3G USB modem on hAP ac2

I’m configuring a Huawei E1820 on a hAP ac2 to provide internet access to my LAN.
The MT has internet access pinging from a terminal, using Tools>Ping to 8.8.8.8 and also from Src address.
Steps that I followed are:

  1. Reset the MT with no default config.
  2. Create bridge1 and add IP address 192.168.88.1
  3. Configure DHCP server on bridge1 pool 192.168.88.100 to 199
  4. Added bridge1 ports eth1 to 5, wlan1 and wlan2
  5. Connected Huawei 3G to the USB port.
  6. Enable ppp-out1 with the following settings: USB1, Data channel 0, Info channel 3, APN internet, uncheck dial-on-demand.
  7. Tools>Ping 8.8.8.8 gives replies; using src address 192.168.88.1 no replies.
  8. Add nat masquerade. Tools>Ping 8.8.8.8 gives replies; using src address 192.168.88.1 gives replies.
  9. No internet access when connecting a laptop to the MT ethernet or wlan. Laptop gets DHCP lease 192.168.88.1/24, GW 192.168.88.1, DNS 8.8.8.8. Laptop can ping 192.168.88.1, but no replies when pinging 8.8.8.8; URLs are not resolved, like when pinging gmail.com.

The USB modem also doesn’t connect again when I leave it plugged in and reboot the MT.

Make sure you have the following:

  • in step #3 you have to configure /ip dhcp-server network … you need an entry with a minimum of the following attributes:
address=192.168.88.0/24  dns-server=8.8.8.8,1.1.1.1 gateway=192.168.88.1 netmask=24
  • in step #6 you need to check add-default-route

As you did not post a full config export of the partially working setup[*], it’s hard to guess what else might be wrong.

[*] If it doesn’t start to work for you, open a terminal window, execute the command /export hide-sensitive, copy-paste the output into a text editor, redact sensitive data (such as WPA2 preshared key and PPPoE username/password) and post it here … between [code] [/code] tags for better readability.

Thank you for the reply. wlan is still at defaults since I figure when ethernet is working it should be fairly easy to configure the wlan interfaces. Here is the config:
[admin@MikroTik] > /export hide-sensitive
# apr/29/2020 14:55:42 by RouterOS 6.46.5
# software id = B56K-Q5F1
#
# model = RBD52G-5HacD2HnD
# serial number = BEEB0A8C2034

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.199
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/port
set 0 name=usb1
/interface ppp-client
add apn=internet dial-on-demand=no disabled=no info-channel=3 name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether2
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppp-out1 src-address=192.168.88.1
/system clock
set time-zone-name=Africa/Johannesburg
[admin@MikroTik] >

This rule

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppp-out1 src-address=192.168.88.1

only covers the router’s own address … remove the last part (src-address), it should be like this:

add action=masquerade chain=srcnat out-interface=ppp-out1

Silly mistake on my side. Thank you for clearing it up. All is working now as required.

Last word of caution: your router currently doesn’t have any firewall whatsoever. It is an easy target for hackers and you should really implement some.

My suggestion: check the default firewall filter rules, they are a very decent starting point. However, before implementing those rules you have to prepare a few things:

  1. create interface lists named LAN and WAN (they are heavily referred to in firewall rules) and populate them with correct interfaces:
/interface list 
add name=WAN comment="defconf"
add name=LAN comment="defconf"
/interface list member
add list=LAN interface=bridge1 comment="defconf"
add list=WAN interface=ppp-out1
  2. print out the default configuration using the command /system default-configuration print (beforehand make sure your terminal window is wide enough or else config lines will be truncated), scroll down to the line /ip firewall {
  3. copy the following lines … up to the first closing curly brace (}) … on my RB it’s 11 lines.
    As I already mentioned, make sure none of them end with the character ‘>’ … it means that the line is truncated.
  4. quit the pager of the default config
  5. enter safe mode by pressing CTRL-X
  6. paste the config lines from bullet #3 above
  7. if you still have management connectivity, exit safe mode by pressing CTRL-X again
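
An added example, not part of any post in this thread: a small Python audit of a RouterOS /export that flags the two problems discussed above, a masquerade rule whose src-address covers only part of the LAN and an export with no /ip firewall filter rules. SAMPLE_EXPORT is a constructed, trimmed copy of the posted config, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the export posted in this thread.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppp-out1 src-address=\\
    192.168.88.1
"""


def parse_export(text):
    """Return [(menu, {key: value})] for every 'add' line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join '\' line continuations
    menu, items = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            items.append((menu, dict(re.findall(r'([\w-]+)=("[^"]*"|\S*)', line))))
    return items


def audit(text):
    """Flag masquerade rules narrower than the LAN and a missing filter table."""
    items = parse_export(text)
    lans = [ipaddress.ip_interface(p["address"]).network
            for menu, p in items if menu == "/ip address" and "address" in p]
    findings = []
    for menu, p in items:
        src = p.get("src-address")
        if menu != "/ip firewall nat" or p.get("action") != "masquerade" or not src:
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:  # address ranges and lists are not handled here
            continue
        for lan in lans:
            if net != lan and net.subnet_of(lan):
                findings.append(f"masquerade src-address={src} covers only part of {lan}")
    if not any(menu == "/ip firewall filter" for menu, _ in items):
        findings.append("no /ip firewall filter rules: nothing filters input or forward")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```

Run it against the redacted output of /export hide-sensitive before and after a change; an empty result means neither of the two conditions is present.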