poqer
just joined
Topic Author
Posts: 1
Joined: Sun Feb 12, 2023 1:24 pm

VLAN doesn't have access to WAN

Sun Feb 12, 2023 1:36 pm

Hi,
I have 2 MikroTiks. The first one acts as the main router and the second one as an AP. Wireless on the AP is managed by the main router's CAPsMAN. In CAPsMAN I have a slave wireless for guests which is assigned to a VLAN and
has a different DHCP. This all works, but the VLAN doesn't have access to the internet, and it should. I tried Torch on the WAN interface and I can see that VLAN source addresses are not translated: I see 10.10.10.x there.

Also, on the guest wifi on the main MikroTik (not created by CAPsMAN) I don't get an IP from DHCP, but that wifi also has VLAN ID 20 and "use tag" mode, and DHCP is on interface vlan20.

Internet on the other wifi and LAN is working without a problem.

Can you help me? Thanks.

Here is my exported config:
/caps-man channel
add band=5ghz-n/ac name=5g
add band=2ghz-g/n control-channel-width=20mhz frequency=2437,2462,2412 name=24g \
    tx-power=8
/interface bridge
add admin-mac=18:FD:74:93:A8:C5 auto-mac=no comment=defconf name=bridge
add disabled=yes name=bridge_hosts
/interface pppoe-client
add add-default-route=yes allow=pap dial-on-demand=yes disabled=no interface=\
    ether1 max-mru=1500 max-mtu=1500 mrru=1600 name=pppoe-out1 use-peer-dns=yes \
    user=8474
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=wifi_kenod_patro wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge name=wlan2-5g ssid=wifi_kenod_patro_5G wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan20 vlan-id=20
/caps-man datapath
add bridge=bridge local-forwarding=yes name=wifi_dole
add bridge=bridge local-forwarding=yes name=hosts vlan-id=20 vlan-mode=use-tag
/caps-man rates
add basic=12Mbps name=GN supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=1h name=security1
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=1h name=hosts
/caps-man configuration
add channel=24g country="czech republic" datapath=wifi_dole installation=indoor \
    mode=ap multicast-helper=full name=wifi24 rates=GN security=security1 ssid=\
    wifi_kenod
add channel=5g country="czech republic" datapath=wifi_dole installation=indoor \
    mode=ap multicast-helper=full name=wifi5 security=security1 ssid=wifi_kenod
add channel=24g country="czech republic" datapath=hosts installation=indoor \
    mode=ap multicast-helper=full name=guests rates=GN security=hosts ssid=\
    kenod_guests
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guests \
    supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:93:A8:C9 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan_guests \
    security-profile=guests ssid=kenod_guests vlan-id=20 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan20 name=dhcp1
/user group
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,!w\
    rite,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    wifi24 name-format=prefix-identity name-prefix=24G slave-configurations=\
    guests
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    wifi5 name-format=prefix-identity name-prefix=5G
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2-5g
add bridge=bridge_hosts disabled=yes interface=wlan_guests
add bridge=bridge_hosts disabled=yes interface=*D
add bridge=bridge_hosts disabled=yes interface=*165
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
add disabled=yes interface=bridge_hosts list=LAN
add interface=vlan20 list=VLAN
/interface wireless access-list
add mac-address=4E:2E:D2:C7:6D:51
/interface wireless cap
set bridge=bridge caps-man-addresses=192.168.1.1 discovery-interfaces=bridge \
    interfaces=wlan1
/ip address
add address=192.168.1.1/16 interface=bridge network=192.168.0.0
add address=10.10.10.1/24 disabled=yes interface=bridge_hosts network=\
    10.10.10.0
add address=10.10.10.1 interface=vlan20 network=10.10.10.1
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.65 client-id=1:c4:ad:34:5d:34:dd mac-address=\
    C4:AD:34:5D:34:DD server=defconf
add address=192.168.1.140 client-id=1:bc:cf:4f:79:4b:9d mac-address=\
    BC:CF:4F:79:4B:9D server=defconf
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.8.8 gateway=10.10.10.1
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.200 comment=defconf name=router.lan
add address=192.168.1.149 name=home.dankovi.cz
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward connection-state=new disabled=yes \
    in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes src-address=192.168.1.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1 \
    src-address=10.10.10.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.1.149 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.1.149 to-ports=80
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16 port=70
set ssh disabled=yes
set api address=192.168.0.0/16
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16
/ipv6 address
add from-pool=HVfree interface=bridge
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=HVfree pool-prefix-length=48 rapid-commit=no \
    request=prefix use-peer-dns=no
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=RouterOS
/system scheduler
add interval=1d name="Night wifi off at 1 am" on-event=script_wifi_off policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/08/2023 start-time=00:00:00
add interval=1d name="Night wifi on at 6am" on-event=script_wifi_on policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/08/2023 start-time=06:00:00
add interval=1d name="Night down wifi off" on-event=wifi_dole_off policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/11/2023 start-time=01:00:00
add interval=1d name="Night down wifi on" on-event=wifi_dole_on policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/11/2023 start-time=06:00:00
/system script
add dont-require-permissions=no name=script_wifi_off owner=kenod policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "interface wireless disable wlan1\r\
    \ninterface wireless disable wlan2-5g"
add dont-require-permissions=no name=script_wifi_on owner=kenod policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "interface wireless enable wlan1\r\
    \ninterface wireless enable wlan2-5g"
add dont-require-permissions=no name=wifi_dole_off owner=kenod policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "caps-man manager set enabled=no"
add dont-require-permissions=no name=wifi_dole_on owner=kenod policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "caps-man manager set enabled=yes"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
An5teifo
Frequent Visitor
Posts: 87
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: VLAN doesn't have access to WAN

Tue Feb 14, 2023 1:54 pm

From a quick look, I think you messed up the src-nat.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes src-address=192.168.1.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1 \
src-address=10.10.10.0/24
add action=masquerade chain=srcnat out-interface-list=WAN


It is sufficient to have only one masquerade rule for anything to WAN.
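An5teifo's point, plus one more thing worth checking in the posted export, can be verified mechanically. The following Python script is added here as an example and is not from the thread: it parses a RouterOS export (joining the backslash-continued lines), lists every srcnat masquerade rule with its enabled state, and flags /ip address entries written without a prefix length, which RouterOS stores as /32 so the router has no connected route for that subnet (the vlan20 address in the export above is written that way). The embedded sample export is constructed to mirror a few lines of the posted config.

```python
import shlex

# Constructed sample in the shape of the export posted above (not the full export)
SAMPLE_EXPORT = r"""/ip address
add address=192.168.1.1/16 interface=bridge network=192.168.0.0
add address=10.10.10.1 interface=vlan20 network=10.10.10.1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1 \
    src-address=10.10.10.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
"""

def parse_export(text):
    """Yield (section, properties) per add/set command, joining backslash-continued lines."""
    section, logical = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # command continues on the next line: drop the backslash
            logical += line[:-1]
            continue
        stmt, logical = logical + line, ""
        if stmt.startswith("/"):         # menu path such as "/ip firewall nat"
            section = stmt
        elif stmt.startswith(("add ", "set ")):
            yield section, dict(t.partition("=")[::2] for t in shlex.split(stmt)[1:] if "=" in t)

def masquerade_rules(text):
    """Return (enabled, match criteria) for every srcnat masquerade rule in the export."""
    rules = []
    for section, p in parse_export(text):
        if section == "/ip firewall nat" and p.get("chain") == "srcnat" and p.get("action") == "masquerade":
            enabled = p.get("disabled", "no") != "yes"   # a missing disabled= means the rule is active
            match = {k: v for k, v in p.items() if k not in ("action", "chain", "disabled", "comment")}
            rules.append((enabled, match))
    return rules

def prefixless_addresses(text):
    """Addresses under /ip address given without a mask; RouterOS then assumes /32."""
    return [p["address"] for s, p in parse_export(text)
            if s == "/ip address" and "/" not in p.get("address", "")]

def report(text):
    """One enabled masquerade rule matching out-interface-list=WAN is all the WAN path needs."""
    lines = [f"srcnat masquerade {'enabled ' if e else 'disabled'} {m}" for e, m in masquerade_rules(text)]
    lines += [f"{a} has no prefix length: RouterOS treats it as {a}/32" for a in prefixless_addresses(text)]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```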
 
anav
Forum Guru
Posts: 19370
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN doesn't have access to WAN

Tue Feb 14, 2023 2:28 pm

Why would you spend all that time setting up capsman with all its complexity for one AP?
Much cleaner to ditch CAPsMAN altogether. VLANs get much easier that way too.
