Hi, I created a WiFi network for guests. DHCP works and assigns me an IP address, but I can't access the internet from this network. I tried disabling the firewall rules and the bogons list. The config is posted below.
Code:
# 2024-03-17 11:28:58 by RouterOS 7.14.1
# software id = AUFB-4CQ1
#
# model = C53UiG+5HPaxD2HPaxD
#
# Configuration export posted with the question "guest WiFi gets a DHCP lease but has no
# internet access". Commands are unchanged and restored to one per line; lines starting
# with "# NOTE(review):" are reviewer annotations, not part of the original export.
/interface bridge
add comment="BRIDGE LAN" name=LAN protocol-mode=none vlan-filtering=yes
add comment="WTK BRIDGE" name=WAN protocol-mode=none
/interface ethernet
# NOTE(review): 1321231231 is not in MAC address notation - presumably redacted by the poster.
set [ find default-name=ether1 ] comment=WTK mac-address=1321231231
set [ find default-name=ether2 ] comment=1/1
set [ find default-name=ether3 ] comment=1/2 disabled=yes
set [ find default-name=ether4 ] comment=2/1
set [ find default-name=ether5 ] comment=2/2
/interface wireguard
# NOTE(review): listen-port is 12232, but the only UDP accept rule in the input chain below
# is for dst-port=13231. If that rule is meant for this interface, the two do not match.
add listen-port=12232 mtu=1420 name="WIREGUARD VPN"
/interface vlan
# Layer-3 interface for the guest network: VLAN 10 on top of the LAN bridge.
add interface=LAN name=GUEST_VLAN_10 vlan-id=10
/interface list
add name=mactel
/interface wifi datapath
add bridge=LAN name=guest vlan-id=10
/interface wifi security
# Two WPA2-PSK profiles with WPS and PMKID disabled. No passphrase appears in this export.
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 group-encryption=ccmp name="Wifi prywatne" wps=disable
add authentication-types=wpa2-psk comment="GUEST NETWORK" disable-pmkid=yes disabled=no encryption=ccmp,ccmp-256 name="Guest network" wps=disable
/interface wifi configuration
add channel.band=5ghz-a .width=20/40/80mhz country=Poland disabled=no mode=ap name="Wifi konfig" security="Wifi prywatne" ssid=Piorun5
add channel.band=5ghz-a .width=20/40/80mhz country=Poland datapath.vlan-id=10 disabled=no mode=ap name="GUEST NETWORK" security="Guest network" security.authentication-types=wpa2-psk .disable-pmkid=yes .wps=disable
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-ax .width=20/40mhz configuration="Wifi konfig" configuration.mode=ap .ssid=Mikroboj2 disabled=no name=2 security="Wifi prywatne" security.authentication-types=wpa2-psk .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .group-encryption=ccmp
# NOTE(review): this interface sets security.authentication-types=wpa3-psk inline while the
# referenced profile "Wifi prywatne" says wpa2-psk - presumably the inline value wins; confirm
# that the 5 GHz and 2.4 GHz radios are meant to differ.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .width=20/40/80mhz configuration="Wifi konfig" configuration.mode=ap .ssid=Mikromen5 disabled=no name=5 security="Wifi prywatne" security.authentication-types=wpa3-psk .encryption=ccmp,gcmp,ccmp-256,gcmp-256
# Guest SSID as a virtual AP on the 5 GHz radio (master-interface=5).
# NOTE(review): VLAN 10 is applied to this AP twice - via datapath.vlan-id=10 here and via a
# manual bridge port (pvid=10, admit-only-vlan-tagged) plus a tagged bridge-vlan entry below.
# The poster reports that DHCP works, so layer 2 evidently passes; still confirm against the
# RouterOS wifi documentation which of the two methods this driver expects.
# NOTE(review): interworking.internet=no is presumably only an advertised 802.11u hint and
# not a traffic filter - confirm before treating it as the cause.
add comment="virtual wifi interface for guest" configuration="GUEST NETWORK" configuration.mode=ap .ssid=MikroGuest datapath.bridge=LAN .interface-list=all .vlan-id=10 disabled=no interworking.internet=no mac-address=7A:9A:18:30:DE:D5 master-interface=5 name="Guest Network" security="Guest network" security.authentication-types=wpa2-psk
/ip pool
add name="PULA LAN " ranges=10.27.0.70-10.27.0.244
# NOTE(review): the guest pool hands out .1-.254; if the router's guest address is moved to a
# host address (see /ip address below), that address must be excluded from this range.
add name="guest pool" ranges=10.27.10.1-10.27.10.254
/ip dhcp-server
add add-arp=yes address-pool="PULA LAN " interface=LAN name=dhcp_ether2
add address-pool="guest pool" interface=GUEST_VLAN_10 name="guest network"
/interface bridge port
add bridge=WAN interface=ether1
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=5
add bridge=LAN interface=2
add bridge=LAN frame-types=admit-only-vlan-tagged interface="Guest Network" pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=LAN tagged="Guest Network,LAN" vlan-ids=10
/interface list member
add interface=ether2 list=mactel
/ip address
add address=10.27.0.11/24 interface=LAN network=10.27.0.0
add address=10.27.2.11/24 disabled=yes interface="WIREGUARD VPN" network=10.27.2.0
# NOTE(review): the router's guest address is 10.27.10.0/24, i.e. identical to network=10.27.10.0
# (the subnet's network address). This looks like a typo for a host address inside the subnet;
# some clients may refuse a gateway whose host part is all zeros.
add address=10.27.10.0/24 interface=GUEST_VLAN_10 network=10.27.10.0
/ip dhcp-client
add interface=WAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.27.0.16 client-id=1:d8:3a:dd:8c:57:47 mac-address=D8:3A:DD:8C:57:47 server=dhcp_ether2
add address=10.27.0.15 client-id=1:74:40:bb:c9:5b:d mac-address=74:40:BB:C9:5B:0D server=dhcp_ether2
/ip dhcp-server network
add address=10.27.0.0/24 dns-server=10.27.0.16 gateway=10.27.0.11 netmask=24
# NOTE(review): guests are given gateway=10.27.10.0 (the network address, see above) and
# dns-server=1.1.1.1. Because the resolver is on the internet, even name resolution for guests
# depends on forwarding and NAT through WAN working for 10.27.10.0/24.
add address=10.27.10.0/24 dns-server=1.1.1.1 gateway=10.27.10.0
/ip firewall address-list
# The bogons list below does not contain 10.0.0.0/8, so the "Drop to bogon list" forward rule
# does not match the 10.27.x.x subnets used here.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
/ip firewall filter
# Rules are evaluated top to bottom per chain; order matters.
# NOTE(review): input chain - the final "Drop anything else!" rule is disabled=yes, so anything
# not dropped by an earlier rule is accepted by default, on every interface including WAN and
# the guest VLAN. None of the input rules restrict by in-interface except the two winbox rules,
# which RouterOS itself flags as not applicable (see the generated comments further down).
# NOTE(review): forward chain - there is no accept for established/related and no terminating
# drop; the only guest isolation is the single rule dropping 10.27.10.0/24 -> 10.27.0.0/24.
# Guest access to the router itself (input chain) is not restricted by any rule shown here.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
# NOTE(review): dst-port=13231 does not match the WireGuard listen-port=12232 defined above.
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST " disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
# NOTE(review): the two DNS rules use port=53, which matches source OR destination port, and
# have no in-interface matcher, so they also apply to packets arriving on WAN. The /ip dns
# section is absent from this export; if remote requests are ever enabled there, scope these
# rules to the internal interfaces and use dst-port instead.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list wylacozne111111111111111" disabled=yes src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
# ICMP chain: reached by jumps from input, forward and output; accepts the listed types and
# drops every other ICMP packet.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=input src-address=115.243.85.101
add action=drop chain=input src-address=188.166.226.191
# NOTE(review): the next two "in/out-interface matcher not possible" lines are generated by
# RouterOS, not by the poster. ether2 is a port of bridge LAN, so both winbox rules reference an
# interface the matcher cannot use and presumably never match; combined with the disabled final
# drop, TCP 8291 is then not restricted by this rule set. The address list "management" is also
# not defined anywhere in this export.
# in/out-interface matcher not possible when interface (ether2) is slave - use master instead (LAN)
add action=accept chain=input comment="winbox" dst-port=8291 in-interface=ether2 protocol=tcp src-address-list=management
# in/out-interface matcher not possible when interface (ether2) is slave - use master instead (LAN)
add action=drop chain=input comment="blokuje wszystko poza ether2" dst-port=8291 in-interface=!ether2 protocol=tcp
# Guest isolation: blocks traffic from the guest subnet to the private LAN subnet.
add action=drop chain=forward dst-address=10.27.0.0/24 src-address=10.27.10.0/24
/ip firewall nat
# NOTE(review): most likely cause of the reported symptom. Masquerade is limited to
# src-address=10.27.0.0/24, so packets from the guest subnet 10.27.10.0/24 leave WAN with their
# private source address and replies cannot return. Either add a second masquerade rule for the
# guest subnet or remove the src-address matcher so everything leaving WAN is translated.
add action=masquerade chain=srcnat out-interface=WAN src-address=10.27.0.0/24
/ip service
# telnet, ftp, www, ssh, api and api-ssl are disabled. winbox is not listed, so it is left at
# its default state, and no address= restriction is shown for it in this export.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
# NOTE(review): the default share is switched on (disabled=no) and a second share exposes usb2.
# Whether the SMB service itself is enabled is not shown here; if it is, the permissive input
# chain above would not keep WAN or guest clients away from it - confirm.
set [ find default=yes ] directory=/pub disabled=no
add directory=usb2 name=Pliczki
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# NOTE(review): the same established/related/untracked accept rule appears six times, and
# neither the input nor the forward chain ends with a drop rule, so IPv6 traffic that matches
# nothing is accepted. Whether IPv6 is in use on this router is not visible in the export.
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input port=33434-33534 protocol=udp
add action=accept chain=input dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input ipsec-policy=in,ipsec
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward src-address-list=bad_ipv6
add action=drop chain=forward dst-address-list=bad_ipv6
add action=drop chain=forward hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward ipsec-policy=in,ipsec
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-layer management (mac-server and mac-winbox) is limited to the "mactel" interface list,
# whose only member in this export is ether2.
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mactel
/tool mac-server ping
set enabled=no
Statistics: Posted by Bolendox — Sun Mar 17, 2024 12:39 pm