Just got my RB5009 and wanted to set up two VLANs, 10 and 107, with three SSIDs: Main, Guest, and IoT on ether2 port.
Main SSID will be on vlan 10 and Guest, IOT SSIDs will be on vlan 107
I can access the internet on the Main SSID, but there is no internet on the Guest and IoT SSIDs.
Code: Select all
/interface bridge
add admin-mac=48:A9:8A:25:6B:67 auto-mac=no comment=defconf name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[WAN]"
set [ find default-name=ether2 ] name="ether2[ASUS]"
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=bridge1 name="vlan10[LAN]" vlan-id=10
add interface=bridge1 name="vlan107[IoT]" vlan-id=107
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-10 ranges=10.0.0.15-10.0.0.254
add name="dhcp_vlan10[LAN]" ranges=10.0.10.15-10.0.10.254
add name="dhcp_vlan107[IoT]" ranges=10.0.107.2-10.0.107.254
/ip dhcp-server
add address-pool=dhcp-10 interface=bridge1 lease-time=8h name=defconf
add address-pool="dhcp_vlan107[IoT]" interface="vlan107[IoT]" lease-time=2d name="dhcp107[IoT]"
add address-pool="dhcp_vlan10[LAN]" interface="vlan10[LAN]" lease-time=2d name="dhcp10[LAN]"
/interface bridge port
add bridge=bridge1 comment=defconf interface="ether2[ASUS]"
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf disabled=yes interface=ether5
add bridge=bridge1 comment=defconf disabled=yes interface=ether6
add bridge=bridge1 comment=defconf disabled=yes interface=ether7
add bridge=bridge1 comment=defconf disabled=yes interface=ether8
add bridge=bridge1 comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface="vlan107[IoT]" pvid=107
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface="vlan10[LAN]" pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged="vlan10[LAN],ether2[ASUS]" vlan-ids=10
add bridge=bridge1 tagged="vlan107[IoT],ether2[ASUS]" vlan-ids=107
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface="ether1[WAN]" list=WAN
add interface=bridge1 list=VLAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge1 network=192.168.88.0
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
add address=10.0.10.1/24 interface="vlan10[LAN]" network=10.0.10.0
add address=10.0.107.1/24 interface="vlan107[IoT]" network=10.0.107.0
/ip dhcp-client
add comment=defconf interface="ether1[WAN]"
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.5 gateway=10.0.0.1
add address=10.0.10.0/24 dns-server=1.1.1.1 gateway=10.0.10.1
add address=10.0.107.0/24 dns-server=1.1.1.1 gateway=10.0.107.1
add address=192.168.88.0/24 comment=defconf dns-server=10.0.0.5 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.5 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=reject chain=input comment="Winbox on WAN" dst-port=8291 in-interface-list=WAN protocol=tcp reject-with=icmp-network-unreachable
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN