Hello all,
I have set up a wds bridge as per the wiki and the two machines (rb 532s w/atheros cards if that matters) can ping each other. That’s as far as I have gotten. The Station is connected to my lan on ether1 via dhcp and gets an ip and can get to the internet. The AP can ping wlan1 but cannot ping the ether1 ip or the gateway.
If anybody can tell me what I need to add to allow traffic from the AP to route correctly over the internet through the Station I would appreciate it very much. Big picture I’d like to attach another LAN to the AP and this would connect to the internet via this connection.
Thanks!
I had a bit of trouble figuring out the wiki. I use CLI, so translate if necessary.
I will use ether2 and wlan2 on each end of the bridge as an example.
I use 10.0.x.x for the ether2 ports, and 10.1.x.x for the bridge interfaces. None for the wlan2 cards. Just enable them.
On the AP (ap-bridge mode):
/ip address add address=10.0.0.1/24 interface=ether2
/interface bridge add name=bridge1
/interface bridge port add interface=ether2 bridge=bridge1
/interface bridge port add interface=wlan2 bridge=bridge1
/ip address add address=10.1.0.1/24 interface=bridge1
/interface wireless set wlan2 wds-mode=dynamic wds-default-bridge=bridge1
On the Station (station-wds mode):
/ip address add address=10.0.0.2/24 interface=ether2
/interface bridge add name=bridge1
/interface bridge port add interface=ether2 bridge=bridge1
/interface bridge port add interface=wlan2 bridge=bridge1
/ip address add address=10.1.0.2/24 interface=bridge1
/interface wireless set wlan2 wds-mode=dynamic wds-default-bridge=bridge1
I found I have to masquerade this setup as “out-interface=bridge1” on the station:
/ip firewall nat add chain=srcnat action=masquerade out-interface=bridge1
Hope all that is right.
Hi; from this statement you wrote, I assume that you are connecting to your AP via wireless and not via Ethernet.
Really, I need to test such a connection myself to answer your questions, because I have only configured RouterOS working as an AP bridge with WDS, to connect access points with it.
It worked fine, but connecting another MT to receive WDS and re-send it again is something I haven't done before.
Anyway, there are two types of WDS: station WDS, which I think should be connected to the internet, and slave WDS, which is at the client side.
I am not sure if a WDS slave reads the wireless signal and sends it again to wireless users, or if they should connect by wire.
There are many ways to achieve your requirement.
- Some use a direct route from wlan2 at the AP side to ether1 at the station side.
- Some will use NAT as follows:
Assume the internet IP is 10.1.1.1, the wlan1 IP is 192.168.0.1 and wlan2 is 192.168.0.2.
Both wlan interfaces are in the same network, so at the AP side just add a route to GW 192.168.0.1.
At the station side you should add a NAT rule:
/ ip firewall nat
add chain=srcnat out-interface=!wlan1 src-address=!192.168.0.1 \
    action=masquerade comment="" disabled=no
First you should add an IP to ether1 and wlan1, and then add a route to your ISP GW.
If you need to connect PCs to the AP via UTP cable, you could make bridge1, add two ports to it ("wlan2" and "ether2"), and put the IP 192.168.0.2 on bridge1.
Important note:
When you work with WDS, you should be sure that the WDS is running all the time.
Go to New Terminal and write the following command:
/interface wireless export
You will get a long list; copy this from it:
/ interface wireless
set wlan1 name="wlan1" mtu=1500 mac-address=aa:bb:cc:dd:ee:ff arp=enabled \
    disable-running-check=no radio-name="aabbccddeeff" mode=ap-bridge \
    ssid="your wireless network name" area="" frequency-mode=manual-txpower \
    country=no_country_set antenna-gain=0 frequency=xxxx band=2.4ghz-b/g \
    scan-list=default rate-set=default \
    supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps \
    supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007 \
    ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default \
    periodic-calibration=default periodic-calibration-interval=60 \
    burst-time=disabled dfs-mode=none antenna-mode=ant-a wds-mode=static \
    wds-default-bridge=bridge1 wds-default-cost=100 wds-cost-range=50-150 \
    wds-ignore-ssid=no update-stats-interval=disabled \
    default-authentication=yes default-forwarding=no default-ap-tx-limit=0 \
    default-client-tx-limit=0 proprietary-extensions=post-2.9.25 hide-ssid=no \
    security-profile=default disconnect-timeout=3s on-fail-retry-time=100ms \
    preamble-mode=both compression=no allow-sharedkey=no comment="" \
    disabled=no
Select this part, copy it and paste it into a text file, then change disable-running-check from NO to YES.
Select it all, copy it, go to New Terminal and paste it there.
Add wds1 from the wireless menu and put in the MAC of the AP device, then go to New Terminal again and type again:
/interface wireless export
This time select this part and copy it to a text file:
/ interface wireless wds
add name="wds1" mtu=1500 arp=enabled disable-running-check=no \
    master-interface=wlan1 wds-address=00:00:00:00:00:00 comment="" disabled=no
Change disable-running-check to yes, select it all and copy it; this time you should delete wds1 first, then go to New Terminal and paste.
In this way your wds1 will be running all the time, and when you add it to bridge1 you will not see the ! mark with it.
I made the quote to say I do not agree with you on this, but when I read it carefully and wrote it out on paper while smoking a cigarette, I found it a pretty trick, and I will think more about it to use it in another case.
Thanks to you and to the cigarette.
You just need to put a route on the station side to the ISP GW and I think it will work.
Do not forget to follow the important note above.
With best regards
Thank you guys - that worked great
I had everything but /ip firewall nat add chain=srcnat action=masquerade out-interface=bridge1 and that did the trick!
So, since I had everything working I decided that I needed to make some changes!
I changed ether1 to static ip (172.16.0.103/24) and added that ip to the bridge. I can ssh in from my lan (192.168.0.0/24 - different interface on a shared firewall) so that ip is coming up. From the Station I can ping other machines inside the firewall, including those on different interfaces, but I cannot get out to the internet. The gateway for this subnet is 172.16.0.1 so I figured that I would add this as a route, to no avail. I think this is a route issue but I am at my wits end. Any thoughts?
Here are my current routes:
[admin@routername] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 ADC 10.6.6.0/24 10.6.6.1 bridge1
1 ADC 172.16.0.0/24 172.16.0.103 bridge1
2 X S 0.0.0.0/0 u 10.10.10.254
3 A S 0.0.0.0/0 r 172.16.0.1 bridge1
A local ping ( to the machine I’m ssh-ing in from):
[admin@routername] ip route> /ping 192.168.1.48
192.168.1.48 64 byte ping: ttl=63 time=2 ms
192.168.1.48 64 byte ping: ttl=63 time=1 ms
192.168.1.48 64 byte ping: ttl=63 time=1 ms
192.168.1.48 64 byte ping: ttl=63 time=1 ms
4 packets transmitted, 4 packets received, 0% packet loss
And a remote ping (I have confirmed that I can ping this computer from other machines in the same subnet):
[admin@routername] ip route> /ping 216.68.1.100
216.68.1.100 ping timeout
216.68.1.100 ping timeout
3 packets transmitted, 0 packets received, 100% packet loss
Just to follow up, the problem had nothing to do with my routes, it was a firewall issue (with my firewall not the Station, I had forgotten to set the binat rule for the ip).
Doh!
All that worked great for outbound traffic, now I am trying to forward traffic to a server on the AP side.
Something like this:
my firewall (172.16.0.1) ↔ (172.16.0.103) Station (10.6.6.1) ↔ AP (10.6.6.2) ↔ remote server (10.6.6.3)
The remote server can get out with minimal issue but all inbound traffic seems to stop at the Station. That’s probably good (I can remotely ssh in, etc) but it isn’t what I need. I added the following rules in ip->firewall->filter:
[admin@RouterName] ip firewall filter> p
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward src-address=10.6.6.2 dst-address=0.0.0.0 action=accept
1 chain=forward src-address=172.16.0.103 dst-address=0.0.0.0 action=accept
2 chain=forward src-address=0.0.0.0 dst-address=172.16.0.103 action=accept
3 chain=input src-address=0.0.0.0/0 action=accept
4 chain=input protocol=udp action=accept
5 chain=input protocol=icmp limit=50/5s,2 action=accept
6 chain=input protocol=tcp dst-port=0-65535 action=accept
7 chain=input src-address=0.0.0.0 action=accept
But that didn’t do it. Do I need to add some NAT rules, additional filter rules (or are these broken)? Any help would be appreciated.
Thanks!
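The filter rules printed in the post above, run through a small audit script. This is an added example, not part of the original post or of RouterOS; it assumes that an address written without a prefix length is a single-host (/32) match and that a missing matcher means "any", and it compares addresses only.

```python
import ipaddress

# Rules copied from the `ip firewall filter print` output in the post above.
RULES = """\
0 chain=forward src-address=10.6.6.2 dst-address=0.0.0.0 action=accept
1 chain=forward src-address=172.16.0.103 dst-address=0.0.0.0 action=accept
2 chain=forward src-address=0.0.0.0 dst-address=172.16.0.103 action=accept
3 chain=input src-address=0.0.0.0/0 action=accept
4 chain=input protocol=udp action=accept
5 chain=input protocol=icmp limit=50/5s,2 action=accept
6 chain=input protocol=tcp dst-port=0-65535 action=accept
7 chain=input src-address=0.0.0.0 action=accept
"""

def parse(text):
    """Yield (number, {matcher: value}) for each printed rule."""
    for line in text.splitlines():
        num, rest = line.split(None, 1)
        yield int(num), dict(kv.split("=", 1) for kv in rest.split())

def net(value):
    # Assumption: no prefix length means one host (/32); no matcher means any.
    return ipaddress.ip_network(value or "0.0.0.0/0")

def first_match(text, chain, src, dst):
    """First rule whose chain and addresses match (protocol and port ignored)."""
    for num, r in parse(text):
        if (r["chain"] == chain
                and ipaddress.ip_address(src) in net(r.get("src-address"))
                and ipaddress.ip_address(dst) in net(r.get("dst-address"))):
            return num
    return None

def audit(text):
    """Map rule number -> list of findings."""
    findings = {}
    for num, r in parse(text):
        notes = [f"{k}=0.0.0.0 matches only host 0.0.0.0; use 0.0.0.0/0 or omit"
                 for k in ("src-address", "dst-address") if r.get(k) == "0.0.0.0"]
        any_src = net(r.get("src-address")).prefixlen == 0
        any_port = r.get("dst-port") in (None, "0-65535")
        if (r["chain"] == "input" and r["action"] == "accept"
                and any_src and any_port and "limit" not in r):
            notes.append(f"accepts {r.get('protocol', 'all')} traffic from any source to the router")
        if notes:
            findings[num] = notes
    return findings

if __name__ == "__main__":
    print(audit(RULES))
```

Under that assumption none of the three forward rules matches traffic between the server and an internet host, while rules 3, 4 and 6 leave the router's own input chain open to any source.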
This ended up being pretty simple, even if it took me forever to figure it out.
On the station I did:
/ip firewall nat add chain=dstnat dst-address=172.16.0.103 action=dst-nat to-addresses=10.6.6.2
And then on the AP I did:
/ip firewall nat add chain=dstnat dst-address=10.6.6.2 action=dst-nat to-addresses=10.6.6.3
And it works!