I need help with a configuration.
I have two interfaces, Ether-69 (ip range 192.168.109.0/24) and Ether-70 (ip range 192.168.110.0/23).
The 69 is for the CAPs and the 70 for the wifi clients.
In the network 70 I also have connected my gateway (192.168.111.254) (cisco device that gives me Internet access).
The idea is to deploy a CHR device (with IPs 192.168.109.253 on ether-69 and 192.168.111.253 on ether-70).
The CAP devices are configured and connected, and CAPsMAN manages to register them.
My problem is this: if I connect a computer by Ethernet to the CAPs network, it gets an IP via DHCP, can browse, and can reach both 192.168.111.253 (CHR) and 192.168.111.254 (GW). However, if I connect the computer via Wi-Fi, it gets an IP in the 192.168.111.0/23 range and can ping the CHR, but it CANNOT ping the GW (192.168.111.254). Note that the GW is reachable from equipment connected via Ethernet, but not from equipment connected via Wi-Fi.
What am I doing wrong?
Thanks in advance
P.S. Config:
# jan/29/2019 09:55:58 by RouterOS 6.43.8
# software id =
#
#
#
# Bridge for the Wi-Fi client network (192.168.110.0/23). The CAPsMAN datapath
# below and the physical port ether_070 are both attached to it.
# NOTE(review): arp=local-proxy-arp makes the router answer ARP requests for
# other hosts on this same bridge with its own MAC address, so traffic between
# a Wi-Fi client and the gateway 192.168.111.254 is pulled through the router
# instead of being switched directly. Unless client-to-client isolation is the
# goal, arp=enabled is the usual setting -- confirm the intent.
/interface bridge
add arp=local-proxy-arp name=bri-VL070
# Rename the physical ports after the networks they serve:
# ether2 -> ether_069 (CAP management), ether1 -> ether_070 (Wi-Fi clients / GW).
/interface ethernet
set [ find default-name=ether2 ] disable-running-check=no name=ether_069
set [ find default-name=ether1 ] disable-running-check=no name=ether_070
# Datapath that places wireless client traffic on bri-VL070.
/caps-man datapath
add bridge=bri-VL070 name=dp-VL70
# Master CAPsMAN configurations, one per band: Cfg_2G (SSID AG2) and Cfg_5G
# (SSID AG5). Both use datapath dp-VL70 with local forwarding turned off.
# NOTE(review): the export prints security.passphrase in clear text. If
# secret123 is the real key rather than a redacted sample, change it now that
# it has been posted, and use "/export hide-sensitive" for configs to be shared.
# NOTE(review): authentication-types lists wpa-psk as well as wpa2-psk, so
# legacy WPA clients are admitted; keep only wpa2-psk unless such clients must
# be supported. Both SSIDs share the same passphrase.
/caps-man configuration
add country=spain datapath=dp-VL70 datapath.local-forwarding=no mode=ap name=\
Cfg_2G security.authentication-types=wpa-psk,wpa2-psk security.passphrase=\
secret123 ssid=AG2
add country=spain datapath=dp-VL70 datapath.local-forwarding=no mode=ap name=\
Cfg_5G security.authentication-types=wpa-psk,wpa2-psk security.passphrase=\
secret123 ssid=AG5
# Security profile named "abierta" with no authentication types or passphrase
# set; no configuration in this export references it.
# NOTE(review): presumably an open (unencrypted) profile -- remove it if it is
# unused so it cannot be assigned by mistake.
/caps-man security
add name=abierta
# Interface list used further down to limit neighbor discovery.
/interface list
add name=discovery
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools: pool_HS for the CAP network (192.168.109.0/24) and
# pool_AG_MOBILE for the Wi-Fi client network (192.168.110.0/23).
# Both pools stop at .250, leaving the router (.253) and gateway (.254)
# addresses outside the dynamic range.
/ip pool
add name=pool_HS ranges=192.168.109.1-192.168.109.250
add name=pool_AG_MOBILE ranges=192.168.110.1-192.168.111.250
# One DHCP server per network, each with a 1 hour lease: dhcp_HS on ether_069,
# dhcp_AG_MOBILE on the bridge bri-VL070.
/ip dhcp-server
add address-pool=pool_HS disabled=no interface=ether_069 lease-time=1h name=\
dhcp_HS
add address-pool=pool_AG_MOBILE disabled=no interface=bri-VL070 lease-time=1h \
name=dhcp_AG_MOBILE
# Enable the CAPsMAN manager; upgrade packages are taken from /disk1/repositorio
# with the suggest-same-version policy.
# NOTE(review): no certificate, ca-certificate or require-peer-certificate
# setting appears in this export, so presumably they are at their defaults and
# CAPs are not authenticated by certificate. If untrusted devices can be plugged
# into the ether_069 segment, enable certificate checks so that only known CAPs
# can join and receive the wireless configuration -- confirm.
/caps-man manager
set enabled=yes package-path=/disk1/repositorio upgrade-policy=\
suggest-same-version
# Forbid CAP connections on every interface by default and allow them only on
# ether_069, so the manager is not reachable from the Wi-Fi client side.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether_069
# Provisioning: radios supporting gn get Cfg_2G, radios supporting ac get
# Cfg_5G. Interfaces are created dynamically and enabled, named with the
# prefix 2G- or 5G- followed by the CAP identity.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
Cfg_2G name-format=prefix-identity name-prefix=2G-
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
Cfg_5G name-format=prefix-identity name-prefix=5G-
# Attach the physical port ether_070 to the Wi-Fi client bridge, so wireless
# clients and the gateway on that port share one layer-2 segment.
/interface bridge port
add bridge=bri-VL070 interface=ether_070
# Limit neighbor discovery to the "discovery" list, whose only member is
# ether_069; the router is therefore not announced on the Wi-Fi client side.
/ip neighbor discovery-settings
set discover-interface-list=discovery
/interface list member
add interface=ether_069 list=discovery
# Router addresses: .253 on the CAP network and .253 on the Wi-Fi client /23.
/ip address
add address=192.168.109.253/24 interface=ether_069 network=192.168.109.0
add address=192.168.111.253/23 interface=bri-VL070 network=192.168.110.0
# DHCP options per network.
# 192.168.109.0/24: clients are told the CAPsMAN address (this router, .253)
# and use it for DNS, but their gateway is 192.168.109.254, which is not an
# address configured on this router.
# 192.168.110.0/23: clients use this router (192.168.111.253) as gateway, while
# the Internet gateway 192.168.111.254 sits in the same subnet; routed traffic
# therefore enters and leaves the router on the same bridge.
/ip dhcp-server network
add address=192.168.109.0/24 caps-manager=192.168.109.253 dns-server=\
192.168.109.253 domain=hsmkt.gijon.local gateway=192.168.109.254 \
ntp-server=192.168.31.11
add address=192.168.110.0/23 dns-server=192.168.111.253,192.168.31.11 domain=\
ag-mobile.gijon.local gateway=192.168.111.253 ntp-server=192.168.31.11
# The router resolves DNS for clients, forwarding to 8.8.8.8.
# NOTE(review): allow-remote-requests=yes answers queries from any host that
# can reach the router. Every firewall filter rule in this export is disabled,
# so nothing restricts who may use the resolver; add an input rule that limits
# DNS (UDP and TCP port 53) to the local networks.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# Address lists: WIFI_LANS is the Wi-Fi client network, SEGURAS the CAP
# management network.
/ip firewall address-list
add address=192.168.110.0/23 list=WIFI_LANS
add address=192.168.109.0/24 list=SEGURAS
# NOTE(review): every filter rule below carries disabled=yes, so the router is
# currently filtering nothing in either the input or the forward chain. Even
# when enabled, neither chain ends in a drop rule, so unmatched traffic would
# still be accepted.
/ip firewall filter
add action=accept chain=input disabled=yes dst-address=127.0.0.1 log-prefix=\
INSIDE- src-address=127.0.0.1
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes log-prefix=AC-
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
# NOTE(review): the two WIFI->SEC rules sit in chain=input, which only sees
# packets addressed to the router itself. With dst-address-list=SEGURAS they
# would protect the router address 192.168.109.253 only; Wi-Fi traffic routed
# to other hosts in 192.168.109.0/24 passes through chain=forward and is not
# matched. If the goal is to keep Wi-Fi clients out of the management network,
# the drop belongs in the forward chain as well.
add action=drop chain=input comment=WIFI->INTERNAS disabled=yes \
dst-address-list=SEGURAS log=yes log-prefix=WIFI->SEC: protocol=tcp \
src-address-list=WIFI_LANS
add action=drop chain=input disabled=yes dst-address-list=SEGURAS log=yes \
log-prefix=WIFI->SEC: protocol=icmp src-address-list=WIFI_LANS
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
# Forward-chain rules carrying the default-configuration comments, all disabled.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
# Default route via the Internet gateway on the Wi-Fi client subnet.
/ip route
add distance=1 gateway=192.168.111.254
# Management services: telnet and www are disabled; the others accept
# connections only from 192.168.109.0/24 (ssh and winbox also from 10.9.9.0/24,
# a network not otherwise defined in this export).
# NOTE(review): with every firewall filter rule disabled, these address=
# restrictions are the only control on management access. ftp and api are
# unencrypted and still enabled; disable them if unused, or keep only api-ssl.
/ip service
set telnet disabled=yes
set ftp address=192.168.109.0/24
set www disabled=yes
set ssh address=192.168.109.0/24,10.9.9.0/24
set api address=192.168.109.0/24
set winbox address=192.168.109.0/24,10.9.9.0/24
set api-ssl address=192.168.109.0/24
# Basic system settings: time zone, router identity and NTP client.
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=CAPSMANAGER
# The router itself syncs to 150.214.94.5, while DHCP clients are handed
# 192.168.31.11 as their NTP server.
/system ntp client
set enabled=yes primary-ntp=150.214.94.5