beamer
newbie
Topic Author
Posts: 36
Joined: Mon Aug 20, 2012 12:40 am

Help with SXT setup and two separate networks

Sat Sep 15, 2012 4:28 am

Hi

I read a lot of threads in this forum and was hoping one would cover my setup... but the topics I found always involved different MikroTik hardware (not SXTs), so I have difficulty adapting the solutions to my situation.

I configured two SXTs as a transparent bridge successfully with the help of the wiki. But now I need to implement this scenario, where the clients in the two subnets should be separated from each other but share the internet access.
[attachment: capture_15092012_014128.png]
The Fritz!Box cable modem/wifi/router thing does NAT and handles the internet access.
The Time Capsule is a switch and wifi access point. NAT can be disabled here. It should serve as DHCP server, but could be disabled (when "bridge" mode is selected; the SXT1 could serve as DHCP server then?)

For the 192.168.1.0/24 network, what do I set as default gateway? The TC? SXT1? SXT2? Fritz!Box?

I guess in SXT2 I have to remove the bridge between wlan and eth, and assign different IPs from the respective networks? But then... do I need routes, or firewall rules, or masquerading, or a combination of them? :shock:

Please advise how this should be configured. :)
 
beamer
newbie
Topic Author
Posts: 36
Joined: Mon Aug 20, 2012 12:40 am

Re: Help with SXT setup and two separate networks

Sat Sep 15, 2012 10:49 am

Basically, I have the same situation as here:
http://forum.mikrotik.com/viewtopic.php?f=7&t=60782

Unfortunately the last answer was just "I solved the problem" instead of writing two lines HOW. :(
 
Robinson
Frequent Visitor
Posts: 78
Joined: Tue Nov 10, 2009 7:30 pm

Re: Help with SXT setup and two separate networks

Fri Sep 21, 2012 10:17 pm

Hi.
You can set up masquerade on SXT2.
On the eth1 port add an IP in the 192.168.178.0/24 range; on wlan1 add an IP in the 192.168.1.0/24 range (e.g. 192.168.1.6).
On SXT2 set the default gateway to 192.168.178.1 (Fritz!); you can set up DHCP here if you like.
Then on all hosts in the 192.168.1.0/24 network the gateway is SXT2 (the wlan1 address).
You do not need any routing except a static route in MikroTik under /ip route.
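Robinson's description, written out as a RouterOS configuration for the first topology (Fritz!Box upstream, two private subnets). This is an added example, not configuration from the thread or from MikroTik. The interface names ether1-local and wlan1-gateway and the bridge name bridge1 follow the SXT default naming seen later in the thread; 192.168.178.2 as SXT2's address on the Fritz!Box side is an assumption. It goes one step beyond the post: masquerade alone does not separate the two subnets, so the forward rules that actually enforce the separation are included.

```routeros
# SXT2 as a router between the Fritz!Box LAN (192.168.178.0/24, ether1-local)
# and the wireless-link LAN (192.168.1.0/24, wlan1-gateway).
# Added example; interface/bridge names and 192.168.178.2 are assumptions.
# Enter Safe Mode first (Ctrl-X in the terminal, or the Safe Mode button in
# Winbox): removing the bridge drops any session that reaches SXT2 through
# the bridge address, and Safe Mode rolls the change back if that happens.

# 1. Drop the transparent-bridge setup: one address per side instead
/ip address
remove [find interface=bridge1]
/interface bridge port
remove [find]
/interface bridge
remove [find]
/ip address
add address=192.168.178.2/24 interface=ether1-local comment="Fritz!Box side"
add address=192.168.1.6/24 interface=wlan1-gateway comment="wireless link / Time Capsule side"

# 2. The only route SXT2 needs: default via the Fritz!Box.
#    Both /24s are directly connected, so nothing else is required.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.178.1

# 3. Hide 192.168.1.0/24 behind 192.168.178.2 towards the Fritz!Box
/ip firewall nat
add chain=srcnat out-interface=ether1-local action=masquerade

# 4. DHCP and DNS for the 192.168.1.0/24 side (Time Capsule in bridge mode).
#    Clients get SXT2 as gateway and as DNS forwarder.
/ip pool
add name=lan_pool ranges=192.168.1.20-192.168.1.200
/ip dhcp-server
add name=lan_dhcp interface=wlan1-gateway address-pool=lan_pool disabled=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.6 dns-server=192.168.1.6
/ip dns
set allow-remote-requests=yes servers=192.168.178.1

# 5. Separation. NAT is not isolation: a host on the Fritz!Box side that
#    adds a route for 192.168.1.0/24 via 192.168.178.2 would get through,
#    and hosts on the 192.168.1.0/24 side can reach 192.168.178.x freely.
#    The forward chain enforces both directions; the Fritz!Box itself stays
#    reachable because it is SXT2's gateway and DNS.
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward in-interface=ether1-local action=drop comment="Fritz!Box side may not initiate towards 192.168.1.0/24"
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.178.1 action=accept
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.178.0/24 action=drop comment="no access to other Fritz!Box LAN hosts"
# 6. SXT2 itself: DNS and management are answered on the 192.168.1.0/24
#    side only; new connections from the Fritz!Box side are dropped.
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input protocol=icmp action=accept
add chain=input in-interface=ether1-local action=drop
```

After applying it, `/ip firewall filter print stats` while opening a connection from each side shows which rule each test hit; a 192.168.178.x host trying 192.168.1.5 should increment the forward drop counter, not time out silently somewhere else.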
 
beamer
newbie
Topic Author
Posts: 36
Joined: Mon Aug 20, 2012 12:40 am

Re: Help with SXT setup and two separate networks

Sun Sep 23, 2012 5:05 am

Thanks for your answer Robinson!

The setup is now a bit different since we got a separate cable modem instead of sharing the existing Fritz!Box. This is how it looks now:
[attachment: capture_23092012_033355.png]
I had to remove the bridge in SXT2. On SXT2 the DHCP client is enabled on eth1 and gets a public IP from the Arris cable modem (this is really a modem, no NAT etc.). A route 0.0.0.0/0 to this public address is added automagically.

And the srcnat masquerade nat rule is set.

The Time Capsule is set to bridge mode and basically acts as a switch and wifi access point now.

Default gateway for the clients is 192.168.1.6 and this works so far. :)

But I still have some issues, for example configuring port forwarding on SXT2 to clients in the 192.168.1.0/24 network. It works for the Arris' status page (which is accessible under a fixed IP, 192.168.100.1), but forwards across the wireless link are not working. :(

Then I cannot reach SXT2 (192.168.1.6) from within the network via Winbox or browser, but I can ping it?! Fortunately I can reach it using Winbox on the public WAN IP.

I can run the internal bandwidth test from SXT2 to SXT1, but I cannot run it vice versa ("can't connect").

Does SXT2's management interface have to be "bound" to something? As I said, I removed the bridge... and I'm very careful now with configuring, since I'm far away and have to rely on DynDNS and TeamViewer.

EDIT: I enabled the DNS server on SXT2 and it's providing IP addresses, but I had to use a public DNS server address. If I set the DNS server to 192.168.1.6, the clients cannot resolve host names. Under IP -> DNS a public DNS server is set (8.8.4.4) as well as two dynamic servers from the internet provider. But the SXT2 does not resolve or forward it. This kind of problem drives me crazy.... :shock:
 
Robinson
Frequent Visitor
Posts: 78
Joined: Tue Nov 10, 2009 7:30 pm

Re: Help with SXT setup and two separate networks

Mon Sep 24, 2012 1:04 pm

SXTs come with some default configuration (I think NAT masquerade, wlan1 in client mode, default gateway on eth1, some IP setup...). When setting up a network I always discard such settings and do it "my way".
Sometimes the default configuration is helpful to users with less RouterOS knowledge.

So, did you enable the "remote requests" option in the DNS settings of SXT2?
- That might be the issue in resolving domain names.
Furthermore, SXT2 is a router doing NAT between the public network and your home network. Therefore you must set up port forwarding.

Can you export the exact configuration of both SXTs: ip firewall, nat, wireless...

This is a very simple network scenario; it should be configured easily.

http://wiki.mikrotik.com/wiki/Bridging_ ... s_with_SXT this can help you.
 
beamer
newbie
Topic Author
Posts: 36
Joined: Mon Aug 20, 2012 12:40 am

Re: Help with SXT setup and two separate networks

Tue Sep 25, 2012 4:26 am

Hi, I found a missing configuration that caused some of the problems: SXT1 had no default gateway configured. I added this:
/ip route
add gateway=192.168.1.6
Now SXT1 is reachable from internet by a forwarded SSH port. And the NTP client works (couldn't reach the internet time servers before).

SXT1:
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip address
add address=192.168.1.5/24 comment="default configuration" interface=bridge1
/ip dns
set max-udp-packet-size=8192 servers=192.168.1.6
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=wlan1-gateway
/ip neighbor discovery
set wlan1-gateway disabled=yes
/ip route
add distance=1 gateway=192.168.1.6
/ip ssh
set forwarding-enabled=yes

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods=passthrough group-ciphers=tkip management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity="" unicast-ciphers=tkip wpa2-pre-shared-key=x
/interface wireless
set 0 band=5ghz-onlyn channel-width=20/40mhz-ht-above country=germany disabled=no ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=bridge \
    name=wlan1-gateway nv2-preshared-key=x nv2-security=enabled security-profile=profile1 ssid=x\
    wireless-protocol=nv2
SXT2:
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=dhcp_pool1 ranges=192.168.1.20-192.168.1.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=wlan1-gateway lease-time=1d \
    name=dhcp1
/ip address
add address=192.168.1.6/24 comment="default configuration" interface=\
    wlan1-gateway
/ip dhcp-client
add default-route-distance=0 disabled=no interface=ether1-local
/ip dhcp-server config
set store-leases-disk=15m
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" dns-server=\
    8.8.4.4,8.8.8.8 gateway=192.168.1.6
/ip dns
set allow-remote-requests=yes cache-max-ttl=2h cache-size=8192KiB \
    max-udp-packet-size=8192 servers=8.8.4.4
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    wlan1-gateway
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-local
add action=dst-nat chain=dstnat comment=Winbox dst-port=58291 protocol=tcp \
    to-addresses=192.168.1.5 to-ports=8291
add action=dst-nat chain=dstnat comment="Arris Modem" disabled=yes dst-port=\
    8080 protocol=tcp to-addresses=192.168.100.1 to-ports=80
add action=dst-nat chain=dstnat comment="SSH SXT1" dst-port=1522 protocol=\
    tcp to-addresses=192.168.1.5 to-ports=22
/ip neighbor discovery
set wlan1-gateway disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=1622
set www-ssl disabled=no

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods=passthrough group-ciphers=tkip \
    management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity="" unicast-ciphers=tkip wpa2-pre-shared-key=x
/interface wireless
set 0 band=5ghz-onlyn channel-width=20/40mhz-ht-above country=germany disabled=\
    no ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=station-bridge name=\
    wlan1-gateway nv2-preshared-key=x nv2-security=enabled \
    security-profile=profile1 ssid=x wireless-protocol=nv2
The changed SSH port (from 22 to 1622) - could that cause the problem with the bandwidth test still not working from SXT1 to SXT2 (but vice versa)?

The firewall filter rules on SXT1 are not necessary, right?

The DNS server on SXT2 is set to allow-remote-requests=yes, but DNS resolution doesn't work from SXT1. When I set the DNS server to Google DNS instead of SXT2, it works immediately.
 
Robinson
Frequent Visitor
Posts: 78
Joined: Tue Nov 10, 2009 7:30 pm

Re: Help with SXT setup and two separate networks

Tue Sep 25, 2012 12:50 pm

/ip dns
set allow-remote-requests=yes cache-max-ttl=2h cache-size=8192KiB \
max-udp-packet-size=8192 servers=8.8.4.4
You set remote DNS requests=yes.
Then DHCP should give the clients that information so they can use SXT2 as DNS server:
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" dns-server=\
192.168.1.6 gateway=192.168.1.6
Did you enable the hotspot service on SXT2?

And, yes, no configuration on SXT1 firewall!
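The SXT2 export posted earlier in the thread explains the three symptoms beamer reports (Winbox to 192.168.1.6 fails while ping works, the bandwidth test only works from SXT2 to SXT1, and SXT1 cannot resolve through 192.168.1.6 although allow-remote-requests=yes): the "default configuration" input filter drops every new connection arriving on wlan1-gateway, which is now the LAN side, and filters nothing on ether1-local, which now holds the public address from the cable modem. Robinson's dns-server change is right but only takes effect once that rule is fixed. The following is an added, corrected SXT2 configuration derived from that export; it is not the poster's or Robinson's fix and not MikroTik's default. 203.0.113.0/24 is a placeholder for the network remote management comes from and is an assumption.

```routeros
# Corrected SXT2 for the final topology: cable modem (public address via
# DHCP client) on ether1-local, LAN over the wireless link on wlan1-gateway.
# Added example edited from the export posted in the thread; not the
# poster's fix. 203.0.113.0/24 stands for the remote-management source
# (an assumption; replace it with the real one). Enter Safe Mode first
# (Ctrl-X in the terminal or the Safe Mode button in Winbox).

# --- as posted (weak): the default-config input filter still treats the
# wireless side as untrusted, although the WAN moved to ether1-local ---
#   add chain=input comment="default configuration" protocol=icmp
#   add chain=input comment="default configuration" connection-state=established
#   add chain=input comment="default configuration" connection-state=related
#   add action=drop chain=input comment="default configuration" in-interface=wlan1-gateway
# Effect: ping from the LAN works (ICMP rule first), but every new TCP/UDP
# connection from the LAN to 192.168.1.6 is dropped: Winbox, DNS queries
# from SXT1, the bandwidth test started on SXT1. Nothing is filtered on the
# public address. DHCP keeps working because the DHCP server uses raw
# sockets and does not pass through the input chain.

# --- corrected ---
/ip firewall address-list
add list=mgmt address=192.168.1.0/24 comment="LAN"
add list=mgmt address=203.0.113.0/24 comment="remote admin source (assumption)"

/ip firewall filter
remove [find comment="default configuration"]
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input protocol=tcp dst-port=1622,8291 src-address-list=mgmt action=accept comment="SSH/Winbox from listed sources only"
add chain=input in-interface=wlan1-gateway protocol=udp dst-port=53 action=accept comment="LAN (incl. SXT1) uses SXT2 as DNS"
add chain=input in-interface=wlan1-gateway protocol=tcp dst-port=53 action=accept
add chain=input in-interface=ether1-local action=drop comment="drop everything else from the public side"
# forward: LAN out, replies back, and only the two forwarded services in
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=wlan1-gateway out-interface=ether1-local action=accept
add chain=forward in-interface=ether1-local protocol=tcp dst-address=192.168.1.5 dst-port=22,8291 action=accept comment="dst-nat targets on SXT1"
add chain=forward in-interface=ether1-local action=drop

# Port forwards: as posted they match on dst-port only, so a LAN client
# connecting to port 1522 or 58291 of any internet host would also be
# redirected to SXT1. Match the arriving interface as well. (The disabled
# Arris rule from the export is left out; masquerade stays as it was.)
/ip firewall nat
remove [find chain=dstnat]
add chain=dstnat in-interface=ether1-local protocol=tcp dst-port=58291 action=dst-nat to-addresses=192.168.1.5 to-ports=8291 comment="Winbox SXT1"
add chain=dstnat in-interface=ether1-local protocol=tcp dst-port=1522 action=dst-nat to-addresses=192.168.1.5 to-ports=22 comment="SSH SXT1"

# DNS: hand out SXT2 itself (Robinson's point). This works only together
# with the input rules above that let UDP/TCP 53 in from wlan1-gateway.
/ip dhcp-server network
set [find address=192.168.1.0/24] dns-server=192.168.1.6
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

# Second line of defence on the services themselves, and no MNDP/CDP
# announcements on the public interface (the export had it the other way round).
/ip service
set winbox address=192.168.1.0/24,203.0.113.0/24
set ssh address=192.168.1.0/24,203.0.113.0/24
set www-ssl address=192.168.1.0/24
/ip neighbor discovery
set ether1-local disabled=yes
set wlan1-gateway disabled=no

# The 802.11 profile in the export uses TKIP. With wireless-protocol=nv2 and
# nv2-security=enabled the link is protected by the nv2 preshared key and
# this profile is not used, but leave nothing weak in case the protocol is
# ever changed to one that falls back to 802.11.
/interface wireless security-profiles
set profile1 unicast-ciphers=aes-ccm group-ciphers=aes-ccm
```

Two caveats on SXT1 follow from the same export. SXT1 is reachable from the internet through the two forwarded ports, so once those forwards exist its input filter is not irrelevant: restrict SSH and Winbox on SXT1 to the same source list. And `/ip ssh set forwarding-enabled=yes` on SXT1 lets anyone who logs in over the forwarded port open TCP tunnels onward into 192.168.1.0/24; set it to no unless that pivot is actually wanted.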
