
Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Oct 27, 2018 12:23 am
by anav
Hi there, using a cap AC (no capsman) but attached to a hex router via ethernet.
I have established two main wifi Radio networks, 1x5Ghz and 1x2.4Ghz with no issues.
I wanted to add a virtual AP to the AC network for Guest usage.

Everything seems fairly simple as using the capAC in the basic setup it was received in upon delivery and of course updated to the latest SW version (no vlans setup yet, and wps and wmm disabled).
Wireless Settings:
Mode - AP bridge
SSID - Guests
Master Interface - (The name of the parent AC SSID)
Security Profile - unique for guests

I applied the setup and the Virtual AP is visible when I do a scan of available networks
BUT, when I connect with the password it states "no internet connection".
Conclusion: Wifi is working tx/rcv, but unable to get to the LAN?

What am I missing?
I also added the Virtual AP to the Interface List, but that still didn't do the trick. I don't think I need to do anything on the hex router but am I missing something simple on the cap AC??
LAN - Guests (is also now added)

Perhaps I have something left to do wrt the Bridge part of the interface, but what, if it's already identified as part of the Parent 5Ghz AP??

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Oct 27, 2018 1:03 am
by xvo
If you want clients of that guest AP to be treated somehow special (limited access, limited speed, etc) you need to create a different ip configuration attached to it: address, dhcp-server and a set of firewall rules to define that special behaviour.
And since everything seems to be configured on your hex - you either need to configure vlans (that will deliver these two different ip configs from hex to desired wlan interfaces on cap), or let the cap do part of the job for guest wlan clients.

On the other hand, if you just want guests on separate AP, and that's it - all you need is to add this virtual interface to the same bridge, where all your wlan interfaces are.

Either way some ip config is needed.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Oct 28, 2018 8:14 pm
by anav
If you want clients of that guest AP to be treated somehow special (limited access, limited speed, etc) you need to create a different ip configuration attached to it: address, dhcp-server and a set of firewall rules to define that special behaviour.
And since everything seems to be configured on your hex - you either need to configure vlans (that will deliver these two different ip configs from hex to desired wlan interfaces on cap), or let the cap do part of the job for guest wlan clients.

On the other hand, if you just want guests on separate AP, and that's it - all you need is to add this virtual interface to the same bridge, where all your wlan interfaces are.

Either way some ip config is needed.
Hi xvo, I have been reading many of your replies on the forums, and just wanted to state I find them very helpful (big thanks!).
Okay I got it working without any IP configuration.
All I was missing was adding the virtual interface to the bridge BY WAY OF ASSIGNING IT A PORT

Is that what you meant by adding to the bridge??

It works fine, but what I am wondering now is if it is possible to ensure the guest users have ONLY access to the internet without using VLANs?
I suspect the answer is no and will thus finally have to bite the bullet and enter the confusing world of VLANs. I just wish there was a clear-cut method or set of steps that was coherent.
I did read someone's reply on one thread, it might have been yours, on a logical approach that simplified the mess everyone seems to come up with or suggest. :-)

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Oct 28, 2018 10:27 pm
by xvo
Hi xvo, I have been reading many of your replies on the forums, and just wanted to state I find them very helpful (big thanks!).
Always a pleasure to hear, thanks!
Okay I got it working without any IP configuration.
All I was missing was adding the virtual interface to the bridge BY WAY OF ASSIGNING IT A PORT

Is that what you meant by adding to the bridge??
Yes, that's right.
It works fine, but what I am wondering now is if it is possible to ensure the guest users have ONLY access to the internet without using VLANs?
I suspect the answer is no and will thus finally have to bite the bullet and enter the confusing world of VLANs. I just wish there was a clear-cut method or set of steps that was coherent.
I did read someone's reply on one thread, it might have been yours, on a logical approach that simplified the mess everyone seems to come up with or suggest. :-)
There are some ways to limit the access between devices on the same bridge without the use of VLANs, but they won't work in your case (or it will be too difficult to configure and manage such a config), because you use two devices, not one.
For example, you can rather easily configure some filters on the bridge on the cAP for the guest wlan to be separated from the other two wlans, but devices connected to the hEX directly will still be visible from that guest wlan. So you will need to add some filters to the hEX as well.

My point is, in your case configuring VLANs on the bridge is actually a rather simple task once you understand how to do it - less than 10 additional lines in the config on both devices :)
And more: it is easy to understand such a config, easy to maintain it, and easy to extend.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Oct 28, 2018 11:52 pm
by anav
Wonderful xvo, that is great news to hear.
What I assume is that I will need to identify/create a VLAN for the guest wifi, call it VLAN100, on the HEX.
I will have to create an address group and DHCP server for the VLAN (as I do want these devices to get a different LAN nomenclature, let's call it 192.168.100.0/24).
I will need to create the necessary pool as well.

I am not at all sure on the cap AC access point, what changes I will need to make, other than somehow link the Guest SSID, to the VLAN created on the HEX.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Mon Oct 29, 2018 12:43 am
by xvo
Wonderful xvo, that is great news to hear.
What I assume is that I will need to identify/create a VLAN for the guest wifi, call it VLAN100, on the HEX.
I will have to create an address group and DHCP server for the VLAN (as I do want these devices to get a different LAN nomenclature, let's call it 192.168.100.0/24).
I will need to create the necessary pool as well.

I am not at all sure on the cap AC access point, what changes I will need to make, other than somehow link the Guest SSID, to the VLAN created on the HEX.
To make a config even more readable and kind of symmetric, when I need to use vlans in a configuration, I prefer to have all traffic tagged with some vlan-id when inside the router, as opposed to what you are trying to describe - leaving all non-guest traffic untagged inside the bridge (or it can be called the default vlan with vlan-id=1).
But that's no big difference. I'll write you a little guide on how to make one vlan, and then it will be easy to move any other traffic into its own vlan in just the same way.

So, step by step.

On hEX:

1) You create a vlan-interface for guest users on your bridge.
2) Attach an address and dhcp server to this vlan-interface.

These two steps you've already described yourself (VLAN100 with vlan-id=100)

3) Then in /interface bridge vlan you add the port leading to the cAP and the bridge itself as tagged ports for vlan-ids=100.
That will: a) make the port leading to your cAP a trunk port for your guest vlan and b) make a connection from the vlan-interface VLAN100 (and ip config configured on it) to the vlan-id=100 configured on the bridge.

4) Enter safe mode and enable vlan-filtering on the bridge.
If everything still works - leave the safe mode, and you are finished with configuring the hEX for now.

Then proceed to cAP.
As you don't need access to the guest ip config from the cAP itself, the configuration here will be even simpler:

5) Almost the same as step (3), but you add to /interface bridge vlan as tagged port: the port leading to hEX and your virtual AP.
6) In configuration for your virtual AP you set vlan-id=100 vlan-mode=use-tag
7) Once again - safe mode and enabling vlan-filtering on the bridge.

Almost done.
Now return to your hEX, and there you need to add some rules to your firewall preventing access from VLAN100 to the rest of your LAN.
If you use the default firewall, then one rule at the bottom will be enough:
/ip firewall filter add action=drop chain=forward in-interface=VLAN100 out-interface-list=!WAN
That's all :)

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Mon Oct 29, 2018 2:27 am
by anav
Good timing, I just created about five vlans on the hex and for each:
a. identified as a unique interface/VLAN with my homebridge as the master interface (homebridge created long ago and my lan is on this interface).
b. assigned address
c. assigned DHCP and network, and
d. assigned pool

The instructions were a bit confusing. I will provide my interpretation to see if I am close:
1) When you said create vlan interface for guest users on your bridge, I assumed this meant my current bridge, on which my LAN resides.
(in other words no need to create a new bridge).

2) Next you want me to go to the BRIDGE winbox menu selection (not the interface menu selection nor interface list)? This was a bit hard to fathom, but I knew port selections were not on the interface menu but under the BRIDGE menu item.
So under the port sub menu I selected the physical port that applies for all traffic actually.

Under the general sub-tab
a. selected interface as the guest-wifi interface
b. selected bridge .. my 'homebridge'

Under the Vlan sub-tab
c. selected PVID 100.

Two things unsure: under the general sub-tab, a trusted checkbox is defaulted to unchecked and I left it that way.
Under the vlan sub-tab, I also left the defaults in place, admit all frames, and left ingress filtering and tag stacking unchecked.

Note: By the way, the ethernet cabling path in my location goes through two switches to get there, one managed but it's not set up and one un-managed. I won't fiddle with those switches until a later date, so hopefully I can just assume they will be dummy switches till then (since they let everything pass). I have two mikrotik 5 port managed switches at the ready in case I have to have better fidelity, but am trying to avoid layers of complication at this point.

There is a VLAN selection under BRIDGE but its not clear what you wanted me to do here if anything??? I ignored it.

4) Okay, I had to go back to interfaces to select HomeBridge and find the VLAN filtering box, and then realized it was quicker if I had stayed in Bridge and simply double-clicked on the Bridge itself (I was looking for it in the sub-tabs LOL).
a. selected vlan filtering in the checkbox, which opened a popup menu, and there I replaced PVID1 with PVID100

Router kicked me out (but I had safe mode selected so nothing lost).
It appears it does not like me to assign PVID 100 and checking vlan filtering here.

So kind of lost at the moment.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Mon Oct 29, 2018 11:12 am
by xvo
1) When you said create vlan interface for guest users on your bridge, I assumed this meant my current bridge, on which my LAN resides.
(in other words no need to create a new bridge).
Yes, you can use your default bridge.
2) Next you want me to go to the BRIDGE winbox menu selection (not the interface menu selection nor interface list)? This was a bit hard to fathom, but I knew port selections were not on the interface menu but under the BRIDGE menu item.
So under the port sub menu I selected the physical port that applies for all traffic actually.

Under the general sub-tab
a. selected interface as the guest-wifi interface
b. selected bridge .. my 'homebridge'
Everything done right up to this point.
Under the Vlan sub-tab
c. selected PVID 100.
Revert it back to PVID 1 (at least for now) - this setting defines what vlan tag will be added to ingress untagged frames, you don't need to change this behaviour.
Two things unsure: under the general sub-tab, a trusted checkbox is defaulted to unchecked and I left it that way.
Under the vlan sub-tab, I also left the defaults in place, admit all frames, and left ingress filtering and tag stacking unchecked.
Leave it as is for now.
Note: By the way, the ethernet cabling path in my location goes through two switches to get there, one managed but it's not set up and one un-managed. I won't fiddle with those switches until a later date, so hopefully I can just assume they will be dummy switches till then (since they let everything pass). I have two mikrotik 5 port managed switches at the ready in case I have to have better fidelity, but am trying to avoid layers of complication at this point.
Unmanaged switches ignore vlan tags so they are unlikely to spoil anything for you.
There is a VLAN selection under BRIDGE but its not clear what you wanted me to do here if anything??? I ignored it.
This is exactly the section where most of the relevant part of the config has to be done - (3) and (5) in my original post.
4) Okay, I had to go back to interfaces to select HomeBridge and find the VLAN filtering box, and then realized it was quicker if I had stayed in Bridge and simply double-clicked on the Bridge itself (I was looking for it in the sub-tabs LOL).
a. selected vlan filtering in the checkbox, which opened a popup menu, and there I replaced PVID1 with PVID100

Router kicked me out (but I had safe mode selected so nothing lost).
It appears it does not like me to assign PVID 100 and checking vlan filtering here.

So kind of lost at the moment.
Revert PVID 100 back to PVID 1 - that is why you were kicked from the device.
Just as in the port settings, it defines the default behaviour for untagged frames, so once you change it, it disrupts the whole connection between the ip config that is attached directly to the bridge and all other ports that have PVID set to the default value.
I suggest you change PVID settings for the bridge and ports only after you have guaranteed access to the device through one of the vlans.
Or you can remove one port from bridge (temporarily) and make sure you have emergency connection to your device through it.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Mon Oct 29, 2018 1:52 pm
by anav
Won't have time to work on this until later, but the Bridge VLAN tab has the following selections (talking HEX).
Bridge - assume my home bridge goes here
VLAN ID - assume pvid 100 goes here
Tagged - ?
Untagged - ?
There are two more entries but they do not look modifiable
current tagged and current untagged

Also why above does it state VLAN IDs plural?

Now in the cap AC, would it be the same?

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Mon Oct 29, 2018 4:38 pm
by xvo
Won't have time to work on this until later, but the Bridge VLAN tab has the following selections (talking HEX).
Bridge - assume my home bridge goes here
VLAN ID - assume pvid 100 goes here
Tagged - ?
Untagged - ?
There are two more entries but they do not look modifiable
current tagged and current untagged

Also why above does it state VLAN IDs plural?

Now in the cap AC, would it be the same?
That’s right.
And in my post I wrote which ports you need to configure as tagged (currently you don't need any access - untagged - ports for your guest vlan).

It’s plural because you can specify multiple vlan ids if they have the same ports to be tagged.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Tue Oct 30, 2018 1:34 am
by anav
Clear as mud right now, and thus posting a bit of my pertinent config to see where I am off the rails...
I have a single bridge, called 'homebridge'; it's active on port 2 on the router and is wired through various switches (consider them unmanaged) to all devices. Two end points are capACs where I want the vlans to go to eventually, right now showing a single VLAN, which is to go to one of the cap ACs.

HEX
/interface ethernet
set [ find default-name=ether5 ] comment=Port5 name=Bell_eth5 speed=100Mbps
set [ find default-name=ether1 ] comment=Port1 name=Eastlink_eth1 speed=\
    100Mbps
set [ find default-name=ether2 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether3 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether4 ] comment=LAN2-DMZ speed=100Mbps
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=HomeBridge \
    protocol-mode=none
/interface vlan
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
add interface=Bell_eth5 name=vlanbell vlan-id=35
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
/ip pool
add name=dhcp-HomeLAN ranges=192.168.0.33-192.168.0.254
add name=dhcp_WIFI_T&B ranges=192.168.100.5-192.168.100.50
/ip dhcp-server
add address-pool=dhcp-HomeLAN disabled=no interface=HomeBridge lease-time=1d \
    name=HoMeLAN
add address-pool=dhcp_DMZ disabled=no interface=ether4 name=DMZLAN
add address-pool=dhcp_WIFI_T&B disabled=no interface=GuestWifi_T&B_V100 name=\
    "Wifi-Guests T&B_Server"
/interface bridge port
add bridge=HomeBridge comment=defconf interface=ether2
add bridge=HomeBridge comment=defconf interface=ether3
/interface bridge vlan
add bridge=HomeBridge tagged=ether2 vlan-ids=100
/interface list member
add comment=defconf interface=HomeBridge list=LAN
add comment=defconf interface=Eastlink_eth1 list=WAN
add interface=vlanbell list=WAN
add interface=ether4 list=LAN
/ip address
add address=192.168.0.1/24 interface=HomeBridge network=192.168.0.0
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0
add address=192.168.100.0/24 interface=GuestWifi_T&B_V100 network=\
    192.168.100.0

cAP AC
...
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
/interface bridge
add admin-mac=C\ auto-mac=no comment=defconf name=bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
    dynamic-keys name=Guests_T&B supplicant-identity="" wpa2-pre-shared-key=\
/interface wireless
/interface vlan
add interface=Basement_Guests name=Guests_T&B_VLAN vlan-id=100
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=DevicesAP
add bridge=bridge comment=defconf interface=Basement_WIFI
add bridge=bridge interface=Basement_Guests pvid=100
/interface bridge vlan
add bridge=bridge tagged=Guests_T&B_VLAN vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=Basement_WIFI list=LAN
add interface=DevicesAP list=LAN
add interface=Basement_Guests list=LAN
/interface wireless access-list
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    bridge
/system clock
set time-zone-name=America/Halifax
/system logging
add topics=wireless,debug

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Tue Oct 30, 2018 12:29 pm
by xvo
1) On HEX this line:
/interface bridge vlan
add bridge=HomeBridge tagged=ether2 vlan-ids=100
must include the bridge itself:
/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge,ether2 vlan-ids=100

On cAP AC it is really a little messy :)
2) This:
/interface vlan
add interface=Basement_Guests name=Guests_T&B_VLAN vlan-id=100
has to be configured on top of the bridge:
/interface vlan
add interface=bridge name=Guests_T&B_VLAN vlan-id=100

3) No pvid needed here:
/interface bridge port
add bridge=bridge interface=Basement_Guests pvid=100


4) Just like on the hEX, this:
/interface bridge vlan
add bridge=bridge tagged=Guests_T&B_VLAN vlan-ids=100
has to be like this:
/interface bridge vlan
add bridge=bridge tagged=bridge,Basement_Guests vlan-ids=100

5) And you need to add to wireless settings for Basement_Guests:
vlan-mode=use-tag vlan-id=100

And maybe you'll also need to adjust your interface lists on cAP if you use them somewhere: you still have ether1 as WAN left from default config.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Wed Oct 31, 2018 3:43 am
by anav
All changes implemented and ready to test it shortly.
In terms of the cap AC setup. Let me recap.
a. it's in ap bridge mode and not router mode, so not sure why the default config has ether1 in WAN mode.
b. ether1 is active and is physically attached to the network, strangely the cap AC seems to be happily acting as an access point in this configuration.
c. ether2 is not active and not connected so I should probably disable it (x it off, or grey it out).

However, since it's working fine I am loath to change ether1 from WAN to the more accurate LAN interface designation.
Ideas??

Since my firewall rules are drop all else and I don't implicitly allow VLAN to LAN traffic, does this mean that such cross-LAN attempts would be blocked?
(Would the router attempt to route between the VLAN and the LAN?) All the traffic is on the hex bridge and on the same physical port into/out of the hex?
At some point will the router try to route a 192.168.100.X device that is looking for a 192.168.0.x device???

Do I have to create a masquerade rule for VLAN traffic?
Do I have to create a route for VLAN traffic?

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Wed Oct 31, 2018 12:02 pm
by xvo
All changes implemented and ready to test it shortly.
In terms of the cap AC setup. Let me recap.
a. it's in ap bridge mode and not router mode, so not sure why the default config has ether1 in WAN mode.
b. ether1 is active and is physically attached to the network, strangely the cap AC seems to be happily acting as an access point in this configuration.
c. ether2 is not active and not connected so I should probably disable it (x it off, or grey it out).

However, since it's working fine I am loath to change ether1 from WAN to the more accurate LAN interface designation.
Ideas??
"ap bridge" is a mode for wireless radio, it has nothing to do with the overall config of the router.

The type of config that you need to have on a cAP:
1) one bridge with all ports in it
2) no nat, firewall, dhcp-server, etc.
3) dhcp-client on the bridge
4) guest vlan configured on the bridge
5) two wireless interfaces configured
6) additional virtual wireless interface to participate in guest vlan
And that's pretty much all you need.
Which way to get there - from blank, from one of quickset presets (WISP AP in bridge mode should be the closest) or from what you have now - is up to you.
I always prefer to start from blank.

Since my firewall rules are drop all else and I don't implicitly allow VLAN to LAN traffic, does this mean that such cross-LAN attempts would be blocked?
(Would the router attempt to route between the VLAN and the LAN?) All the traffic is on the hex bridge and on the same physical port into/out of the hex?
At some point will the router try to route a 192.168.100.X device that is looking for a 192.168.0.x device???

Do I have to create a masquerade rule for VLAN traffic?
Do I have to create a route for VLAN traffic?
We are talking about the firewall on hEX, right?
It will try to route between LAN and guest VLAN by default.
But I suggest you move step by step.
First you make sure that your guest vlan is configured properly, and you can reach both the internet and the rest of your LAN from it.
And only then you proceed to the firewall to make some restrictions.

Your masquerade rule has to be universal, so that it will apply both to traffic from LAN and from the guest VLAN:
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
And as both the LAN and guest VLAN networks are directly connected to the router, no additional routes are needed.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Wed Oct 31, 2018 2:05 pm
by anav
Okay, all setup as I think it should be BUT no internet.
After perusing below it seems that, if I had to guess, the issue could be the fact that
I have a virtual AP: Basement Guests and I have
an associated VLAN: Guests_T&B_VLAN

I might have mixed up some nomenclature somewhere. I note on the hex I use the name: GuestWifi_T&B_V100

HEX Take 2
/interface ethernet
set [ find default-name=ether5 ] comment=Port5 name=Bell_eth5 speed=100Mbps
set [ find default-name=ether1 ] comment=Port1 name=Eastlink_eth1 speed=\
    100Mbps
set [ find default-name=ether2 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether4 ] comment=LAN2-DMZ speed=100Mbps
/interface bridge
add admin-mac=auto-mac=no comment=defconf name=HomeBridge \
    protocol-mode=none
/interface vlan
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
add interface=Bell_eth5 name=vlanbell vlan-id=35
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp-HomeLAN ranges=192.168.0.33-192.168.0.254
add name=dhcp_DMZ ranges=192.168.2.2-192.168.2.100
add name=dhcp_WIFI_T&B ranges=192.168.100.5-192.168.100.50
/ip dhcp-server
add address-pool=dhcp-HomeLAN disabled=no interface=HomeBridge lease-time=1d \
    name=HoMeLAN
add address-pool=dhcp_DMZ disabled=no interface=ether4 name=DMZLAN
add address-pool=dhcp_WIFI_T&B disabled=no interface=GuestWifi_T&B_V100 name=\
    "Wifi-Guests T&B_Server"
/interface bridge port
add bridge=HomeBridge comment=defconf interface=ether2
add bridge=HomeBridge comment=defconf interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set allow-fast-path=no icmp-rate-limit=100 rp-filter=loose
/interface bridge vlan
add bridge=HomeBridge tagged=ether2,HomeBridge vlan-ids=100
/interface list member
add comment=defconf interface=HomeBridge list=LAN
add comment=defconf interface=Eastlink_eth1 list=WAN
add interface=vlanbell list=WAN
add interface=ether4 list=LAN
/ip address
add address=192.168.0.1/24 interface=HomeBridge network=192.168.0.0
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0
add address=192.168.100.0/24 interface=GuestWifi_T&B_V100 network=\
    192.168.100.0
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "Drop invalid/malformed packets" connection-state=invalid \
    log-prefix=INVALID
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
    HomeBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN \
    src-address=192.168.0.0/24
add action=accept chain=forward comment="ENABLE DMZ to WAN" in-interface=\
    ether4 log=yes log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=\
    WAN src-address=192.168.2.0/24
add action=drop chain=forward comment=\
    "DROP ALL other  FORWARD traffic" log=yes log-prefix=\
    "FORWARD DROP ALL"
And now the cap AC Take 2
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] disabled=yes speed=100Mbps
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=Guests_T&B_VLAN vlan-id=100
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=canada disabled=no distance=indoors frequency=\
    auto mode=ap-bridge name=Basement_WIFI security-profile=BasementLogin \
    ssid=TT_B wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan1 ] disabled=no distance=indoors frequency=2462 \
    mode=ap-bridge name=DevicesAP security-profile=RemoteDevicesBasement \
    ssid=RD1 wireless-protocol=802.11 wps-mode=disabled
add disabled=no mac-address= master-interface=Basement_WIFI \
    name=Basement_Guests security-profile=Guests_T&B ssid=Guests_T&B vlan-id=\
    100 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=DevicesAP
add bridge=bridge comment=defconf interface=Basement_WIFI
add bridge=bridge interface=Basement_Guests
/interface bridge vlan
add bridge=bridge tagged=Guests_T&B_VLAN,bridge vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=Basement_WIFI list=LAN
add interface=DevicesAP list=LAN
add interface=Basement_Guests list=LAN

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    bridge

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Wed Oct 31, 2018 4:52 pm
by xvo
On hEX you forgot to allow traffic from Guest.... to WAN

On cAP, that:
/interface bridge vlan
add bridge=bridge tagged=Guests_T&B_VLAN,bridge vlan-ids=100

has to be this:
/interface bridge vlan
add bridge=bridge tagged=Guests_T&B_VLAN,Basement_Guests vlan-ids=100

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Wed Oct 31, 2018 6:12 pm
by anav
Hi xvo,
I hope you can understand my confusion on your last post as in an earlier post you stated for the cap AC
that instead of this:
/interface bridge vlan
add bridge=bridge tagged=Guests_T&B_VLAN vlan-ids=100

I should have this:
/interface bridge vlan
add bridge=bridge tagged=bridge,Basement_Guests vlan-ids=100

In your latest post, you are suggesting its still not correct and it needs modifying to this:
/interface bridge vlan
add bridge=bridge tagged=Guests_T&B_VLAN,Basement_Guests vlan-ids=100

(in effect stating it wasn't the bridge that needed adding in the tagged selection but the virtual AP interface and VLAN that need to be tagged.)

Which begs the question on the
/interface bridge vlan,
what needs to be identified as tagged.

a. bridge? (cap AC default bridge)
b. Basement_Guests (the virtual AP created from the parent WIFI interface )
c. Guest_T&B_VLAN (the vlan interface running off the virtual AP, Basement Guests).


So basically I also need a specific forward rule for VLAN to WAN?
In other words, when the 192.168.100.x traffic reaches the router it is not forwarded to the internet because it's being dropped?
Can I safely assume that the same occurs if the 192.168.100.x traffic is requesting/heading towards 192.168.0.X destinations?
or do I have to explicitly state
Traffic from VLAN, to LAN drop?

I should add that I have not used vlan filtering anywhere in the config?

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Wed Oct 31, 2018 6:34 pm
by xvo
After a couple of days with just another similar topic I started to mix things up :)))

The correct setting for cAP will be:
/interface bridge vlan
add bridge=bridge tagged=ether1,Basement_Guests vlan-ids=100
You are right about firewall rules - need one rule to allow from Guest to WAN.
From Guest to LAN and DMZ will be dropped by the last rule.

However, you also need to set up a proper input chain - as for now you are not limiting access to your router at all.

And another moment about firewall - you also can use in-interface or in-interface-list instead of src-address for your rules.
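The whole procedure xvo lays out step by step above, with the bridge vlan lines as finally corrected in the later replies, gathered into one place as an added example (not a config posted by anyone in this thread). It reuses the interface names from anav's exports (HomeBridge, ether2 and GuestWifi_T&B_V100 on the hEX; bridge, ether1, Basement_WIFI and Basement_Guests on the cAP), assumes 192.168.100.1 as the router's own address in the guest subnet (a host address, not the .0 network address) and assumes the WAN interface list and the Guests_T&B security profile already exist.

```routeros
# ---------- hEX (router) ----------
# Guest VLAN 100 is terminated on the existing bridge; ether2 is the trunk
# towards the cAP. Do this inside safe mode (Ctrl-X in the terminal) so a
# mistake that cuts you off is rolled back automatically.
/interface vlan
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
/ip address
# the router needs a host address (.1) here, not the .0 network address
add address=192.168.100.1/24 interface=GuestWifi_T&B_V100
/ip pool
add name=dhcp_WIFI_T&B ranges=192.168.100.5-192.168.100.50
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1
/ip dhcp-server
add address-pool=dhcp_WIFI_T&B interface=GuestWifi_T&B_V100 disabled=no \
    name="Wifi-Guests T&B_Server"
/interface bridge vlan
# tagged on the trunk to the cAP AND on the bridge itself, so that the
# GuestWifi_T&B_V100 interface (and the IP config on it) sees VLAN 100
add bridge=HomeBridge tagged=HomeBridge,ether2 vlan-ids=100
/ip firewall filter
# order matters: these two rules belong after the default established/related
# accept rules and above the final "drop all other forward traffic" rule
# (use place-before= or drag them in WinBox). in-interface is matched instead
# of src-address, as suggested in the thread.
add chain=forward action=accept in-interface=GuestWifi_T&B_V100 \
    out-interface-list=WAN comment="Guest VLAN to WAN"
add chain=forward action=drop in-interface=GuestWifi_T&B_V100 \
    comment="Guest VLAN to LAN/DMZ"
/interface bridge
# last step, still in safe mode: turn the vlan table on
set HomeBridge vlan-filtering=yes

# ---------- cAP AC (access point) ----------
# No IP config in the guest VLAN on this side, so the bridge itself is NOT a
# tagged member; management stays on untagged VLAN 1 via the dhcp-client.
/interface wireless
# virtual AP on the 5 GHz radio; the wireless interface tags guest frames
# itself (vlan-mode=use-tag), so the bridge port keeps the default pvid=1
add master-interface=Basement_WIFI name=Basement_Guests ssid=Guests_T&B \
    security-profile=Guests_T&B vlan-mode=use-tag vlan-id=100 disabled=no
/interface bridge port
add bridge=bridge interface=Basement_Guests
/interface bridge vlan
# ether1 is the trunk back to the hEX
add bridge=bridge tagged=ether1,Basement_Guests vlan-ids=100
/interface bridge
set bridge vlan-filtering=yes
```

Before enabling vlan-filtering on either device, the quick check is that the guest client still gets a 192.168.100.x lease and reaches the internet; if it does not, leaving safe mode unconfirmed reverts everything.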

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Wed Oct 31, 2018 6:43 pm
by anav
No worries, I only showed the forward rules for sake of brevity. I have many input rules. :-)

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Wed Oct 31, 2018 10:29 pm
by anav
Hi xvo,
In my current forward rules I probably go overboard as I have
source address (192.168.0.0/24)
In-Interface: HomeBridge
Out-Interface List: WAN

But I do that to distinguish which address source on the home bridge I am delineating.

Thus my intention for the VLAN to WAN allow forward chain is the following
source address VLANIP: (192.168.100.0/24)
In-Interface: HomeBridge
Out-Interface List: WAN.

It seems you are recommending
source address, leave blank
In-interface: GuestWifi_T&B_V100
Out-Interface list: WAN

I think both accomplish the same thing but which is better?

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Wed Oct 31, 2018 11:40 pm
by xvo
Hi.

They do the same thing indeed, and there is almost no scenario in which they would act differently.
However, the approach I suggest has one less condition to check - so less load on the CPU.
And since checking in/out-interface(-list) is the least CPU-intensive of all checks (except maybe connection-state), I always prefer it over dst/src-address(-list) when the logic allows it.
Not that there is a huge difference for home use :)

Aside from firewall, have you got everything else running as it supposed to?
Or still something stays in the way?

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Thu Nov 01, 2018 3:33 am
by anav
Still no joy. :-(

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Thu Nov 01, 2018 10:38 am
by xvo
Just another suggestion: test with cAP attached directly to hEX (with no switches in between) - there's still a tiny chance, that they can mess with the process.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Fri Nov 02, 2018 2:56 am
by anav
Hi xvo, thanks for your patience. I do have a way of connecting the cap directly to the router via ethernet cable but 'tis a bit difficult and I will keep it in mind as a last resort.
The two switches in the way are a managed switch, a DLINK DGS-1100-24 with no settings (default), and close to the cap AC a 16 port unmanaged zyxel switch.
I just reviewed the dlink settings and there is nothing on it that should prevent all traffic from flowing.

General settings
Ports - default
Jumbo State - disabled
Clock settings - correct
Port based VLAN - disabled
Management VLAN: Vid 1, State: disabled
Asymmetric VLAN State: disabled
Auto Video VLAN: disabled
Voice VLAN: disabled

Vlan settings 802.1q
VID: 1
Name: VLAN001
Tagged Member Ports: blank (nil entries)
Untagged Member Ports: eth01-eth24
VLAN Type: blank (nil entry)

VLAN Interface Table
Ports: eth1-eth24, Vlan Type: Hybrid, Ingress checking: enabled, Acceptable Frame Type: Admit ALL

OKAY THIS POST I am using to TALK my way through the setup, so perhaps you can pick out where I have gone wrong from the following ;conversational approach:

Hex.
Bridge Name = "HomeBridge"
Port Eth2 is associated with the HomeBridge and is the port that goes to the Dlink Switch and to all locations.
HomeLAN (my wired LAN) is also on the HomeBridge
I created a VLAN (Vid=100) with name "GuestWifi_T&B_V100" with interface being the HomeBridge.
I created a dhcp pool for the VLAN
I created an address list for the VLAN (linked to the above vlan interface)
I created a DHCP Server for the VLAN (linked to the above vlan interface, and linked to the dhcp pool above)
I created a DHCP Network for the VLAN *****
**** There is no obvious link to the interface in the Network settings?? I did put in
- Network of 192.168.100.0/24
- Gateway IP of 192.168.100.1
- DNS Server IP of 192.168.100.1

Under IP Routes, the applicable VLAN Line entry show: DAC - the VLAN Interface with distance 0 and states is reachable.

For the INTERFACE MENU, when selecting the actual Bridge Entry in the Table area, and its VLAN Tab, the selection of VLAN filtering is NOT checked.
For the BRIDGE MENU, under the VLAN TAB, the HomeBridge is selected for bridge, and tagged elements include the HomeBridge and Ether2.

Lastly for FW rules. I have Forward DROP ALL ELSE rule in place as last rule and thus created a VLAN to WAN accept rule
source address 192.168.100.0/24
In-interface: VLAN-interface
Out-Interface-List: WAN

On the Cap AC
I ensured that the VLAN interface I created now has the same name.
The cap AC is running in default mode (like an AP I suppose).
Eth 1 is WAN and is connected physically to the unmanaged zyxel 16 port switch.
Eth 2 is not used.

The Cap AC has a bridge with default name: Bridge


I have two existing WIFI networks as there are two radios
There is a 2G network called DevicesAP and a 5AC network called Basement_WIFI
I created a Virtual AP called Basement_Guests off of the 5AC network.

For Bridge port interface purposes
eth1 connected to WAN is port 0 (designated port)
I put 2GHZ network on port 2 (designated port)
I put 5AC network on port 3 (designated port)
I put Virtual AP on port 4 (disabled port) ??????

On the Interface list, under LAN I have both wifi networks, the Virtual AP and the VLAN BUT NO BRIDGE *****,
WAN is ether 1.
***** This is different from the Hex where the entries for my LAN are only HomeBridge (and eth4 which connects to my DMZ lan), and under WAN my two ISPs.
The error could be here??
I am thinking that the proper entry here for LAN Interface on the capAC should be BRIDGE only ????


For the INTERFACE MENU, when selecting the actual Bridge Entry in the Table area, and its VLAN Tab, the selection of VLAN filtering is NOT checked.
For the BRIDGE MENU, under the VLAN TAB, the "Bridge" is selected for bridge, and tagged elements include the Basement_Guests and Ether1. ###

### Tagged ports is slightly different from the Hex, ether2 is the physical ethernet port for the hex and ether1 for the cap AC so that is consistent, however, on the hex we have identified the bridge but on the capAC we have identified the Virtual Access Point (and not the bridge)???????????

Address List: The only address list showing on the cap AC is the HomeLAN 192.168.0.1 list. Perhaps because the capAC is assigned a LANIP from the hex that this shows up. I do not remember assigning a list but if there was a default 192.168.88.X list I probably replaced with the Homelan list.

No DHCP networks or servers identified, no dhcp pools, no FW rules.

Under IP routes I see:
DAS 0.0.0.0/0 192.168.0.1 reachable
DAC 192.168.0.1 bridge reachable preferred source 192.168.0.xx (lanip of the bridge)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If nothing of the above warrants concern or change and you would like to see the config again let me know.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Fri Nov 02, 2018 10:17 am
by xvo
I see no structural flaws: so the last thing left to do is to enable vlan filtering for bridges on both devices.

Answers to your questions:
1) I suggested to connect cAP to hEX directly only temporarily - to debug their config and get them running 100% as they should, and only then to deal with any potential problems caused by the environment.
2) Addition of interfaces to the interface lists on cAP doesn't make much of a difference: as you have all ports on it added to the same bridge, there are actually no WAN or LAN interfaces - they are all LAN. These lists are mostly used in the firewall (which you don't need on a cAP) and to define the ports from which you can access winbox etc.
To make this part consistent with the overall config you can remove all ports from the WAN list and add all ports to the LAN list, but again - it won't make any difference in the behaviour with the current config.
3) Concerning the difference of tagged ports listed under /interface bridge vlan on two devices: on hEX your vlan connects the guest ip config hosted on vlan interface to the trunk port, on cAP your vlan connects trunk port to the guest AP, so the whole system connects guest ip config to the guest ap - exactly as it should. That explains the difference.
The absence of bridge among tagged ports on cAP (together with absence of vlan interface) can also be explained by the fact, that you don't really need the cAP itself to have any ip address inside guest vlan.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Fri Nov 02, 2018 1:51 pm
by anav
Okay I will try the VLAN filtering.
Not sure what function this does but the last time we tried it at least on the hex, in safe mode, it didn't like it LOL.

On the Bridge Vlan checkbox after selecting VLAN filtering, there is only one option to enter a VLAN,
Right now it defaults to PVID1
Should I enter PVID100? and if so what happens when I add other VLANs??

Do I keep Admit ALL for Frame Types?
Do I check off ingress filtering or leave it unchecked?

(same for both units?)

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Fri Nov 02, 2018 1:59 pm
by xvo
Checking this checkbox enables the whole vlan configuration :)))
Without it all vlan config is simply ignored, and the bridge works just like before you started :)
Don't change PVID and anything else, only check the checkbox.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Fri Nov 02, 2018 2:17 pm
by anav
Done, and still not working.
Something is preventing the devices using the virtual AP from a. getting dhcp assigned and b. no internet.
I wonder if because I am connected to homelan on my smart phone, when I try to connect to the vlan, the smartphone isn't able to switch IP structures (unlikely).
So what do you recommend I setup on the managed switch then?

PORT that comes from the HEX?
PORT that goes to the zyxel Unmanaged Switch.

If you don't see any errors on my actual config, the discussion config, then we can assume that it's not the hex or capAC and thus it has to be the switch LOL.
Yes, I know try it direct............ I will do this some time today but I also want to start thinking about the managed switch setup.

Is there any log setup on the hex or capAC I can set up to try and figure out where the blockage is occurring? "packet sniffer"?

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Fri Nov 02, 2018 2:26 pm
by xvo
The checkbox is checked on both devices?
Then let's wait until you connect them directly to eliminate all external influence.
If it doesn't help, then post both configs again: maybe there's something else that I missed.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Fri Nov 02, 2018 3:10 pm
by anav
Yes both checked in safe mode and nothing bad happened so safe mode is off.
Operations direct connect commences today. Actually I have a spare (second ethernet cable, diverted from an unused location box, before the basement was recently finished, so I have a direct line to the patch panel going to the basement. I will plug that directly into the POE device for the capAC and directly at the other end into physical port 3 on the Hex.

Port 3 is also homelan
Port 3 is also on the bridge
However, it looks like on the hex I will have to modify the BRIDGE VLAN menu to also tag this port??? ( so it will be homebridge, ether2 and ether3)

By the way, there is now a second entry on the Bridge VLAN menu and it starts with a D. (I didn't put it there, one of those magical mikrotik made-it miracles LOL)
There is the HOMEBRIDGE ENTRY where I entered the tags and below that as follows:
D - HomeBridge - (vlanid) 1 - (current tagged) blank - (current untagged) HomeBridge, ether2

Now ether3 my second LAN port on the hex is showing as a disabled port (role). I cannot find anywhere where to enable it? I am assuming it's simply showing disabled due to not being connected to any devices and thus not "live". However it seems to be preventing it from being displayed on the tagged list on the Bridge VLAN menu as well as on that second entry. Normal?
(its (ether3) also showing as italic text, vice straight up and down as normal text)

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Fri Nov 02, 2018 3:46 pm
by xvo
Yes both checked in safe mode and nothing bad happened so safe mode is off.
Operations direct connect commences today. Actually I have a spare (second ethernet cable, diverted from an unused location box, before the basement was recently finished, so I have a direct line to the patch panel going to the basement. I will plug that directly into the POE device for the capAC and directly at the other end into physical port 3 on the Hex.

Port 3 is also homelan
Port 3 is also on the bridge
However, it looks like on the hex I will have to modify the BRIDGE VLAN menu to also tag this port??? ( so it will be homebridge, ether2 and ether3)
If you use ether3 to connect directly to cAP, that's right - you need to set it as tagged as well.
By the way, there is now a second entry on the Bridge VLAN menu and it starts with a D. ( I didnt put it there, one of those magical mikrotik made it miracles LOL)
There is the HOMEBRIDGE ENTRY where I entered the tags and below that as follows:
D - HomeBridge - (vlanid) 1 - (current tagged) blank - (current untagged) HomeBridge, ether2
That is right - it is the default vlan with PVID=1 on which the rest of your LAN continues to run.
Nothing unexpected here.
Now ether3 my second LAN port on the hex is showing as a disabled port (role). I cannot find anywhere where to enable it? I am assuming it's simply showing disabled due to not being connected to any devices and thus not "live". However it seems to be preventing it from being displayed on the tagged list on the Bridge VLAN menu as well as on that second entry. Normal?
(its (ether3) also showing as italic text, vice straight up and down as normal text)
Nothing wrong here either.
Just plug anything in it, and it will also emerge as untagged for vlan 1 (of course if you haven't already changed it to be the part of a guest vlan).

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Nov 03, 2018 5:11 pm
by anav
My backup ethernet cable is showing nothing but shorts so I suspect it was damaged in renovations.
Thus I used the current cable (from Dlink Switch to Zyxel Switch) plugged it directly into the capAC POE device at one end and directly plugged it into ether 3 of the Hex at the other end.
Same result no internet for the VLAN. :-( :-(
I did ensure that the Two WIFI networks worked from the cap AC in this configuration.
Only the Virtual AP running on the VLAN didn't work.
I want it to be clear that the Virtual AP worked fine without a VLAN in place.
I am posting the latest config for you to have a look at.
( I tried sniffing vlan traffic using packet sniffer on both hex and capAC and got zero hits not even a quark byte.)

HEX
# model = RouterBOARD 750G r3
/interface ethernet
set [ find default-name=ether5 ] comment=Port5 name=Bell_eth5 speed=100Mbps
set [ find default-name=ether1 ] comment=Port1 name=Eastlink_eth1 speed=\
    100Mbps
set [ find default-name=ether2 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether3 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether4 ] comment=LAN2-DMZ speed=100Mbps
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=HomeBridge \
    protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
add interface=Bell_eth5 name=vlanbell vlan-id=35
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp-HomeLAN ranges=192.168.0.33-192.168.0.254
add name=dhcp_DMZ ranges=192.168.2.2-192.168.2.100
add name=dhcp_WIFI_T&B ranges=192.168.100.5-192.168.100.50
/ip dhcp-server
add address-pool=dhcp-HomeLAN disabled=no interface=HomeBridge lease-time=1d \
    name=HoMeLAN
add address-pool=dhcp_DMZ disabled=no interface=ether4 lease-time=1d name=\
    DMZLAN
add address-pool=dhcp_WIFI_T&B disabled=no interface=GuestWifi_T&B_V100 \
    lease-time=1d name="Wifi-Guests T&B_Server"
/interface bridge port
add bridge=HomeBridge comment=defconf interface=ether2
add bridge=HomeBridge comment=defconf interface=ether3
/ip settings
set allow-fast-path=no icmp-rate-limit=100 rp-filter=loose
/interface bridge vlan
add bridge=HomeBridge tagged=ether2,HomeBridge,ether3 vlan-ids=100
/interface list member
add comment=defconf interface=HomeBridge list=LAN
add comment=defconf interface=Eastlink_eth1 list=WAN
add interface=vlanbell list=WAN
add interface=ether4 list=LAN
add interface=ether3 list=LAN
/ip address
add address=192.168.0.1/24 interface=HomeBridge network=192.168.0.0
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0
add address=192.168.100.0/24 interface=GuestWifi_T&B_V100 network=\
    192.168.100.0
/ip dhcp-server network
add address=192.168.0.0/24 comment=HomeLAN_Network dns-server=192.168.0.1 \
    gateway=192.168.0.1
add address=192.168.2.0/24 comment=DMZLan_Network dns-server=192.168.2.1 \
    gateway=192.168.2.1
add address=192.168.100.0/24 comment=Guests_T&B dns-server=192.168.100.1 \
    gateway=192.168.100.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="DROP ALL ELSE" log-prefix=\
    "INPUT DROP ALL"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
    HomeBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN \
    src-address=192.168.0.0/24
add action=accept chain=forward comment="ENABLE DMZ to WAN" in-interface=\
    ether4 log=yes log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=\
    WAN src-address=192.168.2.0/24
add action=accept chain=forward comment="ENABLE VLAN100 to WAN" in-interface=\
    GuestWifi_T&B_V100 log=yes log-prefix="ALLOWED GuestVLAN TRAFFIC" \
    out-interface-list=WAN src-address=192.168.100.0/24
add action=accept chain=forward comment=\
    "Allow Port Forwarding -  DSTNAT" connection-nat-state=dstnat
add action=accept chain=forward comment=Admin_for_Septic dst-address=\
    192.168.2.0/24 in-interface=HomeBridge src-address=192.168.0.xx
add action=drop chain=forward comment=\
    "DROP ALL other  FORWARD traffic" log=yes log-prefix=\
    "FORWARD DROP ALL"
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN Users" \
    ipsec-policy=out,none out-interface=Eastlink_eth1
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN USERS" \
    out-interface=vlanbell
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
    tcp
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
    udp
CapAC
# model = RouterBOARD cAP Gi-5acD2nD
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] disabled=yes speed=100Mbps
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=GuestWifi_T&B_V100 vlan-id=100
/interface list
add name=WAN
add name=LAN
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=canada disabled=no distance=indoors frequency=\
    auto mode=ap-bridge name=Basement_WIFI security-profile=BasementLogin \
    ssid=TT_B wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan1 ] disabled=no distance=indoors frequency=2462 \
    mode=ap-bridge name=DevicesAP security-profile=RemoteDevicesBasement \
    ssid=RD1 wireless-protocol=802.11 wps-mode=disabled
add disabled=no mac-address=master-interface=Basement_WIFI \
    name=Basement_Guests security-profile=Guests_T&B ssid=Guests_T&B vlan-id=\
    100 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=DevicesAP [my 2.4ghz network]
add bridge=bridge comment=defconf interface=Basement_WIFI [my 5ghz network]
add bridge=bridge interface=Basement_Guests [my virtual AP]
/interface bridge vlan
add bridge=bridge tagged=Basement_Guests,ether1 vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=Basement_WIFI list=LAN
add interface=DevicesAP list=LAN
add interface=Basement_Guests list=LAN
add interface=GuestWifi_T&B_V100 list=LAN
/interface wireless access-list
add mac-address=
add mac-address=
add interface=DevicesAP mac-address= vlan-mode=no-tag
What other information can I provide from both devices or packet sniffer tests etc, that I can run that can assist in troubleshooting??

Re: Adding Virtual AP to cAP AC -Missing a Step?  [SOLVED]

Posted: Sat Nov 03, 2018 5:54 pm
by xvo
Found this:

/ip address
add address=192.168.0.1/24 interface=HomeBridge network=192.168.0.0
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0
add address=192.168.100.0/24 interface=GuestWifi_T&B_V100 network=\
192.168.100.0


Unless it's a typo in the post, looks like a reason to me :)
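
The following is an added example and not something posted in this thread: a small Python linter that applies to a RouterOS export two of the checks xvo made by eye. Check 1 flags an /ip address whose host part is the network (or broadcast) address, which is the typo found above. Checks 2 and 3 encode the earlier explanation of /interface bridge vlan: every member named there must really be a port of that bridge, and an /interface vlan that lives on a vlan-filtering bridge only receives frames if the bridge itself is a tagged member of that VLAN (the hEX case), whereas on the cAP, which needs no address in the guest VLAN, the missing bridge entry is reported only as a warning. The two export excerpts are constructed from the configs posted above and cut down to the relevant sections; the parser is a best-effort reading of the /export format as it appears on this page, not a MikroTik tool.

```python
import ipaddress
import re
from collections import defaultdict


def parse_export(text):
    """Parse RouterOS '/export' text into {section: [entry, ...]}.
    A line ending in '\\' continues on the next, indented line; every
    'add'/'set' line becomes a dict of its key=value pairs."""
    sections, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):           # continuation: glue the next line on
            buf = line[:-1]
            continue
        buf = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
        elif section and line.split()[0] in ("add", "set"):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)
            sections[section].append({k: v.strip('"') for k, v in pairs})
    return sections


def expand_vlan_ids(spec):
    """'100,200-202' -> {100, 200, 201, 202}"""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def lint(export_text):
    """Return a list of findings; an empty list means nothing suspicious."""
    cfg, findings = parse_export(export_text), []

    # 1. /ip address whose host part is the network or broadcast address:
    #    the router then owns no usable host address on that subnet.
    for e in cfg["/ip address"]:
        iface = ipaddress.ip_interface(e["address"])
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"/ip address {e['address']} on {e['interface']}: "
                            "host part is the network/broadcast address")

    # 2. every member named in /interface bridge vlan must be a port of that
    #    bridge; the bridge itself is allowed (it is the CPU-facing port).
    ports = defaultdict(set)
    for p in cfg["/interface bridge port"]:
        ports[p["bridge"]].add(p["interface"])
    tagged = defaultdict(lambda: defaultdict(set))   # bridge -> vid -> members
    for v in cfg["/interface bridge vlan"]:
        tag = [m for m in v.get("tagged", "").split(",") if m]
        untag = [m for m in v.get("untagged", "").split(",") if m]
        for vid in expand_vlan_ids(v["vlan-ids"]):
            for m in tag + untag:
                if m != v["bridge"] and m not in ports[v["bridge"]]:
                    findings.append(f"/interface bridge vlan {v['bridge']} vid {vid}: "
                                    f"{m} is not a port of {v['bridge']}")
            tagged[v["bridge"]][vid].update(tag)

    # 3. an /interface vlan on a vlan-filtering bridge only sees frames when the
    #    bridge itself is tagged for that VLAN. For an AP that needs no address
    #    in the VLAN this is just a warning: the VLAN still flows between ports.
    bridges = {b["name"]: b for b in cfg["/interface bridge"]}
    for vl in cfg["/interface vlan"]:
        parent, vid = vl["interface"], int(vl["vlan-id"])
        if bridges.get(parent, {}).get("vlan-filtering") == "yes" and parent not in tagged[parent][vid]:
            findings.append(f"warning: /interface vlan {vl['name']} sits on {parent}, but {parent} "
                            f"is not tagged for vid {vid}, so its own IP config gets no traffic")
    return findings


# Constructed excerpts modelled on the two exports posted in this thread; the
# hEX one keeps the /ip address typo that was spotted above.
HEX_EXPORT = """\
/interface bridge
add name=HomeBridge vlan-filtering=yes
/interface vlan
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
/interface bridge port
add bridge=HomeBridge interface=ether2
add bridge=HomeBridge interface=ether3
/interface bridge vlan
add bridge=HomeBridge tagged=ether2,HomeBridge,ether3 vlan-ids=100
/ip address
add address=192.168.0.1/24 interface=HomeBridge network=192.168.0.0
add address=192.168.100.0/24 interface=GuestWifi_T&B_V100 network=\\
    192.168.100.0
"""

CAP_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=GuestWifi_T&B_V100 vlan-id=100
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=Basement_WIFI
add bridge=bridge interface=Basement_Guests
/interface bridge vlan
add bridge=bridge tagged=Basement_Guests,ether1 vlan-ids=100
"""

if __name__ == "__main__":
    for name, export in (("hEX", HEX_EXPORT), ("cAP", CAP_EXPORT)):
        print(name, lint(export) or ["ok"])
```

Run it against a full /export and expect noise from sections the parser does not model (for instance `set [ find default-name=... ]` lines are read for their key=value pairs only); the three checks only look at /ip address, /interface bridge, /interface bridge port, /interface bridge vlan and /interface vlan.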

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Nov 03, 2018 6:21 pm
by anav
Well &^%^ me! Awesome pickup.
When you come to Canada, I will have a cold beer waiting for you, heck a whole case for all the trouble I have put your through for one little typo.
I will fix and try right away!

Okay, partial success!!!
I now get an IP and connect to the router through the capAC.
However no internet connection (unable to browse).
Perhaps now I will invoke logging rules and use packet sniffer to see what is going on.

A quick look at the Logs shows the iP being assigned and then Forward Drop rules being applied to the traffic.
Upon closer inspection it's dropping traffic from 192.168.100.xx (my smart phone) to an address on my home lan 192.168.0.xx
(this is actually a good thing as it is supposed to be dropped).

No indication of any other traffic.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Nov 03, 2018 6:46 pm
by xvo
I think the reason is that you force everybody to use your router as DNS server, but haven't allowed Guest VLAN clients to use it :)

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Nov 03, 2018 7:07 pm
by anav
Hi xvo,
I have looked at wireshark (sniffer tool output) and I see the DHCP ACK which confirms IP assignment.
Then you are correct, there looks to be a DNS problem.
However if you look at my DSTNAT RULES, the force DNS rules are currently inactive for troubleshooting purposes (DISABLED):
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN Users" \
    ipsec-policy=out,none out-interface=Eastlink_eth1
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN USERS" \
    out-interface=vlanbell
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
    tcp
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
    udp
{On my packet sniffer outputs}
(1) What I am seeing is (lines shaded in blue) many internet requests (most of them DNS requests) as follows:

a. the ones I am doing myself through the browser (google, yahoo etc) to try and reach search engine sites and
b. the hidden stuff one's effing phone does on your behalf (firehose.us-east-1.amazonaws.com, api.instabridge.com, icloud.com,
One that I have no clue about.........
c. 192.168.100.50","224.0.0.251","MDNS","154","Standard query 0x0000 PTR _companion-link._tcp.local, "QU" question PTR _homekit._tcp.local, "QU" question PTR _sleep-proxy._udp.local, "QU" question OPT"
another that I have no clue about
d. 192.168.100.50","224.0.0.251","IGMPv2","56","Membership Report group 224.0.0.251"

(2) Then I am seeing many lines (shaded in pink) which are ICMP requests/replies/ between the smart phone and the router.

a. 192.168.100.50","192.168.100.1","ICMP","122","Echo (ping) request id=0x002a, seq=0/0, ttl=64 (reply in 25)"
b. 192.168.100.1","192.168.100.50","ICMP","122","Echo (ping) reply id=0x002a, seq=0/0, ttl=64 (request in 24)"

So, am I having DNS issues or ICMP issues?
Its not quite clear here what is going on as the other wifi networks on the capAC have no issues with gaining access to the internet.

OH I am blind as a bat........
I have to include ALLOW DNS queries to the VLAN as well in my input rules.
Thanks for helping the IT cripple. :-)

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Nov 03, 2018 7:16 pm
by xvo
:lol:

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Nov 03, 2018 7:28 pm
by anav
Okay, it worked but I am confused.

I added the guest vlan to the interface list for LAN and voila magic it worked.
BUT...........
I already had.
a. homebridge on the lan interface list
b. ether2 on the lan interface list
c. ether3 on the lan interface list
d. ether4 on the lan interface list

Since ether2, ether3 and the vlan are on the homebridge AND
Since the vlan is also on ether 2 (or latest testing 3)
WHY DO I NEED TO ADD VLAN TO INTERFACE LIST TO GET INTERNET CONNECTIVITY FOR A RULE THAT STATES LAN INTERFACE LIST???????

in actuality I think I should only need to identify
homebridge (which covers ether2, ether3 and Vlan)
ether4 (for the dmz)

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Nov 03, 2018 8:21 pm
by xvo
Nope.
You need homebridge, ether4 and VLAN:
ether2 and ether3 are slave interfaces to the bridge, so they don't make any difference
but the VLAN interface has its own IP config - that was the whole point - to make it independent from the bridge.
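
Added example, not taken from the thread: a Python model of how the hEX input chain posted above decides a packet, with in-interface-list matched against the exact ingress interface name. It reproduces both observations from the sniffer post (pings to 192.168.100.1 answered, DNS queries hitting DROP ALL ELSE) and the fix (adding GuestWifi_T&B_V100 to the LAN list), because a VLAN interface on a bridge is its own interface and the bridge being in the list does not cover it. The model is a simplification: it keeps the rule order and comments from the export but leaves out the adminaccess src-address-list rule and real connection tracking, and the packets are constructed. One thing worth noticing while reading the chain: the "defconf: accept ICMP" rule has no in-interface-list, so it matches from the WAN side too.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    in_interface: str          # the interface the packet actually arrived on
    protocol: str
    dst_port: int = 0
    connection_state: str = "new"


# The hEX input chain from the export above, reduced to the matchers that
# decide this case (the adminaccess src-address-list rule is left out).
INPUT_CHAIN = [
    {"comment": "defconf: accept established,related,untracked",
     "connection_state": {"established", "related", "untracked"}, "action": "accept"},
    {"comment": "defconf: drop invalid", "connection_state": {"invalid"}, "action": "drop"},
    {"comment": "Allow LAN DNS queries-UDP", "in_interface_list": "LAN",
     "protocol": "udp", "dst_port": 53, "action": "accept"},
    {"comment": "Allow LAN DNS queries - TCP", "in_interface_list": "LAN",
     "protocol": "tcp", "dst_port": 53, "action": "accept"},
    {"comment": "defconf: accept ICMP", "protocol": "icmp", "action": "accept"},
    {"comment": "DROP ALL ELSE", "action": "drop"},
]


def evaluate(chain, interface_lists, pkt):
    """First-match walk of an input chain; returns (action, rule comment).

    in-interface-list is compared with the exact ingress interface name.
    A VLAN interface that sits on a bridge is an interface of its own, so
    HomeBridge being in LAN does not cover frames arriving on the VLAN.
    """
    for rule in chain:
        if "connection_state" in rule and pkt.connection_state not in rule["connection_state"]:
            continue
        members = interface_lists.get(rule.get("in_interface_list"), set())
        if "in_interface_list" in rule and pkt.in_interface not in members:
            continue
        if "protocol" in rule and pkt.protocol != rule["protocol"]:
            continue
        if "dst_port" in rule and pkt.dst_port != rule["dst_port"]:
            continue
        return rule["action"], rule["comment"]
    return "accept", "end of chain (default accept)"


# LAN list before and after the fix described in the post above.
LAN_BEFORE = {"LAN": {"HomeBridge", "ether3", "ether4"}}
LAN_AFTER = {"LAN": {"HomeBridge", "ether3", "ether4", "GuestWifi_T&B_V100"}}

# Constructed packets: what the phone on the guest VLAN and a wired host send.
GUEST_DNS = Packet("GuestWifi_T&B_V100", "udp", 53)
GUEST_PING = Packet("GuestWifi_T&B_V100", "icmp")
HOME_DNS = Packet("HomeBridge", "udp", 53)


def explain(lists):
    """Verdicts for the three sample packets under a given interface-list setup."""
    samples = (("guest dns", GUEST_DNS), ("guest ping", GUEST_PING), ("home dns", HOME_DNS))
    return {name: evaluate(INPUT_CHAIN, lists, pkt) for name, pkt in samples}


if __name__ == "__main__":
    for label, lists in (("before", LAN_BEFORE), ("after", LAN_AFTER)):
        for name, (action, rule) in explain(lists).items():
            print(f"{label:6} {name:10} -> {action:6} by '{rule}'")
```

The same reasoning applies to the forward chain: a rule with in-interface=HomeBridge never sees guest traffic, which is why the VLAN-to-WAN accept rule above names GuestWifi_T&B_V100 as its in-interface.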

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Nov 03, 2018 10:10 pm
by anav
Good to know, now I can add the other vlans I have been planning;

Much thanks!
Forget the Ghost Busters, call XVO!!

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Nov 03, 2018 10:19 pm
by xvo
You are welcome!
I'll try not to forget about the beer you mentioned ;)

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sat Nov 03, 2018 10:51 pm
by anav
Well I only have Carlsberg and Sol at the moment LOL.

So when I reactivate my DNS force rules, they will also apply to vlan users?
Reason I ask is that I just had a look at them and all they do is

identify TCP and UDP (port53) and the action is redirect.
I dont indicate from any source to any source, just redirect,
So where are they being redirected then.................

Am I to assume the router function of redirect when selecting the DSTNAT chain basically forces all users to use the DNS servers I have identified in
IP DNS.......

I have a question for IP DNS as well,
Right now I see a listing (white text boxes) for four entries I created (google1, google2 and dyndns1 and dyndns), after that I see two (in blue text boxes) labelled as dynamic servers and strangely enough they are from my second ISP, and not my primary ISP. I checked the dhcp client entry to confirm these were its DNS servers and I also noticed that USE PEER DNS was checked off.
When looking at my primary ISP VLAN bell, I noted that USE PEER DNS was not checked off.

Thus my questions are
1. Redirect how does it work?
2. USE PEER DNS, what does it mean if I do or dont check this off, and in my case what is the optimal scenario?
3. If I force users via redirect does it start at the top of the list and work its way down if not available?

I am going to give it a go to answer my questions.
First, the redirect is not directly related to USE PEER DNS vs IP DNS entries, it forces all users to go to the router for DNS entries even if they try to use their own DNS server.
In other words they will be forced to use what I have set in IP DNS (or the servers denoted in the USE PEER DNS).

BUT in my DHCP Servers I delineate the router to be used as the DNS Server, for example for my VLAN, the DNS Server is 192.168.100.1
Therefore, I am assuming that the redirect function maybe doesn't go to the IP DNS settings, maybe it goes to what is set in DHCP Networks?
And then the router checks what is set in IP DNS and uses that unless, USE PEER DNS is selected and that takes priority??

From my readings, using the ISP DNS servers is what is accomplished by USE PEER DNS. This also takes priority over the IP DNS servers I may have entered manually.
So in my case the second ISPs DNS servers are what is being used by my entire LAN?????

So I am still not certain how redirect works as the rule in place is vague.

I am not sure what is better to use like google or dyndns DNS servers via IP DNS settings OR use PEER DNS and use my ISP DNS servers.......
Perhaps if I have both and for some strange reason both sets of ISP DNS servers are not available the router will try the others????

Finally, there is the question of DNS Cache.
Good idea? Bad idea? How is it invoked?

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Nov 04, 2018 12:37 am
by xvo
1. Redirect is like dst-nat to the router itself. So if you redirect all DNS requests it means that they will be served by your router, without the client knowing it. Even if it will try to use some external DNS.
2. use-peer-dns only means that you will get the addresses of DNS servers from the remote peer to use for the router itself (and pass to other devices in your network if needed).
If you want to use your service provider's DNS server - set it to yes, if you want to use only google's DNS or whatever - set it to no, and add at least one manually. Simple as that.
3. If you force clients to use your DNS, they will use only your DNS, even if they try to use different one.
That means if you do so you need to be sure that:
a) You have set allow-remote-requests=yes in /ip dns
b) You have at least one external server listed in your /ip dns (either from your provider or manually): for your router to have a source where to get dns info.
c) You allow TCP and UDP access on port 53 to your router (input chain) to all devices in your network.
d) You don't allow this access from outside of your network.

You can also configure your DHCP server to pass clients the info only about servers you want (/ip dhcp-server network).

And of course you can do all the above not for all your network at once, but have different settings for every part.
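The checklist above (allow-remote-requests, an upstream server, port 53 open from the LAN only, and the redirect itself), written out as a RouterOS configuration. This is an added example, not xvo's or anav's config; the interface lists "LAN" and "WAN", the guest interface name "vlan30-guest", the VLAN subnet and the upstream resolvers are assumptions, and the guest interface is exempted from the redirect to illustrate "different settings for every part".

```routeros
# Added example, not from the thread. Assumed names: interface lists LAN and
# WAN, guest VLAN interface vlan30-guest, VLAN subnet 192.168.100.0/24.

# a) the router's resolver answers queries from other hosts
# b) at least one upstream server, here set manually (use-peer-dns=yes on
#    the DHCP client would fill this dynamically instead)
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

# DHCP tells VLAN clients to use the router as resolver; this only seeds the
# client's settings, the redirect below is what enforces it
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1

/ip firewall filter
# c) LAN side may reach the resolver on TCP and UDP 53
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept \
    comment="DNS from LAN"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept \
    comment="DNS from LAN"
# d) nothing from the WAN side may use the router as an open resolver
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="no open resolver"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop \
    comment="no open resolver"

/ip firewall nat
# guests keep whatever resolver they configured: accept ends NAT processing
# for them before the redirect rules are reached
add chain=dstnat in-interface=vlan30-guest protocol=udp dst-port=53 \
    action=accept comment="guest VLAN: no DNS redirect"
add chain=dstnat in-interface=vlan30-guest protocol=tcp dst-port=53 \
    action=accept comment="guest VLAN: no DNS redirect"
# everyone else on the LAN is redirected to the router's own port 53
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="Force Users to Router for DNS - UDP"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="Force Users to Router for DNS - TCP"
```

Rule order matters in both chains: the input accepts must sit above the firewall's final drop, and the guest accept rules must sit above the redirect rules.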

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Nov 04, 2018 12:49 am
by anav
I kinda figured that out but, I am looking for the nuance............

For example if I set in the DHCP Network to use (for my vlan) 192.168.100.1 and (for my lan) 192.168.0.1

Then maybe I dont need the redirect rule????

How would somebody use a different DNS???

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Nov 04, 2018 1:06 am
by xvo
I also find such measures unnecessary in home environment.

Someone can always set it manually on the device's network settings.
But who cares?! It's a guest network anyway.
If someone among your guests has set his laptop/phone to always use google dns, so let it use it - less load and unneeded cache on your router.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Nov 04, 2018 1:14 am
by anav
Okay so a user manual setting on a computer will override the DHCP network setting and thus the redirect rule is required (for the office setting)

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Nov 04, 2018 1:24 am
by xvo
Okay so a user manual setting on a computer will override the DHCP network setting and thus the redirect rule is required (for the office setting)
Yes. For office internal network it makes more sense.
Especially if you need everybody to use some special dns service - with security and content filters for example.
But still not for the guest network :)

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Nov 04, 2018 2:41 am
by anav
But that goes to my point about nothing specific in the redirect rule.
How would I exclude the VLAN from that rule in NAT when no source or destination is identified?

Also I am not quite sure if you answered the question, where does the redirect send the request to at first hop?

To DHCP network setting or
to the IP DNS setting ??

+++++++++++++++++++++++++++++++

I added a second VLAN to my network, this time the Device AP wifi network to vlan 30. Seemed pretty straightforward but where I messed up is the HomeBridge on the Hex.
I added a second entry for VLAN and tagged homebridge and ether3 and of course selected vlan30. No joy,

Then I noticed that the Line entry for VLAN stated "VLAN IDs" plural. So I deleted the additional VLAN entry on the bridge and on the existing just added 30, ie 100,30
For some reason this worked LOL.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Nov 04, 2018 10:49 am
by xvo
But that goes to my point about nothing specific in the redirect rule.
How would I exclude the VLAN from that rule in NAT when no source or destination is identified?
Just add source to the rule (in-interface or src-address) :)

Also I am not quite sure if you answered the question, where does the redirect send the request to at first hop?

To DHCP network setting or
to the IP DNS setting ??
To the router's IP address.
You can use redirect to any type of traffic.

In your case it is then processed by DNS server (IP --> DNS) which either already has the DNS entry in the cache or will try to get it from one of the DNS servers that it has access to itself.

DHCP Network setting only passes info about available DNS servers when DHCP-server is leasing the address, it has nothing to do with DNS requests at all.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Nov 04, 2018 4:38 pm
by anav
Okay, the easiest would be to make up an address list of the VLANS that dont need the redirect and then state in the force redirect DNS rules for all but not Vlan interfaces.
in address list entry (under advanced tab): NOT Vlan_Interfaces

Would look like the following (disabled for now):

/ip firewall nat
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
tcp src-address-list=!VLAN_Interfaces
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
udp src-address-list=!VLAN_Interfaces

/ip firewall address-list
add address=192.168.100.0/24 list=VLAN_Interfaces
add address=192.168.30.0/24 list=VLAN_Interfaces
add address=192.168.45.0/24 list=VLAN_Interfaces

Q1. Is this a reasonable approach?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

As I may have noted, I have a second VLAN now working for devices on the cap AC1 in the basement.
I attempted another VLAN for the upstairs Cap AC2 and hitting the no internet connection wall. Determined to sort it out first before looking for a second set of eyes. :-)
Still no joy on third VLAN. I am going to now route the first two vlans back through
a. first the zyxel switch and if all is still working then
b. the dlink switch will be added into the mix.

If everything still works then I am missing something in the config and will post, If things do not work with the changes then I will know that my third VLAN has switch interruptus at play and that the settings are likely good. If its determined to be the DLINK switch then I will need help configuring that properly so things do work.

I can now confirm the DLINK is the problem. The zyxel 16 port unmanaged switch does not cause any issues between the hex and the CapAC unit. The Dlink stops it cold even though it's all in default mode, nothing assigned etc etc.

Q2. What would be causing the conflict?
Default PVID of 1 for all traffic? Management VLAN??

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Nov 04, 2018 10:18 pm
by mkx
Regarding Q2: my pretty aged D-Link DES-1210-28 seemingly works with VLANs enabled all the time. By default all ports are configured as untagged members of VLAN 1 so seemingly it works as dummy switch.

So it seems that it really can't be used as dummy switch ... if it is to pass VLAN-tagged frames, it has to be properly configured.

Re: Adding Virtual AP to cAP AC -Missing a Step?

Posted: Sun Nov 04, 2018 11:44 pm
by anav
Thanks mkx,
Just finished configuring the switch and I am happy as a clam LOL.
I had faith that the hex when adding vlans to the bridge automatically thinks of itself as a trunk port.
I had bit of angst with the DLINK because its input methods are weak but managed to figure it out.
So I have a trunk port attached to the cable coming from the Hex and anything leading to devices which are part of a VLAN are hybrid and the vlans identified.
Works like a charm.

The only issue left outstanding is whether or not to use ENABLE Ingress Filtering (I have it disabled for now and all is working).
I don't quite understand its functionality......
From below I gather its both a security and efficiency feature. My fear is that untagged packets might get dropped somehow due to the vagueness in the below explanation.
In any case, unless absolutely necessary.............
A port on a switch where packets are flowing into the switch, and VLAN decisions must be made, is referred to as an ingress port. If ingress filtering is enabled for a port, the switch examines the VLAN information in the packet header (if present) and decides whether or not to forward the packet.

If the packet is tagged with VLAN information, the ingress port first determines if the ingress port itself is a member of the tagged VLAN. If it is not, the packet is dropped. If the ingress port is a member of the 802.1Q VLAN, the switch determines if the destination port is a member of the 802.1Q VLAN. If it is not, the packet is dropped. If the destination port is a member of the 802.1Q VLAN, the packet is forwarded and the destination port transmits it to its attached network segment.

If the packet is not tagged with VLAN information, the ingress port tags the packet with its own PVID as a VID (if the port is a tagging port). The switch then determines if the destination port is a member of the same VLAN (has the same VID) as the ingress port. If it does not, the packet is dropped. If it has the same VID, the packet is forwarded and the destination port transmits it on its attached network segment.

This process is referred to as ingress filtering, and is used to conserve bandwidth within the switch, by dropping packets that are not on the same VLAN as the ingress port at the point of reception. This eliminates the subsequent processing of packets that are just dropped by the destination port.
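The same ingress-filtering behaviour the D-Link text describes exists on the hEX's own bridge, so here is the trunk-plus-access layout from this thread (homebridge, ether3 as trunk, VLAN IDs 100 and 30) expressed as a RouterOS bridge VLAN configuration with ingress filtering enabled. This is an added example, not anav's exported config; the access port ether4, the VLAN interface name and the address are assumptions, and VLAN 30 is given its own entry so that an untagged member can be shown.

```routeros
# Added example, not from the thread. Assumed: ether3 is the trunk toward
# the switch/cAP, ether4 is an access port for a VLAN 30 device.
/interface bridge
add name=homebridge

/interface bridge port
# Trunk: tagged frames only; a tagged frame whose VID this port is not a
# member of (see the vlan table below) is dropped by ingress-filtering
add bridge=homebridge interface=ether3 pvid=1 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
# Access port: untagged frames are tagged with the PVID (30) on ingress,
# exactly the "tags the packet with its own PVID" step in the D-Link text
add bridge=homebridge interface=ether4 pvid=30 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# The bridge itself is a tagged member so the router's own VLAN interfaces
# (below) can see the traffic; this is what makes the hEX act as a trunk
add bridge=homebridge tagged=homebridge,ether3 vlan-ids=100
add bridge=homebridge tagged=homebridge,ether3 untagged=ether4 vlan-ids=30

# Router-side interface and address for VLAN 30 (assumed values)
/interface vlan
add interface=homebridge name=vlan30-guest vlan-id=30
/ip address
add address=192.168.30.1/24 interface=vlan30-guest

# Enable filtering last: until this is set the vlan table is not enforced,
# and enabling it with a wrong table can cut off management access
/interface bridge
set homebridge vlan-filtering=yes
```

Untagged frames are not at risk from ingress filtering as long as the port's PVID is listed in a vlan entry; what gets dropped is a tagged frame arriving on a port that is not a member of that VID.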