Alrighty, I have a customer network, which is now requiring some sort of “Universal IP” functionality (i.e. misconfigured clients still work, the router just sorts things out), and for doing that MikroTik’s Universal Client (and DNS/SMTP dst-nat rules) works great. But…
There are several APs on this network which require remote management, and don’t support DHCP while bridging, nor do they support VLANs (stupid Orinoco BG-2000s). So, these devices need statically assigned IPs that are reachable from outside the network.
I set up Universal Client with access list entries for each of the APs, mapping their configured static IP to itself, with their MAC address (the MikroTik does have a gateway IP for them, on the same interface as the Universal Client / DHCP pool gateway IP).
Works great for clients, they get their bogus IPs translated nicely, and all is well from their perspective.
However, management traffic going to the APs won’t go through the MikroTik, until a packet has been sent from the AP to the outside (thus causing an entry to appear in the Active Host list for Universal Client). Once that has happened, and until the Active Host entry expires, management traffic moves correctly.
If I try pinging an AP from the MikroTik, which does not have an entry in the Active Host list, I get “packet rejected”. Once the AP is in the Active Host list, it pings correctly.
The network looks something like this:
Our WAN
|
MikroTik (a.a.a.a on WAN, b.b.b.b and c.c.c.c on LAN)
|
Dumb switches
|
Orinoco BG-2000s (in bridge mode, with static IPs in the b.b.b.b subnet)
|
Clients (which get DHCP into the c.c.c.c subnet, or Universal Client into same c.c.c.c subnet)
I have tried static ARP entries, but they had no effect.
I know the correct way to fix this would be to replace the BGs with something smarter, but the customer isn’t going to foot the bill for that.
If I had room, I would just toss another Ethernet card into the MT, tie two interfaces onto the same dumb switch, and put the gateway for the devices on the new interface (with ARP set to reply-only, and static ARP entries for the APs), and leave Universal Client on the other. Unfortunately, there isn’t room for that in the little RB230.
So, the question is: is there a way to either force a Universal Client Active Host entry to remain persistently, or somehow configure the MT to ignore a particular subnet with respect to Universal Client even though it’s on the same interface as the Universal Client?
Any other (cheap) suggestions?
Thanks,
–Eric