Hello all.
I’m struggling to configure a hotspot and an admin network with the MikroTik RouterBoard 493AH, RouterOS 4.10.
(Didn’t see anything related to this or similar in the change log to 4.11, so I didn’t upgrade)
My scenario is pretty simple:
(INTERNET) <--cable--> (Mikrotik) <--cable--> (Wifi Antenna) <--wireless--> (Hotspot Wifi clients)
I need to be able to provide Internet to the clients, but also to be able to access the “Wifi Antenna” through its admin IP.
So, I decided to assign two public IPs to the WAN interface (ether1), and an additional internal IP to the hotspot interface (ether2) (different networks).
The hotspot NAT rules were defined with WinBox and I defined special NAT rules to be able to access the internal “Wifi Antenna” from one of the public IPs.
I have two problems:
a) If the hotspot IP rules are enabled (/ip hotspot enable hotspot2), I can’t even ping the “Wifi Antenna”, but it works if the rules are disabled. I can’t find out why. How could I configure both networks in the same interface (or not), but all in the same MikroTik?
b) When I configured the hotspot with WinBox I selected to masquerade the internal IPs also, so the clients received weird IPs instead of the ones I defined in the pool, and it’s not working that way now. It now assigns the clients exactly the IPs of the pool. How could I configure it so that it gives weird IPs to the hotspot clients again without erasing the current configuration and starting from scratch?
I’m pretty new to these devices. I hope I’m not asking questions that are too dumb.
I have been searching the forums for help, but haven’t found (almost) anything useful. Maybe I haven’t been using the right set of words to search for. Please excuse me if this has been discussed already.
I have been struggling with this for two weeks now.
Any help to solve either or both of my current problems will be really appreciated.
Below I show the relevant configuration, and other things I’ve tried.
Thanks a lot.
Ely
/ip address print
------------------------------------------------------------------
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   ;;; Place: (hotspot2) (public ip)
     XX.XX.XX.12/24     XX.XX.XX.0      XX.XX.XX.255    ether1
 1   ;;; Admin (public ip)
     XX.XX.XX.11/24     XX.XX.XX.0      XX.XX.XX.255    ether1
 2   ;;; Hotspot
     192.168.Y.1/24     192.168.Y.0     192.168.Y.255   ether2
 3   ;;; Admin to Wifi Antenna
     192.168.Z.254/24   192.168.Z.0     192.168.Z.255   ether2
/ip hotspot print
------------------------------------------------------------------
Flags: X - disabled, I - invalid, S - HTTPS
 #   NAME       INTERFACE   ADDRESS-POOL   PROFILE   IDLE-TIMEOUT
 0   hotspot2   ether2      hs-pool-2      hsprof1   5m
/ip firewall nat print
------------------------------------------------------------------
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough
 1   chain=dstnat action=dst-nat to-addresses=192.168.Z.11 dst-address=XX.XX.XX.11
 2   chain=srcnat action=src-nat to-addresses=XX.XX.XX.11 src-address=192.168.Z.11
 3   ;;; masquerade hotspot network
     chain=srcnat action=masquerade src-address=192.168.Y.0/24
EDIT: forgot to add the routing table
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC         GATEWAY        DISTANCE
 0   S  0.0.0.0/0                           XX.XX.XX.254   1
 1 ADC  192.168.Y.0/24     192.168.Y.1      ether2         0
 2 ADC  192.168.Z.0/24     192.168.Z.254    ether2         0
 3 ADC  XX.XX.XX.0/24      XX.XX.XX.12      ether1         0
Among other things, I tried to define the admin network in ether3 and plugged an external switch to ether2, ether3 and the antenna. That worked. The problem is I need to do this solution for over 45 places. I’m sure there should be a better way to do it.
So, I tried to define some switched ports instead of the external switch. Like this:
/interface ethernet print
------------------------------------------------------------------
Flags: X - disabled, R - running, S - slave
 #    NAME     MTU   MAC-ADDRESS        ARP      MASTER-PORT  SWITCH
 0    ether1   1500  00:0C:42:51:74:F9  enabled
 1    ether2   1500  00:0C:42:51:74:FA  enabled  none         switch1
 2    ether3   1500  00:0C:42:51:74:FB  enabled  none         switch1
 3 S  ether4   1500  00:0C:42:51:74:FC  enabled  ether3       switch1
 4 S  ether5   1500  00:0C:42:51:74:FD  enabled  ether3       switch1
 5    ether6   1500  00:0C:42:51:74:FE  enabled  none         switch1
 6    ether7   1500  00:0C:42:51:74:FF  enabled  none         switch1
 7    ether8   1500  00:0C:42:51:75:00  enabled  none         switch1
 8    ether9   1500  00:0C:42:51:75:01  enabled  none         switch1
I plugged a UTP cable from ether2 to ether3, and the “Wifi Antenna” into ether4, but that doesn’t work… the hotspot DHCP doesn’t offer addresses.
I also tried a hotspot NAT rule like this in order to masquerade all but requests going from the admin public IP:
 3   ;;; masquerade hotspot network
     chain=srcnat action=masquerade src-address=192.168.Y.0/24 dst-address=!XX.XX.XX.11
But nothing changed.
There must be a NAT rule for the hotspot that doesn’t collide with the administration ones. I’m sure, but can’t find out how to do it.
Thanks again.
Ely.