-host-unreachable
add action=reject chain=forward comment="Block Internet on Flagged Device" connection-mark=block_internet out-interface-list=WAN reject-with=icmp-host-unreachable
add action=accept chain=forward comment="PI Hole Dashboard Access" dst-address=10.10.10.10 in-interface-list=MGMT
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Pi Hole Internet Access" connection-state=new out-interface-list=WAN src-address=10.10.10.10
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT - enable if need server" connection-nat-state=dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all other traffic"
# Mangle: the first rule marks connections to a single telemetry IP (matched by
# destination only, so it applies to every device). The two src-mac-address rules are
# action=accept with a connection-mark *matcher* - they never create the mark (see the
# filter-chain note above).
/ip firewall mangle
add action=mark-connection chain=forward comment="Flag Nintendo Telemetry" dst-address=52.6.240.127 new-connection-mark=nintendo_telemetry passthrough=yes
add action=accept chain=prerouting comment="Flag: No Internet -- BackupNAS" connection-mark=block_internet src-mac-address=24:5E:BE:3E:D2:3B
add action=accept chain=prerouting comment="Flag: No Internet -- Printer" connection-mark=block_internet src-mac-address=84:BA:3B:91:A7:C0
# Default source NAT for everything leaving via WAN.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Management services: plaintext/legacy services (telnet, ftp, www, api) are off,
# api-ssl off, WebFig over TLS on with the 'webfig' certificate. ssh and winbox are not
# in the export, so they are at their defaults (enabled, any address); the input chain
# above already restricts them to main-vlan. NOTE(review): setting address= on www-ssl,
# winbox and ssh to the main-vlan subnet would give a second, firewall-independent
# layer for that restriction.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=webfig disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=hEX-S
# Traffic/resource graphs, viewable only from the main-vlan subnet and kept in RAM.
/tool graphing interface
add allow-address=10.212.10.0/24 interface=ether1 store-on-disk=no
add allow-address=10.212.10.0/24 interface=main-vlan store-on-disk=no
add allow-address=10.212.10.0/24 interface=iot-vlan store-on-disk=no
/tool graphing resource
add allow-address=10.212.10.0/24 store-on-disk=no
# MAC-telnet and MAC-winbox bypass the IP firewall, so limiting them to the MGMT list
# is the effective control here; with this setting they are not reachable from the
# CAPs' untagged VLAN 1 or from the iot/guest VLANs.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT