Add second Mikrotik as Wireless Access Point

Hi all,

We have 2 Mikrotik devices; the RB1100AHx2 acts as the main router, and now I want to add an RB2011UiAS-2HnD as a Wireless Access Point.
The RB2011UiAS-2HnD should have its own network 192.168.3.0/24 with DHCP enabled.

Now in practice, I will connect the UTP cable to Port 1 (RB2011UiAS-2HnD) and, for example, Port 6 (RB1100AHx2). What will be my next moves? Route? NAT? Firewall rules?

Could someone guide me through? I would really appreciate it.

RB1100AHx2 - as Main Router (192.168.0.0/24)
RB2011UiAS-2HnD - as Wireless Access Point (192.168.3.0/24)

Thank you.

Your config sounds right; can you get on the internet via wifi?

Next step is if you want the AP to be a guest AP with no access to the 192.168.0.0/24 network then you’d have to create a firewall rule on the 192.168.0.0/24 router.

The rule should allow packets going from port 6 to port 1 (the wan) and block the rest. If your DHCP or DNS is on 192.168.0.0/24, you’d have to create allow rules for those packets.

No additional NAT rules (other than the default ones) should be required on the AP.

What I did on the second mikrotik (Access Point).

  1. Disabled all interfaces except Ethernet1 (first LAN port) and WLAN
  2. Configured DHCP Client on first port to get IP from main router.
  3. Configured Wireless
  4. Configured DHCP on wireless interface

I ping yahoo.com from the mikrotik terminal and get a response, but my notebook connected to the WiFi gets an IP from DHCP and no internet. What am I doing wrong?

My steps in images…

Anybody?

I would recommend using a static IP address on ether1 of the 2011UiAS, e.g. 192.168.0.2/24, and disabling MASQUERADE.

Then on the RB1100AHx2, create a static route dst=192.168.3.0/24 gateway=192.168.0.2

This way, inside your network, there is no NAT.

Make sure that the RB1100AHx2 will masquerade for 192.168.3.0/24 as well as 192.168.0.0/24.
(Many people have the rule set up this way:
chain=srcnat src-address=192.168.0.0/24 action=masquerade)

I recommend this:
chain=srcnat out-interface=ether1 action=masquerade
(where ether1 = the interface that has your public IP on it)

Then on the 2011, you only need this one filter rule:
chain=forward dst-address=192.168.0.0/16 in-interface=wlan1 action=drop
(where wlan1 = the interface where you have the IP address 192.168.3.1/24)
This rule simply prevents any wireless device from communicating with the rest of your LAN.
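The static-IP, static-route, single-filter-rule layout recommended above, written out as RouterOS CLI for both routers. This is an added example, not configuration posted by anyone in this thread. The interface names and addresses are assumptions taken from the discussion: on the RB1100AHx2, ether1 carries the public IP and ether6 is the port cabled to the AP; on the RB2011, ether1 is the uplink and wlan1 is the wireless interface holding 192.168.3.1/24. It also handles the DNS point raised in the first reply: wireless clients are given the AP itself as DNS server, so no client DNS packet ever needs to be forwarded into 192.168.0.0/24 and the drop rule does not break name resolution.

```routeros
# Added example (not from any post in this thread). Interface names and addresses
# are assumptions: RB1100AHx2 ether1 = public IP, ether6 = link to the AP;
# RB2011 ether1 = uplink, wlan1 = wireless with 192.168.3.1/24.

# ---------- RB1100AHx2 (main router, 192.168.0.1) ----------
/ip address
add address=192.168.0.1/24 interface=ether6 network=192.168.0.0
# Route the wireless subnet to the AP's static LAN address; no NAT inside the LAN.
/ip route
add dst-address=192.168.3.0/24 gateway=192.168.0.2
# Masquerade by outgoing interface, not by source subnet, so 192.168.3.0/24
# is covered as well as 192.168.0.0/24.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# ---------- RB2011UiAS-2HnD (access point, 192.168.0.2 / 192.168.3.1) ----------
# Drop the DHCP client and the default masquerade rule from the earlier attempt.
/ip dhcp-client
remove [find interface=ether1]
/ip firewall nat
remove [find action=masquerade]
/ip address
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
add address=192.168.3.1/24 interface=wlan1 network=192.168.3.0
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1
/ip pool
add name=wifi_pool ranges=192.168.3.10-192.168.3.254
/ip dhcp-server
add address-pool=wifi_pool disabled=no interface=wlan1 name=dhcp_wifi
/ip dhcp-server network
# Hand out the AP as DNS server so client DNS stays on the 192.168.3.0/24 side.
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
/ip dns
# The AP resolves via the main router itself (output chain, not forward, so the
# drop rule below does not apply). allow-remote-requests makes the AP answer DNS
# on all its interfaces; acceptable here because neither interface faces the internet.
set servers=192.168.0.1 allow-remote-requests=yes
/ip firewall filter
# The single isolation rule: wireless clients may not reach any 192.168.x.x host
# behind the AP; internet traffic is still forwarded.
add chain=forward in-interface=wlan1 dst-address=192.168.0.0/16 action=drop
```

Because the RB1100AHx2 now has a route for 192.168.3.0/24, the AP no longer needs to masquerade, and devices on 192.168.0.0/24 can see wireless clients by their real 192.168.3.x addresses in logs and firewall counters. To confirm the isolation rule is working, watch the rule's packet counter with /ip firewall filter print stats while a wireless client tries to reach a 192.168.0.x host; the count should rise and the connection should fail, while the same client still reaches the internet.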

Here is my setup example, which works perfectly
(ether2 is dedicated to the second AP with its own network):
[attachment: mikrotik_dual_nat.png]

/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=yes disabled=no interface=bridge1 lease-time=2w name=dhcp1
add address-pool=dhcp_pool2 authoritative=yes disabled=no interface=ether2 lease-time=2w name=dhcp2
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
/ip firewall filter
add action=drop chain=forward dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/16