I have a Mikrotik router (2011UiAS-2HnD) and a wireless AP (RBcAPGi-5acD2nD). The router is connected to a cable modem, and the AP's ether1 is plugged into the router (via a GS208 switch). The router has DHCP on 192.168.123.0/24 (100..199). The AP has DHCP on 192.168.130.0/24 (100..199), though it has a fixed IP of 192.168.123.2 on its ether1.
Wireless devices on the 192.168.130.0/24 network are able to interact with the outside world and with devices on the 192.168.123.0/24 network, but devices on 192.168.123.0/24 cannot interact with devices on 192.168.130.0/24. There is a static route on the router that sends traffic for 192.168.130.0/24 to 192.168.123.2, but that seems to be insufficient (or incorrect).
Any pointers would be appreciated!
Sanitized export from the 2011UiAS-2HnD router:
# Export of the main router (2011UiAS-2HnD). RouterOS evaluates firewall rules
# top-down within each chain, and a chain accepts whatever no rule matched, so
# rule order below matters.
# NOTE(review): the wrapped lines (e.g. "protocol=tcp" followed by "src-port=587")
# appear to have lost the trailing continuation marker a real export carries;
# read each "add ..." line together with the line that follows it.
oct/26/2024 12:56:56 by RouterOS 6.49.13
software id = KLJL-ZM9C
model = 2011UiAS-2HnD
serial number = XXX
/interface bridge
add admin-mac=XXX auto-mac=no fast-forward=no name=bridge-house
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether4 ] comment="house LAN" speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/ip pool
add name=pool-house ranges=192.168.123.100-192.168.123.199
/ip dhcp-server
add add-arp=yes address-pool=pool-house authoritative=after-2sec-delay
disabled=no interface=bridge-house lease-time=1h name=dhcp-house
/interface bridge port
# Only ether4 (to the GS208 switch, and through it the AP's ether1) is bridged.
add bridge=bridge-house comment="to home switch" interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether4 list=discover
add interface=wlan1 list=discover
add interface=bridge-house list=discover
/ip address
add address=192.168.123.1/24 interface=bridge-house network=192.168.123.0
/ip dhcp-client
# ether1 is the WAN (cable modem) side.
add comment=defconf disabled=no interface=ether1
# NOTE(review): this second client entry shows no interface= in the export —
# confirm which interface it is bound to, or remove it if it is a leftover.
add add-default-route=no disabled=no use-peer-dns=no use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=1h
/ip dhcp-server network
add address=192.168.123.0/24 comment=house gateway=192.168.123.1
/ip dns
# The router answers DNS for clients; the input chain below decides who can
# reach it (the "drop all from WAN" rule keeps ether1 out, see the note on the
# SMTP rule for the one gap).
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=8.8.8.8 name=Google
/ip firewall address-list
# Used by the ICMP accept rule; 192.168.0.0/16 is wider than the two LANs here.
add address=192.168.0.0/16 comment="from private IP" list=accept-icmp
/ip firewall filter
# NOTE(review): this rule matches src-port=587 (the sender's port), not
# dst-port, and it sits above "drop all from WAN" with no in-interface limit.
# It therefore does not restrict anything to SMTP; instead any inbound TCP
# packet whose source port happens to be 587 — on any interface, ether1
# included — is accepted into the router's input chain ahead of the WAN drop.
# Nothing in this export listens on 587, so the rule looks like a leftover:
# remove it, or if a service is really intended use dst-port=587 together with
# an in-interface restriction.
add action=accept chain=input comment="permit incoming SMTP" protocol=tcp
src-port=587
# ICMP to the router itself is accepted only from the accept-icmp list.
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=ICMP
protocol=icmp src-address-list=accept-icmp
add action=drop chain=input comment="drop ICMP from WAN" in-interface=ether1
protocol=icmp
add action=accept chain=input comment="defconf: accept established,related"
connection-state=established,related
# Everything above this line is what the WAN can reach on the router itself.
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=
ether1
add action=accept chain=forward comment="defconf: accept established,related"
connection-state=established,related
add action=drop chain=forward comment="Drop if connection state is invalid"
connection-state=invalid
add action=drop chain=forward comment=
"Drop new connections from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface=ether1
# No final drop in the forward chain: anything not matched above is forwarded,
# so 192.168.123.0/24 -> 192.168.130.0/24 traffic is not blocked by this router.
add action=passthrough chain=forward comment="count packets"
/ip firewall nat
add action=masquerade chain=srcnat comment="IMPORTANT masquerade out ether1"
out-interface=ether1
/ip route
# Sends traffic for the wireless subnet to the AP's ether1 address. This route is
# correct as far as this router goes; the traffic is stopped on the AP instead
# (in the AP export below, ether1 is in the WAN interface list and the AP's
# forward chain drops new connections from WAN).
add comment="Static route to Sigma7 wifi router" distance=1 dst-address=
192.168.130.0/24 gateway=192.168.123.2
/lcd interface pages
set 0 interfaces=
sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
/system clock
set time-zone-name=XXX
/system clock manual
set time-zone=XXX
/system identity
set name=XXX
/system logging
add disabled=yes topics=ipsec
/system routerboard settings
set silent-boot=yes
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Sanitized export from the RBcAPGi-5acD2nD AP:
# Export of the wireless AP (RBcAPGi-5acD2nD). It runs as a router with NAT, not
# as a transparent bridge: ether1 (192.168.123.2) is the only link to the main
# LAN, it is not a bridge port, and it is a member of the WAN interface list, so
# the default firewall/NAT rules below treat the main LAN as untrusted.
oct/26/2024 13:25:18 by RouterOS 6.49.13
software id = KQI9-WQRJ
model = RBcAPGi-5acD2nD
serial number = XXX
/interface bridge
add admin-mac=XXX auto-mac=no comment="Bridge wan1, & wan2 - see Bridge|Ports" name=bridge_LAN
/interface ethernet
set [ find default-name=ether1 ] comment="Connection to 192.168.123.x"
set [ find default-name=ether2 ] comment="Not connected"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA2-PSK only; both radios below use this profile.
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=profile1 supplicant-identity="" wpa-pre-shared-key="XXX" wpa2-pre-shared-key="XXX"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=XXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name="wlan1 (2GHz)" security-profile=profile1 ssid=XXX station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=XXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name="wlan2 (5GHz)" security-profile=profile1 ssid=XXX station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=dhcp_pool ranges=192.168.130.100-192.168.130.199
/ip dhcp-server
# DHCP is served on bridge_LAN (the radios) only; ether1 is not in that bridge.
add address-pool=dhcp_pool disabled=no interface=bridge_LAN lease-time=8h name=wireless_dhcp
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
# Both radios and the unused ether2 are bridged; ether1 is deliberately left out.
add bridge=bridge_LAN comment=defconf interface="wlan1 (2GHz)"
add bridge=bridge_LAN comment=defconf interface="wlan2 (5GHz)"
add bridge=bridge_LAN comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge_LAN list=LAN
# ether1 in the WAN list is what makes reachability one-way: the input rule
# "drop all not coming from LAN", the forward rule "drop all from WAN not
# DSTNATed" and the srcnat masquerade below all key off this membership.
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.130.2/24 comment="Set IP address for LAN/wifi bridged interface" interface=bridge_LAN network=192.168.130.0
# Matches the gateway used by the main router's static route for 192.168.130.0/24.
add address=192.168.123.2/24 comment="Set IP address for WAN (connection to main router)" interface=ether1 network=192.168.123.0
/ip dhcp-client
# NOTE(review): a DHCP client on ether1 next to the static 192.168.123.2 may add
# a second address (and, by default, a second default route) whenever it gets a
# lease — confirm it is wanted, or disable it now that the address is static.
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.130.0/24 comment=defconf gateway=192.168.130.2 netmask=24
/ip dns
# Client DNS is forwarded to the main router.
set allow-remote-requests=yes servers=192.168.123.1
/ip dns static
add address=192.168.130.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMP is accepted from any interface before the LAN-only rule, so the AP
# answers ping from 192.168.123.x even though other management does not.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Management of the AP (ssh/winbox) is reachable only from the wireless side.
# If it must be managed from the main LAN, add an accept rule for
# in-interface=ether1 src-address=192.168.123.0/24 above this one rather than
# removing it.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# This is what blocks 192.168.123.x -> 192.168.130.x: those packets arrive on
# ether1 (WAN list) as new connections and are not DST-NATed, so they are
# dropped here. Wireless clients work in the other direction because their
# connections start on the LAN side and the replies match established,related.
# Least-invasive fix: insert, above this rule, an accept such as
#   add action=accept chain=forward in-interface=ether1 src-address=192.168.123.0/24 dst-address=192.168.130.0/24
# so the WAN drop still applies to everything else. (Alternatively the AP could
# be made a plain bridge — ether1 in bridge_LAN, DHCP server and NAT off — giving
# one flat LAN, but that is a larger change.)
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Wireless clients are hidden behind 192.168.123.2 towards the main LAN. With
# the main router's static route for 192.168.130.0/24 in place this masquerade
# is not needed between the two private subnets; leaving it on means hosts on
# 192.168.123.x see every wireless device as 192.168.123.2 (logging, per-host
# rules on the main router).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
# No dst-address is given, so this is the AP's default route via the main router.
add comment="Static route to 192.168.123.0/24 network" distance=1 gateway=192.168.123.1
/ip service
# telnet/ftp/www/api/api-ssl are off; whatever remains enabled (not shown in the
# export) is still gated by the "drop all not coming from LAN" input rule.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=XXX
/system identity
set name="XXX"
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
# Default LED toggle bound to the mode button; the body is an escaped string.
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r
\n :if ([system leds settings get all-leds-off] = "never") do={\r
\n /system leds settings set all-leds-off=immediate \r
\n } else={\r
\n /system leds settings set all-leds-off=never \r
\n }\r
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN