dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Wlan has no internet access but lan has internet access

Sat Jan 14, 2023 3:05 pm

Hi guys,
In continuation from this thread viewtopic.php?t=192493
I'm at a loss :?
The problem is that accessing from WLAN has no internet connection, but from LAN there is no issue.
Please find the config export below; I would appreciate a new set of eyes to see what I missed here.
# jan/14/2023 20:00:57 by RouterOS 6.49.7
# software id = T9PD-VUT8
#
# model = RB941-2nD
# serial number = HCR087MNR5P
/interface bridge
add name=Bridge_LAN
/interface list
add name=WAN
add name=Sys
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=E3User supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] country=indonesia disabled=no frequency=auto \
    installation=indoor mode=ap-bridge security-profile=E3User ssid=E3Cipanas
/ip pool
add name=LAN ranges=192.168.27.2-192.168.27.254
add name=Sys ranges=192.168.88.2-192.168.88.10
/ip dhcp-server
add add-arp=yes address-pool=LAN disabled=no interface=Bridge_LAN lease-time=\
    12h name=DHCP_LAN
add add-arp=yes address-pool=Sys disabled=no interface=ether4 name=DHCP_Sys
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=wlan1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=Sys
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=ether1 list=WAN
add interface=ether4 list=Sys
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
add interface=ether4 list=LAN
/ip address
add address=192.168.88.1/24 interface=ether4 network=192.168.88.0
add address=192.168.27.1/24 interface=Bridge_LAN network=192.168.27.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.27.1
add address=192.168.88.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input connection-state=new dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=192.168.27.0/24,192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=Marge
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
Thank you so very much
 
erlinden
Forum Guru
Posts: 2043
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Wlan has no internet access but lan has internet access

Sat Jan 14, 2023 3:08 pm

Do you get an IP address when connected through wireless?
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Sat Jan 14, 2023 3:21 pm

> Do you get an IP address when connected through wireless?

Yep, checked on my mobile phone, and in leases an IP address is assigned for my mobile phone in WLAN.
 
anav
Forum Guru
Posts: 19843
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wlan has no internet access but lan has internet access

Sat Jan 14, 2023 3:35 pm

(1) Any reason why you are doing this........ it's for advanced usage and not regular usage......... Suggesting remove it!!
/interface bridge settings
set use-ip-firewall=yes


(2) Change this to NONE this setting is not well known and has caused funny issues in the past......
/interface detect-internet
set detect-interface-list=WAN

(3) Let's look at the logic of your firewall rules......... ( by the way I like the drop rule as the last rule )

add action=accept chain=input connection-state=new dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input in-interface-list=LAN


First you let all lan users access to dns services only, on the router for protocol udp, but not for TCP ?
Then you let all lan users access to all ports on the router.

a. so the first rule would make no sense as the second rule allows the same thing and a lot more. { logic problem }
b. why are you letting all users full access to the router including config. { security problem }

MODIFY TO.
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"


Note1: Authorized is a firewall address list comprised of
a. admin IP address if on regular LAN ( optional )
b. admin IP address on sys LAN ( desktop )
c. admin IP address on sys LAN ( ipad/laptop )
d. admin IP address on wireguard remote warrior access ( optional )

Note2: wording new connection state is NOT required in the config.

Note3: The winbox addresses will not conflict as they are wider in scope and you refine them to particular IPs in firewall settings...... You may need to add a wireguard remote subnet if you decided you want to be able to access the router whilst away from on site, as you may have it setup on both an iphone and a laptop

(4) You have to decide what the purpose of sys LAN is?
Bit confusing at the moment because you don't have it labelled as your mac server mac-winbox interface list but you do have it for your neighbours discovery setting ? Just a tad inconsistent.
My recommendation, and assuming your sys lan is basically for having a separate safe way to config the router but you still want to be able to work from the regular LAN.........
Then simply change the IP neighbours discovery to LAN interface list as well!!

(5) I note that there is no routing between sys lan and regular LAN, as there is no allow rule for such and you have the proper drop all else rule at the end of the forward chain! :-)
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Sat Jan 14, 2023 4:42 pm

> (1) Any reason why you are doing this........ it's for advanced usage and not regular usage......... Suggesting remove it!!
> /interface bridge settings
> set use-ip-firewall=yes

Hi Anav, great to hear from you :D
This refers to the early research into why I couldn't get the LAN to have internet access: I came across a thread with this as a suggestion and gave it a try, when it seems that I forgot to add the “/ip dhcp-server network gateway=…”, silly me. So I removed this, and it's DONE!

> (2) Change this to NONE this setting is not well known and has caused funny issues in the past......
> /interface detect-internet
> set detect-interface-list=WAN

Done, set to none.

> (3) Let's look at the logic of your firewall rules......... ( by the way I like the drop rule as the last rule )

Yes, you should like the drop rules, I took them from the following viewtopic.php?t=180838 :D

> add action=accept chain=input connection-state=new dst-port=53 \
> in-interface-list=LAN protocol=udp
> add action=accept chain=input in-interface-list=LAN
>
> First you let all lan users access to dns services only, on the router for protocol udp, but not for TCP ?
> Then you let all lan users access to all ports on the router.
>
> a. so the first rule would make no sense as the second rule allows the same thing and a lot more. { logic problem }
> b. why are you letting all users full access to the router including config. { security problem }
>
> MODIFY TO.
> add action=accept chain=input src-address-list=Authorized
> add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
> add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
> add action=drop chain=input comment="drop all else"

Added:
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp

I haven't added the authorized list yet, as for now, as an admin, I would like to have the freedom to access the routerbox from any lan or wlan, and especially from ether 4 using MAC address if it comes to that.
Please cmiiw.

> Note1: Authorized is a firewall address list comprised of
> a. admin IP address if on regular LAN ( optional )
> b. admin IP address on sys LAN ( desktop )
> c. admin IP address on sys LAN ( ipad/laptop )
> d. admin IP address on wireguard remote warrior access ( optional )
>
> Note2: wording new connection state is NOT required in the config.
>
> Note3: The winbox addresses will not conflict as they are wider in scope and you refine them to particular IPs in firewall settings...... You may need to add a wireguard remote subnet if you decided you want to be able to access the router whilst away from on site, as you may have it setup on both an iphone and a laptop

My RB-941 is still running OS 6, I'm not sure if wireguard is available.

> (4) You have to decide what the purpose of sys LAN is?
> Bit confusing at the moment because you don't have it labelled as your mac server mac-winbox interface list but you do have it for your neighbours discovery setting ? Just a tad inconsistent.
> My recommendation, and assuming your sys lan is basically for having a separate safe way to config the router but you still want to be able to work from the regular LAN.........
> Then simply change the IP neighbours discovery to LAN interface list as well!!

Hmm... my logic is as follows: from LAN I am able to access using IP. Only from ether 4 am I able to access the router using IP and/or MAC address, just in case some clicking disables the bridge for all lan (it happens...).
But cmiiw if there is a better way.

> (5) I note that there is no routing between sys lan and regular LAN, as there is no allow rule for such and you have the proper drop all else rule at the end of the forward chain! :-)

Hmm... not sure I follow on this. So I should have a rule in the firewall to allow forward between sys lan & regular lan?
For my issue, using sys ethernet I am able to access the internet from both the ordinary lan under the bridge and the sys port.
I am unable to get internet access from wlan.
And I don't have any issue if I'm connected using sys & unable to ping or access other clients in the regular lan, if this rule is supposed to allow me to do so? Please cmiiw.

my latest config as follows and my mobile phone is still unable to access the internet
# jan/14/2023 21:40:01 by RouterOS 6.49.7
# software id = T9PD-VUT8
#
# model = RB941-2nD
# serial number = HCR087MNR5P
/interface bridge
add name=Bridge_LAN
/interface list
add name=WAN
add name=Sys
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=E3User supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] country=indonesia disabled=no frequency=auto \
    installation=indoor mode=ap-bridge security-profile=E3User ssid=E3Cipanas
/ip pool
add name=LAN ranges=192.168.27.2-192.168.27.254
add name=Sys ranges=192.168.88.2-192.168.88.10
add name=Wlan ranges=192.168.28.2-192.168.28.254
/ip dhcp-server
add add-arp=yes address-pool=LAN disabled=no interface=Bridge_LAN lease-time=\
    12h name=DHCP_LAN
add add-arp=yes address-pool=Sys disabled=no interface=ether4 name=DHCP_Sys
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=Sys
/interface list member
add interface=ether1 list=WAN
add interface=ether4 list=Sys
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
add interface=ether4 list=LAN
/ip address
add address=192.168.88.1/24 interface=ether4 network=192.168.88.0
add address=192.168.27.1/24 interface=Bridge_LAN network=192.168.27.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.27.1
add address=192.168.88.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.27.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=192.168.27.0/24,192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=Marge
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 19843
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wlan has no internet access but lan has internet access

Sat Jan 14, 2023 5:44 pm

What is the purpose of this rule. Get rid of it or disable it for now..........
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=192.168.27.0/24


I also don't understand your setup for wlan in terms of IP Pool, for troubleshooting purposes let's get rid of "strange" config items...

Namely this offending orphan
add name=Wlan ranges=192.168.28.2-192.168.28.254

you have one bridge with one IP pool..............
The bridge is defined in terms of pool, ip address, dhcp server and dhcp server-network.
I have no idea what the effect of that ip pool entry has but for now get rid of it or disable it as I suspect the wlan devices never get an IP address..................
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Sat Jan 14, 2023 6:00 pm

> What is the purpose of this rule. Get rid of it or disable it for now..........
> add action=masquerade chain=srcnat comment="masquerade hotspot network" \
> src-address=192.168.27.0/24
>
> I also don't understand your setup for wlan in terms of IP Pool, for troubleshooting purposes let's get rid of "strange" config items...
>
> Namely this offending orphan
> add name=Wlan ranges=192.168.28.2-192.168.28.254
>
> you have one bridge with one IP pool..............
> The bridge is defined in terms of pool, ip address, dhcp server and dhcp server-network.
> I have no idea what the effect of that ip pool entry has but for now get rid of it or disable it as I suspect the wlan devices never get an IP address..................

Sorry, I was trying out stuff randomly from the net, one of them WDS, which seems to be for AP-to-AP bridging; the setup automatically created what you mention :D
Everything connected to wlan seems not to have internet access, but from lan (any lan port) I am able to get access. Weird, is there something that I missed in creating wlan?
 
anav
Forum Guru
Posts: 19843
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wlan has no internet access but lan has internet access

Sat Jan 14, 2023 6:03 pm

Nope, it should work, you attached wlan to the bridge, and that's all that is needed.
So it would appear you've made an error in the wifi settings somewhere.

On my wifi there is not much to screw up.


Wireless Settings.
a. mode = ap bridge
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Sat Jan 14, 2023 6:17 pm

i'll try to separate the wlan from bridge, see if it makes any difference. will give it a try tomorrow.
 
anav
Forum Guru
Posts: 19843
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wlan has no internet access but lan has internet access

Sat Jan 14, 2023 6:26 pm

For what purpose, it's right to be on the bridge,
but review to see if your wifi settings are okay
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Sun Jan 15, 2023 5:01 am

> For what purpose, it's right to be on the bridge,
> but review to see if your wifi settings are okay

Well, I've separated the wlan, set its own dhcp, gateway & assigned a new address, and it works.
wlan is working, but somehow when under the bridge it is not working.

Does wlan need to be assigned its own IP?
# jan/15/2023 10:02:00 by RouterOS 6.49.7
# software id = T9PD-VUT8
#
# model = RB941-2nD
# serial number = HCR087MNR5P
/interface bridge
add name=Bridge_LAN
/interface list
add name=WAN
add name=Sys
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=E3User supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=indonesia disabled=no \
    frequency=2417 mode=ap-bridge security-profile=E3User ssid=E3Cipanas \
    wds-default-bridge=Bridge_LAN
/ip pool
add name=LAN ranges=192.168.27.10-192.168.27.254
add name=Sys ranges=192.168.88.2-192.168.88.10
add name=WLAN ranges=192.168.28.2-192.168.28.250
/ip dhcp-server
add add-arp=yes address-pool=LAN disabled=no interface=Bridge_LAN lease-time=\
    12h name=DHCP_LAN
add add-arp=yes address-pool=Sys disabled=no interface=ether4 name=DHCP_Sys
add address-pool=WLAN disabled=no interface=wlan1 name=DHCP_Wlan
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=Sys
/interface list member
add interface=ether1 list=WAN
add interface=ether4 list=Sys
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
add interface=ether4 list=LAN
/ip address
add address=192.168.88.1/24 interface=ether4 network=192.168.88.0
add address=192.168.27.1/24 interface=Bridge_LAN network=192.168.27.0
add address=192.168.28.1/24 interface=wlan1 network=192.168.28.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.27.1
add address=192.168.28.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.28.1
add address=192.168.88.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=192.168.27.0/24,192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=Marge
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Sun Jan 15, 2023 5:32 am

Anyway, this should suffice for now. At least both lan & wlan are now able to access the internet.
 
rumahnetmks
Frequent Visitor
Posts: 56
Joined: Mon Dec 21, 2020 10:00 am

Re: Wlan has no internet access but lan has internet access

Sun Jan 15, 2023 6:04 am

In the first post I see you include the wlan interface as a bridge port, but you want to set it to have a different IP network from the bridge network. Of course it doesn't work, since if you insist on making wlan a member of the bridge ports, you must use the bridge network to make it work.
I see your main goal is to make a different network for wlan users, so the workaround is to remove that wlan from the bridge ports and then set up its own network (which you did in your last config).
OR you can use VLAN. With VLAN, even if wlan is a member of the bridge ports, it can have its own network (different from the bridge network).

CMIIW
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Sun Jan 15, 2023 6:50 am

> In the first post I see you include the wlan interface as a bridge port, but you want to set it to have a different IP network from the bridge network. Of course it doesn't work, since if you insist on making wlan a member of the bridge ports, you must use the bridge network to make it work.
> I see your main goal is to make a different network for wlan users, so the workaround is to remove that wlan from the bridge ports and then set up its own network (which you did in your last config).
> OR you can use VLAN. With VLAN, even if wlan is a member of the bridge ports, it can have its own network (different from the bridge network).
>
> CMIIW

The first setup only has 1 IP network (27) within the bridge, and wlan is a member of the bridge. With this setup, LAN is able to get internet but WLAN doesn't get internet. The other network, IP 88, is assigned to another port, ether 4 (sys).

In the last post I then took wlan out of the bridge and set it up on its own; this solved the wlan getting internet access, but using a different network. lan is 27, wlan is 28.

I've read the other thread and other sources on setting up; the setup of wlan under 1 bridge should work, but not in my case though.
I've rebooted the router. Enabled and re-enabled bridges & wlan interface. Still nothing.
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Sun Jan 15, 2023 7:44 am

Well, this is another happy problem.

I want to create 2 SSIDs:
1 for IOT (192.168.28.0/24)
1 for Guest (192.168.29.0/24)

I tried to combine the 2 into 1 bridge; it doesn't work. Both IOT & Guest have no internet.
Unbridged both of them, set dhcp server, assigned address, added gateway & the whole shebang.
IOT as the main wlan is able to access the internet.
Guest: no luck with internet.
Below is my config; a fresh set of eyes is very much welcome. Thank you!
# jan/15/2023 14:39:50 by RouterOS 6.49.7
# software id = T9PD-VUT8
#
# model = RB941-2nD
# serial number = HCR087MNR5P
/interface bridge
add name=Bridge_LAN
/interface list
add name=WAN
add name=Sys
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=E3User supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=E3IOT \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=indonesia disabled=no \
    frequency=2472 mode=ap-bridge security-profile=E3IOT ssid=E3IOT \
    wds-default-bridge=Bridge_LAN
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:39:10:18 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2 ssid=\
    E3Cipanas wds-cost-range=0 wds-default-cost=0 wps-mode=push-button-5s
/ip hotspot profile
set [ find default=yes ] hotspot-address=192.168.27.1
/ip pool
add name=LAN ranges=192.168.27.10-192.168.27.250
add name=Sys ranges=192.168.88.2-192.168.88.10
add name=wlan_IOT ranges=192.168.28.10-192.168.28.250
add name=wlan_guest ranges=192.168.29.10-192.168.29.250
/ip dhcp-server
add add-arp=yes address-pool=LAN disabled=no interface=Bridge_LAN lease-time=\
    12h name=DHCP_LAN
add add-arp=yes address-pool=Sys disabled=no interface=ether4 name=DHCP_Sys
add add-arp=yes address-pool=wlan_IOT disabled=no interface=wlan1 lease-time=\
    12h name=DHCP_WLANIIOT
add add-arp=yes address-pool=wlan_guest disabled=no interface=wlan2 \
    lease-time=12h name=DHCP_WLANGuest
/ip hotspot
add address-pool=wlan_IOT interface=wlan2 name=HotSpot_Server
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=Sys
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=ether1 list=WAN
add interface=ether4 list=Sys
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
add interface=ether4 list=LAN
add list=LAN
/ip address
add address=192.168.88.1/24 interface=ether4 network=192.168.88.0
add address=192.168.27.1/24 interface=Bridge_LAN network=192.168.27.0
add address=192.168.28.1/24 interface=wlan1 network=192.168.28.0
add address=192.168.29.1/24 interface=wlan2 network=192.168.29.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.27.1
add address=192.168.28.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.28.1
add address=192.168.29.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.29.1
add address=192.168.88.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot user
add name=E3Guest server=HotSpot_Server
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=\
    192.168.27.0/24,192.168.28.0/24,192.168.29.0/24,192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Jayapura
/system identity
set name=Marge
/system logging
add topics=wireless
add topics=dhcp
add topics=bridge
add topics=dns
add topics=error
add topics=hotspot
add topics=interface
add topics=wireless
add topics=firewall
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 19843
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wlan has no internet access but lan has internet access

Sun Jan 15, 2023 3:20 pm

Very annoying you keep changing the requirements, which tells me you don't know what you want LOL.
Having multiple SSIDs with different groups of users is a totally different scenario. :-) Will look at this later..
 
rumahnetmks
Frequent Visitor
Posts: 56
Joined: Mon Dec 21, 2020 10:00 am

Re: Wlan has no internet access but lan has internet access

Sun Jan 15, 2023 3:58 pm

For many networks managed inside a MikroTik router, just a suggestion to use Bridge VLAN Filtering, bro. Nothing wrong with not using VLANs, but with VLANs it's more convenient and expandable in future.
For myself, I only keep one ethernet port that is not a member port of the default bridge, just for backup emergency access ONLY, in case I accidentally can't access the router (config mistake or anything).

I have been there, since I learned MikroTik only from tutorials around. At that time, like this, adding a new network segment meant releasing that ethernet port from the default bridge, so I could set a DHCP server on that port since it's not a slave port anymore.

Back to your settings, I see wlan2 (Guest) is a slave of wlan1 (IOT). As far as I know, a slave interface can't have its own DHCP server?
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=indonesia disabled=no frequency=2472 mode=ap-bridge security-profile=E3IOT ssid=E3IOT wds-default-bridge=Bridge_LAN
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:39:10:18 master-interface=wlan1 multicast-buffering=disabled name=wlan2 ssid=E3Cipanas wds-cost-range=0 wds-default-cost=0 wps-mode=push-button-5s
That's why from the start I encouraged you to use VLANs. For an ethernet port you can simply make that port leave the default bridge as a member port, since it's a physical port. But for your hAP-Lite? That wlan2 is a VIRTUAL WLAN, not another physical wlan. Wlan2 is a virtual interface which is a slave of its master wlan1.

Then the hotspot?
/ip hotspot profile set [ find default=yes ] hotspot-address=192.168.27.1
/ip pool add name=LAN ranges=192.168.27.10-192.168.27.250
add name=Sys ranges=192.168.88.2-192.168.88.10
add name=wlan_IOT ranges=192.168.28.10-192.168.28.250
add name=wlan_guest ranges=192.168.29.10-192.168.29.250
/ip dhcp-server add add-arp=yes address-pool=LAN disabled=no interface=Bridge_LAN lease-time=12h name=DHCP_LAN
add add-arp=yes address-pool=Sys disabled=no interface=ether4 name=DHCP_Sys
add add-arp=yes address-pool=wlan_IOT disabled=no interface=wlan1 lease-time=12h name=DHCP_WLANIIOT
add add-arp=yes address-pool=wlan_guest disabled=no interface=wlan2 lease-time=12h name=DHCP_WLANGuest
/ip hotspot add address-pool=wlan_IOT interface=wlan2 name=HotSpot_Server

The hotspot server has interface=wlan2 address-pool=wlan_IOT,
while the DHCP section adds address pool wlan_IOT on interface=wlan1 :shock:
then hotspot profile set [ find default=yes ] hotspot-address=192.168.27.1, which is the DHCP_LAN address :shock:
I'm really confused.

CMIIW.
Last edited by rumahnetmks on Sun Jan 15, 2023 4:28 pm, edited 1 time in total.
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Sun Jan 15, 2023 4:10 pm

Lol
My thinking was to at least get all LAN and WLAN getting internet access, then start exploring this multi-SSID thingy.

Anyway, I managed to get it all in 1 bridge; I've used the default configuration that comes with the router. Strangely, it all works under 1 bridge.

Now I am able to get 2 SSIDs up. Without VLAN tho. Will spare some time to explore the VLAN setup.
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Sun Jan 15, 2023 4:13 pm

Yep2, gonna spare some time to explore the VLAN.
And yes, the wlan2 virtual interface can't be assigned a DHCP server; found this out the hard way when I tried to set up a hotspot hahhaa.

So yes, the next step is gonna have to be exploring VLAN. For now this should be suitable until I have the time and focus to explore more.
 
rumahnetmks
Frequent Visitor
Posts: 56
Joined: Mon Dec 21, 2020 10:00 am

Re: Wlan has no internet access but lan has internet access

Sun Jan 15, 2023 4:42 pm

With the default config, all interfaces are in the bridge (except ether1 as WAN) and the DHCP server is on the bridge interface. All clients get default Bridge network IPs, so they must be able to connect to the internet.
Of course an SSID, even one that is a slave interface, as long as it's a port of that default Bridge, can surely get Bridge network IPs and get internet.

All your trouble before happened because you wanted those slave interfaces to have their own network IPs, different from the default Bridge IPs, without using VLANs but using routed interfaces.
 
anav
Forum Guru
Posts: 19843
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wlan has no internet access but lan has internet access  [SOLVED]

Sun Jan 15, 2023 10:52 pm

You still have that setting I informed you to get rid of, it does nothing. In interface list members!!!
add list=LAN

/interface bridge
# Add as last step in config
add name=Bridge_LAN vlan-filtering=yes
/interface vlan
add interface=Bridge_LAN name=vlanHOME27 vlan-id=27
add interface=Bridge_LAN name=vlanSYS88 vlan-id=88
add interface=Bridge_LAN name=vlanIOT28 vlan-id=28
add interface=Bridge_LAN name=vlanGUEST29 vlan-id=29
# no need seen thus far for a separate interface list of sys, but an Admin list makes sense!
/interface list
add name=WAN
add name=LAN
add name=Admin
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
dynamic-keys name=E3User supplicant-identity="" unicast-ciphers=\
tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=E3IOT \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=indonesia disabled=no \
frequency=2472 mode=ap-bridge security-profile=E3IOT ssid=E3IOT
# REMOVED bridge from wireless setting
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:39:10:18 \
master-interface=wlan1 multicast-buffering=disabled name=wlan2 ssid=\
E3Cipanas wds-cost-range=0 wds-default-cost=0 wps-mode=push-button-5s
/ip hotspot profile
set [ find default=yes ] hotspot-address=192.168.28.1
# hotspot is now on vlanIOT28
/ip pool
add name=LAN ranges=192.168.27.10-192.168.27.250
add name=Sys ranges=192.168.88.2-192.168.88.10
add name=wlan_IOT ranges=192.168.28.10-192.168.28.250
add name=wlan_guest ranges=192.168.29.10-192.168.29.250

# removed arp settings here, no reason provided for using them
/ip dhcp-server
add address-pool=LAN disabled=no interface=vlanHOME27 lease-time=\
12h name=DHCP_LAN
add address-pool=Sys disabled=no interface=vlanSYS88 name=DHCP_Sys
add address-pool=wlan_IOT disabled=no interface=vlanIOT28 lease-time=\
12h name=DHCP_WLANIIOT
add address-pool=wlan_guest disabled=no interface=vlanGUEST29 \
lease-time=12h name=DHCP_WLANGuest
/ip hotspot
add address-pool=wlan_IOT interface=vlanIOT28 name=HotSpot_Server
/interface bridge port
add bridge=Bridge_LAN interface=ether2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=27
add bridge=Bridge_LAN interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=27
add bridge=Bridge_LAN interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=88
add bridge=Bridge_LAN interface=wlan1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=28
add bridge=Bridge_LAN interface=wlan2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=29
/interface bridge vlan
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=ether2,ether3 vlan-ids=27
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=ether4 vlan-ids=88
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=wlan1 vlan-ids=28
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=wlan2 vlan-ids=29

/ip neighbor discovery-settings
set discover-interface-list=Admin

/interface detect-internet
set detect-interface-list=none
/interface list member
add interface=ether1 list=WAN

add interface=vlanHOME27 list=LAN
add interface=vlanSYS88 list=LAN
add interface=vlanIOT28 list=LAN
add interface=vlanGUEST29 list=LAN
add interface=vlanHOME27 list=Admin
add interface=vlanSYS88 list=Admin

/ip address
add address=192.168.88.1/24 interface=vlanSYS88 network=192.168.88.0
add address=192.168.27.1/24 interface=vlanHOME27 network=192.168.27.0
add address=192.168.28.1/24 interface=vlanIOT28 network=192.168.28.0
add address=192.168.29.1/24 interface=vlanGUEST29 network=192.168.29.0
/ip dhcp-client
add disabled=no interface=ether1

/ip dhcp-server network
add address=192.168.27.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
gateway=192.168.27.1
add address=192.168.28.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
gateway=192.168.28.1
add address=192.168.29.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
gateway=192.168.29.1
add address=192.168.88.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment="allow admin access" in-interface-list=Admin
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot user
add name=E3Guest server=HotSpot_Server
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes

# NO, guests and IOT should not have access !!!!
set winbox address=192.168.27.0/24,192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Jayapura
/system identity
set name=Marge
/system logging
add topics=wireless
add topics=dhcp
add topics=bridge
add topics=dns
add topics=error
add topics=hotspot
add topics=interface
add topics=wireless
add topics=firewall
/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
/tool mac-server ping
set enabled=no
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Mon Jan 16, 2023 1:23 am

Thanks for this anav, will give it a shot and update here.
 
anav
Forum Guru
Posts: 19843
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wlan has no internet access but lan has internet access

Mon Jan 16, 2023 1:41 am

I noted one error, which means there could be others. :-(
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN

Should be
/tool mac-server mac-winbox
set allowed-interface-list=Admin
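
The name-case slip corrected above, and the Winbox allow-list that was narrowed to the admin subnets, can both be checked mechanically before a config is imported. This is an added example, not code from the thread or from MikroTik: a small Python linter whose function names, finding labels and constructed SAMPLE are illustrative assumptions, and which assumes the management interface list is called Admin.

```python
import ipaddress
import re

BUILTIN_LISTS = {"all", "none", "dynamic", "static"}

# Constructed sample in the style of the config above (not the poster's full export).
SAMPLE = """\
/interface bridge
add name=Bridge_LAN vlan-filtering=yes
/interface vlan
add interface=Bridge_LAN name=vlanHOME27 vlan-id=27
add interface=Bridge_LAN name=vlanGUEST29 vlan-id=29
/interface list
add name=LAN
add name=Admin
/interface bridge vlan
add bridge=Bridge_LAN tagged=Bridge_Lan untagged=ether2,ether3 vlan-ids=27
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=wlan2 vlan-ids=29
/interface list member
add interface=vlanHOME27 list=Admin
add interface=vlanGUEST29 list=LAN
/ip address
add address=192.168.27.1/24 interface=vlanHOME27 network=192.168.27.0
add address=192.168.29.1/24 interface=vlanGUEST29 network=192.168.29.0
/ip service
set winbox address=192.168.27.0/24,192.168.29.0/24
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
"""


def parse_export(text):
    """Parse a RouterOS export into (section, verb, {key: value}) rows."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)        # join '\' line continuations
    rows, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        rest = re.sub(r"\[[^\]]*\]", "", rest).strip()  # drop "[ find ... ]" selectors
        pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)', rest)
        args = {k: v.strip('"') for k, v in pairs}
        first = rest.split(" ", 1)[0]
        args["_item"] = first if "=" not in first else ""  # "winbox" in "set winbox ..."
        rows.append((section, verb, args))
    return rows


def case_hint(name, defined):
    """Return the defined name that differs from `name` only by case, else None."""
    if name in defined:
        return None
    return next((d for d in sorted(defined) if d.lower() == name.lower()), None)


def lint(text, admin_list="Admin"):
    """Return findings as (kind, where, value, suggested_name_or_None) tuples."""
    rows = parse_export(text)
    adds = lambda sec: [a for s, v, a in rows if s == sec and v == "add"]
    ifaces = {a["name"] for sec in ("/interface bridge", "/interface vlan",
                                    "/interface wireless")
              for a in adds(sec) if "name" in a}
    lists = {a["name"] for a in adds("/interface list")} | BUILTIN_LISTS
    findings = []

    # 1. Names are case-sensitive: flag interface references that match a defined
    #    name only when case is ignored, and interface lists that do not exist.
    #    Names with no near match (ether2, wlan2) are assumed to be real ports.
    for section, _, args in rows:
        for key, value in args.items():
            names = [n.lstrip("!") for n in value.split(",") if n]
            if key.endswith("interface-list") or (
                    key == "list" and section == "/interface list member"):
                findings += [("unknown-list", section, n, case_hint(n, lists))
                             for n in names if n not in lists]
            elif key in ("interface", "bridge", "tagged", "untagged"):
                findings += [("case-mismatch", section, n, case_hint(n, ifaces))
                             for n in names if case_hint(n, ifaces)]

    # 2. A service allow-list should only contain subnets whose interface is a
    #    member of the admin list (guest and IoT subnets must not appear).
    admin_ifaces = {m.get("interface") for m in adds("/interface list member")
                    if m.get("list") == admin_list}
    admin_nets = [ipaddress.ip_interface(a["address"]).network
                  for a in adds("/ip address") if a.get("interface") in admin_ifaces]
    for section, verb, args in rows:
        if section == "/ip service" and verb == "set" and args.get("address"):
            for cidr in args["address"].split(","):
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                if not any(net.version == n.version and net.subnet_of(n)
                           for n in admin_nets):
                    findings.append(("mgmt-exposed", f"/ip service {args['_item']}",
                                     cidr, None))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
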
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Mon Jan 16, 2023 5:45 am

Thank you again & no worries, I'll double check when implementing it.
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: Wlan has no internet access but lan has internet access

Mon Jan 16, 2023 8:52 am

Thank you Anav,

the config works very well :D :lol:,
I've switched around the hotspot from IOT to guests tho

# jan/16/2023 13:47:38 by RouterOS 6.49.7
# software id = T9PD-VUT8

# model = RB941-2nD
# serial number = HCR087MNR5P
/interface bridge
add name=Bridge_LAN vlan-filtering=yes
/interface vlan
add interface=Bridge_LAN name=vlanAdmin88 vlan-id=88
add interface=Bridge_LAN name=vlanGUEST29 vlan-id=29
add interface=Bridge_LAN name=vlanHOME27 vlan-id=27
add interface=Bridge_LAN name=vlanIOT28 vlan-id=28
/interface list
add name=WAN
add name=LAN
add name=Admin
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=E3User supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=E3IOT supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=indonesia disabled=no \
    frequency=2472 mode=ap-bridge security-profile=E3IOT ssid=E3IOT
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:39:10:18 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2 \
    security-profile=E3User ssid=E3Guest wds-cost-range=0 wds-default-cost=0 \
    wps-mode=push-button-5s
/ip hotspot profile
set [ find default=yes ] hotspot-address=192.168.29.1
/ip pool
add name=LAN ranges=192.168.27.10-192.168.27.250
add name=Admin ranges=192.168.88.2-192.168.88.10
add name=wlan_IOT ranges=192.168.28.10-192.168.28.250
add name=wlan_guest ranges=192.168.29.10-192.168.29.250
/ip dhcp-server
add address-pool=LAN disabled=no interface=vlanHOME27 lease-time=12h name=\
    DHCP_LAN
add address-pool=Admin disabled=no interface=vlanAdmin88 name=DHCP_Admin
add address-pool=wlan_IOT disabled=no interface=vlanIOT28 lease-time=12h \
    name=DHCP_WLANIIOT
add address-pool=wlan_guest disabled=no interface=vlanGUEST29 lease-time=12h \
    name=DHCP_WLANGuest
/ip hotspot
add address-pool=wlan_guest disabled=no interface=vlanGUEST29 name=\
    HotSpot_Server
/queue tree
add bucket-size=0.01 max-limit=12M name=UP parent=ether1 queue=default
add name="1. VOIP_" packet-mark=VOIP parent=UP priority=1 queue=default
add name="2. DNS_" packet-mark=DNS parent=UP priority=2 queue=default
add name="3. ACK_" packet-mark=ACK parent=UP priority=3 queue=default
add name="4. UDP_" packet-mark=UDP parent=UP priority=3 queue=default
add name="5. ICMP_" packet-mark=ICMP parent=UP priority=4 queue=default
add name="6. HTTP_" packet-mark=HTTP parent=UP priority=5 queue=default
add name="7. HTTP_BIG_" packet-mark=HTTP_BIG parent=UP priority=6 queue=\
    default
add name="8. QUIC_" packet-mark=QUIC parent=UP priority=7 queue=default
add bucket-size=0.01 max-limit=12M name=DOWN parent=Bridge_LAN queue=default
add name="1. VOIP" packet-mark=VOIP parent=DOWN priority=1 queue=default
add name="2. DNS" packet-mark=DNS parent=DOWN priority=2 queue=default
add name="3. ACK" packet-mark=ACK parent=DOWN priority=3 queue=default
add name="4. UDP" packet-mark=UDP parent=DOWN priority=3 queue=default
add name="5. ICMP" packet-mark=ICMP parent=DOWN priority=4 queue=default
add name="6. HTTP" packet-mark=HTTP parent=DOWN priority=5 queue=default
add name="7. HTTP_BIG" packet-mark=HTTP_BIG parent=DOWN priority=6 queue=\
    default
add name="8. QUIC" packet-mark=QUIC parent=DOWN priority=7 queue=default
add name="9. OTHER" packet-mark=OTHER parent=DOWN queue=default
/interface bridge port
add bridge=Bridge_LAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=27
add bridge=Bridge_LAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=27
add bridge=Bridge_LAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=88
add bridge=Bridge_LAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=28
add bridge=Bridge_LAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=29
/ip neighbor discovery-settings
set discover-interface-list=Admin
/interface bridge vlan
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=ether2,ether3 vlan-ids=27
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=ether4 vlan-ids=88
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=wlan1 vlan-ids=28
add bridge=Bridge_LAN tagged=Bridge_LAN untagged=wlan2 vlan-ids=29
/interface list member
add interface=ether1 list=WAN
add interface=vlanHOME27 list=LAN
add interface=vlanAdmin88 list=LAN
add interface=vlanIOT28 list=LAN
add interface=vlanGUEST29 list=LAN
add interface=vlanHOME27 list=Admin
add interface=vlanAdmin88 list=Admin
/ip address
add address=192.168.88.1/24 interface=vlanAdmin88 network=192.168.88.0
add address=192.168.27.1/24 interface=vlanHOME27 network=192.168.27.0
add address=192.168.28.1/24 interface=vlanIOT28 network=192.168.28.0
add address=192.168.29.1/24 interface=vlanGUEST29 network=192.168.29.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.27.1
add address=192.168.28.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.28.1
add address=192.168.29.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.29.1
add address=192.168.88.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow admin access" in-interface-list=\
    Admin
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot user
add name=E3Guest server=HotSpot_Server
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.27.0/24,192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=Marge
/system scheduler
add interval=10m name=SystemStateScheduler on-event=TelegramSystemState \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add comment="jan/02/1970 00:00:32" interval=1m name=LogToTG-FailedLogin \
    on-event=LogToTG-FailedLogin policy=read,write,policy,test start-time=\
    startup
add comment="jan/16/2023 13:44:06" interval=1m name=LogToTG-SuccessLogin \
    on-event=LogToTG-SuccessLogin policy=read,write,policy,test start-time=\
    startup
add name=SendReportAfterReboot on-event=\
    ":delay 60\r\
    \n/system script run ReportGenerationRouterBoot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=12h name=UpdatePackageChecker on-event=NotifTGRouterOSUpdate \
    policy=read,write,policy,test start-time=startup
add comment="jan/16/2023 00:14:36" disabled=yes interval=3h name=LogToEmail \
    on-event=SendingLogToEmail policy=read,write,policy,test start-time=\
    startup
/system script
add dont-require-permissions=yes name=TGBotSenderScript owner=Seno@E3 policy=\
    read,write,policy,test source=":local BotToken \"XXX\";\r\
    \n:local ChatID \"-1001781133257\";\r\
    \n:local ParseMode \"html\";\r\
    \n:local DisableWebPagePreview True;\r\
    \n:local SendText \$MessageText;\r\
    \n\r\
    \n:local tgUrl \"https://api.telegram.org/bot\$BotToken/sendMessage\\\?cha\
    t_id=\$ChatID&text=\$SendText&parse_mode=\$ParseMode&disable_web_page_prev\
    iew=\$DisableWebPagePreview\";\r\
    \n\r\
    \n/tool fetch http-method=get url=\$tgUrl output=none;"
add dont-require-permissions=no name=SendingLogToTelegram owner=E3 policy=\
    read,write,policy,test source="# BEGIN SETUP\r\
    \n#Change this to the name of your schedule (the date/time stamp is saved \
    in the schedule's comment).\r\
    \n:local scheduleName \"GeneralLogToTelegram\"\r\
    \n\r\
    \n#Get System Name\r\
    \n:local DeviceName [/system identity get name];\r\
    \n\r\
    \n#This currently detects two strings. It can be changed to more or less s\
    trings if desired. Remove: || message~\"login failure\" if you only want t\
    o use one string, or if you want more strings, add this same code at the e\
    nd (but before the last two end brackets).\r\
    \n:local startBuf [:toarray [/log find topics~\"error\" || topics~\"critic\
    al\" || topics~\"system\" || topics~\"script\" || topics~\"gsm\" || topics\
    ~\"interface\" || topic~\"pppoe\" || topic~\"system\"]]\r\
    \n\r\
    \n#Edit the quoted items for strings you want to be filtered out of the re\
    sults. For example, if you want all \"logged in\" logs found, but you do n\
    ot want any of the \"logged in via telnet\" logs included, simply include \
    the word \"telnet\" in the array and these logs will be excluded. Double q\
    uote additional strings and separate them with semi-colons. If you don't w\
    ant any logs filtered, simply declare the variable :local removeThese with\
    out any curly braces. curly braces sample as follow {\"testing\";\"whateve\
    r string you want\"}\r\
    \n:local removeThese {\"login\";\"logged\";\"2admin\";\"LOGMON\"}\r\
    \n\r\
    \n# END SETUP\r\
    \n# warn if schedule does not exist\r\
    \n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\
    \n  /log warning \"[LOGMON] ERROR: Schedule does not exist. Create schedul\
    e and edit script to match name\"\r\
    \n}\r\
    \n# get last time\r\
    \n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] co\
    mment]\r\
    \n# for checking time of each log entry\r\
    \n:local currentTime\r\
    \n# log message\r\
    \n:local message\r\
    \n# final output\r\
    \n:local output\r\
    \n:local keepOutput false\r\
    \n# if lastTime is empty, set keepOutput to true\r\
    \n:if ([:len \$lastTime] = 0) do={\r\
    \n  :set keepOutput true\r\
    \n}\r\
    \n:local counter 0\r\
    \n# loop through all log entries that have been found\r\
    \n:foreach i in=\$startBuf do={\r\
    \n# loop through all removeThese array items\r\
    \n  :local keepLog true\r\
    \n  :foreach j in=\$removeThese do={\r\
    \n#   if this log entry contains any of them, it will be ignored\r\
    \n    :if ([/log get \$i message] ~ \"\$j\") do={\r\
    \n      :set keepLog false\r\
    \n    }\r\
    \n  }\r\
    \n  :if (\$keepLog = true) do={\r\
    \n   :set message [/log get \$i message]\r\
    \n#   LOG DATE\r\
    \n#   depending on log date/time, the format may be different. 3 known for\
    mats\r\
    \n#   format of jan/01/2002 00:00:00 which shows up at unknown date/time. \
    Using as default\r\
    \n    :set currentTime [ /log get \$i time ]\r\
    \n#   format of 00:00:00 which shows up on current day's logs\r\
    \n   :if ([:len \$currentTime] = 8 ) do={\r\
    \n     :set currentTime ([:pick [/system clock get date] 0 11].\" \".\$cur\
    rentTime)\r\
    \n    } else={\r\
    \n#     format of jan/01 00:00:00 which shows up on previous day's logs\r\
    \n     :if ([:len \$currentTime] = 15 ) do={\r\
    \n        :set currentTime ([:pick \$currentTime 0 6].\"/\".[:pick [/syste\
    m clock get date] 7 11].\" \".[:pick \$currentTime 7 15])\r\
    \n      }\r\
    \n   }\r\
    \n#   if keepOutput is true, add this log entry to output\r\
    \n   :if (\$keepOutput = true) do={\r\
    \n     :set output (\$output.\$currentTime.\" \".\$message.\"%0A%0A %E2%84\
    %B9 \")\r\
    \n   }\r\
    \n#   if currentTime = lastTime, set keepOutput so any further logs found \
    will be added to output\r\
    \n#   reset output in the case we have multiple identical date/time entrie\
    s in a row as the last matching logs\r\
    \n#   otherwise, it would stop at the first found matching log, thus all f\
    ollowing logs would be output\r\
    \n    :if (\$currentTime = \$lastTime) do={\r\
    \n     :set keepOutput true\r\
    \n     :set output \"\"\r\
    \n   }\r\
    \n  }\r\
    \n#   if this is last log entry\r\
    \n  :if (\$counter = ([:len \$startBuf]-1)) do={\r\
    \n#   If keepOutput is still false after loop, this means lastTime has a v\
    alue, but a matching currentTime was never found.\r\
    \n#   This can happen if 1) The router was rebooted and matching logs stor\
    ed in memory were wiped, or 2) An item is added\r\
    \n#   to the removeThese array that then ignores the last log that determi\
    ned the lastTime variable.\r\
    \n#   This resets the comment to nothing. The next run will be like the fi\
    rst time, and you will get all matching logs\r\
    \n   :if (\$keepOutput = false) do={\r\
    \n#     if previous log was found, this will be our new lastTime entry    \
    \_ \r\
    \n     :if ([:len \$message] > 0) do={\r\
    \n        :set output (\$output.\$currentTime.\" \".\$message.\"%0A%0A %E2\
    %84%B9 \")\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n  :set counter (\$counter + 1)\r\
    \n}\r\
    \n# If we have output, save new date/time, and send email\r\
    \nif ([:len \$output] > 0) do={\r\
    \n  /system scheduler set [find name=\"\$scheduleName\"] comment=\$current\
    Time\r\
    \n  \r\
    \n#to get ouput value to be printed\r\
    \n#:log info \"value is: \$output\"\r\
    \n  \r\
    \n  :local MessageText \"%F0%9F%A4%96 <b>\$DeviceName: </b>General Logs Re\
    port %0A%0A %E2%84%B9 \$output\";\r\
    \n   \r\
    \n#get TGBotSenderScript to send\r\
    \n  :local SendTelegramMessage [:parse [/system script get TGBotSenderScri\
    pt source]];\r\
    \n  \$SendTelegramMessage MessageText=\$MessageText;\r\
    \n  /log info \"[LOGMON] New <b>General</b> logs found, sending Telegram M\
    essage\"\r\
    \n}"
add dont-require-permissions=no name=TelegramSystemState owner=Seno@E3 \
    policy=read,write,policy,test source=":local DeviceName [/system identity \
    get name];\r\
    \n:local freemem ([/system resource get free-memory] / 1024 / 1024);\r\
    \n:local totmem ([/system resource get total-memory] / 1024 / 1024);\r\
    \n:local freehddspace ([/system resource get free-hdd-space] / 1024 / 1024\
    );\r\
    \n:local totalhddspace ([/system resource get total-hdd-space] / 1024 / 10\
    24);\r\
    \n:local cpuload ([/system resource get cpu-load]);\r\
    \n:local up ([/system resource get uptime]);\r\
    \n\r\
    \n:local MessageText \"%F0%9F%A4%96  <b>\$DeviceName:<u> System Status</u>\
    </b> %0A%E2%8C%9B <b> CPU = </b><i>\$cpuload % </i>  %0A%F0%9F%90%8F <b> F\
    ree Ram =  </b><i>\$freemem / \$totmem MB</i> %0A%F0%9F%93%80  <b>Free Spa\
    ce = </b><i>\$freehddspace / \$totalhddspace</i> %0A%E2%8F%B0 <b> Uptime =\
    \_</b><i>\$up</i>\"\r\
    \n\r\
    \n#get TGBotSenderScript to send\r\
    \n:local SendTelegramMessage [:parse [/system script  get TGBotSenderScrip\
    t source]];\r\
    \n\$SendTelegramMessage MessageText=\$MessageText;"
add dont-require-permissions=yes name=LogToTG-FailedLogin owner=E3 policy=\
    read,write,policy,test source="# BEGIN SETUP\r\
    \n#Change this to the name of your schedule (the date/time stamp is saved \
    in the schedule's comment).\r\
    \n:local scheduleName \"LogToTG-FailedLogin\"\r\
    \n\r\
    \n#Get System Name\r\
    \n:local DeviceName [/system identity get name];\r\
    \n\r\
    \n#This currently detects two strings. It can be changed to more or less s\
    trings if desired. Remove: || message~\"login failure\" if you only want t\
    o use one string, or if you want more strings, add this same code at the e\
    nd (but before the last two end brackets).\r\
    \n:local startBuf [:toarray [/log find where topics~\"critical\" || messag\
    e~\"login\"]]\r\
    \n\r\
    \n#Edit the quoted items for strings you want to be filtered out of the re\
    sults. For example, if you want all \"logged in\" logs found, but you do n\
    ot want any of the \"logged in via telnet\" logs included, simply include \
    the word \"telnet\" in the array and these logs will be excluded. Double q\
    uote additional strings and separate them with semi-colons. If you don't w\
    ant any logs filtered, simply declare the variable :local removeThese with\
    out any curly braces. curly braces sample as follow {\"testing\";\"whateve\
    r string you want\"}\r\
    \n:local removeThese\r\
    \n\r\
    \n# END SETUP\r\
    \n# warn if schedule does not exist\r\
    \n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\
    \n  /log warning \"[LOGMON] ERROR: Schedule does not exist. Create schedul\
    e and edit script to match name\"\r\
    \n}\r\
    \n# get last time\r\
    \n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] co\
    mment]\r\
    \n# for checking time of each log entry\r\
    \n:local currentTime\r\
    \n# log message\r\
    \n:local message\r\
    \n# final output\r\
    \n:local output\r\
    \n:local keepOutput false\r\
    \n# if lastTime is empty, set keepOutput to true\r\
    \n:if ([:len \$lastTime] = 0) do={\r\
    \n  :set keepOutput true\r\
    \n}\r\
    \n:local counter 0\r\
    \n# loop through all log entries that have been found\r\
    \n:foreach i in=\$startBuf do={\r\
    \n# loop through all removeThese array items\r\
    \n  :local keepLog true\r\
    \n  :foreach j in=\$removeThese do={\r\
    \n#   if this log entry contains any of them, it will be ignored\r\
    \n    :if ([/log get \$i message] ~ \"\$j\") do={\r\
    \n      :set keepLog false\r\
    \n    }\r\
    \n  }\r\
    \n  :if (\$keepLog = true) do={\r\
    \n   :set message [/log get \$i message]\r\
    \n#   LOG DATE\r\
    \n#   depending on log date/time, the format may be different. 3 known for\
    mats\r\
    \n#   format of jan/01/2002 00:00:00 which shows up at unknown date/time. \
    Using as default\r\
    \n    :set currentTime [ /log get \$i time ]\r\
    \n#   format of 00:00:00 which shows up on current day's logs\r\
    \n   :if ([:len \$currentTime] = 8 ) do={\r\
    \n     :set currentTime ([:pick [/system clock get date] 0 11].\" \".\$cur\
    rentTime)\r\
    \n    } else={\r\
    \n#     format of jan/01 00:00:00 which shows up on previous day's logs\r\
    \n     :if ([:len \$currentTime] = 15 ) do={\r\
    \n        :set currentTime ([:pick \$currentTime 0 6].\"/\".[:pick [/syste\
    m clock get date] 7 11].\" \".[:pick \$currentTime 7 15])\r\
    \n      }\r\
    \n   }\r\
    \n#   if keepOutput is true, add this log entry to output\r\
    \n   :if (\$keepOutput = true) do={\r\
    \n     :set output (\$output.\$currentTime.\" \".\$message.\"%0A%0A %F0%9F\
    %9A%AB \")\r\
    \n   }\r\
    \n#   if currentTime = lastTime, set keepOutput so any further logs found \
    will be added to output\r\
    \n#   reset output in the case we have multiple identical date/time entrie\
    s in a row as the last matching logs\r\
    \n#   otherwise, it would stop at the first found matching log, thus all f\
    ollowing logs would be output\r\
    \n    :if (\$currentTime = \$lastTime) do={\r\
    \n     :set keepOutput true\r\
    \n     :set output \"\"\r\
    \n   }\r\
    \n  }\r\
    \n#   if this is last log entry\r\
    \n  :if (\$counter = ([:len \$startBuf]-1)) do={\r\
    \n#   If keepOutput is still false after loop, this means lastTime has a v\
    alue, but a matching currentTime was never found.\r\
    \n#   This can happen if 1) The router was rebooted and matching logs stor\
    ed in memory were wiped, or 2) An item is added\r\
    \n#   to the removeThese array that then ignores the last log that determi\
    ned the lastTime variable.\r\
    \n#   This resets the comment to nothing. The next run will be like the fi\
    rst time, and you will get all matching logs\r\
    \n   :if (\$keepOutput = false) do={\r\
    \n#     if previous log was found, this will be our new lastTime entry    \
    \_ \r\
    \n     :if ([:len \$message] > 0) do={\r\
    \n        :set output (\$output.\$currentTime.\" \".\$message.\"%0A%0A %F0\
    %9F%9A%AB \")\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n  :set counter (\$counter + 1)\r\
    \n}\r\
    \n# If we have output, save new date/time, and send email\r\
    \nif ([:len \$output] > 0) do={\r\
    \n  /system scheduler set [find name=\"\$scheduleName\"] comment=\$current\
    Time\r\
    \n\r\
    \n #Send Telegram Notif\r\
    \n  :local MessageText \"%F0%9F%A4%96<b>\$DeviceName:</b> Critical Notifca\
    tion %0A%0A%F0%9F%9A%AB \$output\";\r\
    \n   \r\
    \n#get TGBotSenderScript to send\r\
    \n  :local SendTelegramMessage [:parse [/system script get TGBotSenderScri\
    pt source]];\r\
    \n  \$SendTelegramMessage MessageText=\$MessageText;\r\
    \n  /log info \"[LOGMON] Login <b>Failure</b> logs found, sending Telegram\
    \_Message\"\r\
    \n}"
add dont-require-permissions=yes name=LogToTG-SuccessLogin owner=E3 policy=\
    read,write,policy,test source="# BEGIN SETUP\r\
    \n#Change this to the name of your schedule (the date/time stamp is saved \
    in the schedule's comment).\r\
    \n:local scheduleName \"LogToTG-SuccessLogin\"\r\
    \n\r\
    \n#Get System Name\r\
    \n:local DeviceName [/system identity get name];\r\
    \n\r\
    \n#This currently detects two strings. It can be changed to more or less s\
    trings if desired. Remove: || message~\"login failure\" if you only want t\
    o use one string, or if you want more strings, add this same code at the e\
    nd (but before the last two end brackets).\r\
    \n:local startBuf [:toarray [/log find where topics~\"account\" ]]\r\
    \n\r\
    \n#Edit the quoted items for strings you want to be filtered out of the re\
    sults. For example, if you want all \"logged in\" logs found, but you do n\
    ot want any of the \"logged in via telnet\" logs included, simply include \
    the word \"telnet\" in the array and these logs will be excluded. Double q\
    uote additional strings and separate them with semi-colons. If you don't w\
    ant any logs filtered, simply declare the variable :local removeThese with\
    out any curly braces. curly braces sample as follow {\"testing\";\"whateve\
    r string you want\"}\r\
    \n:local removeThese \r\
    \n\r\
    \n# END SETUP\r\
    \n# warn if schedule does not exist\r\
    \n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\
    \n  /log warning \"[LOGMON] ERROR: Schedule does not exist. Create schedul\
    e and edit script to match name\"\r\
    \n}\r\
    \n# get last time\r\
    \n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] co\
    mment]\r\
    \n# for checking time of each log entry\r\
    \n:local currentTime\r\
    \n# log message\r\
    \n:local message\r\
    \n# final output\r\
    \n:local output\r\
    \n:local keepOutput false\r\
    \n# if lastTime is empty, set keepOutput to true\r\
    \n:if ([:len \$lastTime] = 0) do={\r\
    \n  :set keepOutput true\r\
    \n}\r\
    \n:local counter 0\r\
    \n# loop through all log entries that have been found\r\
    \n:foreach i in=\$startBuf do={\r\
    \n# loop through all removeThese array items\r\
    \n  :local keepLog true\r\
    \n  :foreach j in=\$removeThese do={\r\
    \n#   if this log entry contains any of them, it will be ignored\r\
    \n    :if ([/log get \$i message] ~ \"\$j\") do={\r\
    \n      :set keepLog false\r\
    \n    }\r\
    \n  }\r\
    \n  :if (\$keepLog = true) do={\r\
    \n   :set message [/log get \$i message]\r\
    \n#   LOG DATE\r\
    \n#   depending on log date/time, the format may be different. 3 known for\
    mats\r\
    \n#   format of jan/01/2002 00:00:00 which shows up at unknown date/time. \
    Using as default\r\
    \n    :set currentTime [ /log get \$i time ]\r\
    \n#   format of 00:00:00 which shows up on current day's logs\r\
    \n   :if ([:len \$currentTime] = 8 ) do={\r\
    \n     :set currentTime ([:pick [/system clock get date] 0 11].\" \".\$cur\
    rentTime)\r\
    \n    } else={\r\
    \n#     format of jan/01 00:00:00 which shows up on previous day's logs\r\
    \n     :if ([:len \$currentTime] = 15 ) do={\r\
    \n        :set currentTime ([:pick \$currentTime 0 6].\"/\".[:pick [/syste\
    m clock get date] 7 11].\" \".[:pick \$currentTime 7 15])\r\
    \n      }\r\
    \n   }\r\
    \n#   if keepOutput is true, add this log entry to output\r\
    \n   :if (\$keepOutput = true) do={\r\
    \n     :set output (\$output.\$currentTime.\" \".\$message.\"%0A%0A %E2%9C\
    %85 \")\r\
    \n   }\r\
    \n#   if currentTime = lastTime, set keepOutput so any further logs found \
    will be added to output\r\
    \n#   reset output in the case we have multiple identical date/time entrie\
    s in a row as the last matching logs\r\
    \n#   otherwise, it would stop at the first found matching log, thus all f\
    ollowing logs would be output\r\
    \n    :if (\$currentTime = \$lastTime) do={\r\
    \n     :set keepOutput true\r\
    \n     :set output \"\"\r\
    \n   }\r\
    \n  }\r\
    \n#   if this is last log entry\r\
    \n  :if (\$counter = ([:len \$startBuf]-1)) do={\r\
    \n#   If keepOutput is still false after loop, this means lastTime has a v\
    alue, but a matching currentTime was never found.\r\
    \n#   This can happen if 1) The router was rebooted and matching logs stor\
    ed in memory were wiped, or 2) An item is added\r\
    \n#   to the removeThese array that then ignores the last log that determi\
    ned the lastTime variable.\r\
    \n#   This resets the comment to nothing. The next run will be like the fi\
    rst time, and you will get all matching logs\r\
    \n   :if (\$keepOutput = false) do={\r\
    \n#     if previous log was found, this will be our new lastTime entry    \
    \_ \r\
    \n     :if ([:len \$message] > 0) do={\r\
    \n        :set output (\$output.\$currentTime.\" \".\$message.\"%0A%0A %E2\
    %9C%85 \")\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n  :set counter (\$counter + 1)\r\
    \n}\r\
    \n# If we have output, save new date/time, \r\
    \nif ([:len \$output] > 0) do={\r\
    \n  /system scheduler set [find name=\"\$scheduleName\"] comment=\$current\
    Time\r\
    \n\r\
    \n#Send Telegram Notif\r\
    \n  :local MessageText \"%F0%9F%A4%96<b>\$DeviceName:</b> Account Activiti\
    es Log %0A%0A%E2%9C%85 \$output\";\r\
    \n   \r\
    \n#get TGBotSenderScript to send\r\
    \n  :local SendTelegramMessage [:parse [/system script get TGBotSenderScri\
    pt source]];\r\
    \n  \$SendTelegramMessage MessageText=\$MessageText;\r\
    \n  /log info \"[LOGMON] Account <b>Actitvity</b> logs found, sending Tele\
    gram Message\"\r\
    \n}"
add dont-require-permissions=no name=ReportGenerationRouterBoot owner=Seno@E3 \
    policy=ftp,read,write,policy,test source=":delay 5\r\
    \n\r\
    \n:local reportBody \"\"\r\
    \n\r\
    \n:local deviceName [/system identity get name]\r\
    \n:local deviceDate [/system clock get date]\r\
    \n:local deviceTime [/system clock get time]\r\
    \n:local hwModel [/system routerboard get model]\r\
    \n:local rosVersion [/system package get system version]\r\
    \n:local currentFirmware [/system routerboard get current-firmware]\r\
    \n:local upgradeFirmware [/system routerboard get upgrade-firmware]\r\
    \n\r\
    \n\r\
    \n:set reportBody (\$reportBody . \"Router Reboot Report for \$deviceName\
    \\n\")\r\
    \n:set reportBody (\$reportBody . \"Report generated on \$deviceDate at \$\
    deviceTime\\n\\n\")\r\
    \n\r\
    \n:set reportBody (\$reportBody . \"Hardware Model: \$hwModel\\n\")\r\
    \n:set reportBody (\$reportBody . \"RouterOS Version: \$rosVersion\\n\")\r\
    \n:set reportBody (\$reportBody . \"Current Firmware: \$currentFirmware\\n\
    \")\r\
    \n:set reportBody (\$reportBody . \"Upgrade Firmware: \$upgradeFirmware\")\
    \r\
    \nif ( \$currentFirmware < \$upgradeFirmware) do={\r\
    \n:set reportBody (\$reportBody . \"NOTE: You should upgrade the RouterBOA\
    RD firmware!\\n\")\r\
    \n}\r\
    \n\r\
    \n:set reportBody (\$reportBody . \"\\n\\n=== Critical Log Events ===\\n\"\
    \_)\r\
    \n\r\
    \n:local x\r\
    \n:local ts\r\
    \n:local msg\r\
    \nforeach i in=([/log find where topics~\"critical\"]) do={\r\
    \n:set \$ts [/log get \$i time]\r\
    \n:set \$msg [/log get \$i message]\r\
    \n:set \$reportBody (\$reportBody  . \$ts . \" \" . \$msg . \"\\n\" )\r\
    \n}\r\
    \n\r\
    \n:set reportBody (\$reportBody . \"\\n=== end of report ===\\n\")\r\
    \n\r\
    \n/tool e-mail send subject=\"[\$deviceName] Router Reboot Report\" to=\"d\
    ermawas@gmail.com\" body=\$reportBody"
add dont-require-permissions=no name=SendingLogToEmail owner=Seno@E3 policy=\
    read,write,policy,test source="# BEGIN SETUP\r\
    \n#Change this to the name of your schedule (the date/time stamp is saved \
    in the schedule's comment).\r\
    \n:local scheduleName \"LogToEmail\"\r\
    \n\r\
    \n#Put your email address here.\r\
    \n:local emailAddress \"dermawas@gmail.com\"\r\
    \n\r\
    \n#This currently detects two strings. It can be changed to more or less s\
    trings if desired. Remove: || message~\"login failure\" if you only want t\
    o use one string, or if you want more strings, add this same code at the e\
    nd (but before the last two end brackets).\r\
    \n:local startBuf [:toarray [/log find topics~\"error\" || topics~\"critic\
    al\" || topics~\"system\" || topics~\"script\" || topics~\"gsm\" || topics\
    ~\"dhcp\" || topics~\"interface\" || topic~\"account\" || topic~\"pppoe\" \
    ]]\r\
    \n\r\
    \n#Edit the quoted items for strings you want to be filtered out of the re\
    sults. For example, if you want all \"logged in\" logs found, but you do n\
    ot want any of the \"logged in via telnet\" logs included, simply include \
    the word \"telnet\" in the array and these logs will be excluded. Double q\
    uote additional strings and separate them with semi-colons. If you don't w\
    ant any logs filtered, simply declare the variable :local removeThese with\
    out any curly braces. curly braces sample as follow {\"testing\";\"whateve\
    r string you want\"}\r\
    \n:local removeThese \r\
    \n\r\
    \n# END SETUP\r\
    \n# warn if schedule does not exist\r\
    \n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\
    \n  /log warning \"[LOGMON] ERROR: Schedule does not exist. Create schedul\
    e and edit script to match name\"\r\
    \n}\r\
    \n# get last time\r\
    \n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] co\
    mment]\r\
    \n# for checking time of each log entry\r\
    \n:local currentTime\r\
    \n# log message\r\
    \n:local message\r\
    \n# final output\r\
    \n:local output\r\
    \n:local keepOutput false\r\
    \n# if lastTime is empty, set keepOutput to true\r\
    \n:if ([:len \$lastTime] = 0) do={\r\
    \n  :set keepOutput true\r\
    \n}\r\
    \n:local counter 0\r\
    \n# loop through all log entries that have been found\r\
    \n:foreach i in=\$startBuf do={\r\
    \n# loop through all removeThese array items\r\
    \n  :local keepLog true\r\
    \n  :foreach j in=\$removeThese do={\r\
    \n#   if this log entry contains any of them, it will be ignored\r\
    \n    :if ([/log get \$i message] ~ \"\$j\") do={\r\
    \n      :set keepLog false\r\
    \n    }\r\
    \n  }\r\
    \n  :if (\$keepLog = true) do={\r\
    \n   :set message [/log get \$i message]\r\
    \n#   LOG DATE\r\
    \n#   depending on log date/time, the format may be different. 3 known for\
    mats\r\
    \n#   format of jan/01/2002 00:00:00 which shows up at unknown date/time. \
    Using as default\r\
    \n    :set currentTime [ /log get \$i time ]\r\
    \n#   format of 00:00:00 which shows up on current day's logs\r\
    \n   :if ([:len \$currentTime] = 8 ) do={\r\
    \n     :set currentTime ([:pick [/system clock get date] 0 11].\" \".\$cur\
    rentTime)\r\
    \n    } else={\r\
    \n#     format of jan/01 00:00:00 which shows up on previous day's logs\r\
    \n     :if ([:len \$currentTime] = 15 ) do={\r\
    \n        :set currentTime ([:pick \$currentTime 0 6].\"/\".[:pick [/syste\
    m clock get date] 7 11].\" \".[:pick \$currentTime 7 15])\r\
    \n      }\r\
    \n   }\r\
    \n#   if keepOutput is true, add this log entry to output\r\
    \n   :if (\$keepOutput = true) do={\r\
    \n     :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\r\")\r\
    \n   }\r\
    \n#   if currentTime = lastTime, set keepOutput so any further logs found \
    will be added to output\r\
    \n#   reset output in the case we have multiple identical date/time entrie\
    s in a row as the last matching logs\r\
    \n#   otherwise, it would stop at the first found matching log, thus all f\
    ollowing logs would be output\r\
    \n    :if (\$currentTime = \$lastTime) do={\r\
    \n     :set keepOutput true\r\
    \n     :set output \"\"\r\
    \n   }\r\
    \n  }\r\
    \n#   if this is last log entry\r\
    \n  :if (\$counter = ([:len \$startBuf]-1)) do={\r\
    \n#   If keepOutput is still false after loop, this means lastTime has a v\
    alue, but a matching currentTime was never found.\r\
    \n#   This can happen if 1) The router was rebooted and matching logs stor\
    ed in memory were wiped, or 2) An item is added\r\
    \n#   to the removeThese array that then ignores the last log that determi\
    ned the lastTime variable.\r\
    \n#   This resets the comment to nothing. The next run will be like the fi\
    rst time, and you will get all matching logs\r\
    \n   :if (\$keepOutput = false) do={\r\
    \n#     if previous log was found, this will be our new lastTime entry    \
    \_ \r\
    \n     :if ([:len \$message] > 0) do={\r\
    \n        :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\r\")\
    \r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n  :set counter (\$counter + 1)\r\
    \n}\r\
    \n# If we have output, save new date/time, and send email\r\
    \nif ([:len \$output] > 0) do={\r\
    \n  /system scheduler set [find name=\"\$scheduleName\"] comment=\$current\
    Time\r\
    \n  /tool e-mail send to=\"\$emailAddress\" subject=\"\\F0\\9F\\A4\\96 \\E\
    2\\84\\B9 Marge alert \$currentTime\" body=\"\$output\"\r\
    \n  /log info \"[LOGMON] New logs found, sending email\"\r\
    \n}\r\
    \n#Other Notes, If you would rather run a script or whatever (instead of s\
    ending email), simply remove the email config line at the top, and change \
    the \"/tool email\" line near the bottom to do whatever you want.\r\
    \n"
add dont-require-permissions=no name=NotifTGRouterOSUpdate owner=Seno@E3 \
    policy=read,write,policy,test source="# Constants\r\
    \n:local DeviceName [/system identity get name];\r\
    \n:local MessageText \"%F0%9F%A4%96 <b>\$DeviceName: </b>%0A %E3%8A%99 \";\
    \r\
    \n\r\
    \n\r\
    \n# Check Update\r\
    \n:local MyVar [/system package update check-for-updates as-value];\r\
    \n:local Chan (\$MyVar -> \"channel\");\r\
    \n:local InstVer (\$MyVar -> \"installed-version\");\r\
    \n:local LatVer (\$MyVar -> \"latest-version\");\r\
    \n\r\
    \n\r\
    \n:if (\$InstVer = \$LatVer) do={\r\
    \n    :set MessageText  (\$MessageText . \"System OS is up to date\");\r\
    \n} else={\r\
    \n    \r\
    \n    :set MessageText  (\"\$MessageText New version \$LatVer is available\
    ! <a href=\\\"https://mikrotik.com/download/changelogs\\\">Changelogs</a>.\
    \_[Installed version \$InstVer, Channel \$Chan].\");\r\
    \n}\r\
    \n    #get TGBotSenderScript to send\r\
    \n    :local SendTelegramMessage [:parse [/system script  get TGBotSenderS\
    cript source]];\r\
    \n    \$SendTelegramMessage MessageText=\$MessageText;"
/tool e-mail
set address=smtp.gmail.com from=dermawas@gmail.com port=587 start-tls=yes \
    user=dermawas@gmail.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Admin
/tool netwatch
add down-script=":local DeviceName [/system identity get name];\r\
    \n\r\
    \n:local MessageText \"%F0%9F%A4%96  <b>\$DeviceName:</b><b>Internet conne\
    ction is Down  </b>\";\r\
    \n\r\
    \n#Create MSG Tosend\r\
    \n:local SendTelegramMessage [:parse [/system script  get TGBotSenderScrip\
    t source]];\r\
    \n\r\
    \n#Create Script to get the sender to send Telegram msg\r\
    \n\$SendTelegramMessage MessageText=\$MessageText;" host=8.8.8.8 \
    up-script=":local DeviceName [/system identity get name];\r\
    \n\r\
    \n:local MessageText \"%F0%9F%A4%96  <b>\$DeviceName:</b>%F0%9F%8E%8A <b>I\
    nternet connection is UP  </b>\";\r\
    \n\r\
    \n#Create MSG Tosend\r\
    \n:local SendTelegramMessage [:parse [/system script  get TGBotSenderScrip\
    t source]];\r\
    \n\r\
    \n#Create Script to get the sender to send Telegram msg\r\
    \n\$SendTelegramMessage MessageText=\$MessageText;"
 
wangmauler
just joined
Posts: 1
Joined: Fri Apr 19, 2024 1:11 am

Re: Wlan has no internet access but lan has internet access

Fri Apr 19, 2024 1:28 am

Hey all - I've had a MikroTik RB4011iGS for years now, last had it set up about 2 years ago and it was (at the time) in a working state. I've since plugged it back in at a new place I've moved into, with an Arris SB8200 > the MikroTik.

With my current config, I can get internet okay on the ethernet ports; however, WiFi connects, just as the previous people had posted in this thread, but has no internet access. I get an IP on WiFi devices and I see them on the interface lists in WinBox, but no internet.

It's been a long while and I'm very much used to the Auto-Magic world of cloud-based Meraki devices now - been a long time since I configured something as...configurable...as MikroTik devices.

Can someone help me pinpoint why it's not bridging or talking to the internet? Thanks in advance, and I also apologize for the most-definitely-existence-of-numerous errors and poor setup of this config below:
# 2024-04-18 17:53:31 by RouterOS 7.14.2
# software id = GXJ9-F0DI
#
# model = RB4011iGS+5HacQ2HnD
# serial number = REDACTED
/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf name=bridge-LAN port-cost-mode=short
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n country="united states3" installation=indoor mode=ap-bridge name=w00t-2g ssid=w00t-2g wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan1 ] band=5ghz-n/ac disabled=no frequency=auto installation=indoor mode=ap-bridge name=w00t-5g ssid=w00t-5g wireless-protocol=802.11 \
    wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=10m name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge-LAN comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf interface=w00t-5g internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf interface=w00t-2g internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge-LAN list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge-LAN network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.254 client-id=REDACTED mac-address=REDACTED server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-LAN type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system leds
add interface=w00t-2g leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=w00t-2g leds=wlan2_tx-led type=interface-transmit
add interface=w00t-2g leds=wlan2_rx-led type=interface-receive
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19843
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wlan has no internet access but lan has internet access

Sat Apr 20, 2024 4:52 pm

After a quick perusal of your config nothing stands out.


For this line, remove the netmask in case you entered it manually; normally it doesn't show in the config.
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.1.1 netmask=24

Also if not using IPV6, ensure you disable it in IPV6 services and you can remove all the fw rules and address lists associated.
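
The two checks suggested in the reply above, as an added example that is not part of the thread: a small Python audit of a RouterOS `/export` dump. The sample export is constructed from lines in the posted config, and treating the absence of `/ipv6 address` and `/ipv6 dhcp-client` entries as "IPv6 unused" is an assumption.

```python
import re
import shlex

# Constructed sample: a few lines in the shape of the export posted above.
SAMPLE_EXPORT = r'''
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.1.1 netmask=24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=LAN
'''


def parse_export(text):
    """Return {menu path: [property dict per add/set line]} for an /export dump."""
    menus, path = {}, None
    for line in text.replace("\\\n", " ").splitlines():   # fold '\' continuations
        line = re.sub(r"\[[^\]]*\]", "", line).strip()    # drop '[ find ... ]' selectors
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])
        elif path is not None:
            words = shlex.split(line)                     # quoted comments stay one word
            menus[path].append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return menus


def audit(menus):
    """Flag the two items from the reply: explicit netmask, unused IPv6 firewall."""
    findings = []
    for net in menus.get("/ip dhcp-server network", []):
        if "netmask" in net:
            findings.append(f"dhcp network {net['address']}: explicit netmask={net['netmask']}")
    v6_rules = sum(len(v) for k, v in menus.items() if k.startswith("/ipv6 firewall"))
    # Assumption: no '/ipv6 address' or '/ipv6 dhcp-client' entries means IPv6 is unused.
    v6_in_use = any(menus.get(p) for p in ("/ipv6 address", "/ipv6 dhcp-client"))
    if v6_rules and not v6_in_use:
        findings.append(f"{v6_rules} IPv6 firewall entries but no IPv6 addressing configured")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```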
