Make two networks talk

Hello everyone, I'm a newbie, so sorry if these questions are too easy for you. :slight_smile:

So my situation:

I have an AD with a DHCP server on it, then comes the FG firewall (but it is necessary), and next a Mikrotik router (RB951) is connected;
it is used as a wifi access point with its own DHCP. I want to be able to access the AD and local servers. How should it be organised?
Using a bridge between the WAN and LAN ports, or somehow using masquerading? I tried both but it seems I did something wrong. The AD part has the 10.0.0.0/8 network; on the Mikrotik I have 192.168.2.0/24.
Please help. :frowning:

First off is the Firewall setup in stateful or stateless mode?


Do you have routes configured for each network so traffic knows where to go?

Do you have any firewall rules on your Mikrotik that could be interfering?

Can you provide a diagram as I am not sure I fully understand how things are connected and the flow of traffic?

I recommend using the Mikrotik as a simple access point - completely bridged.

To do this, disable DHCP server on the LAN bridge (IP > DHCP server > disable (then remove later) the DHCP service)

Make sure that the LAN bridge is connected to the wlan1 interface and the ether2-local-master interface.

Then go into the interfaces configuration and make sure that ether3, ether4, and ether5 have master port = ether2-local-master

Disable all firewall rules in IP > Firewall

Change the IP address on the LAN bridge to be something static from the 10.0.0.0/8 network so that you can reach it from anywhere on your network for administration.

Finally, disable dhcp-client on ether1-gateway interface, and set ether1-gateway master port = ether2-local-master.

At this point, the device will be a simple access point/switch - you can connect to any of the 5 ethernet ports you like, and anyone connected to the wlan will be on the LAN directly. No routing / nat translation / filter rules are required.
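The steps above as RouterOS 6.x commands, added here as an example (not the poster's own commands). It uses the interface names from the export posted further down (ether2-master-local, not ether2-local-master) and goes one step beyond the list by switching off remote DNS answers once the box is a plain AP.

```routeros
# Added example, not from the thread: the bridged-AP steps as RouterOS 6.x
# commands, using the names from the export posted below
# (ether2-master-local, not ether2-local-master). Run it from a LAN port
# or a Winbox MAC session, because ether1-gateway loses its address.

# 1. Stop handing out 192.168.2.x leases; the AD DHCP server serves wifi too.
/ip dhcp-server disable [find name=default]
/ip dhcp-server remove [find name=default]

# 2./3. wlan-main and ether2-master-local are already ports of bridge-local,
#       and ether3-5 already have master-port=ether2-master-local (per export),
#       so nothing to do for those two steps.

# 4. No routing, NAT or filtering in a pure bridge: disable every rule.
/ip firewall filter disable [find]
/ip firewall nat disable [find]

# 5. Move the existing 10.0.1.81/8 address from ether1-gateway onto the LAN
#    bridge (any unused static 10.0.0.0/8 address would do), then drop the
#    192.168.2.1/24 address the bridge no longer needs.
/ip address set [find interface=ether1-gateway] interface=bridge-local
/ip address remove [find address="192.168.2.1/24"]

# 6. Turn ether1-gateway into a plain switch port: no DHCP client, no own
#    address, switched together with ether2-5.
/ip dhcp-client disable [find interface=ether1-gateway]
/interface ethernet set ether1-gateway master-port=ether2-master-local

# The default route (gateway=10.0.0.1) stays, so the AP is manageable from
# other 10.0.0.0/8 subnets.

# Beyond the steps above: the box no longer serves LAN clients, so stop
# answering DNS queries from the network (avoids a stray open resolver).
/ip dns set allow-remote-requests=no
```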

Here is my config:

# feb/01/2016 07:11:54 by RouterOS 6.23
# software id = 55XF-BLQM
/interface bridge
add name=bridge-guest
add admin-mac=4C:5E:0C:AF:C0:D5 auto-mac=no name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
    20/40mhz-ht-above disabled=no distance=indoors frequency=auto l2mtu=2290 \
    mode=ap-bridge name=wlan-main ssid=KK_ZZZ wds-mode=dynamic \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=p0o9i8u7 wpa2-pre-shared-key=p0o9i8u7
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
    tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=guest \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
    guestwifi wpa2-pre-shared-key=guestwifi
/interface wireless
add disabled=no l2mtu=2290 mac-address=4E:5E:0C:AF:C0:DA master-interface=\
    wlan-main name=wlan-guest security-profile=guest ssid=ZZZ_GUEST \
    wds-cost-range=0 wds-default-cost=0 wds-mode=dynamic
/ip pool
add name=dhcp ranges=192.168.2.10-192.168.2.254
add name=guest_pool ranges=192.168.5.10-192.168.5.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
add address-pool=guest_pool interface=bridge-guest name=guest-server
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan-main
add bridge=bridge-guest interface=wlan-guest
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.2.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.2.0
add address=10.0.1.81/8 interface=ether1-gateway network=10.0.0.0
add address=192.168.5.1/24 interface=bridge-guest network=192.168.5.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-gateway
/ip dhcp-server network
add address=192.168.2.0/24 comment="default configuration" dns-server=\
    192.168.2.1 gateway=192.168.2.1
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.2,10.0.0.3
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" disabled=yes protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established,related disabled=yes
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface=ether1-gateway
add action=drop chain=forward disabled=yes dst-address=10.0.0.0/8 \
    out-interface=bridge-guest
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
/ip route
add distance=1 gateway=10.0.0.1
/system leds
set 0 interface=wlan-main
/system ntp client
set enabled=yes primary-ntp=85.254.216.1
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan-main
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan-main
add interface=bridge-local


I believe there is some useful config in there, such as the DHCP for guests I was experimenting with, but now the most important thing is to make the two networks 10.0.0.0/8 and 192.168.2.0/24 talk.
There was a reason why I don't like to use it just as a simple AP with the AD DHCP server: better if it were a separate network that talks to the other one, plus another network for guest wifi which can't talk to the other networks (192.168.5.1/24).

I have some other access points configured (simple D-Link routers), with and also without their own DHCP servers, and the main firewall allows access to the local network, so I don't think there is a problem with that.

As I posted in the previous post, the Mikrotik has no firewall rules configured.

Please see previous post.

Thank you!
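One way to build what is described above (192.168.2.0/24 routed to and from 10.0.0.0/8, guest WLAN with Internet only) on top of the posted export; this is an added example, not the poster's configuration. It assumes the FG firewall / 10.0.0.0/8 side is given a route for 192.168.2.0/24 via 10.0.1.81, which has to be configured there, not on the Mikrotik.

```routeros
# Added example, not from the thread: routed wifi LAN <-> AD network plus an
# Internet-only guest WLAN, applied on top of the posted export. Assumes the
# FG firewall / 10.0.0.0/8 side gets a route "192.168.2.0/24 via 10.0.1.81"
# (configured there, not here); without it, only sessions started from
# 192.168.2.x can work and step 1 must be skipped.

# 1. Do not hide 192.168.2.x behind 10.0.1.81 toward 10.0.0.0/8, so the AD
#    and FG logs see real client addresses; keep masquerade for the rest.
/ip firewall nat set [find chain=srcnat action=masquerade] \
    dst-address=!10.0.0.0/8

# 2. Stateful basics for routed traffic (enable the export's own rules).
#    Leave the export's "drop new connections from ether1-gateway" rule
#    disabled: it would block 10.0.0.0/8 -> 192.168.2.x sessions.
/ip firewall filter enable [find chain=forward connection-state=established,related]
/ip firewall filter enable [find chain=forward connection-state=invalid]

# 3. Guest isolation. The export's guest rule matches out-interface=bridge-guest
#    with dst 10.0.0.0/8, which never occurs; match on the ingress interface.
/ip firewall filter add chain=forward action=drop in-interface=bridge-guest \
    dst-address=10.0.0.0/8 comment="guest: no AD network"
/ip firewall filter add chain=forward action=drop in-interface=bridge-guest \
    dst-address=192.168.2.0/24 comment="guest: no wifi LAN"

# 4. Guests may talk to the router itself only for DHCP and DNS
#    (no Winbox, SSH or www from the guest WLAN).
/ip firewall filter add chain=input action=accept in-interface=bridge-guest \
    protocol=udp dst-port=67,53 comment="guest: dhcp+dns"
/ip firewall filter add chain=input action=drop in-interface=bridge-guest \
    comment="guest: nothing else"

# Caveat: the router forwards DNS to the AD servers (10.0.0.2/.3), so guests
# can still resolve internal names; hand guests a public resolver in
# /ip dhcp-server network if that matters.
```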

I did read your original post:

That leads me to believe you have a firewall - my questions still remain unanswered. Also, is your firewall configured in bridge mode or routed mode?

According to your config, you do have the firewall enabled on the Mikrotik:

/ip firewall filter
add chain=input comment="default configuration" disabled=yes protocol=icmp
add chain=input comment="default configuration" connection-state=\
established,related disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes \
in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=\
established,related disabled=yes
add action=drop chain=forward comment="default configuration" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new disabled=yes \
in-interface=ether1-gateway
add action=drop chain=forward disabled=yes dst-address=10.0.0.0/8 \
out-interface=bridge-guest
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway

I think the problem is not in the main firewall but in the Mikrotik configuration.

  1. Firewall is stateless and running in NAT mode.

  2. All Mikrotik firewall rules are inactive except masquerading.

Could anybody help with my question? :frowning: