First of all I’m looking for pointers here.
I have 2 Mikrotik routers on standard setup as of yet. Each with their own 100MB/s line. They are at the same place and I would like to connect them so both networks would be able to see each other but Internet traffic should stay where it belongs.
I thought about using VPN but wouldn’t that be a waste with them being close to each other?
Could perhaps Wireless Bridging be the right choice?
Thanks in advance.
Sure a wireless bridge would work fine however a wired connection is always better. Then use static routes to connect the 2 LANs.
yeah wired would be better I know Just the way the rooms are laid out that’s a no-go. thanks.
First - make sure the two LAN networks are using different IP networks.
(e.g. 192.168.1.0/24 = mikrotik1 LAN, and 192.168.2.0/24 = mikrotik2 LAN)
Choose an interconnection interface - such as ether5 (why not use gigabit?)
Make sure ether5 is not running as slave port to any other port.
Choose an IP for the interconnect - 192.168.255.0/30
Assign 192.168.255.1/30 on ether5, mikrotik 1
Assign 192.168.255.2/30 on ether5, mikrotik 2
Ping test across the link to confirm the link is good.
Create static routes across the link:
mikrotik1: /ip route add dst=192.168.2.0/24 gateway=192.168.255.2
mikrotik2: /ip route add dst=192.168.1.0/24 gateway=192.168.255.1
Create firewall filters which deny Internet traffic across the link:
both mikrotiks:
/ip firewall filter
add chain=forward in-interface=ether5 out-interface=WAN action=drop
add chain=forward in-interface=ether5 action=accept
Finally, make sure that your NAT rules do not match lan-to-lan traffic, and you’re all set.
If they do match, make them more specific to the Internet connection
Or else you can create exception rules:
/ip firewall nat add chain=srcnat out-interface=ether5 action=accept
/ip firewall nat add chain=srcnat in-interface=ether5 action=accept
(make sure these rules come before any rule which is incorrectly matching lan-to-lan)
Nice instruction thank you for that. I just don’t see where wireless bridging is involved there. Or does the internal bridge handle that automatically?
HAhaha - I missed that detail. Somehow, I thought the wireless bridge was gabrielpike’s suggestion. That’s what I get for scanning to quickly.
I wouldn’t use wireless bridge - just your usual AP/Endpoint relationship is fine.
Basically, my solution works for wireless too - just use interface wlan1 in stead of ether5
The only thing left is to configure the wlan.
Pick one of them to be the AP, set up the SSID and wpa2 keys.
The other is in station mode, and you configure it to connect to the SSID you created on router1.
Basically, edit the default security profile and Authentication types - only WPA2 PSK is checked.
Unicast and group ciphers, only aes ccm is selected.
Enter a WPA2 Pre-shared key
Management Protection = disabled
No changes are needed in RADIUS/EAP/Static Keys tabs.
On the AP router, set the SSID and the defaults should pretty much work.
On the Staion router, set the mode to station. You can actually use the Scan tool to find your SSID, select it and hit connect.
Once the wlan interfaces are linked, then the IP routing in my previous example will work exactly the same way. Just replace all instances of ether5 with wlan1
So I’d have one SSID for both routers? Not exactly what I had in mind. I still want them to be separate. Is it possible by using Virtual APs?
No. The second router will not have an SSID at all in the above setup… It will search for the first router’s SSID on the air, and it won’t be accessible “directly” and wirelessly by any other devices. WiFi devices would need to connect to the first router, in order to reach devices connected by wire on the second router.
If you want both routers to be usable as APs, you’d need to set up a WSD bridge on the second router… mode=station-wds I think (I haven’t personally done WDS with MikroTik… yet). In that mode, you again have the second router search the first one on the air, but the router also has its own SSID that WiFi devices can access wirelessly.
Alright, makes sense. So any other ideas? Perhaps wireless bridging seems like the way to go again?
Or just plug in a couple of dedicate APs for end users.
When you put too many things in one place, strangeness ensues.
You know that old riddle about having a rowboat, a chicken, a fox, and a bag of chicken feed - how do you get all 3 across the river if the boat can only hold one item? Take the chicken across, row back, bring the fox across, bring the chicken back to the first side with you so the fox won’t eat it, drop off the chicken and get the chicken feed, take it across, row back empty, collect the chicken and then you’re across the river.
Don’t put yourself in a situation like this.
Instead:
Put a virtual SSID on the router1 and bridge that virtualAP to the LAN bridge there.
Install an inexpensive 951 model at side 2, and make the 951 be a simple AP/bridge, and connect it to router2 with a cable. Make sure it’s on a different channel than router1, and you’re done.
Easy and no rowing back and forth with chickens and foxes and bags of bird seed.
I missed out that detail the first time I saw this topic…
Because of that factor alone, yes, I totally agree with ZeroByte. The two routers should definitely be connected to each other with a cable, and simply emit two different SSIDs, ideally in different directions (for better coverage).
The aforementioned WDS bridging is useful if the two routers are too far from each other for a cable to be feasible, but by virtue of it being wireless, the bandwidth and reliability suffers with that approach.
Outline question: I’m sorry for this.
why should I bridge Wlan and one Ether together?
I didn’t know that reference. 
Makes sense. I don’t really want to buy more devices for this project. And even though i currently live in Latvia it takes surprisingly long to get one. I waited 3 weeks for one of my routers, if memory serves me right.
Edit:
Your right, as I mentioned before the only problem is that due to the layout of my apartment it’s rather difficult to route a cable here. A certain someone (female) will lynch me if I start routing cables across the ceiling.
Why not on the floor, literally “under the rug” then 
?
Little to no rugs available here. Otherwise I would need to tear the floor up. So nope not a good way 
Well, WDS then indeed… I mean, given the environment factor you call “female” 
… That’s not an easily fixable one. 
I think I might be mis-understanding the design.
For now, don’t worry about the link being wired or wireless…
topo1.png
I imagined topology 1 from your original question.
Is it really more like 2 - where you just want to extend the LAN to another part of the apartment with the second router acting as a second AP?
Or maybe a hybrid where you want LAN1 and LAN2 to have their own unique SSID, but be available via wifi from either router…
What I gathered was topology 1, but with the two APs somewhat overlapping in their range… So, a hybrid of the two - the settings of topology 1, and the WiFi coverage (more or less) of topology 2.
Right KennyDB?
FWIW - even in a hybrid solution, I would only bridge the “roaming” SSIDs - and I would still use a 2nd radio at whichever end has its 1st radio in station mode.
WDS repeater / WDS slave really makes me gag.
I’m going to wait for a reply from OP before going into any lengthy discourse on how it might be done.
So as I can see I might have only 2 choices here either LAN to LAN or wds setup. Do I see that right?
Well to state my needs here again:
I have 2 RB2011UiAS-2HnD
That sound more like what I was looking for. Would be nice to do it using Wifi only, but as it seems I will not get around using 2 more wireless devices ( perhaps "hAP lite which is rather inexpensive)
and use them in a station/client setup in which I have to configure my current routers to treat them as a LAN to LAN setup.
Right?