
CAPsMAN and guestwifi, no internet on guestwifi

Posted: Tue Aug 22, 2017 12:00 am
by woodyman
Hi,

I have been browsing the internet and this forum for at least a week now but haven't been able to find out and solve my issue.

I am using an RB2011UAS-2HnD and two times mAP lite.

I configured:

DHCP client on Ethernet1 (named as WAN)
Bridge "main"
IP addresses 10.10.10.0/24
DHCP pool0 for 10.10.10.2 - 10.10.10.254
Gateway 10.10.10.1
all Lan ports mapped to Main
NAT srcnet masquerade rule created

Bridge "guest"
IP addresses 10.10.20.0/24
DHCP pool1 for 10.10.20.2 - 10.10.20.254
gateway 10.10.20.1
out interface "WAN"
NAT srcnet masquerade rule created

CAPsMan configuration1 mapped to datapath1 which is mapped to Main bridge with ssid "wifi"
CAPsman configuration2 mapped to datapath2 which is mapped to Guest bridge with ssid "wifiguests"

What is working correctly:
Internet connectivity over LAN
Internet connectivity over WLAN "wifi"
connect to WLAN "wifiguests" & get IP address

What is not working:
Connect to internet from "wifiguests"

I hope someone is able to help me out.

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Tue Aug 22, 2017 8:55 am
by karlisi
Please post export of nat rules. In similar configuration I have only one nat rule, not 2, perhaps there is something wrong.

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Tue Aug 22, 2017 10:11 am
by woodyman
Hi, I took an export of the complete firewall settings.
Everything on IP address range 10.10.10.0/24 is working fine. 10.10.20.0/24 does not have internet access.
# aug/22/2017 09:06:55 by RouterOS 6.40.1
# software id = 7YSF-D0R9
#
# model = 2011UAS-2HnD
# serial number = ***************
/ip firewall address-list
add address=10.10.10.4 list=Allow_Email
/ip firewall filter
add action=accept chain=input src-address=127.0.0.1
add action=drop chain=input comment="drop all invalid conections" \
    connection-state=invalid
add action=reject chain=output dst-port=110,995,143,993,25,465,587 log=yes \
    log-prefix=rejectports out-interface=WAN protocol=tcp reject-with=\
    icmp-network-unreachable src-address-list=!Allow_Email
add action=reject chain=forward dst-port=110,995,143,993,25,465,587 log=yes \
    log-prefix=rejectports out-interface=WAN protocol=tcp reject-with=\
    icmp-network-unreachable src-address-list=!Allow_Email
add action=accept chain=input comment="Allow all establised connections" \
    connection-state=established
add action=accept chain=input in-interface=!WAN src-address=10.10.10.0/24
add action=accept chain=input in-interface=!WAN src-address=10.10.20.0/24
add action=drop chain=input comment="Drop all" log=yes log-prefix=\
    dropallinput
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN src-address=\
    10.10.20.0/24
add action=masquerade chain=srcnat src-address=10.10.10.0/24

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Tue Aug 22, 2017 12:03 pm
by flynno
Try below rule

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN src-address=10.10.10.0/24

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Tue Aug 22, 2017 12:43 pm
by woodyman
I changed this rule but unfortunately no effect.
Still no internet on guest wifi.
I can see traffic on the bridge but it's not connecting to the internet at all.

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Tue Aug 22, 2017 2:16 pm
by flynno
Try these rules

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=masquerade chain=srcnat out-interface=main
add action=masquerade chain=srcnat out-interface=guest

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Tue Aug 22, 2017 3:55 pm
by karlisi
You need only one rule in nat chain srcnat.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
Just out of curiosity - are there any dropped connections in the output chain (rule with many email related ports)? IMHO this rule is useless.

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Tue Aug 22, 2017 4:37 pm
by woodyman
Hi Karlis,

Changing the NAT has no effect.

About the rules in the fw: if I clean the address list, my main PC is not able to send email anymore. Then I will see dropped packets.
The reason I put the rule in is that I was blocked by my internet provider because of bulk email being sent from my IP address.

br hans

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Tue Aug 22, 2017 9:59 pm
by flynno
IP > Addresses
10.10.10.1/24
10.10.20.1/24

Instead of 10.10.20.0/24 and 10.10.10.0/24

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Tue Aug 22, 2017 11:12 pm
by woodyman
This is what I have already:
/ip address
add address=10.10.10.1/24 interface=woodynet network=10.10.10.0
add address=10.10.20.1/24 interface=guests network=10.10.20.0

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Wed Aug 23, 2017 2:11 am
by flynno
Did you check your IP > Route List?

The guests route should look like:

Dst. Address 10.10.20.1/24
Gateway guests reachable
Pref. Source 10.10.20.1

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Wed Aug 23, 2017 8:54 am
by woodyman
It looks almost the same, but as 10.10.10.0/24 is working correctly I assume the 10.10.20.0/24 setting is correct as well.

Image

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Wed Aug 23, 2017 10:36 am
by karlisi
What is not working:
Connect to internet from "wifiguests"
What exactly is not working? HTTP? Ping to 8.8.8.8? Ping to the external IP of the router? Everything?

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Wed Aug 23, 2017 11:33 am
by woodyman
Hi Karlis,

Thanks for the suggestions to test.
Ping 8.8.8.8 is working fine.
Ping WAN (public) IP address is working fine.

Also, I tried to ping some other IP addresses (of commonly used websites); this is working fine as well.
As soon as I try to ping a URL, I receive an error:
"temporary failure in name resolution"

Do I need to define a DNS for my guest network?
Where do I need to do this?

br hans

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Wed Aug 23, 2017 11:40 am
by woodyman
In my DHCP I have nothing configured.
Image

I tried to put 8.8.8.8 here to test but it's not helping.

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Wed Aug 23, 2017 12:31 pm
by flynno
I had issues before with the router not picking up dns settings from ISP
Check to see if the input fields are empty or contain DNS IPs.

Go to IP > DNS

You should have DNS IP addresses in the dynamic input fields; maybe update the router to the latest bugfix if the inputs are empty.

System > Packages > Check for updates > Channel > Bugfix only

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Wed Aug 23, 2017 1:45 pm
by woodyman
Hi Flynno

This is not the issue, DNS is picked up correctly.

The 10.10.10.0/24 network is working fine.
The issue is related ONLY to the 10.10.20.0/24 network which I want to use for guests wifi access limited to internet only.

DNS:
Image
DHCP CLIENT:
Image

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Wed Aug 23, 2017 2:24 pm
by flynno
Is the master interface of the guest network set to the main in CAPsMAN? See image.

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Wed Aug 23, 2017 2:34 pm
by woodyman
Sure, that's done.
I can ping IP addresses from the guests wifi as well.

Image

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Wed Aug 23, 2017 2:59 pm
by woodyman
Looks like it is solved.

I found a message on the internet about the src-address for NAT to be 0.0.0.0/0.

This solved the issue.

Image

Re: CAPsMAN and guestwifi, no internet on guestwifi

Posted: Wed Aug 23, 2017 11:12 pm
by woodyman
All, big thanks for the tips.
It is solved now.
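
As an added example (not part of the thread and not any poster's own tooling), the Python below replays the forward-chain rules from the firewall export posted earlier against constructed guest packets, since the stated goal was guest access limited to internet only. The interface names `guests` and `woodynet` come from the `/ip address` export in the thread; the client address, destination ports and the `ISOLATE` rule are assumptions added here.

```python
import ipaddress
import re
import shlex

# Forward-chain rules and the Allow_Email list, copied from the export in this thread.
FILTER = r'''/ip firewall filter
add action=reject chain=forward dst-port=110,995,143,993,25,465,587 log=yes \
    log-prefix=rejectports out-interface=WAN protocol=tcp reject-with=\
    icmp-network-unreachable src-address-list=!Allow_Email
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
'''
LISTS = {"Allow_Email": ["10.10.10.4"]}
# Added rule, not from the thread: keep guests off every interface except WAN.
ISOLATE = "add action=drop chain=forward in-interface=guests out-interface=!WAN\n"
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "reject-with"}

def parse(export):
    """Return the 'add' lines of a /ip firewall filter export as dicts."""
    joined = re.sub(r"\\\n\s*", "", export)  # join "\" line continuations
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in joined.splitlines() if line.startswith("add ")]

def matches(rule, pkt):
    """True when every matcher in the rule agrees with the packet ("!" negates)."""
    for key, want in rule.items():
        negate, want = want.startswith("!"), want.lstrip("!")
        if key == "src-address-list":
            src = ipaddress.ip_address(pkt["src-address"])
            hit = any(src in ipaddress.ip_network(a) for a in LISTS.get(want, []))
        elif key == "dst-port":  # comma lists only, as in this export
            hit = str(pkt.get(key)) in want.split(",")
        else:  # exact match: interfaces, protocol, connection-state
            hit = pkt.get(key) == want
        if key not in NON_MATCHERS and hit == negate:
            return False
    return True

def verdict(export, pkt, chain="forward"):
    """Action of the first matching rule; RouterOS accepts if nothing matches."""
    return next((r["action"] for r in parse(export)
                 if r["chain"] == chain and matches(r, pkt)), "accept")

# Constructed packets from a guest client at 10.10.20.50.
GUEST = {"src-address": "10.10.20.50", "in-interface": "guests",
         "protocol": "tcp", "connection-state": "new"}
TO_LAN = {**GUEST, "out-interface": "woodynet", "dst-port": 445}
TO_WEB = {**GUEST, "out-interface": "WAN", "dst-port": 443}
TO_SMTP = {**GUEST, "out-interface": "WAN", "dst-port": 25}
```

With the thread's rules alone, `verdict(FILTER, TO_LAN)` returns `accept` because no forward rule matches a new guest-to-LAN connection; with `ISOLATE` appended it returns `drop`, while `TO_WEB` is still accepted and `TO_SMTP` is rejected by the existing email rule.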