one ip range for lan, other for wifi

Hi,

I would like to set one wifi SSID with an IP range that is not the same as my network range.

I set a new IP range in ip>dhcp server>networks.
I have a new wifi interface in wireless.

How to add the new IP range to this new wireless interface? How to route it to have internet?

thank you

Add a new IP Pool and assign that new pool to the new DHCP server. For example here are two of my networks. .101 has a physical interface on the router, whereas the .102 is on a VLAN out of the router.

/ip pool
add name=".101 DHCP pool" ranges=192.168.101.201-192.168.101.219
add name=".102 DHCP pool" ranges=192.168.102.201-192.168.102.219

/ip dhcp-server
add address-pool=".101 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E02-pB4_101 lease-time=3h name=".101 DHCP server"
add address-pool=".102 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_102 lease-time=3h name=".102 DHCP server"
    
/ip dhcp-server network
add address=192.168.101.0/24 comment=".101 network" dns-server=\
    192.168.101.11,192.168.101.251 gateway=192.168.101.251 netmask=24
add address=192.168.102.0/24 comment=".102 network" dns-server=\
    192.168.102.251,8.8.8.8,4.2.2.2 gateway=192.168.102.251 netmask=24

Thanks for your reply.

I’m still not familiar with writing code for MikroTik.
Is there any chance to add a pool inside WebFig?

Posting screen captures of WebFig or WinBox is a DREADFUL way of showing configurations. Learn how to at least basically read and enter commands. However, here it is in WinBox (very similar to WebFig).

thank you

I’m trying, but I’m still new.

The problem was that I didn’t add a pool.

Now I can connect to that wifi and I have the right IP, but the subnet mask is 192.0.0.0 and I don’t have internet.

I’m trying to set srcnat masquerade, but no luck.

[admin@MikroTik] /ip/firewall/nat> print            
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    chain=srcnat action=masquerade src-address=192.168.98.0/24 out-interface=ether1 log=no log-prefix=""

Subnet mask most likely should be 255.255.255.0 - or if you prefer /24. See Networks tab.

And one more thing I cannot figure out:

[admin@MikroTik] /ip/dhcp-server> print 
Flags: I - INVALID
Columns: NAME, INTERFACE, ADDRESS-POOL, LEASE-TIME
#   NAME      INTERFACE  ADDRESS-POOL  LEASE-TIME
0   defconf   bridge     dhcp          10m       
1 I IoT DHCP  iot        IoTpool       10m

This new DHCP server has the Invalid flag; I cannot find out why.

I’m aware of that. My networks are /24.
I don’t know why the wifi device got a 192.0.0.0 subnet.

Post your configuration. To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.

Thank you very much for detailed instruction on this.

# 2023-11-28 15:50:41 
/interface bridge
add admin-mac= xxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Serbia .mode=ap .ssid="mikrotik1" disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Serbia .mode=ap .ssid=mikrotik2 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
add comment="wifi for IoT" configuration.mode=ap .ssid=iot disabled=no \
    mac-address=xxxxxxxxxxxxx master-interface=wifi2 name=iot \
    security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add comment="IoT pool" name=IoTpool ranges=192.168.98.10-192.168.98.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=IoTpool interface=iot lease-time=10m name="IoT DHCP" \
    server-address=192.168.98.1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.98.0/24 interface=iot network=192.168.98.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.98.0/24 dns-server=192.168.98.1 gateway=192.168.98.1 \
    netmask=2
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.98.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.98.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Belgrade
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Any idea how to set this?

Too busy to look in detail. Maybe someone else can give some insight.

Your iot interface IP is wrong, should be .1 not .0
Also the network under dhcp-server for the iot interface has a wrong subnet mask config
You might also add the iot interface as a LAN inside interface list or review your firewall rules to allow traffic from iot interface

thank you

I fixed that.

How do you know that? How to fix that?



No luck with NAT to allow traffic from the iot interface.
How can I add the iot interface as LAN?



thank you!

In the config shown in post #10 above you have netmask=2 in dhcp-server network section for IoT … set it to 24.


Add iot interface to LAN interface list. (Interface → list → members)
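
The three faults diagnosed in this thread (the interface address set to the network address, netmask=2 on the DHCP network, and a DHCP-serving interface missing from every interface list) can be caught by a small lint over the `/export` text. This is an added example, not part of any post in the thread; `parse`, `lint` and the trimmed `EXPORT` sample are constructed here for illustration.

```python
import ipaddress
import re
import shlex

# Constructed sample: the relevant sections of the export posted in the thread.
EXPORT = r'''
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=IoTpool interface=iot lease-time=10m name="IoT DHCP" \
    server-address=192.168.98.1
/interface list member
add comment=defconf interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.98.0/24 interface=iot network=192.168.98.0
/ip dhcp-server network
add address=192.168.98.0/24 dns-server=192.168.98.1 gateway=192.168.98.1 \
    netmask=2
'''

def parse(export):
    """Map section path -> list of dicts per 'add' line, rejoining backslash-wrapped lines."""
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        if line.startswith("/"):
            current = sections.setdefault(line.strip(), [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return sections

def lint(export):
    cfg, findings = parse(export), []
    for a in cfg.get("/ip address", []):
        iface = ipaddress.ip_interface(a["address"])
        if iface.ip == iface.network.network_address and iface.network.prefixlen < 31:
            findings.append(f"{a['interface']}: {a['address']} is the network address, not a host address")
    for n in cfg.get("/ip dhcp-server network", []):
        prefix, mask = ipaddress.ip_network(n["address"]).prefixlen, int(n.get("netmask", 0))
        if mask not in (0, prefix):  # netmask=0 means "take it from address"
            sent = ipaddress.ip_network(f"0.0.0.0/{mask}").netmask
            findings.append(f"{n['address']}: netmask={mask} hands clients {sent}, expected /{prefix}")
    listed = {m["interface"] for m in cfg.get("/interface list member", [])}
    for s in cfg.get("/ip dhcp-server", []):
        if s["interface"] not in listed:  # rules matching !LAN will drop its traffic
            findings.append(f"{s['interface']}: has a DHCP server but is in no interface list")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(EXPORT)))
```

Adding `iot` to `LAN` clears the third finding, but under the defconf rules in the posted export it also lets IoT clients reach the router's input chain like any other LAN host, and no forward rule separates them from 192.168.88.0/24.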

Thank you! With the iot interface added to the LAN list, everything works exactly how I want.
netmask=2 was a typo :confused:

I have one more question.
Here is my network diagram.

I want somehow to assign these Ikea lights to network 192.168.89.x.
I don’t want to allow this Ikea lights hub to communicate with the 192.168.88.x network. Is that possible at all?

Thank you

If netis-thingie supports VLANs then no problem. But quick view tells me that it likely doesn’t.

Netis is a dumb one. No VLAN.
I was thinking of something like a static IP address.

No, not really. Things don’t work nicely if IP subnets don’t overlap with L2 segments. In your case you have 192.168.89.0/24 on VLAN and it’ll be major PITA to have one of these IP addresses on your main (tagless) network.

If you can somehow plug the IKEA device directly to one ether port of hAP ax3, then it can be done.