Connect to WiFi, Bridge to Ethernet (DHCP)

Hey all,

I’ve spent a little over a week now trying to connect my mAPlite to our work AP and then share that connection with the Ethernet port in order for HP BIOS Updater to be able to get a DHCP address and communicate with the internet.

Note:
I have tried the simple bridge method I’ve found on here but none of the PCs have been able to get a DHCP address via that method.

Where I’m At:
I have my mAPlite connected to our AP and receiving a DHCP address. I can also ping 8.8.8.8 from the mAPlite terminal. Now how in the world do I get it to bridge/share the connection with the Ethernet port and also give the device connected a DHCP address and have internet access?

I am more than happy to include screenshots, logs, etc.

Add bridge, then add all interfaces (wireless as well) to this bridge.
Make sure that the DHCP client is attached to the bridge and…you are done.

If that doesn’t work, please share the config (and remove serial and any other private information):

/export file=anynameyoulike

Hi,

In general attempting to bridge wifi clients doesn’t work.

If the AP is a MikroTik running 6.xx versions, it has features that do work well with MikroTik clients, just choose station bridge on the maplite, and add it to the bridge. (choose ap bridge on the MikroTik AP)

Otherwise, you can try setting the maplite wifi client to be a station pseudo bridge.
That sort of works, sometimes.

Unless you really need it bridged, you are probably better off just making the wifi interface a WAN interface, and letting the devices behind it get an IP address from the maplite’s local DHCP server and get to the main network via NAT.

First, make sure that you can connect your mAPlite to the AP by setting the wireless mode to “Station”. This is the faster and easier way to connect to another non-Mikrotik AP device.
Of course you’ll also need to set up your MK device accordingly since you’ll be adding another NAT layer. However, it’s not a big deal most of the time.

Okay I will try the above tips. I am connecting to an Aruba enterprise AP.

# 1970-01-02 00:06:30 by RouterOS 7.11.2
# software id = W08P-ZA83
#
# model = RBmAPL-2nD
# serial number = SERIALNUMBER

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=2427 \
    ssid=SSIDNAME
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
/ip dhcp-client
add interface=bridge1
/system note
set show-at-login=no

Here is another configuration I'm trying.
I'm able to get an IP from the mAPlite on the connected PC.
I'm able to get an IP from the Wireless AP on the mAPlite.
From the computer I am able to ping the IP that the mAPlite received from the AP
I am still not able to ping 8.8.8.8 from the PC.

# 2023-10-04 12:54:19 by RouterOS 7.11.2
# software id = W08P-ZA83
#
# model = RBmAPL-2nD
# serial number = XXXXXXXXXXXXX

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=2427 \
    ssid=SSIDNAME
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=10.10.10.1-10.10.10.199
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=wlan1 trusted=yes
/ip address
add address=10.10.10.254/24 interface=bridge1 network=10.10.10.0
/ip dhcp-client
add interface=bridge1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=192.168.178.254,10.10.10.254 gateway=\
    10.10.10.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall nat
# in/out-interface matcher not possible when interface (wlan1) is slave - use master instead (bridge1)
add action=masquerade chain=srcnat out-interface=wlan1
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no

Here is another attempt:
/interface bridge
add name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn disabled=no ssid=SSIDNAME \
    wireless-protocol=nv2-nstreme-802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.25
/ip dhcp-server
add address-pool=dhcp interface=ether1 name=dhcp1
/interface list member
add interface=wlan1 list=WAN
add list=LAN
/ip address
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
/ip dhcp-client
add interface=wlan1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24

I am assuming the Aruba is using something more than a basic wpa2 psk.

The following might be helpful.

https://nixfaq.org/2020/06/using-a-mikrotik-router-as-a-wireless-client-station-to-a-802-1x-eap-secured-wifi-network.html

Once you get the map lite connected to the ap you can work through the rest.

Thank you that helped and I also ended up getting it to work, finally two weeks after getting it from Amazon lol

I’ll post the configuration later today in the hopes it might help someone in the future!

Here is the final WORKING config:

I think the things I was missing were these two options:
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat

/interface bridge
add name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn disabled=no mode=\
    station-pseudobridge ssid=SSIDNAME wireless-protocol=\
    nv2-nstreme-802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.25
/ip dhcp-server
add address-pool=dhcp interface=ether1 name=dhcp1
/interface list member
add interface=wlan1 list=WAN
add list=LAN
/ip address
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
/ip dhcp-client
add interface=wlan1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat

Sooooo

Can anyone possibly clue me into why my working config above doesn’t work when I simply change the WLAN to a different Guest network and change the Security Profile password?

Hi,

Not sure, but you could try to change the wireless band to be 2ghz bgn.
Also make wlan1 station (only)


Also, I think this:
add action=masquerade chain=srcnat

should be:
add action=masquerade chain=srcnat out-interface-list=WAN

(But this change is unlikely to fix your wifi connection problem)


After you get this all working ok,
You might perhaps consider the following.

The router’s default configuration is quite good, and moderately secure.
However, it is backwards to what you want (ethernet is the WAN port, wifi is the LAN port).

If you were to trial starting from default (again)
(Sorry, this is a bit long)

I would suggest you back up and export your current working configuration,
reset to defaults, and connect via unsecured wifi.

Temporarily give yourself better access to device.

Under ip firewall filter
disable the rule that blocks all input from not Lan

ip neighbours
Enable discovery on all interfaces

Then

Add the ether1 to the bridge ports
Disable/Remove the dhcp client from ether1

You should now be able to plug the router into your PC via ethernet and login to it from ether1.

Remove wlan1 port from bridge
add a dhcp client to wlan1

Interface, Interface lists, Add WLan1 to the WAN interface list
Disable the WAN entry for ether1

Now reconfigure your wlan1 as a client.

Once you get it to a good state again, you could/should? consider reverting the ip firewall and ip discovery changes above.
depends a bit on where you are using it.
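
An added example (not code from the thread or from MikroTik): a small Python check run over the final working config posted earlier, flagging the unscoped masquerade rule pointed out in the reply above plus two related exposures, a DNS resolver enabled with no input-chain firewall rule in front of it and a Wi-Fi security profile that still permits WPA/TKIP. The finding names and the "any input-chain rule counts as filtered" heuristic are assumptions of this example.

```python
import re

# Constructed sample based on the thread's final working config (continuations restored).
SAMPLE_EXPORT = r"""
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat
"""

def parse_export(text):
    """Return [(menu_path, {key: value}), ...] for every command in an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join continuation lines
    path, commands = None, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue  # skip blanks and export comments
        if line.startswith("/"):
            path = line  # menu path applies to the commands that follow
        else:
            commands.append((path, dict(re.findall(r"([\w-]+)=(\S*)", line))))
    return commands

def audit(text):
    """Return sorted finding names (hypothetical labels chosen for this example)."""
    cmds = parse_export(text)
    # Coarse heuristic: any input-chain filter rule counts as "router is filtered".
    filtered = any(p == "/ip firewall filter" and a.get("chain") == "input"
                   for p, a in cmds)
    found = set()
    for path, a in cmds:
        if (path == "/ip firewall nat" and a.get("action") == "masquerade"
                and not any(k.startswith("out-interface") for k in a)):
            found.add("masquerade-not-scoped-to-wan")
        if path == "/ip dns" and a.get("allow-remote-requests") == "yes" and not filtered:
            found.add("dns-answers-on-all-interfaces")
        if path == "/interface wireless security-profiles":
            ciphers = a.get("unicast-ciphers", "") + "," + a.get("group-ciphers", "")
            auth = a.get("authentication-types", "").split(",")
            if "tkip" in ciphers.split(",") or "wpa-psk" in auth:
                found.add("legacy-wpa-or-tkip-allowed")
    return sorted(found)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```

Run it over the text produced by /export before leaving the device on a shared network; an empty result only means none of these three patterns matched.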






Thank you for taking so much time to write out that information!

So my main use scenario is to temporarily connect to my work WiFi and allow me to connect our HP PCs up to ethernet (as there are no local LAN lines run) and access the internet while in the BIOS in order to pull Firmware Updates for the PCs. Once they’re booting into Windows they can use the internet just as well, and yes I know I can update the BIOS from within Windows 😛

Another scenario is having a network printer needing to be moved to a location in the plant that doesn’t have a line run to it yet, this will let me use the Mikrotik as a temporary bridge until our electrician can come and run a line.

Also I had a lot of fun learning how to achieve this configuration so far. I even bought another mAPlite in hopes that I can even more easily connect one of them to our network switches and have it share that with a Mikrotik wirelessly and bridge it to the ethernet of that device.

Cool,

Another thought, if you have any spare Arubas, lots of the newer enterprise devices will do a mesh.
You could get its user guide, and if it does do mesh set that up.

This will give a much faster network than the maplite.

Yup our Aruba APs are in a mesh. I’m using the mAPlite to connect devices that don’t have a wired connection run to them and only have ethernet for network access.

This is just used to temporarily get equipment running until we have our electrician run a network cable to the device.

I bought a 2nd mAPlite. I backed up the working mAPlite and tried to restore it to the new 2nd mAPlite but it doesn’t work. Is there something that wouldn’t be in the backup?

I returned the 2nd mAPlite since I really didn’t understand why the 2nd mAPlite wouldn’t run using the backup config from the working.

I got the first one running and that’s all I really need.

Yes,

Restoring a backup onto a different router (Unfortunately even of the same model router) usually doesn’t work.

You need to copy and paste in the text configuration, which will also often need some minor changes (e.g. bridge MAC addresses) on the fly. You also need to take care not to lock yourself out partway through.