help for the newbie - Virtual AP

Hi all,

We have recently bought an RB 951-2n to get to know Mikrotik. We are not wifi experts, nor Linux ones, but we want to try out new things.

After a bit of struggle we have been able to set up the RB951 as an access point and also enable MAC filtering for security.

For added security we would like to use Virtual AP - meaning another SSID with a password and a different IP address pool, especially for visitors (so that they don't use our internal IP addresses).

Unfortunately we have not been able to configure it.

Can anyone please post procedure in steps on how to correctly configure such thing (or point us to some relevant article about it)?


Thank you

Lubo

It is very simple. In Webfig (or Winbox) open the Interface menu, click “+” (or “Add”) and select “VirtualAP”. This will bring up an interface similar to Wireless settings. All you need is to enter the SSID and select frequency, security profile, and any other options you want. That is all.

Thanks, but unfortunately it is not it.

We need to have different IP addresses allocated for the Virtual AP, not the same as for the non-virtual one.

We tried to set up DHCP for the Virtual AP - we are able to connect to the Virtual AP, get new addresses (range 192.168.6.1-255) but we are unable to connect to internet
dhcp and gateway are 192.168.6.1

it seems we are not able to “translate” 192.168.6.1 to real GW and DHCP addresses. :frowning:

(just to clarify, we use mikrotik as AP (it is in AP bridge), so DHCP and GATEWAY are on main server which is connected to ISP)

No problem. The VirtualIP will be a separate interface. Go to the IP → address menu and assign a new IP there. It will work just like any separate interface. If internet is not working, make sure your SRC NAT (masquerade) rule is set up correctly. Post output of this command “/export compact”

Thank you, yes, that is probably it. We are totally lost with correct config of SRC NAT.

As for the new IP - why to do it there, when we did it in DHCP? (I checked in IP -address and the address is to be ok)

Your masquerade rule needs an “out-interface=xxx” parameter.

I am sorry, I don't follow.

Currently in firewall-nat we have

  1. srcnat
     src address 192.168.6.1
     action masquerade
  2. srcnat
     out interface - ethernet2 master local (our main server)
     action masquerade

is this correct?

I see this:
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no to-addresses=0.0.0.0
add action=accept chain=srcnat disabled=yes src-address=192.168.5.5

Neither of these rules has an out-interface specified. Second rule is disabled.

Sorry, we have changed it in the meantime… :slight_smile:

add action=masquerade chain=srcnat comment="default configuration" disabled=no to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no out-interface=ether2-master-local
add action=masquerade chain=srcnat disabled=no src-address=192.168.6.1

you only need one rule.

leave ONLY this

add action=masquerade chain=srcnat disabled=no out-interface=ether2-master-local

Thank you, after rebooting it works with both rules..:slight_smile:)

but I will do as you suggest …and it works ..:slight_smile:

oh man, THANK YOU very much, you are really a genius.

Hi again,

I guess we are just plain dumb but we have a problem with Virtual AP again.

During the weekend there was a power outage, so we had to reset all the settings on the mikrotik to default.

No problem, we set up wlan and Virtual AP, set everything as it was + set the NAT rules as you suggested.

Connection to internet is not working :frowning:

Is it OK for you to check our current settings?

here are the settings

# apr/02/2013 12:36:52 by RouterOS 5.24
# software id = GA8Y-1P15
#
/interface bridge
add admin-mac=D2:CA:6D:50:18:1B auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods=passthrough \
    management-protection=allowed mode=dynamic-keys name=Key1 \
    supplicant-identity="" wpa2-pre-shared-key=test111111
add authentication-types=wpa2-psk eap-methods=passthrough \
    management-protection=allowed mode=dynamic-keys name=Key2 \
    supplicant-identity="" wpa2-pre-shared-key=test222222
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=\
    indoors l2mtu=2290 mode=ap-bridge security-profile=Key1 ssid=A \
    wireless-protocol=any
add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes disable-running-check=no disabled=no hide-ssid=no l2mtu=2290 \
    mac-address=D8:CA:6D:50:18:1F master-interface=wlan1 max-station-count=\
    2007 mtu=1500 multicast-helper=default name=wlan2 proprietary-extensions=\
    post-2.9.25 security-profile=Key2 ssid=B update-stats-interval=disabled \
    wds-cost-range=0 wds-default-bridge=none wds-default-cost=0 \
    wds-ignore-ssid=no wds-mode=disabled wmm-support=disabled
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.10.50-192.168.10.60
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
add address-pool=dhcp_pool1 disabled=no interface=wlan2 name=dhcp1
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.15.120/24 comment="default configuration" interface=\
    bridge-local
add address=192.168.10.0/24 interface=wlan2
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway
add default-route-distance=0 disabled=no host-name=192.168.15.10 interface=\
    bridge-local
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat out-interface=ether2-master-local
/ip neighbor discovery
set ether1-gateway disabled=yes
set wlan1 disabled=yes
set wlan2 disabled=yes
/system clock
set time-zone-name=Etc/GMT+1
/system leds
set 0 interface=wlan1
/system routerboard settings
set cpu-frequency=360MHz
/tool mac-server
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
[admin@MikroTik] >

just to add a comment - wlan is working properly and we are able to connect to wlan2 (Virtual AP) - it provides us with an IP address from the desired range.
“Just” we are not able to get to internet. (again fw problem i guess).

Thanks for any suggestions

This is an invalid address. You probably meant to have it as 192.168.10.1/24.

add address=192.168.10.0/24 interface=wlan2

Thank you, typo mistake :slight_smile:

but unfortunately it did not fix the issue

still no internet connection :frowning:

ok, it seems we tracked down the problem

as we expected it was in firewall-nat

we had the wrong interface (we copied the one suggested by normis without thinking)
add action=masquerade chain=srcnat disabled=no out-interface=ether2-master-local

and our out-interface should be different - bridgelocal

now we try to reset all to default set it up again and will post if we succeed

Thnx everyone for patience with us


OK problem solved

Thank you all
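The two faults found in this thread (a network address assigned to wlan2, and a masquerade rule matching a bridge port instead of the bridge) can be caught before deployment by checking the export text. The following is an added example, not code from any poster or from MikroTik; `parse_export` and `lint` are hypothetical helper names, and the sample is constructed from the relevant lines of the export posted above.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the export posted in the thread.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.15.120/24 interface=bridge-local
add address=192.168.10.0/24 interface=wlan2
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-master-local
"""

def parse_export(text):
    """Return {menu: [{key: value}, ...]} for the 'add' lines of a RouterOS export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
        elif line.startswith("add ") and menu:
            menus[menu].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return menus

def lint(text):
    """Flag the address and NAT mistakes discussed in the thread."""
    cfg = parse_export(text)
    findings, router_ips = [], set()
    for a in cfg.get("/ip address", []):
        iface = ipaddress.ip_interface(a["address"])
        if iface.ip == iface.network.network_address:
            findings.append(f"{a['address']} on {a['interface']} is a network address, not a host address")
        else:
            router_ips.add(iface.ip)
    for n in cfg.get("/ip dhcp-server network", []):
        if "gateway" in n and ipaddress.ip_address(n["gateway"]) not in router_ips:
            findings.append(f"DHCP gateway {n['gateway']} is not assigned to any router interface")
    ports = {p["interface"]: p["bridge"] for p in cfg.get("/interface bridge port", [])}
    for r in cfg.get("/ip firewall nat", []):
        out = r.get("out-interface")
        if r.get("action") == "masquerade" and out in ports:
            findings.append(f"masquerade out-interface={out} is a port of {ports[out]}; match the bridge instead")
    return findings
```

Passing these checks only restores connectivity: because guest traffic is masqueraded onto bridge-local, keeping visitors away from internal hosts still needs forward-chain filter rules, which the posted export does not contain.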