brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

2nd router no internet access  [SOLVED]

Fri Mar 02, 2018 10:55 pm

Hi all,
My house has a main router RB3011 and wired from LAN Port to different rooms. So every room has internet access. The network is 192.168.88.0/24.

Now at my Study, I want to have a different network 192.168.10.0/24. I plug the ethernet cable from wallplate to hAP lite WAN port, setting the mode at quick set as "Home AP". I changed the IP address of hAP lite to 192.168.10.1 and assigned dhcp server (192.168.10.10-192.168.10.200) to the bridge on hAP lite. But there is no internet access.

Am I missing something?

Thank you !

MJ
 
samsung172
Forum Guru
Posts: 1191
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: 2nd router no internet access

Sat Mar 03, 2018 1:24 am

Check that you have a WAN port.
Check that you have a default GW and IP on the WAN port, manually set or by DHCP (on WAN). In your setup it seems like your WAN port should have a 192.168.88.x address and 192.168.88.1 as GW.
Check that you are doing NAT (src-nat masquerade).
Check that your LAN bridge has an IP, in your setup 192.168.10.x ((1)).
Check that your client uses your IP as GW. Set up DHCP???

Then you have internet... You also need to check the DNS setting, so internet is xxxx.yy, not just 8.8.8.8.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2nd router no internet access

Sat Mar 03, 2018 6:31 pm

Newbie here, but I believe this should work basically from defaults.
The only thing you would need to do is change anything that says .88 to .10 (like whack-a-mole LOL),
such as the DHCP Server setting on the LAN to 192.168.10.1 as a gateway and an IP pool as desired.

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
TO
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
192.168.10.0

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
TO
/ip pool
add name=default-dhcp ranges=192.168.10.10-192.168.10.254

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
TO
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1

/ip dns static
add address=192.168.88.1 name=router.lan
TO
/ip dns static
add address=192.168.10.1 name=router.lan

I think that's it???

The Hex Lite will grab an IP from the first router (a LAN IP, which is in fact the WAN IP for the second router).

The question of double NAT always comes up in these circumstances. In other words, if one wanted to have an FTP server behind the second router, one would have to, in the first router, port forward the service to the second router's LANIP (WANIP) and create a FW rule for same. In the second router, create a port forward rule to the server's LANIP 192.168.10.x and create an associated FW rule.

QUESTION?
What I would like to know is if a policy route, or more clearly a SNAT rule, is needed for the second router.
It is created by the default setup. But when the packets leave the primary router, the traffic will be SNATed by the primary going out the WAN. Then upon return it will know to send them to the LANIP/WANIP of the secondary router. Is the original SNAT assigned in the secondary router NEEDED to then get the packet to the right device behind the second router (or is that already done by the basic connection tracking function these MikroTiks do)?

In other words, on the second router, could one delete the following default rule (or modify it) with no harm done?
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Sat Mar 03, 2018 6:57 pm

@anav: If you just remove default masquerade from second router, without doing anything else, it won't work, because main router will have no idea where to look for 192.168.10.x. So you must either keep the masquerade, or add static route to main router.
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Sun Mar 04, 2018 1:54 am

Thank you so much for the help !
I double checked the settings:

Check that you have a WAN port. - Ethernet cable from wallplate to WAN port of hAP lite.

Check that you have a default GW and IP on the WAN port. - It is default setting, so there is DHCP client on WAN port, and I can see that hAP lite got an IP address from RB3011: 192.168.88.104, as well as the gateway 192.168.88.1.

Check that you are doing NAT (src-nat masquerade). - Yes, IP > Firewall > NAT, src-nat masquerade.

Check that your LAN bridge has an IP, in your setup 192.168.10.x ((1)). - Bridge all the LAN ports and assign 192.168.10.1/24 to Ethernet 2.

Check that your client uses your IP as GW. Set up DHCP??? - DHCP server also set on bridge.

DNS - I set 8.8.8.8 as DNS.

BUT THERE IS STILL NO INTERNET.

BTW, I somehow feel it is related to the DNS settings, as I got a message from my laptop when no internet: "The DNS name does not exist". I tried 192.168.10.1 and 192.168.88.1, but none of them works.

I posted the configuration below, hopefully someone can figure out why there is no internet.

Thank you again !
___________________________
# jan/02/1970 00:13:15 by RouterOS 6.41.2
# software id = R9PH-9U6S
#
# model = RouterBOARD 941-2nD
# serial number = 5C1502D24752
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
MikroTik-C27BFD wireless-protocol=802.11
/interface bridge
add admin-mac=D4:CA:6D:C2:7B:FA auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=ether2 network=\
192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.10.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2nd router no internet access

Sun Mar 04, 2018 2:05 am

I think... the answer may be in your DNS??? Why did you use 8.8.8.8 for DNS server? It should be the gateway 192.168.10.1 as per the example given.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Sun Mar 04, 2018 4:36 am

/ip address
add address=192.168.10.1/24 comment=defconf interface=ether2 network=192.168.10.0
This should be on bridge, but it's not the problem.
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
This needs dns-server=192.168.10.1 to give DNS resolver to clients.
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Sun Mar 04, 2018 9:48 am

Sob wrote:
> /ip address
> add address=192.168.10.1/24 comment=defconf interface=ether2 network=192.168.10.0
> This should be on bridge, but it's not the problem.
> /ip dhcp-server network
> add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
> This needs dns-server=192.168.10.1 to give DNS resolver to clients.

Hi Sob & Anav,
Thank you again for your great help !
I changed the IP address 192.168.10.1/24 on bridge and changed the DNS to 192.168.10.1.

Very weird, the laptop shows that I have internet (the icon on the bottom indicated 'internet access'). But when I try to open the website, there is no internet in fact.

Here below is the new config. I highlight the change in bold. Could you please take a look if anything else is wrong ?

# jan/02/1970 07:55:07 by RouterOS 6.41.2
# software id = R9PH-9U6S
#
# model = RouterBOARD 941-2nD
# serial number = 5C1502D24752
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
MikroTik-C27BFD wireless-protocol=802.11
/interface bridge
add admin-mac=D4:CA:6D:C2:7B:FA auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
192.168.10.1
/ip dns
set allow-remote-requests=yes servers=192.168.10.1
/ip dns static
add address=192.168.10.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Sun Mar 04, 2018 5:33 pm

The change in "/ip dns" is wrong, it's what router uses as resolver, so it's now asking itself. It should also get dynamic resolver set by dhcp client, so it should have working one, but maybe it gets confused sometimes. Either remove it (only from "/ip dns") and let it use just what it gets from dhcp, or you can use something else (your previous 8.8.8.8, ISP resolvers, ...).
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: 2nd router no internet access

Sun Mar 04, 2018 6:40 pm

Why don't you simply remove the LAN port going to your study from the bridge on your 3011, run second DHCP on this port and put hAP lite in bridge mode?
No double NAT, no extra load on hAP lite this way.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2nd router no internet access

Sun Mar 04, 2018 7:25 pm

Concur that is the problem area.
a. Agree, try removing that command altogether (no IP DNS rule) BUT KEEP the IP DNS STATIC rule.
b. I am looking at my configuration for my LAN (not behind another router), but this is what I find... (allow-remote-requests set to NO!)

/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
max-concurrent-queries=100 max-concurrent-tcp-sessions=20 \
max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s \
servers=""
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Sun Mar 04, 2018 7:57 pm

Option allow-remote-requests tells router whether it can work as resolver for others. So if you give router's address as resolver to clients (in "/ip dhcp-server network"), it needs to be set to yes.
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Sun Mar 04, 2018 9:30 pm

Hi both,
I appreciated your fast response and help !

I am a bit confused. This goes back to scenario 1. If you look back at the first config rsc file I posted, it is what you suggested now.

Scenario #1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.10.1 name=router.lan


Scenario #2
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
192.168.10.1
/ip dns
set allow-remote-requests=yes servers=192.168.10.1
/ip dns static
add address=192.168.10.1 name=router.lan


Nevertheless, I tried to remove the /ip dns servers, here comes scenario #3
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 name=router.lan


BUT it still doesn't work. I also tried to change dns under '/ip dhcp-server network' to aa) dns-server=8.8.8.8, it doesn't work. bb) remove it, leave it as blank. Same, it doesn't work.

It is getting interesting! I encourage you, if you have a second MikroTik router, to give it a try to see what happens. Just reset to all default settings and change the IP address for the second router in order not to have an address conflict with the first router.

I thought it would be a piece of cake to get a different network with the 2nd router, but obviously, it is not. :-)

Wish you all a great weekend!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Sun Mar 04, 2018 9:56 pm

Scenario #1: You don't give any resolver to clients => can't work.

Scenario #2: You tell router to use itself as resolver => can't work, unless it gets dynamic one(s) from dhcp (and even then I'm not sure if having itself as resolver won't confuse it).

Scenario #3: Should work, if router gets working resolver(s) from dhcp. Check if you see any dynamic servers added under "/ip dns". You can also try to ping hostname from router. Use "/ping forum.mikrotik.com" from Terminal (not WinBox, because in that case it's not the router doing resolving).

aa) If you give working resolver (which 8.8.8.8 should be) to clients directly, then it definitely must work. Just make sure that client got it. It won't happen immediately. E.g. on Windows you can use "ipconfig /all" and look for DNS servers to see what's there.

bb) It's Scenario #1.
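
The scenario checks in the post above, as an added example that is not part of the original thread: a Python script that reads a RouterOS export and reports which of the conditions Sob lists applies. The sample export is constructed from the Scenario #2 lines posted earlier; the function names and finding labels are hypothetical.

```python
import re

# Constructed sample: the DNS-related sections of "Scenario #2" from the thread.
SCENARIO_2 = """\
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\\
192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\\
192.168.10.1
/ip dns
set allow-remote-requests=yes servers=192.168.10.1
"""


def parse_export(text):
    """Return {section_path: [ {key: value}, ... ]} from RouterOS export text."""
    # Export wraps long commands with a trailing backslash; join them first.
    joined = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            # key=value pairs; a value is either double-quoted or a bare word.
            pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)', line)
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections


def diagnose_dns(sections):
    """Apply the checks from the post above; returns a list of finding labels."""
    findings = []
    # Addresses the router itself owns (prefix length stripped).
    own = {e["address"].split("/")[0]
           for e in sections.get("/ip address", []) if "address" in e}
    dns = {}
    for entry in sections.get("/ip dns", []):
        dns.update(entry)
    servers = [s for s in dns.get("servers", "").split(",") if s]
    remote_ok = dns.get("allow-remote-requests", "no") == "yes"

    for net in sections.get("/ip dhcp-server network", []):
        handed = [s for s in net.get("dns-server", "").split(",") if s]
        if not handed:
            # Scenario #1: no dns-server in the DHCP network entry.
            findings.append("clients-get-no-resolver")
        if any(h in own for h in handed) and not remote_ok:
            # Router is handed out as resolver but refuses remote requests.
            findings.append("router-handed-out-but-remote-requests-off")
    if any(s in own for s in servers):
        # Scenario #2: the router's upstream resolver is the router itself.
        findings.append("router-uses-itself-as-resolver")
    if not servers:
        # Scenario #3: works only if the DHCP client on WAN supplies resolvers.
        findings.append("router-relies-on-dhcp-client-resolvers")
    return findings


if __name__ == "__main__":
    for finding in diagnose_dns(parse_export(SCENARIO_2)):
        print(finding)
```
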
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Sun Mar 04, 2018 10:06 pm

Many thanks !

I will set to Scenario #3. and reboot the 2nd router and restart my laptop to see what happens !

Will keep you informed of the result !
Cheers !
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2nd router no internet access

Sun Mar 04, 2018 10:38 pm

Sorry, beyond my capabilities, all I can say is that I have the default setup (one router, one LAN) and thought the settings would be the same for second router.

My settings include the following:

/interface ethernet
set [ find default-name=ether1 ] name=Eastlink
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
(this is repeated for all etherports on this LAN)

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Eastlink list=WAN

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
Eastlink
add add-default-route=no dhcp-options=hostname,clientid disabled=no \

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns static
add address=192.168.88.1 name=router.lan

SET TO A SECOND ROUTER>................

My settings would include the following (calling the WAN interface for the second router MIKROTIK_PRIMARY!)

/interface ethernet
set [ find default-name=ether1 ] name=MIKROTIK_PRIMARY
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf

[assuming a default setup for the interfaces being on the same bridge]

/ip address
add address=192.168.10.1/24 comment=defconf interface=ether2 network=\
192.168.10.0
(this is repeated for all etherports on this LAN)

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=MIKROTIK_PRIMARY list=WAN

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
MIKROTIK_PRIMARY
add add-default-route=no dhcp-options=hostname,clientid disabled=no \

/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
/ip dns static
add address=192.168.10.1 name=router.lan

[I am assuming all DNS requests would get sent to the gateway 10.1, and from there would be routed out the WAN interface, and then hit the PRIMARY ROUTER gateway 88.1, and then be sent onwards... to the WAN interface as part of the DHCP client. I DO NOT SEE ANY RULE that SENDS MY DNS specifically to DNS servers anywhere.]
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Sun Mar 04, 2018 11:07 pm

Hi Anav,
thanks for simulating my situation.
Do you get internet ?

I tried Scenario # 3 again and even below #4 , but no luck. :-(
I still cannot get internet. My laptop always shows ' The DNS name does not exist'.


/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=8.8.8.8 gateway=\
192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.10.1 name=router.lan
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Sun Mar 04, 2018 11:27 pm

1) What does your laptop have as dns server (use "ipconfig /all")?
2) What happens when you try "ping 8.8.8.8" or "tracert 8.8.8.8"?
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: 2nd router no internet access

Mon Mar 05, 2018 12:31 am

Need a default route from hap to 3011, then also a route back from 3011 to hap for network 192.168.10.0/24
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Mon Mar 05, 2018 12:58 am

@sob
My laptop has 8.8.8.8 as DNS server (using ipconfig /all),
and ping 8.8.8.8 will not get through: "request timed out".

@CZfan
Could you elaborate a bit how to do it ?
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2nd router no internet access

Mon Mar 05, 2018 1:37 am

CZFAN, I don't understand what you are selling.
I have no such extra route rules for my default setup.
Why should the second router have them in this scenario??

Any traffic coming from the second router (out of its WAN port) will be detected and tracked as any other LANIP devices traffic on the primary router. It will be routed to the internet and return packets back to the LANIP of the Secondary Router, it will be allowed back in through the WAN port of the secondary router as it was tracked on the way out. The return packet will then go to the correct device on the secondary router as it was tracked on the way out.

The only time I figure that extra routing would be required is if the Secondary Router is serving, such as an FTP server, and in this case an extra route is not needed simply a port forward rule that says for this port/service, move the traffic to the LANIP (of the secondary router), and in the secondary router another port forward rule that says, a service/port coming through the WAN needs to go to this particular LANIP (of the server). Probably need FW rules for both journeys as well.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Mon Mar 05, 2018 1:42 am

@CZFan: There's DHCP client on WAN and default masquerade. You can argue that it's not the best config, but it should work.

@brg3466: Try also:
- "tracert 8.8.8.8" from laptop
- "/tool traceroute 8.8.8.8" from router
- "/ip dhcp-client print", "/ip address print" and "/ip route print" on router
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Mon Mar 05, 2018 1:46 am

@anav: It's to avoid double NAT, which is not the best thing to have (even though it's not a problem in many/most cases).
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: 2nd router no internet access

Mon Mar 05, 2018 1:46 am

I re-read your posts and see you are using dhcp / nat, so ignore what I said re routes for now.

I suspect your problem might be your masquerade / NAT rule, remove the "ipsec-policy=out,none" and test.

My thinking is that with that in the rule, it will only match packets such as ESP.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Mon Mar 05, 2018 1:51 am

No, it's the opposite, means "no outgoing IPSec policy".
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2nd router no internet access

Mon Mar 05, 2018 1:56 am

Hi CZfan, worth a shot I suppose, but if the traffic is not ipsec related I don't see how this would stop traffic.
(SOB, the main worry about double NAT is when one has servers on the second router, other than that it's not going to be problematic).
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Mon Mar 05, 2018 3:20 am

Sob wrote:
> @CZFan: There's DHCP client on WAN and default masquerade. You can argue that it's not the best config, but it should work.
>
> @brg3466: Try also:
> - "tracert 8.8.8.8" from laptop
> - "/tool traceroute 8.8.8.8" from router
> - "/ip dhcp-client print", "/ip address print" and "/ip route print" on router

@Sob,
tracert 8.8.8.8 from laptop

C:\Users\brg34>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Control-C
^C

C:\Users\brg34>tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 192.168.10.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * ^C
C:\Users\brg34>

- "/tool traceroute 8.8.8.8" from router


[admin@MikroTik] > /tool traceroute 8.8.8.8
 #   ADDRESS   LOSS   SENT   LAST      AVG   BEST   WORST
 1             100%   3      timeout
 2             100%   3      timeout
 3             100%   3      timeout
 4             100%   3      timeout
 5             100%   3      timeout

- "/ip dhcp-client print", "/ip address print" and "/ip route print" on router

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.10.1/24    192.168.10.0    bridge
 1 D 192.168.88.104/24  192.168.88.0    ether1

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0  DS  0.0.0.0/0                          192.168.88.1              1
 1 ADC  192.168.10.0/24    192.168.10.1    bridge                    0
 2  DC  192.168.88.0/24    192.168.88.104  ether1                  255
[admin@MikroTik] >
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Mon Mar 05, 2018 3:51 am

No wonder it doesn't work for clients, when even the router doesn't have outside connectivity. The problem is with your routes, only the one for 192.168.10.0/24 is active. Distance 255 for 192.168.88.0/24 is definitely not right. To be honest, I'm not sure how it could happen and what to do to fix it. You can try to "turn it off and on again", i.e. remove dhcp client from ether1, add new one with same options and see if it helps. If not, you can use static config instead:
/ip address
add address=192.168.88.X/24 interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1
Choose the X in 192.168.88.X outside of dhcp pool on main router.
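
The reading of the route table in the post above, as an added example that is not part of the original thread: a Python script that parses "/ip route print" rows and explains why the default route is not active. The rows are copied from the output posted earlier in the thread; the function names and result codes are hypothetical, and the parser assumes the column layout shown in that output.

```python
import ipaddress

# Rows copied from the "/ip route print" output in the thread (non-working state).
ROUTES_BROKEN = """\
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0  DS  0.0.0.0/0                          192.168.88.1              1
 1 ADC  192.168.10.0/24    192.168.10.1    bridge                    0
 2  DC  192.168.88.0/24    192.168.88.104  ether1                  255
"""


def parse_routes(text):
    """Parse data rows of '/ip route print' into dicts (whitespace-tolerant)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        # A data row is: index, flags, dst-address, ..., gateway, distance.
        if len(tok) < 5 or not tok[0].isdigit() or "/" not in tok[2]:
            continue
        flags = tok[1]
        routes.append({
            "dst": ipaddress.ip_network(tok[2]),
            "active": "A" in flags,      # A - active
            "connected": "C" in flags,   # C - connect
            "gateway": tok[-2],          # IP for static, interface for connected
            "distance": int(tok[-1]),
        })
    return routes


def diagnose_default_route(routes):
    """Return (code, message) describing the state of the default route."""
    defaults = [r for r in routes if r["dst"].prefixlen == 0]
    if not defaults:
        return ("no-default", "no 0.0.0.0/0 route present")
    best = min(defaults, key=lambda r: r["distance"])
    if best["active"]:
        return ("active", f"default route via {best['gateway']} is active")
    gw = ipaddress.ip_address(best["gateway"])
    # A gateway is only usable if an active connected route covers it.
    for r in routes:
        if r["connected"] and gw in r["dst"]:
            if not r["active"]:
                return ("gateway-network-inactive",
                        f"connected route {r['dst']} on {r['gateway']} is "
                        f"inactive (distance {r['distance']}), so gateway "
                        f"{gw} is unreachable")
            return ("inactive-other",
                    f"{r['dst']} is active but the default route is not")
    return ("gateway-not-connected", f"no connected route covers gateway {gw}")


if __name__ == "__main__":
    code, message = diagnose_default_route(parse_routes(ROUTES_BROKEN))
    print(code, "-", message)
```
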
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2nd router no internet access

Mon Mar 05, 2018 4:03 am

Edit. Erroneous thinking on my part, text removed.
Last edited by anav on Mon Mar 05, 2018 7:17 pm, edited 1 time in total.
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Mon Mar 05, 2018 4:47 am

Hi all,
Really appreciated your great help !

I will reset the hAP lite to default configuration and do it over again, i.e. change the IP pool, LAN address and the DNS accordingly. See if it will work.
Will let you know in half an hour.

Thanks again !
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Mon Mar 05, 2018 5:18 am

Hi all,
NO LUCK !

What I did is to reset the configuration to factory settings, then change the IP address to 192.168.10.1/24 on the bridge and change the default dhcp pool to 192.168.10.10-192.168.10.254 ....

Here below are the settings, I think I didn't miss anything.

# jan/02/1970 00:02:35 by RouterOS 6.41.2
# software id = R9PH-9U6S
#
# model = RouterBOARD 941-2nD
# serial number = 5C1502D24752
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
MikroTik-C27BFD wireless-protocol=802.11
/interface bridge
add admin-mac=D4:CA:6D:C2:7B:FA auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

From my laptop, it shows below. I think my laptop gets the IP address from the DHCP server.
IPv4 address: 192.168.10.254
IPv4 DNS servers: 192.168.10.1
Manufacturer: Microsoft
Description: Surface Ethernet Adapter
Driver version: 10.4.124.2017
Physical address (MAC): 28-18-78-BB-EC-33


below are the prints from hAP lite
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 ADS  0.0.0.0/0                          192.168.88.1    1
 1 ADC  192.168.10.0/24    192.168.10.1    bridge          0
 2 ADC  192.168.88.0/24    192.168.88.104  ether1          0
[admin@MikroTik] > ip dhcp-client print
Flags: X - disabled, I - invalid, D - dynamic
 #   INTERFACE  USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  ADDRESS
 0   ;;; defconf
     ether1     yes           yes                bound   192.168.88.104/24
[admin@MikroTik] > ip dhcp-server print
Flags: D - dynamic, X - disabled, I - invalid
 #   NAME     INTERFACE  RELAY  ADDRESS-POOL  LEASE-TIME  ADD-ARP
 0   defconf  bridge            default-dhcp  10m
[admin@MikroTik] > /tool traceroute 8.8.8.8
 #  ADDRESS  LOSS  SENT  LAST     AVG  BEST  WORST  STD-DEV  STATUS
 1           100%  2     timeout
 2           100%  2     timeout
 3           100%  1     timeout
 4           100%  1     timeout
 5           100%  1     timeout

[admin@MikroTik] >
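
The second-router checks discussed in this thread (an interface in the WAN list, a DHCP client on it, a masquerade rule) can be run offline against an export. The following is an added example, not part of the original post: it uses an excerpt of the hAP lite export above, the helper names parse_export and check_second_router are hypothetical, and it assumes the default WAN list name. It also flags static DNS entries that point outside the router's own subnets.

```python
import ipaddress
import re
import shlex

# Excerpt of the hAP lite export posted above ('\' continuations as exported).
EXPORT = r"""
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
"""

def parse_export(text):
    """Hypothetical helper: map each menu path to its add/set key=value dicts."""
    cfg, menu = {}, None
    for line in re.sub(r"\\\n[ \t]*", "", text).splitlines():  # join continuations
        if line.startswith("/"):
            menu = line.strip()
        elif line.strip() and menu:
            pairs = (t.split("=", 1) for t in shlex.split(line) if "=" in t)
            cfg.setdefault(menu, []).append(dict(pairs))
    return cfg

def check_second_router(cfg):
    """Hypothetical helper: findings for a NATing router behind another router."""
    out = []
    wan = {m["interface"] for m in cfg.get("/interface list member", [])
           if m.get("list") == "WAN"}
    if not any(c.get("interface") in wan and c.get("disabled") != "yes"
               for c in cfg.get("/ip dhcp-client", [])):
        out.append("no enabled DHCP client on a WAN-list interface")
    if not any(r.get("action") == "masquerade" and r.get("out-interface-list") == "WAN"
               for r in cfg.get("/ip firewall nat", [])):
        out.append("no masquerade rule out of the WAN list")
    nets = [ipaddress.ip_interface(a["address"]).network for a in cfg.get("/ip address", [])]
    for e in cfg.get("/ip dns static", []):
        if "address" in e and not any(ipaddress.ip_address(e["address"]) in n for n in nets):
            out.append(f"static DNS {e['name']} -> {e['address']} is outside local subnets")
    return out
```

On this excerpt the WAN, DHCP client and masquerade checks pass; the only finding is the router.lan entry, which still points at 192.168.88.1.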
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Mon Mar 05, 2018 5:25 am

@anav
Have you tried with the 2nd router with default settings? Did you get Internet?

The weird thing is if I replace RB3011 with hAP (default configuration), I can get internet.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: 2nd router no internet access

Mon Mar 05, 2018 5:37 am

Can you try connecting your hap to 3011 with a different cable? Connect it directly to it instead of using the wall plug.
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Mon Mar 05, 2018 6:19 am

@2frogs
Any reason for doing this? I thought it is the same: the other end of the cable behind the wall goes to a LAN port of the 3011, so I think the hAP is directly connected to the 3011 LAN port in this way.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: 2nd router no internet access

Mon Mar 05, 2018 6:26 am

Your cable in the wall or a patch cable connecting it to the wall plug could be bad. It can be bad and still kind of working. Connecting it directly to the 3011 with a different cable eliminates it being the cable.
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Mon Mar 05, 2018 8:31 am

@ 2frogs
Thank you for the explanation! I will try it to see if it is different.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Mon Mar 05, 2018 6:04 pm

New status looks better. Connected route on ether1 has distance 0 (correct), and all routes including the default one are active. So it looks like it should work. But traceroute to 8.8.8.8 still doesn't get anywhere. Now it looks like it may be blocked by the main router. But why? Do you have any special config there? What if you try "/ping 192.168.88.1" from hAP lite?
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Mon Mar 05, 2018 6:38 pm

@ Sob,
Thank you so much! I finally got the internet through!!!

I connected the hAP lite (hereafter called hAP1) to the RB3011 directly and it got internet; then I connected it back to the Study wallplate socket: no internet. Then I recalled I used another hAP (hereafter called hAP2) behind the wall as a 'switch' to 3 different wallplates in the study.
Here is the topology of the network: RB3011 - hAP2 (switch) - hAP1.

I set the hAP2 as below like a switch:
1. bridge all ports (ether1- ether4)
2. assign static IP address 192.168.88.4/24
3. no DHCP client, no DHCP server - so RB3011 takes care of dhcp function.

NOW, I have a new question: why does hAP1 get no internet if it is connected to hAP2? If I connect my laptop to hAP2 (i.e. wallplate), there is internet.

It gets more interesting ! Thank you !
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Mon Mar 05, 2018 7:18 pm

Hi all,
I did another test: I replaced the hAP2 (switch) with a real unmanaged switch (a Netgear 8-port switch), and then I connected hAP1 to the switch. So it is RB3011 - Netgear switch - hAP1.
And I GOT INTERNET on hAP1.

This is beyond my understanding. I assume a bridge is transparent, so there should be no difference between connecting hAP1 to the Netgear and to hAP2.

Any comments or explanations are welcome!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2nd router no internet access

Mon Mar 05, 2018 7:26 pm

"And then I remembered, there's another router in the wall that I completely forgot about!"... wonderful. :)

Try posting hAP2's config, perhaps you configured something different than just simple switch.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2nd router no internet access

Mon Mar 05, 2018 7:30 pm

Good to hear!
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: 2nd router no internet access

Tue Mar 06, 2018 12:54 am

Hi Sob, anav,

After I updated the ROS to 6.41.2, it works now; I don't know why it didn't work before. Anyway, below is the setup.

I would like to thank everyone who provided their expertise on this topic, especially Sob and Anav; I really appreciate your patience and guidance.

Next issue will be the VPN, I have posted another topic regarding the VPN which puzzled me. You are welcome to comment and give your support as well. :-)

Thank you again and have a good day !

# model = RouterBOARD 941-2nD
# serial number = 5C150460DE08
/interface bridge
add fast-forward=no name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether3
/ip address
add address=192.168.88.4/24 interface=bridge1 network=192.168.88.0
