Currently, I have a setup where my RB4011 is placed between the AGCOMBO (current ISP) and a PtoMP bridge (station bridge spoke to an AC bridge HUB), which is connected to an output of the RB4011.
I am adding VLANs only to a portion of the network at this time. I’ve set all ports of the hAP ac2 as trunks to carry all VLANs, with plans to optimize the VLAN table later.
Initially, I wanted to keep the IoT subnet on 192.168.1.0/24 to avoid changing IPs and routes of existing nodes, but I encountered conflicts. I then configured the subnet to 192.168.10.xxx. This allowed the RB4011 to reach the network, but the other devices are receiving an IP from the RB4011’s DHCP that differs from what I had manually assigned to them, causing access issues.
The problem is that while the RB4011 pings the AGCOMBO and Google correctly, it cannot reach the devices. These devices remain isolated, as if there were a physical barrier rather than a network connection. I suspect there may be issues with the routing. My intention was to set up a route for all nodes to point to the RB4011, but I’m not sure where the configuration is going wrong.
I’ve also tried configuring some forwarding rules between the RB4011 and AGCOMBO to allow access from the external environment during debugging, but these haven’t worked.
I would appreciate any advice on how to better configure this network to resolve the access and routing issues between the devices and the RB4011.
RB4011
# 1970-01-02 00:44:11 by RouterOS 7.16.1
# software id = YIFI-TGP1
#
# model = RB4011iGS+
# serial number = F0260E3AB466
/caps-man configuration
add country=italy datapath.local-forwarding=yes .vlan-id=20 .vlan-mode=\
use-tag name=Config_WORK security.authentication-types=wpa-psk,wpa2-psk \
ssid=WiFi_WORK
add country=italy datapath.local-forwarding=yes .vlan-id=30 .vlan-mode=\
use-tag name=Config_GUEST security.authentication-types=wpa-psk,wpa2-psk \
ssid=WiFi_GUEST
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=ether_to_WAN
set [ find default-name=ether2 ] comment=CAPs-3-sala
set [ find default-name=ether3 ] comment=CAPs-1-cantina
set [ find default-name=ether4 ] comment=CAPs-2-lab
set [ find default-name=ether5 ] comment=LINK_PTMP
/interface vlan
add comment=IoT interface=bridge1 name=VLAN10 vlan-id=10
add comment=Privata interface=bridge1 name=VLAN20 vlan-id=20
add comment=Ospiti interface=bridge1 name=VLAN30 vlan-id=30
add comment=MNGM interface=bridge1 name=VLAN99 vlan-id=99
/caps-man datapath
add bridge=bridge1 client-to-client-forwarding=no name=datapath1 vlan-mode=\
use-tag
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/iot lora servers
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool30 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool99 ranges=192.168.99.2-192.168.99.254
/port
set 0 name=serial0
set 1 name=serial1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
disabled=yes disabled=yes name=zt1 port=9993
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_WORK \
slave-configurations=Config_GUEST
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=30
add bridge=bridge1 interface=ether5 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether3,ether2,ether4,ether5 vlan-ids=10
add bridge=bridge1 tagged=ether2,ether3,ether4,ether5 vlan-ids=20
add bridge=bridge1 tagged=ether2,ether3,ether4,ether5 vlan-ids=30
add bridge=bridge1 tagged=ether2,ether3,ether4,ether5 vlan-ids=99
/ip address
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
add address=192.168.99.1/24 interface=VLAN99 network=192.168.99.0
add address=192.168.1.3/24 comment="Static IP for WAN" interface=ether1 \
network=192.168.1.0
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN10 name=dhcp1
add address-pool=dhcp_pool20 interface=VLAN20 name=dhcp20
add address-pool=dhcp_pool30 interface=VLAN30 name=dhcp30
add address-pool=dhcp_pool99 interface=VLAN99 name=dhcp99
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.3
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8 gateway=192.168.30.1
add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall nat
add action=dst-nat chain=dstnat comment=prt-frw-HOA_raspi dst-address=\
192.168.1.3 dst-port=8123 protocol=tcp to-addresses=192.168.10.244 \
to-ports=8123
add action=dst-nat chain=dstnat comment=prt-frw-IOT-NR_raspiiot dst-address=\
192.168.1.3 dst-port=9995 protocol=tcp to-addresses=192.168.10.246 \
to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-IOT-NR_raspiiot dst-address=\
192.168.1.3 dst-port=9995 protocol=udp to-addresses=192.168.10.246 \
to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_ChripS_raspilora \
dst-address=192.168.1.3 dst-port=9997 protocol=tcp to-addresses=\
192.168.10.249 to-ports=8080
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_ChripS_raspilora \
dst-address=192.168.1.3 dst-port=9997 protocol=udp to-addresses=\
192.168.10.249 to-ports=8080
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_NR_raspilora \
dst-address=192.168.1.3 dst-port=9996 protocol=udp to-addresses=\
192.168.10.249 to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_SSH_raspilora \
dst-address=192.168.1.3 dst-port=9994 protocol=tcp to-addresses=\
192.168.10.249 to-ports=22
add action=dst-nat chain=dstnat comment=prt-frw-HOA_raspi dst-address=\
192.168.1.3 dst-port=8123 protocol=tcp to-addresses=192.168.10.244 \
to-ports=8123
add action=dst-nat chain=dstnat comment=prt-frw-IOT-NR_raspiiot dst-address=\
192.168.1.3 dst-port=9995 protocol=tcp to-addresses=192.168.10.246 \
to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-IOT-NR_raspiiot dst-address=\
192.168.1.3 dst-port=9995 protocol=udp to-addresses=192.168.10.246 \
to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_ChripS_raspilora \
dst-address=192.168.1.3 dst-port=9997 protocol=tcp to-addresses=\
192.168.10.249 to-ports=8080
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_ChripS_raspilora \
dst-address=192.168.1.3 dst-port=9997 protocol=udp to-addresses=\
192.168.10.249 to-ports=8080
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_NR_raspilora \
dst-address=192.168.1.3 dst-port=9996 protocol=udp to-addresses=\
192.168.10.249 to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_SSH_raspilora \
dst-address=192.168.1.3 dst-port=9994 protocol=tcp to-addresses=\
192.168.10.249 to-ports=22
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="NAT for Internet access"
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main \
suppress-hw-offload=no
/system note
set show-at-login=no
SXTsq lite 2 - 1st (and unique, for the moment, spoke).
# 2024-11-14 13:40:25 by RouterOS 7.12.1
# software id = TGDA-J80N
#
# model = RBSXTsq2nD
# serial number = 935F088F2F42
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy disabled=no \
frequency=auto mode=station-bridge nv2-security=enabled radio-name=\
CANTINA ssid=LINK_PTMP station-roaming=enabled wireless-protocol=nv2
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M\
-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full"
/interface vlan
add interface=bridge1 name=VLAN99 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 hw=no interface=ether1
/interface detect-internet
set detect-interface-list=all
/ip address
add address=192.168.10.222/24 interface=bridge1 network=192.168.10.0
add address=192.168.99.222/24 interface=VLAN99 network=192.168.99.0
/ip dns
set servers=8.8.8.8
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=CANTINA
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.204.114.232
add address=193.204.114.233
/system package update
set channel=development
SXT2 - AC bridge - HUB device:
# nov/14/2024 13:42:31 by RouterOS 6.47.10
# software id = 24XI-Z525
#
# model = RBSXTG-2HnD
# serial number = E2200FBAAE75
/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy disabled=no \
mode=ap-bridge nv2-preshared-key=alvise nv2-security=enabled radio-name=\
MASTER ssid=LINK_PTMP wds-mode=dynamic wireless-protocol=nv2
/interface vlan
add interface=bridge1 name=VLAN99 vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=wlan1 list=WAN
/ip address
add address=192.168.10.223/24 comment=defconf interface=bridge1 network=\
192.168.10.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping distance=1 gateway=192.168.10.1
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MASTER-BAITA
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.233
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
AC-bridge hAPac2: distribute VLANS to devices + wifi
# nov/14/2024 13:37:26 by RouterOS 6.49.13
# software id = RDEZ-NLWV
#
# model = RBD52G-5HacD2HnD
# serial number = HGG09JPQ53D
/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=italy disabled=no frequency=auto \
installation=indoor mode=ap-bridge ssid=baita_sp
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge1 name=VLAN99 vlan-id=99
add interface=bridge1 name=vlan10 vlan-id=10
add comment=guest interface=bridge1 name=vlan20 vlan-id=20
add comment=WORK interface=bridge1 name=vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add name=profile1 supplicant-identity=""
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether4
add bridge=bridge1 ingress-filtering=yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether2,ether3,ether4,wlan1,wlan2,ether5 \
vlan-ids=10
add bridge=bridge1 tagged=ether1,ether2,ether3,ether4,ether5,wlan1,wlan2 \
vlan-ids=20
add bridge=bridge1 tagged=ether1,ether2,ether3,ether4,ether5,wlan1,wlan2 \
vlan-ids=30
add bridge=bridge1 tagged=ether1,ether2,ether3,ether4,ether5,wlan1,wlan2 \
vlan-ids=99
/ip address
add address=192.168.10.220 interface=bridge1 network=192.168.10.1
add address=192.168.99.223 interface=VLAN99 network=192.168.99.0
/ip dhcp-relay
add dhcp-server=192.168.1.1 disabled=no interface=bridge1 name=relay1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip route
add distance=1 gateway=192.168.10.1
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=hAPac2-baita
You do not have the required permissions to view the files attached to this post.