Good Day,
I have read several posts regarding the use of the MikroTik mAP 2nD while traveling. I ended up buying one and have been trying to set this up.
I have it working where ether1 gets a 192.168.99.0/24 network while ether2 retains the default 192.168.88.0/24 network. I removed wlan1 from the bridge, and have it setup to connect to my WiFi at home.
For testing with the VPN I am connecting to another location I manage out of state, so a good simulation of being “away”.
From looking online it looks like we need the following to make this all work:
- A VPN interface (In my case I have an L2TP over IPSec tunnel)
- A mangle firewall rule in pre-routing to take any traffic from the 99.0/24 network and mark the routing
- A NAT firewall rule to masquerade the 99.0/24 network over the tunnel
- A default route for 0.0.0.0/0 over the VPN interface using the routing mark for the 99.0/24 network.
Using this setup I have been able to have traffic go over the tunnel and confirmed this by going to whatismyip.com and gotten the correct IP.
The issue I am having at the end of the day is the performance. Using the SpeedTest.net app on my MacBook I try to do a test but latency is through the rood over 1000ms, and throughout is only about 0.4mbit down and about 0.01 up. Which makes no sense.
If I go through the mAP unit on the 88.0/24 network and run a SpeedTest on the app on my MacBook, I am able to hit about 29ms latency, and about 73.6 mbit down and 23.85mbit up (All my internet at home will allow). Keeping this through the mAP and connecting to the VPN on my MacBook, I get latency of about 87ms, 27.3mbit down, and 21.8mbit up. BIG difference.
I have checked the resources tab on the mAP while it was trying to run the VPN tunnel for me, and it only hit about 7% during a speed test. Something is seemingly limiting the mAP. But not sure what.
Here is my current config on the mAP:
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no fast-forward=no name=bridge
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=WiFi supplicant-identity="" wpa2-pre-shared-key=\
Password
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-Ce country="united states3" disabled=no distance=indoors frequency=2432 frequency-mode=\
regulatory-domain security-profile=WiFi ssid="WiFi" wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=ether1 name=dhcp1
/ppp profile
add change-tcp-mss=yes name=l2tp-encryption use-encryption=yes use-upnp=yes
/interface l2tp-client
add connect-to=XXX.XXX.XXX.XXX ipsec-secret=XXXXXXXXXXXXXXXX max-mru=1420 max-mtu=1460 name="L2TP" password=Password profile=l2tp-encryption \
use-ipsec=yes user=user
/interface bridge port
add bridge=bridge hw=no interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=wlan1 list=discover
add interface=ether2 list=discover
add interface=bridge list=discover
add list=discover
add interface="L2TP" list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/interface wireless connect-list
add interface=wlan1 security-profile=peckhq ssid="WiFi"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.99.1/24 interface=ether1 network=192.168.99.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=wlan1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,8.8.8.8,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=wlan1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=wlan1
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes dst-address=!192.168.99.0/24 new-routing-mark=L2TP-VPN passthrough=no src-address=192.168.99.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface="L2TP" routing-mark=L2TP-VPN src-address=192.168.99.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=wlan1
/ip route
add distance=1 gateway="L2TP" routing-mark=L2TP-VPN
add distance=1 dst-address=x.x.x.x/x gateway="L2TP"
/system clock
set time-zone-name=America/Chicago
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon
set enabled=yes
For security obviously I removed a couple IP addresses and passwords.
I would appreciate any help on this.