MikroTik

Community discussions
https://forum.mikrotik.com/

Issue with multiple SSID / LAN

https://forum.mikrotik.com/viewtopic.php?t=206152

Page 1 of 1

Issue with multiple SSID / LAN

Posted: Mon Mar 25, 2024 4:52 pm
by marcobag84
Dear forum,
i've configured my Capsman Wifi Wave 2 in order to have 2 different SSIDs and in the datapath i've inserted the bridge that it must use.

The final result i would like it to have 2 SSIDs that assign IPs from a different pool, the issue is that with the attached configuration both SSIDs assign IP from the same pool (local).

Could you please help me fixing that?

Thank you
Code: Select all
# 2024-03-25 15:30:29 by RouterOS 7.14.1
# software id = **ELIDED**
#
# model = RBD53iG-5HacD2HnD
# serial number = **ELIDED**
/interface bridge
add name=iot_bridge
add name=local port-cost-mode=short
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wifi datapath
add bridge=local disabled=no name=LOCAL
add bridge=iot_bridge disabled=no name=IOT
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name="Main WiFi Security"
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=no ft-over-ds=no \
    name="Guest WiFi Security"
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=\
    "Main WiFi Security (No FR)"
/interface wifi configuration
add country=Italy datapath=LOCAL disabled=no name="WIFI - MAIN" security=\
    "Main WiFi Security" security.ft=yes .ft-over-ds=yes ssid=WIFI
add country=Italy datapath=LOCAL disabled=no name="WIFI - IOT DEVICES" \
    security="Main WiFi Security (No FR)" ssid=WIFI_IOT
/ip pool
add name=dhcp_pool0 ranges=10.40.1.1-10.40.10.254
add name=iot_pool ranges=10.42.1.1-10.42.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local name=dhcp1
add address-pool=iot_pool interface=iot_bridge name=iot_dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/queue type
add kind=pcq name=pcq_voip_upload pcq-classifier=src-address
add kind=pcq name=pcq_voip_download pcq-classifier=dst-address
add kind=pcq name=pcq_default_upload pcq-classifier=src-address
add kind=pcq name=pcq_default_download pcq-classifier=dst-address
/queue tree
add comment="VoIP Upload Priority on Local Bridge" name=voip_upload_local \
    packet-mark=voip_pkt parent=local priority=1 queue=pcq_voip_upload
add comment="VoIP Download Priority on Local Bridge" name=voip_download_local \
    packet-mark=voip_pkt parent=local priority=1 queue=pcq_voip_download
add comment="VoIP Upload Priority on IoT Bridge" name=voip_upload_iot \
    packet-mark=voip_pkt parent=local priority=1 queue=pcq_voip_upload
add comment="VoIP Download Priority on IoT Bridge" name=voip_download_iot \
    packet-mark=voip_pkt parent=local priority=1 queue=pcq_voip_download
/ip smb
set enabled=no
/interface bridge port
add bridge=local interface=ether2 internal-path-cost=10 path-cost=10
add bridge=local interface=ether3 internal-path-cost=10 path-cost=10
add bridge=local interface=ether4 internal-path-cost=10 path-cost=10
add bridge=local interface=ether5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/interface detect-internet
set detect-interface-list=all
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    "MOOX - MAIN" slave-configurations="MOOX - IOT DEVICES"
/interface wireguard peers **ELIDED**
/ip address
add address=10.40.0.1/16 interface=local network=10.40.0.0
add address=10.39.0.10/24 interface=ether1 network=10.39.0.0
add address=10.41.0.1/24 interface=wireguard1 network=10.41.0.0
add address=10.42.1.1/24 interface=iot_bridge network=10.42.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server lease **ELIDED**
/ip dhcp-server network
add address=10.40.0.0/16 dns-server=1.1.1.1,1.0.0.1 gateway=10.40.0.1
add address=10.42.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.42.1.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=10.40.0.0/16 list=LAN_and_VPN_Clients
add address=10.41.0.0/24 list=LAN_and_VPN_Clients
add address=10.40.1.200 list=Allowed_to_IOT_Devices
add address=10.40.1.201 list=Allowed_to_IOT_Devices
add address=10.40.1.202 list=Allowed_to_IOT_Devices
add address=10.40.1.10 list=Allowed_to_IOT_Devices
add address=PRIVACY list=VOIP_Servers
add address=PRIVACY list=VOIP_Servers
add address=10.40.0.0/16 list=ALL_clients
add address=10.41.0.0/24 list=ALL_clients
add address=10.42.0.0/24 list=ALL_clients
/ip firewall filter
add action=accept chain=input comment=\
    "Allow established and related connections" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Allow established and related connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow ICMP for LAN and VPN" protocol=\
    icmp src-address-list=ALL_clients
add action=accept chain=input comment="Allow WireGuard connections" dst-port=\
    13231 protocol=udp
add action=accept chain=forward comment="Allow HTTP to specific host" \
    dst-address=10.40.0.10 dst-port=80 protocol=tcp
add action=accept chain=forward comment="Allow HTTPS to specific host" \
    dst-address=10.40.0.10 dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow input from LAN and VPN Clients" \
    src-address-list=ALL_clients
add action=accept chain=forward comment=\
    "Allow VPN clients to access internet" out-interface=ether1 src-address=\
    10.41.0.0/24
add action=accept chain=forward comment="Allow VPN client to access LAN" \
    dst-address=10.40.0.0/16 src-address=10.41.0.0/24
add action=accept chain=forward comment=\
    "Allow IOT Clients to access selected LAN IP" dst-address-list=\
    Allowed_to_IOT_Devices src-address=10.42.1.0/24
add action=accept chain=forward comment=\
    "Allow IOT Clients to communicate each other" dst-address=10.42.1.0/24 \
    src-address=10.42.1.0/24
add action=drop chain=forward comment=\
    "IOT Clients cannot access to other LAN resources" disabled=yes \
    dst-address-list=LAN_and_VPN_Clients src-address=10.42.1.0/24
add action=drop chain=input comment=\
    "Drop all other input not explicitly allowed"
add action=drop chain=forward comment=\
    "Drop forward from WAN not destined to NAT" connection-nat-state=!dstnat \
    connection-state=new in-interface=!local
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark VoIP Packets UDP" \
    new-packet-mark=voip_pkt passthrough=no protocol=udp src-port=5060,5061
add action=mark-packet chain=prerouting comment="Mark VoIP Packets UDP" \
    dst-port=5060,5061 new-packet-mark=voip_pkt passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment="Mark VoIP Packets TCP" \
    new-packet-mark=voip_pkt passthrough=no protocol=tcp src-port=5060,5061
add action=mark-packet chain=prerouting comment="Mark VoIP Packets TCP" \
    dst-port=5060,5061 new-packet-mark=voip_pkt passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="Mark VoIP Packets IP" \
    new-packet-mark=voip_pkt passthrough=no src-address-list=VOIP_Servers
add action=mark-packet chain=prerouting comment="Mark VoIP Packets IP" \
    dst-address-list=VOIP_Servers new-packet-mark=voip_pkt passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for Internet access" \
    out-interface=ether1
add action=masquerade chain=srcnat comment=\
    "Masquerade for IOT internet access" out-interface=ether1 src-address=\
    10.42.1.0/24
add action=dst-nat chain=dstnat comment="Port forward for specific service" \
    dst-port=7573-7575 protocol=tcp to-addresses=10.40.5.101 to-ports=\
    7573-7575
add action=dst-nat chain=dstnat comment="HTTP port forward" dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.40.0.10 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS port forward" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.40.0.10 to-ports=443
/ip route
add gateway=10.39.0.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.40.0.0/16,10.41.0.0/24
set api disabled=yes
set winbox address=10.40.0.0/16,10.41.0.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no

Re: Issue with multiple SSID / LAN

Posted: Tue Mar 26, 2024 8:43 pm
by TheCat12
To be honest I don't see any ports/interfaces set on the IoT bridge and that would explain why they share the same pool - because they're in the same bridge

Re: Issue with multiple SSID / LAN

Posted: Wed Mar 27, 2024 3:54 am
by UkRainUa
Delete one from bridge or use vlan for second SSID (layer2) and routing between networks (layer3).Image

Re: Issue with multiple SSID / LAN

Posted: Wed Mar 27, 2024 8:20 am
by TheCat12
Also remove detect-interface if you don't need it. It is known among the community to not work properly. And i don't see any "MOOX - MAIN" and "MOOX - IOT DEVICES" configurations which are set in the provisioning

Re: Issue with multiple SSID / LAN

Posted: Fri Mar 29, 2024 7:13 pm
by marcobag84
Thank you, i'll try the suggested changes and i'll update this post in the following day.

Re: Issue with multiple SSID / LAN

Posted: Sat Mar 30, 2024 11:42 am
by DuctView
A bit late to this, but this video from Cat5tv https://www.youtube.com/watch?v=gcwbhncwPug shows setting up a guest network with a different IP range and its own SSID, which is what you want, even though it is for a different use case
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/