Help - virtual access point

Hi all
I am in need of a little help.
I have a wAP routerboard, the first of a few if we can get this working.
It is successfully set up to provide a guest hotspot using the ‘Hotspotsystem’ service, that all works fine, and access the internet via our router on 192.168.20.250. The hotspot system allocates all addresses correctly.
I want to set up private access to our lan, there are 2 domain controllers providing DHCP / DNS and the router to broadband services.
I have set up a virtual access point and bridge, then set up DHCP relay for these.
I can connect to the new SSID for the local network and pick up an IP address and DNS server addresses from the DHCP server, there is however no access to the local network on 192.168.20.x or to the internet.
I am struggling!
Any ideas welcome

Of course when you do this, you have to add the network to your DHCP server as well, with the proper gateway IP.
Check on a connected client what it got from DHCP and if this is all correct (address, netmask, gateway, DNS servers).
Also the routing must be correct at both ends.

When you actually bridge to a local network with the routing functionality already in place, you should not even configure
a DHCP relay. The DHCP will be handled by the existing server on the network.

Without the dhcp relay no ip address or dns / gateway are allocated as there is no server or address pool for the bridge to the local lan.
The hotspot dhcp address pool works fine for the bridge allocated to the hotspot.
When the dhcp relay is put in place for the local ap/bridge then the correct address is allocated for the local lan and the dns/gateway/mask are all as would be expected for a wired connection to the lan. What is not working is actual access to the lan and the gateway.

Please provide a network drawing and an export of your configuration.

==============================================================

# jan/03/2018 13:21:28 by RouterOS 6.41
# software id = PMSH-4WNU
#
# model = RouterBOARD wAP 2nD r2
# serial number = 676B05C78B43

/interface bridge
add name=HS_bridge
add name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n default-forwarding=no \
    disabled=no mode=ap-bridge ssid=HotspotSystem.com_A
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
/interface wireless
add disabled=no mac-address=E6:8D:8C:48:AD:0E master-interface=wlan1 name=\
    local ssid=local wds-default-bridge=bridge-local wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
add hotspot-address=10.5.50.1 html-directory=flash/hotspot login-by=\
    http-chap,https,http-pap name=hsprof1 use-radius=yes
/ip hotspot user profile
set [ find default=yes ] shared-users=5
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=hs-pool-3 ranges=10.5.48.1-10.5.63.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
add address-pool=hs-pool-3 disabled=no interface=HS_bridge lease-time=1h \
    name=dhcp1
/ip hotspot
add address-pool=hs-pool-3 disabled=no interface=HS_bridge name=hotspot1 \
    profile=hsprof1
/interface bridge port
add bridge=HS_bridge interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes \
    interface=bridge-local network=192.168.88.0
add address=10.5.50.1/20 comment="HotspotSystem network" interface=HS_bridge \
    network=10.5.48.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-relay
add dhcp-server=192.168.20.3 interface=local local-address=192.168.20.60 \
    name=relay1
/ip dhcp-server network
add address=10.5.48.0/20 comment="hotspot network" gateway=10.5.50.1
add address=192.168.88.0/24 comment="default configuration" gateway=\
    192.168.88.1
/ip dns static
add address=192.168.88.1 name=router
add address=8.8.8.8 name=Google1
add address=8.8.4.4 name=Google2
/ip firewall filter
add action=accept chain=input comment="Allow WinBox from WAN" dst-port=8291 \
    protocol=tcp
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    out-interface=ether1-gateway src-address=10.5.48.0/20
add action=masquerade chain=srcnat out-interface=bridge-local src-address=\
    192.168.20.0/24
/ip hotspot user
add name=admin
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=*.hotspotsystem.com
add dst-host=*.worldpay.com
add dst-host=*.paypal.com
add dst-host=*.paypalobjects.com
add dst-host=*.paypal-metrics.com
add dst-host=*.altfarm.mediaplex.com
add dst-host=*.akamaiedge.net
add dst-host=paypal.112.2O7.net
add dst-host=*.moneybookers.com
add dst-host=*.adyen.com
add dst-host=*.directebanking.com
add dst-host=*.paysafecard.com
add dst-host=betalen.rabobank.nl
add dst-host=*.ing.nl
add dst-host=ideal.abnamro.nl
add dst-host=*.triodos.nl
add dst-host=*.asnbank.nl
add dst-host=*.knab.nl
add dst-host=*.regiobank.nl
add dst-host=*.snsbank.nl
add dst-host=api.mailgun.net
add dst-host=*.facebook.com
add dst-host=*.facebook.net
add dst-host=*.fbcdn.net
add dst-host=*.licdn.net
add dst-host=*.licdn.com
add dst-host=*.akamaihd.net
add dst-host=*.akamai.net
add dst-host=*.akamaiedge.net
add dst-host=*.cloudfront.com
add dst-host=*.twimg.com
add dst-host=api.twitter.com
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=194.149.46.0/24
add action=accept disabled=no dst-address=198.241.128.0/17
add action=accept disabled=no dst-address=66.211.128.0/17
add action=accept disabled=no dst-address=216.113.128.0/17
add action=accept disabled=no dst-address=70.42.128.0/17
add action=accept disabled=no dst-address=128.242.125.0/24
add action=accept disabled=no dst-address=216.52.17.0/24
add action=accept disabled=no dst-address=62.249.232.74
add action=accept disabled=no dst-address=155.136.68.77
add action=accept disabled=no dst-address=66.4.128.0/17
add action=accept disabled=no dst-address=66.211.128.0/17
add action=accept disabled=no dst-address=66.235.128.0/17
add action=accept disabled=no dst-address=88.221.136.146
add action=accept disabled=no dst-address=195.228.254.149
add action=accept disabled=no dst-address=195.228.254.152
add action=accept disabled=no dst-address=203.211.140.157
add action=accept disabled=no dst-address=203.211.150.204
add action=accept disabled=no dst-address=82.199.90.136/29
add action=accept disabled=no dst-address=82.199.90.160/27
add action=accept disabled=no dst-address=91.212.42.0/24
/radius
add address=195.228.75.174 secret=hotsys123 service=hotspot timeout=3s
add address=85.25.150.36 secret=hotsys123 service=hotspot timeout=3s
/system clock
set time-zone-autodetect=no
/system identity
set name=exmoorforestinn_1
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org
/system scheduler
add interval=1h name=up on-event="/tool fetch keep-result=no mode=http address\
    =tech.hotspotsystem.com host=tech.hotspotsystem.com src-path=("up.php\?\
    mac=".[/interface ethernet get 0 mac-address]."&nasid=".[/system identi\
    ty get name]."&os_date=Mikrotik&uptime=".[/system clock get time]."%20u\
    p%20".[/system resource get uptime].",%20load%20average:%20".[/system r\
    esource get cpu-load]."%")" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    jan/01/1970 start-time=01:01:00

I don’t see your network drawing. And there is no virtual access point. Is this the current config that you are working on to get the virtual access point connected?
Is the LAN connected to ether2?
You need to create the virtual access point, and put it in a bridge together with the ethernet port connected to the LAN.
Then it should get an IP address from the existing DHCP server.
Of course do NOT put it in the same bridge with the hotspot and/or the ether1 port. That would make your hotspot users connected to the LAN.

Edit: I see it is a device with only one ethernet port so you need to use a VLAN for that.

Hi
Thanks
Can't see a way to attach a diagram, however from the config uploaded:

add disabled=no mac-address=E6:8D:8C:48:AD:0E master-interface=wlan1 name=\
    local ssid=local wds-default-bridge=bridge-local wps-mode=disabled

that is the virtual access point connected to a bridge called bridge-local, the DHCP relay points to that.

I can see the SSID in a wireless device picks up the correct IP address, if I connect to the hotspot SSID on the other access point then I get the IP address from the pool and connect to the hotspot software, what appears to be missing is access to the lan when I get the correct local lan IP.

You do not have any ports in the bridge-local! The wireless interface and the port towards the LAN should be in there.
And you should not have the DHCP relay.
I think it is unwise to connect the hotspot and the local users to the same network, but that is your decision.
A proper solution would use a separate network for guests.
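The checks made by hand in the replies above (a bridge with no member ports, a DHCP relay on an interface that sits in no bridge, and guest hotspot traffic sharing a bridge with the LAN port) can be run against an export automatically. This is an added example, not part of the thread or of RouterOS; the sample export is constructed and abridged from the posted config, and the `lan_ports` parameter is a hypothetical name for the LAN-facing interface(s).

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the export in the thread, continuation kept.
SAMPLE_EXPORT = r"""
/interface bridge
add name=HS_bridge
add name=bridge-local
/interface wireless
add disabled=no master-interface=wlan1 name=\
    local ssid=local wds-default-bridge=bridge-local
/ip hotspot
add address-pool=hs-pool-3 interface=HS_bridge name=hotspot1
/interface bridge port
add bridge=HS_bridge interface=wlan1
/ip dhcp-relay
add dhcp-server=192.168.20.3 interface=local name=relay1
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for every 'add' line."""
    text = re.sub(r"\\\n\s*", "", text)  # join RouterOS '\' line continuations
    menus, path = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            menus[path].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)))
    return menus

def audit(text, lan_ports=("ether1-gateway",)):
    # lan_ports is an assumption: the interface(s) wired to the private LAN.
    menus = parse_export(text)
    members = defaultdict(set)  # bridge name -> member interfaces
    for p in menus["/interface bridge port"]:
        members[p["bridge"]].add(p["interface"])
    findings = []
    for b in menus["/interface bridge"]:
        if not members[b["name"]]:
            findings.append(f"bridge {b['name']} has no ports")
    for r in menus["/ip dhcp-relay"]:
        if not any(r["interface"] in m for m in members.values()):
            findings.append(f"dhcp-relay {r['name']} is on interface {r['interface']}, which is in no bridge")
    for h in menus["/ip hotspot"]:
        shared = members[h["interface"]] & set(lan_ports)
        if shared:
            findings.append(f"hotspot bridge {h['interface']} includes LAN port {sorted(shared)[0]}")
    return findings
```

On the sample, `audit(SAMPLE_EXPORT)` reports the empty `bridge-local` and the unbridged relay interface, the two problems identified in the last reply.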