Linking 2 dynadishes to an external network - Trouble with IP/bridging

Hi,
I’m trying to set up a pretty basic P2P link using 2 dynadishes. These will connect to an external network, so the ethernet port on the first dish will be on that network's IP range.
From this point on, I’d like to use an internal 10.x.x.x range.

The diagram here illustrates what I’m trying to set up, with the focus of this post on the top-left, i.e. the dynadishes:
[image: wireless_setup.PNG]
I’ve tried to set this up to test the configuration - if I connect a standard router at the top left (called internet in the diagram), and have bridges on wlan1 and eth1 on both dynadishes, then I can get connectivity at the DynaCl ethernet output. However, as soon as I try to allow the dynadishes to have different IPs (the 10.x.x.x) from the source, I lose all connectivity.

I’m sure I’m messing up something basic here - I don’t have a networking background, so please assume no knowledge - but it may have something to do with NAT and/or gateway settings. Essentially I want each dynadish to route bi-directionally any traffic that comes in/out of the eth and wan ports.

Also, is it true that if I bridge eth and wan, the IP can only be set on the bridge? By definition that is NOT what I want, as I do want different IP ranges on eth and wan for at least 1 of the dishes.

Thanks for any tips!

If you want you can bridge the traffic from the Internet router through the DynaDishes into the RouterBoard in the top right (between the DynaDish and SXT). I do this with Ubnt gear. I have a management VLAN w/private IPs to manage the wireless links and pass another VLAN through the wireless link for the public Internet. I like that as it keeps NAT where you’d want to put it and you can manage your devices with a fair degree of safety. VLAN hopping is only a concern if the device is compromised from the private side of the network since the public side doesn’t have an IP.

For the bridging I believe the DynaDishes support virtual AP and you can add them as bridges with bridge ports to pass the necessary VLANs along end to end. I use MikroTik routers and Ubnt for the wireless but the function should be very similar.

First dynadish will be gateway with nat and the rest of all devices will be bridges. Do not rely on quickset. Reset the devices with no defaults and set what you need only.
It is not clear why you need two ip addresses on the second dynadish.

Thanks for the reply - I’m afraid I’m quite a way away from using VLANs. At this point I’m looking for basic connectivity! I do hope to manage the network from the CPE units (e.g. SXTC1 in the diagram).

Thanks. I’ve taken your advice on board. I agree there is no need for the 2nd dish to have two IP-addresses. I’ve modified the diagram, and the changes are marked in red. Does this match what you were suggesting?
[image: wireless_setup1.PNG]
Now - in terms of setting up the NAT and gateway on dish1 - can you give examples of that? I’ve been looking into NAT, and while the concept makes sense, the terminology/setup has loads of options so it’s not clear what I should be doing here. I see src-nat, dst-nat, masquerade, etc. If you could give an example NAT config for this, using the IPs in the diagram, that would be greatly appreciated. I will start from a new, blank config.

Also, I saw this link - which appears to be connecting two LANs without NAT, but by using a firewall rule:
http://forum.mikrotik.com/t/route-between-two-lans-newbie-question/59739/1
Is this method just as good, or is NAT the best option?

Your NAT question:

Just a normal source NAT masquerade, in Cisco terms - PAT or NAT overload.

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Masquerade_2

My question to you:

What is the subnet mask on your Internet connection? Did they provide you with more than 1 external IP address?

Keep it easy.
First dynadish: Set DHCP client on ether1, let it add default route and DNS servers (hope your ISP provides DHCP, otherwise set it manually according to his instructions). Set 10.0.0.1/24 network on wlan1, create DHCP server for that interface with corresponding pool. Make firewall nat masquerade rule for out-interface=ether1. Allow remote requests in DNS service. Set basic firewall rules (allow out, allow in in the case of related/established, drop the rest in forward chain, drop from ether1 in input chain) - see some basic firewall config tutorial, if necessary.

The other devices: bridge/switch all interfaces together, put DHCP client on the bridge and everything should be working like a charm.
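The steps in the two paragraphs above, written out as RouterOS CLI commands (an added example for illustration, not the poster's own configuration). It assumes the interface names ether1/wlan1, the 10.0.0.0/24 range and the upstream 192.168.1.x router from the thread's diagram, a made-up SSID "p2p-link", and MikroTik's station-bridge wireless mode as the assumed way to put the downstream dish's wlan into a bridge.

```routeros
# --- dish1: the gateway (constructed example, not the poster's config) ---
# ether1 faces the upstream router (gets 192.168.1.x by DHCP), wlan1 is the
# internal 10.0.0.0/24 side. SSID and pool range are assumed values.
/interface wireless set wlan1 mode=ap-bridge ssid="p2p-link" disabled=no
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no
/ip address add address=10.0.0.1/24 interface=wlan1
/ip pool add name=lan-pool ranges=10.0.0.10-10.0.0.100
/ip dhcp-server add name=lan-dhcp interface=wlan1 address-pool=lan-pool disabled=no
# clients receive 10.0.0.1 as gateway and DNS, so no static gateway on the laptop
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1
/ip dns set allow-remote-requests=yes
# masquerade: 10.0.0.x sources leave ether1 with whatever address DHCP gave it,
# so the upstream address may change without editing the rule
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
# forward chain: allow LAN out, allow replies back in, drop everything else
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=wlan1 action=accept
/ip firewall filter add chain=forward action=drop
# input chain: the dish itself (winbox, DNS) stays reachable from the 10.x side only,
# nothing from the upstream network can reach the management services
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=ether1 action=drop

# --- dish2 and the other devices: one bridge, one DHCP client ---
/interface wireless set wlan1 mode=station-bridge ssid="p2p-link" disabled=no
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1
/ip dhcp-client add interface=bridge1 disabled=no
```

Because the masquerade rule keys on out-interface rather than on a fixed address, it keeps working when the address on ether1 is dynamic.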

The Internet connection in the diagram is actually not direct - I’m getting it from another person who’s basically giving me a connection into his private wireless setup. So essentially dish1 is plugging into a router that itself goes a few more hops to get to a commercial internet connection. As a result I’ve no dedicated public IPs. Does that affect the NAT?

Thanks for the NAT info - it looks like src-nat is all I need - but it appears I must know the IP I’m getting from the other network.

In terms of gateway, do I set it to the IP of the eth port on dish1?

By the way, can NAT work if the IP I'm getting (eth1 dish1) is dynamic, or must it be static?

[image: MikroTik Forums Wireless Bridging the Internet to A Friend_1.png]
So if I was you … this is how I would do it. Why? Simple, limit the layers of NAT and isolate traffic as much as possible. Each layer of NAT creates a point for issues to occur like VPN connectivity or resource exhaustion. By bridging your WAN / Internet connection all the way to the CPE of your downstream customers their traffic isn’t passing through what would be perceived as your LAN with access to your devices on your LAN. You would still configure NAT somewhere, either on the head DynaDish or your router in the upper right. Whichever one you pick is where you’d place an IP for VLAN11, perform NAT and set that as the default gateway for your devices.

It’s a more complicated design for sure. It provides you with isolation. The downstream customers will not be able to see your 10.0.0.0/24 LAN. Also they will avoid 1 extra layer of NAT which is always a positive.

Absolutely my goal!

Makes sense. Will I need a gateway on dish1? If so, based on this diagram how would that be configured? I understand DHCP from the external router would give a gateway, subnet mask and IP - but I’m wondering if I need a gateway set between wan and eth ports in dish1?

This is the most confusing part. It seems a srcnat/masquerade is often mentioned. However, for the other things you mentioned (allow out, allow in for related/established, and the dropping), do you have examples of those?

Yes, sounds good.

Thanks for the diagram - very detailed and much appreciated. This setup is not actually a commercial effort - a private/rural internet access solution with just 2 clients (me and a neighbor) and we’re accessing the network of a guy who has a decent internet connection (i.e. he is not an ISP). So with regards to isolation/security, I think the NAT at the top-left of the diagram should be sufficient - and there is no undue load on the system resources, etc.

That said, your setup proposal does look nice. My concern at the moment is I know nothing about VLANs and as I am having trouble getting the ‘simple’ version working, it’s a step beyond my current level of comfort with using Mikrotik devices. However, if things were to expand beyond where they are now (i.e. we end up adding more people), I would definitely look at the VLAN system as I like the separate channels for traffic and management, etc.

First dynadish will be the gateway. Its routing rules together with the masquerade and connection tracking will do the trick.
Firewall filter rules are good because without them all types of traffic are allowed by default.
Have you seen the manual?

I’ve looked at the manual a lot, but I have yet to find solid configuration examples - only snippets of various bits.

Based on this thread, I’ve tried to set up the initial link in the diagram. The image here is my latest (failed) attempt at this.

What I’ve set up is an internet-connected router acting as the ‘ISP’ in the top-left of the original diagram. The first dynadish has its ether1 port set up with a DHCP client.
Screenshot of the config:
[image: configuration1_not_working.PNG]
The following steps were taken:

  1. Reset configuration - no default
  2. Set DHCP client on ether1 of dish1
    This works, I can ping from a terminal in winbox to 8.8.8.8
  3. Set up wlan with a fixed IP of 10.0.0.1, and added a 802.11 connection.
  4. Can connect to RouterOS via my laptop’s wifi connecting to the wlan on dish1
    This works - had to set up my laptop’s wifi to have a static IP of 10.0.0.10
  5. Set up a srcnat in masquerade mode - intending to translate all 10.0.0.x addresses to the 192.168.1.x address and go out the ether1 port of dish1
    Used the example here: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Masquerade_2
  6. Try to get access from my laptop to ping 8.8.8.8
    This fails - no route
  7. Added a manual route (the one in blue in the image) to the ether1 port
    Still fails to give access from the laptop to the internet via the dish.

So I think I’m close - but there is some part of the route from the 10.0.0.x subnet to 192.168.1.x that is failing. Any info to help resolve this missing piece would be greatly appreciated!

Ok, looks like it WAS a small issue - the one being when I set the static-IP on my windows machine, I did not set the windows default gateway to 10.0.0.1.
I just did this and now I have connectivity from laptop wifi → dish1 wlan1 → dish ether1 → router → internet

I’ll try to set up each of the next links in the chain by bridging each one. Fingers crossed!
Thanks guys for the help so far, it’s really great.

If you set dhcp server at wlan of the first dynadish, then all devices inside will be configured automatically and correctly.

That’s exactly what I did, works a charm. Now on to the next links in the chain..

By the way, do you recommend using the nstreme wireless protocol instead of 802.11? I hear it gives better performance. Are there any downsides?

You need to test the protocols yourself because they could behave slightly differently according to your local conditions. No one can tell what will generally be the best in your case. Set any protocol on the distant device and rotate all protocols on the close side to see what is better.