For your information:
VLAN 1 = LAN
VLAN 25 = Guest
I have a L009UiGS as router and a cAP ax as AP.
A trunk goes from ether3 on the router to port 1 on the AP.
Port 2 on the AP is the port for VLAN 25, to which guests can connect.
The guest network is distributed via wifi3 and wifi4, wifi 1 and wifi 2 for the LAN network.
WLAN via the guest network also works, you get IPs from the VLAN etc. But wifi via the main LAN network (vlan1) does not work, no address is assigned via DHCP. Why not?
Thank you very much for your help.
My config is below.
Router:
Code: Select all
# 2024-01-03 13:20:11 by RouterOS 7.13
# software id = 00TF-I6FU
#
# model = L009UiGS
# serial number = HFB09AKEH3S
/container mounts
add dst=/etc/pihole name=etc_pihole src=/usb1/pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=/usb1/pihole/etc-dnsmasq.d
/disk
set usb1 type=hardware
/interface bridge
add name=BRIDGE-LAN port-cost-mode=short vlan-filtering=yes
add name=containers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=PC
set [ find default-name=ether3 ] comment=WLAN
set [ find default-name=ether4 ] comment=Modem
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-SITE-C
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=pihole
/interface vlan
add interface=BRIDGE-LAN name=vlan-Gast-25 vlan-id=25
add interface=BRIDGE-LAN name=vlan1 vlan-id=1
add interface=ether1 name=vlan7-pppoe vlan-id=7
/interface list
add name=WAN
add name=LAN
/ipv6 pool
add name=ULA-Pool-vlan25 prefix=fd00:8888::/64 prefix-length=64
add name=ULA-Pool-vlan1 prefix=fd00:6969::/64 prefix-length=64
/port
set 0 name=serial0
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=ether1-pppoe \
profile=default-encryption user=0021993121005510104718610001@t-online.de
/queue type
add kind=fq-codel name=FQ-Codel
/queue simple
add max-limit=100M/100M name=queue1 packet-marks=no-mark queue=\
FQ-Codel/FQ-Codel target=ether1-pppoe total-queue=FQ-Codel
/container
add envlist=pihole_envs interface=pihole mounts=etc_pihole,dnsmasq_pihole \
root-dir=usb1/pihole/pihole start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io/ tmpdir=usb1/pull
/container envs
add key=TZ name=pihole_envs value=Europe/Berlin
add key=WEBPASSWORD name=pihole_envs value=P@ssw0rd
add key=DNSMASQ_USER name=pihole_envs value=root
/interface bridge port
add bridge=BRIDGE-LAN comment=PC frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=BRIDGE-LAN comment=WLAN interface=ether3 internal-path-cost=10 \
path-cost=10
add bridge=BRIDGE-LAN comment=Modem interface=ether4 internal-path-cost=10 \
path-cost=10
add bridge=containers interface=pihole internal-path-cost=10 path-cost=10
/interface bridge vlan
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether3 vlan-ids=1
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether3 vlan-ids=25
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=BRIDGE-LAN list=LAN
add interface=vlan1 list=LAN
add interface=vlan-Gast-25 list=LAN
add interface=ether1-pppoe list=WAN
add interface=WG-SITE-C list=LAN
add interface=containers list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=162.55.221.136 endpoint-port=\
13231 interface=WG-SITE-C persistent-keepalive=30s public-key=\
"DhIKnOLaU7LfMMulhNo52TKsxXyOpICirxNUeSfbNwo="
/ip address
add address=192.168.20.1/24 comment=Normal interface=vlan1 network=\
192.168.20.0
add address=192.168.25.1/24 comment=Gast interface=vlan-Gast-25 network=\
192.168.25.0
add address=10.0.0.2/30 interface=WG-SITE-C network=10.0.0.0
add address=172.17.0.1/24 comment=Container interface=containers network=\
172.17.0.0
/ip arp
add address=192.168.20.2 interface=vlan1 published=yes
/ip dhcp-server lease
add block-access=yes mac-address=78:9A:18:A7:0F:7D
/ip dhcp-server network
add address=192.168.20.0/24 caps-manager=192.168.20.1 dns-server=172.17.0.2 \
gateway=192.168.20.1 netmask=24 ntp-server=192.168.20.1 wins-server=\
192.168.20.1
add address=192.168.25.0/24 caps-manager=192.168.25.1 dns-server=192.168.25.1 \
gateway=192.168.25.1 netmask=24 ntp-server=192.168.25.1 wins-server=\
192.168.25.1
/ip firewall filter
add action=accept chain=input comment="Alles aus VPN erlauben" in-interface=\
WG-SITE-C
add action=accept chain=input comment="WG Port erlauben" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="BGP Verbindung erlauben" dst-port=179 \
protocol=tcp
add action=accept chain=input comment="ICMP erlauben" protocol=icmp
add action=accept chain=input comment="LAN Traffic erlauben" \
in-interface-list=LAN log-prefix=acceptINPUT
add action=accept chain=input comment=Default connection-state=\
established,related
add action=accept chain=input dst-port=67,68 log=yes log-prefix=dhcp \
protocol=udp
add action=drop chain=input comment="Alles andere Input drop" log=yes \
log-prefix=inputDROP
add action=accept chain=forward comment=\
"Temp da WhatsApp sonst nicht funktioniert" in-interface=vlan-Gast-25
add action=accept chain=forward comment="Gast HTTP, HTTPS erlauben" dst-port=\
80,443 in-interface=vlan-Gast-25 protocol=tcp
add action=accept chain=forward comment="Gast DNS erlauben" dst-port=53,443 \
in-interface=vlan-Gast-25 protocol=udp
add action=drop chain=forward comment="Gast sonst drop" in-interface=\
vlan-Gast-25 log=yes log-prefix="drop gast"
add action=accept chain=forward comment="Von LAN zu Gast erlauben" \
in-interface=vlan1 out-interface=vlan-Gast-25
add action=accept chain=forward connection-state=established,related \
in-interface=vlan-Gast-25 out-interface=vlan1
add action=reject chain=forward comment="Von Gast zu LAN block" in-interface=\
vlan-Gast-25 out-interface=vlan1 reject-with=icmp-admin-prohibited
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Default Forward" connection-state=\
established,related
add action=drop chain=forward comment="Alles andere forward drop" \
connection-state=invalid log-prefix=invalid
add action=accept chain=output comment="Output erlauben"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat src-address=172.17.0.0/24
/ip pool
add name=dhcpLAN next-pool=dhcpLAN ranges=192.168.20.10-192.168.20.200
add name=dhcp-GAST next-pool=dhcp-GAST ranges=192.168.25.10-192.168.25.200
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
/ipv6 dhcp-client
add interface=ether1-pppoe request=address
/routing bgp connection
add as=65000 connect=yes disabled=no listen=yes local.address=10.0.0.2 .role=\
ibgp-rr-client name=TO-SITE-C output.network=BGP-OUT remote.address=\
10.0.0.1/32 .as=65000 router-id=10.0.0.2
/routing rule
add action=lookup disabled=no dst-address=192.168.10.0/24 interface=ether1 \
src-address=192.168.22.0/24 table=main
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
Code: Select all
# 2024-01-03 13:27:37 by RouterOS 7.13
# software id = 5C17-FKE5
#
# model = cAPGi-5HaxD2HaxD
# serial number = HEV0995C7WP
/interface bridge
add name=BRIDGE-LAN port-cost-mode=short vlan-filtering=yes
/interface vlan
add interface=BRIDGE-LAN name=vlan1-lan vlan-id=1
add interface=BRIDGE-LAN name=vlan25-gast vlan-id=25
/interface wifi datapath
add bridge=BRIDGE-LAN disabled=no name=LAN vlan-id=1
add bridge=BRIDGE-LAN disabled=no name=GAST vlan-id=25
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Gast
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=LAN
/interface wifi configuration
add country=Germany datapath=LAN disabled=no mode=ap name=LAN \
security=LAN ssid="404 Network unavailable"
add country=Germany datapath=GAST disabled=no mode=ap name=Gast \
security=Gast ssid="402 Payment Required"
/interface wifi
set [ find default-name=wifi1 ] configuration=LAN \
configuration.manager=local .mode=ap disabled=no
set [ find default-name=wifi2 ] configuration=LAN \
configuration.manager=local .mode=ap disabled=no
add configuration=Gast configuration.mode=ap disabled=no \
mac-address=7A:9A:18:28:B1:1E master-interface=wifi1 name=wifi3
add configuration=Gast configuration.mode=ap disabled=no \
mac-address=7A:9A:18:28:B1:1F master-interface=wifi2 name=wifi4
/interface bridge port
add bridge=BRIDGE-LAN interface=ether1 internal-path-cost=10 \
path-cost=10
add bridge=BRIDGE-LAN frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2 \
internal-path-cost=10 path-cost=10 pvid=25
add bridge=BRIDGE-LAN frame-types=\
admit-only-untagged-and-priority-tagged interface=wifi1 \
internal-path-cost=10 path-cost=10
add bridge=BRIDGE-LAN frame-types=\
admit-only-untagged-and-priority-tagged interface=wifi2 \
internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether1 untagged=wifi1,wifi2 \
vlan-ids=1
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether1 vlan-ids=25
/interface wifi cap
set certificate=request discovery-interfaces=vlan1-lan
/ip address
add address=192.168.20.3/24 interface=vlan1-lan network=\
192.168.20.0
add address=192.168.25.3/24 interface=vlan25-gast network=\
192.168.25.0
/ip dns
set servers=8.8.8.8
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.20.1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=CAP
/system note
set show-at-login=no
