I bought myself a combo of an RB2011 (no Wifi) and a UniFi AP-AC
Got the following to work:
Simple local network
- interface G5 set to separate VLAN (vlan-id 30, separate DHCP network 192.168.30.0/24)
The separate VLAN is allowed only access to the outside
G2,G3,G4 are all connected to bridge-local
The UniFi AP is connected to G2 via wire of course.
On the UniFi I have defined the following WLANs:
WLAN1 ("K1") no-vlan
WLAN2 ("K2") no vlan
WLAN3 (KGuests), tagged vlan-id=3, guest-hotspot handling enabled!
WLAN4 (KTrev), tagged with vlan-id=30
In bridge-local I have my own DHCP servers etc. which are assigning IPs from 192.168.0.0/24 atm. This works.
The Unifi controller sits at 192.168.0.23
The UniFi AP AC has static IP 192.168.0.24
WLAN K2 works just fine. I get onto my bridge-local LAN, DHCP etc all work.
However:
WLAN3 Guest does not work. When I tried to have the Mikrotik assign IP addresses, it would get an address,
but the DHCP server did not hand out the (requested) 'Routers' option (Option 3), even though in the
DHCP server's network the gateway was defined. Is this a known bug?
So I instead set up DHCP relay to my own DHCP servers and set up a separate network there,
with the Routers option defined, and that assigns it.
Still, when I connect to this WLAN3/KGuests and request a page (to make the browser connect to the UniFi controller
which manages the hotspot), I see the TCP SYN to 192.168.0.23:8880.
The hotspot controller does answer (SYN-ACK), but the reply never arrives at the client, being trapped by the
'invalid' traffic filter. But even if I disable that invalid traffic filter, no dice.
Even stranger is the WLAN4/KTrev. I get effectively nothing into the router from that WLAN (it has no hotspot feature). No DHCP requests are arriving, nothing.
I suspect this has to do with the fact that all this traffic is arriving on the Mikrotik on the G2 port.
Here is my setup (split for readability, with some comments)
# Bridges: bridge-local is the main LAN (G2/G3/G4 plus the switch2 master port, see /interface bridge port),
# bridge-Trev carries the VLAN-30 "Trev" network, and bridge-loopback only holds 127.0.0.2/32 (see /ip address).
/interface bridge
add name=bridge-Trev
# admin-mac is pinned so the bridge MAC does not change as ports come and go; the value is redacted in the post.
add admin-mac=4C:5E:0C:xx:xx:xx auto-mac=no name=bridge-local
add name=bridge-loopback
# Physical ports. ether1 is the WAN (renamed G1-world; its MAC override is redacted in the post),
# ether2..ether5 become G2..G5, ether6 is the master of the switch2 group and ether8..ether10 are its
# slave ports (forwarded by the switch chip). ether7 is set aside for a hotspot segment that is only
# referenced by disabled rules further down.
/interface ethernet
set [ find default-name=ether1 ] mac-address=XX:XX:XX:XX:XX:XX name=G1-world
set [ find default-name=ether2 ] name=G2
set [ find default-name=ether3 ] name=G3
set [ find default-name=ether4 ] name=G4
set [ find default-name=ether5 ] name=G5-Trev
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] name=ether7-Hotspot
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
ether10-slave-local
# Neighbor discovery is turned off on the WAN so the router does not announce itself to the outside.
/ip neighbor discovery
set G1-world discover=no
# Only a comment is set on the guest VLAN here; discovery itself stays enabled on it.
# NOTE(review): a guest/hotspot segment normally gets discover=no too, like G1-world above — confirm.
/ip neighbor discovery
set vlan-Kguests-3 comment="VLAN for the KGuests Hotspot SSID"
# 802.1Q sub-interfaces. VLAN-Trev-30 is bound to the physical port G5-Trev; vlan-Kguests-3 is bound to
# bridge-local itself, which is what lets tagged VLAN-3 frames from the AP on G2 reach the router.
# NOTE(review): the AP sends WLAN4 tagged with vlan-id 30 on G2, a bridge-local port, but there is no
# VLAN-30 interface on bridge-local (or on G2) — only on G5-Trev. Those tagged frames therefore have no
# interface to land on, which is the most likely reason no DHCP requests from WLAN4 ever reach the router.
# Following the KGuests pattern (a VLAN-30 interface on bridge-local, made a member of bridge-Trev)
# would presumably be needed — confirm.
/interface vlan
add interface=G5-Trev l2mtu=1594 name=VLAN-Trev-30 vlan-id=30
add comment="VLAN for the KGuests Hotspot SSID" interface=bridge-local l2mtu=\
1594 name=vlan-Kguests-3 vlan-id=3
In particular, I tried defining a 'VLAN-local' which was to become part of bridge-local, but I didn't want to restrict it to a particular interface. But one has to be selected (and one can select bridge-local again).
# Switch-chip port setting. Index 4 is G5-Trev (see the print output below): untagged frames entering it
# get default-vlan-id 30 and any tag is stripped on the way out, i.e. an access-port style setup on the chip.
# NOTE(review): vlan-mode stays "disabled" on every port and the switch VLAN table (end of the post) is
# empty, so the chip is not enforcing VLAN membership anywhere — confirm that is what was intended.
/interface ethernet switch port
set 4 default-vlan-id=30 vlan-header=always-strip
/interface ethernet switch port> print
Flags: I - invalid
# NAME SWITCH VLAN-MODE VLAN-HEADER DEFAULT-VLAN-ID
0 G1-world switch1 disabled leave-as-is auto
1 G2 switch1 disabled leave-as-is auto
2 G3 switch1 disabled leave-as-is auto
3 G4 switch1 disabled leave-as-is auto
4 G5-Trev switch1 disabled always-strip 30
5 ether6-master-local switch2 disabled leave-as-is 0
6 ether7-Hotspot switch2 disabled leave-as-is 0
7 ether8-slave-local switch2 disabled leave-as-is 0
8 ether9-slave-local switch2 disabled leave-as-is 0
9 ether10-slave-local switch2 disabled leave-as-is 0
10 switch1-cpu switch1 disabled leave-as-is auto
11 switch2-cpu switch2 disabled leave-as-is 0
# Address pools used by the on-router DHCP servers.
# default-dhcp is the RouterOS factory pool (192.168.88.0/24); the post says bridge-local actually uses
# 192.168.0.0/24 from separate DHCP servers, so this pool is presumably a leftover of the default config.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Pool-Trev-VLAN ranges=192.168.30.10-192.168.30.200
add name=Pool-KGuests ranges=192.168.3.100-192.168.3.254
# DHCP server instances, one per segment.
# NOTE(review): "default" on bridge-local (192.168.88.x pool) runs alongside the external 192.168.0.41/.42
# servers on the same LAN, so clients there can be answered by either — confirm this is intended, or
# disable it. DHCP-Kguests shares vlan-Kguests-3 with the dhcp-relay defined further down; presumably
# only one of the two is meant to be active at a time.
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
add address-pool=Pool-KGuests interface=vlan-Kguests-3 name=DHCP-Kguests
add address-pool=Pool-Trev-VLAN disabled=no interface=bridge-Trev lease-time=\
1d name=dhcp-Trev
# Upload shaping: "P4-Internet Total-UP" is the parent on the WAN interface; children are selected by
# packet-mark (the Trev / KGuests marks are set in /ip firewall mangle).
# NOTE(review): P1-mathias and P8-TV carry no packet-mark, so it is unclear what traffic they would
# ever match; P5-Trev-Down has no parent at all — probably meant to hang off bridge-Trev the way
# P8-Kguests-down hangs off vlan-Kguests-3. Confirm.
/queue tree
add name="P4-Internet Total-UP" parent=G1-world queue=default
add name=P1-mathias parent="P4-Internet Total-UP" priority=1 queue=\
pcq-upload-default
add name=P5-Trev packet-mark=Trev parent="P4-Internet Total-UP" priority=5 \
queue=pcq-upload-default
add limit-at=10k max-limit=15k name=P8-TV parent="P4-Internet Total-UP" \
queue=pcq-upload-default
add limit-at=128k max-limit=130k name=P7-KGuests packet-mark=KGuests parent=\
"P4-Internet Total-UP" priority=7 queue=default
add limit-at=768k max-limit=1M name=P5-Trev-Down queue=default
add limit-at=250k max-limit=300k name=P8-Kguests-down parent=vlan-Kguests-3 \
queue=default
# Bridge membership. G2 (the AP uplink), G3, G4 and the switch2 master port form bridge-local;
# G5-Trev and its VLAN sub-interface form bridge-Trev.
# NOTE(review): the G1-world entry has no bridge= (it shows as bridge=*F and inactive in the print output
# below). A WAN port should not be a bridge port in any case, so this entry looks like a stray to remove.
# NOTE(review): G5-Trev (untagged, switch default-vlan-id 30) and VLAN-Trev-30 (a VLAN sub-interface of that
# same port) are both members of bridge-Trev — confirm both memberships are needed.
/interface bridge port
add bridge=bridge-local interface=G3
add bridge=bridge-local interface=G4
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-Trev interface=G5-Trev
add interface=G1-world
add bridge=bridge-Trev interface=VLAN-Trev-30
add bridge=bridge-local interface=G2
/interface bridge port> print detail
Flags: X - disabled, I - inactive, D - dynamic
0 interface=G3 bridge=bridge-local priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no
1 I interface=G4 bridge=bridge-local priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no
2 I interface=ether6-master-local bridge=bridge-local priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no
3 I interface=G5-Trev bridge=bridge-Trev priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no
4 I interface=G1-world bridge=*F priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no
5 I interface=VLAN-Trev-30 bridge=bridge-Trev priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no
6 interface=G2 bridge=bridge-local priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no
# NOTE(review): TCP SYN cookies are switched off while SSH and IPsec/L2TP are reachable from G1-world
# (see the input chain); SYN cookies are a cheap SYN-flood mitigation — confirm disabling them is deliberate.
/ip settings
set tcp-syncookies=no
# Router addresses per interface. 192.168.88.1/24 is the factory default-config address; only the
# static "router" DNS entry still refers to it.
# NOTE(review): vlan-Kguests-3 gets 192.168.3.1/32 while the DHCP pool leases 192.168.3.100-254 and
# bridge-Trev uses a proper /24. A /32 gives the router no connected route for 192.168.3.0/24, so replies
# from bridge-local hosts (e.g. the controller's SYN-ACK) toward a guest would follow the default route
# instead of going back out vlan-Kguests-3 — a likely reason the SYN-ACK never reaches the client. /24 was
# probably intended; confirm.
/ip address
add address=103.247.134.180/24 interface=G1-world network=103.247.134.0
add address=127.0.0.2/32 comment="Loopback bridge" interface=bridge-loopback \
network=127.0.0.2
add address=192.168.88.1/24 interface=bridge-local network=192.168.88.0
add address=192.168.30.1/24 interface=bridge-Trev network=192.168.30.0
# Disabled alternate LAN address; the active bridge-local address is 192.168.0.1/24 below.
add address=192.168.0.233/24 disabled=yes interface=bridge-local network=\
192.168.0.0
add address=192.168.3.1/32 interface=vlan-Kguests-3 network=192.168.3.0
add address=192.168.0.1/24 interface=bridge-local network=192.168.0.0
# Relays guest DHCP to the LAN-side servers at 192.168.0.41/.42; per the post these are the servers
# that currently hand out the Routers option for this segment. Note DHCP-Kguests in /ip dhcp-server
# is bound to the same interface.
/ip dhcp-relay
add dhcp-server=192.168.0.41,192.168.0.42 disabled=no interface=\
vlan-Kguests-3 name=KGuests
And this is the DHCP network definition. Note that the Kguests network did include the gateway definition, yet the DHCP server did not provide the Routers option (Option 3) to the client (yes, it was part of the PRL).
# Per-network DHCP options (gateway, DNS); the option set is chosen by matching the leased address
# against address=...
# NOTE(review): Kguests is defined as 192.168.3.0/32 and Trev as 192.168.30.1/32, while the pools lease
# 192.168.3.100-254 and 192.168.30.10-200 — addresses that fall outside those /32 prefixes. That is
# consistent with the missing Option 3 described in the post and points to a configuration issue rather
# than a bug; 192.168.3.0/24 and 192.168.30.0/24 (as in the "default configuration" entry) look intended.
/ip dhcp-server network
add address=192.168.3.0/32 comment=Kguests dns-server=8.8.8.8 gateway=\
192.168.3.1 netmask=24
add address=192.168.30.1/32 comment=Trev dns-server=8.8.8.8,8.8.4.4 gateway=\
192.168.30.1 netmask=24
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1 netmask=24
# The router acts as a caching resolver (the input chain accepts port 53 from bridge-Trev and
# vlan-Kguests-3). allow-remote-requests=yes also answers queries arriving on G1-world unless the input
# chain drops them; here the final "drop everything else from outside" rule does, so that rule must stay
# in place to avoid exposing an open resolver.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,103.11.48.190
# Static name for the factory-default LAN address (192.168.88.1 on bridge-local).
/ip dns static
add address=192.168.88.1 name=router
My rather large firewall. Still playing/testing things, so some of this may be unnecessary.
# Filter rules. Chains: input (to the router), forward (through the router), plus the custom chains
# bruteforce (SSH/OpenVPN staging lists), public-icmp (rate-limited ICMP for G1-world / ether7-Hotspot)
# and unused-hs-chain (disabled hotspot placeholder). Order within a chain is significant: the first
# matching terminating rule wins. The address lists referenced below (bogons, rfc1918, KGuests, Trev,
# DHCP, cDNSint, aDNSint) are not part of this export.
# NOTE(review): the forward chain has no final drop in this export, so forward traffic that matches no
# drop rule (e.g. anything new from bridge-local) is accepted by the chain default — confirm that is
# intended, or add a terminal drop after the final established/related accept.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# --- input: fast path for existing connections, then marked-traffic and spoofing drops ---
add chain=input comment=\
"default configuration: allow all established/related traffic" \
connection-state=established,related
add action=drop chain=input comment="drop traffic from suspected portscanner" \
packet-mark=portscan-suspected
add chain=input comment="always Allow SSH in - on local" connection-state=new \
dst-port=22 in-interface=bridge-local protocol=tcp
add action=drop chain=input comment="drop incoming from Bogons" log=yes \
log-prefix=Bogon packet-mark=In-Bogons
add action=drop chain=input comment="drop private addresses from outside !" \
in-interface=G1-world log=yes log-prefix="private outside\?" \
src-address-list=rfc1918
# --- input: SSH / OpenVPN, with brute-force staging for attempts from G1-world ---
add action=jump chain=input comment="check for SSH Brute force attacks" \
connection-state=new dst-port=22 in-interface=G1-world jump-target=\
bruteforce protocol=tcp
# NOTE(review): "!vlan-Kguests-3" also admits new SSH from bridge-Trev and from G1-world (once the
# bruteforce chain returns). If the Trev VLAN is meant to reach only the outside, in-interface=bridge-local
# (as in the rule above) would be the tighter match; if SSH from the Internet is wanted, keep it deliberate.
add chain=input comment="Allow SSH in - except from Kguests VLAN" \
connection-state=new dst-port=22 in-interface=!vlan-Kguests-3 protocol=\
tcp
add action=jump chain=input comment="Brute force handling also for OpenVPN" \
connection-state=new dst-port=1194 in-interface=G1-world jump-target=\
bruteforce protocol=tcp
# OpenVPN is only accepted from bridge-local; from G1-world it falls through to the final outside drop.
add chain=input comment="Allow OpenVPN in from local only" connection-state=\
new dst-port=1194 in-interface=bridge-local protocol=tcp
# --- input: router services the Trev and KGuests segments may use (ICMP, DNS, DHCP) ---
add chain=input comment="Allow ICMP from Trev" dst-address=192.168.30.1 \
in-interface=bridge-Trev protocol=icmp
add chain=input comment="Allow DNS from Trev" dst-port=53 in-interface=\
bridge-Trev protocol=tcp
add chain=input comment="Allow DNS from Trev" dst-port=53 in-interface=\
bridge-Trev protocol=udp
add chain=input comment="Allow DHCP from Trev" dst-port=67 in-interface=\
bridge-Trev protocol=udp
add chain=input comment="Allow ICMP from KGuests" in-interface=vlan-Kguests-3 \
protocol=icmp
add chain=input comment="Allow DNS from Kguests" dst-port=53 in-interface=\
vlan-Kguests-3 protocol=tcp
# These two are forward rules sitting among the input rules; ordering only matters within a chain, so
# they are the first rules of the forward chain and run before the KGuests drop rules further down.
# The KGuests-Portal packet mark (set in mangle) covers both directions of guest<->controller connections.
add chain=forward comment="Allow the KGuests network access to the UBNT Contro\
ller's guest portal port" packet-mark=KGuests-Portal
add chain=forward comment="allow Kguests access to DHCP" dst-port=67 \
packet-mark=KGuests protocol=udp
add chain=input comment="Allow DNS from KGuests" dst-port=53 in-interface=\
vlan-Kguests-3 protocol=udp
add chain=input comment="Allow DHCP from KGuests" dst-port=67 in-interface=\
vlan-Kguests-3 protocol=udp
# --- input: IPsec / L2TP accepted from every interface, including G1-world ---
# NOTE(review): udp/1701 (L2TP) is accepted without restriction here; if it is meant to run inside
# IPsec only, add an ipsec-policy match so bare L2TP is not reachable from the outside.
add chain=input comment=IPSEC connection-state=new dst-port=500 protocol=udp
add chain=input connection-state=new dst-port=1701 protocol=udp
add chain=input connection-state=new dst-port=4500 protocol=udp
add chain=input comment="allow in ipsec-esp" connection-state=new protocol=\
ipsec-esp
# --- input: ICMP; G1-world and ether7-Hotspot go through the rate-limited public-icmp chain,
# everything else is accepted outright ---
add action=jump chain=input comment="incoming public icmp" in-interface=\
G1-world jump-target=public-icmp protocol=icmp
add action=jump chain=input comment="icmp from hotspot" in-interface=\
ether7-Hotspot jump-target=public-icmp protocol=icmp
add chain=input comment="default configuration" protocol=icmp
# Terminal rule for the WAN: anything from G1-world not accepted above is dropped (not logged).
add action=drop chain=input comment="drop everything else from outside" \
in-interface=G1-world
# --- forward ---
# NOTE(review): the comment says "Allow" but action=drop. connection-mark=Trev is only set on new
# connections entering from bridge-Trev (see mangle), so a new connection from G1-world carrying that
# mark should not exist and this rule probably never matches.
add action=drop chain=forward comment=\
"Allow established traffic back to Trev's VLAN" connection-mark=Trev \
connection-state=!established,related in-interface=G1-world
add action=drop chain=forward comment="Drop bogons !" log=yes log-prefix=\
"No fwd bogons" src-address-list=bogons
add action=drop chain=forward comment="drop private from outside" \
in-interface=G1-world log=yes log-prefix="private outside\?" \
src-address-list=rfc1918
# Anti-spoofing for the two guest segments: sources outside the segment's address list are dropped.
add action=drop chain=forward comment="drop illegal addresses from KGuests" \
in-interface=vlan-Kguests-3 log=yes log-prefix="invalid address" \
src-address-list=!KGuests
add action=drop chain=forward comment=\
"drop invalid addresses from Trev's VLAN" in-interface=bridge-Trev log=\
yes log-prefix="invalid address" src-address-list=!Trev
# Experimental blocks. The address-list variant is disabled; the port variant is NOT and drops TCP to
# the listed ports for every segment, bridge-local included.
add action=drop chain=forward comment=\
"Block_Hotspot_Shield_Addresses_(test phase_zaib)" disabled=yes \
src-address-list=hotspotshield_zaib
add action=drop chain=forward comment=\
"Block_Hotspot_Shield_Ports_(test phase_zaib)" dst-port=\
990,179,105,706,5245,3451,15009 protocol=tcp
# Disabled; compare the active "drop all traffic to KGuests that is not from outside" rule below.
add action=drop chain=forward comment=\
"Allow only Establshed/related traffic back to the KGuests VLAN" \
connection-state=!established,related disabled=yes in-interface=G1-world \
log=yes out-interface=vlan-Kguests-3
# Trev may reach the LAN DHCP and DNS hosts (address lists DHCP / cDNSint / aDNSint); anything else from
# Trev that is not bound for G1-world is dropped. Same isolation for Kguests right after.
add chain=forward comment="allow Trev's subnet to reach DHCP" \
connection-mark=Trev dst-address-list=DHCP port=67,68 protocol=udp
add chain=forward comment="allow Trev's subnet to reach caching DNS" \
connection-mark=Trev dst-address-list=cDNSint port=53 protocol=udp
add chain=forward comment="allow Trev's subnet to reach auth DNS" \
connection-mark=Trev dst-address-list=aDNSint port=53 protocol=tcp
add action=drop chain=forward comment="drop all traffic from Trev to !world - \
needs to be augmented to allow printer, DNS etc" connection-mark=Trev \
in-interface=bridge-Trev out-interface=!G1-world
add action=drop chain=forward comment=\
"drop all traffic from Kguests to !world " connection-mark=Kguests \
in-interface=vlan-Kguests-3 out-interface=!G1-world
# Only effective once the (currently disabled) HS-auth-traffic marking in mangle is enabled.
add action=drop chain=forward comment=\
"drop auth hotspot traffic to anywhere internal" connection-mark=\
HS-auth-traffic out-interface=bridge-local
# Disabled: this is the "invalid traffic filter" mentioned in the post. With symmetric connection
# tracking the controller's SYN-ACK toward a guest is established, not invalid; an invalid classification
# usually means the reply took a different path (see the /32 note on /ip address).
add action=drop chain=forward comment="drop invalid traffic" \
connection-state=invalid disabled=yes log=yes log-prefix=dropINVALID
# Isolation: nothing new may be initiated toward the guest VLAN from any interface other than the WAN.
add action=drop chain=forward comment=\
"drop all traffic to KGuests that is not from outside" connection-state=\
new in-interface=!G1-world log=yes log-prefix=!world-KGuests \
out-interface=vlan-Kguests-3
# --- bruteforce: staged address lists. Each new SSH/OpenVPN connection from G1-world promotes the
# source one stage (stage1 1d -> stage2 10m -> stage3 30m); the fourth within the timeouts lands it in
# ssh_blacklist for 1w3d and later ones are dropped. With no terminating match the chain returns to input.
add action=drop chain=bruteforce comment="Drop SSH brute forcers" log=yes \
log-prefix=BruteForce! src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=bruteforce log=yes log-prefix=\
"SSH blacklisting" src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=30m chain=bruteforce src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=10m chain=bruteforce src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1d chain=bruteforce
# --- public-icmp: rate-limited (limit=5,5) accept of the listed ICMP types; the rest is dropped and logged ---
add chain=public-icmp comment="Limited Ping Flood - allow echo reply" \
icmp-options=0 limit=5,5 protocol=icmp
add chain=public-icmp comment="accept dest-unreachable 3" icmp-options=3:3 \
limit=5,5 protocol=icmp
add chain=public-icmp comment="accept dest unreachable 4" icmp-options=3:4 \
limit=5,5 protocol=icmp
add chain=public-icmp comment="accept echo request" icmp-options=8 limit=5,5 \
protocol=icmp
add chain=public-icmp comment="accept time exceeded" icmp-options=11 limit=\
5,5 protocol=icmp
add chain=public-icmp comment="accept source quench" icmp-options=4 limit=5,5 \
protocol=icmp
add action=drop chain=public-icmp log=yes log-prefix=ICMP
# --- output: accept-all (log-prefix is set but log=yes is not, so nothing is actually logged) ---
add chain=output port=22,8291,80 protocol=tcp
add chain=output log-prefix=OUTPUT
# --- forward tail ---
# Drops new inbound forward traffic from the WAN that was not dst-nat'ed. It comes after all the rules
# above, so anything a forward accept already matched never reaches it.
add action=drop chain=forward comment=\
"drop unDNATed traffic from the outside interface" connection-nat-state=\
!dstnat connection-state=new in-interface=G1-world log=yes log-prefix=\
drop!dstnattoWorld
# The mangle rule that sets OVPN-Traffic is disabled, so this currently matches nothing.
add chain=forward comment="allow new connections from OVPN" connection-mark=\
OVPN-Traffic connection-state=new log-prefix=OVPNnew
add chain=forward comment="allow all other established/related traffic" \
connection-state=established,related log-prefix=established
# Mangle: sets the packet and connection marks that the filter rules and the queue tree rely on.
# --- input-side marks consumed by the input drops in /ip firewall filter ---
# Bogon and RFC1918 sources on the WAN both receive the same In-Bogons packet mark.
/ip firewall mangle
add action=mark-packet chain=input comment="mark bogons" in-interface=\
G1-world new-packet-mark=In-Bogons src-address-list=bogons
add action=mark-packet chain=input comment="mark RFC1918" in-interface=\
G1-world new-packet-mark=In-Bogons src-address-list=rfc1918
# Port-scan detection (psd): sources exceeding the weight threshold go on portscan-suspected for 10m
# and their further packets are marked for the input drop.
add action=add-src-to-address-list address-list=portscan-suspected \
address-list-timeout=10m chain=input comment=\
"suspected portscan - add to list" in-interface=G1-world psd=21,3s,3,2
add action=mark-packet chain=input comment="mark suspected portscan" \
in-interface=G1-world new-packet-mark=portscan-suspected \
src-address-list=portscan-suspected
# --- forward-side marks ---
# FWD-rfc1918 / FWD-Bogons are set here but no filter or queue rule in this export references them;
# the corresponding forward drops match on src-address-list directly. The bogons rule has no
# in-interface, so it marks bogon-sourced connections from any direction.
add action=mark-connection chain=forward comment="Mark private from outside" \
in-interface=G1-world new-connection-mark=FWD-rfc1918 src-address-list=\
rfc1918
add action=mark-packet chain=forward comment="packet mark rfc1918" \
connection-mark=FWD-rfc1918 new-packet-mark=FWD-rfc1918
add action=mark-connection chain=forward comment="CONN Mark Bogons in FWD" \
connection-state=new new-connection-mark=FWD-Bogons src-address-list=\
bogons
add action=mark-packet chain=forward comment="packet mark bogons in FWD" \
connection-mark=FWD-Bogons connection-state=established,related \
new-packet-mark=FWD-Bogons
# KGuests-Portal: guest connections to the controller (192.168.0.23) get this mark with passthrough=no,
# so they never receive the generic Kguests mark below. The packet-mark rule has no in-interface, so
# both directions of such a connection are marked — which is what the forward accept for the portal needs.
add action=mark-connection chain=forward comment=\
"CONN mark traffic from Kguests to Portal" connection-state=\
established,related,new dst-address=192.168.0.23 in-interface=\
vlan-Kguests-3 new-connection-mark=KGuests-Portal passthrough=no
add action=mark-packet chain=forward comment=\
"Packet mark traffic from Kguests to Portal" connection-mark=\
KGuests-Portal new-packet-mark=KGuests-Portal passthrough=no
# Trev / Kguests: connection marks on new connections from each segment, then propagated to packet
# marks for every packet of those connections. Mark names are case-sensitive: the filter matches
# connection-mark=Kguests and the queue tree matches packet-mark=KGuests, and both spellings agree here.
add action=mark-connection chain=forward comment=\
"CONN mark traffic from Trev's VLAN" connection-state=new in-interface=\
bridge-Trev new-connection-mark=Trev
add action=mark-connection chain=forward comment=\
"conn mark NEW traffic from KGuests VLAN" connection-state=new \
in-interface=vlan-Kguests-3 new-connection-mark=Kguests
add action=mark-packet chain=forward comment=\
"packet mark ESTAB/RELATEDl of Trev's traffic" connection-mark=Trev \
new-packet-mark=Trev
add action=mark-packet chain=forward comment=\
"packet markESTAB/RELATED KGuests traffic" connection-mark=Kguests \
new-packet-mark=KGuests
# Disabled: OpenVPN (192.168.12.0/24) and ether7 hotspot (192.168.100.0/24) marking.
add action=mark-connection chain=forward comment="mark OVPN traffic" \
connection-state=new disabled=yes log=yes log-prefix=OVPN \
new-connection-mark=OVPN-Traffic src-address=192.168.12.0/24
add action=mark-connection chain=forward comment=\
"Hotspot - mark authenticated traffic" connection-state=new disabled=yes \
in-interface=ether7-Hotspot new-connection-mark=HS-auth-traffic \
src-address=192.168.100.0/24
add action=mark-packet chain=forward comment=\
"propagate connmark to packet-mark" connection-mark=HS-auth-traffic \
disabled=yes new-packet-mark=HS-auth-traffic
# Source NAT. The final "default configuration" masquerade has no src-address, so it already covers the
# Trev and Guest networks; the per-network rules above it only matter for ordering and counters. The
# hotspot masquerade is disabled together with the rest of the ether7 hotspot rules.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade Trev's network" \
out-interface=G1-world src-address=192.168.30.0/24
add action=masquerade chain=srcnat comment="masquerade Guest network" \
out-interface=G1-world src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=yes out-interface=G1-world src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=G1-world
# Default route via the ISP gateway (redacted as a.a.a.a in the post).
# NOTE(review): the disabled route points at 192.168.0.1, which is this router's own address on
# bridge-local (see /ip address), so it could never be a usable gateway here — presumably a leftover.
/ip route
add distance=1 gateway=a.a.a.a
add disabled=yes distance=1 gateway=192.168.0.1
# Only non-default values are exported: telnet off, www-ssl on. The other services (www, ftp, api,
# winbox, ssh) keep their defaults unless changed elsewhere.
# NOTE(review): the input chain admits SSH (tcp/22) from G1-world behind the bruteforce chain; if
# management is meant to be LAN-only, restrict the services with address= here as a second layer.
/ip service
set telnet disabled=yes
set www-ssl disabled=no
Interestingly, the export did not output some of the ethernet switch config, so here it is separately:
/interface ethernet switch port> print detail
Flags: I - invalid
0 name="G1-world" switch=switch1 vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=auto
1 name="G2" switch=switch1 vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=auto
2 name="G3" switch=switch1 vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=auto
3 name="G4" switch=switch1 vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=auto
4 name="G5-Trev" switch=switch1 vlan-mode=disabled vlan-header=always-strip default-vlan-id=30
5 name="ether6-master-local" switch=switch2 vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=0
6 name="ether7-Hotspot" switch=switch2 vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=0
7 name="ether8-slave-local" switch=switch2 vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=0
8 name="ether9-slave-local" switch=switch2 vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=0
9 name="ether10-slave-local" switch=switch2 vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=0
10 name="switch1-cpu" switch=switch1 vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=auto
11 name="switch2-cpu" switch=switch2 vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=0
/interface ethernet switch vlan> print
Flags: X - disabled, I - invalid
# SWITCH VLAN-ID PORTS
/interface ethernet switch vlan>