This is how my network is setup

Router 1—>Router 2—>POE Switch—>Wireless AP’s

Router 1 is connected to the ISP via a Static Public IP 41.XX.XXX.XXX on Port 1

Router 1 has a local network address of 192.168.1.0/24
Port 2 of Router 1 has an IP address 192.168.255.1/30 and is not part of the LAN bridge

Router 2 has a local network address of 192.168.2.0/24
Port 1 of Router 2 has an IP address 192.168.255.2/30

Port 2 on Router 1 is connected to Port 1 on Router 2

On Router 1 created a static route to 192.168.2.0/24 to Router 2 via 192.168.255.2

All of the Wireless AP’s connected Router 2 network have static IP’s 192.168.2.21-30

From any of the wireless AP’s are able to access to the internet on Router 1

I have created NAT rule on Router 1 that allows me to access Router 2 from anywhere in the world

I want to be able to do the same and be able to access all the wireless AP’s on port 443 from anywhere as well.

Can anyone assist? All responses will be highly appreciated

Create NAT rules on both routers, for example on router 1 a single rule can NAT a block of ports

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=50021-50030 in-interface-list=WAN protocol=tcp to-addresses=192.168.255.2

And on router 2, on rule per target device

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=50021 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.21 to-ports=443
...
add action=dst-nat chain=dstnat dst-port=50030 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.30 to-ports=443

If you are not using the default interface lists change in-interface-list=WAN to in-interface=ether1.

Alternatively consider setting up a VPN server to limit global access to devices on your network.

TDW
When I first read and understood your suggestion, I was pretty sure that it would work. Sadly it did not.
Question:In your suggestion for Router 1, was it intentional that you did not have a setting for To Ports?

Let me re-state the network setup

Internet —> Router 1 (LAN=192.168.1.0/24) —> Router 2 —> (LAN2=192.168.2.0/24) —>PoE Switch —> WiFi AP1 (192.168.2.21)

Router 1 (LAN1)
Ether1 connected to the ISP with a static IP 41.x.x.x
Local network 192.168.1.0/24
Ether2 removed from LAN bridge and has a static IP of 192.168.255.1/30

Router 2 (LAN2)
Ether1 connected to Ether 2 on Router 1 and has a static IP 192.168.255.2/30
Local network 192.168.2.0/24

On Router 1 added a static route to 192.168.2.0/24 via 192.168.255.2
On Router 1 added a scrnat rule that allows 192.168.2.0/24 to go to the internet with NAT
On Router 2 the default gateway is 192.168.255.1
On Router 2 there is no NAT

This way, the traffic from LAN2 to the Internet does not go through LAN1

The IP ranges for all the WiFI AP’s are 192.168.2.21-30

There are no firewall rules.

Is this more clearer?
Any alternative suggestions?

If to-ports is not present a rule uses the same port(s) as given in dst-ports, you only need to specify to-ports if the port number is to be changed, as for the rules on router 2.

Any alternative suggestions?

Do the counters on the NAT rule increase when you try to connect? Are you testing from something not on LAN1 or LAN2 - this will fail as the NAT apply to traffic entering the WAN port only.

Ah, just had a thought - I missed On Router 2 there is no NAT. It is much easier to read configuration files than written descriptions!

If there is no NAT or firewalling on Router 2 then you do not need any changes to it, only some dstnat rules on Router 1:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=50021 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.21 to-ports=443
...
add action=dst-nat chain=dstnat dst-port=50030 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.30 to-ports=443

Again, if you are not using the default interface lists change in-interface-list=WAN to in-interface=ether1.

Are you connecting via a VPN? If not, I would suggest checking your sanity.

TDW
I am trying to accessing the AP’s from outside the LAN1 and LAN2 networks.
And yes, the counters did change.

Herewith are the configuration files

Router 1

aug/18/2019 08:02:03 by RouterOS 6.45.3

software id = VERF-DUV5

model = 2011UiAS-2HnD

serial number = B9070AA4FA9D

/interface bridge
add admin-mac=CC:2D:E0:39:D0:7E auto-mac=no name=“Bridge Nyika Master”
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no mac-address=
CC:2D:E0:39:D0:7D name=Ether01_WAN speed=100Mbps
set [ find default-name=ether2 ] mac-address=CC:2D:E0:39:D0:7E name=
Ether02_LAN_DS speed=100Mbps
set [ find default-name=ether3 ] mac-address=CC:2D:E0:39:D0:7F name=
Ether03_LAN speed=100Mbps
set [ find default-name=ether4 ] mac-address=CC:2D:E0:39:D0:80 name=
Ether04_LAN speed=100Mbps
set [ find default-name=ether5 ] mac-address=CC:2D:E0:39:D0:81 name=
Ether05_LAN speed=100Mbps
set [ find default-name=ether6 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=
CC:2D:E0:39:D0:82 name=Ether06_LAN
set [ find default-name=ether7 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=
CC:2D:E0:39:D0:83 name=Ether07_LAN
set [ find default-name=ether8 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=
CC:2D:E0:39:D0:84 name=Ether08_LAN
set [ find default-name=ether9 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=
CC:2D:E0:39:D0:85 name=Ether09_LAN
set [ find default-name=ether10 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=
CC:2D:E0:39:D0:86 name=Ether10_LAN
set [ find default-name=sfp1 ] disabled=yes mac-address=CC:2D:E0:39:D0:7C
/interface vlan
add interface=Ether01_WAN name=Safaricom vlan-id=798
/interface ethernet switch
set 0 name=“Mara Nyika Master Gb”
set 1 name=“Mara Nyika Master 100Mbps”
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods=“”
management-protection=allowed mode=dynamic-keys name=“Mara Nyika Master”
supplicant-identity=“” wpa-pre-shared-key=XXXXXX wpa2-pre-shared-key=
XXXXXX
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n basic-rates-b=“” disabled=no
frequency=auto mode=ap-bridge name=“WiFi Nyika Master” radio-name=
“Mara Nyika Master” rate-set=configured security-profile=
“Mara Nyika Master” ssid=“Mara Nyika Master” supported-rates-b=“”
wds-default-bridge=“Bridge Nyika Master” wds-mode=dynamic
/ip pool
add name=“DHCP Server Pool Nyika Master” ranges=192.168.1.51-192.168.1.254
/ip dhcp-server
add address-pool=“DHCP Server Pool Nyika Master” disabled=no interface=
“Bridge Nyika Master” lease-time=1d name=“DHCP Server Nyika Master”
/interface bridge port
add bridge=“Bridge Nyika Master” interface=Ether06_LAN
add bridge=“Bridge Nyika Master” interface=Ether03_LAN
add bridge=“Bridge Nyika Master” interface=Ether04_LAN
add bridge=“Bridge Nyika Master” interface=Ether05_LAN
add bridge=“Bridge Nyika Master” interface=Ether07_LAN
add bridge=“Bridge Nyika Master” interface=Ether08_LAN
add bridge=“Bridge Nyika Master” interface=Ether09_LAN
add bridge=“Bridge Nyika Master” interface=Ether10_LAN
add bridge=“Bridge Nyika Master” interface=“WiFi Nyika Master”
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=“Bridge Nyika Master” list=LAN
add interface=Ether01_WAN list=WAN
/ip address
add address=192.168.1.1/24 comment=“Local Network” interface=
“Bridge Nyika Master” network=192.168.1.0
add address=41.XX.XXX.XXX/30 comment=“Internet Connection from XXXXXXXXXX”
interface=Safaricom network=41.XX.XXX.XXX
add address=192.168.255.1/30 comment=“Network IP to Slave Router” interface=
Ether02_LAN_DS network=192.168.255.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=41.XXX.XXX.XX,41.XXX.XXX.XX,8.8.8.8
gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=41.XXX.XXX.XX,41.XXX.XXX.XX,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=1052 protocol=tcp
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid disabled=yes
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input dst-port=53 in-interface=Ether01_WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface=Ether01_WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment=“Nyika Main” out-interface=
Safaricom
add action=masquerade chain=srcnat comment=“Nyika Slave” out-interface=
Safaricom src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment=“Nyika Slave Remote Access”
dst-address=41.XX.XXX.XXX dst-port=50080 protocol=tcp to-addresses=
192.168.255.2 to-ports=80
add action=dst-nat chain=dstnat comment=
“Nyika Slave Remote Access via Winbox” dst-address=41.XX.XXX.XXX
dst-port=8292 protocol=tcp to-addresses=192.168.255.2 to-ports=8291
add action=dst-nat chain=dstnat comment=“WiFI AP Access” dst-port=50021-50024
in-interface-list=WAN protocol=tcp to-addresses=192.168.2.1
/ip route
add distance=1 gateway=41.XX.XXX.XXX
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.255.2
/ip service
set telnet disabled=yes
set ssh port=26711
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip socks
set port=1052
/ip socks access
add src-address=146.0.77.53
add src-address=31.172.128.25
add src-address=146.0.78.6
add src-address=10.0.0.0/8
add src-address=5.188.0.0/15
add src-address=192.243.0.0/16
add src-address=5.9.0.0/16
add src-address=5.104.0.0/16
add src-address=77.238.240.0/24
add src-address=95.213.221.0/24
add src-address=159.255.24.0/24
add src-address=31.184.210.0/24
add action=deny src-address=0.0.0.0/0
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Africa/Nairobi
/system clock manual
set time-zone=+03:00
/system identity
set name=“Mara Nyika Master”
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4

Router 2

aug/18/2019 08:03:56 by RouterOS 6.45.3

software id = B4NY-8LTC

model = 2011UiAS-2HnD

serial number = B9070A7971CD

/interface bridge
add name=“Bridge Mara Nyika Slave”
/interface ethernet
set [ find default-name=ether1 ] name=Ether01_LAN_US
set [ find default-name=ether2 ] name=“Ether02_LAN_Tents 1 & 2”
set [ find default-name=ether3 ] name=“Ether03_LAN_Tents 3 & 4”
set [ find default-name=ether4 ] name=Ether04_LAN
set [ find default-name=ether5 ] name=Ether05_LAN
set [ find default-name=ether6 ] name=Ether06_LAN
set [ find default-name=ether7 ] name=Ether07_LAN
set [ find default-name=ether8 ] name=Ether08_LAN
set [ find default-name=ether9 ] name=Ether09_LAN
set [ find default-name=ether10 ] name=Ether10_LAN_Printer poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface ethernet switch
set 0 name=“Mara Nyika Slave Gb”
set 1 name=“Mara Nyika Slave 100Mbps”
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods=“”
management-protection=allowed mode=dynamic-keys name=“Mara Nyika Office”
supplicant-identity=“” wpa-pre-shared-key=lampshade1 wpa2-pre-shared-key=
lampshade1
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode
band=2ghz-b/g/n basic-rates-b=“” disabled=no frequency=auto
hw-protection-mode=rts-cts mode=ap-bridge name=“WiFi Nyika Office”
radio-name=“Mara Nyika Slave” rate-set=configured security-profile=
“Mara Nyika Office” ssid=MaraNyikaOffice supported-rates-b=“”
wds-default-bridge=“Bridge Mara Nyika Slave” wds-mode=dynamic wps-mode=
disabled
/ip pool
add name=“DHCP Server Pool Nyika Slave” ranges=192.168.2.51-192.168.2.254
/ip dhcp-server
add address-pool=“DHCP Server Pool Nyika Slave” disabled=no interface=
“Bridge Mara Nyika Slave” lease-time=1d name=“DHCP Server Nyika Slave”
/interface bridge port
add bridge=“Bridge Mara Nyika Slave” hw=no interface=
“Ether02_LAN_Tents 1 & 2”
add bridge=“Bridge Mara Nyika Slave” hw=no interface=
“Ether03_LAN_Tents 3 & 4”
add bridge=“Bridge Mara Nyika Slave” hw=no interface=Ether04_LAN
add bridge=“Bridge Mara Nyika Slave” hw=no interface=Ether05_LAN
add bridge=“Bridge Mara Nyika Slave” hw=no interface=Ether06_LAN
add bridge=“Bridge Mara Nyika Slave” hw=no interface=Ether07_LAN
add bridge=“Bridge Mara Nyika Slave” hw=no interface=Ether08_LAN
add bridge=“Bridge Mara Nyika Slave” hw=no interface=Ether09_LAN
add bridge=“Bridge Mara Nyika Slave” hw=no interface=Ether10_LAN_Printer
add bridge=“Bridge Mara Nyika Slave” interface=“WiFi Nyika Office”
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=Ether01_LAN_US list=WAN
add interface=“Bridge Mara Nyika Slave” list=LAN
/ip address
add address=192.168.2.1/24 comment=“Local Network” interface=
“Bridge Mara Nyika Slave” network=192.168.2.0
add address=192.168.255.2/30 comment=“Network IP from Master Router”
interface=Ether01_LAN_US network=192.168.255.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.1,8.8.8.8
/ip route
add comment=“Default Gateway Office” distance=1 gateway=192.168.255.1
/ip service
set telnet disabled=yes
set www-ssl disabled=no
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Africa/Nairobi
/system identity
set name=“Mara Nyika Slave”
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4

Router 1

• A backup from a different device has been loaded in the past - this is why there are mac-address=CC:2D:E0:39:D0:xx settings present. If the original router with these addresses is connected to the same network it will cause problems.
• Why the socks proxy setup?
• The WAN interface list is incomplete as you have a VLAN to connect to your ISP, requires /interface list member add interface=Safaricom list=WAN too.
• The static DNS entry router.lan is redundant and can be removed.
• All of the default firewall filter input rules have been removed and rules to stop DNS lookups from outside added. The original rules would have blocked all input, including DNS lookups, if the WAN interface list had been updated.
• The forward rule for the cameras is the one where I was expecting NAT on the second router, it wouldn’t work anyway due to the incomplete WAN interface list. Remove it, fix the interface list and add my last suggestion.
• The NAT rule for Nyika Slave is unnecessary, the the scope of the first NAT rule will NAT from any IP address exiting via the VLAN interface.
• The SSH settings are not ideal, they are badly updated by a firmware upgrade to v6.44.x and later.

Router 2

• The DNS server is set to send requests to itself, it should be /ip dns set allow-remote-requests=yes servers=192.168.255.1,8.8.8.8
• The SSH settings are not ideal, they are badly updated by a firmware upgrade to v6.44.x and later.

Thank you for the feedback. I believe all are very appropriate.

Router 1

1. Correct, I loaded a backup from another configuration. Have 5 similar sites, same router model, same ISP and configuration, only difference is the public IP and VLAN ID. Any suggestion to remove the MAC addresses?
2. Sock must have been added inadvertently, have checked and it is not enabled. Do you suggest it be removed?
3. Have updated the Interface list and added Safaricom interface to the WAN list
4. The static DNS entry router.lan removed.
5. I was experimenting with firewall options when I exported the configuration. They have been re-activated now.
6. Again, was experimenting options to access the AP connected to outer 2. Have since removed the rule.
7. Have since removed the masquerade NAT rule for Nyika Slave
8. Suggestions to correct the SSH settings?

Router 2

1. Corrected the DNS server setting.
2. Suggestions to correct the SSH settings?

There is a ‘Reset MAC Address’ button on the right-hand side of each ethernet/sfp interface dialog which reverts to the actual hardware address that interface has on the device. You have to go through each of the interfaces, there will be a command-line equivalent. There may be a break in traffic, usually just a few seconds, whilst ARP caches on connected devices update. I don’t know if there there would be any longer delay when your WAN MAC address changes, it depends on how the ISP handles it.

The admin MAC address on the bridge would have to be manually edited, I usually disable it and allow RouterOS to pick it from the attached interfaces as the process is much better than it was on older firmware.

2. Sock must have been added inadvertently, have checked and it is not enabled. Do you suggest it be removed?

If it isn’t going to be used I would remove it. If you didn’t add it it may be from an intrusion which was possible on older versions, the general recommendation for compromised devices is to completely wipe the flash memory by doing a Netinstall, then configuring using an .rsc rather than .backup dump of the setup. Restricting managment access (WinBox, Webfig) to a whitelist, or only via a VPN would have prevented the most recent vulnerabilities being exploited.

8. Suggestions to correct the SSH settings?

/ip ssh set allow-none-crypto=no strong-crypto=yes forwarding-enabled=none

and the same on router 2.

TDW
With your suggestions, I believe the routers are much better configured and secure now. Thank you
I have two questions though:

1. Managed to update all the interface with the correct MAC address. However, the Admin MAC Address on the Bridge is still incorrect. Will it effect the network in any way if I were to disable it and allow RouterOS to pick it from the attached interfaces?
2. Do I add a new entry with WAN and interface Safaricom? So there would be 2 WAN lists, one with Ether1_WAN interface and the other with Safaricom interface to cater for the ISP’s VLAN?
   Thank you

When you disable the bridge Admin MAC address and it changes to one of the member port addresses there will be an traffic interruption from any devices attached to bridge member ports (ether3-ether10 and WiFi) - they will attempt to send packet to the old ethernet address until their ARP entries for 192.168.1.1 of CC:2D:E0:39:D0:7E expire. This can take minutes, disconnecting and reconnecting the ethernet cables to those devices will usually force them to clear their ARP caches.

2. Do I add a new entry with WAN and interface Safaricom? So there would be 2 WAN lists, one with Ether1_WAN interface and the other with Safaricom interface to cater for the ISP’s VLAN?

It would be one interface list called ‘WAN’ with two entries, ‘Ether1_WAN’ and ‘Safaricom’ - RouterOS represents this as a separate line for each entry with the same list name, rather than one entry with a comma-separated list of interfaces.

There shouldn’t be any IP traffic on the base Ether1_WAN interface as it doesn’t have an IP address, the actual WAN IP traffic is on the child VLAN interface, but it does no harm to have the base interface in the list - if an IP address were to be added to the base interface any firewall rules using the interface list would automatically be applied.