hAP lite (not mAP lite), wlan1 as ap bridge, Virtual device in station--why working!?

Hi,

I’ve read that you cannot configure an mAP lite to use ap bridge mode (on wlan_main/atheros ar9300) and have a virtual device running in station mode (i.e. client mode).
But that is what is running here now on my mAP lite.

First issue I see is the small bandwidth. Although the connection is reported by RouterOS as 110 MBit, a single client cannot get more than 8 MBit.

/interface wireless monitor clientwlan
                 status: connected-to-ess
      wireless-protocol: 802.11
                tx-rate: 115.5Mbps-20MHz/2S/SGI
                rx-rate: 104Mbps-20MHz/2S
                   ssid: mainAP
                  bssid: 38:14:83:62:26:40
        signal-strength: -63dBm
    signal-strength-ch0: -70dBm
    signal-strength-ch1: -63dBm
        signal-to-noise: 50dB
                 tx-ccq: 87%
           p-throughput: 90067
  authenticated-clients: 1
    802.1x-port-enabled: yes
    authentication-type: wpa2-psk
             encryption: aes-ccm
       group-encryption: tkip
  management-protection: no
            wmm-enabled: yes
    notify-external-fdb: no

Second issue, I’m not sure it has really to do with the setup. I have to use NAT masquerade when I want to access the subnet 192.168.8.0/24 (the subnet of the main AP). Internet access does work without NAT, the mAP lite and the main AP have static routes to reach their respective subnets. Although I cannot access devices on 192.168.8.0/24 using TCP, I can ping all devices without NAT activated. Couldn’t find an explanation through forum and web search.

Despite that I’m curious why ap bridge and station mode run simultaneously.
Or is it just not good practice? Security issues?

Thanks & best!

You’re using one radio for two purposes at the same time, you can’t expect miracles. But I can’t really say if 8Mbit is too slow or not.

About the other problem, that will require sharing a little more info about your config. But if ping works, routing should be ok. Perhaps some firewall rules affecting only tcp…

Hi sob,

Thanks for your thoughts.
So, is it “normal” to use one radio for two different purposes at the same time? I don’t complain about the speed, just wondering how mAP lite’s info is so far away from reality. :slight_smile:

In regards to the routing problem, I thought about firewall problems but I had it deactivated completely on the mAP lite. The other device (see the other thread), a Fritz!Box 7430 can’t be configured in detail. Unfortunately, the manufacturer’s support was neither helpful nor polite. When connecting to the mainAP through cable, no NAT masquerading is required and all is working as expected. In addition I used a second mAP lite to test my routing config and there was all working fine. So, I think the problem lies in the internal routing of the mainAP through WLAN.
Anyhow, what config prints could help shed light on a possible misconfiguration I made in the mAP lite?

Thanks & best!

It’s not normal (disclaimer: that’s just an opinion, not a fact). Poor wireless has enough worries even when doing just one thing. It’s half-duplex by nature, prone to interference and all kind of problems with signals, … And you want it to do two things? :slight_smile:

The routing problem, I checked the other thread, and isn’t your mAP lite a little strange? I mean, ether2, where did that come from? mAP lite has only one ethernet port. Did you mean wlan1? So it works when you connect to main router using ethernet and 192.168.88.x clients are on wireless, but it does not work the other way around? That sounds unlikely. Did I misunderstand something?

If you want to share your config, you can’t go wrong with “/export hide-sensitive”.

Dear sob,

Thanks for getting back to me. You are right, mAP lite is not what I use. Sorry for misspelling. I’ve https://routerboard.com/RB941-2nD-TC, hAP lite.
Here are all(?) the relevant parts of my config, stripped of all disabled entries:

/ip pool
add name=pool_secure ranges=192.168.88.100-192.168.88.200
add name=pool_wlan ranges=192.168.87.100-192.168.87.190

/ip address
add address=192.168.88.1/24 interface=secure network=192.168.88.0
add address=192.168.87.1/24 interface=wlan_main network=192.168.87.0

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=client2fritzbox
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=insecure

/ip dhcp-client print
 #   INTERFACE                    USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS        ADDRESS           
 0   client2fritzbox                  yes          yes               bound         192.168.8.112/24  
 1   insecure                          yes          yes               searching... 

/ip dhcp-server
add address-pool=pool_secure disabled=no interface=secure lease-time=1d name=dhcp_secure
add address-pool=pool_wlan disabled=no interface=wlan_main name=dhcp_wlan

/ip dhcp-server network
add address=192.168.87.0/24 dns-server=192.168.88.1 gateway=192.168.87.1 netmask=24
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
		
/ip route print 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.8.1               1
 2 ADC  192.168.8.0/24     192.168.8.112   client2fritzbox           0
 4 ADC  192.168.87.0/24    192.168.87.1    wlan_main                 0
 5 ADC  192.168.88.0/24    192.168.88.1    secure                    0

 

/ip firewall nat
add action=masquerade chain=srcnat comment="why is this needed anyway\?" \
    dst-address=192.168.8.0/24 out-interface=client2fritzbox

All firewall rules are disabled. If I disable the nat/masquerading-rule I cannot access clients in the 192.168.8.0/24 subnet despite the FritzBox router itself. Traceroute to the client tested shows

/tool traceroute  address=192.168.8.100 
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS                                                  
 1 192.168.8.100                      0%    7   4.1ms     4.9     2.2    13.1     3.5

so ICMP is working (nat does not touch that of course).

And hAP lite as WiFi-client is running better than expected.

Would be great if you have an idea.
Best!

Are you sure about your routes? Does your main router really have (in RouterOS syntax):

/ip route
add dst-address=192.168.87.0/24 gateway=192.168.8.112
add dst-address=192.168.88.0/24 gateway=192.168.8.112

Hi Sob,

Yes I’m sure. The Fritz!Box router does exactly have these two static routes. I contacted the Fritz!Box support but their answer was “your configuration fault, our devices work” (simplified). Due to the fact that I had successfully configured two hAP lite to use static routes to route the traffic between their different subnets, I was confident I could configure in the Fritz!Box.

Thanks & best!

Well, maybe I missed or misunderstood something. So the difference is between device connected using ethernet (works ok) and the same device connected using wireless (does not work ok), right? How exactly are your interfaces configured (bridged together, etc..)? Maybe post the whole config…

Yes, you did understand the problem. This should be the rest of the related config:

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=germany disabled=no distance=indoors frequency=2472 frequency-mode=regulatory-domain mode=ap-bridge name=wlan_main ssid="Client AP" wireless-protocol=802.11 wps-mode=\
    disabled
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full name=insecure
set [ find default-name=ether2 ] name=secure
set [ find default-name=ether3 ] master-port=secure
set [ find default-name=ether4 ] master-port=secure
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=mainap supplicant-identity="" unicast-ciphers=tkip,aes-ccm
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6C:10:E2:02 master-interface=wlan_main multicast-buffering=disabled name=client2fritzbox security-profile=mainap ssid="mainAP" wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

Stripped the disabled entries. I have no bridges.

Thanks & best
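
The export above permits WPA1 and TKIP alongside WPA2/AES, which matches the `group-encryption: tkip` shown in the earlier monitor output. The following is an added example, not part of any forum post: it parses the security-profiles section of a RouterOS export and reports such settings. The function names are hypothetical; the sample lines are copied from the export above.

```python
import re
import shlex

# Sample input: the security-profile lines copied from the export posted above.
EXPORT = r'''/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=mainap supplicant-identity="" unicast-ciphers=tkip,aes-ccm
'''

def parse_profiles(export):
    """Return {profile name: {param: value}} from the security-profiles section."""
    text = re.sub(r"\\\n\s*", "", export)  # join export line continuations
    profiles, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/interface wireless security-profiles"
            continue
        if not in_section or not line:
            continue
        is_default = "[ find default=yes ]" in line
        line = re.sub(r"\[.*?\]", "", line)  # drop the [ find ... ] selector
        tokens = shlex.split(line)[1:]       # skip the leading set/add verb
        params = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        profiles["default" if is_default else params.get("name", "?")] = params
    return profiles

def audit(profiles):
    """Return (profile, finding) pairs; only parameters present in the export are judged."""
    findings = []
    for name, p in profiles.items():
        if "wpa-psk" in p.get("authentication-types", "").split(","):
            findings.append((name, "authentication-types allows WPA1 (wpa-psk)"))
        for key in ("unicast-ciphers", "group-ciphers"):
            if "tkip" in p.get(key, "").split(","):
                findings.append((name, f"{key} allows TKIP"))
        if "management-protection" in p and p["management-protection"] != "required":
            findings.append((name, "management frame protection not enforced"))
    return findings

if __name__ == "__main__":
    for profile, finding in audit(parse_profiles(EXPORT)):
        print(f"{profile}: {finding}")
```

Parameters left at their defaults do not appear in an export, so a missing key is not reported either way.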

Hmm. Looking at everything again, if internet access works without NAT, then routes from Fritz!Box must be ok. Difference between internet and .8 network is that if devices in this subnet do not have specific route to .87 and .88 subnets, packets from them will first come to Fritz!Box and then “bounce back” to hAP. But if it works with ethernet, then it should also work with wifi. It’s still one subnet, so most likely it’s just a simple bridge on Fritz!Box and it shouldn’t make a difference where client is connected (except that you need to adjust gateway for static routes, because most likely hAP gets different address depending on how it connects). Another thing, you wrote that ping works also with wifi, right? So the problem is only with wifi and tcp. That’s really strange.

You mentioned another hAP. Can you use it to simulate exactly what Fritz!Box should be doing? Bridge ethernets and wifi together, add 192.168.88.1/24 on bridge, together with DHCP server. Then connect some device for testing, your first hAP as client, add static routes and see if everything works with both ethernet and wifi connection. I don’t have any better idea.

Thank you for taking the time and looking at the config. I really appreciate it!
I take it that there is no obvious configuration mistake in the hAP lite–which is good because, now, I plan to discard the Fritz!Box. It’s troubling me in more ways than already described, e.g. forgetting forwarded ports, assigning the same IP to different devices, WiFi instability.
The second hAP lite is running on a different site now. Hence, I cannot simulate the configuration of the Fritz!Box as you suggested :frowning:

I think I’m “stuck” here and will not find the origin of the problem. Luckily, it’s no major issue and the two hAP lite work great. :slight_smile:

So, thank you very much for your help & best!

Final update on the matter.
I’m using a different router-modem now to handle the DSL connection. I set proper static routes for the MikroTik secured LAN. And I kept my MikroTik configuration but disabled the masquerading. As expected, all is working well now.
The Fritz!Box will be disposed :slight_smile:

Best