Virtual AP's with dhcp/nat

Hello everyone, I could use some help with my network. I have no DSL options in this area, so I brought in a T1 and am sharing the connection with my neighbors to help cover the cost. I have an RB750G as my main router, connected to the T1 router and set up as a hotspot. From the RB750G a cable runs to an RB400 in a tree, which broadcasts Wi-Fi on 2.4 GHz and 900 MHz.

I have a couple of RB411s bridged over 900 MHz to the main RB400 in the tree; users connect to these. Each one has a Virtual AP with WPA encryption for each household, but when a user connects they get an IP from the main router and still have to enter their hotspot username and password. So every device in the household that uses that Virtual AP has to enter the hotspot credentials.

Is it possible to set up the Virtual AP as a DHCP server with NAT, so that anyone in the house is simply online without entering a username or password, and the Virtual AP acts as the single sign-on to the main router? I can set up a hotspot bypass for that user.

Thank you

Hello,

Yes: create a DHCP server on the internal interface (where the house users will connect) and add a NAT rule for them:

/ip firewall nat add action=masquerade chain=srcnat comment="" disabled=no out-interface="<your out interface (the wireless uplink)>"

If they must get in without a username/password, create an IP binding in your hotspot for the IP/MAC of this remote RB411 (type=bypassed). Without it, once the first user enters a username/password, everyone behind the NAT rides that login, because the hotspot sees the whole household as a single source IP/MAC. Be aware of the flip side: with the binding in place, anyone who can join that WPA network gets access with no per-user login, and hotspot accounting and rate limits apply to the household as one host. The WPA key is then the only credential protecting that account, so make it a long random passphrase and do not reuse it.

Ibersystems, thank you for the quick reply. I tried that but ran into issues. For instance, the DHCP server always shows as invalid unless I remove the Virtual AP from the bridge, but when I do that I lose connectivity.

Do you think you could provide a quick step by step of what should be done?

Current setup on rb411

900mhz wan
2.4ghz broadcasting open Wi-Fi (working fine with the hotspot)
2 Virtual APs: the 1st set up without DHCP or NAT, working but going through the hotspot
the 2nd Virtual AP set up with WPA and DHCP/NAT (masquerade), but it does not get through to the main router.

Thank you

Remove the new Virtual AP from the bridge and add a default route pointing at the main router:

/ip route add gateway=<ip of the hotspot router>

OK, we are making progress. I now get an IP from the Virtual AP, but the masquerade is not working: when I open a web page on the PC attached to the Virtual AP I still get the hotspot login page, and I see the PC's own IP trying to reach the hotspot when it should be the Virtual AP's IP. Thank you.

Please copy paste your export config.

/ip export
/interface export

Sorry for the delay. Here is the configuration.

jan/02/1970 17:38:55 by RouterOS 5.0beta6

software id = GTZB-QIZ1

# NOTE(review): no `/ip hotspot` server entry appears in this export, so the hotspot
# profile below is just the RB411's default; the real hotspot runs on the RB750G and
# should be checked for the same points. login-by=cookie,http-chap with no https
# login method (and www-ssl disabled further down) means the login exchange is not
# TLS-protected, and a 3-day cookie re-admits a host without re-entering a password.
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default
rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
# shared-users=1: once the household is NATed behind the RB411 it presents a single
# IP/MAC to the hotspot, so all its devices count as one shared user and cannot be
# told apart in hotspot logs/accounting.
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m transparent-proxy=no
# No IPsec peers appear in this export, so this proposal is unused. If IPsec is ever
# enabled, 3des/sha1/modp1024 are legacy choices; prefer aes/sha256 and a larger group.
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
# 172.168.0.0/24 is NOT private address space: RFC 1918 covers 172.16.0.0-172.31.255.255
# only, so this range belongs to someone on the public Internet and those hosts become
# unreachable from the household. Use a 172.16-31.x, 192.168.x or 10.x subnet instead.
/ip pool
add name=dhcp_pool1 ranges=172.168.0.2-172.168.0.254
# DHCP for the NATed household on the Carrillos virtual AP (which is not a bridge port).
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=Carrillos lease-time=3d name=carrillos
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
# 192.168.0.204 on bridge1 is the router's address towards the RB750G hotspot; this is
# the source the household appears as once masqueraded, so the hotspot IP binding must
# be for this address / the RB411's MAC.
# The 172.168.0.1/24 entry prints no interface=, which suggests it is not attached to any
# interface (presumably why the DHCP server showed "invalid"); it should sit on Carrillos.
/ip address
add address=192.168.0.204/24 broadcast=192.168.0.255 disabled=no interface=bridge1 network=192.168.0.0
add address=172.168.0.1/24 broadcast=172.168.0.255 disabled=no network=172.168.0.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=172.168.0.0/24 gateway=172.168.0.1
# allow-remote-requests=yes makes the router a resolver for any source, and this export
# contains no /ip firewall filter rules at all. Today the only uplink is into the
# operator's own 192.168.0.0/24, so exposure is limited, but if a public-facing interface
# is ever added this becomes an open resolver; add a filter dropping tcp/udp 53 from
# anything that is not the household subnet.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=192.168.0.1
/ip dns static
add address=10.10.10.1 disabled=no name=VDns ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=
10s
# out-interface="(unknown)" references a removed interface, so this rule matches nothing.
# The 900mhz radio is a bridge port and the default route leaves via bridge1, so the
# working value (as found later in the thread) is out-interface=bridge1.
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface="(unknown)"
# Connection-tracking helpers (ALGs) all enabled. Each one parses payloads of matching
# flows; disable the ones the households do not need (irc, h323, pptp at least) to
# reduce attack surface.
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set ether1 discover=yes
set 2.4ghz discover=no
set 900mhz discover=no
set bridge1 discover=yes
set Ames discover=no
set Fujii discover=no
set Carrillos discover=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none max-client-connections=600
max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
# Two identical default routes via 192.168.0.1; remove the duplicate.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 scope=30 target-scope=10
# SECURITY: telnet, ftp, www, ssh and winbox are all enabled and bound to 0.0.0.0/0, so
# they are reachable from the open hotspot clients, the WPA households and the uplink.
# Disable telnet and ftp (cleartext credentials), set address= on ssh/winbox/www to the
# admin subnet only, and prefer www-ssl with a certificate over plain www.
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
# forwarding-enabled=yes lets anyone with SSH credentials tunnel arbitrary TCP through
# the router (pivot into the 192.168.0.0/24 side). Set to no unless it is actually used.
/ip ssh
set forwarding-enabled=yes
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes

\



\

jan/02/1970 17:39:05 by RouterOS 5.0beta6

software id = GTZB-QIZ1

# bridge1 is the single L2 domain that the uplink, the open hotspot AP and two of the
# WPA virtual APs all hang off (see the port list further down).
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1526 max-message-age=20s mtu=1500 name=bridge1
priority=0x8000 protocol-mode=rstp transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1526 mac-address=00:0C:42:40:AC:88 mtu=1500 name=ether1 speed=100Mbps
# SECURITY: the `default` profile is mode=none (open, no encryption). It is used by the
# 2.4ghz hotspot AP (intentional: the hotspot handles login) AND by the 900mhz
# station-wds backhaul below, so every household's traffic, hotspot logins included,
# crosses the 900 MHz link unencrypted. Give the backhaul its own WPA2 profile and
# apply it on both ends of the link.
# SECURITY: the three WPA profiles use group-ciphers=tkip unicast-ciphers=tkip and still
# allow wpa-psk (WPA1). TKIP is deprecated; use authentication-types=wpa2-psk with
# unicast-ciphers=aes-ccm group-ciphers=aes-ccm.
# SECURITY: `/export` prints pre-shared keys in clear text and this export has been
# posted publicly, so all three PSKs must be rotated. The current keys are short,
# name-based strings; choose long random passphrases, and strip keys before posting.
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" group-key-update=5m interim-update=0s management-protection=disabled
management-protection-key="" mode=none name=default radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=
disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none
static-key-0="" static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0
supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key=""
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip group-key-update=5m interim-update=0s management-protection=allowed management-protection-key=""
mode=dynamic-keys name=carrillos radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none static-key-0=""
static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=""
tls-certificate=none tls-mode=no-certificates unicast-ciphers=tkip wpa-pre-shared-key=avcarrillo wpa2-pre-shared-key=avcarrillo
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip group-key-update=5m interim-update=0s management-protection=allowed management-protection-key=""
mode=dynamic-keys name=Ames radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=
XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" static-key-1=""
static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity="" tls-certificate=
none tls-mode=no-certificates unicast-ciphers=tkip wpa-pre-shared-key=valleyforge wpa2-pre-shared-key=valleyforge
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip group-key-update=5m interim-update=0s management-protection=allowed management-protection-key=""
mode=dynamic-keys name=Fujii radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=
XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" static-key-1=""
static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity="" tls-certificate=
none tls-mode=no-certificates unicast-ciphers=tkip wpa-pre-shared-key=yoshiofujii wpa2-pre-shared-key=yoshiofujii
# 2.4ghz: the open hotspot AP (security-profile=default, ssid=Internet). default-forwarding=yes
# lets hotspot clients talk to each other at L2 (no client isolation); on a public AP set
# default-forwarding=no so one guest cannot ARP-spoof or attack another. It also has
# country=no_country_set with a fixed 17 dBm tx table while the 900mhz radio is set to
# "united states"; make sure the 2.4 GHz settings match local regulatory limits.
/interface wireless
set 0 adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 antenna-mode=ant-a area="" arp=enabled band=2ghz-b/g basic-rates-a/g=6Mbps basic-rates-b=
1Mbps burst-time=disabled channel-width=20mhz compression=no country=no_country_set default-ap-tx-limit=0 default-authentication=yes
default-client-tx-limit=0 default-forwarding=yes dfs-mode=none disable-running-check=no disabled=no disconnect-timeout=3s distance=dynamic frame-lifetime=0
frequency=2417 frequency-mode=manual-txpower frequency-offset=0 hide-ssid=no hw-fragmentation-threshold=disabled hw-protection-mode=none
hw-protection-threshold=0 hw-retries=4 l2mtu=2290 mac-address=00:0C:42:40:AC:89 max-station-count=2007 mode=ap-bridge mtu=1500 name=2.4ghz
noise-floor-offset=default noise-floor-threshold=default nv2-qos=default nv2-queue-count=2 on-fail-retry-time=100ms periodic-calibration=default
periodic-calibration-interval=60 preamble-mode=both proprietary-extensions=post-2.9.25 radio-name="20624 Cheif Fuller" rate-set=default scan-list=default
security-profile=default ssid=Internet station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tdma-additional-txrxguard=0 tdma-debug=0 tdma-override-rate=disabled tdma-override-size=0 tdma-period-size=2
tx-power=10 tx-power-mode=all-rates-fixed update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100
wds-ignore-ssid=no wds-mode=disabled wireless-protocol=unspecified wmm-support=disabled
# 900mhz: station-wds backhaul to the RB400 in the tree. security-profile=default means
# this link is unencrypted (see the note above the security profiles). It is a bridge
# port, which is why it did not work as the srcnat out-interface: routed traffic leaves
# via bridge1, not via the port itself.
set 1 adaptive-noise-immunity=ap-and-client-mode allow-sharedkey=no antenna-gain=0 antenna-mode=ant-a area="" arp=enabled band=2ghz-b/g basic-rates-a/g=6Mbps
basic-rates-b=1Mbps burst-time=disabled channel-width=5mhz compression=no country="united states" default-ap-tx-limit=0 default-authentication=yes
default-client-tx-limit=0 default-forwarding=yes dfs-mode=none disable-running-check=no disabled=no disconnect-timeout=3s distance=dynamic frame-lifetime=0
frequency=2442 frequency-mode=manual-txpower frequency-offset=0 hide-ssid=no hw-fragmentation-threshold=disabled hw-protection-mode=none
hw-protection-threshold=0 hw-retries=4 l2mtu=2290 mac-address=00:15:6D:94:38:7D max-station-count=2007 mode=station-wds mtu=1500 name=900mhz
noise-floor-offset=default noise-floor-threshold=default nv2-qos=default nv2-queue-count=2 on-fail-retry-time=100ms periodic-calibration=default
periodic-calibration-interval=60 preamble-mode=both proprietary-extensions=post-2.9.25 radio-name="20624 Chief Fuller" rate-set=default scan-list=default
security-profile=default ssid=900mhz station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tdma-additional-txrxguard=0 tdma-debug=0 tdma-override-rate=disabled tdma-override-size=0 tdma-period-size=2
tx-power=10 tx-power-mode=all-rates-fixed update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100
wds-ignore-ssid=no wds-mode=disabled wireless-protocol=any wmm-support=disabled
# Virtual APs on the 2.4ghz master. Ames and Fujii are bridged households with a 500000
# bps per-client tx limit each; Carrillos is the routed/NATed household (no bridge port,
# no tx limit). All three keep default-forwarding=yes, so devices within a household can
# reach each other at L2, which is probably what a household wants.
add area="" arp=enabled default-ap-tx-limit=500000 default-authentication=yes default-client-tx-limit=500000 default-forwarding=yes disable-running-check=no
disabled=no hide-ssid=no l2mtu=2290 mac-address=02:0C:42:40:AC:8B master-interface=2.4ghz max-station-count=2007 mtu=1500 name=Ames proprietary-extensions=
post-2.9.25 security-profile=Ames ssid=Ames update-stats-interval=disabled wds-cost-range=0 wds-default-bridge=none wds-default-cost=0 wds-ignore-ssid=no
wds-mode=disabled wmm-support=disabled
add area="" arp=enabled default-ap-tx-limit=500000 default-authentication=yes default-client-tx-limit=500000 default-forwarding=yes disable-running-check=no
disabled=no hide-ssid=no l2mtu=2290 mac-address=02:0C:42:40:AC:89 master-interface=2.4ghz max-station-count=2007 mtu=1500 name=Fujii
proprietary-extensions=post-2.9.25 security-profile=Fujii ssid=Fujii update-stats-interval=disabled wds-cost-range=0 wds-default-bridge=none
wds-default-cost=0 wds-ignore-ssid=no wds-mode=disabled wmm-support=disabled
add area="" arp=enabled default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes disable-running-check=no disabled=no
hide-ssid=no l2mtu=2290 mac-address=02:0C:42:40:AC:8C master-interface=2.4ghz max-station-count=2007 mtu=1500 name=Carrillos proprietary-extensions=
post-2.9.25 security-profile=carrillos ssid=Carrillos update-stats-interval=disabled wds-cost-range=0 wds-default-bridge=none wds-default-cost=0
wds-ignore-ssid=no wds-mode=disabled wmm-support=disabled
/interface wireless manual-tx-power-table
set 2.4ghz manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:0,HT20-
1:0,HT20-2:0,HT20-3:0,HT20-4:0,HT20-5:0,HT20-6:0,HT20-7:0,HT40-0:0,HT40-1:0,HT40-2:0,HT40-3:0,HT40-4:0,HT40-5:0,HT40-6:0,HT40-7:0"
set 900mhz manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:0,HT20-
1:0,HT20-2:0,HT20-3:0,HT20-4:0,HT20-5:0,HT20-6:0,HT20-7:0,HT40-0:0,HT40-1:0,HT40-2:0,HT40-3:0,HT40-4:0,HT40-5:0,HT40-6:0,HT40-7:0"
set Ames
set Fujii
set Carrillos
/interface wireless nstreme
set 2.4ghz disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=3200 framer-policy=none
set 900mhz disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=3200 framer-policy=none
# Three stale "(unknown)" entries left over from removed interfaces; harmless but worth cleaning up.
set "(unknown)"
set "(unknown)"
set "(unknown)"
# bridge1 ports: ether1, the 900mhz uplink, the open 2.4ghz hotspot AP and the Ames/Fujii
# WPA APs all share one broadcast domain with horizon=none (no split horizon). WPA
# households therefore sit on the same L2 segment as anonymous hotspot clients and the
# uplink; use bridge horizon values or bridge filter rules if they should be isolated.
# Carrillos is deliberately absent: it is routed (DHCP + srcnat) rather than bridged.
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=ether1 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=900mhz path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=2.4ghz path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=Ames path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=Fujii path-cost=10 point-to-point=auto priority=0x80
# use-ip-firewall=no: traffic bridged between ports bypasses /ip firewall entirely, so the
# NAT and any future filter rules only ever see routed traffic (the Carrillos subnet),
# never the bridged hotspot/Ames/Fujii clients.
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
# All four VPN servers are enabled=no. If one is ever switched on, note the current
# settings still accept pap/chap, md5 and blowfish and set require-client-certificate=no
# / verify-client-certificate=no; tighten these before exposing any of them.
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 mac-address=FE:EC:4C:62:54:11 max-mtu=1500
mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled
port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 frames-per-second=25 receive-all=
no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no
streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
[tony@MikroTik] >

Hi,

Look at your `/ip firewall nat` rule: its out-interface is "(unknown)", i.e. it points at an interface that no longer exists, so it can never match anything:

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface="(unknown)"

Oops sorry I was trying different things before I sent my dump. I changed it to

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface="900mhz"

with no success. Looking at the statistics for the NAT rule, nothing is matching it.

Out interface must be the interface to the rb433

Yes, that's the 900mhz interface. That doesn't work.

OK, I got it working. I had to put it on the bridge (out-interface=bridge1). That makes sense from the export: 900mhz is a port of bridge1, and the 192.168.0.204 address and the default route both live on bridge1, so routed packets leave through bridge1 rather than through the 900mhz port, and srcnat only matches on the interface the router actually routes out of. One consequence: the whole household now reaches the hotspot as 192.168.0.204, so the hotspot IP binding should be for that address (or the RB411's bridge MAC).

Thanks for your help.

karma vote please!, I need to catch fewi… :laughing: :laughing: :laughing: