Basebox2 + R11e-2HPnD

I have set up my Basebox so that the internal card (wlan1) connects to my home network. The R11 PCIe (wlan2) is then bridged to wlan1 and offers a second AP to hosts. I have tried to make a DHCP server in this setup to differentiate from the 192.168.1.0 main network, e.g. 192.168.33.0, which did not work, so I gave up.
Now without the separate DHCP I’m trying to set a web proxy to redirect certain web pages. I have made a firewall NAT rule for :80 and redirected :8080, assigned to the bridge (assigning the rules to wlan1 or wlan2 gives a red error). All web-proxy rules are ignored, no matter what I try.
I followed this tutorial http://cedartech.blogspot.cz/2011/03/how-to-setup-site-blocking-and-url.html

The Mikrotik is great and offers so many options, but as a newcomer, the support is lacking and the documentation without any use examples is atrocious. After this experience, I may choose Ubnt next time.

Start by removing wlan2 from the bridge, and set up (there’s a wizard button) a second DHCP server over wlan2.

The wizard will guide you through the correct setup (choosing a range, assigning an IP to wlan2, and setting up the DHCP server).

The same would apply for a hotspot setup if you wanted that (run it over wlan2 directly) to control those “hosts”.

Ok, but how will wlan2 connect to the internet if not in the bridge? It will certainly work as an AP, but where does data come from?
I have successfully set up the DHCP server in past experiments (confirmed by getting IP 192.168.33.254 assigned on my phone, router 192.186.33.1, DNS 192.168.1.1) but it wouldn’t connect to any web service.

It will just work; as its name implies, RouterOS routes by default. As long as you get IP addressing and routing right, it will automatically route those clients connected to wlan2.

When routing, both directions should be taken into account, i.e. if routing from host A to host B, routing should be set in A to reach B, and in B to reach A.

The Basebox default route should point to 192.168.1.1, which I assume is your internet router and is already set up.

Your internet router should have a route to 192.168.33.0/24 using basebox 192.168.1.x/24 IP address, add it.

Check then by pinging from the router to 192.168.33.1 first. If it succeeds, then ping from a client to 192.168.1.1; if that succeeds, then from a client to an outside host, 8.8.8.8 for example. If that succeeds, you’re done.

Great information, thank you!
Skipping ahead, the web-proxy will thus also be set up on wlan2, correct?

The web-proxy is a service; it runs on a Basebox IP.

If you want wlan2 clients to go through the proxy, once the proxy is set up, you have to add a redirection to it based on source addresses (192.168.33.0/24) or in-interface (wlan2) to the ports the proxy is running on.

action=redirect is the same as action dst-nat to basebox IP address.

No luck so far.
Interesting thing is that in Fing I can see the rest of the network, ping to 1.158 is OK, ping to 1.1 fails.

[admin@MikroTik] > export compact
# aug/27/2016 13:23:55 by RouterOS 6.36.2
# software id = 1L5S-LQJH
#
/interface bridge
add admin-mac=E4:8D:8C:7B:C8:1B auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no frequency=auto hide-ssid=yes mac-address=\
    D8:5D:4C:CE:D9:A4 mode=station-pseudobridge rx-chains=0,1 ssid=private tx-chains=0,1 wps-mode=disabled
/ip neighbor discovery
set bridge comment=defconf
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys \
    static-key-0=********** unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=********** wpa2-pre-shared-key=**********
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name=free supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] antenna-gain=8 disabled=no mode=ap-bridge security-profile=free ssid=FreeTest wps-mode=disabled
/ip pool
add name=dhcp_pool2 ranges=192.168.55.20-192.168.55.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=wlan2 name=dhcp1
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
add bridge=bridge disabled=yes interface=wlan2
/ip address
add address=192.168.55.1/24 interface=wlan2 network=192.168.55.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dhcp-relay
add dhcp-server=192.168.1.1 interface=wlan2 local-address=192.168.33.1 name=relay1
/ip dhcp-server network
add address=192.168.55.0/24 dns-server=8.8.8.8 gateway=192.168.55.1
/system routerboard settings
set cpu-frequency=600MHz init-delay=0s protected-routerboot=disabled

It works as it should. Your home router doesn’t know where your second network 192.168.55.x is, so if it gets packets from it, it sends them to the default gateway. You can src-nat your traffic to 192.168.1.x, or add a route on your first router.

Read about network layers, routing and the IP protocol; after you understand how it works, everything will be clear.
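Putting the two replies together as an added example (not configuration posted in the thread): the src-nat rule suggested above plus the earlier proxy redirect based on in-interface, written against the export posted above. It assumes the guest subnet 192.168.55.0/24 on wlan2 and proxy port 8080 from the posts, and that the bridge is the uplink interface and www.example.com/category1 is the redirect target; those last two are assumptions.

```routeros
# Added example, RouterOS 6 CLI syntax; not part of the original thread.
# Assumed: guest subnet 192.168.55.0/24 on wlan2 (from the export),
# uplink via the bridge, web-proxy on port 8080 (from the first post).

# 1) Web proxy on a Basebox IP. Access rules are evaluated in order:
#    redirect the blocked site, allow the guest subnet, deny everyone else
#    so the proxy is never usable as an open proxy from other networks.
/ip proxy
set enabled=yes port=8080
/ip proxy access
add src-address=192.168.55.0/24 dst-host=.example.com action=deny redirect-to=www.example.com/category1
add src-address=192.168.55.0/24 action=allow comment="guest network may use the proxy"
add action=deny comment="nobody else may use the proxy"

# 2) src-nat: hide 192.168.55.x behind the Basebox's 192.168.1.x address,
#    so the home router needs no route back to 192.168.55.0/24.
/ip firewall nat
add chain=srcnat src-address=192.168.55.0/24 out-interface=bridge action=masquerade comment="guest to home LAN"

# 3) redirect: only HTTP arriving on wlan2 is diverted to the proxy port,
#    so home-network (bridge) traffic is left untouched.
add chain=dstnat in-interface=wlan2 protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="guest http to proxy"

# 4) Do not expose the proxy port on the home-network side at all.
/ip firewall filter
add chain=input in-interface=!wlan2 protocol=tcp dst-port=8080 action=drop comment="proxy reachable from wlan2 only"
```

The redirect in step 3 only covers plain HTTP (port 80); HTTPS cannot be rewritten this way without the client trusting a certificate the Basebox controls, which is why the later question about https redirects has no equivalent rule here.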

Hi czolo,
Thanks very much for your help. I was able to set the src-nat and everything works fine now! Including web redirect.

Now I would like to accomplish two more things:

  1. What is the best way to redirect https? For example https://www.example.comhttps://www.example.com/category1
    Also redirecting www.example.com (non-https) works fine by using .example.com, but when the browser uses just “example.com” it is not redirected. Do there have to be two access rules (.example.com and example.com)?

  2. I will be using a 3G pocket router for connection fallback. Wlan1 is currently connecting to ssid ABC, but if this connection is lost, I would like it to search and connect to ssid XYZ (3G router). What is the best way to setup a fallback like this and check the current connection status every 10 seconds or so? Is it possible to have a list of say 5 ssids for fallback?
    I may also look into using a USB LTE dongle (because wlan2 is taking up the PCIEm slot).