I have an old AirPort Express (AE) which I want to replace by a cAP.
The configuration of the AE is as follows:
- It has a fixed address xxx.xxx.xxx.185 on our public network with netmask 255.255.255.0 and router (gateway) address xxx.xxx.xxx.254
- It acts as a router (not as a bridge) and creates a WiFi network, say myWIFI
- As a DHCP server it distributes just 4 addresses, xxx.xxx.xxx.186 → 189, and does not do NAT
- The Apple configuration indicates that the WAN and LAN addresses of the AE are the same, i.e. xxx.xxx.xxx.185 ( ? )
With that config any device connected to myWIFI is of course part of our network and sees the printer and other machines.
I tried modifying the default setup of the cAP without success, using either the phone app or WinBox (I do not know much about networks, to say the least).
What should be my configuration?
Thanks for any help
Terminal
export file=anynameyouwish
Move the file to your PC, obfuscate sensitive info so we know it’s there (serial, passwds, …)
Post back here between [code] [/code] quotes.
This is what I use for the moment, but it is not what I want.
I do not want a subnet, but everything to be part of the main network, with the cAP doing the authentication by password (all other machines are authenticated by MAC address), and distributing a subset of the pool of 254 available addresses. There is already a DHCP server on the main network used for laptops connecting by Ethernet cable and whose MAC addresses are registered. The WiFi would be used for unregistered devices.
That’s an incompatible wish given your prior requirement that it be a router and not a bridge. The IP schemes have to be different on each side for routing to do its thing. There is no this side/that side distinction otherwise.
The wifi would be used for unregistered devices
That sounds like guest networking to me, except that the “guests” in this case (what you call “unregistered devices”) do get to talk to the private LAN as well as the Internet. Basically, take my config and remove some of the firewall rules to suit.
The only other tricky bit is going to be getting Bonjour printer discovery working, if you weren’t using direct IPs. The new mDNS repeater feature can help here.
What I want seems to me quite simple, but I cannot figure out how to do it.
I attach a drawing of my needs here.
Remark: I have no control over the gateway, but of course full control of the MikroTik cAP.
As was stated, we understand your request; the problem is you don’t understand how basic networking functions…
If you want all to be on the same network… then do the following. Otherwise, I suggest creating a separate subnet on the main router, best done through VLANs.
/interface bridge
add ingress-filtering=no name=bridgecap vlan-filtering=no
/interface ethernet
set [ find default-name=ether2 ] name=OffBridge2
/interface list
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
management-protection=allowed mode=dynamic-keys name=guest_Security \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] ampdu-priorities=0,1,2,3,4,5 band=5ghz-a/n/ac \
channel-width=20/40mhz-Ce country=canada disabled=no frequency=5220 \
guard-interval=long mode=ap-bridge name=homeWLan5 security-profile=\
home_Security skip-dfs-channels=all ssid=5GHz-connection wireless-protocol=802.11 \
wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan1 ] ampdu-priorities=0,1,2,3,4,5 band=2ghz-g/n \
basic-rates-b="" country=canada frequency=2437 guard-interval=long mode=\
ap-bridge name=homeWLan2 rate-set=configured security-profile=\
media_Security skip-dfs-channels=all ssid=2GHZ-connection supported-rates-b=\
11Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface bridge port
add bridge=bridgecap interface=homeWLan2
add bridge=bridgecap interface=homeWLan5
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=819
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add interface=bridgecap list=TRUSTED
add interface=OffBridge2 list=TRUSTED
/ip address
add address=X.X.10.185/24 interface=bridgecap network=X.X.10.0
add address=192.168.55.1/30 interface=OffBridge2 network=192.168.55.0
/ip dns
set servers=X.X.10.1
/ip route
add dst-address=0.0.0.0/0 gateway=X.X.10.1 routing-table=main
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
Use ether2 for what I call OffBridge access: direct access without any bridge affiliation. Perhaps not as critical since you are not doing VLANs, but still recommended.
Just connect your laptop to ether2 and change its IPv4 settings to 192.168.55.2 and you will get access.
If the capac is easily accessible, then it is easy to attach a temp cable.
If not easily accessible, at least wire a second Ethernet cable to a location where you can reach it with your laptop…
The fact that I do not understand networking is obvious (that is why I posted in Beginner Basics) but thanks a lot for your patience and the script.
The two commands I left in your quoted code above did not work.
Anyway, I got something to work after adding a few routes and the DHCP server for the wireless clients. The Bonjour printer discovery also works, which is great.
It is still kind of slow and unstable so I guess I will have to dig a bit deeper but thanks for providing a very good start.
Thanks for asking. Here it is.
It works but is horribly slow
Note that ether1 (whose MAC is known to the main server) receives a DHCP address from the main network. The DHCP server is on X.X.10.75 and does NAT as required for the lab laptops, which are known and trusted on the wired network.
Any advice would be more than welcome.
Cheers
p.
/interface bridge
add name=bridgecap
/interface ethernet
set [ find default-name=ether2 ] name=OffBridge2
/interface list
add comment=lab name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes management-protection=\
allowed mode=dynamic-keys name=lab_Security supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] ampdu-priorities=0,1,2,3,4,5 band=2ghz-g/n \
basic-rates-b="" comment=lab country=france disabled=no distance=indoors \
frequency=2437 guard-interval=long installation=indoor mode=ap-bridge \
name=labWLan2 rate-set=configured security-profile=lab_Security \
skip-dfs-channels=all ssid=pw2 supported-rates-b=11Mbps \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] ampdu-priorities=0,1,2,3,4,5 band=5ghz-a/n/ac \
channel-width=20/40mhz-eC comment=lab country=france disabled=no \
distance=indoors frequency=5320 guard-interval=long installation=indoor \
mode=ap-bridge name=labWLan5 security-profile=lab_Security \
skip-dfs-channels=all ssid=pw wireless-protocol=802.11 wmm-support=\
enabled wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=labpool ranges=X.X.10.186-X.X.10.189
/ip dhcp-server
add address-pool=labpool interface=bridgecap name=lab
/interface bridge port
add bridge=bridgecap comment=lab interface=labWLan2
add bridge=bridgecap comment=lab interface=labWLan5
add bridge=bridgecap interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=lab interface=ether1 list=TRUSTED
add comment=lab interface=bridgecap list=TRUSTED
add comment=lab interface=OffBridge2 list=TRUSTED
/ip address
add address=X.X.10.185/24 interface=bridgecap network=X.X.10.0
add address=192.168.55.1/30 interface=OffBridge2 network=192.168.55.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
/ip dhcp-server network
add address=X.X.10.0/24 comment=lab dns-server=X.X.10.1 domain=\
xxxxx gateway=X.X.10.254
/ip dns
set allow-remote-requests=yes servers=X.X.10.1
/ip route
add dst-address=0.0.0.0/0 gateway=X.X.10.254 routing-table=main
add dst-address=0.0.0.0/0 gateway=X.X.10.254 routing-table=main
/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
Firstly: I assumed you had a capAC, but it would appear you have a cAP only. Please confirm!!!
It only has one port, and that is a 10/100 port.
In addition, acting as a router, its throughput would actually be less than 100Mbps based on having 25 filter rules.
Secondly, if it was a capac and had more throughput, you still need to not try and stuff an MT into an Apple schema.
In other words, your realistic choices are:
a. keep the capac as an AP/switch as per the config provided (the router provides all DHCP, all devices are on the same network)
b. use the capac as a router, in which case the LAN behind the capac would be a different subnet on the network and it’s unlikely that all devices could see each other.
It would depend upon the upstream router’s capabilities to create static routes and allow traffic rules, and even then it may not work… Bonjour can be finicky across subnets.
TRUEDAT… okay, then keeping the capac as an AP/switch is the smart way to go… can’t help you if you want to make it a router… the only reason to use it as a router is if you needed separate subnets, and most likely VLANs, to go out the WiFi.
This is what I have
RouterBoard cAP AC
CPU: IPQ-4018 - 716 MHz, 4 cores
Memory: RAM 128MB, Flash: 16MB
Ethernet: 2x 10/100/1000 Mbit/s Fast Ethernet ports
OS: MikroTik RouterOS, Level4 license
1- When configured as a router with the usual subnet 192.168…, we lose some access to the rest of the network and, most importantly, all access to Bonjour printers, so that in particular people with phones or tablets can’t print. Very frustrating.
2- When used as a switch, the main router of the lab refuses to give DHCP addresses to guests as their MAC addresses are not recognized. The net being administered by fellow physicist colleagues, we cannot pester them each time to alter their tables of recognized MACs.
3- ??? What’s the solution to avoid this conundrum, which the old AirPort base station handled gracefully? And what is suboptimal in my present configuration, built on your precious advice?
Again thanks a lot for your time, thoughts and kind help
p.
I can’t tell from the absence of the setting whether you tried my advice up-thread to enable the mDNS repeater and had it fail, or did not try at all. It’s a single-line addition to your configuration:
/ip/dns/set mdns-repeat-ifaces=ether1,bridgecap
I was forced to guess on the proper interface names since your posted config is not for this #1 setup, but for #2 or #3, to use your list’s numbering. Adjust to suit.
Another thing not clear from your posted config is that when you have multiple DHCP servers on a single subnet, you need to arrange for them to not conflict. You can do that with a combination of firewall rules, use of RouterOS’s DHCP snooping feature, and setting up non-overlapping address pools. As you have it now, your server and the other will fight.
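An added example (not from the thread and not any poster's own export) of the DHCP snooping and non-overlapping pool arrangement described above, using the bridge, port and pool names from the posted config; it assumes the upstream lab server's range excludes X.X.10.186-189, which the thread does not state.

```routeros
# Added example: two DHCP servers on one /24 without them fighting.
# Assumes bridgecap, ether1, labWLan2, labWLan5 and labpool as in the
# posted config, and that the upstream server never hands out .186-.189.

# 1. DHCP snooping on the bridge: DHCP server replies (OFFER/ACK) are only
#    forwarded from ports marked trusted, so a rogue or accidental DHCP
#    server on the wireless side cannot hand leases to other clients.
/interface bridge
set [ find name=bridgecap ] dhcp-snooping=yes add-dhcp-option82=no

# 2. Only the uplink to the lab router may carry server replies; the
#    wireless ports stay untrusted (trusted=no is the default).
/interface bridge port
set [ find interface=ether1 ] trusted=yes
set [ find interface=labWLan2 ] trusted=no
set [ find interface=labWLan5 ] trusted=no

# 3. The cAP's own pool must not overlap the upstream server's range,
#    otherwise the same address can be leased twice on the subnet.
/ip pool
set [ find name=labpool ] ranges=X.X.10.186-X.X.10.189

# 4. Checks: confirm snooping and the trusted flag, then watch which
#    leases the cAP actually hands out and the MAC/IP the bridge learned.
/interface bridge print where name=bridgecap
/interface bridge port print detail where interface=ether1
/ip dhcp-server lease print
/interface bridge host print where interface=ether1
```

The cAP's own DHCP server runs on the bridge interface itself, so its replies are not received on an untrusted port and are not dropped by snooping; the last post in this thread reports this combination working.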
If I understand correctly, I should try this after a Quick Setup with the usual subnet for WiFi and eth1 having its DHCP address from the main network, right? And that could solve the printers problem. I will try that.
I kept the configuration that I had posted but took the advice of tangent regarding the DHCP conflicts.
So the only modification was to tick the 2 boxes regarding DHCP Snooping in the Bridge configuration.
Now it seems to work like a charm !
Fast, and no more alerts from the main server about MAC addresses fast-switching their associated IP addresses.
Thanks a lot to both of you for all the precious advice and for your patience with an ignoramus.
p.