On the hAC2, I have 4 VLANs - 100 (wired), 101 (trusted network), 102 (Guest network), and 103 (zero trust network - printers etc). There are 4 SSIDs - one 5 GHz and one 2.4 GHz for Trusted, and a 2.4 GHz for each of the other 2 VLANs.
From my wired connections, all access works. Devices are assigned DHCP on VLAN100, and can reach the internet regardless of which port I attach to. From the wireless, however, there seems to be a problem. Previously, the hACLite was working - devices could get out to the internet, get DHCP, etc, just fine. However, once I resolved some configuration issues on the hAC2, devices only seem to work when connected to it.
# sep/20/2021 16:20:38 by RouterOS 6.48.4
# software id = 40YP-NNZA
#
# model = RB4011iGS+
# serial number = F03A0EA13426
#
# Review notes: export of the device named MainRouter (see /system identity).
# It terminates VLANs 100-103 on bridge1, runs one DHCP server per VLAN and
# forwards a set of TCP/UDP ports to 192.168.100.5.
# NOTE(review): the header above carries the software id and serial number;
# trim those lines before sharing an export publicly.
# NOTE(review): no /ip firewall filter section appears in this export. If none
# exists on the device, nothing here restricts routed traffic between
# vlan100-vlan103 or traffic to the router itself, so the guest (102) and
# printer (103) networks are separated at layer 2 only. Confirm with
# "/ip firewall filter print".
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Ethernet to Centurylink"
set [ find default-name=sfp-sfpplus1 ] comment="Main fiber trunk"
/interface vlan
# One layer-3 interface per VLAN; each gets a gateway address under /ip address.
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.100.10-192.168.100.199
add name=dhcp_pool1 ranges=192.168.101.10-192.168.101.199
add name=dhcp_pool2 ranges=192.168.102.10-192.168.102.199
add name=dhcp_pool3 ranges=192.168.103.10-192.168.103.199
/ip dhcp-server
# dhcp1..dhcp4 serve vlan100..vlan103 respectively.
add address-pool=dhcp_pool0 disabled=no interface=vlan100 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan101 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan102 name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=vlan103 name=dhcp4
/interface bridge port
# Untagged frames arriving on the fibre trunk are placed in VLAN 100 (pvid=100).
# "trusted" only takes effect with DHCP snooping, which bridge1 does not enable
# in this export.
add bridge=bridge1 interface=sfp-sfpplus1 pvid=100 trusted=yes
# NOTE(review): ether1 is the ISP-facing port (its comment, the WAN list, the
# DHCP client and 192.168.0.2/24 all point at it) yet it is also a bridge1 port.
# RouterOS flags this itself under /ip dhcp-client. Keeping the uplink out of
# the bridge avoids mixing the upstream segment with the internal VLANs.
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
# NOTE(review): "!dynamic" runs neighbor discovery on every static interface,
# which here includes ether1; limiting it to an internal interface list keeps
# device details off the uplink.
set discover-interface-list=!dynamic
/interface bridge vlan
# NOTE(review): ether1 is an untagged member of all four VLANs, so flooded
# traffic from every internal VLAN leaves untagged on the WAN-facing port.
# Presumably unintended - verify and drop ether1 from these entries.
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=100
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=101
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=102
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=103
/interface list member
add interface=ether1 list=WAN
# NOTE(review): this entry names no interface, so the LAN list may be
# effectively empty - confirm before using LAN in firewall rules.
add list=LAN
/ip address
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
add address=192.168.101.1/24 interface=vlan101 network=192.168.101.0
add address=192.168.102.1/24 interface=vlan102 network=192.168.102.0
add address=192.168.103.1/24 interface=vlan103 network=192.168.103.0
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
/ip arp
add address=192.168.100.2 interface=vlan100 mac-address=2C:56:DC:3A:A4:3A
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether1
/ip dhcp-server lease
# Static leases; "server=" selects which VLAN's DHCP server hands out the address.
add address=192.168.100.5 client-id=PS5 mac-address=00:E4:21:55:17:A1 server=\
dhcp1
add address=192.168.100.4 client-id=1:80:fa:5b:25:76:6a mac-address=\
80:FA:5B:25:76:6A server=dhcp1
add address=192.168.101.4 client-id=Imperius mac-address=A4:34:D9:28:48:8A \
server=dhcp2
add address=192.168.100.8 client-id=1:0:d8:61:88:4d:40 mac-address=\
00:D8:61:88:4D:40 server=dhcp1
add address=192.168.101.11 client-id=WorkLaptop mac-address=1C:4D:70:C2:9F:5C \
server=dhcp2
add address=192.168.103.65 client-id=BrotherPrinter mac-address=\
28:56:5A:66:4B:E8 server=dhcp4
# NOTE(review): the address below is in the VLAN 101 range but the lease is
# bound to dhcp3, which serves vlan102 - one of the two is presumably wrong.
add address=192.168.101.88 client-id=Nest mac-address=18:B4:30:BF:99:BA \
server=dhcp3
add address=192.168.101.8 client-id=SarahLaptop mac-address=7C:B2:7D:E6:11:85 \
server=dhcp2
/ip dhcp-server network
# Every VLAN is handed the same resolvers (8.8.8.8 and 192.168.0.1) and its own
# .1 gateway on this router.
add address=192.168.100.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
192.168.100.1
add address=192.168.101.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
192.168.101.1
add address=192.168.102.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
192.168.102.1
add address=192.168.103.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
192.168.103.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
# Port forwards to 192.168.100.5 (the static lease labelled PS5 above).
# NOTE(review): both rules match in-interface=bridge1 with no dst-address and
# are not scoped to the WAN list defined above; confirm they match only the
# traffic intended. No masquerade/src-nat rule is present in this export.
add action=dst-nat chain=dstnat dst-port=\
1935,3478-3480,3659,10000-10099,42127 in-interface=bridge1 protocol=tcp \
to-addresses=192.168.100.5
add action=dst-nat chain=dstnat dst-address-type="" dst-port=\
3074,3478-3480,3659,6000 in-interface=bridge1 protocol=udp to-addresses=\
192.168.100.5
/ip route
# Default route via the upstream device at 192.168.0.1.
add distance=1 gateway=192.168.0.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MainRouter
/tool sniffer
set filter-ip-address=192.168.100.201/32
# Review notes: export of the device named MainSwitch (see /system identity).
# bridge1 carries VLANs 100-103 tagged on sfp-sfpplus1, ether3 and ether5;
# ether6 is an untagged access port in VLAN 100.
# NOTE(review): no /ip firewall section appears in this export, so any address
# configured below is reachable for management from its VLAN unless services
# are restricted elsewhere - confirm.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment="Guest Bedroom Wireless"
set [ find default-name=ether5 ] comment="Office Wireless"
set [ find default-name=ether6 ] comment="Khellendros desktop PC"
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# NOTE(review): "trusted=yes" marks a port as allowed to carry DHCP server
# replies when DHCP snooping is on. bridge1 is created above without
# dhcp-snooping, so the flag currently has no effect; if snooping is enabled
# later, ether6 (an end-host port per its comment) probably should not be trusted.
# NOTE(review): no port sets ingress-filtering or frame-types, so the defaults
# apply (RouterOS 6 leaves ingress filtering off). On pure trunks consider
# ingress-filtering=yes with frame-types=admit-only-vlan-tagged, after
# confirming the trunk carries no untagged traffic.
add bridge=bridge1 interface=sfp-sfpplus1 trusted=yes
add bridge=bridge1 interface=ether5 trusted=yes
# Access port: untagged ingress is placed in VLAN 100.
add bridge=bridge1 interface=ether6 pvid=100 trusted=yes
add bridge=bridge1 interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
# bridge1 is a tagged member of every VLAN so the vlanNNN interfaces above can
# reach their VLANs.
add bridge=bridge1 tagged=sfp-sfpplus1,ether3,ether5,bridge1 untagged=ether6 \
vlan-ids=100
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=101
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=102
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=103
/interface detect-internet
# NOTE(review): detect-internet is switched on for every interface; on a device
# acting purely as a switch it is usually unnecessary and can be set to none.
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/ip address
add address=192.168.100.200/24 interface=vlan100 network=192.168.100.0
# NOTE(review): the next three addresses have no prefix length and are exported
# with network equal to the address, i.e. /32 host addresses. They also give the
# switch an IP presence in the trusted, guest and printer VLANs; if management
# is only done from VLAN 100 they can presumably be removed.
add address=192.168.101.200 interface=vlan101 network=192.168.101.200
add address=192.168.102.200 interface=vlan102 network=192.168.102.200
add address=192.168.103.200 interface=vlan103 network=192.168.103.200
/ip arp
# Static ARP entries on vlan100, including one for the gateway 192.168.100.1.
add address=192.168.100.2 interface=vlan100 mac-address=2C:56:DC:3A:A4:3A
add address=192.168.100.1 interface=vlan100 mac-address=2C:C8:1B:9B:A1:69
/ip dns
set servers=8.8.8.8
/ip route
add distance=1 gateway=192.168.100.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MainSwitch
/system routerboard settings
set boot-os=router-os
/tool traffic-monitor
add interface=bridge1 name=tmon1
hAC2 (Main Wireless - currently working)
# Review notes: export of the device named MikrotikWirelessMain (see
# /system identity). Four SSIDs are bridged into bridge1, each tagging client
# traffic with its own VLAN id; ether1 is a tagged member of every VLAN.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
# Only vlan100 receives an IP address below; vlan101-vlan103 have none here.
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
# NOTE(review): every added profile enables wpa2-eap alongside wpa2-psk, but no
# EAP/RADIUS settings are visible in this export; if only pre-shared keys are
# used, wpa2-psk alone is the tighter setting.
# No passphrases appear in these lines - presumably removed before posting.
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap eap-methods="" mode=dynamic-keys \
name=Public supplicant-identity=""
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Printer \
supplicant-identity=""
# "Networked" is not referenced by any wireless interface in this export.
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Networked \
supplicant-identity=""
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Guest \
supplicant-identity=""
/interface wireless
# wlan1 (2.4 GHz) and wlan2 (5 GHz) tag clients into VLAN 101 and use the
# profile named "Public".
set [ find default-name=wlan1 ] band=2ghz-g/n country="united states" \
disabled=no installation=indoor mode=ap-bridge security-profile=Public \
ssid=OuterHeaven-2.4 vlan-id=101 vlan-mode=use-tag wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no installation=\
indoor mode=ap-bridge security-profile=Public ssid=OuterHeaven vlan-id=\
101 vlan-mode=use-tag wps-mode=disabled
# Virtual AP on wlan1 for VLAN 103.
# NOTE(review): WPS stays enabled here (push-button-virtual-only) while every
# other SSID has wps-mode=disabled; disable it unless a device needs it.
add comment="No-Internet VLAN103" disabled=no keepalive-frames=disabled \
mac-address=2E:C8:1B:A7:AF:FF master-interface=wlan1 multicast-buffering=\
disabled name=wlan3 security-profile=Printer ssid=OuterPrinter vlan-id=\
103 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
push-button-virtual-only
# Virtual AP on wlan1 for VLAN 102.
add comment="Internet-allowed security devices" disabled=no keepalive-frames=\
disabled mac-address=2E:C8:1B:A7:AF:FE master-interface=wlan1 \
multicast-buffering=disabled name=wlan4 security-profile=Guest ssid=\
Foxhound vlan-id=102 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=\
0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan3 comment="No-Internet VLAN103"
set wlan4 comment="Internet-allowed security devices"
/interface wireless nstreme
set wlan1 enable-polling=no
set wlan2 enable-polling=no
set *A comment="No-Internet VLAN103"
set *B comment="Internet-allowed security devices"
/ip pool
# NOTE(review): no /ip dhcp-server entry in this export uses this pool; it looks
# like a leftover from an earlier setup - confirm and remove.
add name=dhcp ranges=192.168.0.50-192.168.0.99
/caps-man manager
# NOTE(review): the CAPsMAN manager is enabled but no CAPsMAN configuration or
# provisioning appears in this export; if CAPsMAN is not in use, disabling it
# removes an unneeded service.
set enabled=yes
/interface bridge port
# NOTE(review): ether2, ether3 and ether4 set no pvid, so untagged ingress uses
# the default PVID of 1 even though the VLAN table below lists them as untagged
# members of VLAN 100. ether5 is in that table but is not a bridge port here.
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
add bridge=bridge1 interface=ether2 trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
# Each wireless interface is a tagged member of exactly the VLAN it tags its
# clients with (wlan1/wlan2 -> 101, wlan4 -> 102, wlan3 -> 103).
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 \
vlan-ids=100
add bridge=bridge1 tagged=ether1,wlan1,wlan2 vlan-ids=101
add bridge=bridge1 tagged=ether1,wlan4 vlan-ids=102
add bridge=bridge1 tagged=ether1,wlan3 vlan-ids=103
/interface wireless cap
# CAP interfaces are listed, but the export does not show CAP mode as enabled.
set interfaces=wlan2,wlan1
/ip address
# Management address in VLAN 100 only.
add address=192.168.100.202/24 interface=vlan100 network=192.168.100.0
/ip dhcp-server network
# NOTE(review): no DHCP server is defined on this device in the export, so
# these network entries are presumably unused.
add address=192.168.0.0/24 gateway=192.168.0.0 netmask=24
add address=192.168.100.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
192.168.100.1 netmask=24
add address=192.168.101.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
192.168.101.1 netmask=24
add address=192.168.102.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
192.168.102.1 netmask=24
add address=192.168.103.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
192.168.103.1 netmask=24
/ip dns
set servers=192.168.0.1,8.8.8.8
/ip route
add distance=1 gateway=192.168.100.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MikrotikWirelessMain
# Review notes: export of the device named Cuddle-Access (see /system identity).
# It defines the same four SSIDs and VLAN ids as the MikrotikWirelessMain
# export, but its bridge VLAN table assigns the wireless interfaces differently.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
# wlan1/wlan2 tag clients into VLAN 101. No security-profile is named, so the
# default profile (set to wpa2-psk below) applies.
set [ find default-name=wlan1 ] band=2ghz-g/n country="united states" \
disabled=no installation=indoor mode=ap-bridge ssid=OuterHeaven-2.4 \
vlan-id=101 vlan-mode=use-tag wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no mode=ap-bridge \
ssid=OuterHeaven vlan-id=101 vlan-mode=use-tag wps-mode=disabled
/interface vlan
# Only vlan100 receives an IP address below.
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface wireless security-profiles
# No passphrases appear in these lines - presumably removed before posting.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
# NOTE(review): "Printer" still enables wpa2-eap alongside wpa2-psk; no
# EAP/RADIUS settings are visible, so wpa2-psk alone is likely what is wanted.
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Printer \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
supplicant-identity=""
/interface wireless
# Virtual AP on wlan1 for VLAN 103.
# NOTE(review): WPS is enabled on this SSID (push-button-5s) while the others
# have wps-mode=disabled; disable it unless a device needs it.
add comment="No-Internet VLAN103" disabled=no keepalive-frames=disabled \
mac-address=0A:55:31:F9:EF:A7 master-interface=wlan1 multicast-buffering=\
disabled name=wlan3 security-profile=Printer ssid=OuterPrinter vlan-id=\
103 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
push-button-5s
# Virtual AP on wlan1 for VLAN 102.
add comment="Secured network devices" disabled=no keepalive-frames=disabled \
mac-address=0A:55:31:F9:EF:A8 master-interface=wlan1 multicast-buffering=\
disabled name=wlan4 security-profile=Guest ssid=Foxhound vlan-id=102 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan3 comment="No-Internet VLAN103"
set wlan4 comment="Secured network devices"
/interface wireless nstreme
set *B comment="No-Internet VLAN103"
set *C comment="Secured network devices"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
# ether2-ether4 are access ports in VLAN 100 (pvid=100). ether5 has no pvid, so
# its untagged ingress uses the default PVID of 1 although the VLAN table lists
# it as an untagged member of VLAN 100.
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether3 pvid=100
add bridge=bridge1 interface=ether4 pvid=100
add bridge=bridge1 interface=ether2 pvid=100 trusted=yes
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
add bridge=bridge1 interface=wlan1
# ether1 is the only port tagged in every VLAN below, i.e. the uplink trunk.
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 \
vlan-ids=100
# NOTE(review): VLAN 101 lists wlan3 as its wireless member, but wlan3 is the
# VLAN 103 SSID. wlan1 and wlan2, which tag their clients with VLAN 101, are
# members of no VLAN in this table. With vlan-filtering=yes the bridge does not
# send VLAN 101 frames out to wlan1/wlan2, which would fit clients associating
# and then leaving. It also places the printer SSID's interface in the trusted
# VLAN's member set. The MikrotikWirelessMain export uses
# tagged=ether1,wlan1,wlan2 for this VLAN.
add bridge=bridge1 tagged=ether1,wlan3 vlan-ids=101
# NOTE(review): wlan4 and wlan3 are untagged members here although both
# interfaces use vlan-mode=use-tag; the MikrotikWirelessMain export lists them
# as tagged members of 102 and 103.
add bridge=bridge1 tagged=ether1 untagged=wlan4 vlan-ids=102
add bridge=bridge1 tagged=ether1 untagged=wlan3 vlan-ids=103
/ip address
# Management address in VLAN 100 only.
add address=192.168.100.201/24 interface=vlan100 network=192.168.100.0
/ip route
add distance=1 gateway=192.168.100.1
# NOTE(review): this device has no address in 192.168.101.0/24 in the export,
# so the second default route's gateway is presumably unreachable.
add distance=1 gateway=192.168.101.1
/system clock
set time-zone-autodetect=no time-zone-name=America/Denver
/system identity
set name=Cuddle-Access
AE:58:32:6A:0A:C7@wlan2: connected, signal strength -53
AE:58:32:6A:0A:C7@wlan2: disconnected, received deauth: sending station leaving (3)
and
AC:67:84:AD:5B:B7@wlan2: connected, signal strength -24
AC:67:84:AD:5B:B7@wlan2: disconnected, received disassoc: sending station leaving (8)