I'm having some trouble with getting guest and IoT WiFi SSIDs working in our home network. There are two issues:
The basic topology of our network is an RB5009UG+S+IN router connected to ISP that acts as the main router for the house, connected to a hAP ac3 that serves as the main AP for the house.
The hAP ac3 has a few things attached to it by ethernet cables (stereo, AppleTV, TV) that all get assigned properly to the ENTERTAINMENT_VLAN and are able to reach the internet.
We have a second AP to serve the front end of the house, but I've got it turned off for now for reasons that are irrelevant to this post. I force all DNS traffic on the router through a PiHole on the network.
Here's the main router config:
And the AP config:
Hoping somebody with more experience can easily spot anything I've got misconfigured. Aside from looking for the cause of the issues above, feel free to roast my configs!
- If I try to provision Guest as a slave config to our Mgmt or IoT configs, it never shows up on devices I'm trying to connect to it, so I'm probably missing some magic in the steps of how to set that up
- Devices that connect to the PiperNet_IoT SSID get assigned an IP address properly, from the IOT_POOL (10.0.40.2-10.0.40.254). However, they are unable to ping the gateway at 10.0.40.1. The main problem here is that there is no internet access on these devices. Devices that connect to the main PiperNet are able to reach internet, most likely because of the "allow all" rule in the firewall for the Mgmt subnet.
The basic topology of our network is an RB5009UG+S+IN router connected to ISP that acts as the main router for the house, connected to a hAP ac3 that serves as the main AP for the house.
The hAP ac3 has a few things attached to it by ethernet cables (stereo, AppleTV, TV) that all get assigned properly to the ENTERTAINMENT_VLAN and are able to reach the internet.
We have a second AP to serve the front end of the house, but I've got it turned off for now for reasons that are irrelevant to this post. I force all DNS traffic on the router through a PiHole on the network.
Here's the main router config:
Code:
# dec/31/2023 14:20:35 by RouterOS 7.1.1# model = RB5009UG+S+/caps-man channeladd band=5ghz-onlyac control-channel-width=20mhz extension-channel=eeeC frequency=5240 name=5ghz-onlyacadd band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=2.4GHz-bgn/interface bridgeadd admin-mac=DC:2C:6E:28:E1:FF auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes/interface ethernetset [ find default-name=ether4 ] disabled=yesset [ find default-name=ether8 ] disabled=yes/interface wireguardadd listen-port=13231 mtu=1420 name=wireguard1/interface vlanadd interface=bridge name=ENTERTAINMENT_VLAN vlan-id=50add interface=bridge name=GUEST_VLAN vlan-id=240add interface=bridge name=HOME_SEC_VLAN vlan-id=30add interface=bridge name=HOME_SVC_VLAN vlan-id=20add interface=bridge name=IOT_VLAN vlan-id=40add interface=bridge name=MGMT_VLAN vlan-id=9add interface=bridge name=NET_SVC_VLAN vlan-id=10/caps-man datapathadd bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=CAP_MGMT_DATAPATH vlan-id=9 vlan-mode=use-tagadd bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=CAP_IOT_DATAPATH vlan-id=40 vlan-mode=use-tagadd bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=CAP_GUEST_DATAPATH vlan-id=240 vlan-mode=use-tag/caps-man securityadd authentication-types=wpa2-psk name=CAP_MGMT_SECURITYadd authentication-types=wpa2-psk name=CAP_IOT_SECURITYadd authentication-types=wpa2-psk name=CAP_GUEST_SECURITY/caps-man configurationadd channel=5ghz-onlyac country="united states3" datapath=CAP_MGMT_DATAPATH installation=indoor name=CAP_MGMT_CONFIG security=CAP_MGMT_SECURITY ssid=PiperNetadd channel=2.4GHz-bgn country="united states3" datapath=CAP_IOT_DATAPATH installation=indoor name=CAP_IOT_CONFIG security=CAP_IOT_SECURITY ssid=PiperNet_IoTadd channel=5ghz-onlyac country="united states3" datapath=CAP_GUEST_DATAPATH installation=indoor name=CAP_GUEST_CONFIG security=CAP_GUEST_SECURITY ssid=PiperNet_Guest/caps-man interfaceadd configuration=CAP_IOT_CONFIG disabled=no l2mtu=1600 mac-address=<REDACTED> master-interface=none name=LivingRoomAP_2.4GHz radio-mac=<REDACTED> radio-name=<REDACTED>add configuration=CAP_MGMT_CONFIG disabled=no l2mtu=1600 mac-address=<REDACTED> master-interface=none name=LivingRoomAP_5GHz radio-mac=<REDACTED> radio-name=<REDACTED>add configuration=CAP_GUEST_CONFIG disabled=yes l2mtu=1600 mac-address=<REDACTED> master-interface=LivingRoomAP_5GHz name=LivingRoomAP_5GHz_Guest radio-mac=00:00:00:00:00:00 radio-name=""add configuration=CAP_IOT_CONFIG disabled=yes l2mtu=1600 mac-address=<REDACTED> master-interface=none name=OfficeAP_2.4GHz radio-mac=<REDACTED> radio-name=<REDACTED>add configuration=CAP_MGMT_CONFIG disabled=yes l2mtu=1600 mac-address=<REDACTED> master-interface=none name=OfficeAP_5GHz radio-mac=<REDACTED> radio-name=<REDACTED>/interface listadd comment=defconf name=WANadd comment=defconf name=LANadd name=VLANadd name=MGMT/interface wireless security-profilesset [ find default=yes ] supplicant-identity=MikroTik/ip pooladd name=default-dhcp ranges=192.168.88.10-192.168.88.254add name=MGMT_POOL ranges=10.0.0.2-10.0.0.254add name=NET_SVC_POOL ranges=10.0.10.2-10.0.10.254add name=HOME_SVC_POOL ranges=10.0.20.2-10.0.20.254add name=HOME_SEC_POOL ranges=10.0.30.2-10.0.30.254add name=IOT_POOL ranges=10.0.40.2-10.0.40.254add name=ENTERTAINMENT_POOL ranges=10.0.50.2-10.0.50.254add name=GUEST_POOL ranges=10.0.240.2-10.0.240.254/ip dhcp-serveradd address-pool=default-dhcp interface=bridge name=defconfadd address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCPadd address-pool=NET_SVC_POOL interface=NET_SVC_VLAN name=NET_SVC_DHCPadd address-pool=HOME_SVC_POOL interface=HOME_SVC_VLAN name=HOME_SVC_DHCPadd address-pool=HOME_SEC_POOL interface=HOME_SEC_VLAN name=HOME_SEC_DHCPadd address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCPadd address-pool=ENTERTAINMENT_POOL interface=ENTERTAINMENT_VLAN name=ENTERTAINMENT_DHCPadd address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP/user groupadd name=Readonly_API policy="api,!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp,!rest-api"/caps-man managerset enabled=yes/caps-man provisioningadd action=create-enabled master-configuration=CAP_MGMT_CONFIG slave-configurations=CAP_GUEST_CONFIGadd action=create-enabled master-configuration=CAP_IOT_CONFIG/interface bridge portadd bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=9add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether3add bridge=bridge comment=defconf interface=ether4add bridge=bridge comment=defconf interface=ether5add bridge=bridge comment="PoE Switch" interface=ether6add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=9add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether8add bridge=bridge comment=defconf interface=sfp-sfpplus1/ip neighbor discovery-settingsset discover-interface-list=LAN/interface bridge vlanadd bridge=bridge tagged=bridge,ether3,ether5,ether6,ether8 vlan-ids=9add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=20add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=30add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=40add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=50add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=240/interface list memberadd comment=defconf interface=bridge list=LANadd comment=defconf interface=ether1 list=WANadd interface=MGMT_VLAN list=VLANadd interface=NET_SVC_VLAN list=VLANadd interface=HOME_SVC_VLAN list=VLANadd interface=HOME_SEC_VLAN list=VLANadd interface=IOT_VLAN list=VLANadd interface=ENTERTAINMENT_VLAN list=VLANadd interface=GUEST_VLAN list=VLANadd interface=MGMT_VLAN list=MGMTadd interface=wireguard1 list=MGMTadd interface=wireguard1 list=LAN/interface wireguard peersadd allowed-address=10.0.1.2/32 interface=wireguard1 public-key="<REDACTED>"/ip addressadd address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0add address=10.0.0.1/24 interface=MGMT_VLAN network=10.0.0.0add address=10.0.10.1/24 interface=NET_SVC_VLAN network=10.0.10.0add address=10.0.20.1/24 interface=HOME_SVC_VLAN network=10.0.20.0add address=10.0.30.1/24 interface=HOME_SEC_VLAN network=10.0.30.0add address=10.0.40.1/24 interface=IOT_VLAN network=10.0.40.0add address=10.0.50.1/24 interface=ENTERTAINMENT_VLAN network=10.0.50.0add address=10.0.240.1/24 interface=GUEST_VLAN network=10.0.240.0add address=10.0.1.1/24 interface=wireguard1 network=10.0.1.0/ip cloudset ddns-enabled=yes ddns-update-interval=5m/ip dhcp-clientadd comment=defconf interface=ether1/ip dhcp-server networkadd address=10.0.0.0/24 gateway=10.0.0.1add address=10.0.1.0/24 gateway=10.0.1.1add address=10.0.10.0/24 gateway=10.0.10.1add address=10.0.20.0/24 gateway=10.0.20.1add address=10.0.30.0/24 gateway=10.0.30.1add address=10.0.40.0/24 gateway=10.0.40.1add address=10.0.50.0/24 gateway=10.0.50.1add address=10.0.240.0/24 gateway=10.0.240.1add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1/ip dnsset allow-remote-requests=yes servers=10.0.10.2/ip dns staticadd address=192.168.88.1 comment=defconf name=router.lan/ip firewall address-listadd address=10.0.30.0/24 comment="HOME_SEC subnet" list=WAN_DENIEDadd address=10.0.50.3 comment=AppleTV list=ALLOWS_HOMEASSISTANTadd address=10.0.40.3 comment=Printer list=ALLOWS_HOMEASSISTANTadd address=10.0.50.4 comment=Stereo list=ALLOWS_HOMEASSISTANTadd address=10.0.40.4 comment=Thermostat list=ALLOWS_HOMEASSISTANTadd address=10.0.50.5 comment="LG TV" list=ALLOWS_HOMEASSISTANTadd address=10.0.50.3 comment="Apple TV" list=UDP_ALLOWEDadd address=10.0.40.5 comment="Doorbell Camera" list=CAMERASadd address=10.0.30.2 comment="Back Porch Camera" list=CAMERASadd address=10.0.40.100 comment=Firestick list=EXPLICIT_ALLOW_WAN/ip firewall filteradd action=accept chain=input comment="Accept VPN UDP" dst-port=13231 protocol=udpadd action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked log-prefix=ESTABLISHEDadd action=accept chain=input comment="Allow MGMT full access" in-interface-list=MGMTadd action=accept chain=input comment="Allow PiHole TCP" dst-address=10.0.10.2 dst-port=53 in-interface-list=LAN protocol=tcpadd action=accept chain=input comment="Allow PiHole UDP" dst-address=10.0.10.2 dst-port=53 in-interface-list=LAN protocol=udpadd action=accept chain=input comment="Allow UDP" protocol=udp src-address-list=UDP_ALLOWEDadd action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix="Drop input invalid"add action=accept chain=input comment="defconf: accept ICMP" protocol=icmpadd action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=NON_LANadd action=drop chain=input comment="Drop all else" log=yes log-prefix="Dropped Input"add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yesadd action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untrackedadd action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsecadd action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsecadd action=accept chain=forward comment="Allow MGMT full access" in-interface-list=MGMTadd action=accept chain=forward comment="Allow Net Services Access to LAN" dst-address=10.0.10.2 in-interface-list=VLAN log=yes log-prefix="Allow Net Service Usage"add action=drop chain=forward comment="Deny WAN Access" log=yes log-prefix="Denied WAN" out-interface-list=WAN src-address-list=WAN_DENIEDadd action=accept chain=forward comment="Allow VLAN internet access" in-interface-list=VLAN out-interface-list=WANadd action=accept chain=forward comment="Allow HomeAssistant" dst-address-list=ALLOWS_HOMEASSISTANT src-address=10.0.20.5add action=accept chain=forward comment="Allow Frigate to Cameras" dst-address-list=CAMERAS src-address=10.0.20.2add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="Forward Invalid"add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="Forward not DSTNATed"add action=drop chain=forward comment="Drop all else" log=yes log-prefix="Dropped forward"/ip firewall natadd action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WANadd action=dst-nat chain=dstnat comment="Intercept DNS queries TCP" dst-address=!10.0.10.2 dst-port=53 protocol=tcp src-address=!10.0.10.2 to-addresses=10.0.10.2 to-ports=53add action=dst-nat chain=dstnat comment="Intercept DNS queries UDP" dst-address=!10.0.10.2 dst-port=53 protocol=udp src-address=!10.0.10.2 to-addresses=10.0.10.2 to-ports=53add action=masquerade chain=srcnat comment="Masquerade request to PiHole TCP" dst-address=10.0.10.2 dst-port=53 protocol=tcp src-address=10.0.0.0/8add action=masquerade chain=srcnat comment="Masquerade request to PiHole UDP" dst-address=10.0.10.2 dst-port=53 protocol=udp src-address=10.0.0.0/8/ip serviceset telnet disabled=yesset ftp disabled=yesset www address=10.0.0.0/24,10.0.1.0/24set ssh disabled=yesset api address=10.0.0.0/24,10.0.20.5/32set winbox address=10.0.0.0/24set api-ssl disabled=yes/ipv6 firewall address-listadd address=::/128 comment="defconf: unspecified address" list=bad_ipv6add address=::1/128 comment="defconf: lo" list=bad_ipv6add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6add address=100::/64 comment="defconf: discard only " list=bad_ipv6add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6/ipv6 firewall filteradd action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untrackedadd action=drop chain=input comment="defconf: drop invalid" connection-state=invalidadd action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udpadd action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udpadd action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ahadd action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-espadd action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsecadd action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LANadd action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untrackedadd action=drop chain=forward comment="defconf: drop invalid" connection-state=invalidadd action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6add action=accept chain=forward comment="defconf: accept HIP" protocol=139add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udpadd action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ahadd action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-espadd action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsecadd action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LANadd action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untrackedadd action=drop chain=input comment="defconf: drop invalid" connection-state=invalidadd action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udpadd action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udpadd action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ahadd action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-espadd action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsecadd action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LANadd action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untrackedadd action=drop chain=forward comment="defconf: drop invalid" connection-state=invalidadd action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6add action=accept chain=forward comment="defconf: accept HIP" protocol=139add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udpadd action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ahadd action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-espadd action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsecadd action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN/system clockset time-zone-name=America/Denver/system routerboard settingsset cpu-frequency=auto/tool mac-serverset allowed-interface-list=LAN/tool mac-server mac-winboxset allowed-interface-list=LAN/tool netwatchadd down-script=\ ":log warning \"PiHole offline. Changing DNS\"\r\ \nsystem script run BeepDown\r\ \nip dns set servers=\"1.1.1.1\"" host=10.0.10.2 interval=5s up-script=":log warning \"PiHole back online. Changing DNS\"\r\ \nsystem script run BeepUp\r\ \nip dns set servers=\"10.0.10.2\""Code:
# dec/31/2023 18:17:49 by RouterOS 6.47.9# model = RBD53iG-5HacD2HnD/interface bridgeadd admin-mac=2C:C8:1B:A0:58:58 auto-mac=no comment=defconf name=bridgeLocal protocol-mode=none vlan-filtering=yes/interface wireless# managed by CAPsMAN# channel: 2412/20-Ce/gn(27dBm), SSID: PiperNet_IoT, local forwardingset [ find default-name=wlan1 ] disabled=no ssid=MikroTik# managed by CAPsMAN# channel: 5240/20-eeeC/ac(25dBm), SSID: PiperNet, local forwardingset [ find default-name=wlan2 ] disabled=no ssid=MikroTik/interface vlanadd interface=bridgeLocal name=ENTERTAINMENT_VLAN vlan-id=50add interface=bridgeLocal name=GUEST_VLAN vlan-id=240add interface=bridgeLocal name=IOT_VLAN vlan-id=40add interface=bridgeLocal name=MGMT_VLAN vlan-id=9add interface=bridgeLocal name=NET_SVC_VLAN vlan-id=10/interface wireless security-profilesset [ find default=yes ] supplicant-identity=MikroTik/interface bridge portadd bridge=bridgeLocal comment="Trunk Port" frame-types=admit-only-vlan-tagged interface=ether1add bridge=bridgeLocal comment="Uses ENTERTAINMENT_VLAN" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=50add bridge=bridgeLocal comment="Uses ENTERTAINMENT_VLAN" frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=50add bridge=bridgeLocal comment="Uses ENTERTAINMENT_VLAN" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=50add bridge=bridgeLocal comment=defconf interface=ether5/interface bridge vlanadd bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=9add bridge=bridgeLocal tagged=ether1 vlan-ids=50add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=40add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=240add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=10/interface wireless capset bridge=bridgeLocal caps-man-addresses=10.0.0.1 discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1,wlan2/ip dhcp-clientadd comment=defconf interface=bridgeLocaladd disabled=no interface=MGMT_VLAN/system clockset time-zone-name=America/Denver/system identityset name="Living Room AP"Statistics: Posted by jbarry — Mon Jan 01, 2024 6:02 pm