l0kifs
just joined
Topic Author
Posts: 1
Joined: Wed Apr 24, 2019 4:08 pm

CAPsMAN guest network can't access internet

Fri May 27, 2022 11:12 pm

Hi All,

I'm relatively new to MikroTik and the networking world, so I hope you'll understand and help me :)

I've created master (LAN) and slave (GUEST) networks using CAPsMAN.
The issue is that LAN works perfectly fine. Devices connect, receive an IP from DHCP and access the internet.
But not GUEST. Devices connected to this subnet also receive an IP, but can't connect to the internet.

I've read several manuals and can't see the issue.

Here's my config:
# may/27/2022 22:12:28 by RouterOS 7.2.3
# software id = F9Q1-KVIV
#
# model = RB3011UiAS
# serial number = E14E0DB70EF3
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=channel-2g tx-power=15
add band=5ghz-a/n/ac frequency=5180 name=channel-5g tx-power=15

/interface bridge
add name=br1-lan
add arp=reply-only name=br2-guest

/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan

/interface ovpn-server
add name=ovpn-in1 user=xps

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-pia

/caps-man datapath
add bridge=br1-lan client-to-client-forwarding=yes local-forwarding=no name=\
    datapath1-lan
add bridge=br2-guest client-to-client-forwarding=no local-forwarding=no name=\
    datapath2-guest

/interface pppoe-client
add add-default-route=yes disabled=no interface=eth1-wan name=pppoe-out1 \
    user=Konov

/caps-man rates
add basic=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps name=rate1 supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security1-lan
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security2-guest

/caps-man configuration
add channel=channel-2g country=russia3 datapath=datapath1-lan distance=\
    indoors hw-protection-mode=rts-cts installation=indoor mode=ap name=\
    cfg-2g-lan rates=rate1 rx-chains=0,1,2,3 security=security1-lan ssid=\
    main-2g tx-chains=0,1,2,3
add channel=channel-5g country=russia3 datapath=datapath1-lan distance=\
    indoors hw-protection-mode=rts-cts installation=indoor mode=ap name=\
    cfg-5g-lan rates=rate1 rx-chains=0,1,2,3 security=security1-lan ssid=\
    main-5g tx-chains=0,1,2,3
add country=russia3 datapath=datapath2-guest distance=indoors installation=\
    indoor mode=ap name=cfg-2g-guest security=security2-guest ssid=guest-2g
add country=russia3 datapath=datapath2-guest distance=indoors installation=\
    indoor mode=ap name=cfg-5g-guest security=security2-guest ssid=guest-5g

/interface list
add name=WAN
add name=LAN
add name=GUEST

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=pool1-lan ranges=192.168.88.2-192.168.88.254
add name=pool2-guest ranges=192.168.89.2-192.168.89.254
add name=pool3-ovpn ranges=10.8.8.100-10.8.8.199

/ip dhcp-server
add address-pool=pool1-lan interface=br1-lan name=dhcp1-lan
add address-pool=pool2-guest interface=br2-guest name=dhcp2-guest

/port
set 0 name=serial0

/ppp profile
add local-address=10.8.8.1 name=ovpn remote-address=pool3-ovpn

/queue simple
add disabled=yes max-limit=10M/10M name=queue1-guest target=br2-guest

/routing table
add comment=wireguard_pia disabled=no fib name=wireguard-pia

/user group
add name=stat policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot\
    ,!write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!res\
    t-api"

/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993

/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=\
    -120..-80 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
    -79..120 ssid-regexp=""

/caps-man manager
set enabled=yes

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn,b \
    master-configuration=cfg-2g-lan name-format=prefix-identity name-prefix=\
    2g slave-configurations=cfg-2g-guest
add action=create-dynamic-enabled hw-supported-modes=an,ac \
    master-configuration=cfg-5g-lan name-format=prefix-identity name-prefix=\
    5g slave-configurations=cfg-5g-guest

/interface bridge port
add bridge=br1-lan interface=ether2
add bridge=br1-lan interface=ether3
add bridge=br1-lan interface=ether4
add bridge=br1-lan interface=ether5
add bridge=br1-lan interface=ether6
add bridge=br1-lan interface=ether7
add bridge=br1-lan interface=ether8
add bridge=br1-lan interface=ether9
add bridge=br1-lan interface=ether10

/interface list member
add interface=eth1-wan list=WAN
add interface=br1-lan list=LAN
add interface=pppoe-out1 list=WAN
add interface=br2-guest list=GUEST
add interface=ovpn-in1 list=LAN
add interface=wireguard-pia list=WAN

/interface ovpn-server server
set auth=sha1 certificate=ovpn-server cipher=aes256 default-profile=ovpn \
    enabled=yes require-client-certificate=yes
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=138.199.18.70 endpoint-port=\
    111 interface=wireguard-pia persistent-keepalive=25s public-key=\
    "1234"
/ip address
add address=192.168.88.1/24 interface=br1-lan network=192.168.88.0
add address=192.168.89.1/24 interface=br2-guest network=192.168.89.0
add address=10.10.153.238 comment=wireguard_pia interface=wireguard-pia \
    network=10.10.153.238

/ip cloud
set ddns-enabled=yes

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1

/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220

/ip firewall address-list
add address=192.168.88.50 disabled=yes list=under_vpn

/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections" \
    connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=drop chain=forward comment="Drop ping from WAN" in-interface-list=\
    WAN protocol=icmp
add action=drop chain=input in-interface-list=WAN protocol=icmp
add action=accept chain=forward comment="Accept connection from WAN to NAS" \
    dst-address=192.168.88.130 dst-port=5001 in-interface-list=WAN \
    log-prefix=" test" protocol=tcp
add action=accept chain=input comment="Accept ovpn connections" dst-port=1194 \
    protocol=tcp
add action=accept chain=forward comment=\
    "Accept only GUEST to WAN connections" in-interface-list=GUEST \
    out-interface-list=WAN
add action=accept chain=forward connection-state=established,related \
    in-interface-list=WAN out-interface-list=GUEST
add action=accept chain=output out-interface-list=GUEST
add action=drop chain=input in-interface-list=GUEST
add action=drop chain=forward in-interface-list=GUEST
add action=accept chain=forward comment="Accept connections within LAN" \
    in-interface-list=LAN out-interface-list=LAN
add action=accept chain=input in-interface-list=LAN
add action=accept chain=output out-interface-list=LAN
add action=accept chain=forward comment="Accept connections from LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=output out-interface-list=WAN
add action=accept chain=forward comment=\
    "Accept established and related connections from WAN" connection-state=\
    established,related in-interface-list=WAN out-interface-list=LAN
add action=accept chain=input connection-state=established,related \
    in-interface-list=WAN
add action=drop chain=forward comment="Drop everything else"
add action=drop chain=input
add action=drop chain=output

/ip firewall mangle
add action=mark-routing chain=prerouting comment=wireguard_pia dst-address=\
    !192.168.88.0/24 new-routing-mark=wireguard-pia passthrough=yes \
    src-address-list=under_vpn

/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Masquarade main internet connection" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=wireguard_pia out-interface=\
    wireguard-pia
add action=netmap chain=dstnat comment="Forward port from WAN to NAS" \
    dst-port=41414 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.88.130 to-ports=5001
add action=netmap chain=dstnat disabled=yes dst-port=41414 in-interface-list=\
    LAN protocol=tcp to-addresses=192.168.88.130 to-ports=5001

/ip route
add comment=wireguard_pia disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=wireguard-pia pref-src="" routing-table=wireguard-pia scope=30 \
    suppress-hw-offload=no target-scope=10

/ppp secret
add name=xps profile=ovpn service=ovpn

/routing rule
add action=lookup comment=wireguard_pia disabled=yes src-address=\
    192.168.88.50/32 table=wireguard-pia

/system clock
set time-zone-name=Europe

/system identity
set name=mikrotik
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CAPsMAN guest network can't access internet

Sat May 28, 2022 9:50 pm

From what I can see, you instruct the devices in the guest network to use the 3011 as a DNS server (/ip dhcp-server network), but there is no corresponding exception from the action=drop in-interface-list=GUEST rule in chain input of /ip firewall filter, so their DNS queries get dropped.

Other than that:
  • the rules in chain output of /ip firewall filter are effectively equivalent to no rule at all, except that they generate a useless CPU load
  • the rules in chain forward of filter could be optimised - namely, a single action=accept connection-state=established,related rule without any further restrictions could be put to the top and all other action=accept rules matching on connection-state=established,related could be removed, this is the essence of a stateful firewall
  • a rule action=accept in-interface-list=LAN out-interface-list=LAN only makes sense if you have multiple interfaces/subnets in LAN, which is not your case.
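
To make the first point above concrete, here is an added example (not from the thread and not MikroTik code) that models the input chain of /ip firewall filter from the posted export with RouterOS first-match semantics. The rules, their order and the interface lists are taken from the config; the packets are constructed samples, and the two accept rules for port 53 are the exception sindy describes, inserted directly above the blanket in-interface-list=GUEST drop.

```python
"""First-match model of the RouterOS input chain posted above (added example,
not from the thread or from MikroTik). Constructed packets show why guest
clients' DNS queries to 192.168.89.1 are dropped and how a port-53 exception
placed above the GUEST drop fixes it without opening anything else."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_list: str                 # interface list the packet arrived on
    protocol: str                # "udp", "tcp" or "icmp"
    dst_port: int = 0
    conn_state: str = "new"      # connection-tracking state


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    comment: str = ""
    in_list: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    conn_state: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        # Every matcher that is set must agree; an unset matcher matches anything.
        if self.in_list is not None and pkt.in_list != self.in_list:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.conn_state is not None and pkt.conn_state not in self.conn_state:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the chain top-down; the first matching accept/drop terminates.
    If nothing matches, RouterOS accepts the packet (implicit default)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "no rule matched (implicit accept)"


# The input chain exactly as exported in the post, in its original order.
ORIGINAL_INPUT = [
    Rule("drop", "invalid", conn_state=frozenset({"invalid"})),
    Rule("drop", "ping from WAN", in_list="WAN", protocol="icmp"),
    Rule("accept", "Accept ovpn connections", protocol="tcp", dst_port=1194),
    Rule("drop", "drop GUEST", in_list="GUEST"),
    Rule("accept", "accept LAN", in_list="LAN"),
    Rule("accept", "established from WAN", in_list="WAN",
         conn_state=frozenset({"established", "related"})),
    Rule("drop", "drop everything else"),
]

# The exception sindy describes: guest clients may reach the router's
# resolver on UDP and TCP 53 and nothing else.
GUEST_DNS_EXCEPTIONS = [
    Rule("accept", "GUEST DNS (udp)", in_list="GUEST", protocol="udp", dst_port=53),
    Rule("accept", "GUEST DNS (tcp)", in_list="GUEST", protocol="tcp", dst_port=53),
]


def fixed_input() -> List[Rule]:
    """Insert the DNS exceptions directly above the blanket GUEST drop;
    placing them below it would change nothing, since first match wins."""
    idx = next(i for i, r in enumerate(ORIGINAL_INPUT)
               if r.in_list == "GUEST" and r.action == "drop")
    return ORIGINAL_INPUT[:idx] + GUEST_DNS_EXCEPTIONS + ORIGINAL_INPUT[idx:]


FIXED_INPUT = fixed_input()

# Constructed sample traffic addressed to the router itself.
GUEST_DNS = Packet(in_list="GUEST", protocol="udp", dst_port=53)
GUEST_WINBOX = Packet(in_list="GUEST", protocol="tcp", dst_port=8291)
LAN_DNS = Packet(in_list="LAN", protocol="udp", dst_port=53)


def verdict(chain: List[Rule], pkt: Packet) -> str:
    return evaluate(chain, pkt)[0]


if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL_INPUT), ("fixed", FIXED_INPUT)):
        for label, pkt in (("guest DNS", GUEST_DNS),
                           ("guest winbox", GUEST_WINBOX),
                           ("LAN DNS", LAN_DNS)):
            print(f"{name:8} {label:12} -> {evaluate(chain, pkt)}")
```

The same evaluator can be pointed at the forward chain to check the second bullet: with a single accept connection-state=established,related rule at the top, every later accept that matches on established,related becomes unreachable and can be deleted without changing any verdict. The replies to guest DNS queries leave through chain output, which the posted config already accepts for out-interface-list=GUEST, so the input-chain exception is the only rule missing.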
