I read a lot of threads in this forum and was hoping one would cover my setup… but the topics I found always involved different MikroTik hardware (not SXTs), so I have difficulty adapting the solutions to my situation.
I configured two SXTs as a transparent bridge successfully with the help of the wiki. But now I need to implement this scenario, where the clients in the two subnets should be separated from each other but share the internet access.
The Fritz!Box cable modem/wifi/router thing does NAT and handles the internet access.
The Time Capsule is a switch and wifi access point. NAT can be disabled here. It should serve as DHCP server, but could be disabled (when “bridge” mode is selected; the SXT1 could serve as DHCP server then?)
For the 192.168.1.0/24 network, what do I set as default gateway? The TC? SXT1? SXT2? Fritz!Box?
I guess in SXT2 I have to remove the bridge between wlan and eth, and assign different IPs from the respective networks? But then… do I need routes, or firewall rules, or masquerading or a combination of it?
Hi.
You can set up masquerade on SXT2.
eth1 port: add an IP in the 192.168.178.0/24 range; wlan1: add an IP in the 192.168.1.0/24 range (i.e. 192.168.1.6).
On SXT2 set the default gateway to 192.168.178.1 (Fritz!); you can set up DHCP here if you like.
Then on all hosts in the 192.168.1.0/24 network the gateway is SXT2 (the wlan1 address).
You do not need any routing except a static route in MikroTik IP → Route.
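The setup described in the reply above, written out as RouterOS CLI commands. This is an added example, not configuration posted in the thread: the 192.168.178.6 address for eth1, the DHCP pool range and the interface names eth1/wlan1 (as used in the thread; stock SXTs usually call the port ether1) are assumptions, and the 192.168.178.1 gateway and 192.168.1.6 wlan1 address are the ones the thread names.

```routeros
# Added example (not from the thread): SXT2 as a NAT router between the
# Fritz!Box LAN (192.168.178.0/24 on eth1) and the wireless-side LAN
# (192.168.1.0/24 on wlan1), after the wlan1/eth1 bridge has been removed.
# 192.168.178.6, the pool range and the interface names are assumptions.

/ip address
add address=192.168.178.6/24 interface=eth1 comment="towards Fritz!Box"
add address=192.168.1.6/24 interface=wlan1 comment="wireless-side LAN"

# The only static route SXT2 needs: default route via the Fritz!Box.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.178.1 comment="default via Fritz!Box"

# Hide 192.168.1.0/24 behind SXT2's eth1 address; matching on out-interface
# (not on a fixed src/dst address) keeps the rule valid if addresses change.
/ip firewall nat
add chain=srcnat out-interface=eth1 action=masquerade comment="NAT 192.168.1.0/24 towards Fritz!Box"

# Optional: let SXT2 hand out addresses on the wireless side, so the
# Time Capsule's DHCP server can stay off. Clients get SXT2 as gateway.
/ip pool
add name=lan-pool ranges=192.168.1.100-192.168.1.200

/ip dhcp-server
add name=lan-dhcp interface=wlan1 address-pool=lan-pool disabled=no

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.6 dns-server=192.168.1.6 comment="gateway and DNS = SXT2"
```

Clients in 192.168.1.0/24 reach the 192.168.178.0/24 side only through the masquerade rule, i.e. they see the Fritz!Box LAN but the Fritz!Box LAN cannot initiate connections to them, which is the separation the original post asks for. The `dns-server=192.168.1.6` line only works if SXT2 actually resolves for its LAN, which is a separate DNS setting on the router.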
The setup is now a bit different since we got a separate cable modem instead of sharing the existing Fritz!Box. This is how it looks now:
I had to remove the bridge in SXT2. On SXT2 the DHCP client is enabled on eth1 and gets a public IP from the Arris cable modem (this is really a modem, no NAT etc.). A route 0.0.0.0/0 to this public address is added automagically.
And the srcnat masquerade nat rule is set.
The Time Capsule is set to bridge mode and basically acts as a switch and wifi access point now.
Default gateway for the clients is 192.168.1.6 and this works so far.
But I still have some issues, for example configuring port forwarding on SXT2 to clients in the 192.168.1.0/24 network. It works for the Arris' status page (which is accessible under a fixed IP, 192.168.100.1), but forwards across the wireless link are not working.
Then I cannot reach SXT2 (192.168.1.6) from within the network by Winbox or browser, but I can ping it?! Fortunately I can reach it using Winbox on the public WAN IP.
I can run the internal bandwidth test from SXT2 to SXT1, but I cannot run it vice versa ("can't connect").
Does SXT2's management interface have to be "bound" to something? As I said, I removed the bridge… and I'm very careful now with configuring, since I'm far away and have to rely on DynDNS and TeamViewer.
EDIT: I enabled the DNS server on SXT2 and it's providing IP addresses, but I had to use a public DNS server address. If I set the DNS server to 192.168.1.6, the clients cannot resolve host names. Under IP → DNS a public DNS server is set (8.8.4.4) as well as two dynamic servers from the internet provider. But SXT2 does not resolve or forward it. These kinds of problems drive me crazy…
SXTs come with some default configuration (I think NAT masquerade, wlan1 in client mode, default gateway on eth1, some IP setup…). When setting up a network I always discard such settings and do it "my way".
Sometimes the default configuration is helpful to users with less RouterOS knowledge.
So, did you enable the "allow remote requests" option in the DNS settings of SXT2?
That might be the issue with resolving domain names.
Furthermore, SXT2 is a router doing NAT between the public network and your home network. Therefore you must set up port forwarding.
Can you export the exact configuration of both SXTs: ip firewall, nat, wireless…
This is a very simple network scenario; it should be configured easily.
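The two points raised in the reply above (the DNS "allow remote requests" setting and a dst-nat port forward), written out as RouterOS commands for the later setup in which SXT2's eth1 gets a public address by DHCP from the Arris modem. This is an added example, not configuration from the thread: the internal host 192.168.1.10, the 8080 → 80 port mapping and the interface names eth1/wlan1 are assumptions; 8.8.4.4 is the upstream DNS server the thread mentions.

```routeros
# Added example (not from the thread). SXT2's eth1 is the WAN side (public
# address via DHCP client, see the thread), wlan1 is the 192.168.1.0/24 side.
# 192.168.1.10 and the 8080->80 mapping are assumptions for illustration.

# 1. Let SXT2 answer DNS for the LAN. Without allow-remote-requests the
#    router resolves only for itself, which is why clients pointed at
#    192.168.1.6 get no answers while a public resolver works.
/ip dns
set allow-remote-requests=yes servers=8.8.4.4

# 2. allow-remote-requests applies to every interface, so restrict it:
#    accept DNS from the LAN, drop it on the public side. An open resolver
#    on a public IP gets used for amplification attacks within hours.
#    These rules are appended; move them above any existing generic
#    "drop" rule in the input chain or they never match.
/ip firewall filter
add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=accept comment="LAN may use SXT2 as resolver"
add chain=input in-interface=wlan1 protocol=tcp dst-port=53 action=accept comment="LAN may use SXT2 as resolver (TCP)"
add chain=input in-interface=eth1 protocol=udp dst-port=53 action=drop comment="no DNS service on the WAN side"
add chain=input in-interface=eth1 protocol=tcp dst-port=53 action=drop comment="no DNS service on the WAN side (TCP)"

# 3. Port forward: public TCP/8080 on eth1 -> 192.168.1.10:80 across the
#    wireless link. Matching on in-interface instead of dst-address keeps
#    the rule correct when the DHCP-assigned public address changes.
/ip firewall nat
add chain=dstnat in-interface=eth1 protocol=tcp dst-port=8080 action=dst-nat to-addresses=192.168.1.10 to-ports=80 comment="example forward to LAN host"

# 4. dst-nat only rewrites the destination; the forward chain must still
#    let the translated connection through. Accept only what was dst-natted
#    rather than opening the forward chain from the WAN in general.
/ip firewall filter
add chain=forward in-interface=eth1 connection-nat-state=dstnat connection-state=new action=accept comment="allow dst-natted connections from WAN"
```

Two checks worth doing after applying this: `/ip firewall nat print stats` shows whether the dstnat rule's packet counter increases when the public port is hit (if it stays at zero the traffic never reaches SXT2, e.g. the modem or the client's own firewall is in the way), and `/ip firewall filter print stats` shows whether the forward rule passes it on. The internal host must also have 192.168.1.6 as its default gateway, otherwise its replies leave via another path and the connection never completes.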
The changed SSH port (from 22 to 1622): could that cause the problem with the bandwidth test still not working from SXT1 to SXT2 (though it works vice versa)?
The firewall filter rules on SXT1 are not necessary, right?
The DNS server on SXT2 is set to allow-remote-requests=yes, but DNS resolution doesn’t work from SXT1. When I set the DNS server to Google DNS instead of SXT2, it works immediately.