heizenberg
just joined
Topic Author
Posts: 5
Joined: Wed Feb 22, 2023 3:40 am
Location: Albuquerque, New Mexico

No internet guest VLAN

Fri Feb 24, 2023 1:04 am

Hello,

Just got my RB5009 and wanted to set up two VLANs, 10 and 107, with three SSIDs: Main, Guest, and IoT on ether2 port.
Main SSID will be on vlan 10 and Guest, IOT SSIDs will be on vlan 107
I can access the internet on the Main SSID, but there is no internet on the Guest and IoT SSIDs.


/interface bridge
add admin-mac=48:A9:8A:25:6B:67 auto-mac=no comment=defconf name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[WAN]"
set [ find default-name=ether2 ] name="ether2[ASUS]"
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=bridge1 name="vlan10[LAN]" vlan-id=10
add interface=bridge1 name="vlan107[IoT]" vlan-id=107
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-10 ranges=10.0.0.15-10.0.0.254
add name="dhcp_vlan10[LAN]" ranges=10.0.10.15-10.0.10.254
add name="dhcp_vlan107[IoT]" ranges=10.0.107.2-10.0.107.254
/ip dhcp-server
add address-pool=dhcp-10 interface=bridge1 lease-time=8h name=defconf
add address-pool="dhcp_vlan107[IoT]" interface="vlan107[IoT]" lease-time=2d name="dhcp107[IoT]"
add address-pool="dhcp_vlan10[LAN]" interface="vlan10[LAN]" lease-time=2d name="dhcp10[LAN]"
/interface bridge port
add bridge=bridge1 comment=defconf interface="ether2[ASUS]"
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf disabled=yes interface=ether5
add bridge=bridge1 comment=defconf disabled=yes interface=ether6
add bridge=bridge1 comment=defconf disabled=yes interface=ether7
add bridge=bridge1 comment=defconf disabled=yes interface=ether8
add bridge=bridge1 comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface="vlan107[IoT]" pvid=107
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface="vlan10[LAN]" pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged="vlan10[LAN],ether2[ASUS]" vlan-ids=10
add bridge=bridge1 tagged="vlan107[IoT],ether2[ASUS]" vlan-ids=107
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface="ether1[WAN]" list=WAN
add interface=bridge1 list=VLAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge1 network=192.168.88.0
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
add address=10.0.10.1/24 interface="vlan10[LAN]" network=10.0.10.0
add address=10.0.107.1/24 interface="vlan107[IoT]" network=10.0.107.0
/ip dhcp-client
add comment=defconf interface="ether1[WAN]"
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.5 gateway=10.0.0.1
add address=10.0.10.0/24 dns-server=1.1.1.1 gateway=10.0.10.1
add address=10.0.107.0/24 dns-server=1.1.1.1 gateway=10.0.107.1
add address=192.168.88.0/24 comment=defconf dns-server=10.0.0.5 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.5 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=reject chain=input comment="Winbox on WAN" dst-port=8291 in-interface-list=WAN protocol=tcp reject-with=icmp-network-unreachable
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No internet guest VLAN

Fri Feb 24, 2023 7:03 pm

Keep it simple and consistent: turn the bridge subnet into a vlan, so the bridge does nothing but bridging.......... it makes life far less complicated.
Quick and dirty change !

/interface vlan
add interface=bridge1 name=vlanHOME5 vlan-id=5
add interface=bridge1 name="vlan10[LAN]" vlan-id=10
add interface=bridge1 name="vlan107[IoT]" vlan-id=107


/ip dhcp-server
add address-pool=dhcp-10 interface=vlanHOME5 lease-time=8h name=defconf
add address-pool="dhcp_vlan107[IoT]" interface="vlan107[IoT]" lease-time=2d name="dhcp107[IoT]"
add address-pool="dhcp_vlan10[LAN]" interface="vlan10[LAN]" lease-time=2d name="dhcp10[LAN]"


/ip address
add address=10.0.0.1/24 interface=vlanHOME5 network=10.0.0.0
add address=10.0.10.1/24 interface="vlan10[LAN]" network=10.0.10.0
add address=10.0.107.1/24 interface="vlan107[IoT]" network=10.0.107.0


Since you also needed to modify your Interface List Members anyway.......................
/interface list member
add comment=defconf interface=vlanHOME5 list=LAN
add interface="vlan10[LAN]" list=LAN
add interface="vlan107[IoT]" list=LAN

add comment=defconf interface="ether1[WAN]" list=WAN

DONE!!
+++++++++++++++++++++++++++++++++++++++++++++++++

Now with a coherent approach to subnets the rest should be easier to figure out.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No internet guest VLAN

Fri Feb 24, 2023 9:01 pm

SSIDs are determined by the RADIO settings not the router.
The vlans attributable to a port or WLAN are determined by the /interface bridge port and /interface bridge vlan settings.

What is clear is that you have two WLANs on the RB5009 assigned. Do you think this is correct??
Clearly not, the RB5009 has no wireless, so these entries are completely bogus......
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface="vlan107[IoT]" pvid=107
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface="vlan10[LAN]" pvid=10


Thus I will assume what you mean is that the ASUS is a smart Access Point that can read vlan tags..........
Thus we will trunk both vlans to etherport2, for the ASUS to then deal with.

/interface bridge port
add bridge=bridge1 comment=defconf ingress-filtering=yes frame-types=admit-only-vlan-tagged interface="ether2[ASUS]"
add bridge=bridge1 comment=defconf ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=5
add bridge=bridge1 comment=defconf ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5

add bridge=bridge1 comment=defconf disabled=yes interface=ether5
add bridge=bridge1 comment=defconf disabled=yes interface=ether6
add bridge=bridge1 comment=defconf disabled=yes interface=ether7
add bridge=bridge1 comment=defconf disabled=yes interface=ether8
add bridge=bridge1 comment=defconf disabled=yes interface=sfp-sfpplus1


/interface bridge vlan
add bridge=bridge1 tagged="bridge1,ether2[ASUS]" vlan-ids=10,107
add bridge=bridge1 tagged=bridge1 untagged=ether3,ether4 vlan-ids=5


/interface list
add name=MANAGE
/interface list member
add interface=vlanHOME5 list=LAN
add interface="vlan10[LAN]" list=LAN
add interface="vlan107[IoT]" list=LAN
add comment=defconf interface="ether1[WAN]" list=WAN
add interface=vlanHOME5 list=MANAGE


Let's look at your logic...................
What is the purpose of these two rules.......
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN

the first one gives only those on the home bridge full access to the router, presumably you did this so that you the admin could config the router.
However the following rule then gives everyone the same full access to the router.............???
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN



Better to use MANAGE interface list....... and if you need to further narrow it down, use src-address-list by making a firewall address list containing only Admin IPs.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=accept chain=input comment="Allow admin to routerVLAN" in-interface-list=MANAGE
add action=accept chain=input comment="users to router services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to router services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
(Caution: make this the last rule you implement.)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
IP neighbor discovery should use the MANAGE interface list as well, and so should the
IP mac-server winbox setting.........
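To make the input-chain point concrete, here is a small Python model (an added example, not from the thread or from MikroTik) that evaluates the OP's posted input chain and anav's proposed one first-match style over constructed packets, with interface-list membership as the two configs define it. It implements only the matchers these rules use, ignores dst-address and reject-with, and assumes RouterOS's behaviour of accepting a packet that no rule in the chain matches.

```python
import shlex


def parse_rule(line):
    """Turn one 'add action=... chain=input ...' line into a dict of its key=value pairs."""
    fields = {}
    for word in shlex.split(line):
        if word == "add":
            continue
        key, _, value = word.partition("=")
        fields[key] = value
    return fields


def parse_rules(block):
    return [parse_rule(line) for line in block.strip().splitlines()]


# Interface lists as the two configs define them (list name -> member interfaces).
LISTS_OP = {"WAN": {"ether1[WAN]"}, "LAN": {"bridge1"}, "VLAN": {"bridge1"}}
LISTS_FIXED = {"WAN": {"ether1[WAN]"},
               "LAN": {"vlanHOME5", "vlan10[LAN]", "vlan107[IoT]"},
               "MANAGE": {"vlanHOME5"}}

# The OP's input chain, rule lines copied from the first export in the thread.
INPUT_OP = parse_rules("""
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=reject chain=input comment="Winbox on WAN" dst-port=8291 in-interface-list=WAN protocol=tcp reject-with=icmp-network-unreachable
""")

# anav's proposed input chain: admin VLAN gets the router, users get DNS, everything else is dropped.
INPUT_FIXED = parse_rules("""
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow admin to routerVLAN" in-interface-list=MANAGE
add action=accept chain=input comment="users to router services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to router services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
""")


def matches(rule, pkt, lists):
    """Match one rule against a packet; only the matchers used by these rules are modelled."""
    if rule.get("disabled") == "yes":
        return False
    if rule.get("chain") != pkt["chain"]:
        return False
    want = rule.get("in-interface-list")
    if want is not None:
        negate = want.startswith("!")
        member = pkt["in_interface"] in lists.get(want.lstrip("!"), set())
        if member == negate:          # required list not matched, or negated list matched
            return False
    want = rule.get("connection-state")
    if want is not None and pkt["state"] not in want.split(","):
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst-port" in rule and str(pkt["dst_port"]) not in rule["dst-port"].split(","):
        return False
    return True


def evaluate(rules, lists, in_interface, dst_port, protocol="tcp", state="new"):
    """Return (action, comment) of the first matching rule, or RouterOS's accept-by-default."""
    pkt = dict(chain="input", in_interface=in_interface, state=state,
               protocol=protocol, dst_port=dst_port)
    for rule in rules:
        if matches(rule, pkt, lists):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched: chain default is accept"


if __name__ == "__main__":
    for label, rules, lists in (("OP", INPUT_OP, LISTS_OP), ("fixed", INPUT_FIXED, LISTS_FIXED)):
        for iface, port, proto in (("vlan107[IoT]", 8291, "tcp"),
                                   ("vlan107[IoT]", 53, "udp"),
                                   ("vlanHOME5", 8291, "tcp")):
            print(f"{label:5} {iface:13} {proto}/{port} -> {evaluate(rules, lists, iface, port, proto)}")
```

The guest VLAN reaching Winbox is accepted in the OP's chain only because nothing matches it and the chain has no final drop; the fixed chain drops it while still letting the admin VLAN in and every VLAN resolve DNS.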
 
heizenberg
just joined
Topic Author
Posts: 5
Joined: Wed Feb 22, 2023 3:40 am
Location: Albuquerque, New Mexico

Re: No internet guest VLAN

Sat Feb 25, 2023 8:28 am

anav, thank you so much for your helpful feedback I really appreciate it.

What is clear is that you have two WLANs on the RB5009 assigned. Do you think this is correct??
Clearly not, the RB5009 has no wireless, so these entries are completely bogus......
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface="vlan107[IoT]" pvid=107
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface="vlan10[LAN]" pvid=10
haha agreed, I wasn't really sure what I was doing, to be honest.
------------------------------------------------------------------------------
Thus I will assume what you mean is that the ASUS is a smart Access Point that can read vlan tags
Yes, I have created the vlans on the ASUS access point.
------------------------------------------------------------------------------
What is the purpose of these two rules.......
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
the first one gives only those on the home bridge full access to the router, presumably you did this so that you the admin could config the router.
However the following rule then gives everyone the same full access to the router.............???
Thanks for the explanation, I thought these would help but clearly not lol.
------------------------------------------------------------------------------
/interface bridge port
add bridge=bridge1 comment=defconf ingress-filtering=yes frame-types=admit-only-vlan-tagged interface="ether2[ASUS]"
add bridge=bridge1 comment=defconf ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=5
add bridge=bridge1 comment=defconf ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
/interface bridge vlan
add bridge=bridge1 tagged="bridge1,ether2[ASUS]" vlan-ids=10,107
add bridge=bridge1 tagged=bridge1 untagged=ether3,ether4 vlan-ids=5
Might be a stupid question: Since I'm not using ether3 and ether4, can I simply use ether2 here?

Rudimentary network diagram: [image]
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No internet guest VLAN

Sat Feb 25, 2023 5:04 pm

Thanks for the explanation, I thought these would help but clearly not lol.

No, your intent was good: you wanted to be able to config the router, and the other rule is more like the original default, ensuring all users had access to needed services.
All I was saying is that you need to tweak the rules to
a. only let the admin access the router for config purposes
b. allow users only to the needed services, typically DNS and sometimes also NTP.

Might be a stupid question: Since I'm not using ether3 and ether4, can I simply use ether2 here?

Not at all, the setup depends on your requirements!!
I only put them there because on your original config
a. they were not disabled like the other ports....
b. they were included as bridge ports!!!
c. thus concluded that devices were attached.
 
Buckeye
Forum Veteran
Posts: 890
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: No internet guest VLAN

Sat Feb 25, 2023 11:54 pm

Just got my RB5009 and wanted to set up two VLANs, 10 and 107, with three SSIDs: Main, Guest, and IoT on ether2 port.
Main SSID will be on vlan 10 and Guest, IOT SSIDs will be on vlan 107
I can access the internet on the Main SSID, but there is no internet on the Guest and IoT SSIDs.
Perhaps I haven't had enough coffee, but can you explain how you are going to have 3 SSIDs using only two vlans? (Specifically, what do you mean by "and Guest, IOT SSIDs will be on vlan 107"?)

How will the Guest and IoT wifi devices get ip addresses? And how will they be kept separate? What is the point of the two different SSIDs on the same vlan?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No internet guest VLAN

Sun Feb 26, 2023 4:54 am

I thought about that also, but he wants to have two different SSIDs per one vlan; that's up to the OP.
All users on those two ssids will be on the same vlan and see each other at layer2, not isolated.
 
Buckeye
Forum Veteran
Posts: 890
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: No internet guest VLAN

Sun Feb 26, 2023 9:58 am

Looking more closely at his diagram, his IoT SSID is on the 2.4Ghz band and the Guest SSID is on the 5GHz band. While that's possible to do, (I have seen Guest24 and Guest5 used), will using two different SSID names even allow the firewall to distinguish what is connected to Guest from what is connected to IoT?

What I do is have the same SSID for both bands (and multiple APs). I think this provides a more seamless experience for mobile devices (that may lose access to one band before the other).

But about the only thing I have that moves around is my mobile phone with its connection to my Wifi. Most other wifi devices are fixed-location IoT (Amazon Echos, Google Home, etc). And anything I use for high volume has a wired connection. Even my Amazon Firestick has a wired Ethernet/USB power supply; even though the Amazon Ethernet adapter is limited to 100Mbps, it is still preferable to wifi in my opinion.
Last edited by Buckeye on Mon Feb 27, 2023 1:46 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11442
Joined: Thu Mar 03, 2016 10:23 pm

Re: No internet guest VLAN

Sun Feb 26, 2023 11:12 am

... will using two different SSID names even allow the firewall to distinguish what is connected to Guest from what is connected to IoT?
No, the firewall doesn't know anything about SSIDs; it only knows about L3+L4 stuff (IP addresses, TCP/UDP ports) and the L2 interfaces it's working with. Now, if the firewall runs on the AP device, then this would work because it would see all wifi interfaces directly. As soon as there's some L2 network between the wifi interface and the firewall, this information is not available any more. Hence the need for a separate VLAN (in the VLAN case, the firewall sees the vlan interface as the L2 interface it's working with).
Or if wireless is run by CAPsMAN with manager running on firewall device and local forwarding disabled. In this case wifi interfaces appear on CAPsMAN manager device and firewall again has access to "actual" L2 interfaces. But personally I wouldn't go in this direction, it has plenty of drawbacks that aren't offset by benefits in this particular use case (single AP).
 
heizenberg
just joined
Topic Author
Posts: 5
Joined: Wed Feb 22, 2023 3:40 am
Location: Albuquerque, New Mexico

Re: No internet guest VLAN

Sun Feb 26, 2023 7:42 pm

I am a bit limited to an access point with external antennas because the rented house that I live in is old and doesn't have any Ethernet cables routed in the ceiling.

vlan 10 - LAN ports 1-4, Main wifi 2.5Ghz, Main wifi 5Ghz
vlan 107 (with client isolation) - Guest wifi 2.5Ghz, Guest wifi 5Ghz

here is the script that will create the vlans on the access point:
#!/bin/sh

# Mapping
# eth0 - LAN 1
# eth1 - LAN 2
# eth2 - LAN 3
# eth3 - LAN 4
# eth4 - WAN
# eth5 - Main wifi 2.4Ghz
# eth6 - Main wifi 5Ghz
# wl0.1 - Guest wifi 2.4Ghz
# wl1.1 - Guest wifi 5Ghz

# Remove interfaces from br0
brctl delif br0 eth4
brctl delif br0 wl0.1
brctl delif br0 wl1.1

# Create VLAN interfaces and bring them up
ip link add link eth4 name eth4.10 type vlan id 10
ip link add link eth4 name eth4.107 type vlan id 107
ip link set eth4.10 up
ip link set eth4.107 up

# Add VLAN interfaces to br0 and create br1
brctl addif br0 eth4.10
brctl addbr br1
brctl addif br1 eth4.107
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ip link set br1 up

# Set interface names in NVRAM
nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.10"
nvram set lan1_ifnames="wl0.1 wl1.1 eth4.107"
nvram set lan1_ifname="br1"
nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth5 eth6 eth4.10"
nvram set br1_ifnames="wl0.1 wl1.1 eth4.107"
nvram set br1_ifname="br1"

# Enable AP isolation on wl0.1 and wl1.1
nvram set wl0.1_ap_isolate="1"
nvram set wl1.1_ap_isolate="1"

# Restart eapd and ethswctl
killall eapd
eapd
ethswctl -c hw-switch
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No internet guest VLAN

Sun Feb 26, 2023 7:59 pm

No worries, I see what you are doing!

The config should be working, are you having issues......
If so please post the latest config on the MT device.
 
heizenberg
just joined
Topic Author
Posts: 5
Joined: Wed Feb 22, 2023 3:40 am
Location: Albuquerque, New Mexico

Re: No internet guest VLAN

Thu Mar 09, 2023 3:57 am

Sorry for the late reply; I got hit with COVID. I ended up getting rid of the ASUS and got the EAP653, and set up three SSIDs for the three VLANs. All three SSIDs seem to work well. The problem is that I don't get internet on ether3, ether4, and ether5.
/interface bridge
add admin-mac=48:A9:8A:25:6B:67 auto-mac=no comment=defconf name=bridge1
add name=docker
/interface ethernet
set [ find default-name=ether1 ] name="ether1[WAN]"
set [ find default-name=ether2 ] name="ether2[EAP653]"
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface veth
add address=10.10.0.5/24 gateway=10.10.0.1 name="veth[docker]"
/interface vlan
add interface=bridge1 name="vlan7[Home]" vlan-id=7
add interface=bridge1 name="vlan100[Guest]" vlan-id=100
add interface=bridge1 name="vlan107[IoT]" vlan-id=107
/container mounts
add dst=/etc/pihole name=etc_pihole src=/usb1/appdata/pihole/etc_pihole-unbound
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=/usb1/appdata/pihole/etc_pihole_dnsmasq-unbound
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="dhcp_vlan7[Home]" ranges=10.0.0.21-10.0.0.254
add name="dhcp_vlan100[Guest]" ranges=10.0.100.10-10.0.100.254
add name="dhcp_vlan107[IoT]" ranges=10.0.107.5-10.0.107.254
/ip dhcp-server
add address-pool="dhcp_vlan7[Home]" interface="vlan7[Home]" lease-time=8h name="dhcp7[Home]"
add address-pool="dhcp_vlan107[IoT]" interface="vlan107[IoT]" lease-time=2d name="dhcp107[IoT]"
add address-pool="dhcp_vlan100[Guest]" interface="vlan100[Guest]" lease-time=8h name="dhcp100[Guest]"
/system logging action
add disk-file-count=3 disk-file-name=usb1/log/log name=usb target=disk
/container
add entrypoint=/s6-init envlist=pihole_env interface="veth[docker]" mounts=etc_pihole,dnsmasq_pihole root-dir=usb1/appdata/pihole start-on-boot=yes
/container config
set ram-high=256.0MiB registry-url=https://registry-1.docker.io tmpdir=usb1/pull_temp
/container envs
add key=TZ name=pihole_env value=America/New_York
add key=WEBPASSWORD name=pihole_env value=passlol
add key=FTLCONF_LOCAL_IPV4 name=pihole_env value=10.10.0.5
add key=REV_SERVER name=pihole_env value=true
add key=REV_SERVER_DOMAIN name=pihole_env value=local
add key=REV_SERVER_TARGET name=pihole_env value=10.0.0.1
add key=REV_SERVER_CIDR name=pihole_env value=10.10.0.0/24
add key=HOSTNAME name=pihole_env value=mt-pihole
add key=DOMAIN_NAME name=pihole_env value=mt-pihole.local
add key=PIHOLE_WEBPORT name=pihole_env value=80
add key=WEBTHEME name=pihole_env value=default-dark
add key=PIHOLE_DNS_ name=pihole_env value=127.0.0.1#5335
add key=DNSSEC name=pihole_env value=true
add key=DNSMASQ_LISTENING name=pihole_env value=single
/interface bridge port
add bridge=bridge1 comment=defconf disabled=yes interface="ether2[EAP653]"
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=7
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=7
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=7
add bridge=bridge1 comment=defconf disabled=yes interface=ether6
add bridge=bridge1 comment=defconf disabled=yes interface=ether7
add bridge=bridge1 comment=defconf disabled=yes interface=ether8
add bridge=bridge1 comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=docker interface="veth[docker]"
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface="ether2[EAP653]"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged="bridge1,ether2[EAP653]" vlan-ids=100,107
add bridge=bridge1 tagged=bridge1 untagged=ether3,ether4,ether5 vlan-ids=7
/interface list member
add comment=defconf disabled=yes interface=bridge1 list=LAN
add comment=defconf interface="ether1[WAN]" list=WAN
add interface="vlan100[Guest]" list=LAN
add interface="vlan107[IoT]" list=LAN
add interface="vlan7[Home]" list=LAN
add interface="vlan7[Home]" list=MANAGE
/ip address
add address=10.0.0.1/24 interface="vlan7[Home]" network=10.0.0.0
add address=10.10.0.1/24 interface=docker network=10.10.0.0
add address=10.0.107.1/24 interface="vlan107[IoT]" network=10.0.107.0
add address=10.0.100.1/24 interface="vlan100[Guest]" network=10.0.100.0
/ip dhcp-client
add comment=defconf interface="ether1[WAN]"
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.10.0.5,10.0.0.5 gateway=10.0.0.1
add address=10.0.100.0/24 dns-server=10.10.0.5,10.0.0.5 gateway=10.0.100.1 netmask=24
add address=10.0.107.0/24 dns-server=1.1.1.1,9.9.9.9 gateway=10.0.107.1 netmask=24
/ip dns static
add address=10.10.0.5 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="users to router services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to router services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=input comment="Allow admin to routerVLAN" in-interface-list=MANAGE
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=10.10.0.0/24
/ip service
set telnet disabled=yes
set ftp address=10.0.0.0/24 port=201
set www disabled=yes
set ssh address=10.0.0.0/24 port=2207
set api disabled=yes
set winbox port=7291
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system logging
set 0 action=usb
set 1 action=usb
set 2 action=usb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No internet guest VLAN  [SOLVED]

Thu Mar 09, 2023 2:10 pm

(1) You have a duplicate rule issue for eap........
/interface bridge port
add bridge=bridge1 comment=defconf disabled=yes interface="ether2[EAP653]"
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=7
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=7
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=7
add bridge=bridge1 comment=defconf disabled=yes interface=ether6
add bridge=bridge1 comment=defconf disabled=yes interface=ether7
add bridge=bridge1 comment=defconf disabled=yes interface=ether8
add bridge=bridge1 comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=docker interface="veth[docker]"
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface="ether2[EAP653]"


It would seem to me that that:
a. ether2 should not be disabled and being a trunk port for three vlans
b. ether2 should be allowing only tagged frames and thus you need only one bridge port for ether2

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface="ether2[EAP653]"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=7
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=7
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=7


(2) The bridge vlan rules are not quite right......... Where is the third vlan (third SSID) on ether2 ???
/interface bridge vlan
add bridge=bridge1 tagged="bridge1,ether2[EAP653]" vlan-ids=100,107
add bridge=bridge1 tagged=bridge1 untagged=ether3,ether4,ether5 vlan-ids=7

TO:
/interface bridge vlan
add bridge=bridge1 tagged="bridge1,ether2[EAP653]" vlan-ids=100,107
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether3,ether4,ether5 vlan-ids=7


(3) mac-server should be set to none.....
/tool mac-server
set allowed-interface-list=NONE
set allowed-interface-list=MANAGE


(4) For consistency and purpose
/ip neighbor discovery-settings
set discover-interface-list=MANAGE


(5) Your firewall rules are disorganized, keep the chains together and of course your rules are also out of order (as disorganization tends to lead to) within chains; it's as if you don't understand firewall rules.

For example, you have this rule fairly high, where it is by default, so nothing wrong there.....
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

But then after some forward chain rules you have more input chain rules like this one:
add action=accept chain=input comment="users to router services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to router services" dst-port=53 in-interface-list=LAN protocol=tcp

Do you honestly think the latter rules will ever be used and WHY??

(6) I fail to see the purpose of the second src-nat masquerade rule???????
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=10.10.0.0/24


(7) FTP should be disabled, it's not a secure access method.....

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

AS TO YOUR PREDICAMENT with ether3,4,5 that's simple, after cleaning up the above you need to
finish the vlan filtering config like so.......
/interface bridge
add admin-mac=48:A9:8A:25:6B:67 auto-mac=no comment=defconf name=bridge1 vlan-filtering=yes
Last edited by anav on Fri Mar 10, 2023 1:58 pm, edited 1 time in total.
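As an added illustration of points (1) and (2), not code from the thread or from MikroTik: a small Python model of RouterOS bridge VLAN filtering (pvid, frame-types, ingress-filtering and the /interface bridge vlan table), run against the table as posted and against anav's corrected one. The model itself, the reduced port set (ether5 left out) and the sample frames are assumptions constructed here.

```python
from dataclasses import dataclass

@dataclass
class Port:
    pvid: int = 1
    frame_types: str = "admit-all"   # or one of the admit-only-* values
    ingress_filtering: bool = True

def classify(port, vid):
    """VLAN id assigned on ingress, or None if the frame is dropped.
    vid is None for an untagged frame; priority-tagged frames carry vid 0."""
    untagged = vid is None or vid == 0
    if untagged and port.frame_types == "admit-only-vlan-tagged":
        return None
    if not untagged and port.frame_types == "admit-only-untagged-and-priority-tagged":
        return None
    return port.pvid if untagged else vid

def forward(ports, vlan_table, in_port, vid):
    """Egress port -> 'tagged'|'untagged' for a frame entering in_port; vlan_table maps
    vlan-id -> (tagged, untagged) port sets as in /interface bridge vlan."""
    v = classify(ports[in_port], vid)
    if v is None:
        return {}
    tagged, untagged = vlan_table.get(v, (set(), set()))
    members = tagged | untagged
    if ports[in_port].ingress_filtering and in_port not in members:  # not a member: drop
        return {}
    return {p: ("tagged" if p in tagged else "untagged") for p in members if p != in_port}

ACCESS = "admit-only-untagged-and-priority-tagged"
PORTS = {   # constructed from anav's corrected /interface bridge port entries
    "bridge1": Port(),
    "ether2": Port(frame_types="admit-only-vlan-tagged"),  # trunk to the AP
    "ether3": Port(pvid=7, frame_types=ACCESS),
    "ether4": Port(pvid=7, frame_types=ACCESS),
}
EDGE = {"ether3", "ether4"}
VLANS_BEFORE = {100: ({"bridge1", "ether2"}, set()),   # table as posted:
                107: ({"bridge1", "ether2"}, set()),   # VLAN 7 has no ether2
                7: ({"bridge1"}, EDGE)}
# anav's correction: ether2 carries VLAN 7 tagged as well.
VLANS_AFTER = {**VLANS_BEFORE, 7: ({"bridge1", "ether2"}, EDGE)}

def check():
    """Untagged ether3 frame before/after the fix, then two frames filtering must drop."""
    return (forward(PORTS, VLANS_BEFORE, "ether3", None),
            forward(PORTS, VLANS_AFTER, "ether3", None),
            forward(PORTS, VLANS_AFTER, "ether2", None),   # untagged on the trunk
            forward(PORTS, VLANS_AFTER, "ether3", 100))    # tagged on an access port
```

With the posted table the VLAN 7 frame only reaches bridge1 and ether4, never the trunk; with the corrected table it also leaves ether2 tagged, while an untagged frame on ether2 and a VID 100 tag arriving on ether3 are both dropped by frame-types.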
 
heizenberg
just joined
Topic Author
Posts: 5
Joined: Wed Feb 22, 2023 3:40 am
Location: Albuquerque, New Mexico

Re: No internet guest VLAN

Fri Mar 10, 2023 7:43 am

After making the changes, it works perfectly! I must admit that I am a complete newbie when it comes to firewall rules.
I'll rearrange my rules and delete the second src-nat rule.
It appears that this rule
add action=drop chain=forward comment="drop all else"
blocked access to the pihole container at 10.10.0.5.

Thank you very much, @anav, for your valuable and informative answer!
