I have a hAP-AC as my main home router.
I have a small portable 4u rack which has an RB951G acting as a switch, a standalone wireless access point and DHCP server. All ports are configured as LAN, there is no WAN config, no NAT, and no firewall. There is a small PC in the rack on a static IP, and I need wireless clients to be able to access the PC via its IP. The SSID on this unit is different from my home network.
When away from my home network, the DHCP server in the rack works fine.
When connected to my home network, the DHCP server in the rack conflicts with my home router. The rack DHCP server’s scope is in the same subnet as my home router but with non-overlapping ranges.
Is there a way of configuring the DHCP servers so that when connected to my home network, the home router is the priority?
I could make the WLAN on the rack router a different subnet, use NAT and apply the DHCP to that subnet. However there are instances when I want the rack PC to initiate traffic to the wireless clients, so I’d like everything on the same subnet if possible.
For context, the PC controls a digital audio mixer for a small band, and runs a webserver. The wireless clients are tablets/ipads which allow the virtual mixer faders to be controlled through the webserver.
Cheers.
Is there a way of configuring the DHCP servers so that when connected to my home network, the home router is the priority?
You could set up DHCP Relay (https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Relay). With some contortions you may overcome the not-at-home (where “main” DHCP server is) scenario:
- Set up a DHCP server on an empty bridge on the Rack 951.
- Set up a DHCP Relay, and add:
1- your home router DHCP as relayed server
2- previous, “local” DHCP Server as second relayed server.
However, keep in mind that
DHCP relay does not choose the particular DHCP server in the dhcp-server list, it just send the incoming request to all the listed servers.
i.e. maybe not the cleanest approach.
For context, the PC controls a digital audio mixer for a small band, and runs a webserver. The wireless clients are tablets/ipads which allow the virtual mixer faders to be controlled through the webserver.
As what you really need is the wireless segment, this would be my chosen path:
- Leave wlan1 on its own segment (do not bridge it with anything else)
- set up a DHCP server on wlan1 using a different subnet, say 192.168.2.0/24
- Set up a DHCP client on the interface connecting to the home router. (or assign it statically, along with the proper gateway to reach your home LAN)
- Make sure webserver is in this same range (192.168.2.x) either by assigning it statically, or making a static DHCP Lease for it so that it always gets the same IP.
I could make the WLAN on the rack router a different subnet, use NAT and apply the DHCP to that subnet. However there are instances when I want the rack PC to initiate traffic to the wireless clients, so I’d like everything on the same subnet if possible.
As you control the 951, and all reachable devices connected to it, there’s no need for NAT. Wireless devices will get 192.168.2.0/24 addresses and will get a default gateway through the 951 via 192.168.2.1, the webserver too.
While on a gig, the 951 will know how to route everything without the need for NAT.
While at home, the 951 will have a default route through your home router, so it will send anything not locally reachable to it. The only router doing NAT will be your home router for traffic exiting via its WAN.
Thanks for this, I haven’t quite got it working yet.
My home network is 192.168.27.0/24 - default gateway is 192.168.27.254. RB951 has an ip address of 192.168.27.248
My “music” network is 192.168.22.0/24 - default gateway is 192.168.22.254
on the RB951:-
The rack pc is connected to ether2, the uplink to home network is ether 4.
Ether3,4,5 have Ether1 set as master port
I set up a bridge (Bridge-LAN-Music) with ether 2, and wlan, and DHCP on the bridge. The PC has a static ip of 192.168.22.10
I added a zeros route on the 951 to 192.168.27.254
[admin@RB951G] /ip> export
# may/23/2017 16:53:47 by RouterOS 6.39.1
# software id = YLWZ-WLQA
#
/ip pool
add name=dhcp_pool1 ranges=192.168.22.100-192.168.22.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=bridge-LAN-Music \
name=dhcp1
/ip address
add address=192.168.27.248/24 interface=ether1 network=192.168.27.0
add address=192.168.22.254/24 interface=bridge-LAN-Music network=192.168.22.0
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=192.168.27.248 gateway=192.168.27.248
/ip route
add distance=1 gateway=192.168.27.254
/interface bridge
add name=bridge-LAN-Music
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC country="united kingdom" \
disabled=no frequency=auto frequency-mode=regulatory-domain mode=ap-bridge ssid=wifi352 \
wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=bandwifi wpa2-pre-shared-key=bandwifi
/interface bridge port
add bridge=bridge-LAN-Music interface=ether2
add bridge=bridge-LAN-Music interface=wlan1
/interface l2tp-server server
set caller-id-type=ip-address
The rack PC can’t ping 192.168.22.254. What have I missed?
Anyone able to take a quick look at the config?
From my home network I can ping 192.168.22.254, but the PC plugged into ether 2 on the 951 can’t ping 22.254.
Thanks
Your current config puts wlan1 and ether2 on the same L2 segment, and ether1,3,4,5 on another segment, which prevents L2 communication between them; you’ll need to resort to L3 requiring additional addressing and routing to enable wlan/ether2 ↔ ether1,3,4,5 communication.
You can make everything simpler by putting everything on the same L2 segment: remove ether2 from the bridge, and make ether2 slave of ether1. Then everything (wlan, and all ether ports) will be on the same L2 segment and able to communicate with current addressing.
Thanks again.
Can I check please
- Make sure webserver is in this same range (192.168.2.x) either by assigning it statically, or making a static DHCP Lease for it so that it always gets the same IP.
The PC has address of 192.168.22.10 on ether2, but I think you’re saying to make ether2 slave of ether1 which then connects it to my home network 192.168.27.x? Is that correct?
Cheers
You’re right, PC should be able to ping 192.168.22.254 as they’re on the same bridge. firewall?
You can make everything simpler by putting everything on the same L2 segment: remove ether2 from the bridge, and make ether2 slave of ether1. Then everything (wlan, and all ether ports) will be on the same L2 segment and able to communicate with current addressing.
Sorry- checking again - if I do this, does that not give me the same problem of 2 DHCP servers on the same network? Because wlan1 would have to also be a member of that bridge?
ok, back to basics. I now have no bridges, no firewalls.
Ether 1 is master, Ether 2-5 are slaves of Ether1
192.168.27.248 is set as an ip address on Ether1
192.168.22.254 is set as an ip address on wlan1
DHCP is enabled on wlan1
PC is plugged into ether2 and has static ip of 192.168.27.57
I have kept the zeros route on the 951 to 192.168.27.254
The pc can ping 192.168.27.254 and 192.168.22.254
A wlan client gets a correct DHCP address of 192.168.22.100
I think I need to allow traffic to route between the .22 and .27 networks - how do I do this?
[admin@RB951G] /ip> export
# may/24/2017 14:48:32 by RouterOS 6.39.1
# software id = YLWZ-WLQA
#
/ip pool
add name=dhcp_pool1 ranges=192.168.22.100-192.168.22.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=wlan1 name=dhcp1
/ip address
add address=192.168.27.248/24 interface=ether1 network=192.168.27.0
add address=192.168.22.254/24 interface=wlan1 network=192.168.22.0
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=192.168.27.248 gateway=192.168.27.248
/ip route
add distance=1 gateway=192.168.27.254
[admin@RB951G] /ip>
[admin@RB951G] /interface> export
# may/24/2017 14:49:06 by RouterOS 6.39.1
# software id = YLWZ-WLQA
#
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC country="united kingdom" disabled=no frequency=auto frequency-mode=regulatory-domain mode=ap-bridge ssid=wifi352 wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=bandwifi wpa2-pre-shared-key=bandwifi
/interface l2tp-server server
set caller-id-type=ip-address
[admin@RB951G] /interface>
The ether2 interface has to be removed from the switch grouping:
/interface ethernet set ether2 master-port=none
Then it needs to be added to the bridge for your 192.168.22.0/24 network. You also need the IP of 192.168.22.254/24 on the bridge, bridge-LAN-Music. The DHCP server has to run on the bridge, bridge-LAN-Music.
/interface bridge port add interface=ether2 bridge=bridge-LAN-Music
/ip address add interface=bridge-LAN-Music address=192.168.22.254/24
/ip dhcp-server set <name/number> interface=bridge-LAN-Music
The only confusing part I’ve found is your:
/ip dhcp-server network
add address=192.168.27.0/24 dns-server=192.168.27.248 gateway=192.168.27.248
Here you are saying add a network to the DHCP server for the network 192.168.27.0/24 with the DNS server and gateway set to 192.168.27.248. You don’t want this. Change it to:
/ip dhcp-server network set 0 address=192.168.22.0/24 dns-server=192.168.22.254 gateway=192.168.22.254
Last but not least … route the packets for 192.168.22.0/24 to RB951 from hAP AC
On the hAP AC add:
/ip route add dst-address=192.168.22.0/24 gateway=192.168.27.248
You’re almost there, as idlemind pointed out:
For routing to work, proper routes have to exist both ways: Your 951 will route anything that isn’t for him, or doesn’t know how to reach, through its default, 0.0.0.0 route, to the home router. This tells your home router that to reach 192.168.22.0, it should use 192.168.27.248 (951) as the gateway, thus closing the circle.
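The two-way routing requirement described above, as an added example that is not part of the original posts: a small Python longest-prefix-match model of both routers' tables, built from the addresses in this thread. The `WAN` next hop, the router labels `hap` and `rb951`, and the home host 192.168.27.50 are assumptions made for illustration.

```python
import ipaddress

# Route tables as (destination, next hop); None means directly connected.
# Addresses are taken from the thread; "WAN" is a placeholder for the ISP hop.
RB951 = [("192.168.27.0/24", None), ("192.168.22.0/24", None),
         ("0.0.0.0/0", "192.168.27.254")]
HAP_AC = [("192.168.27.0/24", None), ("0.0.0.0/0", "WAN")]
# Same table after adding dst-address=192.168.22.0/24 gateway=192.168.27.248
HAP_AC_FIXED = HAP_AC + [("192.168.22.0/24", "192.168.27.248")]
# Which router owns each next-hop address (labels are hypothetical).
OWNER = {"192.168.27.254": "hap", "192.168.27.248": "rb951"}


def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or 'direct'."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return "unreachable"
    return best[1] or "direct"


def trace(tables, start, dst, max_hops=4):
    """Follow next hops from router `start` until delivery or exit."""
    path, router = [], start
    for _ in range(max_hops):
        hop = lookup(tables[router], dst)
        path.append((router, hop))
        if hop == "direct" or hop not in OWNER:
            return path
        router = OWNER[hop]
    return path


def reply_path(hap_table, client="192.168.22.100"):
    """Path of a reply from a home-LAN host (gateway: hAP AC) to the client."""
    return trace({"hap": hap_table, "rb951": RB951}, "hap", client)


if __name__ == "__main__":
    both = {"hap": HAP_AC, "rb951": RB951}
    print("forward:", trace(both, "rb951", "192.168.27.50"))  # constructed host
    print("reply, no static route:", reply_path(HAP_AC))
    print("reply, static route added:", reply_path(HAP_AC_FIXED))
```

Without the static route the hAP AC matches only its default route for 192.168.22.100, so the reply leaves through the WAN instead of returning to the 951.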
I redid my configuration as per my original post, (I copied and pasted back from this thread,) and this time it all worked. I am not sure why it didn’t work before. I did have to fix the dhcp-server network, so thanks for spotting that, but that should not have affected the PC which was on a static ip.
I had already added in the route on the hAP-AC, but thanks for the reminder.
I also had to allow internet bound traffic out of the hAP-AC firewall (I restrict outbound internet to specific IP ranges)
Next question is how best to get short name resolution between both subnets. Can I route NetBIOS? I tried adding some static DNS entries into the 951 but that didn’t immediately work. I have not done any research yet, so if there are any links to read, I’d appreciate any pointers.
Thanks for all the help both
To me that’s a glaring hole in the RouterOS DHCP and DNS resolver implementations. The DNS resolver is meant to be super light but so many of us have used dnsmasq it leaves us greatly wanting.
What most of us do is use a script based on DHCP events that adds and removes static DNS entries to the router’s cache. Sadly if you have 2 separate networks on these 2 routers especially you’ll find the built-in services a little lacking. You may need to run an OpenWRT instance with dnsmasq if the hAP AC supports that. Alternatively a little Raspberry Pi may become your friend.