[SOLVED] VLAN cannot access internet

Hello,

I have a very basic setup which I am unable to make work.

  • ADSL Router from ISP with local address 192.168.254.252
  • Apple Airport wifi Access Point, with primary + guest wifi network
  • Routerboard 750g with RouterOS 6.19

I have set up the RB750G with a DHCP server handing out IPs on 192.168.254.*

I have also set up VLAN 1003, which is what the Apple AP is using, with a DHCP server handing out IPs on 192.168.253.*

Clients on primary network are able to both access internet, and also ping guest wifi network clients.

My problem is that clients on guest wifi network are unable to access internet and/or ping primary network clients.

Any help is appreciated…

 #     NAME                 TYPE   MTU   L2MTU  MAX-L2MTU
 0     ether1-gateway       ether  1500  1520   1520
 1 R   ether2-master-local  ether  1500  1520   1520
 2 RS  ether3-slave-local   ether  1500  1520   1520
 3 S   ether4-slave-local   ether  1500  1520   1520
 4 S   ether5-slave-local   ether  1500  1520   1520
 5 R   vlan1                vlan   1500  1516

 #     DST-ADDRESS        PREF-SRC       GATEWAY              DISTANCE
 0 A S 0.0.0.0/0                         192.168.254.252      1
 1 ADC 192.168.253.0/24   192.168.253.1  vlan1                0
 2 ADC 192.168.254.0/24   192.168.254.1  ether2-master-l…     0

As a first step, I propose setting up the PPP session on the RB. The ADSL modem has to be in bridge mode.

Hi - thank you for the reply.

I wanted to keep the PPP session on the ADSL modem and use the ADSL modem as the gateway.

So basically the Mikrotik is using the ADSL as a gateway.

The problem is that the vlan does not seem to route the traffic there.

Reading what you have, I think you have the devices connected wrong.

You can leave your ADSL modem as is, connect it to the 750 using port one and set up your DHCP in the 750; then connect your wifi access point to port two of the 750, turn off DHCP in that device and set your password.

This will allow for any device wired to the other three ports plus devices connected by wifi to see each other as they will all be on the same network.

I don’t think what you say applies to this situation. Set which password?

Assume …
the modem has an address in the subnet 192.168.254.x,
requests come from the subnet 192.168.253.x,
and the modem rejects those requests.
I think you should add a local route to the modem.

You are probably right - so how do I do that???

Log in to the modem's web interface, go to static routes and add a route for 192.168.253.0/255.255.255.0.
Just look at the active routes: you have a route for 192.168.254.0, so make the same.

Did that, but it does not work.

Problem is that the VLAN does not seem to be able to communicate with anything that is not part of the VLAN.

So any devices that are part of the VLAN cannot connect to (or even ping) anything else on the network, including the gateway/ADSL modem.

I think that there must be a way for mikrotik to make that routing, but I cannot make it work.

The strange thing is that other devices on the network that are not part of the VLAN, are able to ping devices on the VLAN.

After searching for a long time I managed to find the solution.

I had to add a firewall rule (the out-interface is the WAN interface if the RB terminates the internet link, or in my case the LAN master port towards the modem, ether2-master-local):

/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.xxx.0/24 out-interface=ether2-master-local

In order to keep my internal network isolated from the guest network I created for the VLAN / Apple Airport, I also added this, where xxx is the Apple guest network and yyy is my internal/private LAN:

/ip firewall filter add chain=forward action=drop src-address=192.168.xxx.0/24 dst-address=192.168.yyy.0/24
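The two rules in the last post are the core of the fix: the masquerade rule hides the guest subnet behind the router's 192.168.254.1 address on its way to the modem, so the modem never sees a source it has no route for (the cleaner fix is still the static route on the modem, but the masquerade works even when the modem ignores it), and the forward drop keeps guests out of the private LAN. Below is an added example of the complete ruleset as a practitioner would write it in RouterOS 6 syntax. It is not from the original thread; it assumes the names from the prints above (vlan1 is the guest VLAN with 192.168.253.0/24, ether2-master-local carries the private LAN 192.168.254.0/24 and the path to the modem at 192.168.254.252), and the rule order is deliberate: RouterOS evaluates chains top-down, so the guest-to-LAN drop must sit above any accept that would otherwise match the same traffic.

```routeros
# Added example, not from the original thread. Assumed names:
#   vlan1                = guest VLAN, 192.168.253.0/24
#   ether2-master-local  = private LAN, 192.168.254.0/24, modem at .252
# Clear any existing rules with the same comments before re-running.

# 1. Source NAT: rewrite guest sources to the router's LAN address on the
#    way to the modem. Forward filtering happens BEFORE srcnat, so the
#    drop rule below still sees the original 192.168.253.x source.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.253.0/24 out-interface=ether2-master-local comment="guest VLAN -> modem (masquerade)"

# 2. Forward chain, in order: replies, then the isolation drop, then what
#    guests are allowed to do, then a catch-all drop for the guest VLAN.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="return traffic for all networks"
add chain=forward action=drop src-address=192.168.253.0/24 dst-address=192.168.254.0/24 comment="guest may not reach private LAN or modem UI"
add chain=forward action=accept in-interface=vlan1 out-interface=ether2-master-local comment="guest -> internet via modem"
add chain=forward action=drop in-interface=vlan1 comment="guest: drop anything else"

# 3. Input chain: guests may use the router for DHCP and DNS only, so the
#    router's own management services (Winbox, SSH, web) are not exposed
#    on the guest VLAN.
add chain=input action=accept connection-state=established,related comment="return traffic to router"
add chain=input action=accept in-interface=vlan1 protocol=udp dst-port=67 comment="guest DHCP"
add chain=input action=accept in-interface=vlan1 protocol=udp dst-port=53 comment="guest DNS"
add chain=input action=drop in-interface=vlan1 comment="guest: no router management"
```

Paste it into a terminal session and check the result with `/ip firewall filter print` and `/ip firewall nat print`. From a guest client, a ping to a private-LAN host or to 192.168.254.252 should fail while web browsing works; the router's own addresses will not answer ping either, because the input chain drops everything from vlan1 except DHCP and DNS (add an ICMP accept on vlan1 if you want the router pingable for troubleshooting). The second forward rule also blocks guests from the modem's web interface at 192.168.254.252, which is usually what you want on a guest network; the guests' internet traffic is unaffected because its destination is the public address, not the modem's LAN address.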