Ahoj, už jsem zoufalý - mám mikrotik, ve kterém přes CAPsMANa jsou wifi na AP, kde jedna wifi pro hosty je pověšena na VLAN a dostává jinou IP z DHCP. Problém je, že tato wifi nemá přístup do internetu, i když by ho měla mít. Když dám torch na pppoeOUT interface, tak vidím, že source addr z této wifi nejsou přeloženy.
Dokázal by někdo poradit?
Tady je export konfigurace:
`
# CAPsMAN channel presets, the LAN bridge, the PPPoE WAN client and the
# router's own two radios.
/caps-man channel
add band=5ghz-n/ac name=5g
add band=2ghz-g/n control-channel-width=20mhz frequency=2437,2462,2412 name=24g \
tx-power=8
/interface bridge
add admin-mac=18:FD:74:93:A8:C5 auto-mac=no comment=defconf name=bridge
# bridge_hosts is disabled; the guest network is built on vlan20 on top of
# "bridge" instead.
add disabled=yes name=bridge_hosts
/interface pppoe-client
# NOTE(review): allow=pap restricts authentication to PAP, which carries the
# PPPoE password unencrypted on the access link. If the ISP accepts CHAP or
# MS-CHAPv2, prefer those - confirm with the provider.
add add-default-route=yes allow=pap dial-on-demand=yes disabled=no interface=\
ether1 max-mru=1500 max-mtu=1500 mrru=1600 name=pppoe-out1 use-peer-dns=yes \
user=8474
/interface wireless
# No security-profile is shown on either radio, so presumably both use the
# default profile - verify on the device.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=wifi_kenod_patro wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge name=wlan2-5g ssid=wifi_kenod_patro_5G wireless-protocol=802.11
# Guest VLAN interface, CAPsMAN datapaths/security/configurations, interface
# lists, local wireless security profiles and the local guest virtual AP.
/interface vlan
# VLAN 20 is terminated on the LAN bridge; the guest DHCP server and the guest
# gateway address are attached to this interface.
add interface=bridge name=vlan20 vlan-id=20
/caps-man datapath
add bridge=bridge local-forwarding=yes name=wifi_dole
# Guest datapath: client traffic is tagged with VLAN 20. With
# local-forwarding=yes the CAP forwards frames itself, so the wired path
# between each CAP and this router presumably has to carry VLAN 20 tagged -
# verify on the switches/CAPs in between.
add bridge=bridge local-forwarding=yes name=hosts vlan-id=20 vlan-mode=use-tag
/caps-man rates
add basic=12Mbps name=GN supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
# Both CAPsMAN profiles are WPA2-PSK with AES-CCM. No passphrase appears in
# this export, so it cannot be told from here whether the guest profile
# ("hosts") uses a different key than "security1"; it should.
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=1h name=security1
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=1h name=hosts
/caps-man configuration
add channel=24g country="czech republic" datapath=wifi_dole installation=indoor \
mode=ap multicast-helper=full name=wifi24 rates=GN security=security1 ssid=\
wifi_kenod
add channel=5g country="czech republic" datapath=wifi_dole installation=indoor \
mode=ap multicast-helper=full name=wifi5 security=security1 ssid=wifi_kenod
# Guest SSID: uses the VLAN 20 datapath and the separate "hosts" security profile.
add channel=24g country="czech republic" datapath=hosts installation=indoor \
mode=ap multicast-helper=full name=guests rates=GN security=hosts ssid=\
kenod_guests
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Separate list for the guest VLAN, so firewall rules can tell guests from LAN.
add name=VLAN
/interface wireless security-profiles
# NOTE(review): the default profile still accepts legacy WPA (wpa-psk) next to
# WPA2; drop wpa-psk unless an old client needs it.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guests \
supplicant-identity=""
/interface wireless
# Virtual AP on wlan1 for the guest SSID, tagging client traffic with VLAN 20.
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:93:A8:C9 \
master-interface=wlan1 multicast-buffering=disabled name=wlan_guests \
security-profile=guests ssid=kenod_guests vlan-id=20 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# Address pools and DHCP servers, the API user group, CAPsMAN manager and
# provisioning, bridge ports, discovery settings and interface-list membership.
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
# Guest DHCP server: hands out dhcp_pool1 (10.10.10.x) on vlan20.
add address-pool=dhcp_pool1 disabled=no interface=vlan20 name=dhcp1
/user group
# Group limited to read, test and api; every other policy is explicitly negated.
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,!w\
rite,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
/caps-man manager
# NOTE(review): no certificate requirement (require-peer-certificate) is shown,
# so presumably any CAP that can reach the manager gets provisioned with the
# SSID configuration - confirm, and consider certificates if the LAN is shared
# with devices that are not trusted.
set enabled=yes
/caps-man provisioning
# Radios supporting gn get "wifi24" plus the guest SSID as a slave configuration.
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
wifi24 name-format=prefix-identity name-prefix=24G slave-configurations=\
guests
# Radios supporting ac get "wifi5" only; no guest SSID is provisioned on them.
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
wifi5 name-format=prefix-identity name-prefix=5G
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2-5g
# The three bridge_hosts ports below are disabled.
add bridge=bridge_hosts disabled=yes interface=wlan_guests
add bridge=bridge_hosts disabled=yes interface=D
add bridge=bridge_hosts disabled=yes interface=165
/ip neighbor discovery-settings
# Neighbor discovery is limited to LAN-list interfaces.
set discover-interface-list=LAN
/interface detect-internet
# NOTE(review): Detect Internet runs on every interface. If nothing depends on
# it, detect-interface-list=none removes one moving part while troubleshooting.
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
add disabled=yes interface=bridge_hosts list=LAN
# vlan20 belongs to VLAN only, not LAN, so firewall rules keyed on the LAN list
# do not treat guests as LAN.
add interface=vlan20 list=VLAN
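# Wireless access-list entry matching a single client MAC address; no other
# matchers or actions are set on it.
/interface wireless access-list
add mac-address=4E:2E:D2:C7:6D:51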
# Local CAP settings, the router's IP addresses and the defconf DHCP client.
/interface wireless cap
set bridge=bridge caps-man-addresses=192.168.1.1 discovery-interfaces=bridge \
interfaces=wlan1
/ip address
# The LAN address is a /16, while the DHCP network for the same bridge is
# declared as 192.168.1.0/24 further down in this export.
add address=192.168.1.1/16 interface=bridge network=192.168.0.0
add address=10.10.10.1/24 disabled=yes interface=bridge_hosts network=\
10.10.10.0
# NOTE(review): no prefix length is given, so this address is a /32
# (network=10.10.10.1). The router then has no connected route for
# 10.10.10.0/24, and replies to guest clients would presumably follow the
# default route instead of vlan20 - likely related to the guest Wi-Fi having no
# internet access. The disabled entry above shows the intended form,
# 10.10.10.1/24 with network=10.10.10.0.
add address=10.10.10.1 interface=vlan20 network=10.10.10.1
/ip dhcp-client
# NOTE(review): ether1 carries the PPPoE session but is in neither the WAN nor
# the LAN list. The input chain still drops it (not LAN), but the forward
# chain's "drop all from WAN not DSTNATed" rule does not match traffic arriving
# on ether1 itself. If this client is not needed, disable it, or add ether1 to
# the WAN list.
add comment=defconf disabled=no interface=ether1
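# Static DHCP leases on the LAN server (defconf): two clients pinned to fixed
# addresses by MAC address / client-id.
/ip dhcp-server lease
add address=192.168.1.65 client-id=1:c4:ad:34:5d:34:dd mac-address=\
C4:AD:34:5D:34:DD server=defconf
add address=192.168.1.140 client-id=1:bc:cf:4f:79:4b:9d mac-address=\
BC:CF:4F:79:4B:9D server=defconf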
# DHCP network options, the router's DNS resolver and static DNS records.
/ip dhcp-server network
# Guests receive an external resolver (listed twice) and 10.10.10.1 as gateway,
# so they do not need to reach the router's own DNS service.
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.8.8 gateway=10.10.10.1
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries. Only the
# input-chain rule dropping traffic from non-LAN interfaces keeps this resolver
# from being reachable from the WAN side; keep that rule in place.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
# NOTE(review): router.lan resolves to 192.168.1.200, whereas the bridge
# address in this export is 192.168.1.1 - confirm which device is meant.
add address=192.168.1.200 comment=defconf name=router.lan
# Resolves the name to the same LAN host that the dst-nat rules publish.
add address=192.168.1.149 name=home.dankovi.cz
# IPv4 firewall: forward and input filter rules, then source and destination NAT.
# NOTE(review): the forward chain has no final drop and no enabled rule matches
# the VLAN list, so new connections from the guest VLAN (vlan20) towards the
# LAN are forwarded like any other traffic. A guest network normally gets an
# explicit rule, for example:
#   add action=drop chain=forward in-interface-list=VLAN out-interface-list=!WAN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Disabled; it would also be redundant while the chain has no final drop.
add action=accept chain=forward connection-state=new disabled=yes \
in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
# Blocks unsolicited inbound connections from WAN-list interfaces unless a
# dst-nat rule matched them.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Input chain: ICMP and reply traffic are accepted, everything that does not
# arrive on a LAN-list interface is dropped. vlan20 is in list VLAN, not LAN,
# so new connections from guests to the router itself fall under this drop.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
# The next three masquerade rules are disabled.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes src-address=192.168.1.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1 \
src-address=10.10.10.0/24
# Active source NAT: masquerades everything leaving through a WAN-list
# interface (pppoe-out1) regardless of source subnet, so 10.10.10.0/24 is
# covered by this rule as well.
add action=masquerade chain=srcnat out-interface-list=WAN
# Publishes TCP 443 and 80 arriving on pppoe-out1 to 192.168.1.149. That host is
# reachable from the internet and sits in the same subnet as the other LAN
# devices, so it needs to be kept patched; port 80 is unencrypted HTTP.
add action=dst-nat chain=dstnat dst-port=443 in-interface=pppoe-out1 protocol=\
tcp to-addresses=192.168.1.149 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-out1 protocol=\
tcp to-addresses=192.168.1.149 to-ports=80
# Management services and IPv6 addressing / prefix delegation.
/ip service
set telnet disabled=yes
set ftp disabled=yes
# NOTE(review): www (WebFig over plain HTTP, moved to port 70) and api are
# unencrypted. The address= filter limits who may connect, not what can be read
# on the wire, and a non-standard port adds no protection. www-ssl / api-ssl
# with a certificate are the encrypted equivalents. 192.168.0.0/16 does not
# include the guest subnet 10.10.10.0/24.
set www address=192.168.0.0/16 port=70
set ssh disabled=yes
set api address=192.168.0.0/16
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16
# NOTE(review): a delegated prefix is assigned to the LAN bridge, but this
# export contains no /ipv6 firewall section. If none exists on the router,
# inbound IPv6 traffic to LAN hosts is not filtered - confirm.
/ipv6 address
add from-pool=HVfree interface=bridge
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=HVfree pool-prefix-length=48 rapid-commit=no \
request=prefix use-peer-dns=no
# Clock and identity, the nightly Wi-Fi on/off schedule with its scripts, and
# the scope of the MAC-based management servers.
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=RouterOS
/system scheduler
# NOTE(review): every job and script below carries the full policy set (ftp,
# reboot, password, sniff, sensitive, romon, ...) although the script bodies
# only enable or disable wireless interfaces or the CAPsMAN manager. Trimming
# them to the policies actually needed (presumably read,write - verify) limits
# what a modified script could do.
# NOTE(review): "Night wifi off at 1 am" has start-time=00:00:00; name and
# time disagree.
add interval=1d name="Night wifi off at 1 am" on-event=script_wifi_off policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=feb/08/2023 start-time=00:00:00
add interval=1d name="Night wifi on at 6am" on-event=script_wifi_on policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=feb/08/2023 start-time=06:00:00
add interval=1d name="Night down wifi off" on-event=wifi_dole_off policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=feb/11/2023 start-time=01:00:00
add interval=1d name="Night down wifi on" on-event=wifi_dole_on policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=feb/11/2023 start-time=06:00:00
/system script
# Disables / enables the router's own two radios.
add dont-require-permissions=no name=script_wifi_off owner=kenod policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"interface wireless disable wlan1\r\
\ninterface wireless disable wlan2-5g"
add dont-require-permissions=no name=script_wifi_on owner=kenod policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"interface wireless enable wlan1\r\
\ninterface wireless enable wlan2-5g"
# Switches the whole CAPsMAN manager off / on, which affects every SSID it
# provisions, including the guest one.
add dont-require-permissions=no name=wifi_dole_off owner=kenod policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"caps-man manager set enabled=no"
add dont-require-permissions=no name=wifi_dole_on owner=kenod policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"caps-man manager set enabled=yes"
# MAC server and MAC Winbox are limited to LAN-list interfaces, so they are not
# offered on the WAN side or on the guest VLAN.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
`