internet sharing for block of 10 flats

Renters in the flats had wired internet access, but most of them now want wireless, so without asking they bought (or already had) routers instead of access points, connected them to the LAN cable on the wall in their flat, and afterwards nobody had internet because of a rogue DHCP server.

My solution is:
I have ordered 10 hAP lite units to install one per flat, so they will have wireless and wired ports inside the flat. I won't install the hAP lite as a simple bridge.

Main router RB951Ui (192.168.88.1) -> unmanaged TP-Link switch -> hAP lite (10 total)
The RB951 is connected in bridge mode to an ADSL modem (10 Mbps/1 Mbps).

1st hAP lite setup
ether1 (static IP 192.168.88.100) and a static route to the main router (192.168.88.1), so even if a rogue DHCP server appears, the hAP lite knows that the internet source is only 192.168.88.1.

Bridge ether2-ether3-ether4-wlan1 with a DHCP server (192.168.99.0/24), so even if someone connects another router to a port of the hAP lite, it stays only inside that apartment's LAN.

2nd hAP lite setup
ether1 (static IP 192.168.88.101) and a static route to the main router (192.168.88.1)
Bridge ether2-ether3-ether4-wlan1 with a DHCP server (192.168.99.0/24)

etc…

Do you think the idea of connecting the hAPs to the main router like this is good? Any other suggestions?

You will be using NAT from the client intranet to the router intranet. Since you are using reserved addresses anyway, why not get rid of NAT on the hAPs lite? If incoming connections are a concern, just put a default drop protecting the hAP intranet.

Avoids double NAT and uses way less CPU.

You mean bridge ether1, 2, 3, 4 and wlan in the hAP lite? Use it as a simple AP?


No, no. I mean use ether1 as WAN. The rest as LAN.

Router 1:
WAN: 192.168.88.100
LAN: 10.0.1.0/24

Router 2:
WAN: 192.168.88.101
LAN: 10.0.2.0/24

And so on. I used the 10/8 range just because. Feel free to use whichever private range you want. Insert on the “master router” one static route for each hAP subnet.

Set the “master router” (192.168.88.1) as the default gateway to the Haps.

Disable NAT on the Haps.

Insert default drop in the forward chain, blocking WAN => LAN new connections.

Without NAT the hAPs will use less CPU. Although I just saw the speeds of the DSL connection: it will make no difference at all, too slow to be relevant to the CPU load.

I am trying this in my lab now.
I am missing something on my main router (static route???). The hAP lite has internet, but a Toshiba laptop connected to the hAP does not have internet.
Is the static route on my main router correct?

paternot, thank you very much for the suggestion. I think I found it; I have internet on the laptop now.
In the hAP lite IP -> DNS, should I enable “allow remote requests”? Should I put the Google DNS servers in the same tab?

Why is double NAT a problem for simple users just surfing Google, Facebook, YouTube etc.? Nobody has asked for port forwarding until now.
Why is the routing way preferred over the masquerade way?

Depends upon your configuration. Your PPPoE server tells the client which DNS to use. You can either tell them to use the PPPoE server as DNS or to use some other DNS server. Using the PPPoE server has the advantage of cache. Using another server has the advantage of fewer resources.

Usually I let the mikrotik handle the DNS. But it is very important to block DNS queries from the internet - otherwise your server will be used in DNS amplification attacks. If your firewall has a default drop on the input chain, and you didn’t open port 53 TCP/UDP, then all is fine.

For plain site and email use there is no problem. But there are many services that don’t work well with one NAT - let alone two. Some of them are FTP, SIP (used on VoIP) and IPsec.

Routing is easier on the router resources, is easier to firewall, is easier to find out which IP did what (if the police should ask) and doesn't break the point-to-point model the internet was built upon.

NAT was mostly a band aid, made to cope with the problem of “not enough addresses”.
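The routed layout paternot describes (static route per flat on the master router, master as default gateway, no masquerade, default drop for new WAN => LAN connections, input chain closed so the resolver is not reachable from outside) written out as RouterOS CLI. This is an added example, not configuration posted by either participant; it assumes the interface names from the original post (ether1 WAN, ether2-4 and wlan1 LAN), flat 1's addresses from paternot's sketch (WAN 192.168.88.100, LAN 10.0.1.0/24), and constructed names for the bridge, pool and DHCP server.

```routeros
# --- On the master router (RB951Ui, 192.168.88.1) ---
# One static route per flat subnet, pointing at that flat's hAP WAN address.
# Without these, replies to 10.0.1.x have no way back (the laptop symptom above).
# The master's existing masquerade toward the ADSL/PPPoE link must also cover
# 10.0.x.0/24 sources; an out-interface based rule does.
/ip route add dst-address=10.0.1.0/24 gateway=192.168.88.100 comment="flat 1 via hAP 1"
/ip route add dst-address=10.0.2.0/24 gateway=192.168.88.101 comment="flat 2 via hAP 2"

# --- On hAP lite #1 (flat 1) ---
# LAN side: bridge the three LAN ports and the wireless interface.
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
/interface bridge port add bridge=bridge-lan interface=ether4
/interface bridge port add bridge=bridge-lan interface=wlan1

# WAN side: static address, no DHCP client, default route pinned to the master
# router so a rogue DHCP server on the building side cannot redirect this hAP.
/ip address add address=192.168.88.100/24 interface=ether1
/ip address add address=10.0.1.1/24 interface=bridge-lan
/ip route add dst-address=0.0.0.0/0 gateway=192.168.88.1

# DHCP for this flat only (pool range is a constructed choice).
/ip pool add name=pool-flat1 ranges=10.0.1.10-10.0.1.250
/ip dhcp-server add name=dhcp-flat1 interface=bridge-lan address-pool=pool-flat1 disabled=no
/ip dhcp-server network add address=10.0.1.0/24 gateway=10.0.1.1 dns-server=10.0.1.1

# DNS: answer the flat's clients, forward upstream to the master router.
/ip dns set allow-remote-requests=yes servers=192.168.88.1

# Routing instead of NAT: remove the masquerade rule the factory config ships with.
/ip firewall nat remove [find chain=srcnat action=masquerade]

# Forward: established/related flows pass; new connections arriving on ether1
# (from the internet or from another flat, which also comes in via ether1) are dropped.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=ether1 connection-state=new action=drop comment="WAN => LAN new: drop"

# Input: the hAP itself only serves the flat. This is what keeps port 53
# (the allow-remote-requests resolver) from being reachable from the WAN side.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=bridge-lan action=accept
/ip firewall filter add chain=input in-interface=ether1 action=drop comment="no DNS/management from WAN side"
```

With the input drop on ether1 the hAP is manageable only from inside the flat; add an accept for src-address=192.168.88.1 ahead of that drop if you want to reach it from the master router side.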

Thank you so much for the information. I will set them up with routing rules.

Any suggestion on using the same SSID/WPA2 for the 10 flats, or a different one per flat?
I believe it will be easier for the owner of the flats to have one password to give to the 10 renters.
But is roaming between different subnets a problem?

You will lose whatever connection is active at roaming time, the IP of the device will change, and there is the possibility that one tenant will have a wireless client on a different network than his wired devices.

OK, I will go with different SSIDs but the same WPA2 password. Speed is shared equally through the main router (pcq-upload rate=300k / pcq-download rate=3M).

Like this:
SSID  ... WPA2
flat1 ... 12345678
flat2 ... 12345678
flat3 ... 12345678