okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Help with CAPsMAN

Sun Apr 28, 2024 7:35 pm

Hello.
I am struggling with CAPsMAN. I have reset my three cAP ac into cAP mode, but when I plug them into the RB, they don't show up in CAPsMAN, or give me any WiFi. What did I do wrong?

Here are the RB settings:
[admin@MikroTik] > export
# 1970-01-02 00:16:41 by RouterOS 7.14.1
# software id = T1HW-1EBQ
#
# model = RB2011UiAS-2HnD
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G tx-power=20
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix_wired
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=Router
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=Employee_VLAN vlan-id=10
add interface=BR1 name=Gastrofix_VLAN vlan-id=30
add interface=BR1 name=GuestWIFI_VLAN vlan-id=20
/caps-man datapath
add bridge=BR1 local-forwarding=yes name=datapath-guest vlan-id=20 vlan-mode=use-tag
add bridge=BR1 local-forwarding=yes name=datapath-gastrofix vlan-id=30 vlan-mode=use-tag
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-gastrofix
add name=security-guest
/caps-man configuration
add channel=Ch36_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch36 security=security-guest ssid=Guest_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch6 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch11 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch12 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch13 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch36_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch36 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch40 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch48 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch44 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch6 security=security-guest ssid=Guest_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch11 security=security-guest ssid=Guest_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch12 security=security-guest ssid=Guest_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch13 security=security-guest ssid=Guest_2.4GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch40 security=security-guest ssid=Guest_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch48 security=security-guest ssid=Guest_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch44 security=security-guest ssid=Guest_5GHz
/caps-man interface
add channel=Ch01_20M_24G channel.frequency=2412 configuration=cfg-2.4-gastrofix-ch11 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none name=Gastrofix_2.4GHz-AP_Bar radio-mac=\
    74:4D:28:F9:AF:19 radio-name=744D28F9AF19
add channel=Ch11_20M_24G channel.frequency=2462 configuration=cfg-2.4-gastrofix-ch11 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none name=Gastrofix_2.4GHz-AP_Chambre radio-mac=\
    74:4D:28:F9:AA:6C radio-name=744D28F9AA6C
add channel=Ch06_20M_24G channel.frequency=2437 configuration=cfg-2.4-gastrofix-ch11 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none name=Gastrofix_2.4GHz-AP_Kontor radio-mac=\
    C4:AD:34:14:34:2A radio-name=C4AD3414342A
add channel=Ch12_20M_24G channel.frequency=2467 configuration=cfg-2.4-gastrofix-ch11 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=C4:AD:34:9E:DA:B1 master-interface=none name=Gastrofix_2.4GHz-AP_Messanin radio-mac=\
    C4:AD:34:9E:DA:B1 radio-name=C4AD349EDAB1
add channel=Ch40_20M_5G channel.frequency=5200 configuration=cfg-5ghz-guest-ch36 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none name=Gastrofix_5GHz-AP_Bar radio-mac=74:4D:28:F9:AF:1A \
    radio-name=744D28F9AF1A
add channel=Ch48_20M_5G channel.frequency=5240 configuration=cfg-5ghz-guest-ch36 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none name=Gastrofix_5GHz-AP_Chambre radio-mac=74:4D:28:F9:AA:6D \
    radio-name=744D28F9AA6D
add channel=Ch36_20M_5G channel.frequency=5180 configuration=cfg-5ghz-guest-ch36 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none name=Gastrofix_5GHz-AP_Kontor radio-mac=C4:AD:34:14:34:2B \
    radio-name=C4AD3414342B
add channel=Ch44_20M_5G channel.frequency=5220 configuration=cfg-5ghz-guest-ch36 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=C4:AD:34:9E:DA:B2 master-interface=none name=Gastrofix_5GHz-AP_Messanin radio-mac=\
    C4:AD:34:9E:DA:B2 radio-name=C4AD349EDAB2
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=guest_dhcp_pool ranges=192.168.88.20-192.168.88.250
add name=gastrofix_dhcp_pool ranges=192.168.7.120-192.168.7.254
/ip dhcp-server
add address-pool=guest_dhcp_pool interface=GuestWIFI_VLAN lease-time=2h59m name=guest_dhcp_server
add address-pool=gastrofix_dhcp_pool interface=Gastrofix_VLAN lease-time=23h59m59s name=gastrofix_dhcp_server
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept" disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=eth3_MikrotikAPs
/caps-man provisioning
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" disabled=yes hw-supported-modes=gn master-configuration=cfg-5ghz-guest-ch36 name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" disabled=yes hw-supported-modes=ac master-configuration=cfg-5ghz-guest-ch36 name-format=prefix-identity name-prefix=5GHz-
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" disabled=yes hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch12 name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" disabled=yes hw-supported-modes=ac master-configuration=cfg-2.4-gastrofix-ch6 name-format=prefix-identity name-prefix=5GHz-
add action=create-enabled comment=CAP_Bar hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch6 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch6
add action=create-enabled comment=CAP_Kontor hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch36 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch36
add action=create-enabled comment=CAP_BAR hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch40 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch40
add action=create-enabled comment=CAP_Messanin hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch44 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:9E:DA:B2 slave-configurations=cfg-5ghz-guest-ch44
add action=create-enabled comment=CAP_Chambre hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch48 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch48
add action=create-enabled comment=CAP_Kontor hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch11 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch11
add action=create-enabled comment=CAP_Chambre hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch12 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch12
add action=create-enabled comment=CAP_Messanin hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch13 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:9E:DA:B1 slave-configurations=cfg-2.4-guest-ch13
/interface bridge port
add bridge=BR1 interface=eth3_MikrotikAPs
add bridge=BR1 interface=eth2_kontor
add bridge=BR1 interface=eth4_gastrofix_wired
/interface bridge vlan
add bridge=BR1 tagged=BR1,eth2_kontor vlan-ids=10
add bridge=BR1 tagged=BR1,eth3_MikrotikAPs vlan-ids=20
add bridge=BR1 tagged=BR1,eth3_MikrotikAPs,eth4_gastrofix_wired vlan-ids=30
add bridge=BR1 tagged=BR1,eth2_kontor,eth3_MikrotikAPs,eth4_gastrofix_wired vlan-ids=99
/interface list member
add interface=eth1_WAN list=WAN
add interface=Employee_VLAN list=VLAN
add interface=GuestWIFI_VLAN list=VLAN
add interface=Gastrofix_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=193.90.223.118/24 interface=eth1_WAN network=193.90.223.0
add address=10.0.10.1/24 interface=Employee_VLAN network=10.0.10.0
add address=10.0.10.1/24 interface=GuestWIFI_VLAN network=10.0.10.0
add address=10.0.10.1/24 interface=Gastrofix_VLAN network=10.0.10.0
/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=193.75.75.75,192.168.7.1 gateway=192.168.7.1 netmask=24
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=193.75.75.75,193.75.75.193 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/system note
set show-at-login=no
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 7:39 pm

Hi there.

All cAP are at version 7.14 and can see the manager at l2?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 8:17 pm

cAP is 6.49.10 (stable). RB is 7.14.1. Should I upgrade the cAP?

I see slight cAP traffic in Interfaces -> Interface list.
Not sure where I should look? There is nothing under Wireless -> Radio / Registration table. Everything under CAP Interface is greyed out.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 9:09 pm

Yup, the implementations are incompatible between 6 and 7.
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 9:10 pm

I upgraded RB and cAP ac, both to 7.14.3.
Didn't help :(
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 9:16 pm

Do the cAP have l2 connectivity to the rb? Wired?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 9:20 pm

The cAP is wired to eth3. My laptop is wired to eth2, and running Winbox. Neighbours shows the cAP (and of course the RB).
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 9:21 pm

Is eth3 part of a bridge on which CAPsMAN listens?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 9:31 pm

Yes, shouldn't it? Or am I misunderstanding something?
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 9:38 pm

Totally should. Do you see your cAP's MAC in the bridge host table?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 9:53 pm

I do. Several instances (vlans).
bridge-hosts.png
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 10:13 pm

That's good. Do you see the capsman clients on the RB?
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 10:14 pm

BTW, the datapath has vlans. In my case that was an issue.
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 10:27 pm

Where do I see that? Under CAPsMAN -> Radios? I don't see any there.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 10:31 pm

WiFi -> Remote CAPs
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 10:42 pm

None.
I just discovered there are two almost identical CAPsMAN to enable. One under WiFi and one under Wireless. See image. I tried to disable one and enable the other, and vice versa. No luck.
I know the RB2011 without built-in wireless is missing one of the menu items (I think WiFi).
capsman.png
 
infabo
Forum Veteran
Posts: 751
Joined: Thu Nov 12, 2020 12:07 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 10:45 pm

Read the docs. It should clear things up.

https://help.mikrotik.com/docs/display/ ... ss'package
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 11:02 pm

Can't say it did :(
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 11:09 pm

Can you post the list of packages installed on your rb and cap?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 11:13 pm

RB:
0 wireless 7.14.3 2024-04-17 12:47:58 1688.1KiB
1 routeros 7.14.3 2024-04-17 12:47:58 9.9MiB

cAP:
0 routeros 7.14.3 2024-04-17 12:47:58 11.2MiB
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 11:21 pm

Would help to have the same on both.
Can you install the wireless package on the cap as well?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun Apr 28, 2024 11:38 pm

Now they both have the same packages and versions.
(I do have a setup on another location with 3 cAP ac (6.49) on a RB2011 (7.10.1) which works well with CAPsMAN, but without vlans).
The reason for the change is to have both POS equipment and guest wifi on the same AP separated by vlans. I suspect some vlan / bridge / datapath problem...(?)
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 6:48 am

In my case, I had to select the persistent name assignment, and manually add each wifi interface to the relevant vlan on each device (audience)

Do you see the remote caps on the manager?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 9:52 am

I was hoping to add each cAP Mac address in the interface setup corresponding to where the cAP was located (office, restaurant, etc). But maybe it's easier just doing it manually since it's only 4 cAPs.
It would just be neat to get it working fully capsman wise.

No, I don't see them in the manager.
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 10:58 am

Every instance under "/caps-man interface" is disabled by the way (this was part of my previous config, and I just disabled them instead of deleting them). For example:
add channel=Ch11_20M_24G channel.frequency=2462 configuration=cfg-2.4-gastrofix-ch11 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none name=Gastrofix_2.4GHz-AP_Chambre radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C

Maybe I should have deleted the disabled lines for readability in the forum.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 11:00 am

Alright then. I'm reading on CAPsMAN with the old Wireless driver.

Immediately, I see that in Wireless -> CAPSMAN Interface -> Manager -> Manager Interface, you have the all/Forbid above the eth3_MikrotikAPs. Can you invert that order? If that doesn't work, can you set the "all" to "forbid:no" and check again?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 11:17 am

I tried setting "all" to "no", with no luck. And I can't change the order.
My previous (no vlans, just a pure guest wifi solution) worked with "all yes" and "eth3 no". So I think this feature sets all to no, then opens up eth3 after. So it's the last instance that overrides.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 4:55 pm

Can you post the configuration (minus the sensitive bits) of your RB and one of the cAP?
 
infabo
Forum Veteran
Posts: 751
Joined: Thu Nov 12, 2020 12:07 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 6:36 pm

Can't say it did :(
Here is another help page. It explains which ROS packages you need. https://help.mikrotik.com/docs/display/ROS/Wireless
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 6:57 pm

Can you post the configuration (minus the sensitive bits) of your RB and one of the cAP?
It's in my first post. I'm not with the cAP now, but can provide it in an hour.
But the cAP is just factory reset with CAP mode. No other settings made.
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 7:08 pm

Can't say it did :(
Here is another help page. It explains which ROS packages you need. https://help.mikrotik.com/docs/display/ROS/Wireless
Cool. I'll check. At the moment, I have routeros + wireless on both the RB (RB2011UiAS-2HnD-IN) and cAP (RBcAPGi-5acD2nD). I'm not sure if I need new or legacy drivers (wireless or wifi-qcom-ac)?
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 8:17 pm

Can you post the configuration (minus the sensitive bits) of your RB and one of the cAP?
It's in my first post. I'm not with the cAP now, but can provide it in an hour.
But the cAP is just factory reset with CAP mode. No other settings made.
Works for me, as long as the configuration you posted is still close to the running one. Post the cAP when you have it.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 8:43 pm

My comments on the configuration of the RB.

protocol-mode=none can be problematic as the bridge then floods the unknown multicast packets on all ports - that includes LACP PDU, LLDP, spanning tree et al. I have a ticket open for this setting breaking the LACP bonds attached to a switch. Unless you have a gigantic reason not to use spanning tree, I recommend enabling it.
/interface bridge
   add name=BR1 protocol-mode=none vlan-filtering=yes
Recommended:
/interface bridge
   set [find name=BR1] protocol-mode=rstp
You have set CAPSMAN to listen to an interface, which itself is a member of the switch, consider moving the CAPSMAN to the bridge.
/caps-man manager interface
   set [ find default=yes ] forbid=yes
   add disabled=no interface=eth3_MikrotikAPs
Recommended:
/caps-man manager interface
   add disabled=no interface=BR1
You have three times the same IP address on three different interfaces, which do not match the dhcp server networks defined later.
/ip address
   add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
   add address=193.90.223.118/24 interface=eth1_WAN network=193.90.223.0
   add address=10.0.10.1/24 interface=Employee_VLAN network=10.0.10.0
   add address=10.0.10.1/24 interface=GuestWIFI_VLAN network=10.0.10.0
   add address=10.0.10.1/24 interface=Gastrofix_VLAN network=10.0.10.0
Recommended:
Pick separate subnets. Example:
/ip address
   set [ find interface=GuestWIFI_VLAN ] address=10.0.11.1/24 network=10.0.11.0
   set [ find interface=Gastrofix_VLAN ] address=10.0.12.1/24 network=10.0.12.0
Your firewall is minimalist. My main comment is you are accepting all from the interface list VLAN which includes your guest network, leaving the access to your device fully open from the guest networks.
/ip firewall filter
   add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
Recommended:
Isolate the guest networks into a separate interface list VLAN-LOWTRUST and limit what they can access on the firewall.
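As an added example (not part of vingjfg's post or okw's exports), here is one way to carry the three recommendations above through on the RB2011 in RouterOS CLI syntax. It assumes the subnets okw states later in the thread (192.168.0.0/24 employee, 192.168.88.0/24 guest, 192.168.7.0/24 POS) and the interface names from the posted export; the list names VLAN-TRUSTED and VLAN-LOWTRUST are the suggestion above, not objects that exist yet. Note that `security-guest` in the export has no `authentication-types`, so the guest SSID is open: whatever that VLAN can reach, anyone in radio range can reach, which is why the forward chain below gives it internet only.

```routeros
# Added example, not from the thread. Assumes the subnets okw later confirms and the
# interface names from the RB2011 export; VLAN-TRUSTED / VLAN-LOWTRUST are new lists.

/interface bridge
set [ find name=BR1 ] protocol-mode=rstp

# One distinct gateway per VLAN, matching the gateways in /ip dhcp-server network.
/ip address
set [ find interface=Employee_VLAN ] address=192.168.0.1/24 network=192.168.0.0
set [ find interface=GuestWIFI_VLAN ] address=192.168.88.1/24 network=192.168.88.0
set [ find interface=Gastrofix_VLAN ] address=192.168.7.1/24 network=192.168.7.0

# Split the single VLAN list by trust so the firewall can tell guest/POS from office.
/interface list
add name=VLAN-TRUSTED
add name=VLAN-LOWTRUST
/interface list member
add interface=Employee_VLAN list=VLAN-TRUSTED
add interface=BASE_VLAN list=VLAN-TRUSTED
add interface=GuestWIFI_VLAN list=VLAN-LOWTRUST
add interface=Gastrofix_VLAN list=VLAN-LOWTRUST

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface-list=VLAN-TRUSTED comment="management only from trusted VLANs"
add chain=input action=accept in-interface-list=VLAN-LOWTRUST protocol=udp dst-port=53 comment="guest/POS: DNS"
add chain=input action=accept in-interface-list=VLAN-LOWTRUST protocol=tcp dst-port=53 comment="guest/POS: DNS"
add chain=input action=accept in-interface-list=VLAN-LOWTRUST protocol=udp dst-port=67 comment="guest/POS: DHCP"
add chain=input action=accept in-interface-list=VLAN-LOWTRUST protocol=icmp comment="guest/POS: ping"
add chain=input action=drop comment="drop all other input" log=yes log-prefix=INPUT-DROP
# --- forward: traffic routed through the router ---
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=VLAN-TRUSTED out-interface-list=WAN comment="office: internet"
add chain=forward action=accept in-interface-list=VLAN-LOWTRUST out-interface-list=WAN comment="guest/POS: internet only"
# Nothing above permits guest->POS, POS->guest or guest/POS->office, so this drop isolates them.
add chain=forward action=drop comment="drop everything else, including inter-VLAN" log=yes log-prefix=FWD-DROP
```

The two existing rules "Allow VLAN" (input) and "VLAN Internet Access only" (forward) from the export should be removed before adding these, otherwise the earlier accept-all from the `VLAN` list still matches first. The logged final drops are the quickest way to see what a guest or POS client is trying to reach on the router or the other VLANs.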
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 8:56 pm

It's in my first post. I'm not with the cAP now, but can provide it in an hour.
But the cAP is just factory reset with CAP mode. No other settings made.
Works for me, as long as the configuration you posted is still close to the running one. Post the cAP when you have it.
This is my cAP:
[admin@MikroTik] > export
# 1970-01-02 00:26:05 by RouterOS 7.14.3
# software id = 7ADI-5IA3
#
# model = RBcAPGi-5acD2nD
# serial number = BECD0BB2F884
/interface bridge
add admin-mac=C4:AD:34:9E:E7:74 auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system note
set show-at-login=no
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 9:16 pm

This is my cAP:
OK, that is really minimalist :lol:

So, there is no DHCP server on VLAN1 (interface BR1, 192.168.0.0/24) on your RB. Do you prefer setting a static IP on the cAP or using DHCP? Or did you remove that info from the RB?

Your bridge on the cAP needs VLAN-filtering, and you still need to define the correct VLAN.
/interface bridge
set [find name=bridgeLocal] vlan-filtering=yes

/interface bridge vlan
   add bridge=bridgeLocal tagged=<whatever interface goes to your RB> vlan-ids=10
   add bridge=bridgeLocal tagged=<whatever interface goes to your RB> vlan-ids=20
   add bridge=bridgeLocal tagged=<whatever interface goes to your RB> vlan-ids=30
   add bridge=bridgeLocal tagged=<whatever interface goes to your RB> vlan-ids=99
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 9:18 pm

You have three times the same IP address on three different interfaces, which do not match the dhcp server networks defined later.
/ip address
   add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
   add address=193.90.223.118/24 interface=eth1_WAN network=193.90.223.0
   add address=10.0.10.1/24 interface=Employee_VLAN network=10.0.10.0
   add address=10.0.10.1/24 interface=GuestWIFI_VLAN network=10.0.10.0
   add address=10.0.10.1/24 interface=Gastrofix_VLAN network=10.0.10.0
I don't know what happened in the export/writing here. The three interfaces should indeed be different networks:
add address=192.168.0.1/24 interface=Employee_VLAN network=192.168.0.0
add address=192.168.88.1/24 interface=GuestWIFI_VLAN network=192.168.88.0
add address=192.168.7.1/24 interface=Gastrofix_VLAN network=192.168.7.0
Your firewall is minimalist. My main comment is you are accepting all from the interface list VLAN which includes your guest network, leaving the access to your device fully open from the guest networks.
Again, not sure what happened here. I have a more extensive firewall in place already (but for the current setup: no VLANs, just guest WiFi, no POS on the cAPs):
/ip firewall address-list
add address=192.168.1.0/24 list=AdminAccess
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
add address=10.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/4 list=bogons
add address=198.18.0.0/15 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=100.64.0.0/10 list=bogons
add address=240.0.0.0/4 list=bogons
add address=192.88.99.0/24 list=bogons
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN to DNS-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="acceot local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow all LAN (Office, Guest and POS) Traffic to Internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP ALL Else"
add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP All Else"
/ip firewall nat
add action=src-nat chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface=eth1_WAN to-addresses=193.90.223.118
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" dst-port=53 protocol=udp
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface=eth1_WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=bogons
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 9:22 pm

This is my cAP:
OK, that is really minimalist :lol:

So, there is no DHCP server on VLAN1 (interface BR1, 192.168.0.0/24) on your RB. Do you prefer setting a static IP on the cAP or using DHCP? Or did you remove that info from the RB?

Your bridge on the cAP needs VLAN-filtering, and you still need to define the correct VLAN.
/interface bridge
set [find name=bridgeLocal] vlan-filtering=yes

/interface bridge vlan
   add bridge=bridgeLocal tagged=<whatever interface goes to your RB> vlan-ids=10
   add bridge=bridgeLocal tagged=<whatever interface goes to your RB> vlan-ids=20
   add bridge=bridgeLocal tagged=<whatever interface goes to your RB> vlan-ids=30
   add bridge=bridgeLocal tagged=<whatever interface goes to your RB> vlan-ids=99

Very minimalist :)
I thought CAPsMAN would forward all settings needed from the RB to the cAP with provisioning. Just to set the cAP in CAPs mode, and everything would be administrated locally from the RB. Otherwise, I don't get by without local cAP config.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 9:30 pm

As far as I understand, CAPSMAN does a lot but not everything.

Regarding the interface on the RB - have you added BR1 as listening? I am unsure whether eth3 would work as it is a member of the bridge and not a standalone interface.

Another possibility is to define the DHCP option caps-manager=<capsman-server-ip> in the network that covers your cAP.
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 10:21 pm

Amazing. Now it provisions the cAPs and I have both Guest and POS wifi. Not sure how secure the current setup is.
Care to take a look?
I have just merged the minimalist one you saw with our current firewall, to accommodate the vlans.
(by the way, the protocol-mode=rstp is enabled in winbox, but not exported, so I guess it's the standard config).
# model = RB2011UiAS-2HnD
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G tx-power=20
/interface bridge
add name=BR1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix_wired
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=Router
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=Employee_VLAN vlan-id=10
add interface=BR1 name=Gastrofix_VLAN vlan-id=30
add interface=BR1 name=GuestWIFI_VLAN vlan-id=20
/caps-man datapath
add bridge=BR1 local-forwarding=yes name=datapath-guest vlan-id=20 vlan-mode=use-tag
add bridge=BR1 local-forwarding=yes name=datapath-gastrofix vlan-id=30 vlan-mode=use-tag
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-gastrofix
add name=security-guest
/caps-man configuration
add channel=Ch36_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch36 security=security-guest ssid=Guest_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch6 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch11 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch12 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch13 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch36_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch36 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch40 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch48 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch44 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch6 security=security-guest ssid=Guest_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch11 security=security-guest ssid=Guest_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch12 security=security-guest ssid=Guest_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch13 security=security-guest ssid=Guest_2.4GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch40 security=security-guest ssid=Guest_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch48 security=security-guest ssid=Guest_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch44 security=security-guest ssid=Guest_5GHz
/caps-man interface
add configuration=cfg-2.4-gastrofix-ch6 disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:E7:76 master-interface=none name=2.4GHz--MikroTik-1 radio-mac=C4:AD:34:9E:E7:76 radio-name=C4AD349EE776
add configuration=cfg-2.4-guest-ch6 disabled=no l2mtu=1600 mac-address=C6:AD:34:9E:E7:76 master-interface=2.4GHz--MikroTik-1 name=2.4GHz--MikroTik-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD349EE776
add configuration=cfg-5ghz-gastrofix-ch36 disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:E7:77 master-interface=none name=5GHz--MikroTik-1 radio-mac=C4:AD:34:9E:E7:77 radio-name=C4AD349EE777
add configuration=cfg-5ghz-guest-ch36 disabled=no l2mtu=1600 mac-address=C6:AD:34:9E:E7:77 master-interface=5GHz--MikroTik-1 name=5GHz--MikroTik-1-1 radio-mac=00:00:00:00:00:00 radio-name=C6AD349EE777
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=guest_dhcp_pool ranges=192.168.88.20-192.168.88.250
add name=gastrofix_dhcp_pool ranges=192.168.7.120-192.168.7.254
/ip dhcp-server
add address-pool=guest_dhcp_pool interface=GuestWIFI_VLAN lease-time=2h59m name=guest_dhcp_server
add address-pool=gastrofix_dhcp_pool interface=Gastrofix_VLAN lease-time=23h59m59s name=gastrofix_dhcp_server
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept" disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=BR1
/caps-man provisioning
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" disabled=yes hw-supported-modes=gn master-configuration=cfg-5ghz-guest-ch36 name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" disabled=yes hw-supported-modes=ac master-configuration=cfg-5ghz-guest-ch36 name-format=prefix-identity name-prefix=5GHz-
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" disabled=yes hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch12 name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" disabled=yes hw-supported-modes=ac master-configuration=cfg-2.4-gastrofix-ch6 name-format=prefix-identity name-prefix=5GHz-
add action=create-enabled comment=CAP_Bar hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch6 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch6
add action=create-enabled comment=CAP_Kontor hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch36 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch36
add action=create-enabled comment=CAP_BAR hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch40 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch40
add action=create-enabled comment=CAP_Messanin hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch44 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:9E:DA:B2 slave-configurations=cfg-5ghz-guest-ch44
add action=create-enabled comment=CAP_Chambre hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch48 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch48
add action=create-enabled comment=CAP_Kontor hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch11 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch11
add action=create-enabled comment=CAP_Chambre hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch12 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch12
add action=create-enabled comment=CAP_Messanin hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch13 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:9E:DA:B1 slave-configurations=cfg-2.4-guest-ch13
/interface bridge port
add bridge=BR1 interface=eth3_MikrotikAPs
add bridge=BR1 interface=eth2_kontor
add bridge=BR1 interface=eth4_gastrofix_wired
/interface bridge vlan
add bridge=BR1 tagged=BR1,eth2_kontor vlan-ids=10
add bridge=BR1 tagged=BR1,eth3_MikrotikAPs vlan-ids=20
add bridge=BR1 tagged=BR1,eth3_MikrotikAPs,eth4_gastrofix_wired vlan-ids=30
add bridge=BR1 tagged=BR1,eth2_kontor,eth3_MikrotikAPs,eth4_gastrofix_wired vlan-ids=99
/interface list member
add interface=eth1_WAN list=WAN
add interface=Employee_VLAN list=VLAN
add interface=GuestWIFI_VLAN list=VLAN
add interface=Gastrofix_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=193.90.223.118/24 interface=eth1_WAN network=193.90.223.0
add address=192.168.0.1/24 interface=Employee_VLAN network=192.168.0.0
add address=192.168.88.1/24 interface=GuestWIFI_VLAN network=192.168.88.0
add address=192.168.7.1/24 interface=Gastrofix_VLAN network=192.168.7.0
/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=193.75.75.75,192.168.7.1 gateway=192.168.7.1 netmask=24
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=193.75.75.75,193.75.75.193 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193
/ip firewall address-list
add address=192.168.1.0/24 list=AdminAccess
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
add address=10.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/4 list=bogons
add address=198.18.0.0/15 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=100.64.0.0/10 list=bogons
add address=240.0.0.0/4 list=bogons
add address=192.88.99.0/24 list=bogons
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="Allow VLAN to DNS-TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN to DNS-UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="accept local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow all VLAN (Office, Guest and POS) Traffic to Internet" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP ALL Else"
add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP All Else"
add action=drop chain=forward dst-address=77.66.21.133 in-interface=BR1
add action=drop chain=forward dst-address=77.66.21.133 in-interface=BR1
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=src-nat chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface=eth1_WAN to-addresses=193.90.223.118
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" dst-port=53 protocol=udp
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface=eth1_WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=bogons
/lcd interface pages
set 0 interfaces=sfp1,eth1_WAN,eth2_kontor,eth3_MikrotikAPs,eth4_gastrofix_wired,ether5,ether6,ether7,ether8,ether9,ether10
/system note
set show-at-login=no
/tool romon
set enabled=yes
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 10:23 pm

Yup, having a look in a second.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 10:54 pm

I suspect there are still issues with the export - for example 192.168.0.1 is assigned twice: once to BASE_VLAN, once to Employee_VLAN.

Firewall filter

The first 4 rules mask all the rest for the chain=input. Checking is easy: do you see the counters below the 4th rule incrementing?
/ip firewall filter
   add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
   add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
   add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
   add action=drop chain=input comment=Drop
   add action=accept chain=input comment="accept established,related" connection-state=established,related
   add action=drop chain=input comment="drop invalid" connection-state=invalid
   add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
   add action=accept chain=input comment="Allow VLAN to DNS-TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
   add action=accept chain=input comment="Allow VLAN to DNS-UDP" dst-port=53 in-interface-list=VLAN protocol=udp
   add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
   add action=accept chain=input comment="accept ICMP" protocol=icmp
   add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
   add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="accept local loopback CAPsMAN"
   add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
   add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
The same applies for the chain=forward: the first 3 rules mask all the others.
   add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
   add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
   add action=drop chain=forward comment=Drop
   add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
   add action=accept chain=forward comment="accept established,related" connection-state=established,related
   add action=drop chain=forward comment="drop invalid" connection-state=invalid
   add action=accept chain=forward comment="Allow all VLAN (Office, Guest and POS) Traffic to Internet" connection-state=new in-interface-list=VLAN out-interface-list=WAN
   add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
   add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
   add action=drop chain=forward comment="DROP ALL Else"
   add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
   add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
   add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
   add action=drop chain=forward comment="DROP All Else"
   add action=drop chain=forward dst-address=77.66.21.133 in-interface=BR1
   add action=drop chain=forward dst-address=77.66.21.133 in-interface=BR1
The following NAT rules do not do anything as there is no to-address.
   add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" dst-port=53 protocol=tcp
   add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" dst-port=53 protocol=udp
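The masking vingjfg points out can be checked mechanically instead of by watching counters. The script below is an added example, not from the thread: it parses the add lines of an /ip firewall filter export and flags every rule that an earlier terminal rule in the same chain already decides, either a catch-all (no match conditions) or a rule whose conditions are a subset of the later rule's. The subset test is a structural assumption of the example: it compares condition values literally and does not reason about overlapping address ranges or port lists.

```python
"""Find rules in a RouterOS '/ip firewall filter' export that can never match."""
import shlex
from dataclasses import dataclass, field

# Keys that describe the rule rather than select packets; all others are matchers.
NON_MATCH_KEYS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}
# Actions that end processing of the chain for a matching packet.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}


@dataclass
class Rule:
    index: int                  # 1-based position within its chain
    chain: str
    action: str
    comment: str = ""
    disabled: bool = False
    matchers: dict = field(default_factory=dict)


def parse_filter_export(export: str) -> list[Rule]:
    """Turn the 'add ...' lines of an export into Rule objects, numbered per chain."""
    rules, count = [], {}
    for raw in export.splitlines():
        line = raw.strip()
        if not line.startswith("add "):
            continue                         # section headers, blanks, prose
        kv = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
        chain = kv["chain"]
        count[chain] = count.get(chain, 0) + 1
        rules.append(Rule(index=count[chain], chain=chain,
                          action=kv.get("action", "passthrough"),
                          comment=kv.get("comment", ""),
                          disabled=kv.get("disabled") == "yes",
                          matchers={k: v for k, v in kv.items()
                                    if k not in NON_MATCH_KEYS}))
    return rules


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if 'earlier' is terminal and every condition it has also appears on 'later'."""
    if earlier.disabled or earlier.action not in TERMINAL_ACTIONS:
        return False
    return all(later.matchers.get(k) == v for k, v in earlier.matchers.items())


def find_shadowed(rules: list[Rule]) -> list[tuple[Rule, Rule]]:
    """Return (dead_rule, shadowing_rule) pairs, checking each chain separately."""
    by_chain: dict[str, list[Rule]] = {}
    for r in rules:
        by_chain.setdefault(r.chain, []).append(r)
    findings = []
    for chain_rules in by_chain.values():
        for i, later in enumerate(chain_rules):
            if later.disabled:
                continue
            for earlier in chain_rules[:i]:
                if shadows(earlier, later):
                    findings.append((later, earlier))
                    break                    # first shadowing rule is enough
    return findings


def report(export: str) -> list[str]:
    """One human-readable line per dead rule."""
    return [f"{dead.chain} rule #{dead.index} ({dead.comment!r}) never matches: "
            f"masked by rule #{by.index} ({by.comment!r}, action={by.action})"
            for dead, by in find_shadowed(parse_filter_export(export))]


# Constructed sample: the input chain quoted above plus an excerpt of the forward chain.
SAMPLE_EXPORT = """/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="Allow VLAN to DNS-TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN to DNS-UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="accept local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=drop chain=forward dst-address=77.66.21.133 in-interface=BR1
add action=drop chain=forward dst-address=77.66.21.133 in-interface=BR1
"""

if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

On the sample it reports every input rule after the fourth (and the second "accept established,related" as masked by the first), and in the forward chain the fasttrack rule and both duplicate drops.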
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Mon Apr 29, 2024 11:09 pm

Strange. The export seems to be on the fritz.
There are multiple instances of "add action=drop chain=forward" scattered around.

I usually script when I work with MikroTik, as it's much easier to systematically go through things, make changes, factory reset, run the script and have a bulletproof script in case I need to replace hardware.

Is it good practice to keep chain=input and chain=forward separated, so it's easier to read and maintain? Or are there times you want to have some input and forward rules before others?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Tue Apr 30, 2024 2:22 pm

I've cleaned up the rules now. I am still not sure if they are valid, in the right order, if something is excessive or missing.
Any help would be appreciated.

Gastrofix_VLAN (eth4_gastrofix_wired and gastrofix net of the cAPs) shall see each other, plus internet access.
Employee_VLAN (only wired, eth2_kontor) shall see each other, plus internet access. They should also be the only ones with winbox access to the RB, and neighbour discovery.
Guests shall see nothing else than internet.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G tx-power=20
/interface bridge
add name=BR1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix_wired
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=Router
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=Employee_VLAN vlan-id=10
add interface=BR1 name=Gastrofix_VLAN vlan-id=30
add interface=BR1 name=GuestWIFI_VLAN vlan-id=20
/caps-man datapath
add bridge=BR1 local-forwarding=yes name=datapath-guest vlan-id=20 vlan-mode=use-tag
add bridge=BR1 local-forwarding=yes name=datapath-gastrofix vlan-id=30 vlan-mode=use-tag
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-gastrofix
add name=security-guest
/caps-man configuration
add channel=Ch36_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch36 security=security-guest ssid=Guest_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch6 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch11 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch12 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch13 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch36_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch36 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch40 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch48 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch44 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch6 security=security-guest ssid=Guest_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch11 security=security-guest ssid=Guest_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch12 security=security-guest ssid=Guest_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch13 security=security-guest ssid=Guest_2.4GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch40 security=security-guest ssid=Guest_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch48 security=security-guest ssid=Guest_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch44 security=security-guest ssid=Guest_5GHz
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=guest_dhcp_pool ranges=192.168.88.20-192.168.88.250
add name=gastrofix_dhcp_pool ranges=192.168.7.120-192.168.7.254
/ip dhcp-server
add address-pool=guest_dhcp_pool interface=GuestWIFI_VLAN lease-time=2h59m name=guest_dhcp_server
add address-pool=gastrofix_dhcp_pool interface=Gastrofix_VLAN lease-time=23h59m59s name=gastrofix_dhcp_server
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept" disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=BR1
/caps-man provisioning
add action=create-enabled comment=CAP_Bar hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch6 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch6
add action=create-enabled comment=CAP_Kontor hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch36 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch36
add action=create-enabled comment=CAP_BAR hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch40 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch40
add action=create-enabled comment=CAP_Messanin hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch44 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:9E:DA:B2 slave-configurations=cfg-5ghz-guest-ch44
add action=create-enabled comment=CAP_Chambre hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch48 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch48
add action=create-enabled comment=CAP_Kontor hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch11 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch11
add action=create-enabled comment=CAP_Chambre hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch12 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch12
add action=create-enabled comment=CAP_Messanin hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch13 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:9E:DA:B1 slave-configurations=cfg-2.4-guest-ch13
/interface bridge port
add bridge=BR1 interface=eth3_MikrotikAPs
add bridge=BR1 interface=eth2_kontor
add bridge=BR1 interface=eth4_gastrofix_wired
/interface bridge vlan
add bridge=BR1 tagged=BR1,eth2_kontor vlan-ids=10
add bridge=BR1 tagged=BR1,eth3_MikrotikAPs vlan-ids=20
add bridge=BR1 tagged=BR1,eth3_MikrotikAPs,eth4_gastrofix_wired vlan-ids=30
add bridge=BR1 tagged=BR1,eth2_kontor,eth3_MikrotikAPs,eth4_gastrofix_wired vlan-ids=99
/interface list member
add interface=eth1_WAN list=WAN
add interface=Employee_VLAN list=VLAN
add interface=GuestWIFI_VLAN list=VLAN
add interface=Gastrofix_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=193.90.223.118/24 interface=eth1_WAN network=193.90.223.0
add address=192.168.0.1/24 interface=Employee_VLAN network=192.168.0.0
add address=192.168.88.1/24 interface=GuestWIFI_VLAN network=192.168.88.0
add address=192.168.7.1/24 interface=Gastrofix_VLAN network=192.168.7.0
/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=193.75.75.75,192.168.7.1 gateway=192.168.7.1 netmask=24
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=193.75.75.75,193.75.75.193 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193

/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.1.0/24 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=accept chain=input comment="Allow Access to Router" src-address-list=allowed_to_router
add action=accept chain=input comment="Allow VLAN to DNS-TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN to DNS-UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="accept local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=BR1 log=yes log-prefix=!public_from_LAN out-interface=!BR1
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=eth1_WAN log=yes log-prefix=!NAT
add action=jump chain=forward protocol=icmp jump-target=icmp comment="jump to ICMP filters"
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=eth1_WAN log=yes log-prefix=!public src-address-list=not_in_internet

#not sure about this (we have several nets:
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=BR1 log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24

add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
add action=drop chain=forward dst-address=77.66.21.133 in-interface=BR1
add action=drop chain=forward comment="DROP All Else"
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
add action=src-nat chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface=eth1_WAN to-addresses=193.90.223.118
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" dst-port=53 protocol=tcp in-interface=local to-ports=53
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" dst-port=53 protocol=udp in-interface=local to-ports=53
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface=eth1_WAN

/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=not_in_internet

/lcd interface pages
set 0 interfaces=sfp1,eth1_WAN,eth2_kontor,eth3_MikrotikAPs,eth4_gastrofix_wired,ether5,ether6,ether7,ether8,ether9,ether10
/system note
set show-at-login=no
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Tue Apr 30, 2024 3:23 pm

Hi there.

My comments -

Chain input looks good.

Chain forward:

I think this one has the in-interface wrong:
    add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet\
    in-interface=BR1 log=yes log-prefix=!public_from_LAN out-interface=!BR1
You defined an interface list WAN, but you use the interface itself in this rule - note there is no difference in behaviour, just in formalism.
    add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=eth1_WAN\
    log=yes log-prefix=!public src-address-list=not_in_internet
For this one, consider creating an RFC1918 address list and changing the in-interface to the in-interface-list (VLAN, BASE):
    add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=BR1\
    log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24

The RFC1918 list could be
/ip firewall address-list
    add address=10.0.0.0/8 list=rfc1918
    add address=172.16.0.0/12 list=rfc1918
    add address=192.168.0.0/16 list=rfc1918
Lastly, same issue - BR1 is used as an interface, where you should consider using the interface list VLAN, BASE
    add action=drop chain=forward dst-address=77.66.21.133 in-interface=BR1
The rest looks ok.

BTW, are the wifi networks working fine now?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Tue Apr 30, 2024 5:46 pm

I can specify multiple lists like this?
add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=VLAN,BASE
I don't completely understand this rule.
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=rfc1918 log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
The "not src-address", what does it mean? This is the subnet of the guest wifi. What about the gastrofix (POS equipment) subnet? Or the other subnets?

I haven't deployed it yet. Need to wait for a day with less traffic. I've only tested it with a standalone RB + 1 cAP.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Tue Apr 30, 2024 6:03 pm

No, you can't create an ACL with multiple interface-lists (unfortunately ...), so the solution is to create successive rules
/ip firewall filter
add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=VLAN
add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=BASE
Alternatively, you may create an interface list that includes both lists, and use that list instead.
/interface/list/add name=LOCAL-NETS include=VLAN,BASE

/ip firewall filter
add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=LOCAL-NETS
The rule you mention is the one you had flagged as "not sure about this."
#not sure about this (we have several nets:
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=BR1\
 log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
A better formulation is below, provided that you have created the address list rfc1918. Its role is to drop all traffic coming from a non-private IP on one of the internal networks, which would indicate spoofing or an operational issue/misconfiguration.
/ip firewall filter
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=VLAN\
 log=yes log-prefix=LAN_!LAN src-address-list=!rfc1918
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Tue Apr 30, 2024 6:07 pm

Cool. I'll try the new config after work and see how it goes :)
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Wed May 01, 2024 3:34 pm

I reset config and ran the script. First I could only connect to Guest wifi. With Gastrofix I didn't get an IP.
I removed "netmask=24" from:
/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=8.8.8.8,192.168.7.1 gateway=192.168.7.1 netmask=24
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
And I could connect. But I could also reconnect after I reinstated netmask=24 on both Gastrofix and Guests.
Not sure if my computer remembered and the lease time wasn't up. Any pros or cons to setting netmask this way? It's already in the address.

And I don't have internet on either wifi.
I am doing a dry-run on my home router, so I enabled eth1_WAN as dhcp client, manually changed the IP in one of the firewall rules to my assigned IP.
add action=src-nat chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface-list=WAN to-addresses=192.168.1.146
At the moment I don't see how eth1_WAN has any link to any of the other interfaces. Unless it's this rule?
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
Here is the complete script:
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G tx-power=20
/interface bridge
add name=BR1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix_wired
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=Router
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=Employee_VLAN vlan-id=10
add interface=BR1 name=Gastrofix_VLAN vlan-id=30
add interface=BR1 name=GuestWIFI_VLAN vlan-id=20
/caps-man datapath
add bridge=BR1 local-forwarding=yes name=datapath-guest vlan-id=20 vlan-mode=use-tag
add bridge=BR1 local-forwarding=yes name=datapath-gastrofix vlan-id=30 vlan-mode=use-tag
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-gastrofix
add authentication-types=wpa2-psk encryption=aes-ccm name=security-guest
/caps-man configuration
add channel=Ch36_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch36 security=security-guest ssid=Guest_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch6 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch11 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch12 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch13 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch36_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch36 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch40 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch48 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch44 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch6 security=security-guest ssid=Guest_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch11 security=security-guest ssid=Guest_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch12 security=security-guest ssid=Guest_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch13 security=security-guest ssid=Guest_2.4GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch40 security=security-guest ssid=Guest_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch48 security=security-guest ssid=Guest_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch44 security=security-guest ssid=Guest_5GHz
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=guest_dhcp_pool ranges=192.168.88.20-192.168.88.250
add name=gastrofix_dhcp_pool ranges=192.168.7.120-192.168.7.254
/ip dhcp-server
add address-pool=guest_dhcp_pool interface=GuestWIFI_VLAN lease-time=2h59m name=guest_dhcp_server
add address-pool=gastrofix_dhcp_pool interface=Gastrofix_VLAN lease-time=23h59m59s name=gastrofix_dhcp_server
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept" disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=BR1
/caps-man provisioning
add action=create-enabled comment=CAP_Bar hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch6 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch6
add action=create-enabled comment=CAP_Kontor hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch36 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch36
add action=create-enabled comment=CAP_BAR hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch40 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch40
add action=create-enabled comment=CAP_Messanin hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch44 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:9E:DA:B2 slave-configurations=cfg-5ghz-guest-ch44
add action=create-enabled comment=CAP_Chambre hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch48 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch48
add action=create-enabled comment=CAP_Kontor hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch11 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch11
add action=create-enabled comment=CAP_Chambre hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch12 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch12
add action=create-enabled comment=CAP_Messanin hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch13 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:9E:DA:B1 slave-configurations=cfg-2.4-guest-ch13
/interface bridge port
add bridge=BR1 interface=eth3_MikrotikAPs
add bridge=BR1 interface=eth2_kontor
add bridge=BR1 interface=eth4_gastrofix_wired
/interface bridge vlan
add bridge=BR1 tagged=BR1,eth2_kontor vlan-ids=10
add bridge=BR1 tagged=BR1,eth3_MikrotikAPs vlan-ids=20
add bridge=BR1 tagged=BR1,eth3_MikrotikAPs,eth4_gastrofix_wired vlan-ids=30
add bridge=BR1 tagged=BR1,eth2_kontor,eth3_MikrotikAPs,eth4_gastrofix_wired vlan-ids=99
/interface list member
add interface=eth1_WAN list=WAN
add interface=Employee_VLAN list=VLAN
add interface=GuestWIFI_VLAN list=VLAN
add interface=Gastrofix_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
#moved employee VLAN to x.x.10.x as 1 is my home router.
add address=192.168.10.1/24 interface=Employee_VLAN network=192.168.10.0
add address=192.168.88.1/24 interface=GuestWIFI_VLAN network=192.168.88.0
add address=192.168.7.1/24 interface=Gastrofix_VLAN network=192.168.7.0
/ip dhcp-client
add interface=eth1_WAN
/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=8.8.8.8,192.168.7.1 gateway=192.168.7.1
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.1.0/24 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=10.0.0.0/8 list=rfc1918
add address=172.16.0.0/12 list=rfc1918
add address=192.168.0.0/16 list=rfc1918
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=accept chain=input comment="Allow Access to Router" src-address-list=allowed_to_router
add action=accept chain=input comment="Allow VLAN to DNS-TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN to DNS-UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="accept local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=VLAN log=yes log-prefix=LAN_!LAN src-address-list=!rfc1918
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=VLAN
add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=BASE
add action=drop chain=forward comment="DROP All Else"
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
#this is the DHCP assigned IP from my home router, 192.168.1.146.
add action=src-nat chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface-list=WAN to-addresses=192.168.1.146
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=not_in_internet
/system note
set show-at-login=no
/tool romon
set enabled=yes
[admin@MikroTik] > 
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Wed May 01, 2024 4:28 pm

For DHCP, I have netmask=24 on each network. It should not matter: the default (netmask=0) uses the netmask from the IP address.

Yup, eth1_WAN is a member of the interface list WAN.

Your srcnat rule is incorrect - it means "anything going through and exiting through WAN should be natted behind 192.168.1.146"

The correct rule was already in the configuration:
/ip firewall nat
   add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
And there is already a firewall rule that should accept the connections.

Do you have an IP on eth1_WAN? And a default route?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Wed May 01, 2024 5:11 pm

Your srcnat rule is incorrect - it means "anything going through and exiting through WAN should be natted behind 192.168.1.146"
So I should just delete it?
Do you have an IP on eth1_WAN? And a default route?
Yes, the home router assigned 192.168.1.146 to the RB.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Wed May 01, 2024 5:16 pm

Do you have an IP on eth1_WAN? And a default route?
Yes, the home router assigned 192.168.1.146 to the RB.
Ahhh okay! The masquerade rule should still work though. On the RB, do you see any rule counter increasing? Any NAT counter increasing?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Wed May 01, 2024 6:03 pm

13 packets:
/ip firewall filter add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
5 packets:
/ip firewall nat add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
8108 packets:
/ip firewall raw add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=not_in_internet
So I guess I know the answer ;)
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
So for now, my home router should be on a different net than 192.168.0.0.

Should I remove this?
add action=src-nat chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface-list=WAN to-addresses=192.168.1.146
If left in, we have static IP, so I'll update once I'm on site.
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface-list=WAN
This one is disabled by default, is it standard config and not needed?

In the current (previous) config, which has been running for years now, we route like this:
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=ISP-IP
This is not needed now?

And there were two rules with the wrong interface (local):
/ip firewall nat
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" dst-port=53 protocol=tcp in-interface=local to-ports=53
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" dst-port=53 protocol=udp in-interface=local to-ports=53
Which interface should this be?
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Wed May 01, 2024 6:10 pm

Yeah. It didn't register with me, but this rule is rather wrong:
/ip firewall raw
   add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=not_in_internet
It will drop all traffic with private IP coming from the internal networks, where the intent is to drop that on the WAN side.

Edit it to:
/ip firewall raw
   add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=not_in_internet in-interface-list=WAN
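The two rules this thread corrects, the raw drop that needed in-interface-list=WAN and the "!rfc1918" LAN anti-spoofing rule from the earlier reply, modelled in Python as an added example (not RouterOS code and not from the thread). It reimplements first-match evaluation with address-list (CIDR and first-last range) and interface-list matching, using the thread's own lists, and runs the before/after rules over constructed sample packets.

```python
"""Minimal model of the RouterOS matching discussed in this thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address lists copied from the RB export posted above.
ADDRESS_LISTS = {
    "not_in_internet": [
        "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4", "198.18.0.0/15",
        "192.0.0.0/24", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
        "100.64.0.0/10", "240.0.0.0/4", "192.88.99.0/24",
    ],
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "allowed_to_router": ["192.168.88.2-192.168.88.254", "192.168.1.0/24"],
}

# Interface lists from the export (members only, as configured on the RB).
INTERFACE_LISTS = {
    "WAN": {"eth1_WAN"},
    "VLAN": {"Employee_VLAN", "GuestWIFI_VLAN", "Gastrofix_VLAN"},
    "BASE": {"BASE_VLAN"},
}


def in_address_list(ip: str, list_name: str) -> bool:
    """True if ip falls inside any entry of the list (CIDR or first-last range)."""
    addr = ipaddress.ip_address(ip)
    for entry in ADDRESS_LISTS[list_name]:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p) for p in entry.split("-"))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


@dataclass(frozen=True)
class Packet:
    src: str
    in_interface: str


@dataclass(frozen=True)
class Rule:
    action: str                              # "accept" or "drop"
    src_address_list: Optional[str] = None   # "!name" negates, as in RouterOS
    in_interface_list: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.in_interface_list is not None:
            if pkt.in_interface not in INTERFACE_LISTS[self.in_interface_list]:
                return False
        if self.src_address_list is not None:
            negate = self.src_address_list.startswith("!")
            hit = in_address_list(pkt.src, self.src_address_list.lstrip("!"))
            if hit == negate:   # plain list needs a hit, "!list" needs a miss
                return False
        return True


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides; with no match RouterOS accepts the packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "accept"


# The raw rule as originally posted: no interface match, so it drops every
# packet with a private source, including all LAN traffic (the 8108 packets).
RAW_BEFORE = [Rule("drop", src_address_list="not_in_internet")]

# The corrected rule from the reply: only packets arriving on the WAN list.
RAW_AFTER = [Rule("drop", src_address_list="not_in_internet",
                  in_interface_list="WAN")]

# LAN anti-spoofing: a packet entering on a VLAN must carry an RFC 1918
# source; "!rfc1918" matches sources that are NOT in the list.
LAN_ANTISPOOF = [Rule("drop", src_address_list="!rfc1918",
                      in_interface_list="VLAN")]


def verdicts(rules, packets):
    """Map (src, in_interface) to the verdict of the given rule chain."""
    return {(p.src, p.in_interface): evaluate(rules, p) for p in packets}


if __name__ == "__main__":
    # Constructed sample traffic: guest client, office PC, spoofed source on
    # the POS VLAN, a private source from the WAN side, a public one from WAN.
    samples = [
        Packet("192.168.88.50", "GuestWIFI_VLAN"),
        Packet("192.168.10.7", "Employee_VLAN"),
        Packet("203.0.113.7", "Gastrofix_VLAN"),
        Packet("10.1.2.3", "eth1_WAN"),
        Packet("8.8.8.8", "eth1_WAN"),
    ]
    for name, rules in (("raw before", RAW_BEFORE), ("raw after", RAW_AFTER),
                        ("LAN anti-spoof", LAN_ANTISPOOF)):
        print(name, verdicts(rules, samples))
```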
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Wed May 01, 2024 6:49 pm

Thanks :) It worked :)

I RoMon'ed into the cAP, but locally it doesn't have internet (for package updates, ntp poll, etc).
What's the trick here?
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Wed May 01, 2024 6:58 pm

You need to allow BASE to access the Internet as well, add something like
 
/ip firewall filter 
  add action=accept chain=forward comment="BASE Internet Access only" connection-state=new in-interface-list=BASE out-interface-list=WAN
After this one
   add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Wed May 01, 2024 7:22 pm

It didn't work.
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Wed May 01, 2024 7:30 pm

Config has no dhcp on base. Did you set a static IP, gateway and dns?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Wed May 01, 2024 7:36 pm

I did that on the cAP, but maybe I have to do that on the RB?
How do I set that on a vlan?
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Wed May 01, 2024 8:01 pm

You assign the ip to the vlan interface.

Can you post the cAP's config?
 
okw
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Wed May 01, 2024 8:13 pm

Oh yes, that's done already. BASE_VLAN is 192.168.0.1.

cAP:
# 2024-05-01 13:55:08 by RouterOS 7.14.3
# software id = 7ADI-5IA3
#
# model = RBcAPGi-5acD2nD
# serial number = BECD0BB2F884
/interface bridge
add admin-mac=C4:AD:34:9E:E7:74 auto-mac=no comment=defconf name=bridgeLocal vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2437/20/gn(8dBm), SSID: Gastrofix_2.4GHz, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20/ac/P(17dBm), SSID: Gastrofix_5GHz, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 vlan-ids=10
add bridge=bridgeLocal tagged=ether1 vlan-ids=20
add bridge=bridgeLocal tagged=ether1 vlan-ids=30
add bridge=bridgeLocal tagged=ether1 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system identity
set name=cAP
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=79.160.13.250
add address=162.159.200.1
/tool romon
set enabled=yes
 
User avatar
vingjfg
Member
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Wed May 01, 2024 8:32 pm

OK, slight change of plans: you are using the native VLAN on the RB and cAP for the management. Let's keep it that way.

On the RB, let's assign an IP to the BR1 interface, add it to the BASE list and create a DHCP server.
/ip address 
add interface=BR1 address=192.168.64.1/24

/ip pool
add name=pool_ap_mgmt ranges=192.168.64.5-192.168.64.254

/ip dhcp-server network
add address=192.168.64.0/24 comment="DHCP for Access-points" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.64.1

/ip dhcp-server
add address-pool=pool_ap_mgmt interface=BR1 lease-time=1h name=dhcp_srv_ap_mgmt

/interface list member
add interface=BR1 list=BASE
 
okw
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Wed May 01, 2024 8:49 pm

Amazing :) Thanks. It worked.

Earlier today, sometimes I wasn't assigned an IP (on several laptops). What could be the reason for that? Where do I look for hints?
It's happened on Guest and Gastrofix, and on both 2.4 and 5GHz. And it seems not very consistent. I can disconnect, and reconnect, and it works again.
 
User avatar
vingjfg
Member
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Wed May 01, 2024 9:05 pm

Can you send the output of
 /interface bridge host print
 
 
okw
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Wed May 01, 2024 9:08 pm

Flags: D - DYNAMIC; L - LOCAL
Columns: MAC-ADDRESS, VID, ON-INTERFACE, BRIDGE
#    MAC-ADDRESS        VID  ON-INTERFACE      BRIDGE
0 DL 64:D1:54:46:70:CE       BR1               BR1   
1 DL 64:D1:54:46:70:CE    1  BR1               BR1   
2 D  C4:AD:34:9E:E7:74    1  eth3_MikrotikAPs  BR1   
3 DL 64:D1:54:46:70:CE   10  BR1               BR1   
4 DL 64:D1:54:46:70:CE   20  BR1               BR1   
5 DL 64:D1:54:46:70:CE   30  BR1               BR1   
6 D  98:5A:EB:8C:6A:80   30  eth3_MikrotikAPs  BR1   
7 DL 64:D1:54:46:70:CE   99  BR1               BR1  
 
User avatar
vingjfg
Member
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Wed May 01, 2024 9:35 pm

Do you have a machine on the wifi?
 
okw
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Wed May 01, 2024 9:38 pm

I am Winboxed in with my Macbook and a HP. Both over wifi.
 
User avatar
vingjfg
Member
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Wed May 01, 2024 10:00 pm

Do you see your Mac in the host list?
 
okw
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Wed May 01, 2024 10:46 pm

Yes, the Mac is 98:5A:EB:8C:6A:80 and HP is D4:25:8B:5C:11:56.

Refreshed:
Flags: D - DYNAMIC; L - LOCAL
Columns: MAC-ADDRESS, VID, ON-INTERFACE, BRIDGE
#    MAC-ADDRESS        VID  ON-INTERFACE      BRIDGE
0 DL 64:D1:54:46:70:CE       BR1               BR1   
1 DL 64:D1:54:46:70:CE    1  BR1               BR1   
2 D  C4:AD:34:9E:E7:74    1  eth3_MikrotikAPs  BR1   
3 DL 64:D1:54:46:70:CE   10  BR1               BR1   
4 DL 64:D1:54:46:70:CE   20  BR1               BR1   
5 DL 64:D1:54:46:70:CE   30  BR1               BR1   
6 D  72:CB:4E:C5:D6:4A   30  eth3_MikrotikAPs  BR1   
7 D  98:5A:EB:8C:6A:80   30  eth3_MikrotikAPs  BR1   
8 D  D4:25:8B:5C:11:56   30  eth3_MikrotikAPs  BR1   
9 DL 64:D1:54:46:70:CE   99  BR1               BR1   
 
User avatar
vingjfg
Member
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Thu May 02, 2024 8:47 pm

For the DHCP issue, that's a good question, no idea really where it can be as it seems intermittent. I would start by checking on which AP the laptop(s) connect, make sure they get a correct registration entry in the CAPSMAN, that their MAC is present on the switch and everything.
 
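The "is their MAC present on the switch" check from the reply above, done mechanically. This is an added example, not code from the thread or from MikroTik: it parses the text that `/interface bridge host print` emits (the table okw pasted is reused as constructed sample input) and reports, for each client MAC, whether the RB learned it at all and whether it sits in the VLAN you expect; `expected_vid=30` is an assumption taken from okw's rows, and the helper names are made up here.

```python
"""Added example, not from the thread: parse what '/interface bridge host
print' emits and report, per client MAC, whether the RB has learned it and
in which VLAN. HOST_TABLE is constructed from the rows okw posted."""
import re
HOST_TABLE = """\
Flags: D - DYNAMIC; L - LOCAL
Columns: MAC-ADDRESS, VID, ON-INTERFACE, BRIDGE
#    MAC-ADDRESS        VID  ON-INTERFACE      BRIDGE
0 DL 64:D1:54:46:70:CE       BR1               BR1
2 D  C4:AD:34:9E:E7:74    1  eth3_MikrotikAPs  BR1
7 D  98:5A:EB:8C:6A:80   30  eth3_MikrotikAPs  BR1
"""
MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)

def parse_host_table(text):
    # One (mac, flags, vid, interface) tuple per data row; vid is None when
    # the VID column is empty (the bridge's own untagged entry).
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue                       # Flags/Columns/header lines
        parts = parts[1:]                  # drop the row index
        flags = ""
        if not MAC_RE.match(parts[0]):     # flags column is optional
            flags, parts = parts[0], parts[1:]
        mac, rest = parts[0].upper(), parts[1:]
        vid = None
        if rest[0].isdigit():              # VID column is optional too
            vid, rest = int(rest[0]), rest[1:]
        rows.append((mac, flags, vid, rest[0]))
    return rows

def locate_clients(text, client_macs, expected_vid):
    # 'ok', 'missing' or 'vlan-mismatch:<vids>' per client MAC; L (local)
    # entries are the bridge's own MAC and are skipped.
    learned = {}
    for mac, flags, vid, _iface in parse_host_table(text):
        if "L" not in flags:
            learned.setdefault(mac, set()).add(vid)
    report = {}
    for mac in (m.upper() for m in client_macs):
        vids = learned.get(mac)
        if not vids:   # never reached the bridge: check the CAPsMAN registration and the AP uplink
            report[mac] = "missing"
        elif vids != {expected_vid}:
            report[mac] = "vlan-mismatch:" + ",".join(map(str, sorted(vids, key=str)))
        else:
            report[mac] = "ok"
    return report
```

Paste the live table into `HOST_TABLE` (or read it from a file) and run `locate_clients` against the laptops' MACs right after a failed DHCP attempt; a "missing" result points at the AP or its uplink, a "vlan-mismatch" at the tagging between cAP and RB.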
okw
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun May 12, 2024 2:10 pm

Thanks, I'll try once I have deployed (need to find a day with low traffic in the restaurant).

I just remembered something. Previously I separated the cAPs (which were only used for guest wifi) onto a dedicated switch, which was connected to the RB eth3. POS equipment (both wired and UniFi APs) was on another switch connected to RB eth4. This was to isolate POS equipment from guest wifi.

Now, with the current vlan config you helped me with, can I connect both cAPs (no more UniFi AP) and wired POS equipment on the same unmanaged switch, and get rid of eth4 config? And the guest portion of cAPs won't see any of the POS equipment?
 
User avatar
vingjfg
Member
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun May 12, 2024 3:53 pm

I would be very careful mixing VLAN and unmanaged switches, as there is a chance that you'll crash the device; the worst case would be that the crashes occur with large packets, that is, seemingly randomly.

If you can, ask for a small budget and get a few manageable switches to replace the unmanaged devices, that will save you a lot of headaches.
 
okw
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun May 12, 2024 6:46 pm

I already have a DGS-1210-48p. Will this be an ok choice?
And do I need to set it up in any particular way? I guess put it on the management net (ip 192.168.64.2 / subnet 255.0.0.0 / gateway 192.168.64.1)?
I enable VLAN and Management VLAN and leave all ports untagged? Or do I go through each port and add 10, 20, 30 and/or 99, based on the expected traffic on each port?
Do I enable SNMP?
 
User avatar
vingjfg
Member
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Help with CAPsMAN

Sun May 12, 2024 8:10 pm

Should be fine. Create the vlan and add the ip to your management vlan.

Port config should be trunks to the network devices and access in whatever vlan for the rest.
 
okw
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu May 24, 2018 7:05 pm

Re: Help with CAPsMAN

Sun May 12, 2024 10:53 pm

I'm not completely confident in vlans.

I will link DGS1210 port 1 to RB eth3.
I select trunked for this port and include all vlans (10,20,30,99), right?
Same with ports connected to cAPs, trunked and vlans 20,30,99?

And access for computers, POS printers etc.?
