Wireless Bridging

I’ve been working on getting this achieved for a collective of 6 hours at least and am all googled out. I’m replacing my old Cisco running DD-WRT with a 951g and am trying to achieve the following config:

[Internet–Ubiquiti Network on 192.168.0.0/24| {Wireless} [Mikrotik on 192.168.88.0/24]

Goal will be to have both networks be able to see each other, but I want the option to disconnect the 88 network during network backups.

I’ve got the Mikrotik connected to my network via wifi, nat is off since I don’t need it, firewall rules are disabled, the MT router has internet directly, but I haven’t been able to share the internet connection with the lan ports even though all ports are bridged.

The only thing that’s been done from default is to bridge all ports, set wlan1 as dhcp client and connect to my network.

Any input would be awesome. Thanks!

Unfortunately a true wireless bridge between vendors is not possible. This is a shortcoming of the WDS (wireless bridging) spec.

Your options are:

  • use mode=station-pseudobridge (masquerades all clients on MT side as MT MAC; IPv4 only)
  • set MT as AP, add virtual client on Ubiquiti (MT won’t be able to see other clients on Ubiquiti side)
  • buy a 2nd MT router, attached wired to the Ubiquiti, use to form EoIP link to MT AP
  • don’t bridge, route

Of course none of these options are great. Though I’ve never worked with Ubiquiti gear, so maybe there are better options.

I did something like this for my house. It’s not WDS.

FTTH 30mbps ------ RB2011UAS-2HnD (my router) ------ hAP Lite —{wifi}Asus RT-N2D1(Neighbour) ------ FTTH 30mbps

The hAP Lite is acting as a wireless repeater (station pseudobridge). My network is 10.0.1.0/24 and neighbour’s is 192.168.1.0/24. Both networks can see each other. I did it for load balancing.

RB2011 is 10.0.1.1.
RB2011’s Ether10 is 192.168.251 and connected to the hAP Lite and of course, a dynamic route is created: dst-address=192.168.1.0/24 gateway=ether10-wan2
hAP Lite is 192.168.1.250 with this route dst-address=10.0.1.0/24 gateway=192.168.1.251
Asus has this route dst-address=10.0.1.0/24 gateway=192.168.1.250

I’m still very much a beginner so not sure if that’s the correct way to do it but it works.

Sounds like all you need is a static route on the Ubiquiti side of the network, pointing 192.168.88.0/24 to the 192.168.0.x IP assigned to the DHCP client on the MikroTik. This should of course be made static.

Thanks for the input. I’ll play with it more tonight and this weekend. Coming from using a Cisco DDWRT setup with DHCP forwarding, wanted to take some of the load off my main router during backups.

So seems after playing around with routing on the ubnt, nat and user modes on the MT, it seems like I’ve covered all the options and still unable to get access to the Ethernet ports. What else could I possibly be missing?

Hi,

Could you post a network diagram and also your mikrotik config ( /export hide-sensitive ) ?

kind regards,

This what you’re looking for?

# mar/09/2017 19:37:57 by RouterOS 6.30.4
# software id = 7YT0-ZJ14
#
/interface bridge
add admin-mac=E4:8D:8C:74:3D:83 auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=Merc
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
    frequency=2422 l2mtu=1600 security-profile=Merc ssid=Merc \
    wds-default-bridge=bridge-local wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/interface bridge nat
# in/out-bridge-port matcher not possible when interface (wlan1) is not slave
add chain=srcnat out-interface=wlan1
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local disabled=yes interface=wlan1
add bridge=bridge-local interface=ether1-gateway
add bridge=bridge-local
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether1-gateway network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=wlan1
/ip dhcp-server lease
add address=192.168.88.254 client-id=1:58:b0:35:fd:cd:d9 mac-address=\
    58:B0:35:FD:CD:D9 server=default
add address=192.168.88.113 mac-address=00:90:A9:F7:BA:EE
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface=ether1-gateway
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input disabled=yes in-interface=wlan1
/ip firewall nat
add chain=srcnat disabled=yes out-interface=wlan1
add action=masquerade chain=srcnat out-interface=wlan1
/ip route
add distance=1 dst-address=192.168.0.222/32 gateway=192.168.0.1
/ip traffic-flow
set interfaces=bridge-local
/system clock
set time-zone-name=America/Phoenix
/system leds
set 0 interface=wlan1
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether1-gateway
add interface=ether2-master-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether1-gateway
add interface=ether2-master-local
/tool romon port

Any other thoughts? 🙂

Still looking for a solution 🙁

Looks like this has been solved! Woot. Finally. Probably some unnecessaries?

# mar/20/2017 19:33:37 by RouterOS 6.30.4
# software id = 7YT0-ZJ14
#
/interface bridge
add admin-mac=E4:8D:8C:74:3D:83 auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
/interface eoip
add !keepalive mac-address=02:9A:87:0C:51:A2 name=eoip-tunnel1 \
    remote-address=192.168.0.222 tunnel-id=0
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=Merc
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
    frequency=2422 l2mtu=1600 mode=station-pseudobridge security-profile=Merc \
    ssid=Merc wds-default-bridge=bridge-local wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/interface bridge nat
add chain=srcnat out-interface=wlan1
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether1-gateway
add bridge=bridge-local interface=eoip-tunnel1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether1-gateway network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=wlan1
/ip dhcp-server lease
add address=192.168.88.254 client-id=1:58:b0:35:fd:cd:d9 mac-address=\
    58:B0:35:FD:CD:D9 server=default
add address=192.168.88.113 mac-address=00:90:A9:F7:BA:EE
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface=ether1-gateway
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input disabled=yes in-interface=wlan1
/ip firewall nat
add chain=srcnat disabled=yes out-interface=wlan1
# in/out-interface matcher not possible when interface (wlan1) is slave - use master instead (bridge-local)
add action=masquerade chain=srcnat out-interface=wlan1
/ip route
add distance=1 dst-address=192.168.0.222/32 gateway=192.168.0.1
/ip traffic-flow
set interfaces=bridge-local
/system clock
set time-zone-name=America/Phoenix
/system leds
set 0 interface=wlan1
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether1-gateway
add interface=ether2-master-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether1-gateway
add interface=ether2-master-local
/tool romon port

I wanted to chime back in on this if anyone has any thoughts. I decided to try to change my MTK to pass dhcp requests, since accessing the wired network became difficult and the double firewalled connection was stupid slow. After looking and looking, it occurred to me that according to the wiki, the mtk can’t pass DHCP requests and the MAC over wifi (which my old DD-WRT router DID do, still don’t get why this isn’t possible with mtk?).

Does anyone have any thoughts or potential solutions before I get rid of the MTK for something less time-consuming?

Goal:
[Internet–Ubiquiti Network on 192.168.0.0/24| {Wireless} [Mikrotik on same lan with 2-3 devices WIRED]

When you have mikrotik on both sides in bridging mode, it works reliably. At least for me…

I don’t have MTK on both sides. I wanna know the logic behind that one, why the lack of compatibility with non routerboard.

I’m a little confused here cap’n. You want to bridge (layer 2) your Ubiquiti network (192.168.0.0/24) to the LAN ports of your MikroTik?

This is a different objective than your original post. I just want to be crystal clear on your expectation.

If your goal is to bridge (layer 2) your 192.168.0.0/24 network via wireless and have all services function, that is not possible. The method that would work the cleanest is station-bridge. That requires like hardware. The MikroTik wiki clearly calls this out as only MikroTik to MikroTik hardware for their particular implementation, like one of the earlier replies hinted at. You can blame the WDS standard for this incompatibility. They called out the need for this behavior but left it up to each vendor to implement it independently, meaning it is a standard that only works when each vendor implements it in a like fashion. Typically this boils down to chip-set constraints of the actual wireless brand. You can try the station-wds mode but no promises there on whether it will work or not. That’s supposed to be MikroTik proprietary as well but can provide the 4-address frame like some other WDS implementations might be expecting.

If you’re serious about your original statement, having 192.168.0.0/24 separate from 192.168.88.0/24 then it is possible to connect via wireless to 192.168.0.0/24 and route packets to your 192.168.88.0/24 network. You can even have a single layer of NAT if you add a route to the Ubiquiti router.

For this setup, you’d use the regular station mode and connect the MikroTik to your 192.168.0.0/24 wireless network. It’d be best to assign a static IP to the WLAN interface. Then create a static route on the Ubiquiti device to point to the MikroTik device IP for the destination of 192.168.88.0/24. Then you’ll need to provide a DHCP server for the LAN ports on the network of 192.168.88.0/24 locally on the MikroTik. If you wish to have the MikroTik also broadcast an SSID you’ll need a device with 2 radios I believe (wlan1 and wlan2). I’m not sure if you can set virtual APs in different modes and how well that would work sharing a single radio (it would for sure cut bandwidth in half).
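
The routed setup described in the reply above, written out as RouterOS commands against the 6.30.4 export posted earlier in the thread. This is an added example, not part of any poster's message: the static address 192.168.0.2 is an assumption (the gateway 192.168.0.1 and interface names come from the export), and the two disabled forward rules are an added way to meet the original goal of cutting off the 88 network during backups.

```routeros
# Added example. 192.168.0.2 is an assumed free address on the Ubiquiti LAN.

# 1. wlan1 joins the Ubiquiti SSID as a plain routed client, not a bridge port.
/interface wireless
set [ find default-name=wlan1 ] mode=station ssid=Merc security-profile=Merc \
    disabled=no
/interface bridge port
remove [ find interface=wlan1 ]
remove [ find interface=eoip-tunnel1 ]

# 2. Static address on wlan1 so the route on the Ubiquiti side never goes stale.
/ip dhcp-client
remove [ find interface=wlan1 ]
/ip address
add address=192.168.0.2/24 interface=wlan1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1
/ip dns
set servers=192.168.0.1

# 3. The LAN gateway address belongs on the bridge, not on one of its ports.
#    The DHCP server in the export already listens on bridge-local.
/ip address
set [ find address="192.168.88.1/24" ] interface=bridge-local

# 4. No NAT on the MikroTik: the Ubiquiti router does the only NAT layer.
/ip firewall nat
disable [ find out-interface=wlan1 ]
/interface bridge nat
remove [ find out-interface=wlan1 ]

# 5. Isolation switch for backup windows, created disabled.
#    These land after the accept established,related rules, so they only
#    stop new connections; move them to the top to cut existing sessions too.
/ip firewall filter
add chain=forward action=drop in-interface=bridge-local out-interface=wlan1 \
    disabled=yes comment="isolate-88"
add chain=forward action=drop in-interface=wlan1 out-interface=bridge-local \
    disabled=yes comment="isolate-88"

# Turn isolation on / off:
#   /ip firewall filter enable  [ find comment="isolate-88" ]
#   /ip firewall filter disable [ find comment="isolate-88" ]

# On the Ubiquiti router: static route 192.168.88.0/24 via 192.168.0.2
# (syntax depends on the Ubiquiti model and is not shown here).
```

The export leaves the input-chain drop on wlan1 disabled; with wlan1 now facing another network at layer 3, that rule decides whether hosts on 192.168.0.0/24 can reach the router's own services.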