passt
just joined
Topic Author
Posts: 11
Joined: Fri May 22, 2020 7:39 pm

virtual wifi interface can't connect internet

Mon May 25, 2020 11:53 pm

I have a working network with VLANs for Guest and Work already - without any MikroTik components. Our router is the DHCP server and separates the Guest and Work VLANs. Guest wifi is allowed only to access the internet. Work wifi has access to our LAN - so far so normal.

Now I want to test and configure a MikroTik cAP ac in this constellation. I did the configuration of the cAP access point via webconfig in the wireless section only. The configuration for the wlan1 and wlan2 interfaces (2ghz and 5ghz) is the same, so I write the configuration for one of the interfaces only.

Work wifi - wlan1 wireless interface
Mode: ap bridge
SSID: Work
Security profile: profile-work
WPS Mode: disabled
Country: germany
Frequency Mode: regulatory-domain (this is required because of Germany)
VLAN mode: use tag
VLAN ID: 10

Guest wifi - virtual interface
Master Interface: wlan1 wireless interface
Mode: ap bridge
SSID: Guest
Security Profile: profile-guest
WPS Mode: disabled
VLAN Mode: use tag
VLAN ID: 15

The result is that Work wifi works perfectly. The clients receive an IP address and can connect to the LAN and/or the internet, whereas Guest wifi can't connect to the internet. My mobile connects to Guest wifi and receives an IP address from our router, but it can't connect to the internet. My Ubuntu laptop isn't assigned an IP address at all.

Can anybody help?

Peter
 
passt
just joined
Topic Author
Posts: 11
Joined: Fri May 22, 2020 7:39 pm

Re: virtual wifi interface can't connect internet

Wed Jun 03, 2020 11:22 am

Hm, no answer yet. Is there any information missing which I should provide to you?

Peter
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: virtual wifi interface can't connect internet

Wed Jun 03, 2020 11:28 am

Hm, no answer yet. Is there any information missing which I should provide to you?

Peter

Issue is probably not in the wifi setup part. Where is the DHCP server for the VLAN ID=15? Where does that VLAN connect to, compared to the VLAN ID=10?
 
passt
just joined
Topic Author
Posts: 11
Joined: Fri May 22, 2020 7:39 pm

Re: virtual wifi interface can't connect internet

Wed Jun 03, 2020 12:04 pm

VLAN15 and VLAN10 both get their DHCP server from our firewall. The firewall has one network interface which is designated for these VLANs only.

An already existing installation with an access point from Lancom works without any problems. This means that the configuration of VLAN and DHCP on the firewall should be correct.

I will now reset the MikroTik cAP ac completely and do my desired configuration again. Possibly I have introduced errors which I am overlooking now.
 
passt
just joined
Topic Author
Posts: 11
Joined: Fri May 22, 2020 7:39 pm

Re: virtual wifi interface can't connect internet

Tue Jun 16, 2020 5:56 pm

I reset and reconfigured the cAP ac, but it still shows the same result - successful connection with SSID Work, but no connection with SSID Guest.

As I wrote in my first post, I already have an access point from Lancom configured which works successfully in the same constellation of VLANs and wifi Work and Guest. So I don't think the configuration of the DHCP server on our router should be the problem.

Here is my config:
# jun/16/2020 16:37:37 by RouterOS 6.47
# software id = EK22-3R0R
#
# model = RBcAPGi-5acD2nD
# serial number = B9320B001B18
/interface bridge
add admin-mac=C4:AD:34:85:FC:6A auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan_default vlan-id=1
add interface=bridge name=vlan_gast vlan-id=15
add interface=bridge name=vlan_intern vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=profile-Gast supplicant-identity=MikroTik wpa2-pre-shared-key=<guest-pw>
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=profile-intern supplicant-identity=MikroTik wpa2-pre-shared-key=<intern-pw>
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan2ghz-intern security-profile=\
    profile-intern ssid=WIFI@in vlan-id=10 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan5ghz-intern security-profile=\
    profile-intern ssid=WIFI@in vlan-id=10 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:85:FC:6B master-interface=wlan2ghz-intern multicast-buffering=disabled name=vlan2ghz-gast security-profile=profile-Gast ssid=WIFI@gast vlan-id=15 \
    vlan-mode=use-tag wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:85:FC:6C master-interface=wlan5ghz-intern multicast-buffering=disabled name=vlan5ghz-gast security-profile=profile-Gast ssid=WIFI@gast vlan-id=15 \
    vlan-mode=use-tag wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan2ghz-intern
add bridge=bridge comment=defconf interface=wlan5ghz-intern
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=LAN
/ip address
add address=10.10.0.68/22 interface=ether1 network=10.10.0.0
/ip dns
set allow-remote-requests=yes servers=10.10.0.254
/system clock
set time-zone-name=Europe/Berlin
/system logging
add topics=dhcp
add action=echo topics=dhcp
/system ntp client
set enabled=yes primary-ntp=10.10.0.254 server-dns-names=ptbtime1.ptb.de,ptbtime2.ptb.de,ptbtime3.ptb.de
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
(SSID Work = WIFI@in)

I'm frustrated and need help :(
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: virtual wifi interface can't connect internet

Tue Jun 16, 2020 6:37 pm

Maybe this video can help:
Mikrotik Tutorial no: 22 - Creating Multiple WIFI SSID for VLAN based Network
https://www.youtube.com/watch?v=i-qQo06ow7Y
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: virtual wifi interface can't connect internet

Tue Jun 16, 2020 6:44 pm

You have to add slave wlan interfaces to bridge:
/interface bridge port
add bridge=bridge interface=vlan2ghz-gast
add bridge=bridge interface=vlan5ghz-gast

And then you probably need to do something with the VLAN setup; currently the cAP is configured as a dumb switch without any idea about VLANs ... wlan interfaces themselves deal with VLAN tags, the bridge interface as well (by way of vlan interfaces; BTW using a vlan with VID=1 probably masks some problems away because it's the default setting in many places, but you never know where packets are tagged and where they're not). But the big problem is ether1, currently it's implicitly an all-tagged trunk interface. Good practice is to explicitly configure VLANs on the bridge; have a look at this tutorial to see how that's done in ROS.
 
passt
just joined
Topic Author
Posts: 11
Joined: Fri May 22, 2020 7:39 pm

Re: virtual wifi interface can't connect internet

Fri Jul 10, 2020 6:17 pm

The tutorial for Access Points describes nearly exactly my situation, except that I want to configure two VLANs only (work and guest) and want to use ether1 as the trunk port. Ether1 should also have a fixed IP address from the LAN, which I can use to configure the access point. From VLAN work and guest it should not be allowed to configure the AP. This differs from the tutorial, where an additional third VLAN is used to allow configuration of the AP.
This is my configuration:
### VLAN Overview
# 10 = BLUE Work
# 15 = GREEN Guest
### 99 = BASIS VLAN I want to leave out


### Wifi setup
# Blue SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="blue password"
/interface wireless set [ find default-name=wlan1 ] ssid=BLUE_SSID frequency=auto mode=ap-bridge disabled=no
# Green SSID
/interface wireless security-profiles add name=GREEN_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="green password"
/interface wireless add name=wlan2 ssid=GREEN_SSID master-interface=wlan1 security-profile=GREEN_PROFILE disabled=no


### Bridge
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


### Access Ports
# ingress behavior
/interface bridge port
# Blue, Green VLAN
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=wlan2 pvid=15
# egress behavior
/interface bridge vlan
# Blue, Green VLAN
add bridge=BR1 untagged=wlan1 vlan-ids=10
add bridge=BR1 untagged=wlan2 vlan-ids=15


### Trunk Ports
# ingress behavior
/interface bridge port
# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1
# egress behavior
/interface bridge vlan
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASIS_VLAN)
set bridge=BR1 tagged=ether1 [find vlan-ids=10]
set bridge=BR1 tagged=ether1 [find vlan-ids=15]
# The following step I left out, because I don't want to use the third VLAN 99
# add bridge=BR1 tagged=BR1,ether1 vlan-ids=99


### IP Addressing & Routing
# LAN facing AP's Private IP address on a BASIS_VLAN
# /interface vlan add interface=BR1 name=BASIS_VLAN vlan-id=99
# /ip address add address=192.168.0.3/24 interface=BASIS_VLAN
# Instead of the two previous steps I want a fixed IP address for ether1 
/ip address add address=10.10.0.68/24 interface=ether1
# The Router's IP this AP will use
/ip route add distance=1 gateway=10.10.0.254


### VLAN Security
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port 
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]


### MAC Server settings
# Ensure only visibility and availability from BASIS_VLAN, the MGMT network
/interface list add name=BASIS
# /interface list member add interface=BASIS_VLAN list=BASIS
# Instead of previous step I want to add ether1 to the interface list BASIS
/interface list member add interface=ether1 list=BASIS

/ip neighbor discovery-settings set discover-interface-list=BASIS
/tool mac-server mac-winbox set allowed-interface-list=BASIS
/tool mac-server set allowed-interface-list=BASIS


### Turn on VLAN mode
# Up to this last step, the AP works as desired, i.e. two separate VLANs are published via WiFi.
# As soon as I activate the last step, no more IP addresses are distributed over the VLANs and the AP is also not reachable over the fixed IP address.

/interface bridge set BR1 vlan-filtering=yes
What is wrong with my changes to the original configuration?
Peter
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: virtual wifi interface can't connect internet

Fri Jul 10, 2020 6:41 pm

Problems start here: as you can see (highlighted), the entries don't belong in wifi settings!!

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan2ghz-intern security-profile=\
profile-intern ssid=WIFI@in vlan-id=10 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan5ghz-intern security-profile=\
profile-intern ssid=WIFI@in vlan-id=10 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:85:FC:6B master-interface=wlan2ghz-intern multicast-buffering=disabled name=vlan2ghz-gast security-profile=profile-Gast ssid=WIFI@gast vlan-id=15 \
vlan-mode=use-tag wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:85:FC:6C master-interface=wlan5ghz-intern multicast-buffering=disabled name=vlan5ghz-gast security-profile=profile-Gast ssid=WIFI@gast vlan-id=15 \
vlan-mode=use-tag wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 wps-mode=disabled
...........

MISSING PVID settings etc., that need to be here, NOT in the wlan definitions!!

Remember this informs the router on INGRESS so that the router knows what to do with incoming packets (like assign or tag them with vlanXX for access ports)
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 (trunk port no tagging/pvid required but good idea to use ingress filtering here)
add bridge=bridge comment=defconf interface=wlan2ghz-intern???????????? pvid=XX and the bit about accepting priority and untagged frames
add bridge=bridge comment=defconf interface=wlan5ghz-intern??????????? pvid=YY and the bit about accepting priority and untagged frames

Finally, you totally need Bridge VLAN settings to handle the egress part of VLAN.
Example from my capac:
/interface bridge vlan
add bridge=bridgeHallway tagged=ether1 untagged=DevicesHallway vlan-ids=45 (my main 2ghz WLan)
add bridge=bridgeHallway tagged=ether1 untagged=VisitorWIFI vlan-ids=200 (my virtual 5ghz WLAN)
add bridge=bridgeHallway tagged=ether1,bridgeHallway untagged=Hallway5G \ (my main 5ghz WLan)
 
passt
just joined
Topic Author
Posts: 11
Joined: Fri May 22, 2020 7:39 pm

Re: virtual wifi interface can't connect internet

Wed Jul 15, 2020 6:50 pm

Thanks, anav. Your hint to configure "vlan-mode=no-tag" in the wifi settings has almost led me to the goal. Now I can connect to the WiFis successfully. BUT it's not possible to manage the cAP via the IP address which I have assigned to ether1.

I have changed my config according to the Tutorial for Access Points - see my previous post #8.

Here is my current configuration:
(some comments refer to differences between my config and the tutorial's)
(for simplicity, the configuration only includes the 2GHz wifi)
# create WLAN networks
/interface wireless security-profiles
  add name=prof_intern authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=pw-intern
  add name=prof_gast authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=pw-gast
/interface wireless
# no VLAN (set with no-tag)
  set [find default-name=wlan1] name=wlan2ghz-intern ssid=MICK@in security-profile=prof_intern frequency=auto mode=ap-bridge disabled=no
  add name=vlan2ghz-gast ssid=MICK@gast security-profile=prof_gast master-interface=wlan2ghz-intern mode=ap-bridge disabled=no

/interface bridge 
# turn off VLAN mode while config
  add name=BR1 protocol-mode=none vlan-filtering=no

# Access Ports
# ingress
/interface bridge port
  add bridge=BR1 interface=wlan2ghz-intern pvid=10
  add bridge=BR1 interface=vlan2ghz-gast pvid=15
# egress
/interface bridge vlan
  add bridge=BR1 untagged=wlan2ghz-intern vlan-ids=10
  add bridge=BR1 untagged=vlan2ghz-gast vlan-ids=15

#Trunk Port(s)
# ingress
/interface bridge port
  add bridge=BR1 interface=ether1
# egress
/interface bridge vlan
  set bridge=BR1 tagged=ether1 [find vlan-ids=10]
  set bridge=BR1 tagged=ether1 [find vlan-ids=15]
# add bridge=BR1 tagged=BR1,ether1 vlan-ids=99

# LAN facing AP's Private IP address on a BASIS_VLAN
# /interface vlan
#  add interface=BR1 name=BASIS_VLAN vlan-id=99
# /ip address
#  add address=192.168.0.3/24 interface=BASIS_VLAN
# I want to access via ether1 with fixed IP
/ip address
  add 10.10.0.68/24 interface=ether1
/ip route
  add distance=1 gateway=10.10.0.254

# VLAN Security
# Only allow ingress packets without tags on Access Ports
/interface bridge port
  set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2ghz-intern]
  set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=vlan2ghz-gast]
# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port 
  set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]

# MAC Server Security
/interface list
  add name=BASIS
/interface list member
# available from BASIS_VLAN only
#  add interface=BASIS_VLAN list=BASIS
# I want this from ether1 only
  add interface=ether1 list=BASIS
/ip neighbor discovery-settings
  set discover-interface-list=BASIS
/tool mac-server mac-winbox
  set allowed-interface-list=BASIS
/tool mac-server
  set allowed-interface-list=BASIS

# Turn on VLAN mode
/interface bridge
  set BR1 vlan-filtering=yes
As soon as I turn on vlan-filtering I can't access the cAP ac anymore via its fixed IP address. BUT wlan1 and wlan2 are working successfully the way I wished for.

What is the final step of the configuration which allows managing the cAP via the IP address I have assigned to ether1?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: virtual wifi interface can't connect internet

Wed Jul 15, 2020 7:34 pm

Not sure how to describe as your setup is a bit different from mine, but I can point you to the salient bits.

/ip neighbor discovery-settings
set discover-interface-list=capwin

/interface list member
add interface=ether1 list=WAN
add interface=wifi-1 list=LAN
add interface=wifi-2 list=LAN
add interface=wifi-3 list=LAN
add interface=homevlan list=LAN
add interface=homevlan list=capwin


In other words, I didn't create an extra vlan 99, the capac is on my homevlan
/ip address
add address=192.168.0.xxx/24 interface=homevlan network=192.168.0.0

/tool mac-server mac-winbox
set allowed-interface-list=capwin

winbox is also enabled..... allowed access is the homevlan.

Reviewing your setup, you should be able to access the capac
if the IP address of the capac is a legit IP on the VLAN99 network.
If so, the capac seems fine; do you have vlan99 configured on the main router??

After another look, I think the problem is here....... You are missing interface member assignment.
/interface list member
# available from BASIS_VLAN only
# add interface=BASIS_VLAN list=BASIS
# I want this from ether1 only
add interface=ether1 list=BASIS

I am not sure if it's necessary to associate ether1 to the Basis list, BUT you should associate the vlan99 with the basis list.

add interface=BASIS_VLAN list=BASIS
If this doesn't work, then change ether1 to the LAN or WAN list as well, but I don't think that matters; it's the missing association that I believe is key.
 
passt
just joined
Topic Author
Posts: 11
Joined: Fri May 22, 2020 7:39 pm

Re: virtual wifi interface can't connect internet

Tue Oct 19, 2021 6:24 pm

@anav
Sorry for not getting back to you on your last reply. I put the cAPac aside for over a year now. However, now I want to try again.
/interface wireless security-profiles
  add name=prof_intern authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=pw-intern
  add name=prof_gast authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=pw-gast
/interface wireless
  set [find default-name=wlan1] name=wlan2ghz-intern ssid=MICK@in security-profile=prof_intern frequency=auto mode=ap-bridge disabled=no
  add name=vlan2ghz-gast ssid=MICK@gast security-profile=prof_gast master-interface=wlan2ghz-intern mode=ap-bridge disabled=no

/interface bridge 
# turn off VLAN mode while config
  add name=BR1 protocol-mode=none vlan-filtering=no

# Access Ports
# ingress
/interface bridge port
  add bridge=BR1 interface=wlan2ghz-intern pvid=10
  add bridge=BR1 interface=vlan2ghz-gast pvid=15
# egress
/interface bridge vlan
  add bridge=BR1 untagged=wlan2ghz-intern vlan-ids=10
  add bridge=BR1 untagged=vlan2ghz-gast vlan-ids=15

#Trunk Port(s)
# ingress
/interface bridge port
  add bridge=BR1 interface=ether1
# egress
/interface bridge vlan
  set bridge=BR1 tagged=ether1 [find vlan-ids=10]
  set bridge=BR1 tagged=ether1 [find vlan-ids=15]

/ip address
  add 10.10.0.68/24 interface=ether1
/ip route
  add distance=1 gateway=10.10.0.254

# VLAN Security
# Only allow ingress packets without tags on Access Ports
/interface bridge port
  set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2ghz-intern]
  set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=vlan2ghz-gast]
# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port 
  set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]

# MAC Server Security
/interface list
  add name=BASIS
/interface list member
  add interface=ether1 list=BASIS
/ip neighbor discovery-settings
  set discover-interface-list=BASIS
/tool mac-server mac-winbox
  set allowed-interface-list=BASIS
/tool mac-server
  set allowed-interface-list=BASIS

# Turn on VLAN mode
/interface bridge
  set BR1 vlan-filtering=yes
As I wrote already, as soon as I activate vlan-filtering=yes in the last step I can't access the cAP ac anymore, but wifi for intern and gast with VLANs works as wished.
Our company's LAN on ether1 has no VLAN ID, or rather it has the default VLAN ID=1 since no VLAN is configured. Do I have to create pvid=vlan-id=1 as a bridge port or bridge vlan?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: virtual wifi interface can't connect internet

Tue Oct 19, 2021 6:37 pm

Let me fix it for you:

/ip address
add 10.10.0.68/24 interface=BR1   (ether1 replaced by BR1)

/interface list member
add interface=BR1 list=BASIS   (ether1 replaced by BR1)

More about different bridge personalities.
 
passt
just joined
Topic Author
Posts: 11
Joined: Fri May 22, 2020 7:39 pm

Re: virtual wifi interface can't connect internet

Thu Oct 21, 2021 6:17 pm

I thought at first your answer was my enlightenment, but the cAP ac tells me there is no difference if I configure ether1 or bridge BR1 for the IP address and as member of this interface list. The result is the same: as soon as vlan filtering is activated on bridge BR1 I can't access the cAP ac anymore, but Wifi intern and Wifi gast are working as wished.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: virtual wifi interface can't connect internet

Thu Oct 21, 2021 7:23 pm

OK, so ether1 is supposed to allow only tagged frames on ingress. Which VLAN (10 or 15) is supposed to allow management access? As it is now, the RB can be accessed over ether1 using untagged access.
 
passt
just joined
Topic Author
Posts: 11
Joined: Fri May 22, 2020 7:39 pm

Re: virtual wifi interface can't connect internet

Fri Oct 22, 2021 9:40 am

None of the VLANs should allow management access. I want to access the cAP ac by the IP address assigned to ether1, which is a member of our Ethernet LAN without VLANs (or the default vlan=1).
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: virtual wifi interface can't connect internet

Fri Oct 22, 2021 2:38 pm

Post your current config just to be sure we see what the device is running. Execute /export hide-sensitive file=anynameyouwish, fetch the resulting file, open it with a text editor and copy-paste the contents here inside a [code] [/code] environment. What you posted so far is a series of commands you are supposed to execute, but it doesn't show the exact result (because the end result depends on the previous state of the configuration).

However:
  1. interfaces which are made ports of a bridge should not be directly used for anything else. While ROS doesn't barf on that, it's incorrect nevertheless. If a port is bridged, then whatever L3 config is made on it isn't exclusive to that port any more, because on L2 it becomes a member of the bridged/switched network.
    So you really should move your IP address to BR1 and all other references to ether1 (e.g. interface list membership) should be moved to BR1.
  2. you also have to allow untagged frames on ingress for ether1. So your config should look something like
    # Allow ingress packets WITH and WITHOUT tags on Trunk Ports or else untagged management via ether1 won't work.
    /interface bridge port 
      set bridge=BR1 ingress-filtering=yes frame-types=admit-all [find interface=ether1]
    
    Note that in this case, both BR1 interface and ether1 will use (implicit default) value of PVID=1.
 
passt
just joined
Topic Author
Posts: 11
Joined: Fri May 22, 2020 7:39 pm

Re: virtual wifi interface can't connect internet

Fri Oct 22, 2021 5:36 pm

Thanks mkx, finally, finally it works! Now I use the IP for the bridge BR1, and allowing ingress-filtering with frame-types=admit-all on ether1 did the trick.
This is my final configuration:
# oct/22/2021 14:17:54 by RouterOS 6.49
# software id = EK22-3R0R
#
# model = RBcAPGi-5acD2nD
# serial number = B9320B001B18
/interface bridge
add admin-mac=C4:AD:34:85:FC:6A auto-mac=no comment=defconf name=BR1 \
    protocol-mode=none vlan-filtering=yes
/interface list
add name=BASIS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profil_intern \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profil_gast \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge name=wlan2ghz-intern security-profile=profil_intern ssid=\
    KICK@in wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name=wlan5ghz-intern security-profile=\
    profil_intern ssid=KICK@in wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:85:FC:6B \
    master-interface=wlan2ghz-intern multicast-buffering=disabled name=\
    vlan2ghz-gast security-profile=profil_gast ssid=KICK@gast wds-cost-range=\
    0-4294967295 wds-default-bridge=BR1 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:85:FC:6C \
    master-interface=wlan5ghz-intern multicast-buffering=disabled name=\
    vlan5ghz-gast security-profile=profil_gast ssid=KICK@gast wds-cost-range=\
    0-4294967295 wds-default-bridge=BR1 wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2ghz-intern pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan5ghz-intern pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=vlan2ghz-gast pvid=15
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=vlan5ghz-gast pvid=15
add bridge=BR1 ingress-filtering=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=BASIS
/interface bridge vlan
add bridge=BR1 tagged=ether1 untagged=wlan2ghz-intern,wlan5ghz-intern \
    vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=vlan2ghz-gast,vlan5ghz-gast vlan-ids=15
/interface list member
add interface=BR1 list=BASIS
/ip address
add address=10.10.10.77/24 interface=BR1 network=10.10.10.0
/ip dns
set allow-remote-requests=yes servers=10.10.10.254
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!BASIS
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=*2000010
/ip route
add distance=1 gateway=10.10.10.254
/system ntp client
set enabled=yes primary-ntp=10.10.10.254 server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=BASIS
/tool mac-server mac-winbox
set allowed-interface-list=BASIS
I edited the configuration starting from the state of the default config for 192.168.88.1. So I could remove a few config lines which were obsolete and without any effect. But can I delete the firewall rules as well without any effect?
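Added example (my own code, not the thread's or MikroTik's): a small Python checker that parses a RouterOS export like the one above and flags the three mistakes this thread walked through, L3 config (IP address, interface-list membership) on a bridged port instead of the bridge, a trunk set to admit-only-vlan-tagged while management arrives untagged, and access ports without a bridge VLAN egress entry or strict ingress filtering. The embedded config is a constructed sample modelled on the Oct 19 post, and parse_export, check_bridge_vlans and the mgmt_untagged flag are names I chose.

```python
import re

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
FIND = re.compile(r'\[\s*find\s+(.*?)\s*\]')
STRICT_ACCESS = "admit-only-untagged-and-priority-tagged"


def parse_export(text):
    """Parse RouterOS export/command text into (section, cmd, args, selector) tuples."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # export-style continuation: join without a space
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):           # section header, e.g. /interface bridge port
            section = line
            continue
        cmd, _, rest = line.partition(" ")
        selector, m = {}, FIND.search(rest)
        if m:                              # e.g. set ... [ find interface=ether1 ]
            selector = {k: v.strip('"') for k, v in PAIR.findall(m.group(1))}
            rest = rest[:m.start()] + rest[m.end():]
        args = {k: v.strip('"') for k, v in PAIR.findall(rest)}
        bare = PAIR.sub("", rest).split()  # e.g. "set BR1 vlan-filtering=yes"
        if bare:
            selector.setdefault("name", bare[0])
        entries.append((section, cmd, args, selector))
    return entries


def check_bridge_vlans(entries, mgmt_untagged=True):
    """Findings for a vlan-filtering bridge; mgmt_untagged: management arrives untagged on the trunk."""
    findings, ports, vlans = [], {}, []
    if not any(s == "/interface bridge" and a.get("vlan-filtering") == "yes"
               for s, _, a, _ in entries):
        findings.append("no bridge has vlan-filtering=yes; VLAN table not enforced")
    for sec, cmd, args, sel in entries:
        if sec == "/interface bridge port":            # ingress side
            name = args.get("interface") or sel.get("interface")
            if name:
                ports.setdefault(name, {"pvid": "1", "frame-types": "admit-all"}).update(args)
        elif sec == "/interface bridge vlan" and cmd == "add":   # egress side
            vlans.append(dict(args))
        elif sec == "/interface bridge vlan":          # set ... [find vlan-ids=X]
            for v in vlans:
                if all(v.get(k) == val for k, val in sel.items()):
                    v.update(args)
    # mkx, point 1: L3 config belongs on the bridge, not on a bridged port
    for sec, _, args, _ in entries:
        iface = args.get("interface")
        if sec in ("/ip address", "/interface list member") and iface in ports:
            findings.append(f"{sec}: {iface} is a bridge port; use its bridge "
                            f"{ports[iface].get('bridge', '?')} instead")
    trunks = {t for v in vlans for t in v.get("tagged", "").split(",")} - {""}
    for name, p in ports.items():
        if name in trunks:
            if mgmt_untagged and p["frame-types"] == "admit-only-vlan-tagged":
                # mkx, point 2: untagged management frames are dropped on ingress
                findings.append(f"trunk {name}: {p['frame-types']} drops untagged "
                                "management frames; use frame-types=admit-all")
            elif not mgmt_untagged and p["frame-types"] != "admit-only-vlan-tagged":
                findings.append(f"trunk {name}: untagged frames enter PVID {p['pvid']}")
            continue
        if not any(p["pvid"] in v.get("vlan-ids", "").split(",")
                   and name in v.get("untagged", "").split(",") for v in vlans):
            findings.append(f"access port {name}: no bridge VLAN entry for pvid "
                            f"{p['pvid']} with it untagged (frames dropped on egress)")
        if p["frame-types"] != STRICT_ACCESS or p.get("ingress-filtering") != "yes":
            findings.append(f"access port {name}: clients may inject tagged frames; "
                            f"set ingress-filtering=yes frame-types={STRICT_ACCESS}")
    return findings


# Constructed sample modelled on the thread's Oct 19 2021 state (not a real export).
BROKEN = """\
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=wlan2ghz-intern pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=vlan2ghz-gast pvid=15
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
/interface bridge vlan
add bridge=BR1 tagged=ether1 untagged=wlan2ghz-intern vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=vlan2ghz-gast vlan-ids=15
/interface list member
add interface=ether1 list=BASIS
/ip address
add address=10.10.0.68/24 interface=ether1 network=10.10.0.0
"""
# mkx's two fixes applied: the trunk admits untagged frames, L3 config moves to BR1.
FIXED = (BROKEN.replace("frame-types=admit-only-vlan-tagged ", "")
         .replace("interface=ether1 list=BASIS", "interface=BR1 list=BASIS")
         .replace("interface=ether1 network", "interface=BR1 network"))
```

Run check_bridge_vlans(parse_export(FIXED), mgmt_untagged=False) to see the opposite caveat: a trunk that admits untagged frames lets them into PVID 1, which is only acceptable when that untagged management network is trusted.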
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: virtual wifi interface can't connect internet

Fri Oct 22, 2021 6:41 pm

Since the device is not a border gateway, and assuming management access via untagged is trusted, you can safely disable/remove all firewall rules. Or to be on the safe side leave the rules for chain=input ...

I'm wondering if this setting is needed:
/ip dns
set allow-remote-requests=yes servers=10.10.10.254

If this device is nowhere mentioned as a DNS resolver for your untagged network, then you should set allow-remote-requests=no just to be on the safe side.
 
passt
just joined
Topic Author
Posts: 11
Joined: Fri May 22, 2020 7:39 pm

Re: virtual wifi interface can't connect internet

Mon Oct 25, 2021 4:58 pm

The device isn't a border gateway, so I disabled allow-remote-requests and I removed the firewall rules with chain=forward only.

Unfortunately I notice that I can still access the device's webconfig by its IP address, and this is allowed from each network segment. That means I can access the webconfig from Wifi@gast, from Wifi@intern and LAN. LAN is supposed to be able to, but especially Wifi@gast shouldn't be allowed to. From Wifi@gast a ping at the IP address isn't allowed, but when a gast user enters the right IP address he will access the cAP ac's webcfg.

Is it possible to prohibit access to the device from Wifi@gast?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: virtual wifi interface can't connect internet

Mon Oct 25, 2021 7:40 pm

Your MikroTik currently doesn't interact with traffic on wireless, it only passes it between ether1 and the wireless interfaces. If a wireless user is able to connect to the MikroTik, then it's going via the main gateway and you have to block unwanted traffic there.
