Destination Unreachable adding a hotspot

Have never used Mikrotik RouterOS 2.95. System was set up before I started.

Problem: when I pathping my AP's static IP I get the destination unreachable error. It goes through the switch, through the firewall/router, but when it gets to the Mikrotik system that's where the ping stops. Cannot ping the Mikrotik router from the AP either. When I plug in the AP and connect to it, using my laptop, I do get to the outside world, but cannot manage the AP except through the console.

Currently there are 6 APs set up and functioning and I can ping them with the correct response.

DO NOT tell me to read the manual. 1) The manual is written for those that have used the product before and 2) I have read a good portion of the manual and do not understand why I am being stopped at the router.

I promise I will not tell you to read the manual YET!

Does the hotspot work ok? Does it let you login? If so, login and try the ping. The hotspot stops just about everything.

If you want to ping the other way, you will have to let those devices past the hotspot. This is done in /ip hotspot ip-binding.
/ip hotspot ip-binding add address=192.168.0.3 type=bypassed
That will let an AP with the IP 192.168.0.3 through both ways. You should be able to ping it, and it will be able to ping past the MT box.

I apologize. That is what I am saying. The person before me did not set up the Mikrotik system as it should be set up. When I went to the command prompt these are the options I get:

IP options

.. – go up to root
service/ – IP services
upnp/ – Universal Plug and Play
arp/ – ARP entries management
socks/ – SOCKS version 4 proxy
dns/ – DNS settings
traffic-flow/ –
address/ – Address management
proxy/ –
pool/ – IP address pool
vrrp/ – Virtual Router Redundancy Protocol
accounting/ – Traffic accounting
packing/ – Packet packing settings
neighbor/ – Neighbors
route/ – Route management
firewall/ – Firewall management
dhcp-client/ – DHCP client settings
dhcp-relay/ – DHCP relay settings
dhcp-server/ – DHCP server settings
ipsec/ – IP security
export –

That is why I am confused. I would ask the person I replaced, but I believe they left on a sour note.

Thank you.

My bad, I misunderstood. Do you have to login to access the internet (hotspot gateway) or just connect and go (router)?

In the meantime, check this:
/ip route print
Ensure there is a gateway setting to your internet interface gateway IP address. Ensure there is an ‘r’ preceding the gateway IP when you print the list. If it shows ‘u’, it will not find the gateway and the internet.

and this:
/ip firewall nat print
There should be some type of srcnat or masquerade rules there to your internet interface or IP address.

and this:
/ip firewall filter print
Check to see if there is a rule blocking access to all, like:
chain=input action=drop

You did not mention, but I am curious. What hardware is this RouterOS installed in?
And what level license does the RouterOS have?
/system license print

If this is the first time a pc or laptop connects they have to register. Once that has been completed any time after that, for a period of time, they can just connect.

ip route print produces:
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 ADC 10.x.x.x/x 10.x.x.x some name
1 A S 10.x.x.x/x 10.x.x.x r 10.x.x.x some name
2 ADC 10.x.x.x/x 10.x.x.x some name
3 A S 0.x.x.x/x r 10.x.x.x some name

ip firewall nat print produces:
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=srcnat action=masquerade out-interface=(unknown)

/ip firewall filter print produces:
Flags: X - disabled, I - invalid, D - dynamic

Level 5 license and the software is installed on a 1u server 1.86 Mhz 1 G Ram 80 G hard drive.

The nat rule is bad. You need to change that unknown to the interface where the gateway is. Like:
/ip firewall nat set 0 out-interface=ether1

I changed the out-interface parameter to the only two choices and it did not make a difference.

When you changed the masquerade, did the X disappear? It was:
0 X chain=srcnat action=masquerade out-interface=(unknown)
It should be:
0 chain=srcnat action=masquerade out-interface=ether1

The X indicates it is disabled.

Since I am not as familiar with this system I used WinBox to change the parameter. What I did is this:

  1. Enabled this item.
  2. Double-clicked and went to that parameter.
  3. Chose LAN; there were two options, LAN and HotSpot. I chose LAN because I believe this is the NIC that is the path to the outside world. In either case this did not work so I selected the other option and that did not work either.
  4. Disabled it again.

Enable the masquerade on LAN and post the new firewall nat rules again.
You need this (or a srcnat), or nothing goes out of the LAN to the internet.

Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=Lan

Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=HotSpot

After setting both interfaces as out and rebooting the router software, when I pathping from my system I get the error below.

2 hotspot.umary.edu [10.x.x.x]
3 hotspot.umary.edu [10.x.x.x] reports: Destination host unreachable

The out-interface needs to be the one connected to the internet (ether1 maybe?), not lan or hotspot.
If you look in
/ip route print
it will be the interface with the “r” and an IP after it.
Hang in there. You almost have it. :smiley:

Output from ip route print.

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 ADC 10.x.x.x/x 10.x.x.x Lan
1 A S 10.x.x.x/x 10.x.x.x r 10.x.x.x Lan
2 ADC 10.x.x.x/x 10.x.x.x HotSpot
3 A S x.x.x.x/x r 10.x.x.x Lan

I believe lan is the interface you are asking for.

My bad. I guess it is lan. But I think it needs a default route now that you showed me the names.
Try
/ip route add gateway=10.x.x.x
Use the IP after the “r” in the other entry

The first entry should now be:
0 A S 0.0.0.0/0 r 10.x.x.x 1 Lan

ADD: Is the IP after the ‘r’ in line 3 the same as line 1?
Also check
/ip address print
and see if there are any other interfaces assigned addresses not listed in the route section.

BTW, if that gateway entry was not there when you took over, then I would guess that your opinion of the former employee is correct. Without that gateway, the system is pretty much down, and he/she certainly should have known that.

When I pull up Winbox and do IP Routes it has 4 listed:

Destination: 0.0.0.0 Gateway: 10.10.x.1 Interface: LAN
Destination: 10.10.x.x Pref. Source: 10.10.x.2 Interface: LAN
Destination: 10.10.x.x Gateway: 10.10.x.1 Pref. Source: 10.20.x.1 Interface: LAN
Destination: 10.20.x.x Pref. Source: 10.20.x.1 Interface: Hotspot

Is the information already set for the gateway?

If 10.10.x.1 is the interface IP of the router/computer that connects your router to the internet, then you are set.

How does your network get to the internet? Is it through a computer/router on the Lan interface? Or does your network get to the internet through this router that you are working on?

This list does not agree with the list from the /ip route print.

Don’t worry too much about giving anyone your IP addresses here. Those (10.x.x.x) are all private IPs.
Just to make you feel better, here are mine inside my network:
My main router is 10.0.0.1/24
My rooftop AP/hotspot is 10.0.1.2/24
At the tennis courts hotspot is 10.0.2.2/24
You can’t get to them from a public IP unless you are me from my computers. :smiley:

Here is the ip route print information

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 ADC 10.10.16.0/20 10.10.16.2 Lan
1 A S 10.10.32.0/20 10.20.1.1 r 10.10.16.1 Lan
2 ADC 10.20.0.0/16 10.20.2.1 HotSpot
3 A S 0.0.0.0/0 r 10.10.16.1 Lan

The APs are attached to a switch which goes through the Mikrotik router, but I am only guessing the LAN is out and HotSpot is in. The Mikrotik router has a path through a switch to a router/firewall which allows traffic in and out. I spoke with the person who left this position and he said that nothing should have to be done except assign the APs a 10.20.1.x address and put them on the proper VLAN of the correct switch. Well, I believe that I have done this and cannot pull them up in the web or telnet to them. I can see them broadcasting with NetStumbler.

If they are behind the hotspot, and all that seems to be “wrong” is you can’t ssh, telnet, ftp, etc. to them, then you are there!
/ip hotspot ip-binding add address=10.20.1.0/24 type=bypassed
This will bypass all the APs through the hotspots. (Ensure no clients get a 10.20.1.x IP!)
That will allow you to telnet, ssh, etc and bypass the hotspot. The hotspot may be letting your requests in, but the hotspot is blocking their response unless you bypass them.

ADD: You must do this also if you expect anything like NTP to work on the APs. Otherwise, the hotspot blocks the requests.
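
The warning above about clients landing in the bypassed range can be checked mechanically. The Python sketch below is an added example, not part of the original thread: it compares bypassed /ip hotspot ip-binding entries with /ip pool ranges and reports any pool that could hand a client an address that skips hotspot login. The export text, pool names and function names are constructed for illustration; only the 10.20.1.0/24 bypass line comes from the thread.

```python
import ipaddress
import re

# Constructed sample in RouterOS export style; only the bypassed /24 is from the thread.
SAMPLE_EXPORT = """\
/ip hotspot ip-binding
add address=10.20.1.0/24 type=bypassed
add address=10.20.5.7 type=blocked
/ip pool
add name=hs-pool ranges=10.20.0.10-10.20.1.50,10.20.2.1-10.20.2.254
add name=guest-pool ranges=10.20.3.1-10.20.3.254
"""

def parse_sections(text):
    """Map each '/menu path' line to the key=value dicts of its 'add' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return sections

def pool_networks(ranges):
    """Expand 'a-b,c-d' (or single addresses) into CIDR blocks."""
    for part in filter(None, ranges.split(",")):
        first, _, last = part.partition("-")
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last or first)
        yield from ipaddress.summarize_address_range(lo, hi)

def bypass_overlaps(text):
    """Return (pool name, bypassed network, overlapping block) for every clash."""
    sections = parse_sections(text)
    bypassed = [ipaddress.ip_network(b["address"], strict=False)
                for b in sections.get("/ip hotspot ip-binding", [])
                if b.get("type") == "bypassed" and "address" in b]
    hits = []
    for pool in sections.get("/ip pool", []):
        for block in pool_networks(pool.get("ranges", "")):
            for net in bypassed:
                if block.overlaps(net):
                    hits.append((pool["name"], str(net), str(block)))
    return hits

if __name__ == "__main__":
    for name, net, block in bypass_overlaps(SAMPLE_EXPORT):
        print(f"pool {name}: {block} falls inside bypassed {net}")
```

Any hit means the pool should be trimmed or the bypass narrowed to the individual AP addresses, as in the earlier single-address binding.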

Thank you for all your help. I can get to my AP with the web and I can ping it and tracert it. The only problem I have now is that the new AP will not provide an IP when I connect to it.

I don’t know how your network is set up. What device make/model is the AP?
Did it issue IPs before these changes?
Check the other APs and see how they are set up, especially the dhcp server and IP addresses on the wireless interfaces.
/ip dhcp-server
/ip address