No internet access for clients on Virtual AP? (RB951G)

avggeek · May 20, 2014, 4:08am

I’m trying to setup a Virtual AP on my RB951G but while the clients are assigned DHCP addresses, they are not able to ping any Internet addresses. I’ve looked at several threads on the forum but I’m not able to spot what I am doing wrong.

Here is my “export compact” output (trimmed to remove some information):

# may/20/2014 11:42:05 by RouterOS 5.24
# software id = XFTG-QBRY
#
/interface bridge
add admin-mac=D4:CA:6D:6C:F7:39 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface wireless
set 0 band=2ghz-onlyn country=singapore disabled=no distance=indoors \
    frequency=2462 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge \
    ssid=Home_WifiN wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa2-pre-shared-key=\
    somepass
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=wlan2 wpa2-pre-shared-key=somepass1
/interface wireless
add area="" arp=enabled bridge-mode=enabled comment=\
    "Rate-limited network for residents" default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes disable-running-check=no disabled=no hide-ssid=no l2mtu=2290 \
    mac-address=D6:CA:6D:6C:F7:3D master-interface=wlan1 max-station-count=\
    2007 mtu=1500 multicast-helper=default name=wlan2 proprietary-extensions=\
    post-2.9.25 security-profile=wlan2 ssid=Home_ResWiFi \
    update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
    bridge-local wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
    wmm-support=disabled
/interface wireless manual-tx-power-table
set wlan2 comment="Rate-limited network for residents"
/interface wireless nstreme
set wlan2 comment="Rate-limited network for residents"
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=home-dhcp ranges=192.168.48.100-192.168.48.155
add name=wlan2-dhcp ranges=192.168.52.10-192.168.52.20
/ip dhcp-server
add address-pool=home-dhcp disabled=no interface=bridge-local name=default
add address-pool=wlan2-dhcp disabled=no interface=wlan2 lease-time=5m name=\
    wlan2-dhcp
/snmp community
set [ find default=yes ] addresses=0.0.0.0/32 read-access=no
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.48.1/24 comment="default configuration" interface=wlan1
add address=192.168.52.1/24 interface=wlan2
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.48.0/24 comment="default configuration" dns-server=\
    192.168.48.1 gateway=192.168.48.1 netmask=24
add address=192.168.52.0/24 dns-server=192.168.52.1 gateway=192.168.52.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.48.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="for Rate-limited network" \
    out-interface=bridge-local src-address=192.168.52.0/24
/ip neighbor discovery
set ether1-gateway disabled=yes
set wlan1 disabled=yes
set wlan2 disabled=yes
/ip service
set telnet address=192.168.48.0/24
set ftp address=192.168.48.0/24
set www address=192.168.48.0/24
set ssh address=192.168.48.0/24
set api address=192.168.48.0/24 disabled=no
set winbox address=192.168.48.0/24
/ip smb
set domain=HOME
/system clock
set time-zone-name=Asia/Singapore
/system identity
set name="MikroTik SG Router"
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=54.251.84.105
/tool mac-server
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local

Appreciate any help I can get on how to get this working!

cdiedrich · May 20, 2014, 6:02am

Why do you NAT your wlan2 guests to your local bridge?
I’d rather masquerade them directly out on ether1-gateway, the rule for which you already have in your first masquerade rule.
If you don’t want them to see your 192.168.48.0/24 network, add a drop rule in forward chain for src-address=192.168.52.0/24 and dst-address=192.168.48.0/24

avggeek · May 20, 2014, 6:36am

I will try that now but I’m assuming that by itself the additional rule will not cause lack of Internet access on the Virtual AP? Is there anything else in the config that might be a problem?

avggeek · May 20, 2014, 1:59pm

Thanks for the help - it’s working as expected now.