 
dnikms
just joined
Topic Author
Posts: 14
Joined: Fri Jun 25, 2021 5:18 pm

WLAN on hap Ac2

Tue Mar 29, 2022 3:27 pm

Hi,

I have set up my router from the start and changed my local address and DHCP server, of course, but a few devices are picking up DHCP from the default 192.168.88.1...
I would appreciate any help.
# mar/29/2022 14:25:17 by RouterOS 7.1.5
# software id = RY13-W6WU
#
# model = RBD52G-5HacD2HnD
# serial number = D7160CB65217
/interface bridge
add name=bridge
/interface vlan
add interface=ether5 name=vlan10 vlan-id=10
/interface list
add name=WAN
add name=LAN
add name=MANAGE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=wlan-passwd \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=slovenia disabled=no frequency=auto mode=ap-bridge \
    security-profile=wlan-passwd ssid=Internet2G
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=slovenia disabled=no frequency=auto mode=\
    ap-bridge security-profile=wlan-passwd ssid=Internet5G wireless-protocol=\
    802.11
/ip pool
add name=dhcp ranges=10.0.1.3-10.0.1.254
add name=vlan10_dhcp ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=main_dhcp
add address-pool=vlan10_dhcp interface=vlan10 name=vlan10_dhcp
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan2
add bridge=bridge interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=vlan10 list=MANAGE
/ip address
add address=89.212.x.x/16 interface=ether1 network=89.212.0.0
add address=10.0.1.1/24 interface=bridge network=10.0.1.0
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server alert
add disabled=no interface=wlan1
add disabled=no interface=wlan2
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.10.5 gateway=10.0.1.1 netmask=24
add address=10.0.10.0/24 dns-server=10.0.10.5 gateway=10.0.10.1
/ip dns
set allow-remote-requests=yes servers=10.0.10.5
/ip firewall address-list
add address=10.0.1.10 list=allowed_to_router
add address=10.0.1.20 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input in-interface-list=!LAN
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=accept chain=forward in-interface=bridge out-interface=vlan10
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=LAN_!LAN src-address=!10.0.1.0/24
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
    protocol=tcp tcp-flags=syn,ack
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="jenna HTTP" dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=80
add action=dst-nat chain=dstnat comment="jenna HTTPS" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=443
add action=dst-nat chain=dstnat comment="lisa HTTP" disabled=yes dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=80
add action=dst-nat chain=dstnat comment="lisa HTTPS" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=443
add action=dst-nat chain=dstnat comment="jenna Tor Relay " dst-port=9001 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=9001
add action=dst-nat chain=dstnat comment="Zabbix Proxy" dst-port=10051 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=10051
add action=dst-nat chain=dstnat comment="Zabbix Proxy" disabled=yes dst-port=\
    10051 in-interface=ether1 protocol=udp to-addresses=10.0.10.5 to-ports=\
    10051
add action=dst-nat chain=dstnat comment="WireGuard VPN UDP" dst-port=51820 \
    in-interface=ether1 protocol=udp to-addresses=10.0.10.5 to-ports=51820
add action=dst-nat chain=dstnat comment="WireGuard VPN TCP" dst-port=51820 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=51820
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target \
    src-address-list=ddos-attackers
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh port=2121
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=\
    yes log-prefix=ipv6,invalid
add action=drop chain=forward log-prefix=IPV6
/system clock
set time-zone-name=Europe/Ljubljana
/system routerboard settings
set cpu-frequency=auto
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WLAN on hap Ac2

Tue Mar 29, 2022 3:30 pm

What do you mean by 'few devices'?
When it happens, are they always connected to a certain eth-port or wlan?
What other DHCP server can you have which may distribute that address range?
And did you already renew the lease from the suspected devices (on those devices themselves)? Maybe they still remember what they had before and haven't had the occasion yet to renew automatically (and get an address from the new ranges)?
 
dnikms
just joined
Topic Author
Posts: 14
Joined: Fri Jun 25, 2021 5:18 pm

Re: WLAN on hap Ac2

Tue Mar 29, 2022 3:34 pm

Image
 
dnikms
just joined
Topic Author
Posts: 14
Joined: Fri Jun 25, 2021 5:18 pm

Re: WLAN on hap Ac2

Tue Mar 29, 2022 4:02 pm

What do you mean by 'few devices'?
  • My phone gets the correct DHCP IP, and my laptop's WiFi and other phone get a 192.168.88.x IP...
When it happens, are they always connected to a certain eth-port or wlan?
  • I have tested on wlan1 and wlan2; they still get a 192.168.88.x IP...
What other DHCP server can you have which may distribute that address range?
  • 192.168.88.x doesn't even exist; I only have the 10.0.1.1 DHCP and the 10.0.10.1 DHCP.
And did you already renew the lease from the suspected devices (on those devices themselves)? Maybe they still remember what they had before and haven't had the occasion yet to renew automatically (and get an address from the new ranges)?
  • I tried on one Windows machine, but that one also still gets a 192.168.88.x IP...
 
mkx
Forum Guru
Posts: 11434
Joined: Thu Mar 03, 2016 10:23 pm

Re: WLAN on hap Ac2

Tue Mar 29, 2022 9:02 pm

You can check which DHCP server serves those 192.168.88.x IP addresses. Open Settings -> Network & Internet, then click "Change adapter options" under Status -> Advanced network settings. Right-click the wireless adapter (I'm guessing your Windows PC uses that interface to connect to the network) and select Status. Then click Details and look for "IPv4 DHCP server" (and while you're at it, check the rest of the data there too).

I'm guessing: your "misbehaving" devices somehow connect to the wrong WiFi access point. If you have multiple APs with the same WiFi security settings (same SSID, same PSK), then it's up to the wireless client to select which AP to connect to. Sometimes the selection is a surprise. With the shown settings, there's no way this DHCP client would offer a lease with a 192.168.88.x/24 IP address.
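A way to let the router answer the same question from its side, as an added example that is not from this thread or from MikroTik's own documentation: the posted export already has /ip dhcp-server alert entries for wlan1 and wlan2; this extends them to the bridge and vlan10 with the router's own MAC as the only valid server, so any other DHCP server answering on those segments is recorded with its MAC. It assumes the interface names from the export (bridge, vlan10) and RouterOS 7 console syntax.

```routeros
# Added example, not posted in the thread. Extend the /ip dhcp-server alert
# entries that the export above already has for wlan1 and wlan2 to the bridge
# (covers ether2-ether5 and both wlans as members) and to vlan10.
# Only the router's own MAC on each interface is listed as a valid server, so
# any other MAC that answers a DHCPDISCOVER raises an alert.
/ip dhcp-server alert
add interface=bridge alert-timeout=1h \
    valid-server=[/interface get [find name="bridge"] mac-address]
add interface=vlan10 alert-timeout=1h \
    valid-server=[/interface get [find name="vlan10"] mac-address]

# Let the affected clients renew their leases, then read the result.
# A non-empty unknown-server field is the MAC of the foreign DHCP server.
/ip dhcp-server alert print detail

# The same detection is also written to the log as a warning.
/log print where message~"dhcp alert"

# Map that MAC to a host: check the ARP table and the router's own lease
# table (the export only hands out 10.0.1.0/24 and 10.0.10.0/24, so a rogue
# server will not appear as a lease, but its MAC may appear in ARP).
# Placeholder: replace with the MAC reported by the alert output.
:global rogue "00:00:00:00:00:00"
/ip arp print where mac-address=$rogue
/ip dhcp-server lease print where mac-address=$rogue
# If the MAC belongs to a port of the switch on ether5, the rogue server is
# somewhere behind that switch rather than on the hAP ac2 itself.
```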
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WLAN on hap Ac2

Tue Mar 29, 2022 9:26 pm

Hence my question:
What other DHCP server can you have which may distribute that address range?
 
mkx
Forum Guru
Posts: 11434
Joined: Thu Mar 03, 2016 10:23 pm

Re: WLAN on hap Ac2

Tue Mar 29, 2022 9:58 pm

Hence my question:
What other DHCP server can you have which may distribute that address range?
I know ... but I was trying to help OP to verify that ... you know what they say, assumption is the mother of all f..kups.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WLAN on hap Ac2

Tue Mar 29, 2022 10:31 pm

(1) There is no such subnet 192.168.88.x ????????? Which one of us is on drugs..........??

(2) The problem I see is that vlan10 should be added specifically as a LAN list member for it to be involved in any rules concerning LAN.

- add action=drop chain=input in-interface-list=!LAN
- add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=LAN_!LAN src-address=!10.0.1.0/24

(3) I would also like to know what is attached to ethernet 5, what kind of device and what the expectations of the OP are with respect to traffic going out this port.
MISSING IN ACTION MIA - /interface bridge vlan settings for vlan10................... should the bridge port have a pvid etc etc etc......

(4) As per usual, the firewall rules are a freakin mess with duplicates and bloatware.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WLAN on hap Ac2

Tue Mar 29, 2022 10:44 pm

Image
How and where did you make this view ?
Because it DOES show that ip range as being part of the device where this screenshot was made from.

So two options I see:
- you're not telling us the complete story - FULL network picture of everything connected directly or indirectly to that device. There has to be SOMETHING which hands out IP addresses in that range. The config you posted does not show any indication of such a server on that device.
- you changed something which is not shown in the config you posted ? I hope you didn't...
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: WLAN on hap Ac2

Tue Mar 29, 2022 11:31 pm

"Last IP" is not necessarily the IP of that device! (most are SNMP contacted by DUDE on 36.2)
Klembord-2.jpg
Or is OP using some static IP addresses?
Secondary addresses of ROS device?
 
dnikms
just joined
Topic Author
Posts: 14
Joined: Fri Jun 25, 2021 5:18 pm

Re: WLAN on hap Ac2

Wed Mar 30, 2022 10:01 am

I have a CSS106-5G-1S on ether5.
Any suggestions what to delete and fix in the firewall rules?
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WLAN on hap Ac2

Wed Mar 30, 2022 11:36 am

ether5=vlan10
Clearly there is something wrong there then.

Remove that interface from the bridge to test.
Then see what happens.
