New 6 client wlan system to have no Bridges, with your help

New to forum, using RouterOS in bridged wds system of about 6 clients for a few years. This has been a nice community service to under-served houses on my street.

New system to have no Bridges and no wds if I can. Since I have new equipment I will not post any settings from current, bridged system.

My question is what NATs and routes will I need in each box to get it to work? Routing rules or prerouting? What should the radios be configured as?

I would like all interfaces to have static IP and static on client’s router or PC wired into the six Box3’s. Box3’s will have simple queues for client burst and limits.

First time using net notepad but I’m attaching it anyway. And a simple diagram here if the file doesn’t work.

DSL modem===ether1-PPPoE-BOX1-XR9XR9-Box2-SR9SR9-BOX3-ether1===client-PC/router

The Box1 will have RB433 with XR9. A PPPoE interface for the dsl on ether1, ether2 will feed Internet to DSL site house.

Box 2 will have XR9 and SR9 and ether1 interfaces on a RB433. This is the box that I will use winbox for system admin and get my Internet access.

Box3 will be 6 similar boxes with RB133 or RB112 with SR9 and ether interfaces.

Using SR9’s and RB133/112’s from old system.

Is this enough info to get the discussion started?

I ordered this book, is it a good resource? http://www.streakwave.com/itemdesc.asp?ic=LearnRouterOS&eq=&Tp

Thank you all in advance. Hope I met the newbie requirements for good question.

Mark
netdiag1.JPG

Are you wanting to give each client a public IP and how do you want to limit each client or do you?

This sounds a lot like the email I received earlier today. :wink:

Chris, thank you for your interest.

I don’t need to provide clients with public IPs. We are currently sharing a dynamic IP DSL line with a NAT and DHCP server in ‘Box1’. I don’t think I need a DHCP server in ‘Box1’. In fact, I’d like to have the system as static as possible.

I have been limiting each client with simple queues on the Ethernet port of their ‘Box3’. This has worked OK. I have a burst time and then a max limit. No complaints!

My system has run bridged with wds even hopping to a few customers (that I don’t have to hop to now–I dropped them). I set the system up with static wds interfaces and static ports, but it still was very unstable.

Do you think with my experience with the bridged network it would be a stretch for me to set up a routed network?

Mark

I set up an AP and Client in the shop and got it to pass traffic without any bridges! I notice that when the link comes up the pings start right away, while in the old bridged system it would take 15 seconds or more.

Before I get the three router boards to work as AP–repeater–cpe I need to resolve a couple of things.

  1. When I start to pass traffic across the wireless link the link drops out. It will stay up for more than 10 minutes without traffic but when I call up a web page it drops out. Is this from my routing setup or the fact that the radios are about 6 feet apart (sr9’s on routerboard 112’s) in the shop and are getting interference? (power turned down to 17dbm)

  2. When the pc is plugged into the cpe I can access the cpe with winbox but cannot access the AP through the wireless link. How do I get the winbox loader to see all the routerboards? I will need this when the repeater is at my house and I want access to the ap and cpe’s.

As a forum member wrote to me: “If you have an understanding of routing and wireless you should be at least dangerous enough to get it working.” OK, I got it to work…LOL

Here are the setups, and I thank you in advance:

[admin@AP1]

 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0 X 192.168.1.202/24   192.168.1.0     192.168.1.255   ether1
 1   192.168.20.1/24    192.168.20.0    192.168.20.255  wlan1
 2 D 192.168.2.102/24   192.168.2.0     192.168.2.255   ether1

ether1 gets ip from dhcp server on 192.168.2.2

[admin@AP1] > ip route print
Flags: B - blackhole, U - unreachable, P - prohibit, X - disabled, A - active,
D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf

 #      DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTERFACE
 0 AD   0.0.0.0/0                          r 192.168.2.2     0        ether1
 1 ADC  192.168.2.0/24     192.168.2.102                     0        ether1
 2 ADC  192.168.20.0/24    192.168.20.1                      0        wlan1
[admin@AP1] > ip firewall export

# jan/01/2000 02:25:59 by RouterOS 2.9.35

/ ip firewall mangle
add chain=prerouting in-interface=wlan1 action=change-ttl new-ttl=set:65 \
    comment="" disabled=yes
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1400 \
    comment="" disabled=yes
/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="" disabled=no
add chain=srcnat out-interface=ether1 protocol=udp action=masquerade \
    comment="" disabled=yes
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
    udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
    tcp-syncookie=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes
[admin@AP1] > interface
[admin@AP1] interface> wireless print
Flags: X - disabled, R - running
 0  R name="wlan1" mtu=1500 mac-address=00:15:6D:93:4B:3A arp=enabled
      disable-running-check=no interface-type=Atheros AR5213
      radio-name="00156D934B3A" mode=ap-bridge ssid="MikroTik" area=""
      frequency-mode=manual-txpower country=no_country_set antenna-gain=0
      frequency=2427 band=2.4ghz-b/g scan-list=default rate-set=configured
      supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
      supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps basic-rates-b=1Mbps
      basic-rates-a/g=6Mbps max-station-count=2007 ack-timeout=dynamic
      tx-power=13 tx-power-mode=card-rates noise-floor-threshold=default
      periodic-calibration=default periodic-calibration-interval=60
      burst-time=disabled dfs-mode=none antenna-mode=ant-a wds-mode=disabled
      wds-default-bridge=none wds-default-cost=100 wds-cost-range=50-150
      wds-ignore-ssid=no update-stats-interval=disabled
      default-authentication=no default-forwarding=no default-ap-tx-limit=0
      default-client-tx-limit=0 proprietary-extensions=post-2.9.25
      hide-ssid=no security-profile=default disconnect-timeout=15s
      on-fail-retry-time=100ms preamble-mode=both compression=no
      allow-sharedkey=no
[admin@AP1] interface>


[admin@CPE1] > ip address print
Flags: X - disabled, I - invalid, D - dynamic

 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.20.3/24    192.168.20.0    192.168.20.255  wlan1
 1   192.168.30.1/24    192.168.30.0    192.168.30.255  ether1
[admin@CPE1] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

 #      DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTERFACE
 0 ADC  192.168.20.0/24    192.168.20.3                               wlan1
 1 ADC  192.168.30.0/24    192.168.30.1                               ether1
 2 A S  0.0.0.0/0                          r 192.168.20.1             wlan1
[admin@CPE1] >
[admin@CPE1] >
[admin@CPE1] > interface print
Flags: X - disabled, D - dynamic, R - running

 #    NAME      TYPE    RX-RATE  TX-RATE  MTU
 0  R ether1    ether   0        0        1500
 1  R wlan1     wlan    0        0        1500
[admin@CPE1] >

[admin@CPE1] interface> wireless print
Flags: X - disabled, R - running
 0  R name="wlan1" mtu=1500 mac-address=00:15:6D:93:04:79 arp=enabled
      disable-running-check=no interface-type=Atheros AR5213
      radio-name="00156D930479" mode=station ssid="MikroTik" area=""
      frequency-mode=manual-txpower country=no_country_set antenna-gain=0
      frequency=2427 band=2.4ghz-b/g scan-list=default rate-set=configured
      supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
      supported-rates-a/g=6Mbps,9Mbps,12Mbps basic-rates-b=1Mbps
      basic-rates-a/g=6Mbps max-station-count=2007 ack-timeout=dynamic
      tx-power=13 tx-power-mode=card-rates noise-floor-threshold=default
      periodic-calibration=default periodic-calibration-interval=60
      burst-time=disabled dfs-mode=none antenna-mode=ant-a wds-mode=disabled
      wds-default-bridge=none wds-default-cost=100 wds-cost-range=50-150
      wds-ignore-ssid=no update-stats-interval=disabled
      default-authentication=no default-forwarding=yes default-ap-tx-limit=0
      default-client-tx-limit=0 proprietary-extensions=post-2.9.25
      hide-ssid=no security-profile=default disconnect-timeout=15s
      on-fail-retry-time=100ms preamble-mode=both compression=no
      allow-sharedkey=no

/ ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
    udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
    tcp-syncookie=no
/ ip firewall filter
add chain=input protocol=tcp connection-state=established action=accept \
    comment="" disabled=no
add chain=input protocol=tcp connection-state=related action=accept comment="" \
    disabled=no
add chain=input protocol=udp action=accept comment="" disabled=no
add chain=input protocol=icmp action=accept comment="" disabled=no
add chain=input src-address=192.168.20.0/24 action=accept comment="" \
    disabled=no
add chain=input src-address=192.168.30.0/24 action=accept comment="" \
    disabled=no
add chain=input action=drop comment="" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes

Hi all,

Well, I am able to pass traffic and the link stays up. What I did was move the radios outside and set the nStreme for exact size of 768. Now I can do a BW test at 2Mbs and all is OK. CPU of rb112 at 100% at that rate so didn’t push it higher. I’ll be using rb433 for AP’s with a 1.5 Mbs dsl line so I think I’ll be OK with CPUs.


I still want to find out how to get winbox to work through the NAT. So if I’m on the ether of the cpe I can access the AP with the winbox loader. I tried to load it with IP but no go. When I drop down the discovery list in the winbox loader when on the ether port of the cpe I only see the cpe. If I’m on the ethernet port of the AP I only see the AP.

Any ideas?

Mark

6 feet apart and at 17db is way too high. That is why your link was so unstable. I would do it at 2 or 3 db. I am assuming you are running your bandwidth test directly to and from the routers and that is more than likely why your CPU is at 100%. Try running your test through the routers instead of to them. Have you tried NV2? It is working very well for us and I have been pleased with it.

I am guessing that it is a routing issue if you can’t access it via IP. If they are on different networks you will not be able to see them on the discovery list in WinBox but you should be able to get to it via the IP assuming you have the routing correct.
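The return-path check behind "assuming you have the routing correct", as an added example that is not part of the original posts: it runs a longest-prefix lookup over the AP1 and CPE1 route tables printed earlier in the thread. The PC address 192.168.30.10 and the extra static route in AP1_ROUTED are assumptions for illustration.

```python
import ipaddress

# Route tables as printed in the thread: (destination, gateway or None if connected, interface)
AP1_ROUTES = [
    ("0.0.0.0/0", "192.168.2.2", "ether1"),
    ("192.168.2.0/24", None, "ether1"),
    ("192.168.20.0/24", None, "wlan1"),
]
CPE1_ROUTES = [
    ("192.168.20.0/24", None, "wlan1"),
    ("192.168.30.0/24", None, "ether1"),
    ("0.0.0.0/0", "192.168.20.1", "wlan1"),
]
AP1_WLAN_IP, CPE1_WLAN_IP = "192.168.20.1", "192.168.20.3"
PC_IP = "192.168.30.10"  # constructed: a PC on CPE1 ether1
# Assumption: AP1 with one added static route back to the client LAN via CPE1
AP1_ROUTED = AP1_ROUTES + [("192.168.30.0/24", CPE1_WLAN_IP, "wlan1")]


def lookup(routes, dst):
    """Longest-prefix match; returns (gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, gw, iface)
    return None if best is None else (best[1], best[2])


def pc_reaches_ap(pc_ip, ap_routes, masquerade):
    """Do forward and return routes exist between the PC and AP1's wlan1 address?"""
    # Forward: CPE1 must send traffic for the AP out wlan1.
    fwd = lookup(CPE1_ROUTES, AP1_WLAN_IP)
    if fwd is None or fwd[1] != "wlan1":
        return False
    # The AP sees CPE1's wlan1 address if CPE1 masquerades, else the PC's own.
    seen_src = CPE1_WLAN_IP if masquerade else pc_ip
    # Return: the AP must reply over wlan1, directly or via CPE1 as gateway.
    back = lookup(ap_routes, seen_src)
    return back is not None and back[1] == "wlan1" and back[0] in (None, CPE1_WLAN_IP)


if __name__ == "__main__":
    print("as posted, CPE masquerade on :", pc_reaches_ap(PC_IP, AP1_ROUTES, True))
    print("as posted, CPE masquerade off:", pc_reaches_ap(PC_IP, AP1_ROUTES, False))
    print("static route on AP, no NAT   :", pc_reaches_ap(PC_IP, AP1_ROUTED, False))
```

This models routing tables only; firewall filter rules and wireless access lists on either box are outside what it checks.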

Chris,

I am using nstreme. These older rb1xx have rOS v2.9. I don’t recall what version is on the new hardware but I will be using some of these older boards so may have to stick with nstreme.

I’ll read some more on that routing. Would I be adding NAT rules or use Mangle rules? dst-nat?

Since I can establish connection from the cpe through the AP to the Internet I should, I think, be able to get winbox to establish a connection to the AP from the cpe. I’ll try that again…

After the weekend I’ll write some rules and post them for dissection! lol

Thank you,

Mark