Hi everyone,
I have a connection problem between my Mikrotik router and a Vodafone router that I want to use as AP.
Basic info:
Mikrotik: CCR2004
Vodafone: H500-S
RouterOS: 7.4.1
This is what I did:
Because I’m using an SFP-RJ45 module, I disabled auto-negotiation and limited the rate to 1Gbps
I made a bridge between interfaces, including the interface I’m using to connect the AP
In the firewall, I activated NAT/masquerade
All devices in my network (directly connected to the MTK or through a switch) are working fine and have access to the internet.
The only device not working is this AP: I can’t ping between the two devices! The AP can’t get an IP from the DHCP of the MTK…
[Update]
When I connect the AP with the switch (Connected to the MTK), the AP can get IP address and DNS, and internet (ping 8.8.8..
But I noticed that when I’m connected with a PC to the AP’s wifi, I can’t reach the internet, and the problem of ping between the AP and the MTK is still not resolved.
I’m new to Mikrotik devices, and I believe I’m missing a basic thing.
Probably but how can I best investigate the issues… Crystal ball, tarot cards, speculating…
OR
post network diagram
and
/export config (minus public WANIP info)
Hi,
Thanks for replying.
I did the modification by removing WAN port from LAN bridge.
But this didn’t resolve the AP problem: the MTK is still not “seeing” the AP directly connected to the MTK.
When I plug the AP into a non-Mikrotik router I can ping between the two devices, and the AP gets internet in addition!
Once placed back under the MTK, it doesn’t work.
I suspect a firewall blocking rule in the MTK.
Any idea?
Thanks.
Hi,
Thanks for replying.
I added the rules you sent, but the AP is still not getting a connection from the MT.
What is strange is that when I take the AP and plug it into the Cisco switch, all works fine! Once plugged directly into the MT, it doesn’t work: no ping, no internet.
The config:
/interface bridge
add name=LAN1-INFO_Bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Management Port" name=Ether1
set [ find default-name=sfp-sfpplus1 ] comment="->Dell T430 DAC1" name=SFP+01
set [ find default-name=sfp-sfpplus2 ] comment="->Dell T430 DAC2" name=SFP+02
set [ find default-name=sfp-sfpplus3 ] comment="->INFO2 (Local C)" name=SFP+03
set [ find default-name=sfp-sfpplus4 ] comment="->INFO3 (LocalC)" name=SFP+04
set [ find default-name=sfp-sfpplus5 ] comment="->INFO1 (Local D)" name=SFP+05
set [ find default-name=sfp-sfpplus6 ] comment="->Dell R820 DAC1" name=SFP+06
set [ find default-name=sfp-sfpplus7 ] comment="->HP DL360e DAC1" name=SFP+08
set [ find default-name=sfp-sfpplus9 ] name=SFP+09
set [ find default-name=sfp-sfpplus10 ] name=SFP+10
set [ find default-name=sfp-sfpplus11 ] auto-negotiation=no comment="AP1_Local D" name=SFP+11
set [ find default-name=sfp-sfpplus12 ] auto-negotiation=no comment="IAM Modem 192.168.2.1" name=SFP+12
set [ find default-name=sfp28-1 ] name=SFP28-01
set [ find default-name=sfp28-2 ] name=SFP28-02
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.8.100-192.168.8.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN1-INFO_Bridge lease-time=11m name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=LAN1-INFO_Bridge interface=SFP+01
add bridge=LAN1-INFO_Bridge interface=SFP+02
add bridge=LAN1-INFO_Bridge interface=SFP+03
add bridge=LAN1-INFO_Bridge interface=SFP+04
add bridge=LAN1-INFO_Bridge interface=SFP+05
add bridge=LAN1-INFO_Bridge interface=SFP+06
add bridge=LAN1-INFO_Bridge interface=SFP+08
add bridge=LAN1-INFO_Bridge interface=SFP+09
add bridge=LAN1-INFO_Bridge interface=SFP+10
add bridge=LAN1-INFO_Bridge interface=SFP+11
/interface list member
add interface=LAN1-INFO_Bridge list=LAN
add interface=SFP+12 list=WAN
/ip address
add address=192.168.8.1/24 interface=LAN1-INFO_Bridge network=192.168.8.0
add address=192.168.2.2/24 interface=SFP+12 network=192.168.2.0
/ip dhcp-server network
add address=192.168.8.0/24 dns-server=192.168.8.5,8.8.8.8 gateway=192.168.8.1
/ip dns
set servers=192.168.8.5,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface=SFP+12
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Africa/Casablanca
/system gps
set set-system-time=yes
/system identity
set name=DSTM-MTK
/system ntp client
set mode=broadcast
/system ntp client servers
add address=id.pool.ntp.org
Hi Anav,
I added the MAC addresses of 2 APs, and things seem to be working for now.
I’m thankful for your patience and help.
PS: the two addresses I added are in “waiting” status, I don’t know if it matters …
Can I ask you briefly (because I should open another topic for this): as you saw in the diagram in my first post, my MT is behind an ISP modem. It has a public IP. Which way should I explore to get remote access to my LAN (for example my MT) from the WAN (forwarding ports, VPN, cloud…)? I’m looking for security first.
Hi,
For the update, I’m planning to do it this weekend because I can’t during production time…
For remote access, I want to access the MT from a PC for config through Winbox, maybe also accessing some PCs in my LAN …
Thank you.
Assuming you don’t have an MT router at home, a Windows client on the PC should work.
As well, if you have an iOS device, it will work with the WireGuard client.
I use my iPhone with the WireGuard client and then use the MikroTik app to config the router
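
The WireGuard approach suggested above, sketched against the firewall posted earlier in the thread. This is an added example, not configuration from any poster; the interface name wg-mgmt, the tunnel subnet 10.10.10.0/24, UDP port 13231 and the key placeholder are assumptions.

```routeros
# Added example (not from the thread). Assumed: wg-mgmt, 10.10.10.0/24,
# UDP 13231, and the <CLIENT_PUBLIC_KEY> placeholder.

# 1. WireGuard interface on the router; RouterOS generates its own key pair.
/interface wireguard
add name=wg-mgmt listen-port=13231 mtu=1420

# 2. Router-side address inside the tunnel.
/ip address
add address=10.10.10.1/24 interface=wg-mgmt

# 3. One peer per client device, each pinned to a single /32 so a client
#    cannot source traffic from any other tunnel address.
/interface wireguard peers
add interface=wg-mgmt public-key="<CLIENT_PUBLIC_KEY>" \
    allowed-address=10.10.10.2/32 comment="admin laptop"

# 4. Input chain: the only thing opened on the WAN side is the WireGuard
#    UDP port. Winbox (TCP 8291) is accepted from the tunnel only.
#    Both rules go above the posted "drop all else" rule.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="allow WireGuard" \
    place-before=[find where comment="drop all else"]
add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface=wg-mgmt comment="Winbox over WireGuard" \
    place-before=[find where comment="drop all else"]

# 5. Winbox answers only LAN and tunnel sources, even if a firewall rule
#    is later loosened by mistake.
/ip service
set winbox address=192.168.8.0/24,10.10.10.0/24

# Because the router sits behind the ISP modem (192.168.2.1), the modem
# also has to forward UDP 13231 to the router's WAN address 192.168.2.2.
```

Reaching PCs on 192.168.8.0/24 through the tunnel would additionally need a forward-chain accept from wg-mgmt to the LAN bridge, placed above the final forward drop rule in the posted config.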