Routing problem?

I have a wireless network with all wireless interfaces (CPEs and APs) on fixed IP addresses in the 10.50.60.0/24 network. Client PCs get an IP from the DHCP server on gateway 172.25.30.1 in the 172.25.30.0/24 range. All MT interfaces (APs and CPEs) also have fixed IP addresses in this 172.25.30 network.
Everything is fine so far, everything works. I can reach all my APs and CPEs (except one, see next) and all clients can browse the internet. Ping times are all in the order of 1 ms, up to an occasional 20 or 30.

I now have one new MT rb535 CPE with IP 172.25.30.53 and IP 10.50.60.53 on the wlan1 interface; the ether interface has 192.168.50.1 and has DHCP running on it, assigning IP addresses in that same network to client PCs.

I have set up src-nat and dst-nat the same as on another CPE that works fine, but of course with its own IP. I also checked the routing table, which is the same as on this other working CPE (but with its IPs). As far as I can see (comparing with the other working CPE) all settings are OK.

I can MAC-ping the CPE from its connected AP, and I can MAC-telnet into that CPE. The unit comes up in Winbox (remote, after 5 hops) but only after some time. But in Winbox I CANNOT reach it, neither by MAC nor by either of the two IP addresses!
If logged in by MAC-telnet from its access point I can IP-ping back to the AP and I can ping the gateway with very good results.

So it looks like outgoing traffic is fine, but incoming traffic to that CPE is not possible at the IP level.

If I ping the unit from its AP on the 172.25.30.53 address I get timeouts on that address, or "host unreachable" from 10.50.60.1 (which is the gateway), or a 4 ms reply from the gateway (10.50.60.1)!!

If I ping the unit from its AP on the 10.50.60.53 address I get timeouts, or 10.50.60.50 (the wlan of the AP) telling me the host is unreachable.
The AP has its interfaces bridged, so both wlan1 and ether carry both IP addresses in the two different networks. Both radios have forwarding on, and forwarding is also enabled in the access list.

What am I doing wrong? I need access to the unit by IP to update the firmware, and I am not sure if the client is able to surf the internet now.


Why can I not IP-ping the CPE from the network? (The client can ping it from within the DHCP network.)

I am not looking for an answer like "read the manual" or "look in the Wiki". I've been doing this all day. I want suggestions on what I might be overlooking.
Could it be the difference in firmware versions? All units are on 2.9.41 except this CPE, which is still on 2.9.38.


rgds.

These are the settings of that CPE:

[admin@MikroTik] ip> address print
Flags: X - disabled, I - invalid, D - dynamic

     ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   ;;; added by setup
     192.168.50.1/24    192.168.50.0    192.168.50.255  ether1
 1   10.50.60.53/24     10.50.60.0      10.50.60.255    wlan1
 2   172.25.30.53/24    172.25.30.0     172.25.30.255   wlan1

[admin@MikroTik] ip> route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

       DST-ADDRESS        PREF-SRC        G GATEWAY        DISTANCE INTERFACE
 0 ADC 10.50.60.0/24      10.50.60.53                               wlan1
 1 ADC 172.25.30.0/24     172.25.30.53                              wlan1
 2 ADC 192.168.50.0/24    192.168.50.1                              ether1
 3 A S 0.0.0.0/0          172.25.30.53    r 172.25.30.1             wlan1

[admin@MikroTik] ip> firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 X chain=srcnat out-interface=wlan1 action=masquerade

 1   chain=dstnat dst-address=10.50.60.53 action=dst-nat
     to-addresses=192.168.50.1 to-ports=0-65535

 2   chain=srcnat src-address=192.168.50.1 action=src-nat
     to-addresses=172.25.30.53 to-ports=0-65535

 3   chain=srcnat src-address=192.168.50.0/24 action=src-nat
     to-addresses=0.0.0.0 to-ports=0-65535

 4   chain=dstnat dst-address=172.25.30.53 action=dst-nat
     to-addresses=192.168.50.1 to-ports=0-65535
[admin@MikroTik] ip>

WirelessRudy -
I use a lot of MT units in a few various setups - your setup is a bit convoluted but I think I see where you are going...

I am going to repeat back to you what it looks like you are trying to achieve:

  1. 10.50.60.X is your ‘command and control’ address space for your internal Wlan system.

  2. 172.25.30.X is your masquerade service for data to/from the client.

  3. 192.168.50.X is the IP space your client is using on their LAN.

Using these assumptions I think you need to get rid of all of your current src/dst and masq rules and start over like this:

This rule src-nats all your client data to address 172.25.30.53 - which, as I stated above, is what it looks like you want.

chain=srcnat src-address=192.168.50.0/24 action=src-nat
to-addresses=172.25.30.53 to-ports=0-65535

Now this leaves your 10.50.60.53 open for your command and control system. I have to assume that somewhere in your system your main router knows where to find the 10.50.60.X address space and will route requests for that IP address to the appropriate device... You said above that 10.50.60.1 can't seem to find the device but I think it is because of your src/dst nat rules...

Well WirelessRudy – give this a try and let us know how it turns out.

Thom

Hi Thom,

Thanks for that answer. I'm going to try it out asap, but that will be later tonight.
You are right about the use of the different networks. I made the 10.50.60.x network to reach all antennas on a different network from all clients. I've had regular IP conflicts (coming from clients) when all was in one network, and I have several SmartBridges units with their own monitor program that could not be reached when all were in one network.
Now I can at least always reach all CPEs and APs, and the SmartBridge monitor works fine too. And I save on IP addresses.

But if this is not the very best way of doing it I would certainly appreciate hearing how it can be done alternatively. The network is growing. We now have 4 APs, three backhauls and 26 client antennas. The aim is to gain 5 CPEs (these will all be MT in the 5 GHz range) per month.
So maybe I need to set up different networks for segments to stay ahead of future problems.

I hope to tell you tonight what result your solution brought me regarding the problematic CPE.

WirelessRudy –

My own opinion now, based on my experiences over many years - I am sure that other folks have theirs as well. I've run bridged networks and WDS networks and I always come back to routed. Sure, I have a couple of WDS links in some neighborhoods - it helps keep the network segmentation manageable, but that is the exception, not the rule - so I say to you: use a routed network everywhere you can. You can route private IPs all day inside your network and, when necessary, the occasional public IP for a client.

You have started with a good idea - separating client and command/control IP space. I don't know if you have started yet, but be sure to map your network on paper - be sure to show routed/bridged segments with the associated IP and MAC addresses...

I'd drop any bridge I have as soon as I was able to in favor of routed equipment. No need to do that overnight, just pick your busiest bridge and start there as time/funds permit. Bridges are easy to work with but the overhead data cost can get to be uneconomical as your network grows.

If you follow your own example of NATing the client IP space, as you are trying to do in this post, then you should never again have customer-induced IP conflicts. You made a good choice in using 192.168.50.XX for client space - I use 192.168.10.xx for all my clients - why - well, now and again a client will plug in a consumer-grade firewall/internal wireless AP/or router. Most consumer-grade equipment uses 192.168.0, 1, 2 or 254 as the third octet on their LAN side; by staying away from these IP addresses there is no chance that there will be a conflict at/on the CPE on the client side. And since my NAT rules (this is only on the client CPE) only NAT 192.168.10.xx, nothing else shows up on my network. In my case I NAT all CPEs to 10.x.x.x. I used all the 'x's because depending on where a client is in the network the last three octets will be different... You use 172 for your clients and that is fine. To refine what I have in my CPE... the client (LAN) side of ALL CPEs is 192.168.10.1 - DHCP'd - the only exceptions are some business clients that need public IP space or static LAN IPs... W/the MT (and some other CPEs) setting everyone to the same LAN IP is not an issue, there are no IP leaks past the CPE. You can further ensure this by adding a couple of firewall rules to drop anything not in the IP range you are looking for - thus making sure that only the client IP space you provided will make it to your network and eventually the Internet. Also, by having the same LAN IP address space it makes it easier to troubleshoot client issues - you already know what their LAN IP address space should be... you get the picture.

Well that's about it for now - if you want a 'pseudo' map of my network drop me a line at thom.lawless@rapidwifi.com and I'll send you a Word doc file that shows the model I am using...

Thom
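The rule set Thom lays out in his two posts above, written up as an added example for this thread's CPE (it is not Thom's or Rudy's own configuration): the single src-nat rule from the first post, plus the "drop anything not in the client range" filter rules from the second. It assumes ether1 is the client LAN and wlan1 the uplink, as in Rudy's address print; the rule comments and the two input-chain rules are my own additions.

```routeros
# Added example for this thread (not Thom's or Rudy's own configuration).
# Implements the rule set Thom describes: one src-nat rule for the client LAN
# (first post) plus filter rules that drop anything outside the client range
# (second post). Assumes, as in Rudy's printout above:
#   ether1 = client LAN, 192.168.50.0/24, router address 192.168.50.1
#   wlan1  = uplink carrying 172.25.30.53 (client data) and 10.50.60.53 (management)
# The rule comments and the input-chain rules are my additions.

# 1. Review the existing NAT rules, then start from an empty table as advised.
/ip firewall nat print
/ip firewall nat remove [find]

# 2. Single srcnat rule: client LAN traffic leaving wlan1 is sourced from 172.25.30.53.
#    No dst-nat rule rewrites packets addressed to 10.50.60.53 or 172.25.30.53, so
#    pings, Winbox and telnet to the CPE's own addresses are answered by the CPE itself.
/ip firewall nat add chain=srcnat src-address=192.168.50.0/24 out-interface=wlan1 action=src-nat to-addresses=172.25.30.53 to-ports=0-65535 comment="client LAN -> 172.25.30.53"

# 3. Only the client range may be forwarded from the LAN side. A customer router on
#    192.168.1.0/24 or a misconfigured PC is dropped here and never appears upstream.
#    Two rules (accept, then drop): anything from ether1 outside the client range is dropped.
/ip firewall filter add chain=forward in-interface=ether1 src-address=192.168.50.0/24 action=accept comment="client LAN range only"
/ip firewall filter add chain=forward in-interface=ether1 action=drop comment="drop other LAN sources"

# 4. Management plane: the control network reaches the CPE over wlan1; client LAN
#    devices still get DHCP/DNS from 192.168.50.1 but cannot talk to the management address.
/ip firewall filter add chain=input in-interface=wlan1 src-address=10.50.60.0/24 action=accept comment="control network -> CPE"
/ip firewall filter add chain=input in-interface=ether1 dst-address=10.50.60.53 action=drop comment="clients may not reach management address"

# 5. Verify: the CPE should now answer on both of its wlan1 addresses from the AP side.
/ip firewall nat print
/ip firewall filter print
```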

Hi Thom,

Well, this is very helpful and instructive info you supply.
I've introduced the NAT rules from your 1st advice, and that CPE works fine now. Actually I already had something like that in, but with the wrong network.

Yes, my aim is ultimately to have all clients behind an MT CPE-router on their own DHCP network 192.168.50.xxx.

The possible problem still existing now is that the 25 non-MT clients I still have, together with the occasional short-lived notebook clients (holiday makers), are directly on my 172. network with their equipment, either their CPE or their own PCs. Most of their CPEs are transparent.

What is not completely clear to me is this: when an interface of one of my MT routers/APs has both a 172.25.30.xxx address and a 10.50.60.xxx address, and a client would still produce an IP conflict in the 172.25.30.xxx net, would this also affect my control network?
I mean, will an IP conflict on network A cause a problem on network B if both are on the same interface? I have never encountered it, but can it happen?
How are these networks separated in the routers?

The 172.25.30.xxx will only be used for those clients coming in through the 2.4 GHz network. All CPEs/clients in the just-started 5 GHz network will have their own routers with their DHCP as above.
What if I also gave these 5 GHz CPEs a separate "control" network, let's say 10.50.50.xxx??
The backhaul of the 5 GHz APs is the same as for the 2.4 GHz APs and is operated with the 172.25.30.xxx and the 10.50.60.xxx networks.
Should I now also give these backhaul units a 10.50.50.xxx IP on their interface to create a separate 10.50.50.xxx network?

I think this could be done by routing but I do not know exactly how. The examples or advice given in the MT-OS reference manual, the Wiki and this forum are not as clear as 'beginners' would like them to be.

Most of the examples or advice are given by people that already know and think it's a piece of cake, or they don't write in clear, understandable English.
It's like the advanced 25-year-old Windows user trying to explain how to configure e-mail in Outlook, when it's your mom of 60 that just got her first PC! In 99% of the cases they don't speak the same language and mom doesn't like her introduction to the IT world anymore! (And you, because you're so impatient!)

I think for most 'beginner' or basic advanced users, routing is the most difficult part to clearly understand and to work with when it comes to setting up a wider network.
I think this community, but also others, lacks a bit in clearly understandable examples on how to do routing with gateways, DNS settings, different networks etc. It cost me days to find out why a gateway wasn't assigned to a DHCP client, and when it was it still didn't work because the route didn't exist. Lots of times you work on one problem not knowing you have a second problem as well!

I also don't really understand why bridging two interfaces in a router should not be as good as having them routed? It's easy and it works?

(I had a guy trying to set up my network and he used all kinds of networks and routes with hotspots on each AP, and the end result was that I didn't know what the situation was on my own network anymore, and he lost control too. When there were problems he was the only one able to try to solve them, and after a time even he couldn't anymore!

I thanked him for his help, reset all routers back to basics and set up the simple network with one IP range (now the two as explained), and it works, it's stable, and if there is a problem I can work it out myself!

I'll contact you for my e-mail address.

rgds

Sent you a reply Rudy.

Thom