Hi Everyone,
I am new to this forum and to the world of Mikrotik/RouterOS, I think what I am trying to do should be simple but I have been going against a brick wall for the last 48h! Hopefully someone here could help me.
Basically, I have the following setup:
INTERNET → Mikrotik 2011UiAS-2HnD (WISP AP mode) → ASUS AC87U (Router Mode) → Wireless clients
Everything works, but I when I remove NAT on the ASUS AC87U then the internet stops working.
I have tried adding static routes on the Mikrotik router but nothing worked.
Can someone please look at the details below and help me?
So here are the details.
First, this is just a home network, but I am configuring it as a lab to practise network security.
My main goal is to be able to mirror ALL traffic from my local network (wired and wireless) so I can inspect it on a linux box running Security Onion (IDS). The most important part is the ability to see individual and local IP addresses… hence why I must find a way to get this working without NAT.
The Mikrotik is on firmware 3.19, running RouterOS 6.22, the model is: 2011UiAS-2HnD
Its quick setup is WISP AP
It is setup with PPPoE
Local IP is 192.168.1.254
DHCP is running and NAT is enabled
I have setup in the Mikrotik SWITCH option:
Switch1 port mirroring from Ether2 to Ether5
On Ether2, I have the ASUS AC87 connected
On Ether5 I have my linux box running an IDS, I am also using Etherape to quickly troubleshoot and visualise the local IP addresses I am monitoring.
The ASUS AC87 is configured as a Router with the following settings:
Its WAN IP is 192.168.1.1 and is connected to the Mikrotik Ether2 port
Its local IP is 192.168.2.1 and it has DHCP running.
Wireless clients connect to the ASUS AC87 and gets local IP 192.168.2.X
- If I enable NAT on the ASUS AC87 WAN:
- Everything works well - meaning Internet
- But on my IDS I can only see local traffic going from/to 1 IP address… 192.168.1.1, the WAN IP address of the ASUS AC87.
- If I disable NAT on the ASUS AC87 WAN:
- Internet does not work anymore
- BUT I can now see the local IP addresses from the 192.168.2.0 network.
Sure, I could just put the ASUS in bridge mode, that way NAT is disabled and I get to see all the local IP addresses from my wireless clients…
But putting the ASUS AC87 in Bridge mode removes a lot of functionality I want: graphical QOS, Further Firewall settings, Guest Wireless AP, etc.
When I hit that problem I thought…. of course, the issue is that my wireless clients connecting to the ASUS then to the Mikrotik do go out on the internet (I can see it from Etherape on my linux box) but the response coming back is blocked at the Mikrotik router… as that router does not know how to route 192.168.2.X addresses…
So I tried to add that route manually in Mikrotik:
IP → Addresses
Added 192.168.2.1/24, network 192.168.2.0, interface ether2
This automatically added the following in IP->Routes
DAC, dat address 192.168.2.0/24, gateway bridge-local reachable, pref source 192.168.2.1
However, this still does not work.
Am I missing a step on the Mikrotik router configuration?
Is there something else I need to do on the ASUS?
If anyone has any ideas I would be grateful!
Thanks!
Svain.
