CRS125-24G-1S-IN + RB951G configuration

Hi MT community,

I was inspired enough by the RB951G as my home router that I decided to upgrade my office network with MT hardware. We have a quite simple network of up to 20 users (LAN+wifi) with a Windows server and a few remote desktop users. My plan is to upgrade the old 24-port switch to a CRS125 to do switching, routing, DHCP, internet gateway, firewall… but since it will be installed in a sort of closed server room, I need another device for wifi in the office (semi-open space of 3 rooms) and I think an RB951G will be perfect for this. I pretty much have the picture of how to configure the CRS125, but I’m confused about the wifi AP. I need the RB951G to be just a switch and wifi AP. Wireless users should get IPs from the same subnet as CRS125 LAN users. So in RB951…

  1. I add DHCP client to ether1 and connect it to crs125
  2. bridge ether2+wlan1, or do I also need ether1 in the bridge?
  3. but in what mode should I configure for wlan interface? “ap bridge” or “bridge”?
  4. Do I need to configure address pool, firewall/NAT rules on rb951 or it will get it from CRS125?

I found a lot of tutorials on configuring PTP connections with 2 MikroTiks, but none on my scenario… :confused: please advise

Thanks.

First of all, you may not want to use the CRS125 for routing purposes. Its CPU is not so fast, but it is a very good product for switching. If possible it’s better to have a separate routerboard with a faster CPU for routing.

  1. You need to make ether1 the master port for the other ports on RB951. Then you create a bridge and add only the master port (ether1) and the wlan interface. You need to configure a DHCP client on the bridge interface. Now all ports and wlan will be in the same subnet, so your DHCP server will give addresses to all your clients including the RB951.
  2. In this kind of setup, when the whole net is in one logical segment (switch master port + wlan interface in the same bridge, all other ethernet ports as slaves of the master), you need only add the switch master port (for example ether1) and the wlan interface to the bridge as ports.
  3. ap bridge - for many clients, bridge - for one client. If you have many devices connecting to the AP, choose ap bridge.
  4. This depends on your network topology.
    → CRS as switch + router, all ports in the same switch chip on RB951, bridged with wlan - you configure your pools, etc. on CRS.
    → CRS as switch, your uplink is on ether1 on RB951, ether2 as master for LAN, other ethernet ports are slaves of ether2, bridge ports: ether2, wlan - your RB951 acts as router and DHCP server, so pools must be configured on RB951.
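The first topology (CRS does routing and DHCP, RB951 is only switch + AP) written out as RouterOS v6 commands, as an added example that is not from the thread. Interface names follow the reply; the bridge name, SSID, band, WPA2 profile and the input-chain rules are assumptions.

```routeros
# RB951G, starting from a blank config (/system reset-configuration no-defaults=yes)
# ether1 is the uplink to the CRS125 and the switch master; ether2-5 are its slaves
/interface ethernet
set ether2 master-port=ether1
set ether3 master-port=ether1
set ether4 master-port=ether1
set ether5 master-port=ether1

# The bridge holds only the master port and the wireless interface
/interface bridge
add name=bridge-lan protocol-mode=none
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=wlan1

# WPA2-PSK profile; the key is a placeholder
/interface wireless security-profiles
add name=office-wpa2 mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=CHANGE_ME
# ap-bridge = many clients (bridge mode would allow a single client only)
/interface wireless
set wlan1 mode=ap-bridge ssid=office band=2ghz-b/g/n security-profile=office-wpa2 disabled=no

# The RB951 gets its own management address from the CRS DHCP server through the bridge,
# so no pool, DHCP server or NAT is configured on this device at all
/ip dhcp-client
add interface=bridge-lan disabled=no

# Management is reachable only from the LAN side; everything else is just switched traffic
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=bridge-lan action=accept
add chain=input action=drop
```

After this, `/ip dhcp-server lease print` on the CRS should list the RB951 itself next to the wired and wireless clients.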

Thanks, I got the idea. My plan is this scenario:
→ CRS as switch + router, all ports in same switch chip on RB951, bridged with wlan - you configure your pools, etc on CRS.

Let’s say my CRS address pool for the office LAN is 192.168.11.1/24 and I also add a virtual AP on RB951 for guests, say wlan2-guest. Then I set up another DHCP server on RB951 for wlan2 - 192.168.22.1/24. But:

  1. Does wlan2 have to be a member of the bridge?
  2. Where do I add firewall rules so the two subnets cannot access each other, on CRS or RB951?

If your guests will be connecting only from WLAN, you don’t need to add the wlan interface to a bridge. Just add an IP address directly to wlan2, adjust the DHCP server on wlan2 and some pools for it on RB951. But here you will have some problems. As your router for the LAN subnet will be CRS and your router for the guest wlan is on RB951, to connect from one network to the other you need to add some subnet between CRS and RB951 to route traffic between the two subnets.
Maybe the better way is not to route traffic for guests on RB951 but to create a separate VLAN for it and add it tagged on CRS and RB951. In this situation you’ll need to add the IP address and DHCP config on the vlan interface of CRS. You don’t need any IP on RB951 for it, just bridge the wlan2 interface and the vlan interface.

wlan2 bridged with vlan int. on RB951
vlan interface is tagged vlan on RB951 interface ether1 for example (master for other ports and connected to CRS).
vlan interface is tagged vlan on CRS interface going to RB951
IP address for routing on vlan interface on CRS
DHCP config for vlan int on CRS
Firewall rules on CRS
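The VLAN variant just listed, written out for both devices as an added example (not from the thread). VLAN id 22, the interface and bridge names, the guest subnet 192.168.22.0/24 from earlier in the thread, and ether3 as the CRS port facing the RB951 are assumptions; the switch-chip lines use the CRS1xx/2xx RouterOS v6 syntax and should be checked against the model's manual.

```routeros
# --- RB951G: guest SSID bridged into tagged VLAN 22, no IP address on this side ---
# Tagged VLAN on the master/uplink port ether1; the LAN bridge from before is untouched
/interface vlan
add name=vlan22-guest vlan-id=22 interface=ether1
# Virtual AP on wlan1; default-forwarding=no stops guest clients from seeing each other
/interface wireless security-profiles
add name=guest-wpa2 mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE_ME
/interface wireless
add name=wlan2-guest master-interface=wlan1 mode=ap-bridge ssid=guest security-profile=guest-wpa2 default-forwarding=no disabled=no
# Second bridge carries only the guest SSID and the VLAN interface
/interface bridge
add name=bridge-guest protocol-mode=none
/interface bridge port
add bridge=bridge-guest interface=wlan2-guest
add bridge=bridge-guest interface=vlan22-guest

# --- CRS125: ether2 is the switch master (as in the thread); assume ether3 goes to the RB951 ---
# Switch-chip VLAN table: VLAN 22 leaves tagged toward the RB951 and toward the CPU
/interface ethernet switch vlan
add vlan-id=22 ports=ether3,switch1-cpu learn=yes
/interface ethernet switch egress-vlan-tag
add vlan-id=22 tagged-ports=ether3,switch1-cpu
# The routed side is a VLAN interface on the master port
/interface vlan
add name=vlan22-guest vlan-id=22 interface=ether2
/ip address
add address=192.168.22.1/24 interface=vlan22-guest
/ip pool
add name=guest-pool ranges=192.168.22.10-192.168.22.200
/ip dhcp-server
add name=guest-dhcp interface=vlan22-guest address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=192.168.22.0/24 gateway=192.168.22.1 dns-server=192.168.22.1
/ip dns
set allow-remote-requests=yes
# Guests get Internet only: no office LAN, and only DHCP/DNS on the CRS itself
/ip firewall filter
add chain=forward src-address=192.168.22.0/24 dst-address=192.168.11.0/24 action=drop comment="guest -> LAN"
add chain=input in-interface=vlan22-guest protocol=udp dst-port=67,53 action=accept comment="guest DHCP/DNS"
add chain=input in-interface=vlan22-guest action=drop comment="guest -> CRS"
```

Because the CRS is the guest subnet's router here, both directions of guest traffic pass its forward chain, which is what makes the single drop rule sufficient.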

Everything seems to be working fine in my test environment (RB951’s clients are getting IPs from CRS etc.) but there is one problem. When I activate the DHCP client on the RB951 bridge interface, I can’t see the RB951 itself in CRS’s client list and am unable to connect to RB951 with winbox until reset. It seems that RB951 itself is not getting an IP from CRS. When I try to connect with winbox to the RB951 MAC (it shows the IP in the list as 0.0.0.0) I get a timeout to port 20561. Any ideas what could be wrong?

Is your RB951 switch master port (ether1?) added as bridge port? Are your clients on wlan1 (I think it’s not guest wlan) receiving IP from DHCP server?

Yes, ether1 is master and bridged with wlan1. Solved already, it was some kind of winbox glitch, connected with another PC/winbox and it is fine now.

The problem now is Windows Server 2012 R2 Essentials not receiving an IP from CRS (all other LAN PCs are ok) :confused: it is visible in the LAN, but the IP is wrong and there is no internet. Network adapter settings are correctly set to auto.
On CRS I have ether1 as manual gateway and ether2 as master switch port. Do I need any bridges on CRS?

You don’t need any bridges on CRS at this time.
As for the Win Server PC, check the DHCP Leases tab.

I solved the Windows server problem and am now moving on to guest wlan configuration.

And if I just want to share internet with guests and isolate the guest wlan from my main LAN, should I be ok with this setup?

Yes, you should. Here you have two choices:

  1. Add a route to the guest subnet on CRS via RB951. NAT only to WAN.
  2. Add NAT on RB951 with SNAT (to source: IP address in the LAN connected to CRS) for guests. No need to add a route on CRS to guests in this setup, but it’s additional CPU load and memory use for NAT/connection tracking on RB951.

Continuing with the same setup, I also have a Dude server on CRS125, can access it remotely, and can also run tools/winbox remotely from the Dude. But I cannot access RB951 winbox from the Dude. I have opened the port on both devices for remote access but probably need some more firewall rules to access RB951 from the Dude remotely?

I can’t help you because I don’t use The Dude, as it’s not ported to GNU/Linux.
If it is using the API or winbox ports you certainly need to open these ports on RB951 in the filter input chain.

I configured guest wlan2 according to #1 by adding the route on CRS and it is ok, guest wlan users from RB951 are getting access to the internet, but they also have access to LAN file shares which I don’t want. I am adding a firewall input rule on CRS to drop everything from the guest subnet (192.168.11.0/24) to my LAN subnet (192.168.1.0/24) but this filter doesn’t work.
Please advise what I am doing wrong.

You need to use forward chain, not input to filter traffic between subnets.
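Option #1 from the earlier reply with the chain fix applied, as an added example that is not from the thread. It also goes one step past the reply: because the RB951 is the guest subnet's router and sits on the LAN segment, guest-to-LAN packets are forwarded by the RB951 straight to the LAN host and never transit the CRS, so the forward-chain drop has to be on the RB951. Subnets are the ones quoted above; the RB951's LAN-side address 192.168.1.2 and the wlan2-guest/ether1 interface names are assumptions.

```routeros
# --- CRS125: route the guest subnet via the RB951, NAT only toward WAN (ether1 = gateway port) ---
/ip route
add dst-address=192.168.11.0/24 gateway=192.168.1.2 comment="guest wlan behind RB951"
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# The rule from the post, kept disabled as the counter-example: the input chain only sees
# packets addressed to the CRS itself, so guest -> LAN transit traffic never matches it
/ip firewall filter
add chain=input src-address=192.168.11.0/24 dst-address=192.168.1.0/24 action=drop disabled=yes comment="wrong chain: never matches transit"
# input IS the right chain for keeping guests away from the CRS's own services (winbox, Dude, ...)
add chain=input src-address=192.168.11.0/24 action=drop comment="guest -> CRS services"

# --- RB951G: the router that actually carries guest -> LAN traffic, so the forward rule lives here ---
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=wlan2-guest dst-address=192.168.1.0/24 action=drop comment="guest -> LAN (file shares etc.)"
add chain=forward out-interface=wlan2-guest src-address=192.168.1.0/24 action=drop comment="LAN -> guest"
add chain=forward in-interface=wlan2-guest action=accept comment="guest -> Internet via CRS"
# Guests may use DHCP and DNS on the RB951 (guest DHCP server is here, per the thread) but nothing else
add chain=input in-interface=wlan2-guest protocol=udp dst-port=67,53 action=accept comment="guest DHCP/DNS"
add chain=input in-interface=wlan2-guest action=drop comment="guest -> RB951"
/ip dns
set allow-remote-requests=yes

# Check: from a guest client, a LAN share must time out while the Internet still works;
# the drop counters below should increase while the disabled CRS rule stays at zero
/ip firewall filter print stats where comment~"guest"
```

The forward rules on the CRS would only ever see guest traffic on its way out to the WAN in this topology, which is why moving the same rule from input to forward on the CRS alone is not enough.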