Trapizomba
just joined
Topic Author
Posts: 11
Joined: Wed May 13, 2015 1:25 am

Help with subnet for wifi 2.4GHz

Fri Sep 09, 2022 5:29 am

Hi people! How are you?

After research and hours of testing I can't make it work... Unfortunately...

I need to set a subnet exclusive to the wifi 2.4GHz interface with access to Internet, local DNS server and local NTP server.

Do not want to use VLANs and do not need mesh (for the 2.4GHz WiFi).

Can you help me, please? :(

The network diagram is:
[Image: network diagram]

The main router (gateway) configuration export:
# sep/08/2022 23:07:22 by RouterOS 7.5
# software id = FZPI-1FMU
#
# model = RB760iGS

/interface bridge
add admin-mac=74:4D:28:AD:73:42 auto-mac=no comment=defconf name=bridge
add admin-mac=3E:C6:77:F7:7D:13 auto-mac=no name=bridge-iot
/interface ethernet
set [ find default-name=ether1 ] name=ether1-lan
set [ find default-name=ether2 ] name=ether2-wan
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=ether2-wan \
    keepalive-timeout=30 name=pppoe user=cliente@cliente
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=no use-network-apn=no \
    use-peer-dns=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-pool1 ranges=192.168.1.101-192.168.1.254
add name=dhcp-iot ranges=192.168.2.11-192.168.2.100
/ip dhcp-server
add address-pool=dhcp-pool1 allow-dual-stack-queue=no interface=bridge name=\
    dhcp-srv1
add address-pool=dhcp-iot allow-dual-stack-queue=no interface=bridge-iot \
    name=dhcp-iot
/port
set 0 name=serial0
/caps-man aaa
set called-format=mac mac-format=""
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether1-lan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=loose
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether2-wan list=WAN
add interface=pppoe list=WAN
add interface=bridge-iot list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.15.2/24 comment="Enable to acess ISP Bridged Modem" \
    interface=ether2-wan network=192.168.15.0
add address=192.168.2.1/24 interface=bridge-iot network=192.168.2.0
/ip cloud
set update-time=no
/ip dhcp-server alert
add disabled=no interface=ether1-lan valid-server=3E:C6:77:F7:7D:13
/ip dhcp-server lease
add address=192.168.1.10 client-id=1:4c:5e:c:d5:3b:49 mac-address=\
    4C:5E:0C:D5:3B:49 server=dhcp-srv1
add address=192.168.1.4 client-id=1:e4:8d:8c:9f:8c:23 mac-address=\
    E4:8D:8C:9F:8C:23 server=dhcp-srv1
add address=192.168.1.2 client-id=1:64:d1:54:c6:8d:2e mac-address=\
    64:D1:54:C6:8D:2E server=dhcp-srv1
add address=192.168.1.8 mac-address=04:18:D6:06:7F:E3 server=dhcp-srv1
add address=192.168.1.32 comment="Pi-Hole DNS" mac-address=B8:27:EB:61:D9:8E \
    server=dhcp-srv1 use-src-mac=yes
add address=192.168.1.31 comment="NTP Server" mac-address=D8:B0:4C:F0:00:55 \
    server=dhcp-srv1 use-src-mac=yes
add address=192.168.1.3 mac-address=CC:2D:E0:E1:23:42 server=dhcp-srv1
/ip dhcp-server network
add address=192.168.1.0/24 comment="DHCP Server Subnet 1" dns-server=\
    192.168.1.32 gateway=192.168.1.1 netmask=24 ntp-server=192.168.1.31
add address=192.168.2.0/24 comment="DHCP Server Subnet 2" dns-server=\
    192.168.1.32 gateway=192.168.2.1 netmask=24 ntp-server=192.168.1.31
/ip dns
set servers=192.168.1.32
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
add address=192.168.1.32 name=pi.hole
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.1.0/24 list=LAN-Subnets
add address=192.168.2.0/24 list=LAN-Subnets
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all coming from WAN" \
    in-interface=pppoe log-prefix=DROP-FROM-WAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop NTP out" \
    connection-state="" dst-port=123 log=yes log-prefix=NTP-OUT: \
    out-interface-list=!LAN protocol=udp
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=pppoe
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=ether2-wan \
    layer7-protocol=*1 log=yes log-prefix=BLCK-EXE-DWNLD new-packet-mark=\
    EXE-pckt passthrough=no
/ip firewall nat
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix=\
    MASQ
add action=dst-nat chain=dstnat connection-type="" dst-limit=\
    1,5,dst-address/1m40s dst-port=53 log-prefix="[RED]DNS-OUT[UDP]" \
    protocol=udp src-address=!192.168.1.32 to-addresses=192.168.1.32 \
    to-ports=53
add action=dst-nat chain=dstnat dst-port=53 log-prefix="[RED]DNS-OUT[TCP]" \
    protocol=tcp src-address=!192.168.1.32 to-addresses=192.168.1.32 \
    to-ports=53
add action=dst-nat chain=dstnat dst-port=123 in-interface-list=LAN \
    log-prefix="[RED]NTP-OUT[UDP]" protocol=udp to-addresses=192.168.1.31 \
    to-ports=123
add action=dst-nat chain=dstnat dst-port=123 log-prefix="[RED]NTP-OUT[TCP]" \
    protocol=tcp to-addresses=192.168.1.31 to-ports=123
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN log=yes \
    log-prefix=DHCP-DISCOVER protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop bogon IP's (Disrupt CAPsMAN!)" dst-address-list=bad_ipv4 \
    log-prefix=DROP-BOGON
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4 log-prefix=DROP-BOGON-IP4:
add action=accept chain=prerouting comment=\
    "defconf: accept ISP bridge from WAN" in-interface=pppoe log-prefix=\
    ACC-NOT-GLOBAL: protocol=tcp src-address=192.168.15.1 src-port=80
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface=pppoe log-prefix=DROP-NOT-GLOBAL: src-address-list=\
    not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.1.0/24 \
    in-interface=pppoe
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address-list=!LAN-Subnets
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.1.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN \
    log-prefix=ACCEPT-RAW-LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface=pppoe log-prefix=\
    ACCEPT-RAW-WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" disabled=yes \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
    tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
    tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
    tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
    tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
    tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
    tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" disabled=yes \
    port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" disabled=yes \
    icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" disabled=yes \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" disabled=\
    yes icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    disabled=yes icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" disabled=\
    yes icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    disabled=yes icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" disabled=yes \
    icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " disabled=yes \
    icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" disabled=yes \
    protocol=icmp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/ip traffic-flow
set enabled=yes interfaces=pppoe
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
    jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
    hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
    icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
    2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
    3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
    4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
    icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
    icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
    icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
    icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
    icmpv6
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=RTR-GATEWAY
/system logging
add disabled=yes prefix=NTP-LOGs topics=ntp
add disabled=yes topics=dns
add disabled=yes topics=pppoe
add topics=dhcp,debug
add disabled=yes prefix=CAPS topics=caps,debug
add disabled=yes prefix=WIFI topics=wireless,debug
add disabled=yes prefix=RAW topics=raw,info
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.1.31
/system routerboard settings
set auto-upgrade=yes
/system watchdog
set ping-timeout=2m watch-address=1.1.1.1
/tool bandwidth-server
set enabled=no
/tool graphing
set store-every=hour
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no


And... The RBcAPGi-5acD2nD config export is:
# sep/21/2022 01:02:14 by RouterOS 7.5
# software id = ER1U-M8FA
#
# model = RBcAPGi-5acD2nD
# 
/interface bridge
add admin-mac=74:4D:XX:XX:XX:XX auto-mac=no name=bridge
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=brazil disabled=no \
    frequency-mode=superchannel installation=indoor mode=ap-bridge ssid=HomeWiFi \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=iot-wlan-pwd supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=etsi disabled=no \
    frequency=2447 mode=ap-bridge security-profile=iot-wlan-pwd ssid=iotwifi \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/system ntp key
add key-id=1
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge interface=wlan2
add bridge=bridge interface=wlan1
/ip settings
set rp-filter=loose
/interface detect-internet
set detect-interface-list=LAN
/interface list member
add interface=bridge list=LAN
/ip address
add address=192.168.1.7/24 interface=bridge network=192.168.1.0
/ip dns
set servers=192.168.1.22
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=XPTO
/system logging
add disabled=yes topics=wireless,debug
add disabled=yes topics=interface,debug
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=192.168.1.20 auth-key=1
add address=192.168.1.1
/tool mac-server
set allowed-interface-list=LAN
Last edited by Trapizomba on Wed Sep 21, 2022 7:28 am, edited 3 times in total.
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Help with subnet for wifi 2.4GHz

Fri Sep 09, 2022 8:41 am

Do not want to use VLANs and do not need mesh.
Why don't you want to use VLAN?
What does mesh have to do with this?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with subnet for wifi 2.4GHz

Fri Sep 09, 2022 4:40 pm

Your request is illogical.
You want the router to provide DHCP to a bunch of different LANs but somehow push this over a managed switch.
When you want to open your mind to logical processes that work, I can be of assistance otherwise moving on.
 
Trapizomba
just joined
Topic Author
Posts: 11
Joined: Wed May 13, 2015 1:25 am

Re: Help with subnet for wifi 2.4GHz

Fri Sep 09, 2022 6:05 pm

Your request is illogical.
You want the router to provide DHCP to a bunch of different LANs but somehow push this over a managed switch.
When you want to open your mind to logical processes that work, I can be of assistance otherwise moving on.

VLAN, then? Right? Let's go!

Can you help, please?

Your assistance is really appreciated!
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with subnet for wifi 2.4GHz

Fri Sep 09, 2022 7:39 pm

1. Assign vlans for EVERY SUBNET.
2. Make it clear which is your management subnet:
   a. where all smart devices will have their IP on (typically set manually on both the smart device and the MT dhcp leases for that vlan).
   b. where admin will normally access the router for config purposes, could be a normal trusted lan for example.
   c. create an interface list item for MANAGE and assign the trusted vlan to this interface list as a member.
   d. ensure neighbours discovery and mac winbox setting use this interface list (MANAGE).
3. Assign interface of each vlan upon creation to the single bridge.
4. Each vlan gets 4 items: ip address, ip pool, dhcp server and dhcp server network.
5. Create /interface bridge ports.
6. Create /interface bridge vlans to match.
7. Adjust firewall rules to ensure needed traffic is allowed.
8. Make changes to LAN Interface List (remove bridge and add all vlans typically).
9. Enable vlan filtering on the bridge itself.
10. View /export to see if any errors crop up.

Help for firewall rules.
viewtopic.php?t=180838

Suggest the easiest thing to do when configuring a bridge is to use one port on the router to do the configuration and to keep in your back pocket to access the router in an emerg where router bridge hiccups...............
viewtopic.php?t=181718

Guidance on vlans using this method......
viewtopic.php?t=143620
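As an added worked example (editor's illustration, not anav's or MikroTik's configuration and not posted in this thread), the ten steps above applied to the RB760iGS export at the top of the thread, followed by the matching bridge-port and bridge-VLAN entries for the downstream RBcAPGi-5acD2nD. The following are assumptions: VLAN 10 for the base LAN and VLAN 20 for the IoT 2.4GHz network, the interface names vlan10-base and vlan20-iot, the list name MANAGE, ether3 as the emergency port with 192.168.99.0/24 on it, and on the cAP that ether1 faces the gateway and ether2 faces the CRS326. The addresses, pools, DHCP networks, the Pi-hole (192.168.1.32) and the NTP host (192.168.1.31) are the ones in the posted exports.

```routeros
# Added example, not from the thread: anav's procedure applied to the posted
# RB760iGS export. Assumed names/values: VLAN 10 (base LAN), VLAN 20 (IoT),
# interfaces vlan10-base / vlan20-iot, list MANAGE, ether3 as emergency port,
# 192.168.99.0/24 for that port. Addresses, pools, DHCP networks, the Pi-hole
# (192.168.1.32) and the NTP host (192.168.1.31) are the ones in the export.

# Safety first: a management port that is NOT a bridge member, so a bridge
# mistake cannot lock you out. Connect a laptop here while doing the rest.
/interface ethernet set [ find default-name=ether3 ] disabled=no
/ip address add address=192.168.99.1/24 interface=ether3 comment="emergency mgmt"
/ip service set winbox address=192.168.1.0/24,192.168.99.0/24

# Steps 1 and 3: one VLAN interface per subnet, both on the single bridge.
/interface vlan
add name=vlan10-base vlan-id=10 interface=bridge
add name=vlan20-iot vlan-id=20 interface=bridge

# Step 2: management list; only the trusted VLAN gets discovery and MAC-winbox.
/interface list add name=MANAGE
/interface list member add list=MANAGE interface=vlan10-base
/ip neighbor discovery-settings set discover-interface-list=MANAGE
/tool mac-server mac-winbox set allowed-interface-list=MANAGE

# Step 4: the four per-VLAN items. Pools and DHCP networks already exist in
# the export, so only the interface bindings move (bridge -> vlan10-base,
# bridge-iot -> vlan20-iot).
/ip address
set [ find address="192.168.1.1/24" ] interface=vlan10-base
set [ find address="192.168.2.1/24" ] interface=vlan20-iot
/ip dhcp-server
set [ find name=dhcp-srv1 ] interface=vlan10-base
set [ find name=dhcp-iot ] interface=vlan20-iot

# Steps 5 and 6: ether1-lan is the only bridge port and becomes a trunk that
# carries both VLANs tagged. The bridge itself is a tagged member so the
# vlan interfaces above can reach the router CPU.
/interface bridge port
set [ find interface=ether1-lan ] frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether1-lan
add bridge=bridge vlan-ids=20 tagged=bridge,ether1-lan

# Step 7: IoT may reach the Pi-hole (DNS) and the NTP host, nothing else in
# LAN-Subnets; Internet still leaves through the existing masquerade rule.
# The posted forward chain has no final drop, so appending works; keep the
# accepts above the drop.
/ip firewall filter
add chain=forward action=accept in-interface=vlan20-iot \
    dst-address=192.168.1.32 protocol=udp dst-port=53 comment="IoT -> DNS udp"
add chain=forward action=accept in-interface=vlan20-iot \
    dst-address=192.168.1.32 protocol=tcp dst-port=53 comment="IoT -> DNS tcp"
add chain=forward action=accept in-interface=vlan20-iot \
    dst-address=192.168.1.31 protocol=udp dst-port=123 comment="IoT -> NTP"
add chain=forward action=drop in-interface=vlan20-iot \
    dst-address-list=LAN-Subnets comment="IoT -> other LAN hosts: drop"
# Also check the raw chain: the export has a second "drop local if not from
# default IP range" rule with src-address=!192.168.1.0/24 that would discard
# every 192.168.2.x packet; the LAN-Subnets rule above it already covers both.
/ip firewall raw print where in-interface-list=LAN

# Step 8: the LAN list holds the VLANs, not the bridge.
/interface list member
remove [ find interface=bridge list=LAN ]
add interface=vlan10-base list=LAN
add interface=vlan20-iot list=LAN

# Step 9: last, because this is the switch that turns all of the above on.
/interface bridge set bridge vlan-filtering=yes

# Step 10: inspect the result.
/interface bridge vlan print
/export

# ---- Downstream RBcAPGi-5acD2nD, same steps 5 and 6 ----
# Assumed port roles: ether1 faces the gateway, ether2 faces the CRS326 (both
# trunks); wlan1 (2.4GHz "iotwifi") is an access port in VLAN 20, wlan2 in 10.
/interface vlan add name=vlan10-base vlan-id=10 interface=bridge
/ip address set [ find address="192.168.1.7/24" ] interface=vlan10-base
/interface bridge port
set [ find interface=wlan1 ] pvid=20
set [ find interface=wlan2 ] pvid=10
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether1,ether2 untagged=wlan2
add bridge=bridge vlan-ids=20 tagged=ether1,ether2 untagged=wlan1
/interface bridge set bridge vlan-filtering=yes
```

Do the router part while connected through the non-bridged ether3 port, and enable vlan-filtering only after the bridge VLAN table is complete: until then the trunk still passes untagged frames, which is the window in which you can check `/interface bridge vlan print` for the dynamic entries before anything is enforced. The same tagged entries for VLAN 10 and 20 are needed on the CRS326 ports that face the cAP and the other APs; the DNS and NTP redirect dst-nat rules already in the export keep working unchanged because the VLAN interfaces are members of the LAN list.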
 
Trapizomba
just joined
Topic Author
Posts: 11
Joined: Wed May 13, 2015 1:25 am

Re: Help with subnet for wifi 2.4GHz

Sun Sep 18, 2022 10:11 am

Hi!

Sorry for the late response... I was dealing with some personal questions...

I'm having a little trouble understanding some things... so I humbly ask for comprehension and patience from the colleagues of the forum...

Here is the print of neighbors connected to my gateway (192.168.1.1):
#  INTERFACE   ADDRESS4      BOARD                VERSION                          
0  ether1-lan                                                                      
   bridge                                                                          
1  ether1-lan  192.168.1.2   CRS326-24G-2S+       7.5 (stable) Aug/30/2022 09:25:53
   bridge                                                                          
2  ether1-lan  192.168.1.3   RB962UiGS-5HacT2HnT  7.5 (stable) Aug/30/2022 09:25:53
   bridge                                                                          
3  ether1-lan  192.168.1.4   RB951G-2HnD          7.5 (stable) Aug/30/2022 09:25:53
   bridge                                                                          
4  ether1-lan  192.168.1.5   RB960PGS             7.5 (stable) Aug/30/2022 09:25:53
   bridge                                                                          
5  ether1-lan  192.168.1.6   RB962UiGS-5HacT2HnT  7.5 (stable) Aug/30/2022 09:25:53
   bridge                                                                          
6  ether1-lan  192.168.1.7   RBcAPGi-5acD2nD      7.5 (stable) Aug/30/2022 09:25:53
   bridge                                                                          
7  ether1-lan  192.168.1.9   RB260GSP             1.17                             
   bridge                                                                          
8  ether1-lan  192.168.1.10  RB951G-2HnD          7.5 (stable) Aug/30/2022 09:25:53
   bridge                                                                          
9  ether1-lan  192.168.1.11  RBcAPGi-5acD2nD      7.5 (stable) Aug/30/2022 09:25:53
   bridge

Below is the print of neighbors connected to my "main" switch (192.168.1.2) CRS326-24G-2S+ (Running RouterOS):
 #  INTERFACE  ADDRESS4       BOARD                VERSION                          
 0  ether2     192.168.1.4    RB951G-2HnD          7.5 (stable) Aug/30/2022 09:25:53
    bridge                                                                          
 1  ether4     192.168.1.6    RB962UiGS-5HacT2HnT  7.5 (stable) Aug/30/2022 09:25:53
    bridge                                                                          
 2  ether6                                                                          
    bridge                                                                          
 3  ether6     192.168.1.1    RB760iGS             7.5 (stable) Aug/30/2022 09:25:53
    bridge                                                                          
 4  ether6     192.168.1.7    RBcAPGi-5acD2nD      7.5 (stable) Aug/30/2022 09:25:53
    bridge                                                                          
 5  ether6     192.168.1.9    RB260GSP             1.17                             
    bridge                                                                          
 6  ether6     192.168.1.10   RB951G-2HnD          7.5 (stable) Aug/30/2022 09:25:53
    bridge                                                                          
 7  ether6     192.168.1.11   RBcAPGi-5acD2nD      7.5 (stable) Aug/30/2022 09:25:53
    bridge                                                                          
 8  ether8     192.168.1.3    RB962UiGS-5HacT2HnT  7.5 (stable) Aug/30/2022 09:25:53
    bridge                                                                          
 9  ether8     192.168.1.5    RB960PGS             7.5 (stable) Aug/30/2022 09:25:53
    bridge                                                                          
10  ether8     192.168.1.121                                                        
    bridge

Just for clarifying a little bit the scenario: the CRS326-24G-2S+ isn't directly connected to the gateway (due to physical impossibilities to route UTP cables). There is a RBcAPGi-5acD2nD (192.168.1.7) making the "interconnection" between the gateway and the switch.

Well... Now my questions:

1. How should I configure the trunk on the switch?
2. What trunk setup will I need to do on the RBcAPGi (that makes the physical "connection" between the gateway and the switch)?
3. Is there any way to test a VLAN setup between two connected mikrotik devices without disrupting the LAN? How?

Thank you!!!
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Help with subnet for wifi 2.4GHz

Tue Sep 20, 2022 12:44 pm

Do not want to use VLANs and do not need mesh.
I would set up a capsman.
Then all the wlan interfaces would be collected on one device. Combine them in a bridge, configure all network settings and routing.
Capsman will build all the necessary connections on its own
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with subnet for wifi 2.4GHz

Tue Sep 20, 2022 2:18 pm

I am not a fan of capsman as it adds a layer of complexity to the equation but for this many APs it may make sense.
My experience setting up a device for wifi ( AP/Switch ) is very good, and it can be done in minutes without capsman and I prefer that method.
Simple clean.

If you go the capsman route, be prepared to lose any remaining hair you have LOL.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with subnet for wifi 2.4GHz

Tue Sep 20, 2022 2:21 pm

Can you confirm that the ONLY ROUTER in the mix (or MT device acting as a router) is the 760 and the rest of the MT devices are acting as AP/switches or switches??
Can you confirm throughout this entire network you are only using two subnets, one for LAN traffic all users, and one for iot devices ??
 
Trapizomba
just joined
Topic Author
Posts: 11
Joined: Wed May 13, 2015 1:25 am

Re: Help with subnet for wifi 2.4GHz

Wed Sep 21, 2022 7:58 am

Do not want to use VLANs and do not need mesh.
I would set up a capsman.
Then all the wlan interfaces would be collected on one device. Combine them in a bridge, configure all network settings and routing.
Capsman will build all the necessary connections on its own

Hi @Ca6ko! How are you?

I think CAPsMAN could be an alternative... Thank you!

Can you confirm that the ONLY ROUTER in the mix (or MT device acting as a router) is the 760 and the rest of the MT devices are acting as AP/switches or switches??
Can you confirm throughout this entire network you are only using two subnets, one for LAN traffic all users, and one for iot devices ??

Hi, @anav! Are you good?

In reality all MT devices are using only one subnet. (By the way: I've just replaced the configuration of the RBcAPGi-5acD2nD with the correct ("cleaned") one at my main post.)

The devices with WiFi interface(s) are configured essentially with a bridge grouping all interfaces together, one IP address assigned to the bridge and that basic routing table...

I can post the config of any other MT device. Just let me know...

A segmented guest 5GHz WiFi network would be nice but not essential.

On the other hand, the mesh for the 5GHz WiFi is essential (I've already made the mesh config once but, with the upgrade to RouterOS v7 and segmentation in mind, I've cleaned every device).

Once again....
Thank you very much!
