RB951Ui-2HnD trouble with setup (2 wlan and 2 lans)

I have an RB951 at my home that was configured for me. This particular router is set up so that ether2 is my WAN, and all the other Ethernet ports (ether1, 3, 4, 5) are LAN on 192.168.15.x. I also have a wlan1 that is on 192.168.15.x.

I also have a second wlan (wlan2) that is configured to be on 10.0.0.x. wlan2 can access only the internet via ether2. 192.x.x.x and 10.x.x.x do not see each other.

I copied this configuration to a new RB951 to try and duplicate it for a friend. I just renamed the wireless networks and adjusted my 192.168.15.x to 192.168.25.x

I cannot get the new wlan2 to connect at all. I can connect to the ether ports fine, I can connect to wlan1 fine. But when I try to connect to wlan2, I get “Windows was unable to connect” error.

Any ideas where to begin looking? I will do an export and post the configuration shortly.

Thank you in advance for your help.

Export from 951:

[admin@Wolfpack-RB951G] > export
# apr/08/2016 12:39:20 by RouterOS 6.34.3
# software id = LVYF-JY9J
#
# Bridge that later receives the wired LAN ports and wlan1 as members.
/interface bridge
add mtu=1500 name=bridge1

# Rename the five Ethernet ports: ether2 is labelled WAN, the other four LAN.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-LAN speed=1Gbps
set [ find default-name=ether2 ] name=ether2-WAN speed=1Gbps
set [ find default-name=ether3 ] name=ether3-LAN speed=1Gbps
set [ find default-name=ether4 ] name=ether4-LAN speed=1Gbps
set [ find default-name=ether5 ] name=ether5-LAN speed=1Gbps

# Physical 2.4 GHz radio running as an access point with SSID Baxley-Ent.
# No security-profile is named on this line, so wlan1 presumably uses the
# default profile configured further down.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="united states" disabled=no frequency=2442 mode=ap-bridge ssid=Baxley-Ent wireless-protocol=802.11

# Switch-chip ports 0-5 are all put in vlan-mode=fallback.
/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 vlan-mode=fallback
set 4 vlan-mode=fallback
set 5 vlan-mode=fallback

# Default profile: authentication is WPA2-PSK only, but the unicast and group
# cipher lists still contain tkip next to aes-ccm.
# NOTE(review): TKIP is deprecated; with wpa2-psk, aes-ccm alone is the usual
# choice - confirm no legacy client depends on it.
# Profile "NSA" (used by wlan2): WPA2-PSK, management-protection=allowed, no
# cipher lists given on the line.
# NOTE(review): the pre-shared keys are masked (********) in this listing. If
# this exact text was imported, the literal asterisks became the key - confirm
# the real keys were set on the new router.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=******** wpa2-pre-shared-key=********
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h management-protection=allowed name=NSA supplicant-identity="" wpa2-pre-shared-key=********

# Virtual AP wlan2 on top of wlan1 (master-interface=wlan1), SSID
# "Wolfpack MMA", secured with profile NSA.
# NOTE(review): mac-address is masked in this listing. If the value was removed
# or altered before the import, confirm wlan2 on the new router has a valid MAC
# address of its own that differs from wlan1's.
# NOTE(review): as posted there is a space inside "wds-default-cost= 0"; it is
# probably a paste artefact, but check the file that was actually imported.
/interface wireless
add disabled=no mac-address=xx:xx:xx:xx:xx:xx master-interface=wlan1 name=wlan2 security-profile=NSA ssid="Wolfpack MMA" wds-cost-range=0 wds-default-cost= 0

# The default IPsec proposal is restricted to 3des.
# NOTE(review): 3DES is a legacy 64-bit-block cipher; if IPsec is really in use
# an AES algorithm is the usual choice. No IPsec peers appear in this listing.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des

# Address pools. dhcp_pool1 covers 192.168.25.100-150, dhcp_pool3 covers
# 10.0.0.2-254. dhcp_pool2 spans the whole 10.0.0.0/24 and is not referenced by
# either DHCP server below.
/ip pool
add name=dhcp_pool1 ranges=192.168.25.100-192.168.25.150
add name=dhcp_pool2 ranges=10.0.0.0/24
add name=dhcp_pool3 ranges=10.0.0.2-10.0.0.254

# dhcp1 serves dhcp_pool1 on bridge1; dhcp2 serves dhcp_pool3 directly on wlan2.
# NOTE(review): the /ip address section of this export places 192.168.25.1/24
# on ether2-WAN, not on bridge1, so dhcp1 has no matching router address on its
# own interface - confirm.
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 lease-time=3d name=dhcp1
add address-pool=dhcp_pool3 disabled=no interface=wlan2 lease-time=3d name=dhcp2

# Simple queue "Public": target wlan2, limit-at and max-limit both 256k/256k.
/queue simple
add dst=10.0.0.0/24 limit-at=256k/256k max-limit=256k/256k name=Public priority=2/2 target=wlan2

# Log sizes: action 0 gets memory-lines=100, action 1 disk-lines-per-file=100.
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100

# Bridge filter: drop IP/UDP packets to port 68 (the DHCP client port) that
# arrive on ether1-LAN in the bridge input chain.
/interface bridge filter
add action=drop chain=input dst-port=68 in-interface=ether1-LAN ip-protocol=udp mac-protocol=ip

# bridge1 members: ether1, ether3, ether4, ether5 and wlan1.
# ether2-WAN and wlan2 are not bridge ports.
/interface bridge port
add bridge=bridge1 interface=ether3-LAN
add bridge=bridge1 interface=ether4-LAN
add bridge=bridge1 interface=ether1-LAN
add bridge=bridge1 interface=ether5-LAN
add bridge=bridge1 interface=wlan1

# use-ip-firewall=yes: bridged traffic is also handed to the IP firewall.
/interface bridge settings
set use-ip-firewall=yes

# The PPTP VPN server is switched on.
# NOTE(review): PPTP's MS-CHAPv2/MPPE protection is considered broken, and no
# filter rule limiting who may reach it appears in this listing. If the VPN is
# unused, enabled=no removes the exposure; otherwise prefer a stronger VPN type.
/interface pptp-server server
set enabled=yes max-mru=1460 max-mtu=1460

# Router addresses: 10.0.0.1/24 on wlan2, 192.168.25.1/24 on ether2-WAN.
# NOTE(review): the LAN gateway address is bound to the WAN port instead of
# bridge1, where dhcp1 and the LAN clients live. The post describes 192.168.x
# as the LAN, so this looks like a leftover from adapting the config - confirm.
/ip address
add address=10.0.0.1/24 interface=wlan2 network=10.0.0.0
add address=192.168.25.1/24 interface=ether2-WAN network=192.168.25.0

# DHCP clients: one enabled on ether2-WAN (peer DNS and NTP ignored) and a
# second entry on bridge1.
# NOTE(review): the bridge1 entry has no disabled=no, so it is presumably
# disabled; an active DHCP client on the LAN bridge would clash with the static
# LAN addressing - confirm.
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether2-WAN use-peer-dns=no use-peer-ntp=no
add dhcp-options=hostname,clientid interface=bridge1

# Options given to DHCP clients: in both networks the router itself
# (10.0.0.1 / 192.168.25.1) is advertised as gateway and as DNS server.
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
add address=192.168.25.0/24 dns-server=192.168.25.1 gateway=192.168.25.1 netmask=24

# Upstream resolvers used by the router.
# NOTE(review): allow-remote-requests is not set in this listing; if it is at
# its default (no), the router will not answer the DNS queries that the DHCP
# networks above point clients to - confirm.
# NOTE(review): 4.4.4.4 is not one of Google's public resolvers (8.8.8.8 and
# 8.8.4.4); possibly a typo for 8.8.4.4.
/ip dns
set servers=208.67.222.222,208.67.220.220,8.8.8.8,4.4.4.4

# Static address lists referenced by the filter and NAT rules.
# "rfc-1918" holds only 192.168.0.0/16; 10.0.0.0/8 and 172.16.0.0/12 are not in
# it, so rules matching on this list do not cover those ranges.
# "private" holds the 192.168.25.0/24 LAN plus all of 10.0.0.0/8, which means
# the wlan2 guest network is treated as "private" wherever this list is used.
/ip firewall address-list
add address=192.168.0.0/16 list=rfc-1918
add address=192.168.25.0/24 list=private
add address=10.0.0.0/8 list=private

# Filter rules. RouterOS evaluates the built-in chains input, forward and
# output; any other chain name is user-defined and is only reached through an
# action=jump rule.
# NOTE(review): every router-protection rule below sits in a chain named
# "inbound" and no jump to it appears in this listing. If none exists, these
# rules never match and the input chain is empty, so everything addressed to
# the router is accepted (for example the SNMP agent and PPTP server that this
# export enables). Either a jump from input is missing or chain=input was
# meant - confirm.
# NOTE(review): neither inbound nor forward ends with a catch-all drop, so
# traffic that no rule matches is accepted.
# NOTE(review): no forward rule separates 10.0.0.0/24 (wlan2) from the
# 192.168.25.0/24 LAN; the isolation described in the post is not enforced by
# anything visible here.
# NOTE(review): the lists icmp-attack, smtp-bypass, public-add and port-scan
# are matched below but never populated in this listing.
/ip firewall filter
# Connection-state handling: accept established, drop invalid.
add chain=inbound comment="Accept established connections" connection-state=established
add action=drop chain=inbound comment="Drop invalid" connection-state=invalid
# FTP brute-force handling: drop sources on ftp_blacklist, then watch outgoing
# "530 Login incorrect" replies; destinations beyond the dst-limit are put on
# ftp_blacklist for 3h.
add action=drop chain=inbound comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output comment="LoginIncorrect Tarpitting" content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
# SSH brute-force ladder on ether2-WAN: new connections to port 22 move the
# source through ssh_stage1 -> 2 -> 3 -> ssh_blacklist (1w3d).
# NOTE(review): the stages are listed lowest first. add-src-to-address-list does
# not stop rule processing, so a source just added to ssh_stage1 can match the
# ssh_stage2 rule on the same packet, and so on up to the blacklist. The usual
# layout puts the blacklist rule first and stage1 last - verify.
add action=drop chain=inbound comment="drop ssh brute forcers" dst-port=22 in-interface=ether2-WAN protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=inbound connection-state=new dst-port=22 in-interface=ether2-WAN protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=inbound connection-state=new dst-port=22 in-interface=ether2-WAN protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=inbound connection-state=new dst-port=22 in-interface=ether2-WAN protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=inbound connection-state=new dst-port=22 in-interface=ether2-WAN protocol=tcp src-address-list=ssh_stage3
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 in-interface=ether2-WAN protocol=tcp src-address-list=ssh_blacklist
# SSH is accepted from the "private" list (the same rule appears again below).
add chain=inbound comment="SSH for secure shell" dst-port=22 protocol=tcp src-address-list=private
add action=drop chain=forward comment="drop excessive icmp traffic for 12 hours" protocol=icmp src-address-list=icmp-attack
# Forwarded HTTP and SMTP arriving on the WAN port are accepted.
add chain=forward comment="Allow HTTP" dst-port=80 in-interface=ether2-WAN protocol=tcp
add chain=forward comment="Allow SMTP" dst-port=25 in-interface=ether2-WAN protocol=tcp
# ICMP to the router: accept up to the limit, drop the rest.
add chain=inbound comment="Allow limited icmp" limit=50,2:packet protocol=icmp
add action=drop chain=inbound comment="Drop excess icmp" protocol=icmp
add action=reject chain=inbound reject-with=icmp-admin-prohibited src-address-list=ssh_blacklist
# NOTE(review): the next three rules repeat the FTP tarpit pair and the SSH
# accept rule that already appear earlier in this chain list.
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add chain=inbound comment="allow private addresses for ssh" dst-port=22 protocol=tcp src-address-list=private
# Outbound SMTP abuse handling for forwarded traffic.
# NOTE(review): the rule comment says "more than 5 smtp connections" but the
# matchers are connection-limit=30,32 and limit=50,5:packet, so the comment and
# the thresholds disagree. The rule also matches only sources in rfc-1918
# (192.168.0.0/16), so wlan2 clients on 10.0.0.0/24 are not covered.
add chain=forward comment="allow smtp-bypass list to create multiple sessions" dst-port=25 protocol=tcp src-address-list=smtp-bypass
add action=add-src-to-address-list address-list=spam-block address-list-timeout=2h chain=forward comment="more than 5 smtp connections out as spam.  add to address list" connection-limit=30,32 dst-port=25 limit=50,5:packet protocol=tcp src-address-list=rfc-1918
add action=drop chain=forward comment="drop smtp traffic marked as spam" dst-port=25 protocol=tcp src-address-list=spam-block
# NOTE(review): this accept matches on source address only (no in-interface),
# and "private" includes 10.0.0.0/8, so wlan2 guests get the same access to the
# router as LAN hosts wherever this chain applies.
add chain=inbound comment="Internal traffic can do what it wants." src-address-list=private
add chain=output comment="Allow everything out"
# Forward-chain drops for spoofed or unwanted sources arriving from the WAN.
add action=drop chain=forward comment="block rfc 1918 and multicast inbound" in-interface=ether2-WAN src-address-list=rfc-1918
add action=drop chain=forward comment="block our addressing inbound - spoofed" in-interface=ether2-WAN src-address-list=public-add
add action=drop chain=forward comment="drop port-scan address list to our infrastructure" src-address-list=port-scan
add action=drop chain=forward comment="drop windows ports" port=135-139 protocol=tcp

# Source NAT: masquerade traffic from the "private" list leaving ether2-WAN,
# unless the destination is in nat-null.
# NOTE(review): nat-null is not defined anywhere in this listing - confirm the
# exclusion behaves as intended with an empty list.
# The two rules that follow carry no action=, so they presumably use the
# default (accept) for traffic from either local subnet to 192.168.0.0/16.
# Placed after the masquerade rule, they only see packets it did not match.
/ip firewall nat
add action=masquerade chain=srcnat dst-address-list=!nat-null out-interface=ether2-WAN src-address-list=private
add chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.25.0/24 to-addresses=0.0.0.0
add chain=srcnat dst-address=192.168.0.0/16 src-address=10.0.0.0/24 to-addresses=0.0.0.0

# Connection-tracking helpers for ftp, tftp, irc, h323 and sip are disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes

# IPsec policy 0 is set to match any source and any destination (0.0.0.0/0).
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

# Web proxy parameters; enabled= is not set on this line.
/ip proxy
set cache-path=web-proxy1 max-cache-size=none parent-proxy=0.0.0.0

# Management services: telnet and api are disabled, www is limited to clients
# in 192.168.0.0/16.
# NOTE(review): ftp, ssh and winbox are not mentioned, so they are presumably
# at their defaults with no address restriction. No input-chain filter rule is
# visible in this export, so consider setting address= on the services in use
# and disabling the rest.
/ip service
set telnet disabled=yes
set www address=192.168.0.0/16
set api disabled=yes

/ip traffic-flow
set cache-entries=4k

# The SNMP agent is enabled.
# NOTE(review): no /snmp community settings appear in this listing, so the
# default community is presumably still in place. Restrict it by address, or
# disable SNMP if it is not used.
/snmp
set enabled=yes

# Fixed time zone; automatic detection is off.
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago

/system identity
set name=Wolfpack-RB951G

# LED 0 shows flash access; LED 5 is tied to wlan1.
/system leds
set 0 type=flash-access
set 5 interface=wlan1

# Adds a logging rule for the wireless topic (no action given on the line).
/system logging
add topics=wireless

# NTP client enabled with two fixed server addresses.
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.29

# The bandwidth-test server is turned off.
/tool bandwidth-server
set enabled=no

There is one more “feature” I would like to add, but it is not critical. If possible, I would like ether5-LAN to be on 10.0.0.0/24 and not on 192.168.25.0/24.

How did you copy it? By making a backup and restoring it on your friend’s router which is now at your home?

If so, that explains it. The copy router will have the same MAC addresses (binary addresses used by the hardware
instead of the nice names you assign to them), and the two routers will conflict.

It will work OK once you move it to your friend’s house (assuming he is not in the same block), but really you
should not copy configs that way.

A somewhat better way is to use /export file=filename, transfer the file to the other router, and do a “reset configuration”
with “no defaults” and “import config” with that filename. However, this still copies some MAC addresses, although
fewer. To avoid that, you should remove them from the export file before transferring it.

To copy it, I did an export like I did here and removed all mac addresses or anything that was specific to the physical router itself.

I also forgot to mention: currently my router is at my house, and my friend’s (the one I am trying to make work) is at my office. So the 2 units are not connected in any way.