Reaching a subnet on LAN

Hello Mikrotik Forum!

I have a pretty much defconf RB5009 acting as my main router, which is connected to my provider. Its default LAN is 192.168.88.0/24. My PC and server are wired to MT. I also have a Keenetic Ultra on MT LAN, acting as a wifi AP for now, its default LAN is 192.168.0.0/24.

Now here’s my goal: I wanna be able to access clients on Keenetic LAN from MT, and vice versa. How would I achieve that?

Many thanks!

The best choice would be setting Keenetic Ultra to Wi-Fi Access Point mode.

Additional Wi-Fi Modes | Keenetic


Weird, the default setup on keenetic devices seems to be 192.168.1.1

  1. Best bet is to connect laptop to Keenetic, and change it to whatever AP mode is, and give it a fixed IP address on the 192.168.88.0/subnet. Be sure it's not used currently on the MT, and then add it statically to the lease list by adding the Keenetic by IP address used and its MAC address.

  2. If you want to keep the Keenetic as a router, you don't need to do anything as it will get a private WANIP on the LAN of 192.168.88.0 subnet. Let's say it gets 192.168.88.100

  3. Since I am assuming the NAT is on as a default on the AP/Router (keenetic), any traffic leaving the router will have the private WANIP of the AP/Router. So the users behind it should automatically be able to reach users on the MT LAN and the return traffic will work fine.

The real issue is how do users on the main LAN of the MT reach the users on the 192.168.0.0 LAN.
YOU need to add a manual static route to let the router know where to send such traffic.
Thus something like

    /ip route
    add dst-address=192.168.0.0/24 gateway=192.168.88.100 routing-table=main

Now the router will know to send such requests to your Keenetic.
The Keenetic should recognize such traffic as being local and it should work.

It may be necessary to add a firewall rule, if still not working.

    /ip firewall filter
    add chain=forward action=accept in-interface-list=LAN dst-address=192.168.0.0/24

Just did what @anav said, Keenetic web is reachable (192.168.0.1), but loads very slow. All devices on Keenetic LAN seem unreachable, connection times out. Do I maybe need to do something with KN’s NAT settings?

I wanted to try and retain it as a router for now, so I have a backup if I ever mess up somewhere while transitioning to MT :slight_smile:

Which option of @anav did you choose? It was kinda multiple-choice situation :wink:

If the KN supports adding static routes, you'd need to add a static route for 192.168.88.0/24 to 192.168.0.100 on the Keenetic device & add a unique /ip/address on MikroTik side for 192.168.0.100/24 (replace .100 with unique IP on Keenetic network) – this will allow non-NAT routing ("multihoming"). Otherwise, you need a NAT src-nat/masquerade rule on MikroTik side in /ip/firewall/nat.

Oh, sorry, I added the ip route and firewall rule as described.

Since there are multiple devices I’d like to reach, would it be a better solution to masquerade on MT side?

I'm a fan of IP routing, so I'd add a 192.168.0.x address on MikroTik bridge interface (assuming default). This will allow routing from MikroTik to AP – but you need a static route on AP side to send 192.168.88.x address to the 192.168.0.x of MikroTik LAN which allows traffic to MikroTik. But IDK if that's possible on Keenetic.

Whether you need NAT... that depends how the AP is configured & I'm not familiar with the Keenetic devices. Perhaps if you posted a couple screenshots of the AP's config that might help suggest a course of action.

Okay, I’ll look into routing on KN side, I know it’s possible to some extent. Here are my settings on the KN:

I’ll post more screenshots of whatever settings are needed. Thanks for the help again!

You really should switch the Keenetic device to AP mode. This excuse is lame:

If you mess up the configuration on the MikroTik device, then you can always change the Keenetic device back to the "Router" mode by changing the value of a single radio button in 5 seconds.

System operating modes


Okay, tried to learn how to maybe get out of similar situations or some new stuff, but if it’s lame, then I’ll change the mode. Any additional configuration needed then?

Edit: backup is not the only reason, I forgot to mention, excuse me. I also have a Proxmox server with a bunch of containers and VMs with set configurations referring to the old subnet, 192.168.0.0/24. I know that I will have to change them anyway, just wanted a sort of “quick fix” for now. If it's not possible and I’m better off with changing the mode, I’ll do so. Didn’t mean to be sarcastic or anything, sorry.

To use NAT - which may be simpler - I think you just need the following. This will put the MikroTik on the AP's LAN at .99 which is outside its DHCP range. You shouldn't need any specific /ip/route in this case (including @anav's example) since by adding an IP address, that will automatically add the needed route to the MikroTik routing table. Now you do need the NAT rule so that traffic on the AP's LAN will see all of your MikroTik devices as coming from 192.168.0.99, but no additional route rules are needed on the AP side since it's masquerade'ed.

    /ip/address/add address=192.168.0.99/24 interface=bridge1
    /ip/firewall/nat/add chain=srcnat action=masquerade dst-address=192.168.0.0/24

You might have to change the bridge1 below, depending on which interface is used by the 192.168.88.1 address in /ip/address
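Why the two fixes discussed in the posts above (a return route on the Keenetic, or masquerade on the MikroTik) both work, as an added Python model that is not from the thread: it traces where a client on the Keenetic LAN sends its reply. The PC address 192.168.88.10, the `wan` next hop, and clients using 192.168.0.1 as their default gateway are assumptions of this example.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match. table: list of (prefix, next_hop); next_hop None = on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        return "no-route"
    return best[1] or "on-link"

# Constructed addressing, based on the thread's examples.
MT_LAN_PC = "192.168.88.10"     # hypothetical PC behind the RB5009
MT_ON_AP_LAN = "192.168.0.99"   # address added to the MikroTik bridge
KEENETIC = "192.168.0.1"

# Routing tables: a client on the Keenetic LAN, and the Keenetic itself.
HOST = [("192.168.0.0/24", None), ("0.0.0.0/0", KEENETIC)]
KEENETIC_DEFAULT = [("192.168.0.0/24", None), ("0.0.0.0/0", "wan")]
KEENETIC_WITH_ROUTE = KEENETIC_DEFAULT + [("192.168.88.0/24", MT_ON_AP_LAN)]

def reply_path(src_seen_by_host, keenetic_table):
    """Hops a reply takes from a Keenetic-LAN client back towards the source it saw."""
    path = ["host"]
    hop = lookup(HOST, src_seen_by_host)
    if hop == "on-link":                 # source is on the client's own subnet
        return path + [src_seen_by_host]
    path.append(hop)                     # handed to the default gateway (Keenetic)
    return path + [lookup(keenetic_table, src_seen_by_host)]

def scenario(masquerade, keenetic_table):
    # With masquerade the client sees the MikroTik's 192.168.0.99, not the PC.
    src = MT_ON_AP_LAN if masquerade else MT_LAN_PC
    return reply_path(src, keenetic_table)

if __name__ == "__main__":
    print("routed, no return route:", scenario(False, KEENETIC_DEFAULT))
    print("routed, return route   :", scenario(False, KEENETIC_WITH_ROUTE))
    print("masquerade on MikroTik :", scenario(True, KEENETIC_DEFAULT))
```

In the first case the reply leaves through the Keenetic's default route instead of returning to the MikroTik, which matches the timeouts reported earlier in the thread.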

I don't recommend doing anything but posting your config for review as people are sending you in all kinds of directions................ bunch of scatter brains :stuck_out_tongue_winking_eye:

/export file=anynameyouwish (MT serial number, any public WANIP information, keys )
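The post above names three things in an export that matter before it is pasted into a public thread: the serial number, public WAN addresses and keys. As an added example (not from the thread or from MikroTik), this Python filter masks them; the parameter list and the sample export are constructed, and it assumes everything outside RFC 1918, loopback and link-local space counts as public.

```python
import ipaddress
import re

# Parameters whose values are secrets in a RouterOS export (Wi-Fi, WireGuard, PPP, IPsec).
SECRET_PARAMS = ("password", "passphrase", "private-key", "preshared-key",
                 "wpa2-pre-shared-key", "secret")
SECRET_RE = re.compile(
    r'\b(' + "|".join(SECRET_PARAMS) + r')=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r"^(# serial number = ).*$", re.M)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Address space that is safe to leave readable in a posted config (assumption).
KEEP = [ipaddress.ip_network(n) for n in
        ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
         "172.16.0.0/12", "192.168.0.0/16")]


def _mask_public(match):
    """Replace an IPv4 literal unless it falls inside one of the KEEP networks."""
    text = match.group(0)
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # not a valid address, e.g. 999.1.1.1
        return text
    return text if any(addr in net for net in KEEP) else "PUBLIC_IP"


def redact_export(config: str) -> str:
    """Return the export with serial number, secrets and public IPv4 addresses masked."""
    config = SERIAL_RE.sub(r"\1REDACTED", config)
    config = SECRET_RE.sub(r"\1=REDACTED", config)
    return IPV4_RE.sub(_mask_public, config)


# Constructed sample export; none of these values are real.
SAMPLE = '''# 2025-01-01 12:00:00 by RouterOS 7.20.2
# serial number = HXX0000XXXX
/interface wireguard
add name=wg1 private-key="c2FtcGxlLW5vdC1hLXJlYWwta2V5"
/ip address
add address=192.168.88.1/24 interface=bridge
add address=203.0.113.7/30 interface=ether1
/ppp secret
add name=user1 password=hunter2
'''

if __name__ == "__main__":
    print(redact_export(SAMPLE))
```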

If the reason is that you want to keep all the devices behind the Keenetic AP in the 192.168.0.0/24 subnet, then use the RB5009 to manage that subnet too! Use the RB5009 as a router that manages multiple subnets and routes between multiple subnets!

Here I assume that your RB5009 is in a near default configuration defconf, because you mentioned it has the default LAN 192.168.88.0/24, probably configured on the bridge. Make sure the router runs a recent version of RouterOS, 7.19.6 or 7.20.2, if possible!

Assuming the Keenetic is connected to port ether4 of the RB5009, on the RB5009, do the following:

  1. Create a VLAN 100 interface named vlan100:

    /interface vlan
    add interface=bridge name=vlan100 vlan-id=100
    
  2. Add the vlan100 interface to the LAN interface list:

    /interface list member
    add interface=vlan100 list=LAN
    
  3. Configure the subnet 192.168.0.0/24 on vlan100:

    /ip address add address=192.168.0.1/24 interface=vlan100 network=192.168.0.0
    
  4. Configure DHCP server on vlan100 (adjust the pool range if you wish)

    /ip pool
    add name=dhcp-vlan100 ranges=192.168.0.10-192.168.0.254
    
    /ip dhcp-server network
    add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
    
    /ip dhcp-server
    add address-pool=dhcp-vlan100 interface=vlan100 name=dhcp-vlan100
    
  5. Now it's the time to make port ether4, that the Keenetic is connected to, into an access port of VLAN 100 (adjust accordingly if you use another port). First, we set PVID to 100 on the port and set Frame Types to admit-only-untagged-and-priority-tagged.

    /interface bridge port set [find bridge=bridge interface=ether4] \
        pvid=100 frame-types=admit-only-untagged-and-priority-tagged 
    

    Or use the GUI with WinBox, go to Bridge -> Ports, open the entry for ether4 and make the changes:

  6. Next is to enable VLAN Filtering on the bridge interface. Note: if your configuration is based on the default RB5009 configuration, and you have not done any VLAN work before on the router, then turning on VLAN filtering here is perfectly safe. The recent RouterOS 7 versions (≥ 7.16) will ensure that the necessary entries in the /interface bridge vlan are there for you. You won't have to worry about being locked out of the RB5009.

    /interface bridge set bridge vlan-filtering=yes
    

    Or use the GUI in WinBox:

    As you can see, there is nothing scary or complicated if you just need to add bridge VLANs using access ports to the router.

If you use the default defconf firewall on the RB5009, then no further FW adjustments are needed. This concludes the necessary setup steps on the RB5009.

Now go back to the Keenetic Ultra and change the mode to the AP mode (which is called Extender Mode in the settings). The Keenetic will simply work as bridge/switch/access point and all DHCP IP address assignment, routing, firewalling (including NAT when going to the internet) are performed by the RB5009. The connected devices are all under vlan100 and have the 192.168.0.0/24 subnet.

If you want to do static IP address assignments for your Proxmox guests, assign static leases on the RB5009 under IP -> DHCP Server -> Leases.


In emergency cases, you can always switch the Keenetic back to "Router" mode.

The problem with this approach is when you put RB5009 in the LAN ports of the Keenetic, that device and its LAN clients don't have internet access anymore. It needs the RB5009 on the WAN port when working in "Router" mode.

And if you put the RB5009 on the WAN port, then the FW on the Keenetic will prevent access from WAN to LAN, unless a DMZ host is configured or individual port forwarding entries are added.

It only works if the Keenetic allows to fully disable the FW and NAT while in Router mode.

Just did this, many thanks! Wireless clients connected flawlessly after restoring old SSID, not wired clients though.

Also, a small add-on question. How do I make DHCP lease addresses in ascending order? Right now it’s descending from 192.168.0.254

Thanks again to all of you for the help, truly appreciate!

You don't. :unamused_face:
Mikrotik assigns DHCP addresses from the top down and this is not changeable.