I have a very simple setup: WIFI - MAP Lite - Ethernet cable - HMI Panel. Station pseudo bridge. Used to work 2 years ago with different SSID. Configuration:
# model = RBmAPL-2nD
# serial number = CF290CE910C9
/interface bridge
add admin-mac=48:8F:5A:28:F3:7B auto-mac=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
mode=dynamic-keys name=Home supplicant-identity="" unicast-ciphers=\
tkip,aes-ccm wpa2-pre-shared-key=****************
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
frequency=2462 installation=indoor mode=station-pseudobridge \
security-profile=Home ssid=XXXXXXXXXXXX station-roaming=enabled \
wireless-protocol=802.11
/interface bridge port
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=wlan1 trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=*2000011
/interface list member
add interface=ether1 list=LAN
add interface=wlan1 list=LAN
add interface=bridge1 list=LAN
/interface wireless cap
set bridge=bridge1
/ip address
add address=XXX.XXX.XXX.32/24 comment=defconf interface=bridge1 network=\
XXX.XXX.XXX.0
Didn’t say this is happening here, but it could be this. Is the client device using DHCP? Then test first with a static IP address.
“pseudobridge” needs the client to communicate first, before it is reachable
Did the wifi connect? (SSID security could have been changed in 2 years).
Is that admin-mac still unique?
If the host AP for the mAP is also a MT, then use wifi mode “station bridge”, not “station pseudobridge” as needed only for connection to other AP brands.
Use “station bridge” if you can, far superior to “station pseudobridge”. “Station bridge” with Mikrotik’s is full 4-address mode wifi (transparent like ethernet connection)
Good to hear from you. In fact, I remember you helped me more than 2 years ago with this setup. (Topic: "Home WIFI instead Mikrotik Wifi to Ethernet issue"). The device is the same, literally.
No DHCP involved here.
What must be changed in the configuration, if I shift to station bridge?
Of course, the problem is that I cannot communicate with HMI through WiFi with HMI design software or SCADA.
I changed the setup to station bridge. It does not work either. Here is registration log:
Forgot about your previous setup. And here I’m missing information.
This registration printout makes me think this is not connected to a MT AP with wifi mode = “AP bridge”, and in which Bridge mode = “enabled” on the AP.
In that case with mode “station bridge” on the mAP Lite, the “bridge” part is still not activated.
The only way then is using the regular wifi possibilities, and that is the regular 3-MAC-address mode : sender - transmitter - receiver (missing the 4th address : destination)
So the wifi IP traffic is always terminated in the mAP Lite itself. You need to forward it to the destination with either dst-nat, if not a response on the masquerade NAT firewall rule.
Masquerade is what we do in a “Home AP” setup, where the IP is routed and masqueraded (what is using src-nat for outgoing traffic, and handling its responses). All IP traffic is using the mAP Lite’s IP address for all devices on the mAP Lite LAN (ethernet) side.
(Incoming traffic, initiated from the AP side, to a device on the mAP ethernet interface, must be explicitly forwarded with dst-nat in the mAP Lite. See http://forum.mikrotik.com/t/how-to-forward-dmz/35097/1 )
“Wifi AP-bridge and station-bridge” mode = wifi 4-address mode
Setup 1
Having a “bridge” interface in the mAP Lite , and having wlan1 and ether1 as ports on that bridge, and using 4-address mode gives one L2 network for WLAN1 and ether1, aka one bridged/switched network where all devices connect without routing if in the same IP subnet.
Setup 2
Having wlan1 or ether1 disconnected from bridge interface (or just no bridge interface defined) gives L3 routed network. The IP subnet on WLAN1 and on ether1 are then different.
Local devices on ether1 use the mAP Lite ether1 IP as router/gateway.
WLAN1 has an IP address in the IP range of the AP.
3-address mode wifi is OK for this setup.
Access to the AP and to internet and other devices via WLAN1 is done with src-NAT/masquerade NAT FW rule, using the WLAN1 IP address only as src-IP.
Setup 3
Station Pseudobridge tries to imitate the setup 1, with only the setup 2 style 3-address mode wifi connection.
That imitation comes with limitations.
src-nat or masquerade
Local device 192.168.36.13 on ether1 will use 192.168.36.15 as gateway, and reach 192.168.0.213 via wlan1, identifying itself (masqueraded) to that device as source with IP 192.168.1.11
The answer packets in that connection will come back to 192.168.0.213 via 192.168.1.11 because that router will still remember that initial session as “established” and NATed.
dst-nat
Having 192.168.0.213 initiating a connection to 192.168.36.16 port 502 will need an extra FW dst-nat rule in the router.
192.168.0.213 will connect to 182.168.1.1 port 502 who will forward that to 192.168.32.16 port 502 , identifying itself as 192.168.0.213. “forward” because of the extra dst-nat FW rule
Now let’s look again to the config (not tested, can be incomplete or contain typos)
/ip address
add address=192.168.36.15/24 interface=ether1 network=192.168.36.0
add address=192.168.1.11/24 interface=wlan1 network=192.168.1.0
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.0.213 out-interface=wlan1 protocol=tcp src-address=192.168.36.16
#or more general#
add action=masquerade chain=srcnat out-interface=wlan1 protocol=tcp src-address=192.168.36.0/24
#incoming request from wlan1 side requires#
add action=dst-nat chain=dstnat dst-address=192.168.1.1 dst-port=502 in-interface=wlan1 protocol=tcp src-address=192.168.0.213 to-addresses=192.168.36.16 to-ports=502
/ip route
add distance=1 gateway=192.168.1.1
# following line is redundant on the above
add distance=1 dst-address=192.168.0.213/32 gateway=192.168.1.1
If default FW rules are active blocking all incoming connections from WAN, and WLAN1 is still added to the WAN interface list … then a special “accept” rule needs to be added in the FW
Something like (can be more specific from what interface, from what SRC address, … etc etc)
Why 192.168.36.16? Shouldn’t be 192.168.36.13 - the local device? And, the local device has its own gateway 192.168.36.120 setup, does that mean 192.168.36.15 will work like gateway for connection to 192.168.1.11?
Yes yes, correct. 192.168.36.13 if you take the same device for dst-nat as for the masquerade. (What is a very logical choice)
I have no clear diagram of the whole network setup in my head, and jumping from case to case in this forum, I don’t reread the full story every time, and sometimes addresses get mixed up.
Any of the 192.168.36.0/24 addresses can be used in outgoing or incoming connections, which are independent sessions when initiated from ether1 or from the wlan1 side.
For multiple client devices for incoming connections, then different ports, or different IP addresses are used with 192.168.1.0/24 to differentiate the devices.
For outgoing connections from ether1, src-nat (with different IP addresses) or masquerade (with the WLAN1 IP address) can be used (the outgoing TCP port is randomised with masquerade, so the TCP port number is the differentiator)
192.168.36.15 and 192.168.1.11 is the same device (router/gateway)
That router has 192.168.1.1 as its gateway for going to the rest (e.g. internet) of the IP networks.
192.168.36.15 will normally be the gateway address for all the devices on ether1 (network 192.168.36.0/24)
Your other gateway 192.68.36.120 is also possible, and might point to gateway 192.168.36.15 for anything that is in that direction (e.g. over wlan1)
Stuck badly. No progress done.
Once again the topology I have, just to make sure I present it properly:
PC connect to wifi network - MT (Lite or MAP 2nd) - ethernet cable - Ethernet device (PLC with Ethernet port, no need of Internet)
In essence, I try to connect to the PLC without having connected the PC to it, but via MT.
For this last setup: one dedicated device using the MT as “wifi adapter”, the “station-pseudobridge-clone” mode is the most logical to use.
Maybe you had this earlier in a working condition, but are using a different device now (so there is a different MAC address to be set as clone, or none must be set)
“station-pseudobridge-clone” - similar to the station-pseudobridge, but the station will clone MAC address of a particular device (set in the station-bridge-clone-mac property), i.e. it will change its own address to the one of a different device. In case no address is set in the station-bridge-clone-mac property, the station postpones connecting to an AP until some packet, with the source MAC address different from any of the router itself, needs to be transmitted over that interface. It then connects to an AP with the MAC address of the device that has sent that packet
Pseudo-bridge you want (transparent wifi access to a non-MT AP) ?
Then don’t bother about WDS or “Controller Bridge and Port Extender”
I’ll try to clean up. IP addresses are only for IP access to the MT mAP and for the mAP own outgoing traffic.
Your connected device doesn’t use that IP information, goes straight through to the AP. The mAP acts as a bridge (pseudo bridge).
The IP network is between the AP and the client device only.
# model = RBmAP2nD
# serial number = DE4F0FF1A15E
/interface bridge
add name=bridge1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa2-pre-shared-key=password
add authentication-types=wpa2-psk mode=dynamic-keys name=WDS \
supplicant-identity="" wpa-pre-shared-key=password \
wpa2-pre-shared-key=password
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=\
station-pseudobridge-clone security-profile=WDS ssid=\
CXNK00765F8D tx-power-mode=all-rates-fixed wireless-protocol=802.11
/interface bridge port
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=ether2 trusted=yes
add bridge=bridge1 interface=wlan1 trusted=yes
#
# following info only used by mAP
#
/ip address
add address=192.168.36.15/24 interface=bridge1 network=192.168.36.0
/ip route
add distance=1 gateway=192.168.36.120
/system identity
set name=RouterOS
With this setup wlan1 does not run. WIFI SSID CXNK00765F8D cannot be even found during the scan, perhaps the reason is the mode “station pseudobridge clone”?
/log print
17:08:41 system,info router rebooted
17:08:42 bridge,info "bridge1" mac address changed to DC:2C:6E:E2:FC:00
17:08:43 bridge,info hardware offloading activated on bridge "bridge1" ports: ether1,ether2
17:08:44 interface,info ether1 link up (speed 100M, full duplex)
17:08:44 interface,info ether2 link up (speed 100M, full duplex)
17:08:51 system,info,account user admin logged in from 38:EA:A7:F5:8C:FD via winbox
17:08:53 system,info,account user admin logged in via local
17:09:19 system,info,account user admin logged in via local
17:12:22 system,info,account user admin logged out via local
17:12:28 system,info,account user admin logged in via local
17:12:31 system,info wireless security profile changed by admin
17:12:32 system,info device changed by admin
17:12:32 system,info route added by admin
17:12:32 system,info system identity changed by admin
17:14:11 bridge,info "bridge1" mac address changed to DC:2C:6E:E2:FC:00
17:14:11 system,info device changed by admin
17:14:11 bridge,info hardware offloading activated on bridge "bridge1" ports: ether1,ether2
17:15:02 system,info,account user admin logged out via local
17:15:20 system,info wireless security profile changed by admin
17:15:57 system,info,account user admin logged out via local
Further, I am pretty sure that the PLC port must be used somewhere in the setup. Don’t you think so? If yes, where?
When I connect the PC to the PLC directly, the OPC UA server I use to communicate with the PLC requires IP address and port number. The connection is instant, no issues.
WIFI SSID CXNK00765F8D cannot be even found during the scan
So why was it in the config then? I have no idea and don’t have any saying on what your SSID look like. I only left it in the config because it was in yours.
last-ip=192.168.1.7
Where does this come from??? AP and PLC need an IP in the same subnet! With a bridge or pseudo-bridge one does not route between subnets. It’s all one and the same subnet.
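The masquerade and dst-nat behaviour described earlier in the thread for the routed setup (Setup 2), as an added example that is not from any poster: a toy connection-tracking model in Python using the thread's addresses. It assumes the PLC is 192.168.36.13 and that the initiator addresses the mAP's wlan1 IP 192.168.1.11; the class, the port numbers and the second wlan-side host are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class MapRouter:
    """Toy model of the mAP in routed mode: ether1 = LAN side, wlan1 = AP side."""
    def __init__(self, wlan_ip):
        self.wlan_ip = wlan_ip
        self.dstnat = {}   # wlan-side port -> (allowed src ip, LAN ip, LAN port)
        self.masq = {}     # (peer ip, peer port, nat port) -> (LAN ip, LAN port)
        self.fwd = {}      # (LAN ip, LAN port, peer ip, peer port) -> wlan-side port
        self.next_port = 40000  # constructed; RouterOS chooses source ports itself

    def lan_to_wlan(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.fwd:  # reply inside a dst-nat session
            return Pkt(self.wlan_ip, self.fwd[key], p.dst, p.dport)
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.masq[(p.dst, p.dport, nat_port)] = (p.src, p.sport)  # masquerade
        return Pkt(self.wlan_ip, nat_port, p.dst, p.dport)

    def wlan_to_lan(self, p):
        if (p.src, p.sport, p.dport) in self.masq:  # reply to a masqueraded session
            return Pkt(p.src, p.sport, *self.masq[(p.src, p.sport, p.dport)])
        rule = self.dstnat.get(p.dport)
        if p.dst == self.wlan_ip and rule and rule[0] == p.src:
            self.fwd[(rule[1], rule[2], p.src, p.sport)] = p.dport
            return Pkt(p.src, p.sport, rule[1], rule[2])
        return None  # no session and no matching rule: ends at the mAP itself

def demo():
    plc, scada, wlan = "192.168.36.13", "192.168.0.213", "192.168.1.11"
    r = MapRouter(wlan)
    out = r.lan_to_wlan(Pkt(plc, 5000, scada, 502))
    back = r.wlan_to_lan(Pkt(scada, 502, out.src, out.sport))
    before = r.wlan_to_lan(Pkt(scada, 6000, wlan, 502))
    r.dstnat[502] = (scada, plc, 502)  # the thread's dst-nat rule, src-restricted
    after = r.wlan_to_lan(Pkt(scada, 6000, wlan, 502))
    other = r.wlan_to_lan(Pkt("192.168.0.50", 6000, wlan, 502))  # constructed host
    reply = r.lan_to_wlan(Pkt(plc, 502, scada, 6000))
    return out, back, before, after, other, reply
```

Only the source named in the rule reaches port 502 on the PLC; any other wlan-side host gets no forwarding, which is what the src-address match in the thread's dst-nat rule provides.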