Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Guest network - vlan no internet access  [SOLVED]

Post Reply
 
Bolendox
just joined
Topic Author
Posts: 6
Joined: Wed Mar 13, 2024 9:25 am

Guest network - vlan no internet access

Sun Mar 17, 2024 12:39 pm

Hi, I created a WiFi network for guests, dhcp works, it assigns me an IP, but I can't access the internet from this network, . I tried disabling firewall rules and bogons. Below I upload the config
Code: Select all
# 2024-03-17 11:28:58 by RouterOS 7.14.1
# software id = AUFB-4CQ1
#
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add comment="BRIDGE LAN" name=LAN protocol-mode=none vlan-filtering=yes
add comment="WTK BRIDGE" name=WAN protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=WTK mac-address=1321231231
set [ find default-name=ether2 ] comment=1/1
set [ find default-name=ether3 ] comment=1/2 disabled=yes
set [ find default-name=ether4 ] comment=2/1
set [ find default-name=ether5 ] comment=2/2
/interface wireguard
add listen-port=12232 mtu=1420 name="WIREGUARD VPN"
/interface vlan
add interface=LAN name=GUEST_VLAN_10 vlan-id=10
/interface list
add name=mactel
/interface wifi datapath
add bridge=LAN name=guest vlan-id=10
/interface wifi security
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 group-encryption=ccmp name="Wifi prywatne" wps=disable
add authentication-types=wpa2-psk comment="GUEST NETWORK" disable-pmkid=yes disabled=no encryption=ccmp,ccmp-256 name="Guest network" wps=disable
/interface wifi configuration
add channel.band=5ghz-a .width=20/40/80mhz country=Poland disabled=no mode=ap name="Wifi konfig" security="Wifi prywatne" ssid=Piorun5
add channel.band=5ghz-a .width=20/40/80mhz country=Poland datapath.vlan-id=10 disabled=no mode=ap name="GUEST NETWORK" security="Guest network" security.authentication-types=wpa2-psk .disable-pmkid=yes .wps=disable
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-ax .width=20/40mhz configuration="Wifi konfig" configuration.mode=ap .ssid=Mikroboj2 disabled=no name=2 security="Wifi prywatne" security.authentication-types=wpa2-psk .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .group-encryption=ccmp
set [ find default-name=wifi1 ] channel.band=5ghz-ax .width=20/40/80mhz configuration="Wifi konfig" configuration.mode=ap .ssid=Mikromen5 disabled=no name=5 security="Wifi prywatne" security.authentication-types=wpa3-psk .encryption=ccmp,gcmp,ccmp-256,gcmp-256
add comment="virtual wifi interface for guest" configuration="GUEST NETWORK" configuration.mode=ap .ssid=MikroGuest datapath.bridge=LAN .interface-list=all .vlan-id=10 disabled=no interworking.internet=no mac-address=7A:9A:18:30:DE:D5 master-interface=5 name="Guest Network" security="Guest network" security.authentication-types=wpa2-psk
/ip pool
add name="PULA LAN " ranges=10.27.0.70-10.27.0.244
add name="guest pool" ranges=10.27.10.1-10.27.10.254
/ip dhcp-server
add add-arp=yes address-pool="PULA LAN " interface=LAN name=dhcp_ether2
add address-pool="guest pool" interface=GUEST_VLAN_10 name="guest network"
/interface bridge port
add bridge=WAN interface=ether1
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=5
add bridge=LAN interface=2
add bridge=LAN frame-types=admit-only-vlan-tagged interface="Guest Network" pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=LAN tagged="Guest Network,LAN" vlan-ids=10
/interface list member
add interface=ether2 list=mactel
/ip address
add address=10.27.0.11/24 interface=LAN network=10.27.0.0
add address=10.27.2.11/24 disabled=yes interface="WIREGUARD VPN" network=10.27.2.0
add address=10.27.10.0/24 interface=GUEST_VLAN_10 network=10.27.10.0
/ip dhcp-client
add interface=WAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.27.0.16 client-id=1:d8:3a:dd:8c:57:47 mac-address=D8:3A:DD:8C:57:47 server=dhcp_ether2
add address=10.27.0.15 client-id=1:74:40:bb:c9:5b:d mac-address=74:40:BB:C9:5B:0D server=dhcp_ether2
/ip dhcp-server network
add address=10.27.0.0/24 dns-server=10.27.0.16 gateway=10.27.0.11 netmask=24
add address=10.27.10.0/24 dns-server=1.1.1.1 gateway=10.27.10.0
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST " disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list wylacozne111111111111111" disabled=yes src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=input src-address=115.243.85.101
add action=drop chain=input src-address=188.166.226.191
# in/out-interface matcher not possible when interface (ether2) is slave - use master instead (LAN)
add action=accept chain=input comment="winbox" dst-port=8291 in-interface=ether2 protocol=tcp src-address-list=management
# in/out-interface matcher not possible when interface (ether2) is slave - use master instead (LAN)
add action=drop chain=input comment="blokuje wszystko poza ether2" dst-port=8291 in-interface=!ether2 protocol=tcp
add action=drop chain=forward dst-address=10.27.0.0/24 src-address=10.27.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN src-address=10.27.0.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub disabled=no
add directory=usb2 name=Pliczki
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input port=33434-33534 protocol=udp
add action=accept chain=input dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input ipsec-policy=in,ipsec
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward src-address-list=bad_ipv6
add action=drop chain=forward dst-address-list=bad_ipv6
add action=drop chain=forward hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward ipsec-policy=in,ipsec
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mactel
/tool mac-server ping
set enabled=no
Top
 
holvoetn
Forum Guru
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Guest network - vlan no internet access

Sun Mar 17, 2024 12:49 pm

It's rather confusing to use the same names for your bridges (WHY MULTIPLE ??) as for some key-interface lists.
WAN/ LAN
I strongly advise to rename them.
And only use 1 bridge.

Probably this part is in error:
Code: Select all
/interface bridge port
add bridge=LAN frame-types=admit-only-vlan-tagged interface="Guest Network" pvid=10
I believe that should be "admit only untagged and priority tagged".
That virtual wifi interface is an access port. So untagged.
Top
 
Bolendox
just joined
Topic Author
Posts: 6
Joined: Wed Mar 13, 2024 9:25 am

Re: Guest network - vlan no internet access

Sun Mar 17, 2024 7:34 pm

It's rather confusing to use the same names for your bridges (WHY MULTIPLE ??) as for some key-interface lists.
WAN/ LAN
I strongly advise to rename them.
And only use 1 bridge.

Probably this part is in error:
Code: Select all
/interface bridge port
add bridge=LAN frame-types=admit-only-vlan-tagged interface="Guest Network" pvid=10
I believe that should be "admit only untagged and priority tagged".
That virtual wifi interface is an access port. So untagged.
1. That is, I should have only lan bridge, and have WAN only as an interface I understand instead of bridge? So bridge I could do as if I have dual wan for example?
2. I've tried several different options and unfortunately it doesn't work. I did based on youtube video "Mikrotik ROS Guest Network using VLANs", but he did on an older version and the menu from WiFi looks completely different.
Top
 
neki
newbie
Posts: 33
Joined: Thu Sep 07, 2023 10:20 am

Re: Guest network - vlan no internet access  [SOLVED]

Sun Mar 17, 2024 10:02 pm

I think that you don't need VLANs at all, if your main goal is to have segregated wifi for guests, you just need firewall rule that will drop traffic between those networks. And even with VLANs you will have to separate them with firewall rule.

Another thing is, that you should "click" your way in Winbox, because your config is full of errors that couldn't be done via GUI.

Internet on guest network probobaly isn't working because of:
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN src-address=10.27.0.0/24
You specified src-address in your masquerade rule and your guest network does not fit in that rule. Simply remove the src-address.
Top
 
Bolendox
just joined
Topic Author
Posts: 6
Joined: Wed Mar 13, 2024 9:25 am

Re: Guest network - vlan no internet access

Mon Mar 18, 2024 6:00 pm

I think that you don't need VLANs at all, if your main goal is to have segregated wifi for guests, you just need firewall rule that will drop traffic between those networks. And even with VLANs you will have to separate them with firewall rule.

Another thing is, that you should "click" your way in Winbox, because your config is full of errors that couldn't be done via GUI.

Internet on guest network probobaly isn't working because of:
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN src-address=10.27.0.0/24
You specified src-address in your masquerade rule and your guest network does not fit in that rule. Simply remove the src-address.
thanks, src-address was the solution :)
What errors are you referring to exactly? Everything from what I remember I clicked in the gui
Top
 
CGGXANNX
Frequent Visitor
Frequent Visitor
Posts: 64
Joined: Thu Dec 21, 2023 6:45 pm

Re: Guest network - vlan no internet access

Mon Mar 18, 2024 7:35 pm

I think that you don't need VLANs at all, if your main goal is to have segregated wifi for guests, you just need firewall rule that will drop traffic between those networks. And even with VLANs you will have to separate them with firewall rule.
VLAN should still be used, because I am certain that OP would like for the devices to be separated at Layer 2 too. Otherwise, the rogue guests would still be able to sniff traffic, snoop ARP, setup fake DHCP server, etc...
Top
Post Reply

Who is online

Users browsing this forum: Pilo2710 and 12 guests
  4. RouterOS
  5. Beginner Basics