after managing to make the internet access working with your help, I want to setup the following infrastructure with the hEX S (image attached): The three Access Points are for three different apartments. All of them should have internet access, their own network address and DHCP server while not being able to see computers from other networks/access points.
To achieve this I went through a tutorial with the help of a friend who is experienced setting up networks and VLANs. But The result with the current state is, that a (windows) computer connected to VLAN 1 does not get an IP address assigned. We were not able to find the reason for this.
Note: I want the three VLANS to be untagged, since the apartments residents will/can bring their own access points. So I do not want those access points need to be configured to work with a certain VLAN only.
This is the current config:
Code: Select all
[admin@RouterOS] > export hide-sensitive
# oct/16/2022 12:37:58 by RouterOS 6.48.6
# software id = QXQC-WMAZ
#
# model = RB760iGS
# serial number = HD2086154BV
/interface bridge
add admin-mac=18:FD:74:8B:4F:B0 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan101 vlan-id=101
add interface=bridge name=vlan102 vlan-id=102
add interface=bridge name=vlan103 vlan-id=103
add interface=ether1 name=vlan_wan vlan-id=132
/interface ethernet switch port
set 2 default-vlan-id=101
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool101 ranges=192.168.101.10-192.168.101.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool101 disabled=no interface=vlan101 name=dhcp101
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=101
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=102
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=103
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge vlan-ids=102
add bridge=bridge tagged=ether1 vlan-ids=103
add bridge=bridge untagged=ether3 vlan-ids=101
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlan_wan list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.101.1/24 interface=vlan101 network=192.168.101.0
add address=192.168.102.1/24 interface=vlan102 network=192.168.102.0
add address=192.168.103.1/24 interface=vlan103 network=192.168.103.0
/ip dhcp-client
add comment=defconf disabled=no interface=vlan_wan
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.101.0/32 dns-server=192.168.88.1,195.43.113.130 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=vlan_wan \
out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=vlan_wan
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thank you so much in advance!