I have created two different bridges, one for wired devices and another one for the wireless ones. My idea is to allow unrestricted communication in the wired->wireless direction, and only some specific communication in the reverse direction. However, even though all the information I find implies that communication between bridges is unrestricted by default, I can't get devices on the two different bridges to communicate with each other. Devices on both bridges can access the internet, and they can also both reach the router's IP on either network (192.168.1.1 and 192.168.2.1).
My entire configuration is as follows:
# jan/13/2023 07:55:41 by RouterOS 7.5
# software id = 3NFC-4UGM
#
# model = RBD53iG-5HacD2HnD
# serial number = HDB08D5DAFZ
#
# Full configuration export. Two separate L2 bridges ("local" = wired ports,
# "wlan-bridge" = the two radios), each with its own /24, DHCP server and
# gateway address. WAN is VLAN 20 on ether1 (DHCP client + masquerade NAT).
# Traffic between the two bridges is routed by the router at L3
# (192.168.1.1 <-> 192.168.2.1); nothing in /ip firewall filter below touches
# the forward chain, so the filter neither blocks nor restricts that traffic.
/interface bridge
# Ports are assigned under /interface bridge port further down.
add name=local
add name=wlan-bridge
/interface ethernet
# ether5 is unused and disabled. ether1 is not a bridge port: it carries the
# WAN VLAN only.
set [ find default-name=ether5 ] disabled=yes
/interface wireless
# Both physical radios run as access points (mode=ap-bridge) and are added to
# wlan-bridge below; WPS is disabled on both.
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
country=spain disabled=no frequency=2452 mode=ap-bridge ssid=wlan-sc-2 \
wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac country=spain disabled=no \
frequency=auto mode=ap-bridge ssid=wlan-sc-5 wps-mode=disabled
/interface vlan
# WAN sub-interface (ISP VLAN 20) on ether1 with a reduced MTU.
# NOTE(review): the 1488 MTU presumably matches the ISP's encapsulation — confirm.
add interface=ether1 mtu=1488 name=vlan-pepephone vlan-id=20
/interface list
# Groups both bridges; used below to scope neighbor discovery and the MAC servers.
add name=list-bridge
/interface wireless security-profiles
# WPA2-PSK with dynamic keys for the main SSIDs (default profile) and a
# separate "guest" profile. Pre-shared keys are not shown in this export.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
/interface wireless
# Virtual AP on wlan1 with its own SSID and the "guest" security profile.
# wds-default-bridge is a WDS-specific setting and here points at the wired
# bridge "local".
# NOTE(review): wlan-guest is not listed under /interface bridge port below,
# so it is a member of neither bridge and has no DHCP scope in this export —
# confirm that guest clients are meant to get an address/L2 path somewhere.
add disabled=no mac-address=1A:FD:74:DF:40:C2 master-interface=wlan1 name=\
wlan-guest security-profile=guest ssid=lawifi wds-default-bridge=local \
wps-mode=disabled
/ip pool
# One address pool per bridge network.
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
# dhcp1 serves the wired bridge, dhcp2 the wireless bridge.
add address-pool=dhcp_pool0 interface=local name=dhcp1
add address-pool=dhcp_pool1 interface=wlan-bridge name=dhcp2
/interface bridge port
# Wired ports ether2-4 -> "local"; both radios -> "wlan-bridge".
# wlan-guest is not a member of either bridge (see note above).
add bridge=local interface=ether2
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=wlan-bridge interface=wlan1
add bridge=wlan-bridge interface=wlan2
/ip neighbor discovery-settings
# Neighbor discovery is limited to the two bridges (not the WAN VLAN).
set discover-interface-list=list-bridge
/interface list member
add interface=local list=list-bridge
add interface=wlan-bridge list=list-bridge
/ip address
# Router's gateway address on each bridge; these two /24s are routed
# directly between each other by the router.
add address=192.168.1.1/24 interface=local network=192.168.1.0
add address=192.168.2.1/24 interface=wlan-bridge network=192.168.2.0
/ip dhcp-client
# WAN address is obtained by DHCP on the VLAN 20 sub-interface.
add interface=vlan-pepephone
/ip dhcp-server lease
# Static leases on the wired network; 192.168.1.137 is also the DNS server
# handed to wired clients below.
add address=192.168.1.137 mac-address=1C:69:7A:A0:4E:3F server=dhcp1
add address=192.168.1.132 mac-address=D8:5E:D3:06:59:AB server=dhcp1
/ip dhcp-server network
# Wired clients get a LAN host (192.168.1.137) as DNS; wireless clients get
# public resolvers, so they do not depend on reaching the wired network.
add address=192.168.1.0/24 dns-server=192.168.1.137 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=1.1.1.1,212.230.135.1 gateway=\
192.168.2.1
/ip firewall filter
# Only the input chain (traffic addressed to the router itself) is filtered,
# and the drop rules apply only to the WAN interface: established/related is
# accepted, invalid dropped, ICMP from WAN accepted, all else from WAN dropped.
# NOTE(review): there is no forward chain at all, so routed traffic between
# wlan-bridge and local is unrestricted in both directions; the intended
# "wireless -> wired only for specific services" policy is not implemented
# here. Since the filter does not block it, a failure of inter-bridge traffic
# is more likely on the end hosts (host firewalls commonly reject traffic
# from other subnets) — confirm with a packet capture on the router.
# NOTE(review): input from both bridges is unfiltered, so wireless clients can
# reach the management services configured under /ip service below (www on
# 8080, ssh on 3242) — confirm that is intended for the wireless side.
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=\
vlan-pepephone protocol=icmp
add action=drop chain=input comment="block everything else" in-interface=\
vlan-pepephone
/ip firewall nat
# Source NAT for everything leaving via the WAN VLAN (covers both bridges).
add action=masquerade chain=srcnat out-interface=vlan-pepephone
/ip service
# Telnet, FTP, API, API-SSL and Winbox are disabled; HTTP is moved to 8080
# and SSH to 3242. Moving ports is not a substitute for the input filter,
# which above only drops traffic arriving on the WAN interface.
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh port=3242
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
# Restricts SSH to strong ciphers/MACs.
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Madrid
/tool bandwidth-server
# Bandwidth-test server disabled.
set enabled=no
/tool mac-server
# MAC-telnet and MAC-winbox are reachable from both bridges (list-bridge),
# i.e. from wireless clients too, even though the IP winbox service is
# disabled above.
# NOTE(review): confirm whether MAC-level management should be limited to
# the wired bridge only.
set allowed-interface-list=list-bridge
/tool mac-server mac-winbox
set allowed-interface-list=list-bridge