I’m new to this forum and after reading some threads without finding an appropriate answer for this, I hope you can help me.
Maybe what I’m trying is not doable, but let’s see.
I have an ISP router which I can’t and don’t want to get rid of. It is connected to some home devices and, in one port, to a Mikrotik HAP AC2.
So, what I want is one of the devices connected to one of the LAN ports of the Mikrotik to have an IP of the ISP provided range. The other 3, to work as standard on a new subnet.
Maybe with this little schematic it is more clear:
The devices connected to the ISP router would be in the 192.168.1.x subnet, and I want one of the devices below the Mikrotik to be in that subnet. The other devices connected to the Mikrotik would be on the 192.168.88.x subnet. I tried to configure a new bridge between the WAN and the LAN1 port, removing it from the standard bridge, but doesn’t seem to do the trick. What I’m trying is to avoid double NAT on that device.
Just to be clear, you want the HAPAC to be a router as well and not simply pass on the subnet of the main router (so it would be an AP/switch, vice router).
Do you need the 192.168.88 network for some reason??
@anav’s idea of setting up the two VLANs is correct, however in this case OP has a hAP ac² with an Atheros 8327 switch chip, which means Bridge VLAN Filtering is not hardware-accelerated:
For the Atheros 8327 chip VLANs should be configured with /interface ethernet switch and its submenus (also with the special care for vlan-header=leave-as-is):
For not double NAT.
If you can change the ISP router, you may be able to add a static route to it.
192.168.88.0/24 via 192.168.1.2
Then from anav’s config, change all the WAN interfaces to LAN and let the ISP router pretty much do all the Natting and external firewalling.
/interface list member
add interface=ether1 list=LAN
add interface=ISP-LAN list=LAN
When you connect from a PC in the .1.x network to a PC on the .88.x network, it will send the packet to the ISP router, which will (hopefully) forward it to the mikrotik, but also send a redirect to the PC on the .1.x network telling it to use the mikrotik (.1.2) to get to that particular device on the .88.x network in future. (Not sure if redirect works if the PC doesn’t trust the network it is on though)
Thanks CGGXANNX, I keep forgetting the hapac2 is old skool.
Upon further review, some clarity for the OP is required.
What we are doing is setting up the hapac2 as a router and accepting traffic coming in on ether1, as the WANIP of the hapac2. We will do two things with this traffic,
a. terminate the connection as WAN IP of the MT router (by static IP address vice ip dhcp client) (LANIP on the ISP subnet)
b. pass through the connection to the ports that are in effect transparent to the MT router and are simply being passed like a switch in through ether1 and out the appropriate port to the PCs expecting the ISP LAN subnet.
The way to do this is to tag the incoming data from the ISP and we will call this vlan ISP.
Since we are using bridge and vlan, it’s easy and convenient to create our MT lan subnet as VLAN 88.
Hopefully this makes it a bit clearer.
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=always-strip default-vlan-id=10 comment="port from ISP"
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=10 comment="port to PC-PT"
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=88 comment="port to Server-PT"
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
+++++++++++++++++++++++
The differences I see are:
a. we don’t use/invoke bridge vlan filtering
b. we use ethernet switch port to define tagging and untagging of ports/wlans
c. we use /bridge ports to simply identify which ports are together on the switch1
d. we use /bridge vlans to identify which vlans are allowed on which ports
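The switch-chip approach discussed in this thread, pulled together as one added example (it is not any poster's own configuration). It assumes a blank configuration with no existing bridge ports; the bridge name `bridge`, the VLAN interface name `LAN-88` and the ISP router address 192.168.1.1 are assumptions, while the VLAN IDs, `ISP-LAN` and 192.168.1.2 come from the posts above.

```routeros
# Added example for a hAP ac2 (Atheros 8327 switch chip), blank config assumed.
# Bridge only groups the ports on switch1; no bridge VLAN filtering is enabled.
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3

# CPU-side VLAN interfaces: the router's own leg in each segment.
# "LAN-88" is a hypothetical name chosen for this example.
/interface vlan
add interface=bridge name=ISP-LAN vlan-id=10
add interface=bridge name=LAN-88 vlan-id=88

# Static address on the ISP subnet instead of a DHCP client.
/ip address
add address=192.168.1.2/24 interface=ISP-LAN
add address=192.168.88.1/24 interface=LAN-88

# Default route via the ISP router (address assumed to be 192.168.1.1).
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

# Switch-chip VLAN table: which ports are members of which VLAN.
# VLAN 10 = ISP subnet passed through ether1 <-> ether2; VLAN 88 = routed LAN.
/interface ethernet switch vlan
add switch=switch1 vlan-id=10 ports=ether1,ether2,switch1-cpu
add switch=switch1 vlan-id=88 ports=ether3,switch1-cpu

# Port settings last: vlan-mode=secure enforces the table above, so frames
# on a port that is not a member of the frame's VLAN are dropped in hardware.
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=88
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is
```

Apply the switch port settings in Safe Mode or from a port that is not being reconfigured, since enabling `vlan-mode=secure` on the port used for management can cut the session. With this layout the device on ether2 shares layer 2 with the ISP subnet only, and can reach the 192.168.88.x hosts solely through the router's firewall.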