Community discussions

MikroTik App
 
SirAlex
just joined
Topic Author
Posts: 1
Joined: Sun Jan 22, 2023 4:55 am

Help With Isolating Guest WiFi SSID with VLAN

Mon Jan 23, 2023 12:28 am

Hello,

A newbie question. Any insight is appreciated.

I have 2 Mikrotik devices, one acts as a router and DHCP server and the other acts as wifi AP.
My current home setup
NetworkMap.drawio (1).png
I'm trying to get WLAN3 on vlan 999, and get response from DHCP server on the other device. Currently I'm getting stuck at waiting for DHCP lease. The rest of the network is working perfectly fine.


My configurations on both devices.
# model = CRS305-1G-4S+
/interface bridge
add admin-mac=74:4D:28:B7:42:78 auto-mac=no comment=defconf name=bridge_LAN \
    vlan-filtering=yes
add name=bridge_WAN
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=SFP1
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no name=SFP2
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no name=SFP3
set [ find default-name=sfp-sfpplus4 ] name=SFP4
/interface vlan
add interface=SFP2 name=vlan999 vlan-id=999
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp2 ranges=192.168.0.0/24
add name=dhcp ranges=192.168.0.0/24
add name="dhcp pool" ranges=192.168.99.0/24
add name=dhcp_pool1 ranges=192.168.99.1-192.168.99.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge_LAN name=dhcp2
add address-pool=dhcp_pool1 disabled=no interface=vlan999 name=server1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge_LAN comment=defconf interface=ether1
add bridge=bridge_WAN comment=defconf disabled=yes interface=SFP1
add bridge=bridge_LAN comment=defconf interface=SFP2
add bridge=bridge_LAN comment=defconf interface=SFP3
add bridge=bridge_LAN comment=defconf interface=SFP4
add bridge=bridge_LAN interface=*8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge_LAN tagged=SFP2 vlan-ids=1
add bridge=bridge_LAN tagged=SFP2 vlan-ids=999
/interface list member
add interface=SFP1 list=WAN
add interface=bridge_LAN list=LAN
add interface=bridge_WAN list=LAN
/ip address
add address=192.168.0.10/16 interface=ether1 network=192.168.0.0
add address=192.168.88.1/16 interface=ether1 network=192.168.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=SFP1
/ip dhcp-server network
add address=192.168.0.0/16 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.0.10 \
    netmask=16
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
    max-concurrent-tcp-sessions=200 servers=8.8.8.8,1.1.1.1
/ip dns static
add address=8.8.8.8 name=google
add address=1.1.1.1 name=cloudflare
/ip firewall address-list
add address=192.168.0.1-192.168.255.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=drop chain=input icmp-options=8:0-255 in-interface=!bridge_LAN log=\
    yes protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=\
    established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=192.168.0.10 log=yes src-address=\
    192.168.0.15
add action=accept chain=forward log=yes src-address=192.168.0.15
add action=drop chain=input log=yes
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge_LAN log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge_LAN
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=SFP1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=SFP1 log=\
    yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge_LAN \
    log=yes log-prefix=LAN_!LAN src-address=!192.168.0.0/16
add action=drop chain=input dst-port=53 in-interface=SFP1 log=yes protocol=udp
add action=drop chain=input dst-port=53 in-interface=SFP1 log=yes protocol=tcp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward log=yes src-address=192.168.0.18
/ip firewall nat
add action=masquerade chain=srcnat out-interface=SFP1
/ip route
add distance=1 gateway=192.168.0.10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/16
set api disabled=yes
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Vancouver
/system ntp client
set enabled=yes primary-ntp=209.115.181.110 secondary-ntp=149.56.121.17
/system routerboard settings
set boot-os=router-os
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
# model = RBD53iG-5HacD2HnD
/interface bridge
add fast-forward=no name=LAN_Bridge vlan-filtering=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" management-protection=\
    allowed mode=dynamic-keys name="WiFi Profile" supplicant-identity=""
add authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys name="Guest WiFi" \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce country=canada2 \
    disabled=no frequency=2422 mode=ap-bridge security-profile="WiFi Profile" ssid=MyWifi \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=\
    canada2 disabled=no mode=ap-bridge security-profile="WiFi Profile" ssid=MyWifi5GHz \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:A0:31:C2 master-interface=\
    wlan1 multicast-buffering=disabled name=wlan3 security-profile="Guest WiFi" ssid=\
    Guest WiFi vlan-id=999 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
/ip pool
add name="dhcp pool" ranges=192.168.99.0/24
add name=dhcp_pool1 ranges=192.168.99.1-192.168.99.254
/interface bridge port
add bridge=LAN_Bridge interface=wlan1
add bridge=LAN_Bridge interface=wlan2
add bridge=LAN_Bridge interface=ether2
add bridge=LAN_Bridge interface=ether3
add bridge=LAN_Bridge interface=ether4
add bridge=LAN_Bridge interface=ether5
add bridge=LAN_Bridge interface=ether1
add bridge=LAN_Bridge frame-types=admit-only-vlan-tagged interface=wlan3 pvid=999
/interface bridge vlan
add bridge=LAN_Bridge tagged=ether1 untagged=wlan3 vlan-ids=999
add bridge=LAN_Bridge tagged=ether1 untagged=ether2,wlan1,wlan2 vlan-ids=1
/ip address
add address=192.168.88.1/16 interface=ether1 network=192.168.0.0
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip route
add distance=1 gateway=192.168.0.10
/system clock
set time-zone-name=America/Vancouver
You do not have the required permissions to view the files attached to this post.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help With Isolating Guest WiFi SSID with VLAN

Mon Jan 23, 2023 8:55 am

Regarding CRS: since SFP-2 is member of bridge, you should configure VLANs entirely on bridge. Check this tutorial, it should give you plenty of good ideas. Since most of traffic is untagged, you want to make SFP-2 a hybrid port (untagged with default setting of pvid=1 plus tagged for VID 999).

Regarding hAP ac3: omit the line regarding VLAN ID=1 from /interface bridge vlan and move IP address to bridge interface. Ether1 should be a hybrid port, it has to match SFP-2 settings ... and the rest of ports, members of "default VLAN" need it untagged as well. Which includes wlan1 and wlan2.

Bridge can be confusing because it has a few personalities. This tutorial explains the whole lot of it.

Who is online

Users browsing this forum: syslog and 45 guests