Placing Mikrotik as AP after ISP's modem-router and providing two networks

Hello,

First of all, I really can manage those great Mikrotiks, but at this point I've got really stuck, even if the solution might be very simple.
But for now I do not have any ideas any more (after spending hours to days trying), and maybe I am just going completely in the wrong direction, so please can you give me some help on the following :-p ?

FYI: I've already successfully set up one Mikrotik device in the past with a PPPoE WAN and two different networks (VLANs), one routed to public IPs and one NATed private network routed to a dynamic IP on WAN. That worked flawlessly in the end, but the main advantage there was that I had full access to the modem of my ISP, which I do not have this time.


I want to reach a setup similar to the one posted in the diagram below. I hope it's understandable for you, take a look here:




The main restriction on the actual network is that the ISP modem-router cannot be replaced and also cannot be configured except for port-forwardings or IP ranges, all other things are restricted.
So I also cannot turn off NATing, DHCP and so on on the modem-router, it needs to be left there as it is (which is not optimal, i know).

What I now want to do is to place my Mikrotik after that ISP modem-router as AP, because it has a much better signal quality. And it should provide the following two things:

  1. It should extend the existing network (192.168.101.0/24) to WLAN and to the eth2-eth4 interfaces of the Mikrotik (for connecting more workstations over LAN and wlan0)
  2. It should provide an additional new network for guest devices only, with its own DHCP range (192.168.88.0/24 or any other, wlan1)

Both networks should not be visible to each other. Devices in the private network (1) should only be visible to other devices in the same network (1).
In the guest network devices should not be visible to each other.

My approach was to create two separate bridges (sw), assign the needed interfaces to them, and then add a route to the ISP modem (0.0.0.0 → 192.168.101.254 and ether1).

But it seems like I am doing something basically wrong every time. What I am especially unsure about:

  1. How can I assign the fixed IP 192.168.101.30 to the Mikrotik (IP->Addresses or IP->DHCP Client)?
  2. Which NAT rules need to be defined, if any (as the ISP modem-router should already do NATing, I want to avoid double NAT)?
  3. Which static routes are needed for routing the sub-networks to the ISP modem-router, if any (do 192.168.101.0/24 and 192.168.88.0/24 need to be routed to 192.168.101.254 or not)?

Also the Quick Set feature did not give me an idea.

Please help ! Thank you very much !

RouterOS: v6 latest version
Mikrotik RB941-2nD-TC

Yes, it should be simple. First, you’ll probably have to forget about Quick Set. Then create one big bridge and add all interfaces as its ports, both ethernets and wireless. Configure wireless interface as AP. Add management IP address to bridge, doesn’t matter if using dhcp or static (only if static, choose one not in dhcp pool used by main router). This takes care of the main network. If you don’t use dhcp, also add default route (gateway 192.168.101.254).

For guest network, create virtual AP interface. To isolate individual guests from each other, set default-forwarding=no on it. Assign 192.168.88.x/24 to it (it will be gateway for guests). Then setup dhcp server (use the helpful “DHCP Setup” button and it will take you through it step by step). To protect main LAN, use firewall and block access from guest interface to 192.168.101.0/24. Then either add masquerade rule for guests on bridge (it would create double NAT for guests, but they could probably live with it), or add static route to 192.168.88.0/24 via 192.168.101.30 to main router.

This might work, but probability is not really high. Main router knows nothing about 192.168.88.0/24 thus knows nothing about RB being gateway towards that subnet. In addition to that NAT config on main router might not be ready for “alien” subnet on the LAN side.
It is worth trying though as it would quite simplify the whole setup if it worked.

Another remark (but I might just be ignorant): if FW rules block connections between 192.168.88.0/24 and 192.168.101.0/24, even NATted connections might not reach main router (en route towards internet). I guess that depends on order in which RB executes individual chains … is forward chain executed before src-nat chain? If not, then some explicit allow for connections toward main router should be placed before general drop.

What I meant is to add static route on main router (if it supports it). Target 192.168.88.0/24 (guest network), gateway 192.168.101.30 (RB). It’s the part where main router learns about guest network.

And blocking like this:

/ip firewall filter
add chain=forward in-interface=<guest-wlan> dst-address=192.168.101.0/24 action=drop

So if anyone from guest network tries to access main one, it will be blocked. It won’t affect connections to internet, because target won’t be in 192.168.101.0/24. Even if the gateway is 192.168.101.254, clients from guest network won’t be connecting to this specific address.

Hello,

thank you very much for your answers. I have just some questions to make sure I've done things right :wink:


Do I have to add eth1 (where the main router / WAN is connected to) also to that bridge or not?
With management IP (for static) you mean I have to add “192.168.101.30/24 (network 192.168.101.0) on eth1” to IP->Addresses and not enable the DHCP client in IP->DHCP Client, right, so that the Mikrotik takes it?
And the static route would be “0.0.0.0/0 → 192.168.101.254 eth1” or “0.0.0.0/0 → 192.168.101.30 eth1” in IP->Routes?

But what about redirecting the DHCP of the main router to the private network on the Mikrotik now (wlan0 + eth2-4) if it is all one whole bridge?


For guest network, create virtual AP interface. To isolate individual guests from each other, set default-forwarding=no on. Assign 192.168.88.x/24 to it (it will be gateway for guests). Then setup dhcp server (use the helpful “DHCP Setup” button and it will take you through it step by step). To protect main LAN, use firewall and block access from guest interface to 192.168.101.0/24. Then either add masquerade rule for guests on bridge (it would create double NAT for guests, but they could probably live with it), or add static route to 192.168.88.0/24 via 192.168.101.30 to main router.

Ok. Which is the right mode for the WLAN interfaces, station (ap) or bridge (ap)? I cannot really identify what the differences between those two are.


EDIT:

Btw, IF that one with the route really should work, do I need any rule in Firewall->NAT ?

Thank you !

You don’t have to. But if you don’t do it, ether1 interface will be completely useless …
For all of the setup your RB won’t act as router but mostly as (managed) switch. Only for guest-wifi it will act as router. Default setup, where ether1 port is not bridge member, is meant for “main router” where ether1 would face WAN and only routed and firewalled connections can pass between this port and all the rest.

With management IP (for static) you mean I have to add “192.168.101.30/24 (network 192.168.101.0) on eth1” to IP->Adresses and not to enable the dhcp client in IP->DHCP Client right so that the Mikrotik takes it ?

No, not to ether1 (especially if you don’t add it to the bridge), but to bridge. IMHO having managed LAN equipment with DHCP client configured addresses calls for trouble (in case of Mikrotik, use of Winbox helps, however not every vendor has such utility).

And the static route would be “0.0.0.0/0 → 192.168.101.254 eth1” or “0.0.0.0/0 → 192.168.101.30 eth1” in IP->Routes ?

The former … by default, all packets should go towards main router … unless there’s better delivery path (either directly connected devices or some other explicit route).

But what about redirecting the DHCP of the main router to the private network on the Mikrotik now (wlan0 + eth2-4) if it is all a whole bridge ?

RB’s bridge is kind of ethernet switch and any DHCP requests will be broadcast to all other member interfaces, including the one towards main router. DHCP reply is ethernet unicast frame and will be sent through appropriate bridge member interface.
In short: if you configure RB in way @Sob suggested, eth1-eth4 and “primary” wlan won’t be private to main router, they will be same network.


Ok. Which is the right mode for the WLAN interfaces, station (ap) or bridge (ap), I can not really identify what are the differences between those both ?

ap-bridge works for me.

Btw, IF that one with the route really should work, do I need any rule in Firewall->NAT ?

If you don’t want guest wifi clients to connect to your LAN hosts, then yes.

OP mentioned in the network chart that he wants that guest wifi clients use main router as DNS server. If that indeed must be so, then some connectivity needs to be allowed. However, it would be easier and safer to configure guest wifi DHCP server to instruct clients to use some public DHCP server, such as Google (at 8.8.8.8 or 8.8.4.4).

Ok, will try it and then post my config here for further “approval”. Thank you !

Btw, IF that one with the route really should work, do I need any rule in Firewall->NAT ?
If you don’t want guest wifi clients to connect to your LAN hosts, then yes.

I want them to access the WAN side (internet) and nothing else. Which rule would be needed ?

Thank you!

What I wrote before will work. Or if you really want them to use main router as their DNS resolver (I missed that), you can use e.g.:

/ip firewall filter
add action=jump chain=forward dst-address=192.168.101.0/24 in-interface=<guest-wlan> jump-target=guest2lan
add action=accept chain=guest2lan dst-port=53 protocol=udp
add action=accept chain=guest2lan dst-port=53 protocol=tcp
add action=reject chain=guest2lan reject-with=icmp-admin-prohibited

I’d probably give them 192.168.88.1 as resolver (requires setting resolver, which can be 192.168.1.254 and enabling remote requests in “/ip dns”), but it’s up to you, there’s no major difference.

– DELETED, NEVERMIND :slight_smile:

FINALLY, got it I think. I had to create two bridges. I think my main problems were the routing (I did not realize I need to route to the correct bridge first, where the main router is connected to) and the NATing thing (wanted to avoid double NAT initially).

Please notice that in this case my main network is 192.168.1.0/24 instead of 192.168.101.0/24 as I am in a different place, but the situation/topology is exactly the same (main router on 192.168.1.1 does DHCP, NAT, DNS etc.)!

Here is my config. If you see anything which has not been done well in this config, please give me advice on how to make it better (I know it's maybe not yet perfect and some more firewall rules would be OK):

# mar/19/2018 19:56:26 by RouterOS 6.41.3
# software id = AFPA-UFZF
#
# model = RouterBOARD 941-2nD
# serial number = 8ACF08BB06A9
/interface bridge
add fast-forward=no name=bridge-guest
add fast-forward=no name=bridge-private
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=private \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=\
    FlynetLokn
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
    allowed name=guest supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    disabled=no frequency=auto mode=ap-bridge name=wlan-private \
    security-profile=private ssid=lokn wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    CE:2D:E0:35:E4:F9 master-interface=wlan-private multicast-buffering=\
    disabled name=wlan-guest security-profile=guest ssid=lokn.gast \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=pool-guest ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
add address-pool=pool-guest disabled=no interface=bridge-guest name=dhcp1
/interface bridge port
add bridge=bridge-private interface=ether1
add bridge=bridge-private interface=ether2
add bridge=bridge-private interface=ether3
add bridge=bridge-private interface=ether4
add bridge=bridge-private interface=wlan-private
add bridge=bridge-guest interface=wlan-guest
/ip address
add address=192.168.1.30/24 interface=bridge-private network=192.168.1.0
add address=192.168.88.254/24 interface=bridge-guest network=192.168.88.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.30
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.254
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.0/24 in-interface=\
    bridge-guest
add action=drop chain=forward dst-port=8291 in-interface=bridge-guest protocol=\
    udp
add action=drop chain=forward dst-port=8291 in-interface=bridge-guest protocol=\
    tcp
add action=drop chain=forward dst-address=192.168.88.254 dst-port=80 \
    in-interface=bridge-guest protocol=tcp
add action=drop chain=forward dst-address=192.168.88.254 dst-port=80 \
    in-interface=bridge-guest protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.88.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Vienna

Thank you !

  1. You don’t need bridge for guests. You can apply required config directly to wlan-guest interface. But if you like that bridge for some reason, you can keep it, it will work too.

  2. If you want to protect router from guests, it’s done in input chain. In your case, you can probably block everything, e.g.:

/ip firewall filter
add action=drop chain=input in-interface=bridge-guest

At least I think that DHCP worked with raw sockets and didn’t care about IP firewall. In case I’m wrong, you’ll notice very quickly.
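The config posted above and the remark about the input chain can be checked mechanically. The following script is an added example, not code from the thread or from MikroTik: it parses the RouterOS `/export` format (section headers, `add`/`set` lines, backslash line continuations, quoted values) and looks for the rules the thread recommends, namely a forward-chain drop from the guest interface to the main LAN, an input-chain drop so guests cannot reach the router itself, a masquerade for the guest subnet, and disabled plaintext management services. The sample export is a constructed excerpt of the posted config (security profiles and PSK left out); interface names and subnets are the ones from that post. Note that the posted `dst-port=8291` rules sit in the forward chain, so they never see Winbox traffic addressed to the router's own address; that is exactly what the input-chain rule from the last reply covers, and the linter reports it as the one missing piece.

```python
"""Lint a RouterOS '/export' for the guest-network isolation discussed above.

Added example, not code from the forum post or from MikroTik.
"""
import shlex

# Constructed excerpt of the config posted in the thread (PSK omitted).
SAMPLE_EXPORT = r"""
# mar/19/2018 19:56:26 by RouterOS 6.41.3
/ip address
add address=192.168.1.30/24 interface=bridge-private network=192.168.1.0
add address=192.168.88.254/24 interface=bridge-guest network=192.168.88.0
/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.0/24 in-interface=\
    bridge-guest
add action=drop chain=forward dst-port=8291 in-interface=bridge-guest protocol=\
    tcp
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.88.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
"""

# Same export plus the input-chain drop suggested in the last reply.
HARDENED_EXPORT = SAMPLE_EXPORT + """
/ip firewall filter
add action=drop chain=input in-interface=bridge-guest
"""


def parse_export(text):
    """Return {section: [rule, ...]}. A rule is a dict of key=value pairs plus
    '_verb' (add/set) and '_args' (tokens without '=', e.g. 'telnet')."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        # A trailing backslash continues the command on the next line.
        line = (pending + raw.lstrip() if pending else raw).strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        tokens = shlex.split(line)  # handles quoted values like eap-methods=""
        rule = {"_verb": tokens[0], "_args": []}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                rule[key] = value
            else:
                rule["_args"].append(tok)
        sections.setdefault(section, []).append(rule)
    return sections


def matches(rule, **want):
    return all(rule.get(k) == v for k, v in want.items())


def lint_guest_isolation(text, guest_if="bridge-guest",
                         lan_net="192.168.1.0/24", guest_net="192.168.88.0/24"):
    """Return a list of findings; an empty list means nothing is missing."""
    cfg = parse_export(text)
    filt = cfg.get("/ip firewall filter", [])
    nat = cfg.get("/ip firewall nat", [])
    findings = []

    # 1. Guests must not reach the main LAN (forward chain).
    guest_to_lan = {"chain": "forward", "in-interface": guest_if, "dst-address": lan_net}
    drop_at = [i for i, r in enumerate(filt) if matches(r, action="drop", **guest_to_lan)]
    if not drop_at:
        findings.append("no forward drop from %s to %s" % (guest_if, lan_net))
    else:
        # An accept/jump (e.g. a DNS exception) placed after the drop never fires.
        for i in range(drop_at[0] + 1, len(filt)):
            if matches(filt[i], **guest_to_lan) and filt[i].get("action") in ("accept", "jump"):
                findings.append("rule %d is shadowed by drop rule %d" % (i, drop_at[0]))

    # 2. Guests must not reach the router itself: that is the input chain,
    #    the forward chain never sees traffic addressed to the router.
    if not any(matches(r, chain="input", action="drop", **{"in-interface": guest_if}) for r in filt):
        findings.append("no input drop from %s (router itself reachable from guests)" % guest_if)

    # 3. The main router knows nothing about the guest subnet, so guest
    #    traffic must be masqueraded behind the RB's LAN address.
    if not any(matches(r, chain="srcnat", action="masquerade", **{"src-address": guest_net}) for r in nat):
        findings.append("no masquerade for %s" % guest_net)

    # 4. Plaintext management services should stay disabled.
    services = {r["_args"][0]: r for r in cfg.get("/ip service", []) if r["_args"]}
    for svc in ("telnet", "ftp"):
        if services.get(svc, {}).get("disabled") != "yes":
            findings.append("plaintext service %s not disabled" % svc)
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name, lint_guest_isolation(text) or ["ok"])
```

Run it against a real `/export` saved to a file by reading the file into `lint_guest_isolation`; the `guest_if`, `lan_net` and `guest_net` parameters are the only values tied to this thread's addressing, so the 192.168.101.0/24 setup from the first post is checked by passing that subnet instead.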