Hi, I have one MikroTik as CAPsMAN. There are 2 SSIDs; the second is based on another bridge (let's call it bridge1), and there is a DHCP server and a NAT which is supposed to route everything from bridge1 to the default bridge. It works, but I can't see the traffic on the NAT: it looks like it does the first NAT and then the router automatically routes all packets without tracking them in the NAT chart. How is this possible? I see the traffic on bri
I need this because I would like to somehow put a limit on the NAT bandwidth.
The NAT rule works only if I choose WAN in "out interface list", but this router has no WAN; it is connected via eth2 to the main internet router and has a local LAN IP in the same domain as the other CAPs. Why?
Thanks
Can you please share your config?
/export hide-sensitive file=anynameyoulike
Thank you for the answer, sorry for the delay, I hadn't enabled the subscription here:
# aug/20/2020 23:07:05 by RouterOS 6.45.9
# software id = SA7S-N6BA
#
# model = RB941-2nD
# serial number = A1C30ABEA2ED
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=ch1
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2422 name=ch3
add band=2ghz-g/n control-channel-width=20mhz frequency=2457 name=ch10
/interface bridge
add admin-mac=74:4D:28:F4:51:61 auto-mac=no comment=defconf name=bridge
add name=bridge-public
/interface wireless
# managed by CAPsMAN
# channel: 2457/20-eC/gn(20dBm), SSID: casa_nostra-staff, CAPsMAN forwarding
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
20/40mhz-XX country=no_country_set distance=indoors frequency=auto \
frequency-mode=manual-txpower mode=ap-bridge ssid=MikroTik-F45165 \
wireless-protocol=802.11
add mac-address=76:4D:28:F4:51:65 master-interface=wlan1 mode=station name=\
wlan4
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes name=datapath1
add bridge=bridge-public client-to-client-forwarding=yes local-forwarding=no \
name=datapath-publ
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=Staff
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=Public
/caps-man configuration
add channel=ch10 country=russia datapath=datapath1 name=251 security=Staff \
ssid=casa_nostra-staff
add channel=ch3 country=russia datapath=datapath1 mode=ap name=253 security=\
Staff ssid=casa_nostra-staff
add channel=ch1 country=russia datapath=datapath1 mode=ap name=252 security=\
Staff ssid=casa_nostra-staff
add channel=ch10 country=russia datapath=datapath-publ mode=ap name=251p \
security=Public ssid=casa_nostra
add channel=ch3 country=russia datapath=datapath-publ mode=ap name=253p \
security=Public ssid=casa_nostra
add channel=ch1 country=russia datapath=datapath-publ mode=ap name=252p \
security=Public ssid=casa_nostra
/caps-man interface
add channel=ch1 channel.frequency=2422 configuration=252 datapath=datapath1 \
disabled=no l2mtu=1600 mac-address=74:4D:28:7D:5B:8D master-interface=\
none name=252 radio-mac=74:4D:28:7D:5B:8D radio-name=744D287D5B8D \
security=Staff
add channel=ch3 configuration=252p configuration.country=russia \
configuration.mode=ap configuration.ssid=casa_nostra datapath=\
datapath-publ disabled=no l2mtu=1600 mac-address=74:4D:28:7D:5B:8D \
master-interface=252 name=252-Publ radio-mac=74:4D:28:7D:5B:8D \
radio-name="" security=Public
add channel.frequency=2412 configuration=253 datapath=datapath1 disabled=no \
l2mtu=1600 mac-address=74:4D:28:77:87:07 master-interface=none name=253 \
radio-mac=74:4D:28:77:87:07 radio-name=744D28778707 security=Staff
add channel=ch1 configuration=253p datapath=datapath-publ disabled=no l2mtu=\
1600 mac-address=74:4D:28:77:87:07 master-interface=253 name=253-Publ \
radio-mac=74:4D:28:77:87:07 radio-name="" security=Public
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-public ranges=10.0.0.2-10.0.1.254
/ip dhcp-server
add address-pool=dhcp-public bootp-support=none disabled=no interface=\
bridge-public lease-time=6h name=server1
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=wlan1
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=251 name-format=prefix \
name-prefix=251_ radio-mac=74:4D:28:F4:51:65 slave-configurations=251p
add action=create-dynamic-enabled master-configuration=253 name-prefix=252_ \
radio-mac=74:4D:28:77:87:07 slave-configurations=253p
add action=create-dynamic-enabled master-configuration=252 name-prefix=253_ \
radio-mac=74:4D:28:7D:5B:8D slave-configurations=252p
/interface bridge filter
add action=accept chain=forward limit=100,5
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=bridge list=WAN
/interface wireless cap
#
set bridge=bridge caps-man-addresses=192.168.88.251 discovery-interfaces=\
bridge enabled=yes interfaces=wlan1
/ip address
add address=192.168.88.251/24 comment=defconf interface=ether2 network=\
192.168.88.0
add address=10.0.0.1/22 interface=bridge-public network=10.0.0.0
add address=192.168.88.250/24 interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=10.0.0.0/22 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.0.1 netmask=\
22
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input protocol=udp src-address=192.168.88.252
add action=accept chain=input protocol=udp src-address=192.168.88.253
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat dst-address=!192.168.88.0/24 \
out-interface-list=WAN src-address=10.0.0.0/22 to-addresses=\
192.168.88.250
/ip route
add distance=1 gateway=192.168.88.1
/system clock manual
set time-zone=+03:00
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=95.216.238.58 \
server-dns-names=8.8.8.8
/system scheduler
add interval=1d name=reboot on-event="/system reboot" policy=reboot \
start-date=aug/13/2020 start-time=06:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I'm not sure why you chose this option; perhaps VLANs are a better way to go to split networks?
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Can you explain why you want two networks? What is the purpose of the two networks?
Hi, theoretically, why do I need VLANs? CAPs should work like a VLAN for different bridges, yes? The important thing is on the main router, and without NAT the public bridge will not access the internet. The problem is that I don't see traffic in that NAT, nor in the public bridge. Why? Fasttrack?
The purpose is to leave the main bridge with full bandwidth for staff and limit internet usage for the public. Also, the public should not be able to access the private network, for security reasons.
You want to restrict access from bridge-public to bridge by this rule?
add action=src-nat chain=srcnat dst-address=!192.168.88.0/24 \
out-interface-list=WAN src-address=10.0.0.0/22 to-addresses=\
192.168.88.250
IMHO, this will not work: requests to 192.168.88.0/24 miss this rule and will be routed to the appropriate interface.
You should add firewall rule in forward chain to drop all connections from bridge-public to bridge.
Actually this rule works; I can't access any IP of the .88 network from the public 10.0 network. My problem is a different one, as I described: I can't limit the bandwidth of the NAT or limit the bandwidth of the public bridge. How? Thank you
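The bandwidth question in the thread cannot be solved in the NAT table, and the following added example (not configuration from any poster) shows the usual way to do it on RouterOS 6.x. Two things visible in the export explain what was observed: the srcnat rule counts only a handful of packets because RouterOS evaluates NAT rules on the first packet of a connection only and lets connection tracking translate the rest, so NAT counters never reflect throughput; and the rule "works" with `out-interface-list=WAN` only because `bridge` is a member of both the LAN and WAN lists in the export, which is the egress interface towards 192.168.88.1. Throughput is limited with a simple queue, but the defconf `fasttrack` rule makes established/related connections skip simple queues, so public traffic has to be kept out of fasttrack first. The addresses (10.0.0.0/22, 192.168.88.0/24, `bridge`, `bridge-public`) are taken from the export; the rate values and the comments are placeholders chosen for the example.

```routeros
# Added example, not from the original posts. Assumes the export above:
# bridge-public = 10.0.0.0/22, bridge = 192.168.88.0/24, gateway 192.168.88.1.
# Rate values are placeholders.

# 1. Drop public -> staff LAN explicitly in the forward chain. The srcnat rule with
#    dst-address=!192.168.88.0/24 only decides what is not translated; a filter
#    rule is what actually blocks the traffic. Placed before the defconf fasttrack.
/ip firewall filter
add chain=forward action=drop in-interface=bridge-public dst-address=192.168.88.0/24 \
    comment="public: no access to staff LAN" \
    place-before=[find comment="defconf: fasttrack"]

# 2. Keep public connections out of fasttrack. A fasttrack-connection match on any
#    packet (including the reply direction) marks the whole connection, and
#    fasttracked packets bypass simple queues. Accepting public traffic before the
#    fasttrack rule ends filter processing for it, so it is never marked.
add chain=forward action=accept in-interface=bridge-public \
    comment="public: accept without fasttrack" \
    place-before=[find comment="defconf: fasttrack"]
add chain=forward action=accept out-interface=bridge-public \
    comment="public: accept replies without fasttrack" \
    place-before=[find comment="defconf: fasttrack"]

# 3. Limit the whole public subnet. max-limit is upload/download as seen from the
#    target side (placeholder 2M up / 10M down). Per-client limits would use a
#    pcq queue-type instead of a single aggregate queue.
/queue simple
add name=public-limit target=10.0.0.0/22 max-limit=2M/10M \
    comment="public wifi aggregate limit (placeholder values)"

# 4. Optional: make the srcnat rule name its egress interface instead of relying on
#    "bridge" being in the WAN list (it is also in the LAN list in the export).
/ip firewall nat
unset [find src-address=10.0.0.0/22 action=src-nat] value-name=out-interface-list
set [find src-address=10.0.0.0/22 action=src-nat] out-interface=bridge

# 5. Verify. Ongoing traffic shows up in the queue counters and in the connection
#    table, not in the NAT counters (first packet of each connection only).
/queue simple print stats
/ip firewall connection print where src-address~"^10.0."
```

If the drop and accept rules land in the wrong order, `/ip firewall filter print` shows them; the drop must come before the two accepts, and all three before the `defconf: fasttrack` rule, otherwise public flows are fasttracked on their first reply packet and the queue stays at zero.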