 
stpaulshobonier
just joined
Topic Author
Posts: 12
Joined: Thu Apr 07, 2022 4:34 am

wifi does not work

Sat Aug 06, 2022 4:46 am

Wireless is not working. I was trying to configure the wifi so that it has its own DHCP server with a range different from my LAN range. I hope someone can help me.

Lan is 192.168.200.1/24
wired Eth 4 192.168.6.1/24
wireless 192.168.50.1/24

here is my config
# feb/16/1970 19:26:39 by RouterOS 7.3.1
# software id = BD8G-SELR
#
# model = RB941-2nD
# serial number = <CENSORED>
# NOTE(review): the export timestamp above is in 1970, i.e. the system clock
# had not been set when this export was taken.
#
# Three bridges: "bridge" (main LAN, fixed admin MAC), "bridge-wireless" and
# "bridge2". Their member ports are listed under /interface bridge port.
/interface bridge
add admin-mac=DC:2C:6E:61:CC:0F auto-mac=no comment=defconf name=bridge
add name=bridge-wireless
add name=bridge2
# wlan1 runs as a 2.4 GHz access point (mode=ap-bridge).
# NOTE(review): default-authentication=no makes the AP refuse every client
# that is not matched by an /interface wireless access-list entry, and this
# export contains no access-list section - a likely reason clients cannot
# connect. No security-profile= is set here, so wlan1 presumably uses the
# default profile configured further down - confirm.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="united states" default-authentication=no disabled=no distance=\
    indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    "St.paul Luthuran church" wireless-protocol=802.11
# Interface lists used by neighbor discovery and the MAC server settings.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default security profile: WPA2-PSK only.
# NOTE(review): no pre-shared key is visible in this export; exports can omit
# sensitive values, so confirm on the router that a key is actually set.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
# DHCP server on the main bridge with no address-pool given; the static
# leases later in this export are bound to it by name.
/ip dhcp-server
add interface=bridge name="Stadic only"
# One address pool per subnet: LAN, bridge2 and wireless.
/ip pool
add name=dhcp ranges=192.168.200.10-192.168.200.254
add name=pool2 ranges=192.168.6.2-192.168.6.254
add name=pool-wirteless ranges=192.168.50.2-192.168.50.254
# server1 (pool-based, on the main bridge) is disabled, so the main bridge
# is served only by "Stadic only"; bridge2 and bridge-wireless each have
# their own pool-based server.
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=bridge name=server1
add address-pool=pool2 interface=bridge2 name=dhcp2
add address-pool=pool-wirteless interface=bridge-wireless name=\
    server-wireless
# Rate limits per subnet (value format is upload/download as seen from the
# target - TODO confirm direction against the RouterOS queue documentation).
/queue simple
add max-limit=500k/2M name=Wireless target=192.168.50.0/24
add max-limit=1M/4M name="eth2 6.1/24" target=192.168.6.0/24
# NOTE(review): an OSPF instance is enabled while its only area is disabled
# and nothing else in this export refers to OSPF - presumably a leftover;
# confirm and remove it if no dynamic routing is intended.
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Port membership: ether2 -> bridge2; ether3, ether4, pwr-line1 -> bridge;
# wlan1 -> bridge-wireless.
# NOTE(review): the post text places 192.168.6.1/24 on "Eth 4", but here
# ether4 is a port of the main bridge (192.168.200.0/24) and ether2 is the
# bridge2 port. If the separated network is really cabled to ether4, it is
# currently on the main LAN - verify the cabling against this list.
/interface bridge port
add bridge=bridge2 comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=pwr-line1
add bridge=bridge-wireless interface=wlan1
# Neighbor discovery is limited to the LAN interface list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
# IPv6 is switched off entirely.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# NOTE(review): detect-internet is running on all interfaces; nothing else
# in this export depends on it - presumably it can be set to none, confirm.
/interface detect-internet
set detect-interface-list=all
# Only "bridge" is in LAN and only ether1 is in WAN; bridge2 and
# bridge-wireless belong to no list, so the LAN-scoped settings (neighbor
# discovery, MAC server) do not cover them.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): md5 is listed as an accepted hash for the OpenVPN server.
# The export does not show the server as enabled; if it is ever enabled,
# remove md5 from this list first.
/interface ovpn-server server
set auth=sha1,md5
# Router addresses: main LAN on bridge, static WAN address on ether1,
# 192.168.6.1/24 on bridge2 and 192.168.50.1/24 on bridge-wireless.
/ip address
add address=192.168.200.1/24 comment=defconf interface=bridge network=\
    192.168.200.0
add address=192.168.254.3/24 interface=ether1 network=192.168.254.0
add address=192.168.6.1/24 interface=bridge2 network=192.168.6.0
add address=192.168.50.1/24 interface=bridge-wireless network=192.168.50.0
# The WAN DHCP client is disabled; ether1 uses the static address above.
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 use-peer-dns=no
# Static leases for the main LAN, all bound to the "Stadic only" server.
# NOTE(review): these are real device MAC addresses in a public post;
# consider masking them when sharing a configuration.
/ip dhcp-server lease
add address=192.168.200.3 comment="Church computer" mac-address=\
    EC:A8:6B:94:8E:9E server="Stadic only"
add address=192.168.200.10 comment="Austins Cell phone" disabled=yes \
    mac-address=A8:76:50:1B:85:38 server="Stadic only"
add address=192.168.200.4 comment="church printer" mac-address=\
    00:21:B7:AF:8A:BE server="Stadic only"
# Per-subnet options handed to DHCP clients. All three entries give clients
# the public resolvers directly rather than the router.
# NOTE(review): the first entry is for 192.168.0.0/24 with netmask=16 and
# gateway 192.168.200.1; it does not match the 192.168.200.0/24 subnet used
# on the main bridge, so LAN clients presumably receive no gateway/DNS from
# it - confirm and change it to 192.168.200.0/24 with netmask=24.
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=9.9.9.9,149.112.112.112 \
    gateway=192.168.200.1 netmask=16
add address=192.168.6.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=\
    192.168.6.1 netmask=24
add address=192.168.50.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=\
    192.168.50.1
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# from any host that can reach it, so access must be limited by input-chain
# rules. The DHCP networks above do not point clients at the router, so the
# resolver may not need to be open at all.
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,149.112.112.112
/ip dns static
add address=192.168.200.1 comment=defconf name=router.lan
# Filter rules are evaluated top to bottom within each chain.
# NOTE(review): no rule in this section accepts established/related
# connections, and no rule is limited to an interface or interface list, so
# every rule below applies to traffic from all interfaces, LAN included.
/ip firewall filter
# Two disabled forward rules (their own comment says not to enable them).
add action=drop chain=forward comment="do not enable BLOCKED THRU ROUTER" \
    disabled=yes dst-port=!80,443,53,8291 protocol=tcp
add action=drop chain=forward comment="do not enable BLOCKED THRU ROUTER" \
    disabled=yes dst-port=!53 protocol=udp
# Drops TCP addressed to the router itself on every port except 80, 443, 53.
add action=drop chain=input comment="allow only HTTP HTTPS DNS " dst-port=\
    !80,443,53 protocol=tcp
# NOTE(review): the comment says "ALLOW ONLY DNS", but dst-port=53 has no "!",
# so this rule drops UDP DNS queries sent to the router - the opposite.
add action=drop chain=input comment="ALLOW ONLY DNS" dst-port=53 protocol=udp
# Output chain = traffic originated by the router itself.
add action=drop chain=output dst-port=!80,443,53 protocol=tcp
add action=drop chain=output comment="ALLOW ONLY DNS OUT TO INTERNET" \
    dst-port=!53 protocol=udp
# NOTE(review): the next four rules drop every TCP and UDP port in both the
# output and the input chain. That overrides the port exceptions above: the
# router can no longer be reached over TCP/UDP from any interface and cannot
# open TCP/UDP connections of its own (DNS lookups, time sync).
add action=drop chain=output comment="blocked OUT TO INTERNET" dst-port=\
    0-65535 protocol=tcp
add action=drop chain=output comment="blocked OUT TO INTERNET" dst-port=\
    0-65535 protocol=udp
add action=drop chain=input comment="blocked to internet" dst-port=0-65535 \
    protocol=tcp
add action=drop chain=input comment="blocked to internet" dst-port=0-65535 \
    protocol=udp
# Subnet separation: packets from the wireless subnet and from
# 192.168.6.0/24 towards the main LAN 192.168.200.0/24 are dropped.
# NOTE(review): nothing here separates 192.168.50.0/24 and 192.168.6.0/24
# from each other.
add action=drop chain=forward comment="block guset from lan " dst-address=\
    192.168.200.0/24 src-address=192.168.50.0/24
add action=drop chain=forward comment="ETH2 SEPERATE DHCP 6.1" dst-address=\
    192.168.200.0/24 src-address=192.168.6.0/24
# Long deny-list of individual IP protocols in the forward chain.
# NOTE(review): there is no final drop rule and no rule scoped to the WAN
# list, so forwarded TCP, UDP and ICMP that match nothing above are accepted
# by default. An accept-what-is-needed, drop-the-rest rule set is shorter
# and easier to audit than this list.
add action=drop chain=forward protocol=ggp
add action=drop chain=forward protocol=st
add action=drop chain=forward protocol=igmp
add action=drop chain=forward protocol=egp
add action=drop chain=forward protocol=ipencap
add action=drop chain=forward protocol=pup
add action=drop chain=forward protocol=hmp
add action=drop chain=forward protocol=xns-idp
add action=drop chain=forward protocol=rdp
add action=drop chain=forward protocol=iso-tp4
add action=drop chain=forward protocol=dccp
add action=drop chain=forward protocol=xtp
add action=drop chain=forward protocol=ddp
add action=drop chain=forward protocol=idpr-cmtp
add action=drop chain=forward protocol=rsvp
add action=drop chain=forward protocol=ipv6-encap
add action=drop chain=forward protocol=gre
add action=drop chain=forward protocol=ipsec-esp
add action=drop chain=forward protocol=ipsec-ah
add action=drop chain=forward protocol=rspf
add action=drop chain=forward protocol=vmtp
add action=drop chain=forward protocol=ospf
add action=drop chain=forward protocol=ipip
add action=drop chain=forward protocol=etherip
add action=drop chain=forward protocol=encap
add action=drop chain=forward protocol=pim
add action=drop chain=forward protocol=vrrp
add action=drop chain=forward protocol=l2tp
add action=drop chain=forward protocol=sctp
add action=drop chain=forward protocol=udp-lite
# Drops all ICMP addressed to the router, including ping from the LAN.
add action=drop chain=input protocol=icmp
# Source NAT for everything leaving through the WAN list (ether1).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Static default route via the upstream device at 192.168.254.254.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.254.254
# Plain HTTP management is off, HTTPS management is on.
# NOTE(review): no certificate and no address= restriction appear for
# www-ssl, and the other services (telnet, ftp, ssh, api, winbox) are not
# listed, so they are presumably in their default state - confirm and
# disable what is not used.
/ip service
set www disabled=yes
set www-ssl disabled=no
# NOTE(review): UPnP interfaces are defined; the export does not show
# whether UPnP itself is enabled. If it is, LAN hosts can ask the router to
# open inbound port mappings - confirm it is off unless required.
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=America/Chicago
# NOTE(review): the NTP client is in broadcast mode with no servers listed,
# which fits the 1970 timestamp at the top of this export - presumably the
# clock is never synchronised; confirm.
/system ntp client
set mode=broadcast
# MAC-Telnet and MAC-Winbox are accepted only on the LAN interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
holvoetn
Forum Guru
Forum Guru
Posts: 1380
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: wifi does not work

Sat Aug 06, 2022 9:53 am

Before we can start:
1- it would help if you also provide a small drawing of how your network looks like. Where does the RB941 fit in, where is the device connecting to internet, where is DHCP server (on which subnet), ...
2- it is advised to post your config between [code] quotes. Much easier to read the post for everyone.
3- when you post your config, make sure any info which is public/secret, is sanitized. Like e.g. your serial number...
4- CLEARLY specify WHAT you want to do (and why). It will help us understand what direction you want to go to. I made an assumption further down.

To get the context correct:
I assume you CAN see the SSID being broadcast by Wifi but your problem is you do not get a valid connection ?
That's something else than "Wifi does not work". The fact that you can see the SSID means wifi DOES work. It's what comes next that is not correct. But that's not wifi anymore; it could possibly even happen if you connect using a cable. Do you understand what I am getting at? Name things correctly; it will help to diagnose correctly and faster.
(and I know it is not that obvious for someone not used to this stuff)

Assumptions:
- You want to provide "free wifi" for church members but separate that from normal network traffic ?
- connection from that RB941 towards network is on eth1 ? Please indicate as well on drawing.
- other ethernet ports are not used ?

Questions:
- why do you use 2 bridges ? Using VLAN would be more logical.

Can you provide that drawing please ? It will help a lot. A clear drawing on paper scanned in and posted here is sufficient, it doesn't always have to be a full-blown network diagram using commercial tools :D
 
anav
Forum Guru
Forum Guru
Posts: 12497
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: wifi does not work

Sat Aug 06, 2022 1:47 pm

You should remove all the firewall rules you added from YouTube and stick with the defaults for the main part, and yes: use one bridge, with VLANs for the subnets.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
stpaulshobonier
just joined
Topic Author
Posts: 12
Joined: Thu Apr 07, 2022 4:34 am

Re: wifi does not work

Sat Aug 06, 2022 8:56 pm

Here is how I have my network

Eth 1 192.168.254.3. Static from isp modem Frontier
ETH 2 192.168.200.2. PRINTER
ETH3 192.168.200.3. COMPUTER
ETH4. 192.168.6.1/24. DHCP Pastors house
Last edited by stpaulshobonier on Sun Aug 07, 2022 12:25 am, edited 1 time in total.
 
stpaulshobonier
just joined
Topic Author
Posts: 12
Joined: Thu Apr 07, 2022 4:34 am

Re: wifi does not work

Sat Aug 06, 2022 9:08 pm

I want to provide "free wifi" for church members but separate that from normal network traffic


When I said the wifi is not working, I meant that it won't let me connect to the SSID; it says "unable to connect".
 
erlinden
Forum Guru
Forum Guru
Posts: 1101
Joined: Wed Jun 12, 2013 1:59 pm

Re: wifi does not work

Sun Aug 07, 2022 2:25 pm

You might want to try:
  • select a channel manually (choose one of 1/6/11, i.e. 2412/2437/2462 MHz; use a scanner to find the least used channel)
  • use 20MHz bandwidth (and no extension channel)
  • only use g/n, b is like very very old
What is the logging saying in regards to failing connection?
Have you changed date/time already?

And please provide meaningful information on the questions asked before.
First the problem, then the solution
 
holvoetn
Forum Guru
Forum Guru
Posts: 1380
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: wifi does not work

Sun Aug 07, 2022 2:26 pm

And please provide meaningful information on the questions asked before.
I repeat, small drawing, please 8)
 
BrateloSlava
Frequent Visitor
Frequent Visitor
Posts: 64
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine

Re: wifi does not work

Sun Aug 07, 2022 3:09 pm

I don't like default settings, so I would set it all up in a few steps.

This is the base option. After verifying that everything is working as expected, you should optimize the WiFi channel selection and tweak the firewall rules a bit. Everything, that I wrote below, is given only as a general guide for setting up.

##### Phase 1 - basic setup
### Preparing lists of interfaces
### (WAN = uplink, LAN = trusted side, Guest = free WiFi; the Phase 4
### firewall rules are written against these lists, not against addresses)
/interface list add name=WAN
/interface list add name=LAN
/interface list add name=Guest


### Create bridge for LAN
/interface bridge add name=bridge1


### Adding Interfaces to Lists (Step 1)
/interface list member add interface=bridge1 list=LAN
/interface list member add interface=ether1 list=WAN


### Search for "neighbor" devices - only for LAN list
/ip neighbor discovery-settings set discover-interface-list=LAN


### Create wireless profile for internal WiFi
### NOTE(review): the key below is a sample - replace it with your own long
### passphrase. It also contains "#", which RouterOS scripting can treat as
### the start of a comment; put the value in double quotes to be safe.
### disable-pmkid=yes stops the AP from including the PMKID in the EAPOL
### frame, which removes one source of material for offline guessing of the
### pre-shared key.
/interface wireless security-profiles add authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys name=profile_internal supplicant-identity="" wpa2-pre-shared-key=SuPeR#pAsSw0Rd

### Make settings for Internal WiFi (InternalSSID)
### (uses profile_internal; WPS is disabled)
/interface wireless set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode antenna-gain=0 band=2ghz-onlyn channel-width=20/40mhz-XX country="united states" disconnect-timeout=5s distance=indoors frame-lifetime=500 frequency=auto hw-protection-mode=rts-cts hw-retries=5 max-station-count=20 mode=ap-bridge security-profile=profile_internal ssid=InternalSSID wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled disabled=no


### Adding ports to the internal bridge
### (the internal WiFi is bridged with ether2/ether3, so it is part of the
### trusted LAN)
/interface bridge port add bridge=bridge1 ingress-filtering=no interface=ether2
/interface bridge port add bridge=bridge1 ingress-filtering=no interface=ether3
/interface bridge port add bridge=bridge1 ingress-filtering=no interface=wlan1


### Set the address for the external interface
/ip address add address=192.168.254.3/24 interface=ether1 network=192.168.254.0


### Setting up a DNS server
### NOTE(review): allow-remote-requests=yes turns the router into a resolver
### for anyone who can reach it; it is only safe together with the Phase 4
### input rules, which accept the LAN list and drop everything else.
/ip dns set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1


### Setting the default route
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.254.254


### Setting up the time zone
/system clock set time-zone-name=America/Chicago


### Configure the client for time synchronization (it is better to replace the servers with those, that are closer to you)
### (the NTP server is also enabled so that DHCP clients can use the router
### as their time source, see ntp-server= in the DHCP networks)
/system ntp client set enabled=yes
/system ntp server set enabled=yes manycast=yes
/system ntp client servers add address=62.149.0.30
/system ntp client servers add address=31.28.161.71


### Set the address for the internal interface
/ip address add address=192.168.200.1/24 interface=bridge1 network=192.168.200.0


### Setting up a DHCP server for the internal network
### (clients get the router as gateway, DNS and NTP server)
/ip pool add name=pool-LAN ranges=192.168.200.10-192.168.200.254
/ip dhcp-server add add-arp=yes address-pool=pool-LAN authoritative=after-2sec-delay interface=bridge1 lease-time=1d name=dhcp-LAN use-framed-as-classless=no
/ip dhcp-server network add address=192.168.200.0/24 dns-server=192.168.200.1 domain=loc gateway=192.168.200.1 netmask=24 ntp-server=192.168.200.1

### Static leases carried over from the original configuration
/ip dhcp-server lease add address=192.168.200.3 comment="Church computer" mac-address=EC:A8:6B:94:8E:9E server=dhcp-LAN
/ip dhcp-server lease add address=192.168.200.4 comment="Church printer" mac-address=00:21:B7:AF:8A:BE server=dhcp-LAN
/ip dhcp-server lease add address=192.168.200.10 comment="Austins Cell phone" disabled=yes mac-address=A8:76:50:1B:85:38 server=dhcp-LAN


### Some settings
### (turns off the listed connection-tracking helpers, the bandwidth-test
### server and the telnet/api/api-ssl services, enables firmware
### auto-upgrade and strong SSH crypto; www and ssh are disabled in Phase 5)
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip firewall connection tracking set icmp-timeout=30s tcp-close-wait-timeout=1m tcp-established-timeout=1h tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s tcp-syn-received-timeout=1m tcp-syn-sent-timeout=2m tcp-time-wait-timeout=2m udp-stream-timeout=2m udp-timeout=30s
/system routerboard settings set auto-upgrade=yes
/tool bandwidth-server set enabled=no
/ip service set telnet disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set strong-crypto=yes

### Internal -> Internet
/ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

##### Phase 2 - create settings for Pastors house
### Adding Interfaces to Lists (Step 2)
### NOTE(review): ether4 is put into the LAN list, so the Phase 4 rules that
### accept in-interface-list=LAN treat the Pastor's house as fully trusted:
### it can reach the router's management services and 192.168.200.0/24, and
### the Phase 5 MAC server setting covers it as well. The original
### configuration had a forward rule dropping 192.168.6.0/24 towards
### 192.168.200.0/24. If that separation is still wanted, give ether4 its
### own interface list and allow it only what it needs instead of adding it
### to LAN.
/interface list member add interface=ether4 list=LAN


### Set the address for the Ether4 (Pastors house)
/ip address add address=192.168.6.1/24 interface=ether4 network=192.168.6.0


### Setting up a DHCP server for the Pastors house network
### (clients use the router, 192.168.6.1, as gateway, DNS and NTP server,
### so any tighter input rules for this network must still allow DNS and NTP)
/ip pool add name=pool-house ranges=192.168.6.2-192.168.6.254
/ip dhcp-server add add-arp=yes address-pool=pool-house authoritative=after-2sec-delay interface=ether4 lease-time=1d name=dhcp-house use-framed-as-classless=no
/ip dhcp-server network add address=192.168.6.0/24 dns-server=192.168.6.1 domain=loc gateway=192.168.6.1 netmask=24 ntp-server=192.168.6.1

##### Phase 3 - create free WiFi
### Create virtual WiFi interface
### NOTE(review): profile-free is created without authentication-types or a
### key, so the guest SSID is presumably open and unencrypted - confirm that
### this is intended for the free WiFi.
### default-forwarding=no keeps wireless clients of this AP from talking to
### each other. arp=reply-only together with add-arp=yes on the DHCP server
### below means the router only answers hosts that obtained a lease, so a
### guest with a hand-configured address gets no connectivity.
/interface wireless security-profiles add name=profile-free supplicant-identity=""
/interface wireless add arp=reply-only default-forwarding=no disabled=no keepalive-frames=disabled master-interface=wlan1 multicast-buffering=disabled name=wlan-free security-profile=profile-free ssid="St.paul Luthuran church" wds-cost-range=0 wds-default-cost=0 wps-mode=disabled


### Adding Interfaces to Lists (Step 3)
### (wlan-free is not a bridge port; it is a routed interface of its own in
### the Guest list)
/interface list member add interface=wlan-free list=Guest


### Set the address for virtual WiFi interface
/ip address add address=192.168.50.1/24 interface=wlan-free network=192.168.50.0


### Setting up a DHCP server for virtual WiFi interface
### (guests get public DNS and NTP servers, so they need no access to
### services on the router itself; short 30m leases suit visiting devices)
/ip pool add name=pool-free ranges=192.168.50.2-192.168.50.254
/ip dhcp-server add add-arp=yes address-pool=pool-free authoritative=after-2sec-delay interface=wlan-free lease-time=30m name=dhcp-free use-framed-as-classless=no
/ip dhcp-server network add address=192.168.50.0/24 dns-server=208.67.222.222,208.67.220.220,8.8.8.8,8.8.4.4 domain=guest.loc gateway=192.168.50.1 netmask=24 ntp-server=62.149.0.30,31.28.161.71

##### Phase 4 - firewall rules
### Rule order matters: each "add" appends to the end of the filter table.
### NOTE(review): on a router that still holds older filter rules, these end
### up after them and the older rules are matched first - remove the old
### rules before applying this phase, and apply it from a connection that
### the new rules allow (an interface in the LAN list).
###
### 1) Accept traffic belonging to connections that are already known.
/ip firewall filter add action=accept chain=input comment="Handle (input) already established, related, untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="Handle (forward) already established, related, untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=output comment="Handle (output) already established, related connections" connection-state=established,related
### 2) Drop invalid packets and non-SYN "new" TCP arriving from the WAN list.
### NOTE(review): these drops are limited to in-interface-list=WAN; invalid
### packets from LAN fall through to the LAN accept rules below.
/ip firewall filter add action=drop chain=input comment="Drop invalid" connection-state=invalid in-interface-list=WAN
/ip firewall filter add action=drop chain=forward connection-state=invalid in-interface-list=WAN
/ip firewall filter add action=drop chain=input comment="TCP non SYN scan attack input" connection-state=new in-interface-list=WAN protocol=tcp tcp-flags=!syn
/ip firewall filter add action=drop chain=forward comment="TCP non SYN scan attack forward" connection-state=new in-interface-list=WAN protocol=tcp tcp-flags=!syn
/ip firewall filter add action=drop chain=input comment="Drop Neighbor Discovery" dst-port=5678 in-interface-list=WAN protocol=udp
### 3) Rate-limited ICMP to the router from any interface (WAN and Guest
###    included); anything above the limit is dropped.
/ip firewall filter add action=accept chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp
/ip firewall filter add action=drop chain=input comment="Drop excess pings" protocol=icmp
### 4) Everything in the LAN list is trusted: full access to the router and
###    to every other network. This includes ether4 once Phase 2 is applied.
/ip firewall filter add action=accept chain=input comment="Allow LAN  ->" in-interface-list=LAN
/ip firewall filter add action=accept chain=forward in-interface-list=LAN
/ip firewall filter add action=accept chain=output out-interface-list=LAN
### 5) Guests may only be forwarded out of the WAN list; there is no input
###    accept for Guest, so guests cannot reach the router's services.
### NOTE(review): "out of WAN" includes the 192.168.254.0/24 network on
### ether1, where the upstream device at 192.168.254.254 sits; add a drop
### for that destination ahead of this rule if guests should not reach it.
/ip firewall filter add action=accept chain=forward comment="Allow Guest -> Internet" in-interface-list=Guest out-interface-list=WAN
/ip firewall filter add action=accept chain=output comment="Allow output (new)" connection-state=new
### 6) Optional logging of whatever is about to be dropped (disabled).
/ip firewall filter add action=log chain=input comment="Log everything else" disabled=yes
/ip firewall filter add action=log chain=forward disabled=yes
/ip firewall filter add action=log chain=output disabled=yes
### 7) Default deny: anything not accepted above is dropped in all chains.
/ip firewall filter add action=drop chain=input comment="Drop everything else"
/ip firewall filter add action=drop chain=forward
/ip firewall filter add action=drop chain=output

##### Phase 5 - final
### Restrict MAC-Telnet / MAC-Winbox to the LAN list and switch off the
### HTTP and SSH management services.
### NOTE(review): the winbox service is not mentioned anywhere in this
### guide, so it presumably stays enabled as the remaining management path;
### the Phase 4 input rules limit it to the LAN list. Setting address= on
### the winbox service to the management subnet would narrow it further.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip service set www disabled=yes
/ip service set ssh disabled=yes

It seems that I wrote correctly, although errors are possible. :?
