mAP & mAP lite: The Wireless Swiss Knife Always in Your Pocket

urknall · February 17, 2022, 1:56pm

Hi,

i saw a while ago the presentation “mAP & mAP lite: The Wireless Swiss Knife Always in Your Pocket” from Lorenzo Busatti on youtube:

https://www.youtube.com/watch?v=VeZetH9uX_Y

https://mum.mikrotik.com/presentations/US16/presentation_3371_1462179397.pdf

I just ordered the map, does anyone have the config and scripts from Lorenzo or is running a similar setup?
You can also sent me a pm.

THANKS!

Zacharias · February 17, 2022, 2:49pm

How do you want to use the mAP ?

urknall · February 17, 2022, 3:45pm

I want to use it as travel router similar to the setup Lorenzo used in the presentation.

For example connect it to a hotel wifi or lan on port 1 providing the internet connection.
Then have different virtual aps running, where i connect my own devices or connect them via lan port 2.

As in the presentation it would be nice to have “MyBridged”, “MyRouted” and “MyVPN”. The other things
like “MyFriends” or hot spot or the other funny things i would not need right now, but if i could get the complete
config i could just disable them.

Also using netwatch to detect internet and vpn connection via leds would be very useful.

urknall · February 18, 2022, 5:08pm

Thanks to the wonderful information on the forum i started doing my own config.
Because i need the router next week, i did a quick and dirty solution with different bridges,
there are probably more elegant ways to solve this (vlans?).

Here is the config so far:

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge_lan
add name=bridge_vpn
add name=bridge_wan
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=no_country_set
disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower
installation=indoor ssid=“” wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods=“”
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik
unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys name=
MyRouted supplicant-identity=“”
add authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys name=
AccessPoint supplicant-identity=“”
add authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys name=
Buffalo_C_2_4 supplicant-identity=“”
add authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys name=
IslaDeMuerta supplicant-identity=“”
/interface wireless
add comment=MyBridged disabled=no keepalive-frames=disabled mac-address=
xx:xx:xx:xx:xx:xx master-interface=wlan1 mode=bridge multicast-buffering=
disabled name=wlan2 security-profile=MyRouted ssid=MyBridged
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add comment=MyRouted disabled=no keepalive-frames=disabled mac-address=
xx:xx:xx:xx:xx:xx master-interface=wlan1 multicast-buffering=disabled
name=wlan3 security-profile=MyRouted ssid=MyRouted wds-cost-range=0
wds-default-cost=0 wps-mode=disabled
add comment=MyVPN disabled=no keepalive-frames=disabled mac-address=
xx:xx:xx:xx:xx:xx master-interface=wlan1 multicast-buffering=disabled
name=wlan4 security-profile=MyRouted ssid=MyVPN wds-cost-range=0
wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan2 comment=MyBridged
set wlan3 comment=MyRouted
set wlan4 comment=MyVPN
/interface wireless nstreme
set *8 comment=MyBridged
set *9 comment=MyRouted
set *C comment=MyVPN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=myvpn ranges=192.168.77.10-192.168.77.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge_lan name=mybridged
add address-pool=myvpn disabled=no interface=bridge_vpn name=myvpn
/interface ovpn-client
add certificate=schleicher cipher=aes256 connect-to=
my host disabled=yes mac-address=xx:xx:xx:xx:xx:xx
name=openvpn_home port=443 profile=default-encryption user=schleicher
/interface bridge port
add bridge=bridge_wan interface=ether1
add bridge=bridge_wan interface=pwr-line1
add bridge=bridge_wan interface=wlan1
add bridge=bridge_lan interface=ether2
add bridge=bridge_lan interface=wlan3
add bridge=bridge_vpn interface=openvpn_home
add bridge=bridge_lan interface=wlan2
add bridge=bridge_lan interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge_lan list=LAN
add interface=ether2 list=LAN
add interface=wlan1 list=WAN
add interface=wlan3 list=LAN
add interface=ether1 list=WAN
add interface=wlan2 list=LAN
add interface=bridge_wan list=WAN
add interface=wlan4 list=LAN
add interface=bridge_vpn list=LAN
/interface wireless connect-list
add interface=wlan1 security-profile=Buffalo_C_2_4 ssid=Buffalo_C_2_4
add interface=wlan1 security-profile=IslaDeMuerta ssid=IslaDeMuerta
/ip address
add address=192.168.88.1/24 interface=bridge_lan network=192.168.88.0
add address=192.168.77.1/24 interface=bridge_vpn network=192.168.77.0
/ip dhcp-client
add disabled=no interface=bridge_wan
/ip dhcp-server network
add address=192.168.77.0/24 comment=MyVPN dns-server=10.10.10.22 domain=
duron.sarabriga.net gateway=192.168.77.1
add address=192.168.88.0/24 comment=MyBridged dns-server=192.168.88.1
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=bridge_vpn
new-routing-mark=redirect-to-openvpn passthrough=yes src-address=
192.168.77.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN

no interface

add action=masquerade chain=srcnat out-interface=openvpn_home
/ip route
add distance=1 dst-address=10.0.0.0/8 gateway=openvpn_home routing-mark=
redirect-to-openvpn scope=10
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MAP
/system leds
set 3 type=on
set 4 type=on
/system scheduler
add name=autorun-client-mode on-event=“/system script run client-mode”
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-time=startup
/system script
add dont-require-permissions=no name=client-mode owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=“#
wait 3s after startup to run script\r
\n:delay 3\r
\n\r
\n#ensure that master wireless is set as station\r
\n/interface wireless set wlan1 mode=station ssid="" security-profile=de
fault;\r
\n:log info "Set wlan1 network as station";\r
\n\r
\n#wait 15s for wireless to have time to connect\r
\n:delay 15;\r
\n\r
\n#check if wireless is connected to a network\r
\nlocal connectstatus [/interface get wlan1 running]\r
\n\r
\n#if wireless is connected to something, don’t do anything. Else set mast
er wireless as AP\r
\nif $connectstatus do={\r
\n:log info "Network active, keep on keeping on";\r
\n} else={\r
\n/interface wireless set wlan1 mode=ap-bridge ssid="MAP" security-profi
le=AccessPoint;\r
\n:log info "Network not active, setting master network to AP";}”
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=“Check Internet” down-script=“system leds set 3 type=off” host=
8.8.8.8 interval=30s up-script=“system leds set 3 type=on”
add comment=“Check OpenVPN” down-script=“system leds set 4 type=off” host=
10.10.10.1 interval=30s up-script=“system leds set 4 type=on”

Some things i got already working properly and others not…
Seperating the different networks with firewalling isn’t done yet at all.

I have some question to the config, maybe someone can answer those:

For the wifi interface wlan1 (client) which is connecting to the access points i choosed the mode station, what is the difference compared to station bridge and station peusdobridge?
Should i prefer one of the other two modes or stay with station?
On the virtual wlan2 i set the mode to bridge, which is wrong i guess, i want to have “level 2” access to the wireless network (bridge with the physical wlan), which mode i need for that?
I tried to setup routing and masquerading only for the MyVPN wlan, but i can also reach the hosts inside the vpn when i connect via the MyBridged wlan.
How do i have to change the routing and masquerading rules, or do i have to block this via firewall?

Zacharias · February 18, 2022, 5:17pm

Read here : https://wiki.mikrotik.com/wiki/Manual:Wireless_Station_Modes#Mode_station
And here: https://help.mikrotik.com/docs/display/ROS/Wireless+Interface#WirelessInterface-Overview

urknall · February 18, 2022, 5:28pm

Thanks alot, this means station for wlan1 (client) and station pseudobridge for the l2 access on wlan2, if i am not mistaken…

Zacharias · February 18, 2022, 5:45pm

Mode station, so that you can connect to e.g. the Hotels AP.
And mode AP Bridge on the virtual interface, so that you can connect e.g. your Laptop.

urknall · February 18, 2022, 5:57pm

yes, thank you, i already set this 2 modes and they are working. only for the mybridge wlan i have no clue how to solve this…

i set the physical wlan1 to station mode and the virtual wlans ap-mode. do i have to do it the opposite way?
set physical wlan1 to ap-mode and virtual wlan2 for example to station to connect to the hotel and for wlan2 to station with dhcp-client for the bridged access?

Zacharias · February 18, 2022, 6:15pm

yes, thank you, i already set this 2 modes and they are working. only for the mybridge wlan i have no clue how to solve this…

What about it ?

urknall · February 21, 2022, 6:56pm

It wasn’t working

But now i know how to configure it properly:

The physical wlan has to be set to station-pseudobridge and the virtual wlan to ap-bridge or bridge.

The map is ready for this week, there were some minor things that i must change someday or which are not working as expected yet.

The openvpn-client is creating a dynamic routing rule, and i can access from myvpn AND myrouted to the vpn network.
That’s something that i must solve someday. I will probably post a complete config someday, when all the minor things were solved
and when i don’t forget it

Thanks for all so far…

holvoetn · February 21, 2022, 9:37pm

If using it with wifi only:
Don’t forget to use access list to connect to various wifi sources including… your phone’s hotspot, so it will always find a known network and then the virtual networks can be made.
No connected network= no connection = more problems for reconfiguring ( eth and winbox will always work when done properly but it is easier when ‘it just connects’).

urknall · February 21, 2022, 10:22pm

Access list? I think you meant connect list…

Yeah i defined some networks in the connect list, but i included also a fallback script, that is autorun at boot: if no network is found that
the map can connect to, the physical wlan is set to ap-bridge. So in every case you can connect to a running wlan:

/system scheduler
add name=autorun-client-mode on-event="/system script run client-mode" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=client-mode owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    wait 3s after startup to run script\r\
    \n:delay 3\r\
    \n\r\
    \n#ensure that master wireless is set as station\r\
    \n/interface wireless set wlan1 mode=station-pseudobridge ssid=\"\" securi\
    ty-profile=default;\r\
    \n:log info \"Set wlan1 network as station\";\r\
    \n\r\
    \n#wait 15s for wireless to have time to connect\r\
    \n:delay 15;\r\
    \n\r\
    \n#check if wireless is connected to a network\r\
    \nlocal connectstatus [/interface get wlan1 running]\r\
    \n\r\
    \n#if wireless is connected to something, don't do anything. Else set mast\
    er wireless as AP\r\
    \nif \$connectstatus do={\r\
    \n:log info \"Network active, keep on keeping on\";\r\
    \n} else={\r\
    \n/interface wireless set wlan1 mode=ap-bridge ssid=\"MAP-FALLBACK\" secur\
    ity-profile=AccessPoint;\r\
    \n:log info \"Network not active, setting master network to AP\";}"

holvoetn · February 22, 2022, 4:36am

Correct, connect list is what I meant.

Arecki · January 10, 2023, 11:13pm

@urknall I am also very interested in learning how to configure map like Lorenzo. Could you please share your most recent config?