Subnet-to-subnet only works in one direction

I feel dumb because I swear I had this working, but I’m not sure what I did to make it stop. Greatly appreciate any suggestions.

Quick topology overview
Mikrotik RB750Gr3:

  • ether1 - ISP; IP is provided by ISP’s router (Mikrotik is DHCP client). ISP router NATs to internet, so IP given to Mikrotik is a private IP

  • ether2 - Wireless router configured as AP (let’s call this “AP1”); Mikrotik is DHCP server

  • ether3 - Another wireless router configured as AP (let’s call this “AP2”); Mikrotik is DHCP server

  • ether5 - Hardwire to switch that has NAS, RaspberryPi, etc.

Problem

  • If I connect my laptop (Macbook) to AP1, it gets an IP from DHCP, can ping devices on all subnets, and can access internet & DNS fine.

  • If I connect the same laptop to AP2, it gets a correct IP from the new DHCP, can ping the other IP addresses assigned to the Mikrotik in other subnets (192.168.x.1), but cannot reach any of the other IPs outside of its own subnet.

Want AP1 & AP2 to have access to ISP router (and internet) via NAT. Want AP1 and AP2 to be able to reach each other bidirectionally without NAT.


[admin@Mikrotik] > interface list member print  
Columns: LIST, INTERFACE
# LIST  INTERFACE            
0 LAN   Infrastructure Bridge
1 WAN   ether1               
2 LAN   ether2               
3 LAN   ether3               
4 LAN   ether4               
5 LAN   ether5                      
6 LAN   Limited-access Bridge
7 LAN   Full-access Bridge 

[admin@Mikrotik] > ip export 
# 2024-11-26 22:51:53 by RouterOS 7.15.3
# software id = 0LQQ-L5BL
#
# model = RB750Gr3
# serial number = XXXXXXXXXXX
/ip pool
add name="131.x Infrastructure" ranges=192.168.131.100-192.168.131.253
add name="132.x All-Access" ranges=192.168.132.100-192.168.132.249
add name="133.x Limited Access" ranges=192.168.133.100-192.168.133.253
add name="134.x Pihole Strict" ranges=192.168.134.100-192.168.134.253
/ip dhcp-server
add address-pool="131.x Infrastructure" interface="Infrastructure Bridge" lease-time=2w name="Infrastructure DHCP"
add address-pool="132.x All-Access" interface="Full-access Bridge" lease-time=2w name="Primary DHCP"
add address-pool="133.x Limited Access" interface="Limited-access Bridge" lease-time=10m name="Limited Access DHCP"
/ip smb users
set [ find default=yes ] disabled=yes
/ip address
add address=192.168.131.1/24 interface="Infrastructure Bridge" network=192.168.131.0
add address=192.168.132.1/24 interface="Full-access Bridge" network=192.168.132.0
add address=192.168.133.1/24 interface="Limited-access Bridge" network=192.168.133.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=12h
/ip dhcp-client
add comment="ISP Connection" interface=ether1
/ip dhcp-server lease
< OMITTED >
/ip dhcp-server network
add address=192.168.131.0/24 comment="Infrastructure network" dns-server=192.168.131.1 gateway=192.168.131.1 netmask=24
add address=192.168.132.0/24 comment="All-access network" dns-server=192.168.131.254 gateway=192.168.132.1 netmask=24
add address=192.168.133.0/24 comment="Limited-access network" dns-server=192.168.131.254 gateway=192.168.133.1 netmask=24
add address=192.168.134.0/24 comment="Strict network" dns-server=192.168.131.254 gateway=192.168.134.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
< OMITTED >
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip traffic-flow
set interfaces=wg-intf1
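Added diagnostic sequence for the problem described above. This is not part of the original post or of the reply below; it is what an editor would run on the RB750Gr3 terminal to find where the 133.x to 131.x traffic stops. The laptop address (192.168.133.150) and the target host (192.168.131.20, standing in for the NAS) are assumptions chosen for illustration; substitute the real ones. All commands are standard RouterOS 7 CLI.

```routeros
# Run on the router while a laptop on AP2 (assumed 192.168.133.150) tries to
# reach a host on the Infrastructure subnet (assumed 192.168.131.20).

# 1. Which bridge is each ether port actually a member of? The interface list
#    only shows ether2-5 as "LAN", not which of the three bridges owns them.
/interface bridge port print

# 2. Routes: expect one connected route per bridge /24 plus the default route
#    learned by the DHCP client on ether1.
/ip route print

# 3. Zero the counters, reproduce the failure, then see which forward rule the
#    133.x -> 131.x packets hit (or whether none of them count up at all).
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=forward

# 4. Temporarily log new connections from the AP2 subnet to the other LAN
#    subnets. Placed first in the chain so fasttrack cannot bypass it; remove
#    the rule once done.
/ip firewall filter add chain=forward action=log log-prefix="AP2-fwd" \
    src-address=192.168.133.0/24 dst-address=192.168.0.0/16 \
    connection-state=new place-before=0
/log print where message~"AP2-fwd"

# 5. Confirm the packets leave the router on the Infrastructure bridge. If the
#    echo request is seen here but no reply comes back, look at the target
#    host (its gateway/netmask, or a host firewall that ignores off-subnet
#    sources) rather than at the router.
/tool sniffer quick interface="Infrastructure Bridge" \
    ip-address=192.168.133.150 duration=10

# 6. Ping from the router itself, sourced from the AP2 gateway address, so the
#    reply has to be routed back to 192.168.133.1 instead of answered on-link.
/ping 192.168.131.20 src-address=192.168.133.1 count=4
```

Note that the forward chain as exported ends with the "drop all from WAN not DSTNATed" rule and has no catch-all drop, so unless a rule was omitted from the export the filter shown is not what blocks LAN-to-LAN traffic; that is why steps 1, 2, 5 and 6 concentrate on bridge membership, routing and the behaviour of the target hosts rather than on the firewall.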

You have three bridges?

/ip address
add address=192.168.131.1/24 interface="Infrastructure Bridge" network=192.168.131.0
add address=192.168.132.1/24 interface="Full-access Bridge" network=192.168.132.0
add address=192.168.133.1/24 interface="Limited-access Bridge" network=192.168.133.0

How are the 5 ethernet interfaces (of which only 4 are used, per your description) connected to these bridges?

Can you post the output of:

/ip route print

A network diagram would help as well.