Unable to route CRS309 and wAP AC

So, I am trying to set up a home network with Mikrotik gear, but I got kind of stuck at some basic routing; hoping someone here can perhaps help me out.
I understand some basic networking concepts but am not really an expert…

I have 2x CRS309 routers in my electricity room, where all the room cables converge. I call these main and ancillary, where main is the one connecting to the internet fiber and serving the internal DHCP.
I have a wAP AC access point serving as DHCP server for my wireless devices.
I have a room where I needed more than one ethernet port, so I connected a small hEX PoE device there.
The internal LAN addresses are in the 10.1.1.x range and the wireless ones in the 192.168.10.x range.

However, I am trying to make my wireless clients able to communicate with the clients on the LAN, but I have been unsuccessful.

I am attaching a small diagram of my network and the current configurations of the different equipment.
wap_conf.rsc (3.9 KB)
room_conf.rsc (1018 Bytes)
ancillary_conf.rsc (1.45 KB)
main_conf.rsc (4.89 KB)
home_network.png

You should look into Destination-NAT:
https://help.mikrotik.com/docs/display/ROS/NAT#NAT-DestinationNAT

All your wireless clients on the wAP ac will appear as 10.1.1.124 on the main router's LAN network.
As 10.1.1.124 they can connect to whatever device is on that LAN.
Devices on the LAN cannot connect to devices on the wireless 192.168.10.0 network. Even adding a route will not help.
The wAP ac is masquerading them.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Devices can communicate on a session started from 192.168.10.0/24.

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked

Either 1 or 2:

  1. You want to route, and then the connection should be a LAN interface-list member on the wAP ac, not a WAN interface-list member, to avoid the masquerade and the firewall blocking. (WAN is actually on the main router only.)

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

  2. You have no reason to route, and want a transparent connection. Then on the wAP ac, ether1 should be added to the bridge and the DHCP server stopped and replaced with a DHCP client. The wAP ac and the wireless clients will get their own 10.1.1.0/24 range addresses from the DHCP server of the main router. The wAP ac now acts as a switch only, not as a router, just like the hEX PoE.

Thanks guys, really helpful!!

So if I want option 1), how do I go about managing those interface list members? I was looking around in WebFig but I am a bit confused by its interface… it seems an interface can refer to itself!?

Also, for some reason neither WinBox nor WebFig from the 10.1.1.x network is able to connect to / configure the wAP… is there any specific setting I need to enable configuration from the LAN?!

Klembord-2.jpg
WebFig → Interfaces → Interface List → Add New, or click a line to edit (e.g. change WAN to LAN).
Do not use “Lists”; there is no need here to make new lists.
The above screenshot is just from one of my AP settings (connected through WLAN1, not ethernet).


The wAP ac cannot be managed through ether1 as long as ether1 is on the WAN interface list.
Go in via wifi to make that WAN–>LAN interface list change.

Yeah… so I think I understand the concept, but this is really confusing as depicted in the user interface…
Actually, reading and modifying the exported config file seems much more intuitive and clearer; unfortunately I cannot seem to import it back, as it tries to add already existing configuration and stops… perhaps I need to do a sort of ‘drop all’ command at the top?!

but perhaps you can help me understand the UI …
I go into the “Interface List” tab… and there it shows me interface lists? … but at the same time there is a “Lists” button?
Then in the List column I see LAN and WAN… and on my screen LAN is using interface bridge while WAN is using ether1.
I have now disabled the WAN and that actually seems to do the trick as well… but what I actually expected was that I had to add ether1 to the bridge interface first?!
But nowhere can I find a place to define what interfaces belong to the bridge interface…

and on my screen LAN is using interface bridge while WAN is using ether1.

OK, not too fast: bridge is a member of the interface list LAN, and ether1 is a member of the interface list WAN.
There is nothing about ‘using’. LAN and WAN are just the names of the lists. The lists could have been named London and Paris.
If in the firewall we used London and Paris as lists for selecting interfaces, it would work just the same.

Disabling the WAN list will stop the firewall rules where the name “WAN” is used as a reference. (Indeed this stops the masquerade, but it still does not let input access happen; that rule uses the name “LAN”.)

This interface list is just a shortcut for naming all the members of that list. It should make more readable firewall rules.

Of course London and Paris is meaningless in a router config, so the default names used by MT are LAN and WAN, and they are used in multiple config lines.

But nowhere I can find a place to define what interfaces belong to the bridge interface …

Connecting an interface to the bridge (not to the “bridge interface”) happens in the Bridge menu, tab Ports.
(Unfortunately the word “bridge” is used both for the bridge and for the bridge interface.)

I give again my screenshot… (This is an OmniTIK with multiple ethernet ports. The only WLAN interface is also added to the bridge here.)
Klembord-2.jpg
You can manually copy parts of the .rsc file to the terminal input. To make the processing consistent, I always start with a line containing just "/ ".

perhaps I need do a sort of ‘drop all’ command at the top

That is System → Reset Configuration with “no default configuration”, but be warned: you will need WinBox MAC access to get in, as all config lines will be missing.

WHY?

Why do you need the wAP ac to act as a router and not just as a simple AP/switch,
as you do for the other CRS309 and the hEX??? They are not set up as routers either!!

This is like 10 min max to set these up as simple APs and switches using VLANs…

The original intention was to have the WiFi separate from the LAN … I realized this was not really convenient and then when things were not really working as I expected this turned more into a “let’s learn what’s going on” thingy …
Also, what do you mean with “not setup as routers either” exactly ?

What is exactly your suggested configuration with the VLANs ?

I apologize for the word ‘using’, I think I may have given you the wrong impression… English isn’t my first language…
Yeah, so this is the part that is confusing to me: a single interface to me isn’t a list… why does a list have a single interface name?!

I understand.

OK, good that you clarify that … so, if I understood this, do I need to
a) rename WAN to LAN in the Interfaces list; OR
b) add ether1 to the bridge ports ?
or if I do only b) will then ether1 be part of both the WAN list and the bridge list and still be affected by the masquerade ?

Humm… ok, I will need to look into this for the future… I would like to save the configs somewhere so in the future it's easy to restore when needed.

No need to apologize. A forum is a difficult medium, as there is little interaction.
So I have to guess what you think, and by saying “LAN is using bridge” you were too close to the physical working.
I want people to understand, because that’s how I remember all these settings. It must be logical for me or I forget.

A list can have just one interface. This is a programming technique to have general Firewall and other config rules independent of the name of the interface.
An interface can be member of multiple lists also.

OK, good that you clarify that … so, if I understood this, do I need to
a) rename WAN to LAN in the Interfaces list; OR
b) add ether1 to the bridge ports ?
or if I do only b) will then ether1 be part of both the WAN list and the bridge list and still be affected by the masquerade ?

a: Making ether1 a member of the LAN interface list instead of WAN will make all config lines with interface-list LAN act on ether1. It will stop config lines with interface-list WAN from acting on it.
LAN members are allowed to do many things. WAN members get masqueraded, and their access to the router and to other interfaces and devices is very limited.

b: Adding ether1 to the bridge will stop ether1 from acting as an interface to the router; it will be an interface to the bridge (switch). In many cases the traffic of ether1 will not even enter the router and will be handled in hardware by the switch chip. Even if it passes through the router CPU, it will not be handled by the firewall (this is IP level, or L3) and will not be routed unless it is sent to an interface not on the bridge. The membership of ether1 in an interface list is not important, as the router only sees the bridge as an interface, not ether1.

By doing a) you will have a router setup. Traffic is routed (not masqueraded). You can use the firewall to limit what can pass or not.
By doing b) you have a switch connection between all interfaces on the same bridge. Traffic is not routed. Whether a) is done or not does not matter, because for the router the traffic comes from the bridge.

(Look at the hEX PoE: the IP routing is set but not used, except for traffic to or from the router itself. As all interfaces are on the bridge, it just acts as a switch.)
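The two options described in this reply and in the earlier "Either 1 or 2" reply, written out as RouterOS terminal commands. This is an added example for the thread, not taken from the attached .rsc files. It assumes the wAP ac still carries the RouterOS default names (bridge "bridge", uplink "ether1", DHCP server and address commented "defconf"), that its LAN address is 192.168.10.1/24 on the bridge, and that the main router sees it as 10.1.1.124 as quoted earlier; check those with `/ip address print`, `/ip dhcp-server print` and `/interface list member print` before pasting, and paste only one of the two options.

```routeros
# Added example, not from the thread's attached configs. Assumed names:
# bridge "bridge", uplink "ether1", DHCP server "defconf", LAN address
# 192.168.10.1/24, wAP ac reachable from main as 10.1.1.124.
# Run over wifi or WinBox MAC access, not over ether1: both options change
# how ether1 is treated while you are using it.

# ---- Option a: keep routing, move ether1 from the WAN list to LAN ----------
/interface list member
remove [find interface=ether1 list=WAN]
add interface=ether1 list=LAN comment="uplink to main, routed not masqueraded"
# The defconf masquerade and "drop all from WAN not DSTNATed" rules match on
# the WAN list, so they no longer touch ether1; the "accept ... in LAN" input
# rules now do, which is what makes WinBox/WebFig reachable over the cable.
# The main router needs a route back, or 10.1.1.x replies have no path.
# On the MAIN router (not here):
#   /ip route add dst-address=192.168.10.0/24 gateway=10.1.1.124
# Caveat: with ether1 in LAN nothing on the wAP ac filters wired->wireless
# traffic any more. Say explicitly what may cross: established flows stay,
# the wired LAN may start sessions to wireless clients, anything else from
# the cable is dropped (rules are appended after the defconf forward rules).
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked \
    comment="routed: keep established flows (harmless if defconf has it)"
add chain=forward action=accept in-interface=ether1 out-interface=bridge \
    src-address=10.1.1.0/24 dst-address=192.168.10.0/24 \
    comment="routed: wired LAN may reach wireless clients"
add chain=forward action=drop in-interface=ether1 out-interface=bridge \
    comment="routed: drop anything else arriving from the wired side"
# Check: ether1 must now be listed under LAN only.
/interface list member print where interface=ether1

# ---- Option b: no routing, wAP ac becomes an AP/switch on 10.1.1.0/24 -----
/ip dhcp-client
remove [find interface=ether1]           # defconf puts the client on ether1
/ip dhcp-server
disable [find name=defconf]              # main router is the only DHCP now
/ip address
remove [find address="192.168.10.1/24"]  # assumed LAN address, see above
/interface bridge port
add bridge=bridge interface=ether1 comment="uplink, switched like the wlan ports"
/ip dhcp-client
add interface=bridge disabled=no comment="wAP ac management lease from main"
# The masquerade rule stays in the config but is dead: the router now only
# sees "bridge", never ether1, exactly as on the hEX PoE.
# Check: after a short while the wAP ac should hold a 10.1.1.x lease.
/ip dhcp-client print
/interface bridge port print
```

With option a the wAP ac keeps its own 192.168.10.x subnet, so the main router's route back is not optional: without it wired hosts can be reached from wifi (masqueraded or not) but never the other way round. With option b the address you are connected through disappears when `/ip address remove` runs; reconnect through WinBox Neighbors (MAC) or to whatever 10.1.1.x lease the main router hands out.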

What I am saying is look at LINK C here - https://forum.mikrotik.com/viewtopic.php?t=182373

It explains VLAN filtering… with examples of different setups, router, switch, AP etc…

Also at the above link check out Article D. I put in an example of my capac device config.