However, the CAPs themselves don't have that luxury. All traffic, whether tagged with VLAN 66 or untagged, can reach the router itself, configure it, etc., because right now the CAPs have zero firewall rules.
I have, however, restricted access to WinBox, the API and all other services on the router to IPs in the 192.168.1.0/24 subnet. Clients in the public Wi-Fi (VLAN ID 66) get assigned addresses outside that range. Of course, nothing stops someone from assigning themselves a 192.168.1.0/24 IP, so it's certainly not ideal.
I have also been looking into separating the two virtual networks within the router, with limited success. I also looked at whether I could set up firewall rules that take the VLAN ID into account, but didn't get very far either. What's the best course of action here?
I am considering changing the CAPs from local forwarding to CAPsMAN forwarding. That should take care of this issue, right? At least for the Wi-Fi.
CAPsMAN
# oct/12/2021 21:25:12 by RouterOS 7.1rc4
# software id = 2QED-STSN
#
# model = RBD25G-5HPacQD2HPnD
#
# Review notes (comments only; the exported commands are unchanged):
# - lan-bridge is created without vlan-filtering=yes. Without bridge VLAN
#   filtering, frames tagged VLAN 66 by the "FFF" datapaths below are handled
#   like any other bridged frame and can reach the bridge's own (CPU) port,
#   i.e. the router's management plane. Enabling vlan-filtering on the bridge
#   and keeping the bridge itself a member of the management VLAN only is the
#   usual way to keep the guest VLAN off the CPU port. The same applies to
#   bridgeLocal on the CAPs.
/caps-man channel add band=2ghz-g/n extension-channel=disabled frequency=2412 name="2.4 Channel 01" save-selected=yes tx-power=12
/caps-man channel add band=5ghz-a/n/ac extension-channel=XXXX name="5.0 Auto" save-selected=yes
/caps-man channel add band=2ghz-g/n extension-channel=disabled frequency=2437 name="2.4 Channel 06" save-selected=yes tx-power=12
/caps-man channel add band=2ghz-g/n extension-channel=disabled frequency=2462 name="2.4 Channel 11" save-selected=yes tx-power=12
/caps-man channel add band=5ghz-a/n/ac extension-channel=XXXX frequency=5150,5350 name="5.0 100mW" save-selected=yes tx-power=14
/caps-man channel add band=5ghz-a/n/ac extension-channel=XXXX frequency=5470,5725 name="5.0 1000mW" save-selected=yes tx-power=24
# no vlan-filtering=yes here: tagged (VLAN 66) and untagged frames are treated alike on this bridge
/interface bridge add comment=defconf name=lan-bridge
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(8dBm), SSID: Mittelerde, local forwarding
set [ find default-name=wlan1 ] country=germany disabled=no ssid=MikroTik
/interface wireless
# managed by CAPsMAN
# channel: 5200/20-eCee/ac/P(18dBm), SSID: Mittelerde, local forwarding
set [ find default-name=wlan2 ] country=germany disabled=no ssid=MikroTik
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1
# "open" carries no authentication or encryption; it is used by the freifunk SSIDs below
/caps-man security add name=open
/caps-man security add authentication-types=wpa2-psk encryption=aes-ccm name=wip
/caps-man security add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=mittelerde
/caps-man configuration add channel="2.4 Channel 01" comment=defconf country=germany datapath.client-to-client-forwarding=yes .local-forwarding=yes distance=indoors installation=indoor name=cfg-2ghz security=mittelerde ssid=Mittelerde
/caps-man configuration add channel.band=5ghz-a/n/ac .control-channel-width=20mhz .extension-channel=XXXX comment=defconf country=germany datapath.client-to-client-forwarding=yes .local-forwarding=yes distance=indoors installation=indoor name=cfg-5ghz-ac security=mittelerde ssid=Mittelerde
/caps-man configuration add channel.band=5ghz-a/n .control-channel-width=20mhz .extension-channel=XX comment=defconf country=germany datapath.client-to-client-forwarding=yes .local-forwarding=yes distance=indoors installation=indoor name=cfg-5ghz-an security=mittelerde ssid=Mittelerde
# guest SSIDs: open security; with local forwarding the CAP tags these clients'
# frames with VLAN 66 (vlan-mode=use-tag) into the configured bridge
/caps-man configuration add channel="2.4 Channel 01" channel.band=2ghz-b/g/n country=germany datapath.bridge=lan-bridge .local-forwarding=yes .vlan-id=66 .vlan-mode=use-tag distance=indoors installation=indoor name="FFF 2.4" security=open ssid=freifunk
/caps-man configuration add channel="5.0 Auto" channel.band=5ghz-a/n/ac .extension-channel=XXXX country=germany datapath.bridge=lan-bridge .local-forwarding=yes .vlan-id=66 .vlan-mode=use-tag installation=indoor name="FFF 5.0" security=open ssid=freifunk
# private SSIDs on the same CAPs: WPA2-PSK, untagged into the bridge
/caps-man configuration add channel="5.0 Auto" channel.band=5ghz-a/n/ac .extension-channel=XXXX country=germany datapath.bridge=lan-bridge .client-to-client-forwarding=yes .local-forwarding=yes installation=indoor name="Mittelerde Fewo 5.0" security=mittelerde ssid=Mittelerde
/caps-man configuration add channel="2.4 Channel 06" channel.band=2ghz-b/g/n country=germany datapath.bridge=lan-bridge .client-to-client-forwarding=yes .local-forwarding=yes distance=indoors installation=indoor name="Mittelerde Fewo 2.4" security=mittelerde ssid=Mittelerde
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk comment=defconf disable-pmkid=yes mode=dynamic-keys name=wpsSync supplicant-identity=MikroTik
/interface wireless set [ find default-name=wlan3 ] band=5ghz-a/n/ac channel-width=20/40mhz-XX country=germany disabled=no mode=ap-bridge security-profile=wpsSync ssid=SYNC-CC11C0
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=default-dhcp disabled=yes interface=lan-bridge name=defconf
# monitoring-only group: read, test, winbox and api; every write-capable policy is explicitly denied
/user group add name=prometheus policy=read,test,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp,!rest-api
# access-list: accept any SSID at -95 dBm or better, reject weaker clients
/caps-man access-list add action=accept disabled=no interface=any signal-range=-95..120 ssid-regexp=""
/caps-man access-list add action=reject disabled=no interface=any signal-range=-120..-96 ssid-regexp=""
/caps-man manager set enabled=yes
# CAPs are only accepted via lan-bridge; the default (all interfaces) entry is forbidden
/caps-man manager interface set [ find default=yes ] forbid=yes
/caps-man manager interface add disabled=no interface=lan-bridge
/caps-man provisioning add action=create-dynamic-enabled comment=defconf hw-supported-modes=gn identity-regexp=Audience master-configuration=cfg-2ghz name-format=prefix-identity name-prefix=2ghz
/caps-man provisioning add action=create-dynamic-enabled comment=defconf hw-supported-modes=ac identity-regexp=Audience master-configuration=cfg-5ghz-ac name-format=prefix-identity name-prefix=5ghz-ac
/caps-man provisioning add action=create-dynamic-enabled comment=defconf hw-supported-modes=an identity-regexp=Audience master-configuration=cfg-5ghz-an name-format=prefix-identity name-prefix=5ghz-an
# CAPs whose identity starts with 243 or 54 get the open "FFF" SSID as master and the private SSID as slave
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=^243|^54 master-configuration="FFF 2.4" name-format=prefix-identity name-prefix=24 slave-configurations="Mittelerde Fewo 2.4"
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=ac identity-regexp=^243|^54 master-configuration="FFF 5.0" name-format=prefix-identity name-prefix=50 slave-configurations="Mittelerde Fewo 5.0"
# catch-all: any other CAP gets a disabled interface
/caps-man provisioning add action=create-disabled comment=nope master-configuration="FFF 2.4" name-format=prefix-identity name-prefix=nope
/interface bridge port add bridge=lan-bridge comment=defconf ingress-filtering=no interface=ether2
/interface bridge port add bridge=lan-bridge ingress-filtering=no interface=wlan3
/ipv6 settings set accept-router-advertisements=yes
/interface list member add comment=defconf interface=lan-bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface wireless cap
#
# this device is also a CAP of its own CAPsMAN (127.0.0.1)
set bridge=lan-bridge caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ip dhcp-client add comment=defconf interface=lan-bridge
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
# NOTE(review): allow-remote-requests=yes answers DNS queries from any interface.
# No /ip firewall filter rules appear in this export; if that is the complete
# configuration, the resolver is reachable from ether1 (WAN) as well — confirm.
/ip dns set allow-remote-requests=yes
# masquerade only the wireguard subnet when it leaves via lan-bridge
/ip firewall nat add action=masquerade chain=srcnat out-interface=lan-bridge src-address=192.168.66.0/24
/ip smb set domain=Mittelerde enabled=yes
/ip smb users add name=phi
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# NOTE(review): SNMP is enabled but no community settings appear in this export,
# so the defaults presumably apply — confirm the community and its address limits.
/snmp set enabled=yes
/system clock set time-zone-name=Europe/Berlin
/system identity set name=Audience
/system ntp client set enabled=yes
/system ntp client servers add address=192.168.1.1
# development channel + the "auto upgrade" scheduler below: pre-release builds are installed unattended
/system package update set channel=development
/system routerboard settings set cpu-frequency=auto
# daily at 03:00: check for updates and install whenever a new version is
# reported; the script runs with a broad policy (write, policy, password, sensitive, ...)
/system scheduler add interval=1d name="auto upgrade" on-event="/system package update\r\
\ncheck-for-updates once\r\
\n:delay 3s;\r\
\n:if ( [get status] = \"New version is available\") do={ install }" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/21/2021 start-time=03:00:00
# bandwidth-test server accepts unauthenticated clients, so anyone who can reach
# the router can start a test against it; consider authenticate=yes or disabling it
/tool bandwidth-server set authenticate=no
/tool graphing interface add store-on-disk=no
CAP
# oct/12/2021 21:43:08 by RouterOS 6.49
# software id = MRZA-96QS
#
# model = RBD53iG-5HacD2HnD
#
# Review notes (comments only; the exported commands are unchanged):
# - bridgeLocal has no vlan-filtering=yes. The CAPsMAN datapath for the
#   freifunk SSIDs tags client frames with VLAN 66 (local forwarding), and
#   without bridge VLAN filtering those frames reach this CAP's own bridge
#   (CPU) port like untagged management traffic. The /ip service address
#   limits further down do not change that.
/interface bridge
# no vlan-filtering=yes: tagged and untagged frames are treated alike
add comment=defconf name=bridgeLocal
/interface ethernet
# unused ports disabled; ether2 remains the only active wired bridge port
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface wireless
# both radios are CAPsMAN-managed; ssid=MikroTik is the local default, the active
# SSID (freifunk, per the manager's comments) comes from CAPsMAN
# managed by CAPsMAN
# channel: 2412/20/gn(9dBm), SSID: freifunk, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5640/20-eeeC/ac/DP(21dBm), SSID: freifunk, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether3
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether4
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether5
/ipv6 settings
set accept-router-advertisements=yes
/interface wireless cap
#
# CAP discovery and the CAPsMAN control connection use bridgeLocal — the same
# bridge the VLAN 66 guest frames are forwarded into
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
/ip service
# address restriction only: telnet, ftp, www, api etc. stay enabled, and a client
# that self-assigns a 192.168.1.x address passes this check. Disabling services
# that are not needed (disabled=yes) and keeping guest traffic off the CPU port
# via bridge VLAN filtering are stronger controls than a source-address limit.
set telnet address=192.168.1.0/24
set ftp address=192.168.1.0/24
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24
set www-ssl address=192.168.1.0/24
set api address=192.168.1.0/24
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24
/system clock
set time-zone-name=Europe/Berlin
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=wireless-signal-strength
set 1 leds=poe-led type=poe-out