Mikrotik as a secure gateway behind public WLAN

Hello!

I wanna try the following.

A) I want a MT to act as a station connected to a (public) WLAN. That works fine: I get an IP, DNS, NTP and a default route from the WLAN's DHCP.

B) I want to provide a local WPA2-WLAN for my clients using the network 192.168.54.0/24. That works also fine.

C) I want to route the traffic from the local network through the public WLAN to the internet. That doesn’t work.

You can find the config (without the secrets) below. The L2TP and IPsec parts are disabled. In a next step I wanna route all traffic through this tunnel.

# mar/17/2018 23:54:19 by RouterOS 6.41.3
# software id = 31J0-42KJ
#
# model = RouterBOARD 941-2nD
# serial number = 8AFE082826D1
# NOTE(review): the software id and serial number above, and the connect-to
# address of the L2TP client further down, are device/endpoint identifiers
# rather than "secrets" in the strict sense, but they are worth redacting
# before posting an export.
#
# Layout of this export: private-bridge is the client LAN (192.168.54.0/24),
# wan-bridge groups the two uplink candidates (ether1 and the station-mode
# wlan). The later post on this page reports that bridging the uplinks was
# the cause of the routing problem and that using wlan-to-wan / ether1
# directly with the DHCP client works.
/interface bridge
add fast-forward=no name=private-bridge
add fast-forward=no name=wan-bridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# access-Yachthafen still permits WPA(1) and TKIP as allowed methods/ciphers.
# No interface in this export references it, so it is currently unused; if it
# is ever attached to an interface, WPA2-PSK with aes-ccm only would be the
# safer choice.
add authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap group-ciphers=\
    tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=\
    access-Yachthafen supplicant-identity="" unicast-ciphers=tkip,aes-ccm
# private-WLAN: WPA2-PSK only, used by the local AP (privates-wlan) below.
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=private-WLAN supplicant-identity=""
# access-Peer: WPA2-PSK, used by the uplink radio (wlan-to-wan) below.
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=access-Peer supplicant-identity=""
# access-iphone6S is not referenced by any interface in this export.
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=access-iphone6S supplicant-identity=""
/interface wireless
# Physical radio (wlan1) renamed to wlan-to-wan; it joins the public SSID
# PMJFC-Gast with the access-Peer profile. The wireless mode is not in the
# export (presumably station, as the post describes) -- confirm.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    disabled=no frequency=auto name=wlan-to-wan security-profile=access-Peer \
    ssid=PMJFC-Gast
# Virtual AP on top of wlan-to-wan: the local WPA2-PSK network for clients.
# Because it is a virtual interface, it shares the radio/channel of the uplink.
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:43:93:BB \
    master-interface=wlan-to-wan multicast-buffering=disabled name=\
    privates-wlan security-profile=private-WLAN ssid=Tor-zur-Welt \
    wds-cost-range=0 wds-default-cost=0
/ip ipsec proposal
# Phase-2 proposal: AES-256-CBC for ESP. The auth/hash algorithm is not shown,
# so the RouterOS default applies.
set [ find default=yes ] enc-algorithms=aes-256-cbc
/ip pool
add name=PrivateIPs ranges=192.168.54.100-192.168.54.200
/ip dhcp-server
add address-pool=PrivateIPs disabled=no interface=private-bridge name=\
    DHCP-private
/ppp profile
# *0 is presumably the "default" profile that the L2TP client below uses
# (confirm). With use-encryption=no the L2TP/PPP session itself carries no
# MPPE encryption, so confidentiality of tunnelled traffic would rest on the
# IPsec policy further down, which is currently disabled.
set *0 use-encryption=no
/interface l2tp-client
# L2TP client towards the home endpoint (currently not yet used for routing,
# per the post). The connect-to address is a public endpoint identifier.
add connect-to=79.212.123.188 name=L2TP-Home profile=default user=\
    IPSEC-MT-mobil
/interface bridge port
# LAN side: three ethernet ports plus the local virtual AP.
add bridge=private-bridge interface=ether2
add bridge=private-bridge interface=ether3
add bridge=private-bridge interface=ether4
add bridge=private-bridge interface=privates-wlan
# WAN side: ether1 and the station-mode radio bridged together. The author's
# follow-up on this page identifies this bridging as the reason the uplink
# routing did not work; the working setup uses the interfaces directly.
add bridge=wan-bridge interface=ether1
add bridge=wan-bridge interface=wlan-to-wan
/ip address
add address=192.168.54.254/24 interface=private-bridge network=192.168.54.0
/ip dhcp-client
# DHCP client on the uplink bridge; it supplies the default route and DNS
# described in the post. The hostname option is sent to the public WLAN's
# DHCP server (presumably the system identity "Hafen-ToGo" -- verify); leave
# it out if the device name should not be visible to the hotspot operator.
add dhcp-options=hostname,clientid disabled=no interface=wan-bridge
/ip dhcp-server network
# Clients are told to use the router for DNS and NTP. No NTP server section
# appears in this export, so the ntp-server entry may point at nothing --
# confirm on the device.
add address=192.168.54.0/24 dns-server=192.168.54.254 gateway=192.168.54.254 \
    ntp-server=192.168.54.254
/ip dns
# allow-remote-requests=yes makes the router answer DNS on every interface,
# including the uplink side; only the input-chain drop rule below keeps it
# from acting as an open resolver towards the public WLAN. Upstream queries
# to 8.8.8.8 cross the untrusted WLAN as plain DNS.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
# router.lan resolves to 192.168.88.1, but this router's address is
# 192.168.54.254 and no 192.168.88.x address exists in this export; this
# looks like a leftover from the factory default config.
add address=192.168.88.1 name=router.lan
/ip firewall filter
# Order: drop invalid, accept established/related, accept anything from the
# LAN, then drop (and log) the rest. Note that the LAN accept rules give every
# 192.168.54.0/24 host unrestricted access to the router's services (input)
# and to any destination (forward); nothing here keeps individual clients off
# the outside, which the follow-up post says is a requirement for some of them.
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=accept chain=forward src-address=192.168.54.0/24
add action=accept chain=input src-address=192.168.54.0/24
# Final drops log every packet; on a busy public WLAN this can fill the log
# quickly -- consider turning log=yes off once debugging is done.
add action=drop chain=forward log=yes log-prefix=drp-forward:
add action=drop chain=input log=yes log-prefix=drp-input:
/ip firewall nat
# Source NAT for the LAN towards the uplink bridge. log=yes logs each new
# masqueraded connection (useful for the debugging described in the post).
add action=masquerade chain=srcnat log=yes log-prefix=MASK: out-interface=\
    wan-bridge src-address=192.168.54.0/24
/ip ipsec peer
# Disabled IKE peer. dh-group=modp1024 is a 1024-bit MODP group, which is
# below current recommendations; a larger group would be preferable when
# this is enabled. The peer address is a private one, presumably reachable
# only through the L2TP tunnel (confirm).
add address=172.17.2.1/32 dh-group=modp1024 disabled=yes enc-algorithm=\
    aes-256
/ip ipsec policy
# Default policy disabled; the added (also disabled) policy would tunnel
# 192.168.54.0/24 <-> 192.168.51.0/24 between SA endpoints 172.17.2.2 and
# 172.17.2.1.
set 0 disabled=yes
add disabled=yes dst-address=192.168.51.0/24 sa-dst-address=172.17.2.1 \
    sa-src-address=172.17.2.2 src-address=192.168.54.0/24 tunnel=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Hafen-ToGo
/system leds
add interface=wan-bridge leds=user-led type=interface-activity

The routes look like this:

The traffic towards the WAN bridge is masqueraded, but it doesn't get any connection to the WAN. If I connect directly to the external WLAN with the PC, the internet connection works fine and the routing table looks the same as on the MikroTik.

Does anyone have a hint for me?

BR Holger

Is option B mandatory? I mean, is it needed that the clients use 192.168.54.0? Are they not happy with the DHCP from the public WLAN?

Yes, B is mandatory, because in this network there are several clients with internal traffic which should have no connection to the outside.

I found the problem. Operating with a wan-bridge for the WLAN and ether1 as out-interface doesn't work; the routing there was not clear. Using wlan-to-wan and ether1 directly, together with the DHCP client, works fine. Just one option is used, and thus only one dynamic route is added by the DHCP client.

Can you post your config again with the correct configuration to get this working? I’m trying to do the same thing. Thanks!