Bridge masquerade

Hi guys! I have a simple question: how do I masquerade one bridge to another? Is it possible? One bridge has internet, and I just need to forward this internet to another bridge.

More detailed:
Router Mikrotik CRS125-24G-1S-2HnD-IN (RouterOS 6.41, CapsMan activated) + 4 cAP (RouterOS 6.41 on each).
eth1-eth8 are in “bridge-local” and all cAPs are plugged into arbitrary ports from 1 to 8. If I plug my corporate LAN (10.10.10.) into any eth1-eth8 port, I have my corporate network on each mobile device, like I need! It's called “corp-wifi”. No question on that stage, BUT I also needed “guest-wifi”. No problem (I thought): just create “guest-pool”, make a DHCP server for “guest-pool”, make a “guest” configuration in CapsMan and bind this “guest-pool” to “guest-conf” - works like a charm! My guests receive isolated IPs from “guest-pool” (192.168.10.) but … without internet :frowning: :frowning: :frowning:
So how do I pass internet from “bridge-local” (work net with internet) to “guest-bridge” (virtual Wi-Fi on the cAPs)?
Thank you, and sorry for my bad English, I'm from the USSR :slight_smile:

Did you assign an address within the guest range to your guest bridge? Like 192.168.10.1?
Does your DHCP push this address as default gateway to your clients?
Did you add a srcnat/masquerade rule for guests? Like

/ip firewall nat
add chain=srcnat action=src-nat src-address=192.168.10.0/24 dst-address=0.0.0.0/0 to-addresses=<yourWANaddress> out-interface=<yourWANinterface>

All restrictions for guests should then be done in /ip firewall filter like:

/ip firewall filter
add chain=forward action=drop src-address=192.168.10.0/24 dst-address=your-private-lan-range

-Chris

Thank you Chris for reply!

Did you assign an address within the guest range to your guest bridge? Like 192.168.10.1?

Yes, I did. I made a test net in my home, so let's imagine my work net is 192.168.88.0/24, and the guest pool is 10.10.10.0/24. Then in “IP - Addresses”: Address: 10.10.10.1/24, Network: 10.10.10.0, Interface: bridge-guest.

Does your DHCP push this address as default gateway to your clients?

Yes. Here is a screenshot of my phone after connecting to the “guest” WiFi:
http://i.piccy.info/i9/17e1a81ac01d08be7da499bcd5f30b07/1518015485/180469/1219818/IMG_20180207_165458.jpg

Did you add a srcnat/masquerade rule for guests? Like

Yes, but bytes and packets are not moving :frowning:
Screenshot of the major settings of my cAPsMan controller:
http://i.piccy.info/i9/da9cacc14a5a8946b1089f845ed97bfa/1518016024/94743/1219818/Screenshot_3.png

Do I see it correctly that your router is not really the router for the network?
So your bridge-local is currently your WAN interface?
Do you have a default route configured?

-Chris

Thank you Chris for helping me!

  1. Yes, you're right! I already have a configured network at my work, so I need just an extension of my network by WiFi. So my Mikrotik CS125 is not a router in that case, so I simply made eth1 - eth8 a local bridge, and my colleagues get IPs and have access from mobile devices to work resources.
  2. You see it right! My WAN and all cAPs are connected to “bridge-local” (eth1-eth8).
  3. No, I don't. Is it necessary in my case?

This is a simple version of my work net:
http://i.piccy.info/i9/4450850664929535a41ca3258fc3a25b/1518021300/46858/1219818/Dokument1.png

Firewall NAT rules only work on routed traffic. So if your Mikrotik itself has no default route, the phone sends packets towards the Mikrotik (because the phone gets Mikrotik’s IP address in its subnet as a gateway), but the Mikrotik doesn’t know where to forward that traffic, and as it does not forward it, it doesn’t do src-nat either.

(note regarding vocabulary - “gray” and “white” addresses are not widely understood among English-speaking audience, “public” and “private” is used to distinguish the address ranges).

Thank you for the answer! Sorry about the “color” of addresses, I did not mean to offend anyone.
Can you give me advice please: which exactly “default route” must I write in my “IP - Routes” to have internet in my “bridge-guest”? I'm totally lost :frowning:

My remark had nothing to do with political correctness, only with readability. I come into contact with russian-speaking network specialists but many others don’t.

Can you use the command line and publish the results of the following commands?

/ip export hide-sensitive
/caps-man export hide-sensitive
/ip route print

/ip export hide-sensitive


# feb/02/2018 21:14:05 by RouterOS 6.41
# software id = RN4X-NAWF
#
# model = CRS125-24G-1S-2HnD
# serial number = 49C602EE2CCD
/ip pool
add name=guest-pool ranges=10.10.10.100-10.10.10.200
/ip dhcp-server
add address-pool=guest-pool disabled=no interface=bridge-guest lease-time=59m name=dhcp1
/ip address
add address=192.168.88.90/24 interface=bridge-local network=192.168.88.0
add address=10.10.10.1/24 interface=bridge-guest network=10.10.10.0
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8 domain=steel.guest gateway=10.10.10.1 netmask=24
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes dst-address=0.0.0.0/0 out-interface=bridge-local src-address=10.10.10.0/24 to-addresses=192.168.88.90



/ip route print


Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  10.10.10.0/24      10.10.10.1      bridge-guest              0
 1 ADC  192.168.88.0/24    192.168.88.90   bridge-local              0



/caps-man export hide-sensitive


# feb/02/2018 21:17:24 by RouterOS 6.41
# software id = RN4X-NAWF
#
# model = CRS125-24G-1S-2HnD
# serial number = 49C602EE2CCD
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=channel-default tx-power=15
/caps-man datapath
add bridge=bridge-local client-to-client-forwarding=no local-forwarding=no name=datapath-default
add bridge=bridge-guest client-to-client-forwarding=no local-forwarding=no name=datapath-guest
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security-default
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security-guest
/caps-man configuration
add channel=channel-default datapath=datapath-default distance=indoors guard-interval=long mode=ap multicast-helper=full name=cfg-default rx-chains=0,1,2 \
    security=security-default ssid=Steel tx-chains=0,1,2
add channel=channel-default datapath=datapath-guest distance=indoors guard-interval=long mode=ap multicast-helper=full name=cfg-guest rx-chains=0,1,2 \
    security=security-guest ssid=Steel-Guest tx-chains=0,1,2
/caps-man access-list
add action=accept disabled=no interface=all signal-range=-79..120 ssid-regexp=""
add action=reject disabled=no interface=all signal-range=-120..80 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg-default name-format=prefix name-prefix=wifi_ slave-configurations=\
    cfg-guest

OK, that means that @cdiedrich’s guess was correct. The WiFi clients in the “work” network which get their IP settings from the Cisco get them via DHCP, but the Mikrotik has its own IP address from 192.168.88.0/24 configured manually rather than asking for it using DHCP, and therefore it cannot receive the default gateway address from the Cisco. So the following command should solve your issue:

/ip route add gateway=192.168.88.x

where 192.168.88.x is the address of the Cisco router on which the DHCP server is running.

Another possibility would be to attach a dhcp client to bridge-local (you can do it while the manually assigned address still exists in the configuration) and create a static reservation for the Mikrotik in Cisco’s DHCP server configuration. After that, you could remove the manually configured IP address. But in such case you’d also have to replace the src-nat action in your NAT rule by “masquerade”.
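Putting Sindy's two points together (NAT only acts on routed traffic, so the Mikrotik must have a default route before the srcnat chain ever sees a guest packet; and the choice between a static address with src-nat or a DHCP client with masquerade), here is a complete version of both variants for the test network shown in the export above. This is an added example, not a config posted in the thread or taken from MikroTik documentation. It assumes the upstream router on bridge-local is 192.168.88.1 and that the Mikrotik keeps 192.168.88.90/24 on bridge-local as in the export; the two variants are alternatives, so apply only one of them.

```routeros
# Added example (not from the thread): giving bridge-guest (10.10.10.0/24)
# internet access through bridge-local (192.168.88.0/24).
# Assumptions: upstream gateway is 192.168.88.1; the Mikrotik's own address
# on bridge-local is 192.168.88.90/24 (both taken from the thread).

# ---------------------------------------------------------------------------
# Variant A: static address on bridge-local + static default route + src-nat
# ---------------------------------------------------------------------------
# Without this route the router has nowhere to forward 10.10.10.x packets,
# so they never reach the srcnat chain and the NAT counters stay at zero.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1 distance=1 comment="default via upstream router"

# Rewrite guest source addresses to the Mikrotik's own LAN address.
# The rule in the posted export is disabled=yes; it has to be enabled to work.
/ip firewall nat
add chain=srcnat action=src-nat src-address=10.10.10.0/24 out-interface=bridge-local \
    to-addresses=192.168.88.90 comment="guest -> uplink (static address)"

# ---------------------------------------------------------------------------
# Variant B: DHCP client on bridge-local + masquerade
# ---------------------------------------------------------------------------
# The DHCP client installs the default route itself (add-default-route=yes),
# and masquerade uses whatever address bridge-local currently holds, so a
# changed lease does not silently break NAT. Reserve the Mikrotik's address on
# the upstream DHCP server first, then remove the static /ip address on
# bridge-local.
/ip dhcp-client
add interface=bridge-local add-default-route=yes use-peer-dns=yes disabled=no
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.10.10.0/24 out-interface=bridge-local \
    comment="guest -> uplink (DHCP-assigned address)"

# ---------------------------------------------------------------------------
# Verification (either variant): the default route must show as active (A)
# and the NAT rule's byte/packet counters must grow once a guest client
# opens a connection.
# ---------------------------------------------------------------------------
/ip route print where dst-address=0.0.0.0/0
/ip firewall nat print stats
```

The practical difference between the variants is only where the default route and the translation address come from; in both cases guest traffic leaves bridge-local carrying the Mikrotik's address, so the upstream router and the corporate LAN see one host, not the individual guests. That is also why a forward-chain drop towards 192.168.88.0/24 belongs next to this NAT rule: without it, a guest can reach every host on the corporate LAN while appearing to be the Mikrotik.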

I forgot one little detail. I brought the controller from the work office to my home. This way I can simulate my office situation, except that my home router Mikrotik 751 replaces the Cisco. As in the office, my 751 gives DHCP to the CS125, so the whole situation is correct.

/ip route add gateway=192.168.88.1

IT WORKS!

Thank you so much Sindy for the invaluable help!!! I do not clearly understand these commands, but it works and I promise to find out HOW it works! (especially src-nat :slight_smile:

And one last little question: is this the correct prohibition rule for both nets?

It is correct in terms that it prohibits any traffic between the two networks as you most likely wanted, but

  • this type of limitation is usually placed in the “filter” table, chains “input” (to protect the device itself) and “forward” (to protect clients from one another)
  • action “unreachable” causes an icmp response packet to be sent back, while action “drop” just silently drops the packet so it consumes less CPU and bandwidth
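As an added example (not a rule posted in the thread), here is what the guest isolation looks like when it is done in the filter table, in the two chains Sindy names, using the addresses from the export above: guest clients on bridge-guest get a DHCP lease from the Mikrotik and the internet, and nothing else from the device itself or from the corporate LAN on bridge-local. It assumes guests resolve DNS through 8.8.8.8 as set in the posted dhcp-server network, so no DNS rule towards the router is needed; if the Mikrotik's own DNS resolver were handed out instead, UDP and TCP port 53 on the input chain would have to be accepted as well.

```routeros
# Added example (not from the thread): guest isolation in /ip firewall filter.
# Addresses as in the thread: guests 10.10.10.0/24 on bridge-guest,
# corporate LAN 192.168.88.0/24 on bridge-local.
# Assumption: guests use 8.8.8.8 for DNS (from the posted dhcp-server network),
# so the only service they need from the router itself is DHCP.

/ip firewall filter

# --- input: protect the Mikrotik itself from guest clients -----------------
# Guests may obtain a lease (DHCP request to the server on 10.10.10.1).
add chain=input in-interface=bridge-guest protocol=udp dst-port=67 action=accept \
    comment="guests: DHCP to the router"
# Everything else from guests towards the router is silently dropped:
# no Winbox, SSH, API, web, DNS, ping. "drop" rather than a reject action so
# no ICMP reply is generated for every probe.
add chain=input in-interface=bridge-guest action=drop \
    comment="guests: nothing else to the router"

# --- forward: keep guests and the corporate LAN apart ----------------------
# Let packets that belong to an already accepted connection through first,
# so the rules below only ever have to decide about new connections.
add chain=forward connection-state=established,related action=accept \
    comment="return traffic of accepted connections"
# A guest must not open anything towards the corporate LAN. This matches the
# original guest source address: srcnat is applied after the forward chain.
add chain=forward in-interface=bridge-guest dst-address=192.168.88.0/24 action=drop \
    comment="guests must not reach the corporate LAN"
# And nothing on the corporate LAN may open a connection towards a guest.
add chain=forward in-interface=bridge-local out-interface=bridge-guest \
    connection-state=new action=drop \
    comment="corporate LAN must not reach guests"
# Guest traffic to any other destination (the internet via the default
# route) falls through to the implicit accept at the end of the chain.

# Rules are evaluated top-down within a chain, so keep the accept for
# established/related above the drops. After connecting a guest client, the
# counters show which rule each packet hit:
/ip firewall filter print stats
```

If the corporate side ever needs to reach a particular guest service, add a narrow accept above the last drop rather than removing it; and if guests should be able to ping the Mikrotik for troubleshooting, accept protocol=icmp on input before the drop, again as a deliberate exception rather than by loosening the default.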

Thank you so much!