I have a MikroTik 951G with 2 ADSL lines using PPPoE. I am using mangle rules to mark packets on upload so that outgoing traffic is split between the two links.
Ether1 is LAN
Ether2 and 3 are the ADSL links
I have configured the wireless interface to be called wifi350 and to be part of a bridge with ether1-LAN. The bridge is called bridgeLAN and is on 192.168.27.0/24.
I have configured a VAP called wifiGuest to be part of another bridge called "bridgeGuest Internet". This bridge is on 192.168.26.0/24.
[admin@MikroTik] /interface> export
# feb/26/2015 09:38:23 by RouterOS 6.27
# software id = YLWZ-WLQA
#
/interface bridge
# Two separate L2 domains: the guest bridge (192.168.26.0/24 per /ip address) and the LAN bridge
# (192.168.27.0/24). The guest bridge name contains a space, so it must be quoted wherever it is referenced.
add name="bridgeGuest Internet"
add name=bridgeLAN
/interface ethernet
set [ find default-name=ether1 ] comment=LAN name=ether1-LAN
# WAN ports carry PPPoE; mtu=1508 leaves room for the 8 bytes of PPPoE/PPP overhead above a 1500-byte PPP payload.
set [ find default-name=ether2 ] comment="ADSL Link 1" l2mtu=1526 mtu=1508 name=ether2-WAN1
set [ find default-name=ether3 ] comment="ADSL Link 2" l2mtu=1526 mtu=1508 name=ether3-WAN2
# Unused ports are disabled rather than left live; ether5 is additionally a switch slave of ether1-LAN.
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes l2mtu=1492 master-port=ether1-LAN mtu=1492
/interface pppoe-client
# Credentials are redacted as [] in this paste. use-peer-dns=yes takes the resolver addresses the ISP hands out.
# allow=pap,chap: PAP sends the password unencrypted to the peer; prefer allow=chap alone if the ISP supports it.
add allow=pap,chap disabled=no interface=ether2-WAN1 keepalive-timeout=10 max-mru=1500 max-mtu=1500 mrru=1600 name=pppoe-WAN1 password=[] use-peer-dns=yes user=[]
add allow=pap,chap disabled=no interface=ether3-WAN2 keepalive-timeout=10 max-mru=1500 max-mtu=1500 mrru=1600 name=pppoe-WAN2 password=[] use-peer-dns=yes user=[]
/interface wireless security-profiles
# Guest and LAN use separate WPA2-PSK profiles, so the guest passphrase can be rotated without touching LAN
# clients. All pre-shared keys are redacted as []. management-protection=allowed only protects management
# frames for clients that also support it.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" wpa2-pre-shared-key=[]
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=Guest supplicant-identity="" wpa2-pre-shared-key=[]
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=LAN supplicant-identity="" wpa2-pre-shared-key=[]
/interface wireless
# Physical AP (LAN SSID) plus a virtual AP (Guest SSID) on top of it, each bound to its own security profile.
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-ht-below country="united kingdom" disabled=no frequency=2472 ht-ampdu-priorities=0,1,2,3,4,5,6,7 l2mtu=2290 mode=ap-bridge name=wifi350 security-profile=LAN ssid=wifi350
add disabled=no l2mtu=2290 mac-address=4E:5E:0C:78:A5:79 master-interface=wifi350 name=wifiGuest security-profile=Guest ssid=Guest wds-cost-range=0 wds-default-cost=0
/interface bridge port
# Only the guest VAP sits in the guest bridge; ether1-LAN and wifi350 share bridgeLAN. Traffic between the
# two bridges is routed, so it is subject to the forward chain of /ip firewall filter, not the input chain.
add bridge=bridgeLAN interface=ether1-LAN
add bridge=bridgeLAN interface=wifi350
add bridge="bridgeGuest Internet" interface=wifiGuest
/interface ovpn-server server
# Client certificates are required (good). The cipher list still offers blowfish128, a 64-bit-block cipher;
# prefer limiting it to the AES entries unless a legacy client needs Blowfish. The server port (1194/tcp)
# is opened in the input chain of /ip firewall filter.
set certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=OpenVPNprofile enabled=yes require-client-certificate=yes
[admin@MikroTik] /interface>
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
# Rules are evaluated top to bottom within each chain. input = packets addressed to the router itself;
# forward = packets routed between interfaces (LAN <-> guest <-> PPPoE links).
0 ;;; drop traffic from LAN to Guest
# NOTE(review): this rule is in chain=input, so it only sees packets sent to the router's own addresses.
# Routed LAN->guest traffic passes through forward, where rule 2 accepts it; moving this rule to
# chain=forward above rule 2 is what would make the isolation take effect.
chain=input action=drop src-address=192.168.27.0/24 dst-address=192.168.26.0/24 log=no log-prefix=""
1 ;;; Drop traffic from Guest to LAN
# NOTE(review): same issue - routed guest->LAN traffic never reaches input. In forward it is currently
# stopped only by the catch-all rule 10 (except ICMP, which rule 5 accepts).
chain=input action=drop src-address=192.168.26.0/24 dst-address=192.168.27.0/24 log=no log-prefix=""
2 ;;; LAN traffic can go anywhere
# Accepts every new connection from bridgeLAN, including connections into the guest subnet.
chain=forward action=accept in-interface=bridgeLAN log=no log-prefix=""
3 ;;; Established traffic
# Return traffic for connections already accepted elsewhere.
chain=forward action=accept connection-state=established log=no log-prefix=""
4 ;;; Related traffic
chain=forward action=accept connection-state=related log=no log-prefix=""
5 ;;; ICMP
# Unrestricted ICMP in forward (no limit=, unlike input rule 15). This is the only rule that admits new
# connections from "bridgeGuest Internet", which is why guest clients can ping Internet hosts while their
# DNS queries (UDP/TCP, not ICMP) fall through to rule 10 and are dropped.
chain=forward action=accept protocol=icmp log=no log-prefix=""
6 ;;; cam allow incoming traffic
# Rules 6, 7 and 9 accept the dst-nat'ed port forwards to the camera and HS3 hosts (see /ip firewall nat
# rules 0-2). log=yes records every accepted connection to these hosts.
chain=forward action=accept protocol=tcp dst-address=192.168.27.4 dst-port=21392 log=yes log-prefix=""
7 ;;; HS3 allow incoming traffic
chain=forward action=accept protocol=tcp dst-address=192.168.27.8 dst-port=44443 log=yes log-prefix=""
8 ;;; VPN allow incoming traffic
# OpenVPN server port, accepted from any in-interface (WAN links and both bridges).
chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix=""
9 ;;; HS3 HSTOUCH allow incoming traffic
chain=forward action=accept protocol=tcp dst-address=192.168.27.8 dst-port=44444 log=yes log-prefix=""
10 ;;; Drop the rest
# Catch-all for forward. Nothing above it accepts new guest connections to the Internet; a rule such as
# `chain=forward action=accept in-interface="bridgeGuest Internet" out-interface=all-ppp`, placed before
# this rule and after a forward-chain guest->LAN drop, would let guest DNS/web traffic out while keeping
# the LAN subnet unreachable from guests.
chain=forward action=drop log=no log-prefix=""
11 chain=output action=accept log=no log-prefix=""
12 ;;; LAN traffic can go anywhere
# LAN clients may reach any service on the router itself.
chain=input action=accept in-interface=bridgeLAN log=no log-prefix=""
13 ;;; Established traffic
chain=input action=accept connection-state=established log=no log-prefix=""
14 ;;; Related traffic
chain=input action=accept connection-state=related log=no log-prefix=""
15 ;;; ICMP
# Rate-limited ping to the router from any interface, including the WAN links.
chain=input action=accept protocol=icmp limit=5,5 log=no log-prefix=""
16 ;;; Drop the rest
# Guest clients reach nothing on the router except ICMP, established/related and 1194/tcp. If the guest
# DHCP server were ever changed to hand out 192.168.26.254 as resolver, this rule would drop those DNS
# queries too; an input accept for dst-port=53 from "bridgeGuest Internet" would then be needed.
chain=input action=drop log=no log-prefix=""
[admin@MikroTik] /ip firewall filter>
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; CAM incoming
# Rules 0-2: port forwards keyed on dst-address=[publicip] (redacted). Each PPPoE link gets its own public
# address (/ip address rules 2 and 3), so whether both addresses are covered can't be told from this paste.
# The matching forward-chain accepts are filter rules 6, 7 and 9.
chain=dstnat action=dst-nat to-addresses=192.168.27.4 protocol=tcp dst-address=[publicip] dst-port=21392 log=no log-prefix=""
1 ;;; HS3 incoming
chain=dstnat action=dst-nat to-addresses=192.168.27.8 protocol=tcp dst-address=[publicip] dst-port=44443 log=no log-prefix=""
2 ;;; HS3 HSTOUCH incoming
chain=dstnat action=dst-nat to-addresses=192.168.27.8 protocol=tcp dst-address=[publicip] dst-port=44444 log=yes log-prefix=""
3 ;;; CAM hairpin NAT
# Rules 3-4: masquerade LAN->forwarded-host traffic so replies return via the router when a LAN client
# uses the public address. Side effect: the camera/HS3 logs see the router's address, not the client's.
chain=srcnat action=masquerade src-address=192.168.27.0/24 dst-address=192.168.27.4 log=no log-prefix=""
4 ;;; HS3 hairpin NAT
chain=srcnat action=masquerade src-address=192.168.27.0/24 dst-address=192.168.27.8 log=no log-prefix=""
5 ;;; Outbound Internet Access
# LAN masquerade restricted to the PPPoE interfaces, so LAN<->guest traffic keeps real source addresses.
chain=srcnat action=masquerade src-address=192.168.27.0/24 out-interface=all-ppp log=no log-prefix=""
6 X ;;; Outbound VPN Internet Access
# Disabled. Presumably 192.168.25.0/24 is the OpenVPN client pool (not shown here); while disabled, those
# clients are not NATed to the Internet - confirm that is intended.
chain=srcnat action=masquerade src-address=192.168.25.0/24 log=no log-prefix=""
7 ;;; Outbound Guest Internet
# Guest masquerade on the PPPoE links is in place, so guest Internet access is not failing at the NAT
# stage; the forward chain of /ip firewall filter is where new guest connections are being dropped.
chain=srcnat action=masquerade src-address=192.168.26.0/24 out-interface=all-ppp log=no log-prefix=""
[admin@MikroTik] /ip firewall nat>
I also have an address on the 192.168.26.0/24 network:
[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.27.254/24 192.168.27.0 bridgeLAN
1 192.168.26.254/24 192.168.26.0 bridgeGuest Internet
2 D [publicip]/32 [ispgateway] pppoe-WAN2-624792
3 D [publicip]/32 [ispgateway] pppoe-WAN1-620284
[admin@MikroTik] /ip address>
When I connect to the guest Wi-Fi, I correctly get a DHCP address of 192.168.26.51 with a gateway of 192.168.26.254. The DNS servers are set (in the DHCP server configuration) to the ISP's DNS servers.
I find I can ping Internet addresses by IP, but DNS is not working: Windows reports "limited" access, and `ping google.co.uk` fails with "ping request could not find host".
Any pointers much appreciated!