Guest Network Unable to get out to Internet

mcginley50 · Fri May 19, 2023 7:05 pm

I have a WiFi network set up with Two Unifi Access Points and a Mikrotik router.

Network : 192.168.1.0/24
Guest : 10.1.21.0/24

The Guest network is assigning IP addresses but users are unable to get out to the network. The Access Point that is used to cater for the guests is on Ether3 LAN port on the router. This had been working for a period of time but only stopped recently and I cannot figure out how to get it up and running again.

Any help would be greatly appreciated. Config is below.

[admin@Hartes] > export

# may/19/2023 17:02:06 by RouterOS 6.49.7
# software id = 0RUF-MX7T
#
# model = RB951G-2HnD
# serial number = DE350F
/interface bridge
add admin-mac=DC:2C:6E:A3:AB:D5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=ireland distance=indoors frequency=auto installation=indoor ssid=\
    MikroTik-A3ABD9 wireless-protocol=nv2-nstreme-802.11
/interface vlan
add interface=ether3 name=vlan21_guest vlan-id=21
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=bridge name=defconf
/ip pool
add name=pool_vlan21 ranges=10.1.21.2-10.1.21.250
/ip dhcp-server
add address-pool=pool_vlan21 disabled=no interface=vlan21_guest lease-time=30m \
    name=dhcp_vlan21
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=wlan1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=WAN
add interface=ether1 list=LAN
add interface=bridge list=LAN
/interface wireless cap
set bridge=bridge interfaces=wlan1
/ip address
add address=10.1.21.0/24 interface=vlan21_guest network=10.1.21.0
add address=192.168.1.0/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=wlan1
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24
add address=10.1.21.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.21.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=192.168.1.254
/system clock
set time-zone-name=Europe/Dublin
/system identity
set name=*******
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@Hartes] >

2frogs · Fri May 19, 2023 11:01 pm

Your IP addresses for the router are set incorrectly. Should be:

ip address/ 
add address=10.1.21.1/24 interface=vlan21_guest network=10.1.21.0
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0

mcginley50 · Sun May 21, 2023 10:03 pm

I've corrected the IP addresses of the router but still unable to get out to the net.

[admin@Hartes] > export
# may/21/2023 20:00:44 by RouterOS 6.49.7
# software id = 0RUF-MX7T
#
# model = RB951G-2HnD
# serial number = DE350F5408E7
/interface bridge
add admin-mac=DC:2C:6E:A3:AB:D5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=ireland distance=indoors frequency=auto installation=indoor ssid=\
MikroTik-A3ABD9 wireless-protocol=nv2-nstreme-802.11
/interface vlan
add interface=ether3 name=vlan21_guest vlan-id=21
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=bridge name=defconf
/ip pool
add name=pool_vlan21 ranges=10.1.21.2-10.1.21.250
/ip dhcp-server
add address-pool=pool_vlan21 disabled=no interface=vlan21_guest lease-time=30m \
name=dhcp_vlan21
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=wlan1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=WAN
add interface=ether1 list=LAN
add interface=bridge list=LAN
/interface wireless cap
set bridge=bridge interfaces=wlan1
/ip address
add address=10.1.21.1/24 interface=vlan21_guest network=10.1.21.0
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=wlan1
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24
add address=10.1.21.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.21.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.254
/system clock
set time-zone-name=Europe/Dublin
/system identity
set name=Hartes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@Hartes] >

Buckeye · Sun May 21, 2023 10:29 pm

You added an interface (vlan21_guest), but have not added it to any list.

When you say you can't get to the net, do you mean that ping 1.1.1.1 does not work? Or do you mean that ping one.one.one.one does not work?

If these are windows host on the guest network, what does cmd command line show for ipconfig /all ?

mcginley50 · Sun May 21, 2023 10:38 pm

I can ping the default gateway but cannot ping 8.8.8.8

Results from IP Config /all below.

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TP-Link Wireless USB Adapter
Physical Address. . . . . . . . . : 7C-C2-C6-0E-57-E6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::91d4:c9ac:4e49:af7d%15(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.21.247(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday 21 May 2023 19:49:47
Lease Expires . . . . . . . . . . : Sunday 21 May 2023 20:50:37
Default Gateway . . . . . . . . . : 10.1.21.1
DHCP Server . . . . . . . . . . . : 10.1.21.1
DHCPv6 IAID . . . . . . . . . . . : 427606726
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-25-89-87-A4-BB-6D-CA-FE-DD
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled

mcginley50 · Sun May 21, 2023 10:39 pm

You added an interface (vlan21_guest), but have not added it to any list.

When you say you can't get to the net, do you mean that ping 1.1.1.1 does not work? Or do you mean that ping one.one.one.one does not work?

If these are windows host on the guest network, what does cmd command line show for ipconfig /all ?

Can you expand on the first part, I'm not sure what you mean by vlan21_guest is not added to a list?

Buckeye · Mon May 22, 2023 12:23 am

Before suggesting fixes, you need to have a reasonable plan. Then the configuration should be much easier. What was the sequence you used to configure your router, and what guides/documentation did you use?

I would suggest going back and rethinking your whole config, because it is far from "standard". See New User Pathway To Config Success for some useful links to other info. And if you expect more help, provide a network diagram. See New User Posting For Assistance for some guidelines about what is expected.

Why is your wifi your "WAN" interface?

I would first get the guest vlan working, then apply firewall. See The DEFACTO DEFAULT FIREWALL Setup for help understanding the firewall. You need to block networks the guest should not be able to connect to first (your local networks you do not want the guest to be able to access), then allow everything from guest network (so the internet can be reached). You need to modify both the input chain (for access to the router itself) and the forward chain (traffic that is routed by the router, received on one interface and forwarded out another).

And next question: is the UniFi access point vlan 241 set up with guest policy? I don't use the guest policy on my UAP-AC-LR access points, so I am not sure, but it can limit what networks the SSID is allowed to access. Ref: What exactly does "Apply guest policies" do?

Can you expand on the first part, I'm not sure what you mean by vlan21_guest is not added to a list?

This part:

/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=WAN
add interface=ether1 list=LAN
add interface=bridge list=LAN

You have bridge (and I don't think you should have ether1-ether5) since these are members of bridge. And now I noticed you have your vlan21_guest as a subinterface of ether3 (instead of bridge), and ether3 is part of the bridge. That's not correct.

anav · Mon May 22, 2023 11:05 pm

Dogs breakfast leads to more errors
One bridge, and vlans for all subnets makes the doctor go away and the config work like butta

Guest Network Unable to get out to Internet

Guest Network Unable to get out to Internet

Re: Guest Network Unable to get out to Internet

Re: Guest Network Unable to get out to Internet

Re: Guest Network Unable to get out to Internet

Re: Guest Network Unable to get out to Internet

Re: Guest Network Unable to get out to Internet

Re: Guest Network Unable to get out to Internet

Re: Guest Network Unable to get out to Internet

Who is online