Hi inter-webs folk.
I'm feeling somewhat beaten, deflated and inept with my first routerOS experience.
I have a small (ish) manufacturing business with relatively (in your folks terms) simple network requirements, and have always been able to muddle my way through with simple off the shelf equipment and Windows network environment.

In a futile ( so far) attempt I've attempted to leap into the Mikrotik realm at the suggestion of my hardware supplier to fulfil a 'simple' immediate need, with a view to lster replacing all my active network with similar gear.

I've read numerous 'beginner' pages and videos but can't seem to bring it all together.
HELP... please!


I have a simple 192.168.1.x/24 network on a fibre connection to a router DG of 192.168.1.1 .

This Bain of my life health and safety environment sees me needing to give several of my staff tablets to connect to an external web site via an app to upload compliance details.

What I want is to publish a SSID for them to connect to, (max 10 concurrently) the hap ac2 to hand out DHCPaddresses that are a subset of my main pool (192.168.1.180-190), and then the clients to have all web traffic blocked apart from one web address for the H&S app.

What I can do (remember I'm not an engineer so am doing this from the quickset and webfig gui)
Get the DHCP POOL and WPA PSK SSID running... Check
Set an 'local Network' IP address for the device 192.168.1.221 and connect to it and config page via wifi (most of the time)
Get the 'WAN' to pick up a DHCP reservation address 192.168.1.220 from my fibre router 192.168.1.1
... Then that's it... I can't get to whe www from my iPad when it has 192.168.1.190 from the ac2

I understand to use the firewall it needs to be in Router Not Bridge mode.
AP Mode needs to be WISP AP
Quick connect needs to be deleted from the firewall config to force traffis to be inspected.

Apologies if this all sounds a bit amateur but I've really struggled to find a succinct explanation of how this all fits together... Within this kits obvious complexity.

To be honest the whole 'bridge', difference between interface1 , or interface 2-6, bridge vs router mode, multiple AP modes etc is doing my head in.

Thanks for any guidance gentle-folk

Andy
.. Humble in near defeat....

I can be your "consultant" if you want and I am willing to help you as much as I can

Concur with mlenhart. Since this is for your business, there should be no frigging around. Get expert help($) to learn how to do it properly AND quickly and then get another unit for yourself to play with on the side and dont touch the experts config unless using safe mode and you have a retainer for support LOL.

The expert help can teamviewer in for example but he/she has to have a better articulated set of requirements (not based on your assessment of how the network should look but simply based on what you expect to accomplish work wise (a use-case approach explaining the jobs of you and your employees without any mention of IP addresses or routers just the tools they use do the job and the inputs they need (information) and outputs (expected work) in the mix - Oh and a schematic of the network would help.
Trust me trying to do a half baked implementation with half of it using the default setting is a recipe for disaster and worse - time wasting.

It sounds like you have 2 dhcp servers serving up 192.168.1.0/24 ?

Why wouldn't wireless clients be able to get an IP address from the "fibre router" through the MT ? (bridge?)

It sounds like you have 2 dhcp servers serving up 192.168.1.0/24 ?

Why wouldn't wireless clients be able to get an IP address from the "fibre router" through the MT ? (bridge?)

eXs,
Hi,
Yep, I have excluded 10 addresses from my main pool and created a 10 address pool for the ac2 to hand out, mainly so I can see what devices are connected and apply hopefully a simple 'block all except one address' rule on the Mikrotik firewall.

Secondly I understood (from interpretation rather than specific documentation as its hard to coherently follow it that way) that if in bridge mode to utilise the LAN's DHCP.... that you cant use the inbuilt firewall traffic filtering.

A

Trying to tell me something?

First things first -

Did you secure your hAP ac before connecting it to the internet?

@Andyc: if you want to hire me, please mail me to matus.lenhart@gmail.com
You can check my MikroTik certificates at https://mikrotik.com/certificateSearch and type there my name (Matus Lenhart)

Admins: if it is not allowed to publish e-mail address, please remove this post. Thank you

What I want is to publish a SSID for them to connect to, (max 10 concurrently) the hap ac2 to hand out DHCPaddresses that are a subset of my main pool (192.168.1.180-190), and then the clients to have all web traffic blocked apart from one web address for the H&S

It seems to me that the most straightforward way to do this without leaving out some requirement is to create a standard hotspot on that SSID, and allow only the H & S site and any sites it references inside the walled garden. If you have used the hotspot before, this is not a difficult task, but learning the hotspot facility from ground zero can be a daunting task. I agree with the assessment that you should have an experienced consultant perform this for you.



Sent from my iPhone using Tapatalk

We are assuming profit is the motivator here and could be wrong.
We are assuming the OP wants free time to spend doing non-work related activities or to spend time with people (all mikrotik devices world wide collectively shudder).
It could be a hobby business or one where its a bottom line loser to deduct for tax purposes. Perhaps spending countless hours in frustration beats spending time with family?
Thus, consultant not required!

So lets help the guy.
A. upload latest firmware
B. start from scratch reset device
C. provide a diagram of what your network looks like (devices and connectivity in place (fiber, ethernet, wifi)
D. provide use case set of requirements, what work has to be accomplished and by whom without any references to routers and switches just devices people actually use do their job be it tablets, laptops, desktops, smartphones, etc. Make sure you include any restrictions or special requirements (all access common printer) or only this group should access wifi or any other exclusions or business rules that have to be followed.

Based on that a design can be recommended and we can chew away at that......
If the expectation is attempt answer and peck away at isolated questions or problems without any context - well forgetaboutit