Connecting Mikrotik Router and Mikrotik AP

MarekDuchac · May 24, 2020, 5:36pm

Hey guys,
I still don’t know how to connect two separate networks on Mikrotiks together. I read many articles, documents but w/o success.I hope, somebody can help me here.

I have Router RouterBOARD 750G r3 and AP RBcAPGi-5acD2nD, where I just want to connect from wifi to LAN clients of the router.
Router (192.168.88.1) with bridged 4 eth ports, where 1 port is connected to first LAN of the AP
AP (192.168.10.1, bridged wifi ports)

I set static routes, but probably it’s not enough - PC2 can’t see PC1 according to picture above.

Config exports in attachment included.
config_router.rsc (4.15 KB)
config_AP.rsc (4.29 KB)

anav · May 25, 2020, 12:06am

Get rid of capsman and I will be more than happy to help.
Also, do you plan on providing guest and home user wifi
in other words wifi for home user on .88 network and guests on .10 network ??

Are there separate groups of users?

MarekDuchac · May 25, 2020, 8:16am

Thanks for reply.

Capsman should be disabled, I hope, I’ll check.
Idea behind is: .88 network, there are connected devices like Storage, TVs, media box etc. And I wanted to have separate network .10, where I will connect home users and friends.
So basically it could be one network, but I think it’s not secure enough because of my devices in .88 network

MarekDuchac · May 25, 2020, 5:06pm

Capsman, totaly deleted, but anyway issue still present.

anav · May 25, 2020, 5:35pm

Please repost configs and I will take a look gladly!!

MarekDuchac · May 25, 2020, 5:42pm

reposted config here (new router config)

thx
config_AP.rsc (4.29 KB)
config-router.rsc (3.54 KB)

anav · May 25, 2020, 6:47pm

Assumptions:
(1) You want two subnets. I will use vlans but you get the idea for a clean config/.
(2) I will assume the AP serves both smart devices and homeusers (on different SSIDs etc, with smartdevices using 2.4ghz and homeusers using 5ghz)
(3) eth4 goes to AP
(4) eth1 goes to WAN
(5) Ether 2,3 go to PCs on home network
(6) Ether 5 goes to a smart device.

Changes and mods to setup below.

Router Setup.
/interface ethernet
set [ find default-name=ether1 ] comment=Port1 name=ISP_eth1 speed=
100Mbps

/interface bridge
add bridge=home-bridge vlan-filtering=yes (the vlan-filtering=yes is last step in config)

/interface vlan
add interface=home-bridge name=Devices-LAN_22 vlan-id=22
add interface=home-bridge name=Home-LAN_11 vlan-id=11

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add interface=Devices-LAN_22 list=LAN
add interface=Home-LAN_11 list=LAN
add interface=ISP_ether1 list=WAN

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip pool
add name=pool-dhcp_devices ranges=192.168.88.100-192.168.88.200
add name=pool-dhcp ranges=192.168.10.100-192.168.10.200

/ip dhcp-server
add address-pool=dhcp_devices disabled=no interface=Devices-LAN_22
add address-pool=dhcp disabled=no interface=Home-LAN_11

/ip address
add address=192.168.88.1/24 comment=“Devices” interface=Devices-LAN_22 network=
192.168.88.0
add address=192.168.88.1/24 comment=“Home users” interface=Home-LAN_11 network=
192.168.88.0

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1

/interface bridge port
add bridge=home-bridge LAN interface=ether2 pvid=11 frame-types=admit-only-untagged-and-priority-tagged {access port}
add bridge=home-bridge LAN interface=ether3 pvid=11 frame-types=admit-only-untagged-and-priority-tagged {access port}
add bridge=home-bridge LAN interface=ether4 ingress-filtering=yes {trunk port carrying vlans 11,22}
add bridge=home-bridge LAN interface=ether5 pvid=22 frame-types=admit-only-untagged-and-priority-tagged {access port}

/interface bridge vlan
add bridge=home-bridge tagged=homebridge,ether4 untagged=ether2,ether3 vlan-ids=11
add bridge=home-bridge tagged=homebridge,ether4 untagged=ether5 vlan-ids=22

/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1,8.8.8.8

/ip dhcp-client
add add-default-route=yes comment=defconf disabled=no interface=ISP_eth1
use-peer-dns=no use-peer-ntp=no

/ip firewall filter
{input chain}
add action=accept chain=input comment=“defconf: accept established,related”
connection-state=established,related disabled=yes
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” disabled=yes
protocol=icmp
add action=drop chain=input comment=“Default Firewall - drop all not coming from LAN” in-interface-list=!LAN (this replaces the botched rule that blocked all from WAN)

/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
out-interface-list=WAN

/ip route
keep default setting established by the default rules when first hooking up to the internet

/tool mac-server
set allowed-interface-list=NONE

You can do this as well by assigning two different subnets one on a bridge and one off a bridge etc…
I prefer vlans for firewall rules and clear separation at layer 2 between subnets regardless of where vlans are located.
They are also much easier to deal with when porting subnets to different devices such as switches and access points.

anav · May 25, 2020, 7:11pm

Access Point.
Assumptions
(1) trunk port from router is ether1
(2) ether 2 is going to a PC on home vlan.
(3) Wlan1 is to devices
(4) Wlan2 is to home users.

added changes or modifications

/interface ethernet
set [ find default-name=ether1 ] name=LAN_router

/interface bridge
add admin-mac=48:8F:5A:08:87:DD auto-mac=no comment=defconf name=wifi-bridge

/interface vlan
add interface=home-bridge name=Devices-LAN_22 vlan-id=22
add interface=home-bridge name=Home-LAN_11 vlan-id=11

/interface list
add comment=defconf name=LAN
add comment=defconf name=HOMEUSERS

/interface list member
add interface=Devices-LAN_22 list=LAN
add interface=Home-LAN_11 list=LAN
add interface=ether2 list=LAN
add interface=Home-LAN_11 list=HOMEUSERS
add interface=ether2 list=HOMEUSERS

/ip neighbor discovery-settings
set discover-interface-list=HOMEUSERS

/interface bridge port
add bridge=wifi-bridge comment=defconf interface=LAN_router ingress-filtering=yes
add bridge=wifi-bridge comment=defconf interface=ether2 pvid=11 frame-types=admit-only-untagged-and-priority-tagged
add bridge=wifi-bridge comment=defconf interface=wlan1-2-4GHz pvid=22 frame-types=admit-only-untagged-and-priority-tagged
add bridge=wifi-bridge comment=defconf interface=wlan2-5GHz pvid=11 frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
add bridge=wifi-bridge tagged=wifi-bridge,LAN_router untagged=ether2,WLAN2-5Ghz vlan-ids=11
add bridge=wifi-bridge tagged=wifi-bridge,LAN_router untagged=WLAN1-2-4GHz vlan-ids=22

No requirement for DHCP
No requirement for FW rules
Ensure Device gets an IP from vlan11 (setup vlan 11 first on the router than attach the device to the router and should acquire an IP on vlan 11 automatically.
Then make it static on the router under leases, then finish configuring the device.