Forage
newbie
Topic Author
Posts: 27
Joined: Tue Aug 22, 2017 8:39 pm

hAP AC + wAP R

Wed Feb 14, 2018 3:14 pm

Hi,

I'd like to combine a hAP AC with a wAP R, where the former would be used as the main DHCP server and the latter would be used to get an LTE internet connection for the complete network and extend WiFi network coverage.
What I'd like to prevent is having to configure the same things on the two devices in terms of open and closed ports, guest network (only providing limited internet access), DHCP range, etc.
In a way the wAP R would be nothing more than a passthrough device, but it would still need to provide the internet connection for the whole network.

Giving both WiFi networks the same name and password should do the trick for extending the WiFi coverage, but I do not really have an idea how to do the rest.
Not knowing all the jargon and thus what to look for: How would I configure the two devices to achieve this? Can the wAP R just act as a DHCP client as well instead of having a fixed IP?
Will I still be able to access the wAP R webUI to deal with the LTE connection?
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: hAP AC + wAP R

Wed Feb 14, 2018 8:59 pm

You don't need to do anything special on the wAP R. Give its interface an IP (you'll probably create a bridge, that is the interface I'm referring to), set the ip route and your DNS to be your hAP's IP, good to go.
 
mkx
Forum Guru
Posts: 11621
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP AC + wAP R

Wed Feb 14, 2018 9:46 pm

It would be much easier if you configured your wAP R as your main router (and firewall).

The other possibility would be to create a "wan" VLAN, spanning LTE interface on wAP and hAP. In this case wAP would only shuffle bits between hAP and LTE modem. But you have to be careful not to allow any traffic between wAP other interfaces (wifi, untagged ethernet) and LTE interface. Probably wAP would need to do NAT ... even though only hAP would in practice talk to the internet.
Probably you would need two bridges in wAP: one spanning LTE interface with "wan" VLAN interface. The other bridge would span all other interfaces (LAN and wlan).

Again: it would be much easier if wAP would be router and default gateway for your network even though hAP is more powerful device than wAP. Other functionality can be done on hAP ... I wonder if that's necessary, routing is the most CPU consuming task in typical home LAN.

All of the above assumes that LTE modem presents itself as a serial device in RouterOS, meaning that ROS runs some kind of PPP client. If LTE modem presents itself as an ethernet device, running DHCP/NAT/... services (I've seen such USB-connected LTE modems, smart phones with USB tethering are similar), then life would be much easier ... you'd just create a VLAN, connecting LTE modem and hAP, hAP would do the rest.
 
Forage
newbie
Topic Author
Posts: 27
Joined: Tue Aug 22, 2017 8:39 pm

Re: hAP AC + wAP R

Fri Feb 16, 2018 3:02 pm

Thanks for your advice.

The two responses are two extremes, how can that be?

I forgot to add that I will be connecting the wAP R with the hAP AC with an Ethernet cable. The internet connection is obtained by a mini-PCIe card in the wAP R.

Examples I found for configuring multiple devices with an access point all assume they are connected wirelessly, or they don't mention it at all. In those cases the wireless interface of one is set to "ac bridge" and the other as "station". Would it be the same if the two are connected by wire?

I assume I'd need to disable NAT and the DHCP Server of the wAP R, to only have the hAP giving the IP addresses.

@pcunite: you talk about creating a bridge, but in what way?
 
mkx
Forum Guru
Posts: 11621
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP AC + wAP R

Fri Feb 16, 2018 5:54 pm

The difference in answers above comes from different understanding of what you want to do I guess.

If you want to use both APs to provide wlan coverage, then the two radios are completely independent ... all you need to set are same SSIDs and same security profiles. wifi devices will then autonomously decide about which AP they will use in certain moment. You need to make sure that only one device will serve DHCP answers, but that's obvious way to go in any SOHO network - wired or wireless.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: hAP AC + wAP R

Sat Feb 17, 2018 1:18 am

@pcunite: you talk about creating a bridge, but in what way?

Configure the hAP to provide wifi, dhcp, routing to the internet, etc. On the wAP R, plug its ether1 into hAP's ether2 (or whatever is available), and set up wAP something like so.
/system identity
set name=wAPR

/interface bridge
add name=bridge-LAN protocol-mode=none

/interface bridge port
add bridge=bridge-LAN interface=ether1
add bridge=bridge-LAN interface=wlan1
add bridge=bridge-LAN interface=wlan2
add bridge=bridge-LAN interface=LTE_whatever

/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1

/ip address
add address=10.1.1.2/24 interface=bridge-LAN

/ip route
add distance=1 gateway=10.1.1.1

/ip dns
set servers=10.1.1.1

/interface wireless
# standard settings

/interface wireless security-profiles
# standard settings
 
Forage
newbie
Topic Author
Posts: 27
Joined: Tue Aug 22, 2017 8:39 pm

Re: hAP AC + wAP R

Thu Feb 22, 2018 9:10 pm

I disabled the wAP's firewall rules, I stripped all extra configuration, but I still can not get internet sharing to work...

I can happily ping or traceroute with the lte1 interface, so I have a connection, but where the following was enough with an LTE USB dongle in the hAP, the wAP with its LTE card refuses to work:
/ip firewall nat add action=masquerade chain=srcnat out-interface=lte1
I have no internet when being connected to the wAP nor the hAP.

My config so far:
# feb/22/2018 19:32:12 by RouterOS 6.41.2
# software id = ET4X-ZJMR
#
# model = RouterBOARD wAP R-2nD
# serial number = 8287076F0592
/interface lte
set [ find ] mac-address=02:1E:10:1F:00:00 name=lte1
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-95CFF4 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=default-dhcp disabled=no interface=wlan1 name=defconf
/port
set 0 name=usb1
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=WAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf disabled=yes interface=wlan1 list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=wlan1 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
add dhcp-options=hostname,clientid disabled=no interface=lte1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=lte1
/system clock
set time-zone-name=Europe/Paris
/system identity
set name="MikroTik wAP"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
The DHCP server on wlan1 (default config) is still there for the moment to be able to connect to the wAP by WiFi for testing. The single eth1 port is connected to the hAP and it receives an IP from that device as expected.

What could be the problem?

I had to put the lte1 interface in a WAN list in order to be able to add the latter to the bridge as well. Why can I not add the lte1 interface directly? It simply does not show up in the dropdown list of the bridge ports.
 
Forage
newbie
Topic Author
Posts: 27
Joined: Tue Aug 22, 2017 8:39 pm

Re: hAP AC + wAP R

Sat Feb 24, 2018 8:11 pm

Still being stuck with no internet connection on the combined network I feel that there are two things missing but I can't find a way to solve it:
  1. Internet requests are being routed to 192.168.1.1 (hAP's IP) and from there it can't find its way to the lte1 interface on the wAP. How should this link be created?
  2. The lte1 interface cannot, for some reason, be included in any of the options suggested: not in a bridge group, not in a vlan. I simply can't select the interface from the available dropdowns. How does one get round this limitation?
 
mkx
Forum Guru
Posts: 11621
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP AC + wAP R

Mon Feb 26, 2018 11:12 pm

Disclaimer: I don't have any experience with LTE devices in ROS. I'm just thinking of parallels with PPPoE. I do have some experience with LTE devices when used in consumer-grade OS (e.g. Linux).

Most probably the lte1 device has kind of MAC address, but that doesn't make it ethernet-like (=layer2) interface. Basically it's useless for practicalities. What you do have is the ppp pseudo-device which actually has IP connectivity. So in short: you only have layer3 connectivity to your LTE-based internet link and to utilize it from your LAN, you need to do layer3 connectivity ... and that's routing, not bridging. Multiple routers can for sure co-exist in single network, but configuration is non-trivial.

Let's assume a simple setup: ppp in wAP gets local public IP address, say 12.13.14.15 and remote IP address say 12.15.18.23. wAP has also local LAN address 192.168.88.13, bound to ether1 interface. Hence two routes: 0.0.0.0/0 on dst interface ppp and 192.168.88.0/24 on dst interface ether1.
Then you have hAP with single LAN IP address 182.168.88.1 bound to bridge. It shall also have two IP routes: 192.168.88.0/24 on dst interface bridge and 0.0.0.0/0 using gateway 192.168.88.13 (note: not bound to any particular interface).
Other LAN services (DHCP, ...) can then be configured to use hAP as default gateway, DNS server, ..., but that makes it redundant ... FW and NAT really needs to be done by wAP and other things are not that much complex to be worth splitting them to a separate box. I can't think of configuration that would allow hAP to do the FW and NAT and be safe at the same time.
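
Added example (not part of any post in this thread): a heuristic Python check for the point in the last reply that firewall and NAT have to be done on the wAP, applied to an export in the style posted above, where the defconf filter rules are disabled while lte1 is masqueraded. `SAMPLE_EXPORT` is a constructed excerpt, and the function names `parse_export` and `audit` are hypothetical.

```python
import re

# Constructed sample in the /export format shown in this thread
# (an excerpt for illustration, not the poster's full configuration).
SAMPLE_EXPORT = r'''
/interface list member
add comment=defconf interface=lte1 list=WAN
add interface=bridge1 list=LAN
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1
'''

def parse_export(text):
    """Return [(section, {key: value})] from a RouterOS export listing."""
    joined = re.sub(r'\\\n\s*', '', text)  # undo backslash line continuation
    section, items = None, []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):           # section header, e.g. /ip dns
            section = line
            continue
        pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
        items.append((section, {k: v.strip('"') for k, v in pairs}))
    return items

def audit(text):
    """Heuristic: flag settings that expose the router itself on the WAN side."""
    items = parse_export(text)
    active_drop = [p for s, p in items if s == '/ip firewall filter'
                   and p.get('chain') == 'input' and p.get('action') == 'drop'
                   and p.get('disabled') != 'yes']
    if active_drop:
        return []
    findings = ['input chain has no active drop rule']
    if any(s == '/ip dns' and p.get('allow-remote-requests') == 'yes'
           for s, p in items):
        findings.append('DNS resolver answers queries on every interface')
    wan = {p.get('interface') for s, p in items
           if s == '/interface list member' and p.get('list') == 'WAN'} - {None}
    findings += [f"{p['out-interface']}: masqueraded uplink, router input unfiltered"
                 for s, p in items if s == '/ip firewall nat'
                 and p.get('out-interface') in wan]
    return findings
```

Running `audit()` on a saved export gives an empty list once an input-chain drop rule is enabled; it only inspects the input chain and does not evaluate forward rules or rule order.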
