Hi guys, I got back to mikrotik, as I wanted to use it's hotspot features, which I found most suitable for me..
The setup I have is :
MT main router (AC2) ---- trunk ---- Openwrt ---- trunk ---- Mikrotik wAP ac
Trunk carries vlans 5, 10, 90 (hotspot)
The thing is that DHCP works till openwrt router. If I have wifi there with proper SSID then clients from there got DHCP address assigned from main router.
But the issue is with second mikrotik, there wifi with proper VLAN assigned cannot get IP address.
I tracked the issue using packet captures back to main MT router receiving DHCP Discover and sending DHCP offer, but incoming trunk (hence outgoing as well) on Openwrt can't see any DHCP offer received from MT main..
same thing works when client is on Openwrt, not +1 more hop Mikrotik...
Is it issue with Openwrt or Main Mikrotik ?
DHCP Offer not received on other side of trunk [solved]
Last edited by miguelos on Wed Nov 08, 2023 12:31 pm, edited 1 time in total.
Re: DHCP Offer not received on other side of trunk
Does the same issue persist if you bypass the OpenWRT (i.e. if you connect wAP ac to same trunk port of ac2)?
Re: DHCP Offer not received on other side of trunk
Tried to use Openwrt in transparant bridge mode, relayd did not solve it, but even kmod_trelay, or other _mod_available at that time, did not work. I had the same DHCP problems as with station-pseudobridge in MT setup. DHCP lease stayed in "offered".
https://openwrt.org/docs/guide-user/net ... figuration
They, at Openwrt, go for WDS based solution?: https://openwrt.org/docs/guide-user/net ... atheroswds
https://openwrt.org/docs/guide-user/net ... figuration
They, at Openwrt, go for WDS based solution?: https://openwrt.org/docs/guide-user/net ... atheroswds
Re: DHCP Offer not received on other side of trunk
haven't tested yet, it's remote site ..Does the same issue persist if you bypass the OpenWRT (i.e. if you connect wAP ac to same trunk port of ac2)?
the thing is that it's wired connection, not wifi... I guess this does not apply.Tried to use Openwrt in transparant bridge mode, relayd did not solve it, but even kmod_trelay, or other _mod_available at that time, did not work. I had the same DHCP problems as with station-pseudobridge in MT setup. DHCP lease stayed in "offered".
https://openwrt.org/docs/guide-user/net ... figuration
They, at Openwrt, go for WDS based solution?: https://openwrt.org/docs/guide-user/net ... atheroswds
And theoretically openwrt should act just as a switch (although I have IP interfaces configured for each VLAN - could this be the case?)
Also I'd like to understand why this happens ? static configuration seems to be working fine (I can remote Mikrotik, on ROS7 I can even hook wireguard interface..)
I'm considering 2 things :
- tunnel (GRE?) from MT main to MT AC, but that's yet another overhead ..
- putting small VLAN switch in path, so Openwrt will not be passing the traffic, but switch will, like :
Code: Select all
┌─────────────────┐ ┌──────────────┐ ┌──────────┐
│ MT AC2 │ │ VLAN capable │ │ MT AC │
│ VL 5,10,90 ├───┤ switch ├─────────────┤Vl 5,10,90│
└─────────────────┘ └──────┬───────┘ └──────────┘
│
│
│
│
┌──────┴────────┐
│ OpenWRT │
│ Vlans 5,10,90 │
└───────────────┘
Re: DHCP Offer not received on other side of trunk
Why are you using openwrt anything for starters.
Why are you using it as a router, it seems to be acting solely as a switch??..
Bottom line this is not an MT issue, suggest you try openwrt forum.
Why are you using it as a router, it seems to be acting solely as a switch??..
Bottom line this is not an MT issue, suggest you try openwrt forum.
Re: DHCP Offer not received on other side of trunk
Openwrt - I'd like to use a couple of the features (network apps etc)Why are you using openwrt anything for starters.
Why are you using it as a router, it seems to be acting solely as a switch??..
Bottom line this is not an MT issue, suggest you try openwrt forum.
while it's not acting as a router on most of the vlans I do like to have access to it on every interface, or so it can present in every network serving some services, and avoid doing inter vlan routing on main router, and looping the traffic back eating 2x bandwidth..
Re: DHCP Offer not received on other side of trunk
so I had a chance to remove openwrt from the picture...Why are you using openwrt anything for starters.
Why are you using it as a router, it seems to be acting solely as a switch??..
Bottom line this is not an MT issue, suggest you try openwrt forum.
currently the setup is as on picture with switch introduced (OpenWrt is no longer passing packets between its interfaces)
Result is exactly the same.. Main Mikrotik receives DHCP Discover and sends DHCP Offer. Destination MT (wAP ac) is not receiving DHCP Offer...
Main MT = ROS 6.49.10
MT wAP ac = ROS 7.11.2, 6.49.10 - same thing
Last edited by miguelos on Sun Nov 05, 2023 3:01 pm, edited 1 time in total.
Re: DHCP Offer not received on other side of trunk
You'll have to show the config of both MTs ... export them to text file and copy-paste contents inside [code] [/code] block.
Re: DHCP Offer not received on other side of trunk
MT Main config :
MT hAC cfg
connection : MT main ether 5 -- switch --- MT hAC ether 1
testing guest on VLAN90 -- wifi1 on MT hAC interface...
Code: Select all
[admin@MTmain] > export
# nov/05/2023 13:51:30 by RouterOS 6.49.10
# software id = R483-S3DQ
#
# model = RBD52G-5HacD2HnD
#
/interface bridge
add admin-mac=B8:69:F4:18:B0:E2 arp-timeout=30s auto-mac=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=BRIDGE-internal vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=sssssssss
set [ find default-name=ether3 ] comment=biuro1
set [ find default-name=ether4 ] comment=biuro2
set [ find default-name=ether5 ] comment=stacja
/interface pppoe-client
add add-default-route=yes comment=WAN disabled=no interface=ether1 name=pppoe-out password=SssssssssSSSSSS user=SssssssssSSSS
/interface vlan
add comment=sssssssss interface=BRIDGE-internal name=INTF-vlan5 vlan-id=5
add comment="GGG sala" interface=BRIDGE-internal name=INTF-vlan10 vlan-id=10
add comment="GGG biuro" disabled=yes interface=BRIDGE-internal name=INTF-vlan20 vlan-id=20
add comment="GGG audio" disabled=yes interface=BRIDGE-internal name=INTF-vlan30 vlan-id=30
add arp=reply-only comment=guest interface=BRIDGE-internal name=INTF-vlan90 vlan-id=90
/interface list
add name=WAN
add name=LAN
add name=VLANs
add name=VPN
add include=LAN,VPN,VLANs name=Admin-Access
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=sssssssss-AES supplicant-identity="" wpa-pre-shared-key=sssssssss wpa2-pre-shared-key=sssssssss
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-a/g=12Mbps,18Mbps,24Mbps basic-rates-b=11Mbps disabled=no distance=indoors mode=ap-bridge security-profile=\
sssssssss-AES ssid=SSSSSSSSS supported-rates-b=11Mbps tx-power=14 tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=push-button-virtual-only
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee country=poland disabled=no distance=indoors frequency=5580 mode=ap-bridge security-profile=\
sssssssss-AES ssid=SSSSSSSSS wireless-protocol=802.11 wps-mode=push-button-virtual-only
add keepalive-frames=disabled mac-address=BA:69:F4:18:B0:E6 master-interface=wlan1 multicast-buffering=disabled name=wlan3-guest ssid=SSSS-gosc vlan-id=90 wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
/ip dhcp-server
add interface=BRIDGE-internal name=defconf
/ip hotspot profile
add dns-name=hotspot.GGG hotspot-address=10.1.90.1 html-directory=flash/hotspotGGG login-by=cookie,http-chap,http-pap,trial name=hsprof1
/ip hotspot user profile
add name=guest rate-limit=5M/2M shared-users=20
/ip pool
add name=dhcp_pool5 ranges=10.0.0.100-10.0.0.199
add name=dhcp_pool10 ranges=10.1.10.100-10.1.10.199
add name=dhcp_pool90 ranges=10.1.90.150-10.1.90.250
add name=dhcp_pool30 ranges=10.1.30.100-10.1.30.199
add name=dhcp_pool20 ranges=10.1.20.100-10.1.20.199
/ip dhcp-server
add address-pool=dhcp_pool5 disabled=no interface=INTF-vlan5 lease-time=1d name=dhcp5
add address-pool=dhcp_pool10 disabled=no interface=INTF-vlan10 lease-time=1d name=dhcp10
add add-arp=yes address-pool=dhcp_pool90 disabled=no interface=INTF-vlan90 lease-time=12h name=dhcp90
add address-pool=dhcp_pool30 disabled=no interface=INTF-vlan30 lease-time=1d name=dhcp30
add address-pool=dhcp_pool20 disabled=no interface=INTF-vlan20 lease-time=1d name=dhcp20
/ip hotspot
add address-pool=dhcp_pool90 disabled=no interface=INTF-vlan90 name=hotspot1 profile=hsprof1
/interface bridge port
add bridge=BRIDGE-internal interface=ether2 pvid=5
add bridge=BRIDGE-internal interface=ether3 pvid=5
add bridge=BRIDGE-internal interface=ether4 pvid=5
add bridge=BRIDGE-internal interface=ether5
add bridge=BRIDGE-internal interface=wlan1 pvid=5
add bridge=BRIDGE-internal interface=wlan2 pvid=5
add bridge=BRIDGE-internal ingress-filtering=yes interface=wlan3-guest pvid=90
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=BRIDGE-internal tagged=ether5,BRIDGE-internal untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=5
add bridge=BRIDGE-internal tagged=ether5,BRIDGE-internal vlan-ids=10
add bridge=BRIDGE-internal tagged=ether5,BRIDGE-internal vlan-ids=20
add bridge=BRIDGE-internal tagged=ether5,BRIDGE-internal vlan-ids=30
add bridge=BRIDGE-internal tagged=ether5,BRIDGE-internal untagged=wlan3-guest vlan-ids=90
add bridge=BRIDGE-internal untagged=ether4 vlan-ids=1
/interface list member
add interface=BRIDGE-internal list=LAN
add interface=ether1 list=WAN
add interface=INTF-vlan5 list=VLANs
add interface=INTF-vlan10 list=VLANs
add interface=INTF-vlan20 list=VLANs
add interface=pppoe-out list=WAN
add list=VPN
/ip address
add address=192.168.88.1/24 disabled=yes interface=BRIDGE-internal network=192.168.88.0
add address=10.0.0.1/24 interface=INTF-vlan5 network=10.0.0.0
add address=10.1.10.1/24 interface=INTF-vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=INTF-vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=INTF-vlan30 network=10.1.30.0
add address=10.1.90.1/24 interface=INTF-vlan90 network=10.1.90.0
add address=192.168.1.88/24 disabled=yes interface=BRIDGE-internal network=192.168.1.0
add address=10.60.0.10/28 disabled=yes network=10.60.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.1.1.99 comment="MC562 printer" disabled=yes mac-address=00:25:36:AE:AC:CF
add address=10.0.0.10 client-id=1:0:80:92:8c:7b:a7 comment="drukarka sssssssss" mac-address=00:80:92:8C:7B:A7 server=dhcp5
add address=10.1.10.10 client-id=1:8:5b:d6:d0:4f:a3 mac-address=08:5B:D6:D0:4F:A3 server=dhcp10
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
add address=10.1.10.0/24 dns-server=10.1.10.1 gateway=10.1.10.1
add address=10.1.20.0/24 dns-server=10.1.20.1 gateway=10.1.20.1
add address=10.1.30.0/24 dns-server=10.1.30.1 gateway=10.1.30.1
add address=10.1.90.0/24 dns-server=10.1.90.1 gateway=10.1.90.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=4d servers=1.1.1.1,1.1.1.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=acme-v02.api.letsencrypt.org list=Letsencrypt
add address=acme-staging-v02.api.letsencrypt.org list=Letsencrypt
add address=letsencrypt.org list=Letsencrypt
/ip firewall filter
add action=accept chain=forward comment="allow mgmt-mgmt" dst-address=10.0.0.0/28 src-address=10.1.10.0/28
add action=accept chain=input dst-port=80 in-interface-list=WAN protocol=tcp src-address-list=Letsencrypt
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="## to remove ## accept all" disabled=yes
add action=accept chain=input dst-port=53 protocol=udp
add action=accept chain=input comment="from inside only" dst-port=80,8291,99 in-interface-list=Admin-Access protocol=tcp
add action=accept chain=input comment=ssh dst-port=22,99 protocol=tcp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.1.90.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.1.90.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.1.90.0/24
add action=masquerade chain=srcnat comment="masq mgmt" dst-address=10.0.0.0/28 src-address=10.1.10.0/28
/ip hotspot user
set [ find default=yes ] limit-bytes-total=500000000 limit-uptime=1h
add name=admin password=ttttt
add name=guest password=guest profile=guest server=hotspot1
add name=gosc password=gosc profile=guest server=hotspot1
/ip hotspot user profile
set [ find default=yes ] mac-cookie-timeout=8h parent-queue=*5 rate-limit=3M/1M shared-users=50
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=gggggggggg.pl
/ip hotspot walled-garden ip
add action=accept comment="kiosk radio" disabled=yes dst-address=10.1.90.0/24 !dst-address-list !dst-port !protocol server=hotspot1 src-address=10.1.90.2 !src-address-list
add action=accept comment=mmmmm disabled=no dst-address=mmmmm !dst-address-list !dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=10.1.90.1 !dst-address-list !dst-port protocol=icmp !src-address !src-address-list
/ip service
set telnet disabled=yes
set ssh port=99
set www-ssl certificate=letsencrypt-autogen_2023-09-15T13:32:00Z disabled=no
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MTmain
/system logging
add topics=hotspot,debug
add disabled=yes topics=dhcp
/system ntp client
set enabled=yes primary-ntp=91.149.253.184 secondary-ntp=162.159.200.123
/system package update
set channel=long-term
/system scheduler
add interval=3h name=duckdns on-event=duckdns policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/15/2023 start-time=16:00:00
add name=ddns-reboot on-event=duckdns policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=11w3d name=letsencrypt on-event=test policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/15/2023 start-time=00:03:12
add interval=3h name=noip on-event=no-ip.pl policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2023 start-time=16:00:00
/system script
/tool graphing interface
add interface=pppoe-out store-on-disk=no
add interface=INTF-vlan5 store-on-disk=no
add interface=INTF-vlan10 store-on-disk=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=MTma filter-interface=INTF-vlan90 memory-limit=200KiBMT hAC cfg
Code: Select all
[admin@MT wAPac] > export
# nov/05/2023 13:48:15 by RouterOS 6.49.10
# software id = YLFH-8B7F
#
# model = RBwAPG-5HacD2HnD
#
/interface bridge
add admin-mac=48:A9:8A:65:7F:9C auto-mac=no name=bridgeINT vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="external INT"
set [ find default-name=ether2 ] comment="internal INT"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country=poland disabled=no distance=indoors frequency=2437 installation=indoor mode=ap-bridge ssid=GGG-guest \
wireless-protocol=802.11 wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:A9:8A:65:7F:9D master-interface=wlan1 multicast-buffering=disabled name=wlan1-2 ssid=MT-guest vlan-id=90 wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=ether1 name=VLAN1 vlan-id=1
add interface=ether1 name=VLAN5 vlan-id=5
add interface=ether1 name=VLAN10 vlan-id=10
add interface=ether1 name=VLAN20 vlan-id=20
add interface=ether1 name=VLAN30 vlan-id=30
add interface=ether1 name=VLAN90 vlan-id=90
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk comment="WPA2 lllllll4321" mode=dynamic-keys name=sec-lllllll321 supplicant-identity="" wpa2-pre-shared-key=lllllll321
add authentication-types=wpa2-psk mode=dynamic-keys name=sec-214 supplicant-identity="" wpa2-pre-shared-key=214-BBBBBB
add authentication-types=wpa2-psk mode=dynamic-keys name=LLLLLL supplicant-identity="" wpa2-pre-shared-key=79-LLLLLL
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-Ceee country="united states" distance=indoors frequency=5745 installation=indoor mode=ap-bridge \
security-profile=sec-214 ssid=GGG wireless-protocol=802.11
add keepalive-frames=disabled mac-address=4A:A9:8A:65:7F:9E master-interface=wlan2 multicast-buffering=disabled name=wlan2-2 ssid=GGG-guest vlan-id=90 wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:A9:8A:65:7F:9F master-interface=wlan1 multicast-buffering=disabled name=wlan3 security-profile=LLLLLL ssid=GLOS_NA_PUSTYNI2 \
vlan-id=5 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip dhcp-server
add interface=bridgeINT name=dhcp0
add add-arp=yes interface=wlan1-2 lease-time=30m name=dhcp3
/ip hotspot
add interface=wlan1-2 name=hotspot1
/ip hotspot user profile
set [ find default=yes ] rate-limit=2M/500k shared-users=20
add name=guest-prof rate-limit=4M/2M shared-users=20
add name=vip-prof rate-limit=50M/10M shared-users=5
/interface bridge port
add bridge=bridgeINT interface=ether2
add bridge=bridgeINT interface=wlan1 pvid=90
add bridge=bridgeINT interface=wlan2 pvid=10
add bridge=bridgeINT ingress-filtering=yes interface=wlan1-2 pvid=90
add bridge=bridgeINT ingress-filtering=yes interface=ether1
add bridge=bridgeINT ingress-filtering=yes interface=wlan2-2 pvid=90
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridgeINT tagged=ether1 vlan-ids=5
add bridge=bridgeINT tagged=ether1 untagged=wlan2 vlan-ids=10
add bridge=bridgeINT disabled=yes tagged=ether1 vlan-ids=20
add bridge=bridgeINT tagged=ether1 untagged=wlan1,wlan2-2 vlan-ids=90
add bridge=bridgeINT disabled=yes tagged=ether1 vlan-ids=30
add bridge=bridgeINT disabled=yes untagged=ether1,ether2 vlan-ids=1
/interface ethernet switch vlan
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=20
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=30
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=10
/interface list member
add interface=bridgeINT list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridgeINT network=192.168.88.0
add address=10.1.20.3/24 interface=VLAN20 network=10.1.20.0
add address=10.1.10.3/24 interface=VLAN10 network=10.1.10.0
add address=192.168.1.222/24 disabled=yes interface=bridgeINT network=192.168.1.0
add address=10.0.0.3/24 interface=VLAN5 network=10.0.0.0
add address=10.1.30.3/24 interface=VLAN30 network=10.1.30.0
add address=10.60.0.11/28 network=10.60.0.0
add address=10.1.90.3/24 interface=VLAN90 network=10.1.90.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
add interface=bridgeINT
add interface=VLAN1
/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" gateway=10.5.50.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.1,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="test - disable" disabled=yes
add action=accept chain=forward comment="test - disable" disabled=yes
add action=accept chain=forward comment="ALLOW ALL FORWARD - TEST" disabled=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=8291,80,22 protocol=tcp
add action=accept chain=input disabled=yes dst-port=22 in-interface=*E protocol=tcp
add action=accept chain=input comment="ALLOW ALL INPUT - TEST" disabled=yes
add action=drop chain=input comment="defconf: drop invalid /////" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=yes src-address=10.5.50.0/24
add action=accept chain=srcnat disabled=yes out-interface=*E
/ip hotspot user
add name=admin password=tttttttt
add limit-bytes-total=600000000 limit-uptime=2h name=gosc profile=guest-prof
add name=vip password=GGG.vip
/ip route
add distance=1 gateway=10.0.0.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="MT wAPac"
/system logging
add topics=dhcp,debug
add disabled=yes topics=debug
add topics=wireless,debug
/system package update
set channel=testing
/tool graphing interface
add interface=VLAN90 store-on-disk=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=wap filter-interface=wlan1 memory-limit=200KiBtesting guest on VLAN90 -- wifi1 on MT hAC interface...
Re: DHCP Offer not received on other side of trunk
The wAP bridge config is a mess:
You have VLANs attached directly to a bridge port, they should always be attached to the bridge itself.
Don't add a VLAN with ID 1, this is the default PVID on bridge ports.
You have a mix of VLAN-aware bridge and switch VLAN configuration - these interact in undocumented ways, use one or the other not both.
You have VLANs attached directly to a bridge port, they should always be attached to the bridge itself.
Don't add a VLAN with ID 1, this is the default PVID on bridge ports.
You have a mix of VLAN-aware bridge and switch VLAN configuration - these interact in undocumented ways, use one or the other not both.
Re: DHCP Offer not received on other side of trunk
Thank you for replyThe wAP bridge config is a mess:
1# You have VLANs attached directly to a bridge port, they should always be attached to the bridge itself.
2# Don't add a VLAN with ID 1, this is the default PVID on bridge ports.
3# You have a mix of VLAN-aware bridge and switch VLAN configuration - these interact in undocumented ways, use one or the other not both.
1# I don't get where the config change should be made
I based my config on this thread : viewtopic.php?t=182898
2#
Code: Select all
/interface vlan
add disabled=yes interface=ether1 name=VLAN1 vlan-id=1
/interface bridge vlan
add bridge=bridgeINT disabled=yes untagged=ether1,ether2 vlan-ids=13# == fixed, i haven't noticed, these were some remainings after earlier configs
/interface ethernet switch vlan -> EMPTY
Still the issue remains, I thought the root of this issue was rather sourced on Main MT...
Re: DHCP Offer not received on other side of trunk
Under /interface vlan the entries should have interface=bridgeINT not interface=ether1. The first post in the thread you quote is similarly incorrect as pointed out by the second post.
Which VLAN isn't receiving DHCP, the wAP appears to have multiple DHCP clients plus some DHCP servers which is unusual, normally all of the DHCP servers would be on the main router.
Which VLAN isn't receiving DHCP, the wAP appears to have multiple DHCP clients plus some DHCP servers which is unusual, normally all of the DHCP servers would be on the main router.
Re: DHCP Offer not received on other side of trunk
moved as suggested and Finally working! Huge thanksUnder /interface vlan the entries should have interface=bridgeINT not interface=ether1. The first post in the thread you quote is similarly incorrect as pointed out by the second post.
Which VLAN isn't receiving DHCP, the wAP appears to have multiple DHCP clients plus some DHCP servers which is unusual, normally all of the DHCP servers would be on the main router.
(don't bother about DHCP, those should be disabled & somehow are not in export)