过去几天,我一直在努力使用 Mikrotik hAP ac3 设置家庭网络。我想要实现以下目标:
- 无线接口(wlan1、wlan2)是分开的,并且无法访问 ether3/4/5
- ether3/4/5 是分开的,无法访问 wi/fi
- ether2 应该可以从无线网络和 ether3/4/5 网络访问(我想在这里使用 pi-hole 托管我的 DNS 服务器)。
以上所有设备均应能访问互联网。
到目前为止,我已成功创建了 2 个网桥 - 1 个用于 wifi,1 个用于 ether3/4/5,添加了 DHCP 服务器、IP 池、网络地址 - 两者都可以访问互联网并正常工作。我原本计划为 ether2(pi-hole)添加第三个网桥,但出于测试目的,我将 ether 2 分配给 wifi 网桥并在 IP/Routes 中添加了路由(见图)。在 IP->ARP 中,我看到 IP 分配成功,但我无法从 ether3(ether3/4/5 网桥)访问 pi-hole(wi-fi 网桥)。我做错了什么?有没有更好的方法来完成我想做的事情?
这是我的配置:
/interface bridge
add admin-mac=08:55:31:FD:FE:EF auto-mac=no comment=defconf name=bridge
add name=bridge-wifi
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=Venera wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=Venera wireless-protocol=802.11
/interface vlan
add interface=wlan1 name=vlan-private vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=08874541551 \
wpa2-pre-shared-key=08874541551
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=wifi-pool next-pool=dhcp ranges=192.168.89.100-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=wifi-pool disabled=no interface=bridge-wifi name=wifi-dhcp
/interface bridge port
add bridge=bridge-wifi comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge-wifi comment=defconf interface=wlan1
add bridge=bridge-wifi comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge-wifi list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.89.1/24 interface=bridge-wifi network=192.168.89.0
/ip arp
add address=192.168.88.253 interface=bridge mac-address=A0:BD:1D:E7:B0:A6
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.89.0/24 gateway=192.168.89.1 netmask=2
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward in-interface=bridge-wifi out-interface=bridge
add action=accept chain=forward in-interface=bridge out-interface=bridge-wifi
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=bridge-wifi pref-src=\
192.168.89.1
add distance=1 dst-address=192.168.89.0/24 gateway=bridge pref-src=\
192.168.89.1
/system clock
set time-zone-name=Europe/Sofia
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN