punx
April 9, 2018, 5:51pm
1
Hello,
Main router is router from Telecom.
RB951 ETH1 is connected to Telecom router.
On this RB951 I have two Virtual AP.
VAP1 for normal users and VAP2 for guest users.
Users on VAP1 receive IP address from DHCP on main (Telecom) router.
Is it possible and how to configure RB951 so that users on VAP2 receive IP address from DHCP on RB951 and go to internet?
Thank you!
sindy
April 9, 2018, 6:41pm
2
Assuming that vap1 and ether1 are member ports of the same bridge, you merely create the following (replace vap2 by the actual name of your virtual AP and 192.168.99.0/24 by your actually chosen IP subnet which must differ from the one used by the Telecom router):
/ip address
add address=192.168.99.1/24 interface=vap2
/ip pool
add name=guest-dhcp ranges=192.168.99.10-192.168.99.254
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1
/ip dhcp-server
add address-pool=guest-dhcp disabled=no interface=vap2 name=guest
/ip firewall nat
add chain=srcnat action=src-nat out-interface=ether1 to-addresses=ip.of.ether.1
You could use action=masquerade in the last rule if you want the RB951’s address on ether1 to be dynamic, but it is highly recommended to use a static one and avoid masquerade as it has some “side effects” related to the need to react properly to each change of the address.
punx
April 9, 2018, 7:12pm
3
sindy:
Assuming that vap1 and ether1 are member ports of the same bridge, you merely create the following (replace vap2 by the actual name of your virtual AP and 192.168.99.0/24 by your actually chosen IP subnet which must differ from the one used by the Telecom router):
You could use action=masquerade in the last rule if you want the RB951’s address on ether1 to be dynamic, but it is highly recommended to use a static one and avoid masquerade as it has some “side effects” related to the need to react properly to each change of the address.
Thank you, sindy.
I will try.
2frogs
April 9, 2018, 7:45pm
4
If you are more a GUI person, you can in either Winbox or Webfig go to IP>DHCP-Server and click on DHCP Setup. It will guide you through the setup process.
punx
April 10, 2018, 9:42pm
6
I do this, but on connected client I don’t have internet.
My configuration:
/ip pool
add name=guest-dhcp ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=guest-dhcp disabled=no interface=VAP2 name=guest
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=VAP1
/ip address
add address=192.168.2.100/24 interface=bridge1 network=192.168.2.0
add address=192.168.99.1/24 interface=VAP2 network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=drop chain=input in-interface=ether1
/ip firewall nat
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.2.100
When I put in out-interface “bridge1”, also no internet on connected client.
What is wrong?
2frogs
April 10, 2018, 9:54pm
7
Can you post an export?
export hide-sensitive file=export.rsc
This will create a file export.rsc that you can copy to your desktop and edit with your favorite word editor.
https://wiki.mikrotik.com/wiki/Manual:Configuration_Management
mrz
April 11, 2018, 10:10am
8
Your NAT rule will not work because your specified out-interface is a slave.
sindy
April 11, 2018, 11:42am
9
The src-nat rule matching on out-interface=ether1 was my mistake, but the OP wrote he has tried with out-interface=bridge1 and it didn’t work either. So waiting for the /export.
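The slave-port problem mrz and sindy describe can be caught before a configuration is applied. The following is an added example, not code from any poster in this thread: a small Python check that reads a RouterOS export and lists firewall rules whose in-interface or out-interface is a bridge member port. The sample export is constructed from the configuration posted above, and the function names are this example's own.

```python
import shlex

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=VAP1
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 \
    to-addresses=192.168.2.100
add action=masquerade chain=srcnat out-interface=bridge1 \
    src-address=192.168.99.0/24
"""


def parse_export(text):
    """Yield (menu, verb, params) for each command in a RouterOS export."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # long lines are wrapped with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):  # menu path, e.g. "/ip firewall nat"
            menu = line
            continue
        verb, *tokens = shlex.split(line)
        yield menu, verb, dict(t.split("=", 1) for t in tokens if "=" in t)


def slave_port_matchers(text):
    """Return firewall rules whose in/out-interface is a bridge member port."""
    cmds = list(parse_export(text))
    master = {p["interface"]: p["bridge"] for m, v, p in cmds
              if m == "/interface bridge port" and v == "add"}
    findings = []
    for m, v, p in cmds:
        if v != "add" or not (m or "").startswith("/ip firewall"):
            continue
        for key in ("in-interface", "out-interface"):
            if p.get(key) in master:
                findings.append((m, key, p[key], master[p[key]]))
    return findings
```

On the sample it reports both the input drop rule and the src-nat rule, which matters for the drop rule in particular: a rule that can never match leaves the router's input chain unfiltered on that side.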
punx
April 11, 2018, 3:22pm
10
Here is the export file
https://we.tl/F8YMg86GQH
Paste this inside one Console window, do not remove the { }, it fixes all errors I see
{
/ip neighbor discovery
set ether1 discover=yes
/interface wireless
set wlan1 distance=indoors
set [find] keepalive-frames=enabled multicast-buffering=enabled wds-cost-range=50-150 wds-default-cost=100 wps-mode=disabled
/ip pool
set guest-dhcp name=pool-guest ranges=192.168.99.101-192.168.99.199
/ip dhcp-server
set guest name=dhcp-guest lease-time=01:00:00
/ip dhcp-client
set [find] interface=bridge1
/ip dhcp-server network
remove [find]
add address=192.168.99.0/24 dns-server=192.168.99.1,1.1.1.1 gateway=192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=1.1.1.1,1.0.0.1
/ip address
set [find where interface=ether2] interface=bridge1
/ip firewall filter
remove [find]
add action=drop chain=input connection-state=new dst-port=53 in-interface=bridge1 protocol=tcp src-address=!192.168.0.0/16
add action=drop chain=input connection-state=new dst-port=53 in-interface=bridge1 protocol=udp src-address=!192.168.0.0/16
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input connection-state=new in-interface=bridge1 src-address=!192.168.0.0/16
/ip firewall nat
remove [find]
add action=masquerade chain=srcnat comment="NAT" out-interface=bridge1 src-address=192.168.99.0/24
/ip firewall service-port
set [find] disabled=yes
set ftp disabled=no
set sip disabled=no
set pptp disabled=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system routerboard settings
set init-delay=2s
/system logging
add action=memory disabled=no prefix="" topics=critical
/console clear-history; /system check-installation; /system reboot;
}
punx
April 11, 2018, 7:57pm
12
Nothing happens. It stuck on
{... /console clear-history; /system check-installation; /system reboot;
{... }
and nothing happens.
???
You hit "enter" on keyboard?...
punx
April 11, 2018, 9:30pm
14
Yes....but RB stuck....2-3 times.
After reboot RB, paste your code and now I think all is OK.
I will check tomorrow....
Thank you!
punx
April 12, 2018, 7:33pm
15
punx
April 12, 2018, 7:37pm
16
Is it possible to configure VPN (pptp) server on this configuration?
I know how to configure PPTP server on RB but on this configuration I can’t connect from remote location.
sindy
April 12, 2018, 7:48pm
17
Can you post the updated configuration (not a link to an external site) here so that it is not necessary to compile it from the original one and @rextended ’s fix script? Including the existing pptp setup which doesn’t work.
punx
April 14, 2018, 3:33pm
18
Updated configuration:
# apr/14/2018 17:06:10 by RouterOS 6.39.2
# software id = LUBL-GA8Y
#
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no distance=indoors hide-ssid=yes \
mode=ap-bridge ssid=MikroTik wireless-protocol=802.11 wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=xxx \
supplicant-identity=""
/interface wireless
add disabled=no mac-address=66:D1:54:DD:63:8D master-interface=wlan1 name=\
VAP1 security-profile=xxx ssid=M wps-mode=disabled
add disabled=no mac-address=66:D1:54:DD:63:8E master-interface=wlan1 name=\
VAP2_Guest security-profile=xxx ssid="M G" wps-mode=disabled
/ip pool
add name=pool-guest ranges=192.168.99.101-192.168.99.199
/ip dhcp-server
add address-pool=pool-guest disabled=no interface=VAP2_Guest lease-time=1m \
name=dhcp-guest
/ppp profile
add dns-server=192.168.99.1 local-address=192.168.99.1 name=Vpn \
remote-address=pool-guest
/interface bridge port
add bridge=bridge1 interface=VAP1
add bridge=bridge1 interface=ether1
/ip address
add address=192.168.1.100/24 interface=bridge1 network=192.168.1.0
add address=192.168.99.1/24 interface=VAP2_Guest network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bridge1
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=192.168.99.1,1.1.1.1 gateway=\
192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
bridge1 protocol=tcp src-address=!192.168.0.0/16
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
bridge1 protocol=udp src-address=!192.168.0.0/16
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input connection-state=new in-interface=bridge1 \
src-address=!192.168.0.0/16
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT out-interface=bridge1 \
src-address=192.168.99.0/24
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=xxx profile=Vpn service=pptp
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=cm_rb_1
/system logging
add topics=critical
/system routerboard settings
set init-delay=2s
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=wlan1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=wlan1
How to configure VPN pptp server?
On telecom router port 1723 is forwarded to 192.168.1.100
sindy
April 14, 2018, 3:48pm
19
Could it be that you’ve forgotten to enable the server? I cannot see the /interface pptp-server server part in your config export.
punx
April 14, 2018, 3:57pm
20
Could it be that you’ve forgotten to enable the server? I cannot see the /interface pptp-server server part in your config export.
Yes, I don’t have this.
Where and what I must configure?
On my home RB I don’t have this also, but VPN works.
Now I see…on home RB this interface is autocreated when I connect to VPN.