Remotely manage access points behind hotspot

RouterOS General
1

Hi all,
I have setup a pptp connection in an attempt to remotely manage the linksys wireless access points that exist on a mikrotik hotspot.
Hotspot internal ip is 192.168.1.1
I have given myself 192.168.1.11 when I sucessfully pptp into the router from the internet.
I can’t seem to connect ping or connect to any of the ap’s behind the router.
Access points have static ip’s such as 192.168.1.5

What would be the recommended suggestion to achieve this?

Thanks

Shane

2

I noticed if someone is logged into the hotspot, I can access the computer they have authenticated on. We have an internet cafe and I can browse files on the computers ( \192.168.1.40\c$ ) while a guest is using the computer.

3

block ports 135-139 and 445 and also make sure forwarding is disabled on all wireless clients.. That will eliminate the filesharing problem as well as disable client to client communciatons.

4

Thanks for your help. I have it sorted now.

Shane

5

the port block on 135-139/445 together with forwarding=off will only work for WLAN interface. As to your linksys AP connected to an ether port on the MT, no matter what you do you cannot prevent Windows workstations to see each other. Search for previous discussions on this matter.

been there done that -still doesnt work. grrrrr! :angry:

Robert S.

6

Accessing your AP’s from your wireless network should be ok - log on from a wireless workstation to your linksys AP and access it by typing the AP’s address.

Accessing the AP’s remotelly would be a little tricky. I havent tried it yet but you can try to do some port forwarding by adding a rule on the input firewall. Im not sure if you can set remote access port other than port80 on your linksys AP.

tell us results on your testing

Robert S.

7

sure you can… windows workstations use NetBIOS and MS Directory services to communicate with each other. By droping these services with the firewall it eliminates the possibility that a user can share/browse files across your network.

I missed the part where this was an ethernet network, so yeah default forwarding wouldn’t do much good.

What if you did the following:

ip firewall filter add chain=forward src-address=10.0.0.0/16 dst-address=10.0.0.0/16 action=drop

Wouldn’t that drop all client to client communications? maybe add an in-interface to that rule..

8

be my guest, I’ve lost half of my hair trying to solve the network neigborhood mystery.

but then again, I might be wrong. I would love to hear somebody successfully blocking windows network neigborhood traffic on the Ether port!

check-out the other post on the forum re: this matter.

Robert S.

9

As an AP acts much like a hub, two clients will simply connect through the AP at the layer 2 level, the traffic will not hit the router.

The only way I know of to stop this is to use an AP that can block forwarding to the wireless port.

10

i have no problem blocking NetBIOS traffic on my network.. By blocking UDP and TCP ports 135-139 and TCP 445 there is no way for windows networking to work/browse/function…

11

Going back to the original post by shanen_au, I also need to remotely manage an access point behind a MikroTik hotspot.

In my case, I just want to be able to reach the AP through the http port, which is configured to be 82. And even though I followed the information on http://www.mikrotik.com/docs/ros/2.9/ip/nat, I cannot get to the AP from the Internet.

Below are my NAT rules as well as my filter rules, where a.b.c.d is the WAN IP address of the MT.

 /ip firewall nat prin
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; masquerade hotspot network
     chain=srcnat out-interface=wan src-address=192.168.0.0/24 
     action=masquerade 

 1   ;;; masquerade for private network
     chain=srcnat out-interface=wan src-address=192.168.1.0/24 
     action=masquerade 

 2   chain=dstnat dst-address=a.b.c.d protocol=tcp dst-port=82 
     action=dst-nat to-addresses=192.168.0.2 to-ports=82 

 3   chain=srcnat src-address=192.168.0.2 protocol=tcp src-port=82 
     action=src-nat to-addresses=a.b.c.d to-ports=82


 /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Drop invalid connection packets
     chain=input connection-state=invalid action=drop 

 1   ;;; Allow established connections
     chain=input connection-state=established action=accept 

 2   ;;; Allow related connections
     chain=input connection-state=related action=accept 

 3   ;;; Allow UDP
     chain=input protocol=udp action=accept 

 4   ;;; Allow ICMP ping
     chain=input protocol=icmp action=accept 

 5   ;;; From private network
     chain=input src-address=192.168.1.0/24 action=accept 

 6   ;;; From hotspot network
     chain=input src-address=192.168.0.0/24 action=accept 

 7   ;;; Log everything else
     chain=input action=log log-prefix=""

Any help would be much appreciated.

Thank you guys in advance.

Regards,
juibar

12

Set for this wireless bridge bypass hotspot and then you will be able to access it.

Read section: Bypass hotspot for some devices in hotspot network
http://www.mikrotik.com/docs/ros/2.9/ip/hotspot.content#7.41.17.1

13

Thank you for your reply.

I tried your suggestion and it did not work.

By the way, I noticed that I have two srcnat chains. Can the problem be related to this?

Also, the counters of the dst-nat rule increase when I try to login the AP, but I get no reply. How can I find out if a filter rule is blocking the reply from the AP?

Thanks,
juibar

14

Shane,

U need to bybass your APs from hotspot. Do this for each AP, using the respective IP and MAC address:

ip hotspot ip-binding add address=192.168.1.15 to-address=192.168.1.15 mac-address=xx:xx:xx:xx:xx:xx type=bypassed

where xx:xx:xx:xx:xx:xx is the MAC address of whatever interface of the AP is connecting to the hotspot interface.

Sonny.