RB433AH + RH-52H used as Point-to-Point Link (Office-Home)

Dear ALL,

After trying for a few weeks I have no other option but to post my problem here hoping for some HELP! (let me also mention that I am a newcomer concerning MikroTik HWD)


The PROBLEM:
Connecting my office and my home via a 5Ghz wireless link in order to “transfer” my office internet access at home. The wireless link is operating properly (line-of-sight, about -50dBm signal level) but the two sides (i.e. networks) don’t “talk” to each other.


The SETUP:

I am dealing with 3 class-c networks:

Office: 192.168.1.x (DHCP enabled)
Wireless: 192.168.124.x (initially I wanted to be static but then I have tried with DHCP trying to “propagate” office’s DHCP…)
Home: 192.168.123.x (this is to be connected to a Linksys WRT-54 wireless router)

My target is my home router (WRT-54) to be able to get internet from my office as if I was physically connected at office (i.e. ether1 of my MB-433AH at home is planned to be connected at “internet” interface of my WRT-54)


The REFERENCES:

YES I have done quite some reading, both considering the reference manual (RouterOS v3.0) and also the following (others too but mainly this seemed more relevant): http://wiki.mikrotik.com/index.php?title=How_to_set_wireless_client_and_Ethernet&oldid=8662
Following the reading and trying I have performed the following:


Office:

192.168.1.x (having a DHCP Server)
MB-433AH (v3.10) + RH-52H configured as:

ip address remove 0
ip address add address=192.168.124.201/24 interface=ether1 [is there a problem having both an assigned static IP to an interface and also enabling DHCP for the same interface??? (in order when no DHCP is available to use the assigned static IP. From what I have seen it works)]
ip address add address=192.168.124.202/24 interface=wlan1 [Do I need to put both ether1 and wlan1 on the same class-c network??? After all I am going to bridge them afterwards]
ip dhcp-client add interface=ether1 disable=no [in order to get an IP from my office’s DHCP server]
ip pool add name=dhcp-pool ranges=192.168.124.101-192.168.124.105
ip dhcp-server network add address=192.168.124.0/24 gateway=192.168.124.201 [I have tried this in an attempt to “propagate” office’s DHCP towards the wireless side and finally my home…I have assigned the gateway with the static IP of ether1 but since ether1 will get IP via DHCP this will be invalid…]
ip dhcp-server add interface=wlan1 address-pool=dhcp-pool
interface wireless security-profiles add name="net" mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="net"
interface wireless set wlan1 ssid="net" frequency=5180 band=5ghz mode=ap-bridge disabled=no security-profile=net
interface bridge add name=bridge1
interface bridge port add interface=ether1 bridge=bridge1
interface bridge port add interface=wlan1 bridge=bridge1


Home:

192.168.123.x (planning to put WRT-54 operating as DHCP Server)
MB-433AH(v3.10) + RH-52H configured similarly to the aforementioned with wlan1 being in DHCP-client mode and ether1 in DHCP-server mode (attempting to “propagate” the DHCP info and thus internet connectivity…). Of course the wireless-mode here is “station” and the wireless link is up and running (-50dBm!).


I would appreciate your help, based on your knowledge and experience.
THANK you in advance.

//George

After more than 3 weeks no feedback…

ANYBODY please?!

//Euphoric

Hi,

from what I can understand, your routing setup is all wrong… actually, it’s a mix of a bridged and routed setup. Normally you would have either one type or the other -bridged OR routed- but you managed to do both on the same link… well done, but it will never work! :)

So let me go through your description bit by bit… have patience and keep an open mind, and you will be successful :)

Ok, so your wireless configuration seems good, that eliminates a big part of the problem, as that is usually the hardest part to troubleshoot.

And here is where you start getting it all wrong!

Why do you have 3 networks? I thought you just wanted to bring your office LAN to your home LAN. A simple, transparent bridge should do the job just fine. Use the DHCP server at the office even for your home PCs. In other words, both your office and home LAN will be on the 192.168.1.xxx network.

Again, wrong. On a home router like the WRT-54, the scope of a WAN or Internet port is for NAT (to translate several computers internal IPs into the single public IP assigned to you by an ISP). Now in your case you already have a router doing NAT at the office (the default gateway of the 192.168.1.xxx network), so as long as you are using your office’s internet connection, doing NAT again at home is pointless. It will only cause problems with stuff like Skype, MSN, FTP, VoIP.

You don’t need any of the features of the WRT-54, so at home you could hook up your Mikrotik router directly into your home PC, and it will work just fine. It will work just as though the home PC was on your office LAN.

If you want to use the WRT-54 as a switch and wifi access point, don’t plug anything into the WAN port. Instead, plug the Mikrotik router into one of the LAN ports on the WRT-54, and make sure you disable the WRT-54’s DHCP server.

It’s good that you have been reading up, but you have been looking at the wrong examples for your needs.

Try this instead:
http://wiki.mikrotik.com/wiki/Transparently_Bridge_two_Networks

Hello Andrea,

First of all, thanks for the feedback.

Trying to follow the “Transparently Bridge two Networks” guide of the link you have provided I came across a peculiarity: in item 4 of the instructions is mentioned adding an IP address to AP and another IP to the client (both on wds-bridge interface). Both IPs are in the range of 10.1.0.xxx and do NOT correspond to the network diagram in the beginning of the guide! What is the case? Should I include the wlan1 of both AP and client to the wds-bridge or what…??? (the suffixes of the IPs seem to correspond with the IPs of the ether1 interfaces of AP and client!)

Thank you in advance for your time and interest.

//George

[Andrea: visiting your page I came across a broken link: http://www.air.com.mt/currentprojects.asp you might need to check it]

//George

Hi George,

yes you’re correct, the description on that wiki page is a bit incorrect. The IP addresses are wrong.

However, strictly speaking you do not need any IP addresses on the MikroTiks. You are setting up a transparent bridge, packets will just be passed across the link. Whatever data there is on one side of the link appears on the other side (it’s actually a bit more complex, but the effect is just that).

You should really think of it as a long, transparent wire… and wires do not need IP addresses to work :)


The only use of IP addresses in this case is for management, such as for connecting to the router via Telnet or Winbox. If you want to, you can assign an IP from your 192.168.1.xxx network to the bridge-wds interface on each router (1 IP each router). But as I said, with or without the IP addresses configured on the router, the link will work just fine.


PS: thanks for the bad link on our site, I will check it out.

Hi Andrea,

First of all my apologies for my erratic posting. Unfortunately I have TOO many work obligations and almost everything seems up and running currently (except the MikroTik routers unfortunately!).

I have followed your instructions and I have configured the following

Access-Point Parameters
system reset-configuration
system identity set name=AP
ip address remove 0
interface bridge add name=wds-bridge
interface bridge port add interface=ether1 bridge=wds-bridge
interface wireless security-profiles add name="123" mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="123"
interface wireless set wlan1 ssid="123" frequency=5180 band=5ghz mode=bridge disabled=no security-profile=123 hide-ssid=yes
interface wireless set wlan1 wds-mode=dynamic wds-default-bridge=wds-bridge
ip address add address=192.168.234.234/24 interface=wds-bridge
ip address add address=192.168.1.234/24 interface=ether1
ip dhcp-client

Station Parameters
system reset-configuration
system identity set name=Station
ip address remove 0
interface bridge add name=wds-bridge
interface bridge port add interface=ether1 bridge=wds-bridge
interface bridge port add interface=wlan1 bridge=wds-bridge
interface wireless security-profiles add name="123" mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="123"
interface wireless set wlan1 ssid="123" frequency=5180 band=5ghz mode=station-wds disabled=no security-profile=123
ip address add address=192.168.234.235/24 interface=wds-bridge
ip address add address=192.168.1.235/24 interface=ether1


RF Link is ok (about -50dBm as usually) but from my side (Station) I can not ping my file server on the other side (192.168.1.2). It seems that I have to define DHCP-Client on ether1 of the AP to do so. Even doing so provides me access to the LAN behind AP but this is erratic (e.g. Web pages are half-opened, my file server sometimes replies to pings sometimes not, etc) since it seems that AP is being rebooted by a watchdog timer.

Any IDEA of what I might be – again – missing???

Thanks.

//George

P.S. 1 according to your guidelines defining IP addresses in ether1 interfaces, on both AP and Station, is NOT needed. I did this to be able to “see” them.
P.S. 2 on step 4, checking the WDS link, the parameter of “disable-running-check=yes” is not present when I do the check on console

You don’t need to define DHCP-Client for this to work. AFAIK, what you have done is enough to make the bridge work. You’re saying your AP is being rebooted by watchdog, but from your commands list you didn’t configure watchdog. Double check that there is no IP configured in the watch-address box on System → Watchdog.

Your IP settings are closer than before, but still slightly incorrect. You have an IP configured on your ether1 interface, this should be configured on your wds-bridge interface instead, as Ether1 is now a ‘slave’ to the bridge. The other IP addresses -192.168.234.xxx/24- are unnecessary and can be removed.

Your configuration seems correct. Besides checking the Watchdog settings, check hardware, cables etc.

Hi Andrea,

First of all my apologies for the really BIG delay to get back to you… really too much work in my side… (despite the so called economic crisis!!!).

THANKS a lot for your support and the info provided. Everything seems to be smooth. No need for IP addresses, as you said (only one assigned on wds-bridge, on both RB-433s, for management purposes). Also, no need for any DHCP configurations (again as you said!). WDS is up and running (RF-Link: -37dBm!!!) and my business LAN bandwidth is now at home!

The next step is to make the separation of the networks since I would prefer the Business-LAN users (i.e. the colleagues at my work) not to be able to access my Home-LAN!!! I would appreciate your suggestion about what is the best way to do it (an easy one I hope!).

Thanks for all.

//Euphoric

Great!

> The next step is to make the separation of the networks since I would prefer the Business-LAN users (i.e. the colleagues at my work) not to be able to access my Home-LAN!!! I would appreciate your suggestion about what is the best way to do it (an easy one I hope!).

Oh no! So you wanted a ROUTED link, not a BRIDGED link! That’s a completely different setup.

Anyway, now that you have the bridged link up and running, you could try doing the following:

On your home router, remove the Ether1 port from the bridge1 interface port, so you end up with just the WDS link in your bridge.

Then, if you have a DHCP server at your office, add a DHCP-Client on the bridge interface (IP → DHCP-Client). If you don’t have one, manually set an IP address from your office on the Bridge1 interface and set a default route in IP → Routes.

Then, set an IP address on a different subnet on Ether1 (IP → Addresses), and set up a DHCP-Server also on Ether1 (IP → DHCP-Server). Finally, go to IP → Firewall → NAT and add a masquerade rule for all traffic going out of the bridge1 interface, like this:

Chain: src-nat
Out Interface: Bridge1
Action → Action: Masquerade

Never tried it this way, but it should work…
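
The routed variant described in the post above, written out as RouterOS console commands, with forward-chain rules added for the stated goal of keeping office users out of the home LAN (masquerade alone does not block forwarding from the office side into the home subnet). This is an added example, not part of the original thread and not something its participants tested; the bridge name wds-bridge is taken from the Station configuration earlier on the page, and the router address 192.168.123.1, the pool range and the names home-pool and home-dhcp are assumptions.

```routeros
# Added example for the home (Station) router. Values marked "assumed"
# do not come from the thread.

# 1. Take ether1 out of the bridge so only the WDS link stays bridged.
/interface bridge port remove [find interface=ether1]

# 2. Office side: get an address and default route from the office DHCP server.
/ip dhcp-client add interface=wds-bridge disabled=no

# 3. Home side: a separate subnet on ether1. 192.168.123.0/24 is the home
#    network named in the first post; .1 and the pool range are assumed.
/ip address add address=192.168.123.1/24 interface=ether1
/ip pool add name=home-pool ranges=192.168.123.100-192.168.123.150
/ip dhcp-server network add address=192.168.123.0/24 gateway=192.168.123.1 dns-server=192.168.123.1
/ip dhcp-server add name=home-dhcp interface=ether1 address-pool=home-pool disabled=no

# Home clients resolve names through this router (assumed design choice).
/ip dns set allow-remote-requests=yes

# 4. Hide the home subnet behind the router's office-side address.
/ip firewall nat add chain=srcnat out-interface=wds-bridge action=masquerade

# 5. Separation: replies to home-initiated connections may come back in,
#    anything the office side initiates towards the home subnet is dropped.
/ip firewall filter add chain=forward in-interface=wds-bridge connection-state=established action=accept
/ip firewall filter add chain=forward in-interface=wds-bridge connection-state=related action=accept
/ip firewall filter add chain=forward in-interface=wds-bridge action=drop

# 6. The resolver enabled above must not answer queries from the office side.
/ip firewall filter add chain=input in-interface=wds-bridge protocol=udp dst-port=53 action=drop
/ip firewall filter add chain=input in-interface=wds-bridge protocol=tcp dst-port=53 action=drop
```

Rule order matters in step 5: the two accept rules must sit above the drop rule, which is the order in which these commands add them to an empty filter table.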

Hi Andrea,

Thanks for the rapid feedback (you are really FAST!). I will give it a try as soon as time will permit… For the time being I have connected my home RB-433/ether1 to my home router’s WAN port (WRT-54GS), configured this WAN port to act as DHCP client and everything is smooth!

Thanks for all and wishing you the very best.

//Euphoric

That is basically the same thing as I suggested, so you can leave it that way if you’re comfortable with the setup.