Plan
WareHouse Dimensions
height ~ 8 meters
lenght ~ 50 meters
widht ~ 30 meters
WareHouse-Photo
WareHouse-General-Plan
WareHouse-General-Scheme
General Description
1. We use USGw01(RB433UAH) for Internet access of entire office(Office Area).
2. USGw01 also used for Mesh Setup as DHCP Server and Firewall.
3. On warehouse we use Wireless Barcode Scanners - Symbol MC3090 as wireless clients.
4. They are working only with server in LAN(Office Area).
5. Scanners should have access only for DNS server(for name resolving) and for WarehouseServer.
6. All WAP have Static IP.
7. All Scanners have Dynamic IP obtained from DHCP Server(USGw01).
8. In this setup Wireless security settings are not described. And you will get network secured only by MAC. If you want to secure your WAP by authentication you should create an appropriate security profile and assign it to your WAP interface - on all WAP.
RB433UAH
Setup mesh interface
ros code
# add mesh interface interface mesh add name=mesh-interface # assign ports to the mesh interface interface mesh port add interface=ether2-warehouse mesh=mesh-interface # add ip to the mesh interface ip address add address=192.168.14.1/24 interface=mesh-interfaceSetup DHCP server
ros code
ip pool add name=warehouse-dhcp-ip-pool ranges=192.168.14.230-192.168.14.253 ip dhcp-server add name=warehouse-dhcp-server interface=mesh-interface lease-time=12:00:00 address-pool=warehouse-dhcp-ip-pool always-broadcast=yes disabled=no ip dhcp-server network add address=192.168.14.0/24 gateway=192.168.14.1 netmask=24 dns-server=192.168.13.1Setup static leases for scanners
ros code
# T001 ip dhcp-server lease add address=192.168.14.231 mac-address=00:00:00:00:00:01 server=warehouse-dhcp-server lease-time=0 address-list=US-WH-Scanners disabled=no comment="Scanner T001" # T002 ip dhcp-server lease add address=192.168.14.232 mac-address=00:00:00:00:00:02 server=warehouse-dhcp-server lease-time=0 address-list=US-WH-Scanners disabled=no comment="Scanner T002"Setup NTP Client
ros code
system ntp client set enabled=yes mode=unicast primary-ntp=64.73.32.134 secondary-ntp=38.229.71.1Setup NTP Server
ros code
system ntp server set broadcast=no broadcast-addresses="" enabled=yes manycast=no multicast=noSetup address list on firewall
ros code
ip firewall address-list add address=192.168.13.1 comment="admin01" disabled=no list=Gw-admins ip firewall address-list add address=192.168.13.2 comment="linux for backups to SVN" disabled=no list=Gw-admins ip firewall address-list add address=192.168.13.1 disabled=no list=US-Srv-DNS ip firewall address-list add address=192.168.13.1 disabled=no list=US-Srv-WareHouseServer ip firewall address-list add address=192.168.14.201 comment=WAP1 disabled=no list=US-WH-WAP ip firewall address-list add address=192.168.14.202 comment=WAP2 disabled=no list=US-WH-WAP ip firewall address-list add address=192.168.14.203 comment=WAP3 disabled=no list=US-WH-WAP ip firewall address-list add address=192.168.14.204 comment=WAP4 disabled=no list=US-WH-WAP # US-WH-Scanners - dynamic via DHCPSetup firewalls rules for WAP zone
ros code
# Input chain ip firewall filter add action=accept chain=input comment="Drop invalid connections" connection-state=invalid disabled=no ip firewall filter add action=accept chain=input comment="Allow Established connections to Gateway" connection-state=established disabled=no ip firewall filter add action=accept chain=input comment="Allow Related connections to Gateway" connection-state=related disabled=no ip firewall filter add action=accept chain=input comment="Allow SG Network Core: NTP on LAN" disabled=no dst-port=123 in-interface=!ether1-wan-primary protocol=udp # Forward chain # # General rules ip firewall filter add action=accept chain=forward comment="Drop invalid connections" connection-state=invalid disabled=no ip firewall filter add action=accept chain=forward comment="Allow Established connections to Any" connection-state=established disabled=no ip firewall filter add action=accept chain=forward comment="Allow Related connections to Any" connection-state=related disabled=no # From Mesh to LAN ip firewall filter add action=accept chain=forward comment="Allow Network Core: ICMP from Mesh" disabled=no in-interface=mesh-wap out-interface=bridge-lan protocol=icmp ip firewall filter add action=accept chain=forward comment="Allow Scanners to DNS - US-WH-Scanners" disabled=no dst-address-list=US-Srv-DNS dst-port=53 in-interface=mesh-wap out-interface=bridge-lan protocol=udp src-address-list=US-WH-Scanners ip firewall filter add action=accept chain=forward comment="Allow Scanners to WareHouseServer - US-WH-Scanners" disabled=no dst-address-list=US-Srv-WareHouseServer dst-port=80 in-interface=mesh-wap out-interface=bridge-lan protocol=tcp src-address-list=US-WH-Scanners ip firewall filter add action=log chain=forward comment="Log any other from scanners" disabled=yes in-interface=mesh-wap ip firewall filter add action=drop chain=forward comment="Drop any other from scanners" disabled=no in-interface=mesh-wap # From LAN to Mesh ip firewall filter add action=accept chain=forward comment="Allow SG Network Core: ICMP to WAP" disabled=no dst-address-list=US-WH-WAP in-interface=!ether1-wan-primary out-interface=mesh-wap protocol=icmp ip firewall filter add action=accept chain=forward comment="Allow SG Network Core: ICMP to Scanners" disabled=no dst-address-list=US-WH-Scanners in-interface=!ether1-wan-primary out-interface=mesh-wap protocol=icmp ip firewall filter add action=accept chain=forward comment="Allow SG Remote Access: Winbox for admins on WAP" disabled=no dst-port=8291 in-interface=!ether1-wan-primary out-interface=mesh-wap protocol=tcp src-address-list=Gw-admins ip firewall filter add action=accept chain=forward comment="Allow SG Remote Access: SSH for backup WAP" disabled=no dst-port=22 in-interface=!ether1-wan-primary out-interface=mesh-wap protocol=tcp src-address-list=Gw-admins ip firewall filter add action=accept chain=forward comment="Allow SG Monitoring: SNMP on WAP segment" disabled=no dst-port=161 in-interface=bridge-lan out-interface=mesh-wap protocol=udp ip firewall filter add action=log chain=forward comment="Log any other to scanners" disabled=yes out-interface=mesh-wap ip firewall filter add action=drop chain=forward comment="Drop any other to scanners" disabled=no out-interface=mesh-wapRB751U-2HnD
Install the following packages
# WAP1/WAP2/WAP3/WAP4
system
routerboard
dhcp
wireless
security
advanced-tools
ros code
# WAP1/WAP2/WAP3/WAP4 interface mesh add name=mesh-interface interface mesh port add interface=ether1 mesh=mesh-interface interface mesh port add interface=wlan1 mesh=mesh-interfaceSetup IP on the WAP
ros code
# WAP1 ip address add address=192.168.14.201/24 interface=mesh-interface # WAP2 ip address add address=192.168.14.202/24 interface=mesh-interface # WAP3 ip address add address=192.168.14.203/24 interface=mesh-interface # WAP4 ip address add address=192.168.14.204/24 interface=mesh-interfaceSetup wireless interface
ros code
# WAP1/WAP2/WAP3/WAP4 interface wireless set wlan1 disabled=no mode=ap-bridge band=2ghz-b/g/n frequency=2452 ssid=Mikrotik-Mesh default-authentication=no default-forwarding=noTuning wireless settings
ros code
# WAP1/WAP2/WAP3/WAP4 # # ban Scanners with low signal strength interface wireless access-list add interface=wlan1 mac-address=00:00:00:00:00:00 signal-range=-80 authentication=no forwarding=noAdd Scanner to ALC on WAP
ros code
# WAP1/WAP2/WAP3/WAP4 # # T001 interface wireless access-list add disabled=no authentication=yes forwarding=no interface=wlan1 mac-address=00:00:00:00:00:01 comment="Scanner T001" # T002 interface wireless access-list add disabled=no authentication=yes forwarding=no interface=wlan1 mac-address=00:00:00:00:00:02 comment="Scanner T002"Setup default route
ros code
# WAP1/WAP2/WAP3/WAP4 ip route add dst-address=0.0.0.0/0 gateway=192.168.14.1Setup SSH access to WAP devices
ros code
# WAP1/WAP2/WAP3/WAP4 ip service set ssh port=22Setup time synchronization
ros code
# WAP1/WAP2/WAP3/WAP4 system clock set time-zone-name=America/Detroit system ntp client set enabled=yes mode=unicast primary-ntp=192.168.14.1Disable unused services
ros code
# WAP1/WAP2/WAP3/WAP4 ip service disable ftp ip service disable telnet ip service disable www ip service disable www-sslCreate user for monitoring purpose
ros code
# WAP1/WAP2/WAP3/WAP4 /user group add name=monitoring policy=winbox,read comment="Group for monitoring purpose" /user add name=dude password="********" group=monitoring address=192.168.13.1/32 comment="User for Dude monitoring"Setup backup to SVN
Backup Mikrotik config to Subversion/SVN repository via SSH
Add new scanner to WareHouse wireless network
Add new scanner to ACL on RB751U-2HnD
ros code
# This must be done on all AP in Mesh # T0XY interface wireless access-list add disabled=no authentication=yes forwarding=no interface=wlan1 mac-address=00:00:00:00:00:03 comment="Scanner T0XY"Add static lease on RB433UAH
ros code
# T0XY ip dhcp-server lease add address=192.168.14.2zz mac-address=00:00:00:00:00:03 server=warehouse-dhcp-server lease-time=0 address-list=US-WH-Scanners disabled=no comment="Scanner T0XY"
Testing
Scan from Mikrotik
Android Wi-Fy Analyser - in center of WareHouse
Android Wi-Fy Analyser - WareHouse perimeter
Test (Android) when WAP1 goes down, device connect to WAP2
Test (PC) when WAP1 goes down, device connect to WAP2
Live
The Dude
WAP3 Registration Table
Comments
1. Clients see only one network with SSID Mikrotik-Mesh and they don't know anything about 4 AP.
2. Now is ROS 5.18.
3. Scanners are Motorola Symbol MC3000, MC3100.
4. Traffic from scanners is very low.
5. Scanners have access only to DNS and Web servers in LAN.
6. Hopefully this will be useful for someone.