a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Guest wireless almost working - help to finish?

Thu Feb 26, 2015 12:13 pm

Hi all, I almost have this working, but I think I'm probably missing something simple.

I have a MikroTik 951G with 2 ADSL lines using PPPoE. I am using mangle rules to mark the packets on upload to split the traffic between the channels.

Ether1 is LAN
Ether2 and 3 are the ADSL links

I have configured the wireless interface to be called wifi350 and to be part of a bridge with ether1-LAN. The bridge is called bridgeLAN and is on 192.168.27.0/24.

I have configured a VAP called wifiGuest to be part of another bridge called "bridgeGuest Internet". This bridge is on 192.168.26.0/24.
[admin@MikroTik] /interface> export
# feb/26/2015 09:38:23 by RouterOS 6.27
# software id = YLWZ-WLQA
#
/interface bridge
add name="bridgeGuest Internet"
add name=bridgeLAN
/interface ethernet
set [ find default-name=ether1 ] comment=LAN name=ether1-LAN
set [ find default-name=ether2 ] comment="ADSL Link 1" l2mtu=1526 mtu=1508 name=ether2-WAN1
set [ find default-name=ether3 ] comment="ADSL Link 2" l2mtu=1526 mtu=1508 name=ether3-WAN2
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes l2mtu=1492 master-port=ether1-LAN mtu=1492
/interface pppoe-client
add allow=pap,chap disabled=no interface=ether2-WAN1 keepalive-timeout=10 max-mru=1500 max-mtu=1500 mrru=1600 name=pppoe-WAN1 password=[] use-peer-dns=yes user=[]
add allow=pap,chap disabled=no interface=ether3-WAN2 keepalive-timeout=10 max-mru=1500 max-mtu=1500 mrru=1600 name=pppoe-WAN2 password=[] use-peer-dns=yes user=[]
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" wpa2-pre-shared-key=[]
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=Guest supplicant-identity="" wpa2-pre-shared-key=[]
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=LAN supplicant-identity="" wpa2-pre-shared-key=[]
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-ht-below country="united kingdom" disabled=no frequency=2472 ht-ampdu-priorities=0,1,2,3,4,5,6,7 l2mtu=2290 mode=ap-bridge name=wifi350 security-profile=LAN ssid=wifi350
add disabled=no l2mtu=2290 mac-address=4E:5E:0C:78:A5:79 master-interface=wifi350 name=wifiGuest security-profile=Guest ssid=Guest wds-cost-range=0 wds-default-cost=0
/interface bridge port
add bridge=bridgeLAN interface=ether1-LAN
add bridge=bridgeLAN interface=wifi350
add bridge="bridgeGuest Internet" interface=wifiGuest
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=OpenVPNprofile enabled=yes require-client-certificate=yes
[admin@MikroTik] /interface>
I have rules 0 and 1 in firewall filter to drop traffic between LAN and Guest, and Guest and LAN.
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0    ;;; drop traffic from LAN to Guest
      chain=input action=drop src-address=192.168.27.0/24 dst-address=192.168.26.0/24 log=no log-prefix=""

1    ;;; Drop traffic from Guest to LAN
      chain=input action=drop src-address=192.168.26.0/24 dst-address=192.168.27.0/24 log=no log-prefix=""

2    ;;; LAN traffic can go anywhere
      chain=forward action=accept in-interface=bridgeLAN log=no log-prefix=""

3    ;;; Established traffic
      chain=forward action=accept connection-state=established log=no log-prefix=""

4    ;;; Related traffic
      chain=forward action=accept connection-state=related log=no log-prefix=""

5    ;;; ICMP
      chain=forward action=accept protocol=icmp log=no log-prefix=""

6    ;;; cam allow incoming traffic
      chain=forward action=accept protocol=tcp dst-address=192.168.27.4 dst-port=21392 log=yes log-prefix=""

7    ;;; HS3 allow incoming traffic
      chain=forward action=accept protocol=tcp dst-address=192.168.27.8 dst-port=44443 log=yes log-prefix=""

8    ;;; VPN allow incoming traffic
      chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix=""

9    ;;; HS3 HSTOUCH allow incoming traffic
      chain=forward action=accept protocol=tcp dst-address=192.168.27.8 dst-port=44444 log=yes log-prefix=""

10    ;;; Drop the rest
      chain=forward action=drop log=no log-prefix=""

11    chain=output action=accept log=no log-prefix=""

12    ;;; LAN traffic can go anywhere
      chain=input action=accept in-interface=bridgeLAN log=no log-prefix=""

13    ;;; Established traffic
      chain=input action=accept connection-state=established log=no log-prefix=""

14    ;;; Related traffic
      chain=input action=accept connection-state=related log=no log-prefix=""

15    ;;; ICMP
      chain=input action=accept protocol=icmp limit=5,5 log=no log-prefix=""

16    ;;; Drop the rest
      chain=input action=drop log=no log-prefix=""

[admin@MikroTik] /ip firewall filter>
and I have a srcnat rule (rule 7) to provide outbound internet for 192.168.26.0/24.

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0    ;;; CAM  incoming
      chain=dstnat action=dst-nat to-addresses=192.168.27.4 protocol=tcp dst-address=[publicip] dst-port=21392 log=no log-prefix=""

1    ;;; HS3 incoming
      chain=dstnat action=dst-nat to-addresses=192.168.27.8 protocol=tcp dst-address=[publicip] dst-port=44443 log=no log-prefix=""

2    ;;; HS3 HSTOUCH incoming
      chain=dstnat action=dst-nat to-addresses=192.168.27.8 protocol=tcp dst-address=[publicip] dst-port=44444 log=yes log-prefix=""

3    ;;; CAM hairpin NAT
      chain=srcnat action=masquerade src-address=192.168.27.0/24 dst-address=192.168.27.4 log=no log-prefix=""

4    ;;; HS3 hairpin NAT
      chain=srcnat action=masquerade src-address=192.168.27.0/24 dst-address=192.168.27.8 log=no log-prefix=""

5    ;;; Outbound Internet Access
      chain=srcnat action=masquerade src-address=192.168.27.0/24 out-interface=all-ppp log=no log-prefix=""

6 X  ;;; Outbound VPN Internet Access
      chain=srcnat action=masquerade src-address=192.168.25.0/24 log=no log-prefix=""

7    ;;; Outbound Guest Internet
      chain=srcnat action=masquerade src-address=192.168.26.0/24 out-interface=all-ppp log=no log-prefix=""
[admin@MikroTik] /ip firewall nat>

I also have an address on the .26 network:
[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS            NETWORK         INTERFACE
0   192.168.27.254/24  192.168.27.0    bridgeLAN
1   192.168.26.254/24  192.168.26.0    bridgeGuest Internet
2 D [publicip]/32   [ispgateway]   pppoe-WAN2-624792
3 D [publicip]/32   [ispgateway]   pppoe-WAN1-620284
[admin@MikroTik] /ip address>

When I connect to the guest wifi, I get a DHCP address OK of 26.51 with a gateway of 192.168.26.254. The DNS servers are set (in the DHCP server rules) to be the ISPs' DNS servers.

I find I can ping internet addresses OK, but DNS is not working. Windows says "limited" access. ping google.co.uk says "Ping request could not find host".

Any pointers much appreciated!
 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Re: Guest wireless almost working - help to finish?

Sun Mar 01, 2015 9:25 am

Anyone point me in the right direction please? Thanks :)
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: Guest wireless almost working - help to finish?

Sun Mar 01, 2015 3:32 pm

You need to add a rule in firewall filter to forward packets originating from the bridgeGuest interface and place the rule before the forward drop rule.

/ip firewall filter
add chain=forward action=accept place-before=3 in-interface="bridgeGuest Internet" comment="forward bridge guest packets"
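An added illustration, not code from the thread: rules 0 and 1 in the original post sit in the input chain, which only sees packets addressed to the router itself, while traffic between the two bridges passes through the forward chain, so once the guest bridge is accepted there ahead of the final drop, new guest-to-LAN connections are accepted along with guest DNS. The Python model below evaluates the forward chain with RouterOS-style match keys and compares the suggested ordering with a hardened one that keeps the inter-subnet drops in forward; the sample packets and the 198.51.100.53 resolver address are constructed, and the all-ppp matcher is a simplified stand-in.

```python
from ipaddress import ip_address, ip_network

# Rule keys mirror RouterOS /ip firewall filter match options; a missing key matches anything.
# SUGGESTED: the thread's forward chain (rules 2-5, 10) plus the reply's guest accept rule.
SUGGESTED = [
    {"in-interface": "bridgeLAN", "action": "accept"},
    {"in-interface": "bridgeGuest Internet", "action": "accept"},
    {"connection-state": "established", "action": "accept"},
    {"connection-state": "related", "action": "accept"},
    {"protocol": "icmp", "action": "accept"},
    {"action": "drop"},
]
# HARDENED (added, not from the thread): inter-subnet drops in the forward chain,
# then guest traffic accepted only when it leaves via a PPPoE uplink.
HARDENED = [
    {"connection-state": "established", "action": "accept"},
    {"connection-state": "related", "action": "accept"},
    {"src-address": "192.168.26.0/24", "dst-address": "192.168.27.0/24", "action": "drop"},
    {"src-address": "192.168.27.0/24", "dst-address": "192.168.26.0/24", "action": "drop"},
    {"in-interface": "bridgeLAN", "action": "accept"},
    {"in-interface": "bridgeGuest Internet", "out-interface": "all-ppp", "action": "accept"},
    {"action": "drop"},
]

def _match(rule, pkt):
    def ok(key, want):
        have = pkt.get(key)
        if key in ("src-address", "dst-address"):
            return ip_address(have) in ip_network(want)
        if want == "all-ppp":  # simplified stand-in for RouterOS's all-ppp interface list
            return have.startswith("pppoe-")
        return have == want
    return all(ok(k, w) for k, w in rule.items() if k != "action")

def verdict(chain, pkt):
    # Index and action of the first matching rule; an unmatched packet is accepted.
    for i, rule in enumerate(chain):
        if _match(rule, pkt):
            return i, rule["action"]
    return None, "accept"

# Constructed packets: a new guest connection to the HS3 host on the LAN, and a guest
# DNS query to a placeholder resolver (198.51.100.53 is a documentation address).
GUEST_TO_LAN = {"in-interface": "bridgeGuest Internet", "out-interface": "bridgeLAN",
                "src-address": "192.168.26.51", "dst-address": "192.168.27.8",
                "protocol": "tcp", "connection-state": "new"}
GUEST_DNS = {"in-interface": "bridgeGuest Internet", "out-interface": "pppoe-WAN1",
             "src-address": "192.168.26.51", "dst-address": "198.51.100.53",
             "protocol": "udp", "connection-state": "new"}
```

The dict keys translate one-to-one into `/ip firewall filter add chain=forward ...` options, so the HARDENED ordering can be typed into RouterOS directly.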
 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Re: Guest wireless almost working - help to finish?

Sun Mar 01, 2015 10:12 pm

Brilliant. Thanks Skillful, that worked :-)
