Local Masquerading ??

I have an AP connected to ether 2 of my mikrotik
Mikrotik is running a hotspot on a bridge interface which includes all lan and wlan ports.

I connect with my laptop to ether 3 of the mikrotik.

My IP is 192.168.88.10, the AP ip address is 192.168.111.20. What rules do I need to add to facilitate access to the AP from my laptop?

(Of course if I change my local IP to the 192.168.111.x range I can access the AP)

Attached Diagram

Hi there,

  1. Ensure that there is a 192.168.111.0/24 & a 192.168.88.0/24 address on your bridge interface.
  2. Accept LAN to LAN & AP to AP traffic to prevent them from masquerading behind the router's IP.
  3. Masquerade traffic out of your bridge interface.
/ip address
add address=192.168.111.1 interface=bridge
add address=192.168.88.1 interface=bridge
/ip firewall nat
add action=accept src-address=192.168.111.0/24 dst-address=192.168.111.0/24
add action=accept src-address=192.168.88.0/24 dst-address=192.168.88.0/24
# Masquerade to allow either network to talk to either network
add action=masquerade out-interface=bridge
# Or if you want to be more specific so that devices in 192.168.111.0/24 range cannot access 192.168.88.0/24 range.
add action=masquerade out-interface=bridge dst-address=192.168.111.0/24

Thank you very much.
Could you please enlighten me with regards to this rule

add action=accept src-address=192.168.88.0/24 dst-address=192.168.88.0/24

Will the above rule interfere with any of the Hotspot or Usermanager accounting? Or could it create a security issue of any sorts?

Hi Mark, That rule prevents the router from masquerading traffic between your LAN devices. Otherwise the IP that would always be seen from the devices perspective is the Mikrotik’s own IP. This doesn’t have an impact on your security. This should not have an effect on your hotspot either unless you are marking packets between your local devices. Normally I always add this rule as it helps in seeing what the true internet usage is.

[quote="MLubbe"]Hi there,

/ip firewall nat
add action=accept src-address=192.168.111.0/24 dst-address=192.168.111.0/24
[/quote]

What chain should the above be in?

[code]/ip firewall nat> add action=accept src-address=192.168.111.0/24 dst-address=192.168.111.0/24
chain: 
failure: no chain specified[/code]

Above is the error I receive

Hi there, the forward chain, sorry for that.

Thank you, I appreciate your kind assistance

I have done as you said but am still unable to access the AP

Here is my config

ping 192.168.111.10
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 192.168.111.10                                          timeout            
    1 192.168.111.10                                          timeout            
    2 192.168.111.10                                          timeout            
    3 192.168.111.10                                          timeout            
    4 192.168.111.10                                          timeout            
    5 192.168.111.10                                          timeout            
    sent=6 received=0 packet-loss=100% 

/ip firewall nat print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D chain=dstnat action=jump jump-target=hotspot hotspot=from-client 

 1  D chain=hotspot action=jump jump-target=pre-hotspot 

 2  D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53 

 3  D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53 

 4  D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80 

 5  D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443 

 6  D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth 

 7  D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth 

 8  D chain=hs-unauth action=return protocol=tcp dst-port=82 

 9  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80 

10  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128 

11  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080 

12  D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443 

13  D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 

14  D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http 

15  D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 

16 X  ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough 

17    ;;; masquerade hotspot network
      chain=srcnat action=masquerade src-address=192.168.88.0/24 log=no log-prefix="" 

18    chain=dstnat action=redirect to-ports=8080 protocol=tcp connection-mark=payment_reminder 

19    chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.88.0/24 log=no log-prefix="" 

20    chain=forward action=accept src-address=192.168.111.0/24 dst-address=192.168.111.0/24 log=no log-prefix="" 

21    chain=forward action=masquerade out-interface=bridge log=no log-prefix=""

Hi there, try moving the nat rules to the top above the rest.
Secondly, do you make use of any mangle rules? It may be that they are interfering. If you do, you can add these rules to the top of the mangle list to test (they will stop the internal traffic from being mangled):

/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=accept comment="Accept LAN -> LAN"
add chain=prerouting src-address=192.168.88.0/24 dst-address=192.168.111.0/24 action=accept comment="Accept LAN -> Hotspot"
add chain=prerouting src-address=192.168.111.0/24 dst-address=192.168.111.0/24 action=accept comment="Accept Hotspot -> Hotspot"
add chain=prerouting src-address=192.168.111.0/24 dst-address=192.168.88.0/24 action=accept comment="Accept Hotspot -> LAN"

Lastly, you may have firewall rules affecting it. Try temporarily disabling rules that use 192.168.88.0/24 as well as 192.168.111.0/24.

Once you have isolated the issue you can disable and remove the other rules as necessary.
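Added example, not part of this thread and not MikroTik code: a small Python model of how RouterOS walks a NAT chain top to bottom, used here to check two things the thread turns on, rule order (the accept rules must sit above the masquerade rule, as MLubbe advises) and chain placement. Assumptions are labelled in the code: the rule text is constructed from the rules posted above but written with chain=srcnat, which is the chain RouterOS evaluates for masquerade; the router substitutes its 192.168.88.1 bridge address when masquerading; and only the src-address, dst-address and out-interface matchers are modelled. The parse_rules helper reads the same "add key=value ..." syntax the thread uses, and unreachable_rules flags NAT rules that sit in a chain nothing jumps to.

```python
import ipaddress

# Constructed NAT rule sets in RouterOS "add key=value ..." syntax, modelled
# on the rules posted in the thread (not captured from a live router).
# RouterOS evaluates only the srcnat and dstnat chains of the NAT table by
# itself; any other chain name is a custom chain reached solely via action=jump.

# Assumption: the posted rules belong in srcnat, with the accept rules first.
RULES_ACCEPT_FIRST = """
add chain=srcnat action=accept src-address=192.168.111.0/24 dst-address=192.168.111.0/24
add chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.88.0/24
add chain=srcnat action=masquerade out-interface=bridge
"""

# The same rules with the masquerade rule listed first.
RULES_MASQ_FIRST = """
add chain=srcnat action=masquerade out-interface=bridge
add chain=srcnat action=accept src-address=192.168.111.0/24 dst-address=192.168.111.0/24
add chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.88.0/24
"""

# The shape of the poster's print output: the hotspot masquerade rule in
# srcnat, plus accept rules in a chain named "forward" that nothing jumps to.
RULES_WRONG_CHAIN = """
add chain=srcnat action=masquerade src-address=192.168.88.0/24
add chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.88.0/24
add chain=forward action=accept src-address=192.168.111.0/24 dst-address=192.168.111.0/24
add chain=forward action=masquerade out-interface=bridge
"""

BUILTIN_NAT_CHAINS = {"srcnat", "dstnat"}

# Assumption: the address RouterOS substitutes when masquerading on the bridge.
ROUTER_ADDR = "192.168.88.1"

# Constructed packets: laptop to another LAN host, and laptop to the AP.
LAN_TO_LAN = {"src": "192.168.88.10", "dst": "192.168.88.20", "out_interface": "bridge"}
LAN_TO_AP = {"src": "192.168.88.10", "dst": "192.168.111.20", "out_interface": "bridge"}


def parse_rules(text):
    """Turn 'add key=value ...' lines into a list of dicts, preserving order."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in line[4:].split():
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """Evaluate the matchers this model understands: src/dst address, out-interface."""
    if "src-address" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src-address"]):
        return False
    if "dst-address" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst-address"]):
        return False
    if "out-interface" in rule and rule["out-interface"] != pkt["out_interface"]:
        return False
    return True


def apply_srcnat(rules, pkt, router_addr=ROUTER_ADDR):
    """Walk the srcnat chain top to bottom; the first matching accept or
    masquerade rule ends evaluation. Returns (source address the destination
    will see, action taken)."""
    for rule in rules:
        if rule.get("chain") != "srcnat":
            continue  # custom chains are only entered via a jump, not modelled here
        if not matches(rule, pkt):
            continue
        if rule.get("action") == "accept":
            return pkt["src"], "accept"
        if rule.get("action") == "masquerade":
            return router_addr, "masquerade"
    return pkt["src"], "no-match"


def unreachable_rules(rules):
    """Indices of NAT rules placed in a custom chain that no jump rule targets."""
    targets = {r["jump-target"] for r in rules if r.get("action") == "jump" and "jump-target" in r}
    return [i for i, r in enumerate(rules)
            if r.get("chain") not in BUILTIN_NAT_CHAINS and r.get("chain") not in targets]


if __name__ == "__main__":
    for name, text in (("accept first", RULES_ACCEPT_FIRST),
                       ("masquerade first", RULES_MASQ_FIRST),
                       ("wrong chain", RULES_WRONG_CHAIN)):
        rules = parse_rules(text)
        print(name, "LAN->LAN:", apply_srcnat(rules, LAN_TO_LAN),
              "LAN->AP:", apply_srcnat(rules, LAN_TO_AP),
              "unreachable:", unreachable_rules(rules))
```

With the accept rules first, a laptop-to-laptop packet keeps its real source, which is the accounting visibility MLubbe describes; laptop-to-AP traffic still matches the masquerade rule, so the AP sees the router's address. With the masquerade rule first, the accept rules are never reached. In the printed NAT table above, rules 19 to 21 are in a chain named forward and no rule jumps to it, so the model reports them unreachable and rule 17 masquerades every packet from 192.168.88.0/24; when checking this on a router, `/ip firewall nat print stats` shows whether a rule has ever matched. One further check on the posted output: the ping targets 192.168.111.10, while the AP's address was given earlier as 192.168.111.20.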