No internet access WHY?

RouterOS Beginner Basics
1

Hi,
I have a RB 751G
I like to have 2 separate networks with there own WiFi Virtual AP.
From both networks I can't access internet Why?
I connect my DSL modem with IP 192.168.2.254 to ETHER1

This is what I have configured.

Set system identity

system identity set name=mt01

Add bridges

interface bridge add name=BR-LAN disabled=no
interface bridge add name=BR-GAST disabled=no

Turn on WLAN

interface wireless enable wlan1

Hide SSID wlan1 (mikrotik)

interface wireless set wlan1 hide-ssid=yes

Set wireless mode

interface wireless set mode=ap-bridge wlan1 band=2ghz-b/g/n ht-txchains=0,1 ht-rxchains=0,1

Add a security profile

interface wireless security-profile add name=LAN authentication-type=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=")(&Access&()" mode=dynamic-keys
interface wireless security-profile add name=GAST authentication-type=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=#@!Gast!@# mode=dynamic-keys

Set wireless channel

interface wireless set wlan1 channel-width=20/40mhz-ht-above

Set wirless protocol

interface wireless set wlan1 wireless-protocol=any

Add virtual-ap

interface wireless add master-interface=wlan1 ssid=LAN security-profile=LAN name=VAP-LAN disabled=no
interface wireless add master-interface=wlan1 ssid=GAST security-profile=GAST name=VAP-GAST disabled=no

Add ports to Bridge

interface bridge port add interface=ether2 bridge=BR-LAN disabled=no
interface bridge port add interface=ether3 bridge=BR-LAN disabled=no
interface bridge port add interface=ether4 bridge=BR-LAN disabled=no
interface bridge port add interface=VAP-LAN bridge=BR-LAN disabled=no

interface bridge port add interface=ether5 bridge=BR-GAST disabled=no
interface bridge port add interface=VAP-GAST bridge=BR-GAST disabled=no

IP toewijzen aan Ether1

ip address add address=192.168.2.1/24 interface=ether1

IP toewijzen aan Ether2

ip address add address=192.9.201.1/24 interface=ether2

IP toewijzen aan Ether5

ip address add address=192.9.202.1/24 interface=ether5

Set Ether speed 1GB/s

interface ethernet set ether1 speed=1Gbps
interface ethernet set ether2 speed=1Gbps
interface ethernet set ether3 speed=1Gbps
interface ethernet set ether4 speed=1Gbps
interface ethernet set ether5 speed=1Gbps

Add DHCP-Address-Pool

ip pool add name=LAN range=192.9.201.2-192.9.201.254
ip pool add name=GAST range=192.9.202.2-192.9.202.254

Add DHCP-Server BR-LAN

ip dhcp-server add interface=BR-LAN name=DCHP-LAN address-pool=LAN lease-time=3d disabled=no
ip dhcp-server network add address=192.9.201.0/24 dns-server=194.151.228.18 gateway=192.9.201.1 netmask=255.255.255.0

Add DHCP-Server BR-GAST

ip dhcp-server add interface=BR-GAST name=DCHP-GAST address-pool=GAST lease-time=3d disabled=no
ip dhcp-server network add address=192.9.202.0/24 dns-server=194.151.228.18 gateway=192.9.202.1 netmask=255.255.255.0

2

Problem #1
You don’t have NAT MASQUERADING setup. It is required for the Internet connection to work.

Problem #2
Do NOT add IP addresses to interfaces inside a bridge. Add the IP addresses to the Bridge Itself.

These addresses should be on the bridge not the interfaces:

# IP toewijzen aan Ether2
ip address add address=192.9.201.1/24 interface=ether2

# IP toewijzen aan Ether5
ip address add address=192.9.202.1/24 interface=ether5
3

Oh ok thanks but how can I do this?

4

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

5

Ok when I add the Nat and try to ping (from winbox) to 8.8.8.8
It says: no route to host

6 



/ip route
add gateway=192.168.2.254
7

Hi,
Still no internet connection from BR-LAN or BR-GAST.
If I do a ping to 8.8.8.8 in winbox it is working but if I ping from a Client from BR-LAN or BR-GAST it is not reply's

I have now this configuration:

Set system identity

system identity set name=mt01

Add bridges

interface bridge add name=BR-LAN disabled=no
interface bridge add name=BR-GAST disabled=no

Turn on WLAN

interface wireless enable wlan1

Hide SSID wlan1 (mikrotik)

interface wireless set wlan1 hide-ssid=yes

Set wireless mode

interface wireless set mode=ap-bridge wlan1 band=2ghz-b/g/n ht-txchains=0,1 ht-rxchains=0,1

Add a security profile

interface wireless security-profile add name=LAN authentication-type=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=")(&Access&()" mode=dynamic-keys
interface wireless security-profile add name=GAST authentication-type=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=#@!Gast!@# mode=dynamic-keys

Set wireless channel

interface wireless set wlan1 channel-width=20/40mhz-ht-above

Set wirless protocol

interface wireless set wlan1 wireless-protocol=any

Add virtual-ap

interface wireless add master-interface=wlan1 ssid=LAN security-profile=LAN name=VAP-LAN disabled=no
interface wireless add master-interface=wlan1 ssid=GAST security-profile=GAST name=VAP-GAST disabled=no

Add ports to Bridge

interface bridge port add interface=ether2 bridge=BR-LAN disabled=no
interface bridge port add interface=ether3 bridge=BR-LAN disabled=no
interface bridge port add interface=ether4 bridge=BR-LAN disabled=no
interface bridge port add interface=VAP-LAN bridge=BR-LAN disabled=no

interface bridge port add interface=ether5 bridge=BR-GAST disabled=no
interface bridge port add interface=VAP-GAST bridge=BR-GAST disabled=no

IP toewijzen aan Ether1

ip address add address=192.168.2.1/24 interface=ether1

IP toewijzen aan Ether2

ip address add address=192.9.201.1/24 interface=BR-LAN

IP toewijzen aan Ether5

ip address add address=192.9.202.1/24 interface=BR-GAST

Set Ether speed 1GB/s

interface ethernet set ether1 speed=1Gbps
interface ethernet set ether2 speed=1Gbps
interface ethernet set ether3 speed=1Gbps
interface ethernet set ether4 speed=1Gbps
interface ethernet set ether5 speed=1Gbps

Add DHCP-Address-Pool

ip pool add name=LAN range=192.9.201.2-192.9.201.254
ip pool add name=GAST range=192.9.202.2-192.9.202.254

Add DHCP-Server BR-LAN

ip dhcp-server add interface=BR-LAN name=DCHP-LAN address-pool=LAN lease-time=3d disabled=no
ip dhcp-server network add address=192.9.201.0/24 dns-server=194.151.228.18 gateway=192.9.201.1 netmask=255.255.255.0

Add DHCP-Server BR-GAST

ip dhcp-server add interface=BR-GAST name=DCHP-GAST address-pool=GAST lease-time=3d disabled=no
ip dhcp-server network add address=192.9.202.0/24 dns-server=194.151.228.18 gateway=192.9.202.1 netmask=255.255.255.0

Enable firewall between bridges

ip firewall address-list add list=local-networks address=192.9.201.0/24 disabled=no
ip firewall address-list add list=local-networks address=192.9.202.0/24 disabled=no
ip firewall filter add chain=forward src-address-list=local-networks dst-address-list=local-networks action=drop

Add default Gateway

ip route add gateway=192.168.2.254

Add NAT

ip firewall nat add chain=srchat action=masquerade out-interface=ether1

8

Again, don’t put IP address on individual ethernet Ports if they are in a bridge. Put IP addresses on bridge itself.

Also, disable filter rules until everything works, then put the filter rules in place.

Sent from my DROID4 using Tapatalk 2

9

Hi,

Oh but in my last config the 2 IP addresses are set to BR-LAN en BR-GAST is that not ok?
I allso disabled the firewall rule but stil not working
Any more tips?

10

Hope someone can help me get it working.
What i need is 2 separate networks with 2 Virtual WiFi AP’s
The two networks must not be able to connect to each other.
ether1 must be the port to the DSL modem
ether2-4 + AP1 LAN
ether5 + AP2 must but GuestLan

11

You are right on that, i didn’t notice you fixed that.

Sent from my DROID4 using Tapatalk 2

12

Ok but still no solution for internet access.
Hope someone can help me

13

I can ping to 192.168.2.1 but not to 192.168.2.254
Is that the problem?
And why is it?

14

The problem is that you misspelled the chain in the NAT rule!!!!

Add NAT

ip firewall nat add chain=srchat action=masquerade out-interface=ether1 <<<WRONG, DELETE THIS RULE!

\

Add NAT

ip firewall nat add chain=srcnat action=masquerade out-interface=ether1 <<<CORRECT, ADD THIS RULE!

15

Hi,
Thanks for notice this mistake of me.
I changed it but still nog internet access.
I even can’t ping 192.168.2.254
Ping to 192.168.2.1 is working (from BR-LAN and BR-GAST)

16

You will NOT be able to ping 192.168.2.254 until everything is fixed. Once you can ping that, you are good.

Post your rules again now.

17

Set system identity

system identity set name=mt01

Add bridges

interface bridge add name=BR-LAN disabled=no
interface bridge add name=BR-GAST disabled=no

Turn on WLAN

interface wireless enable wlan1

Hide SSID wlan1 (mikrotik)

interface wireless set wlan1 hide-ssid=yes

Set wireless mode

interface wireless set mode=ap-bridge wlan1 band=2ghz-b/g/n ht-txchains=0,1 ht-rxchains=0,1

Add a security profile

interface wireless security-profile add name=LAN authentication-type=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=")(&Access&()" mode=dynamic-keys
interface wireless security-profile add name=GAST authentication-type=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=#@!Gast!@# mode=dynamic-keys

Set wireless channel

interface wireless set wlan1 channel-width=20/40mhz-ht-above

Set wirless protocol

interface wireless set wlan1 wireless-protocol=any

Add virtual-ap

interface wireless add master-interface=wlan1 ssid=LAN security-profile=LAN name=VAP-LAN disabled=no
interface wireless add master-interface=wlan1 ssid=GAST security-profile=GAST name=VAP-GAST disabled=no

Add ports to Bridge

interface bridge port add interface=ether2 bridge=BR-LAN disabled=no
interface bridge port add interface=ether3 bridge=BR-LAN disabled=no
interface bridge port add interface=ether4 bridge=BR-LAN disabled=no
interface bridge port add interface=VAP-LAN bridge=BR-LAN disabled=no

interface bridge port add interface=ether5 bridge=BR-GAST disabled=no
interface bridge port add interface=VAP-GAST bridge=BR-GAST disabled=no

IP toewijzen aan Ether1

ip address add address=192.168.2.1/24 interface=ether1

IP toewijzen aan BR-LAN

ip address add address=192.9.201.1/24 interface=BR-LAN

IP toewijzen aan BR-GAST

ip address add address=192.9.202.1/24 interface=BR-GAST

Set Ether speed 1GB/s

interface ethernet set ether1 speed=1Gbps
interface ethernet set ether2 speed=1Gbps
interface ethernet set ether3 speed=1Gbps
interface ethernet set ether4 speed=1Gbps
interface ethernet set ether5 speed=1Gbps

Add DHCP-Address-Pool

ip pool add name=LAN range=192.9.201.2-192.9.201.254
ip pool add name=GAST range=192.9.202.2-192.9.202.254

Add DHCP-Server BR-LAN

ip dhcp-server add interface=BR-LAN name=DCHP-LAN address-pool=LAN lease-time=3d disabled=no
ip dhcp-server network add address=192.9.201.0/24 dns-server=194.151.228.18 gateway=192.9.201.1 netmask=255.255.255.0

Add DHCP-Server BR-GAST

ip dhcp-server add interface=BR-GAST name=DCHP-GAST address-pool=GAST lease-time=3d disabled=no
ip dhcp-server network add address=192.9.202.0/24 dns-server=194.151.228.18 gateway=192.9.202.1 netmask=255.255.255.0

Enable firewall between bridges

ip firewall address-list add list=local-networks address=192.9.201.0/24 disabled=no
ip firewall address-list add list=local-networks address=192.9.202.0/24 disabled=no
ip firewall filter add chain=forward src-address-list=local-networks dst-address-list=local-networks action=drop

Add default Gateway

ip route add gateway=192.168.2.254

Add NAT

ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

18

show the result of ipconfig from the command line of your PC

also, remove the firewall filters until the internet connection works. you can put those in after it works.

19

Here the screenshot.
The Firewall rule is disabled and still no internet acess
ipconfig.jpg

20

Sorry, wrong screenshot. I will upload the food screenshtot