Firewall Rules for a CAPsMAN network with VLANs
Posted: Tue Oct 12, 2021 10:48 pm
I'm running a CAPsMAN managed network. The CAPs broadcast two SSIDs, one of which, "freifunk", is unencrypted and has its traffic tagged with VLAN ID 66. The other one is encrypted and its traffic is untagged. I have a switch that takes care of separating the 66 traffic from the other traffic, so everything behind that switch is safe.
However, the CAPs themselves don't have that luxury. All traffic, be it tagged 66 or untagged, can access the router itself, configure it, etc., because right now the CAPs have 0 firewall rules.
I have, however, restricted access to winbox, the API and all other services on the router to IPs from the 192.168.1.0/24 subnet. Clients on the public (VLAN ID 66) wifi get assigned addresses outside that range. Of course nothing is stopping someone from assigning themselves a 192.168.1.0/24 IP, so a source-address restriction alone is certainly not ideal.
I have been looking into separating the two virtual networks within the router, too, with limited success. I also looked at whether I could set up firewall rules that take the VLAN ID into account, but didn't get very far either. What's the best course of action here?
I am considering changing the CAPs from local forwarding to CAPsMAN forwarding. That should take care of this issue, right? At least for the Wifi.
However, the CAPs themselves don't have that luxury. All traffic, be it tagged 66 or untagged, can access the router itself, configure it, etc., because right now the CAPs have 0 firewall rules.
I have, however, restricted access to winbox, the API and all other services on the router to IPs from the 192.168.1.0/24 subnet. Clients on the public (VLAN ID 66) wifi get assigned addresses outside that range. Of course nothing is stopping someone from assigning themselves a 192.168.1.0/24 IP, so a source-address restriction alone is certainly not ideal.
I have been looking into separating the two virtual networks within the router, too, with limited success. I also looked at whether I could set up firewall rules that take the VLAN ID into account, but didn't get very far either. What's the best course of action here?
I am considering changing the CAPs from local forwarding to CAPsMAN forwarding. That should take care of this issue, right? At least for the Wifi.
CAPsMAN
# oct/12/2021 21:25:12 by RouterOS 7.1rc4
# software id = 2QED-STSN
#
# model = RBD25G-5HPacQD2HPnD
# Export of the CAPsMAN controller (identity "Audience", see /system identity below):
# channel/security/configuration objects for the CAPs, the local bridge, a WireGuard
# listener and the system services. No /ip firewall filter rules appear in this export.
/caps-man channel add band=2ghz-g/n extension-channel=disabled frequency=2412 name="2.4 Channel 01" save-selected=yes tx-power=12
/caps-man channel add band=5ghz-a/n/ac extension-channel=XXXX name="5.0 Auto" save-selected=yes
/caps-man channel add band=2ghz-g/n extension-channel=disabled frequency=2437 name="2.4 Channel 06" save-selected=yes tx-power=12
/caps-man channel add band=2ghz-g/n extension-channel=disabled frequency=2462 name="2.4 Channel 11" save-selected=yes tx-power=12
/caps-man channel add band=5ghz-a/n/ac extension-channel=XXXX frequency=5150,5350 name="5.0 100mW" save-selected=yes tx-power=14
/caps-man channel add band=5ghz-a/n/ac extension-channel=XXXX frequency=5470,5725 name="5.0 1000mW" save-selected=yes tx-power=24
# NOTE(review): lan-bridge is created without vlan-filtering, and its ports further down use
# ingress-filtering=no, so frames tagged 66 by the "FFF" configurations and untagged frames
# share one broadcast domain on this device; VLAN separation happens only on the downstream
# switch described in the post.
/interface bridge add comment=defconf name=lan-bridge
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(8dBm), SSID: Mittelerde, local forwarding
set [ find default-name=wlan1 ] country=germany disabled=no ssid=MikroTik
/interface wireless
# managed by CAPsMAN
# channel: 5200/20-eCee/ac/P(18dBm), SSID: Mittelerde, local forwarding
set [ find default-name=wlan2 ] country=germany disabled=no ssid=MikroTik
# WireGuard listener on port 13231; peers are not part of this export.
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1
# "open" sets no authentication-types or encryption: the freifunk SSID
# (configurations "FFF 2.4" / "FFF 5.0") is unauthenticated and unencrypted by design.
/caps-man security add name=open
/caps-man security add authentication-types=wpa2-psk encryption=aes-ccm name=wip
/caps-man security add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=mittelerde
/caps-man configuration add channel="2.4 Channel 01" comment=defconf country=germany datapath.client-to-client-forwarding=yes .local-forwarding=yes distance=indoors installation=indoor name=cfg-2ghz security=mittelerde ssid=Mittelerde
/caps-man configuration add channel.band=5ghz-a/n/ac .control-channel-width=20mhz .extension-channel=XXXX comment=defconf country=germany datapath.client-to-client-forwarding=yes .local-forwarding=yes distance=indoors installation=indoor name=cfg-5ghz-ac security=mittelerde ssid=Mittelerde
/caps-man configuration add channel.band=5ghz-a/n .control-channel-width=20mhz .extension-channel=XX comment=defconf country=germany datapath.client-to-client-forwarding=yes .local-forwarding=yes distance=indoors installation=indoor name=cfg-5ghz-an security=mittelerde ssid=Mittelerde
# datapath.vlan-id=66 / .vlan-mode=use-tag: freifunk client frames are tagged 66 as they
# enter lan-bridge; with .local-forwarding=yes the CAP bridges client traffic itself
# instead of tunnelling it to the manager.
/caps-man configuration add channel="2.4 Channel 01" channel.band=2ghz-b/g/n country=germany datapath.bridge=lan-bridge .local-forwarding=yes .vlan-id=66 .vlan-mode=use-tag distance=indoors installation=indoor name="FFF 2.4" security=open ssid=freifunk
/caps-man configuration add channel="5.0 Auto" channel.band=5ghz-a/n/ac .extension-channel=XXXX country=germany datapath.bridge=lan-bridge .local-forwarding=yes .vlan-id=66 .vlan-mode=use-tag installation=indoor name="FFF 5.0" security=open ssid=freifunk
/caps-man configuration add channel="5.0 Auto" channel.band=5ghz-a/n/ac .extension-channel=XXXX country=germany datapath.bridge=lan-bridge .client-to-client-forwarding=yes .local-forwarding=yes installation=indoor name="Mittelerde Fewo 5.0" security=mittelerde ssid=Mittelerde
/caps-man configuration add channel="2.4 Channel 06" channel.band=2ghz-b/g/n country=germany datapath.bridge=lan-bridge .client-to-client-forwarding=yes .local-forwarding=yes distance=indoors installation=indoor name="Mittelerde Fewo 2.4" security=mittelerde ssid=Mittelerde
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk comment=defconf disable-pmkid=yes mode=dynamic-keys name=wpsSync supplicant-identity=MikroTik
/interface wireless set [ find default-name=wlan3 ] band=5ghz-a/n/ac channel-width=20/40mhz-XX country=germany disabled=no mode=ap-bridge security-profile=wpsSync ssid=SYNC-CC11C0
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=default-dhcp disabled=yes interface=lan-bridge name=defconf
# Read-only monitoring group: read/test/winbox/api allowed, every write-capable policy denied.
/user group add name=prometheus policy=read,test,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp,!rest-api
/caps-man access-list add action=accept disabled=no interface=any signal-range=-95..120 ssid-regexp=""
/caps-man access-list add action=reject disabled=no interface=any signal-range=-120..-96 ssid-regexp=""
# The manager accepts CAPs only via lan-bridge; the default (all-interfaces) entry is set to forbid.
/caps-man manager set enabled=yes
/caps-man manager interface set [ find default=yes ] forbid=yes
/caps-man manager interface add disabled=no interface=lan-bridge
/caps-man provisioning add action=create-dynamic-enabled comment=defconf hw-supported-modes=gn identity-regexp=Audience master-configuration=cfg-2ghz name-format=prefix-identity name-prefix=2ghz
/caps-man provisioning add action=create-dynamic-enabled comment=defconf hw-supported-modes=ac identity-regexp=Audience master-configuration=cfg-5ghz-ac name-format=prefix-identity name-prefix=5ghz-ac
/caps-man provisioning add action=create-dynamic-enabled comment=defconf hw-supported-modes=an identity-regexp=Audience master-configuration=cfg-5ghz-an name-format=prefix-identity name-prefix=5ghz-an
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=^243|^54 master-configuration="FFF 2.4" name-format=prefix-identity name-prefix=24 slave-configurations="Mittelerde Fewo 2.4"
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=ac identity-regexp=^243|^54 master-configuration="FFF 5.0" name-format=prefix-identity name-prefix=50 slave-configurations="Mittelerde Fewo 5.0"
/caps-man provisioning add action=create-disabled comment=nope master-configuration="FFF 2.4" name-format=prefix-identity name-prefix=nope
# Bridge ports: ingress-filtering=no and no pvid/frame-types set (see the bridge note above).
/interface bridge port add bridge=lan-bridge comment=defconf ingress-filtering=no interface=ether2
/interface bridge port add bridge=lan-bridge ingress-filtering=no interface=wlan3
/ipv6 settings set accept-router-advertisements=yes
/interface list member add comment=defconf interface=lan-bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface wireless cap
#
# This device is also a CAP of its own manager (caps-man-addresses=127.0.0.1).
set bridge=lan-bridge caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
# 192.168.66.0/24 is the WireGuard tunnel subnet; it is source-NATed out through lan-bridge below.
/ip address add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ip dhcp-client add comment=defconf interface=lan-bridge
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
# allow-remote-requests=yes answers DNS queries arriving on any interface; since no filter
# rules are exported, confirm the WAN list member (ether1) cannot reach the resolver.
/ip dns set allow-remote-requests=yes
/ip firewall nat add action=masquerade chain=srcnat out-interface=lan-bridge src-address=192.168.66.0/24
# NOTE(review): SMB file sharing runs on the router itself (user "phi"); confirm this is
# intended on a device that both SSIDs share a bridge with.
/ip smb set domain=Mittelerde enabled=yes
/ip smb users add name=phi
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# SNMP is enabled; community settings are not in this export — confirm they are not left at defaults.
/snmp set enabled=yes
/system clock set time-zone-name=Europe/Berlin
/system identity set name=Audience
/system ntp client set enabled=yes
/system ntp client servers add address=192.168.1.1
# Development channel plus the "auto upgrade" scheduler below installs pre-release builds
# unattended, daily at 03:00.
/system package update set channel=development
/system routerboard settings set cpu-frequency=auto
# Runs with a policy that includes password and sensitive; installs only when the status
# string matches after a fixed 3s wait (presumably a slower check just results in no install).
/system scheduler add interval=1d name="auto upgrade" on-event="/system package update\r\
\ncheck-for-updates once\r\
\n:delay 3s;\r\
\n:if ( [get status] = \"New version is available\") do={ install }" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/21/2021 start-time=03:00:00
# The bandwidth-test server accepts unauthenticated clients; a resource-exhaustion exposure
# on a device reachable from the open SSID (see the bridge note above).
/tool bandwidth-server set authenticate=no
/tool graphing interface add store-on-disk=no
CAP
# oct/12/2021 21:43:08 by RouterOS 6.49
# software id = MRZA-96QS
#
# model = RBD53iG-5HacD2HnD
# Export of one CAP: radios wlan1/wlan2 are provisioned by the CAPsMAN controller and
# forward client traffic locally onto bridgeLocal (see the "local forwarding" notes below).
# No firewall rules are present on this device.
/interface bridge
# NOTE(review): bridgeLocal has no vlan-filtering and no /interface vlan is defined, so
# nothing on this device separates frames tagged 66 (freifunk) from untagged frames; the
# post reports that clients on either SSID can reach the CAP's management address.
add comment=defconf name=bridgeLocal
/interface ethernet
# Every ethernet port except ether2 is disabled; ether2 stays bridged (presumably the uplink).
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(9dBm), SSID: freifunk, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5640/20-eeeC/ac/DP(21dBm), SSID: freifunk, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# No VLAN-related port options (pvid, frame-types, ingress-filtering) are set on any port.
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether3
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether4
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether5
/ipv6 settings
set accept-router-advertisements=yes
/interface wireless cap
#
# The controller is found by discovery on bridgeLocal rather than by a static address.
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
# The CAP's own management address is obtained via DHCP on bridgeLocal.
add comment=defconf disabled=no interface=bridgeLocal
/ip service
# Management services are limited by source address only. As the post notes, a client on
# either SSID can self-assign a 192.168.1.0/24 address, so this is a filter, not isolation.
# telnet, ftp, plain www and api remain enabled; disabling services that are not used
# reduces exposure more than address-restricting them does.
set telnet address=192.168.1.0/24
set ftp address=192.168.1.0/24
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24
set www-ssl address=192.168.1.0/24
set api address=192.168.1.0/24
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24
/system clock
set time-zone-name=Europe/Berlin
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=wireless-signal-strength
set 1 leds=poe-led type=poe-out