sultanbrunei
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 8:52 am

Help me setup private network with a wireless hotspot

Wed May 06, 2020 11:51 am

I am using Mikrotik hex S as my main router, where I set:
- port 1 for getting internet from ISP's router.
- port 2 for my PC.
- port 3 goes to switch, and then my NAS and my TV.
- port 5 goes to my mesh router as wifi access point (tenda nova mw3)(set as bridge)

Currently I set:
- port 1 as bridge-WAN
- port 2 as bridge-LAN
- port 3 as bridge-LAN
- port 5 as bridge-HOTSPOT

And then I set:
- dhcp-server-1 : interface bridge-LAN : range 10.10.10.2-10.10.10.100
- dhcp-server-2 : interface bridge-HOTSPOT : range 10.10.11.2-10.10.11.100

Somehow, I feel that if I activate the hotspot server and changed port 5 from bridge-LAN to bridge-HOTSPOT, either bridge-LAN or bridge-HOTSPOT would lose its internet connection out of nothing.
For example, I can continue surfing the internet from my phone devices (connected via wifi through hotspot system), but the internet connection within my LAN system would stop suddenly.
This happened a few minutes after starting the hotspot server.

If I changed port 4 back to bridge-LAN, and then reboot the mikrotik, everything seems normal, internet running fine at all devices.

What could have gone wrong?
Is it because I am having double dhcp server?
How do I set so that I only have 1 dhcp server, and this dhcp (ip-pool-range) can be enjoyed both by my bridge-LAN and my bridge-HOTSPOT?
How should I set my DNS setting with this kind of setup?
How should I set my basic firewall rule with this kind of setup?
Last edited by sultanbrunei on Wed May 06, 2020 7:10 pm, edited 3 times in total.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me setup private network with a wireless hotspot

Wed May 06, 2020 1:47 pm

How would we know without seeing your config?
Please post
/export hide-sensitive file=anynameyouwish
(and remove any ISP IP numbers)
 
sultanbrunei
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 8:52 am

Re: Help me setup private network with a wireless hotspot

Wed May 06, 2020 6:59 pm

# may/06/2020 22:51:34 by RouterOS 6.46.5
# software id = E0QH-G6RQ
#
# model = RB760iGS
# serial number = A36A0BFEA28A
/interface bridge
add name=bridge-HOTSPOT
add name=bridge-LAN
add name=bridge-WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot login-by=http-chap
add hotspot-address=10.10.11.1 html-directory=flash/hotspot name=hsprof1
add hotspot-address=10.10.11.1 html-directory=flash/hotspot name=hsprof2
/ip hotspot user profile
set [ find default=yes ] name=defaultprofile
/ip pool
add name=dhcp_pool0 ranges=10.10.10.2-10.10.10.100
add name=hs-pool-9 ranges=10.10.11.6-10.10.11.100
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge-LAN name=dhcp1
add address-pool=hs-pool-9 disabled=no interface=bridge-HOTSPOT lease-time=1h \
name=dhcp2
/ip hotspot
add address-pool=hs-pool-9 disabled=no interface=bridge-HOTSPOT name=hotspot1 \
profile=hsprof2
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
add name=bronze name-for-users="" override-shared-users=off owner=admin \
price=0 starts-at=logon validity=0s
/tool user-manager profile limitation
add address-list="" download-limit=0B group-name="" ip-pool="" ip-pool6="" \
name=limit1 owner=admin rate-limit-min-rx=131072B rate-limit-min-tx=\
1048576B rate-limit-rx=131072B rate-limit-tx=1048576B transfer-limit=0B \
upload-limit=0B uptime-limit=0s
/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-HOTSPOT interface=ether5
add bridge=bridge-WAN interface=ether1
/ip address
add address=10.10.10.1/24 interface=bridge-LAN network=10.10.10.0
add address=10.10.11.1/24 comment="hotspot network" interface=bridge-HOTSPOT \
network=10.10.11.0
/ip dhcp-client
add disabled=no interface=bridge-WAN
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.10.11.0/24 comment="hotspot network" gateway=10.10.11.1
/ip dns
set allow-remote-requests=yes servers=10.10.11.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=bridge-WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.10.11.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.10.11.0/24
/ip hotspot user
add name=admin
/system clock
set time-zone-name=Asia/Jakarta
/tool user-manager database
set db-path=flash/user-manager
/tool user-manager profile profile-limitation
add from-time=0s limitation=limit1 profile=bronze till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=\
auth-fail name=hotspott use-coa=no
/tool user-manager user
add customer=admin disabled=no ipv6-dns=:: shared-users=1 username=testuser \
wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me setup private network with a wireless hotspot

Wed May 06, 2020 7:42 pm

(1) Missing firewall rules.
(2) Not sure why you have two extra sourcenat rules (is it a hotspot requirement)?
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.10.11.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.10.11.0/24
(3) DNS servers seem weird, attempting to put all DNS queries from the LAN subnet to the hotspot gateway?
 
sultanbrunei
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 8:52 am

Re: Help me setup private network with a wireless hotspot

Wed May 06, 2020 8:29 pm

(1) what firewall rules that I miss?
(2) I deleted these extra sourcenat rules (those were made automatically when I go through 'hotspot setup')
(3) In the DNS setting, I currently have "10.10.11.1" at 'Servers' field. and "my-dns-from-ISP" at 'Dynamic Servers' field. Is this how it should be set?

Apparently, after I deleted two extra srcnat from IP firewall rules, re-create from scratch hotspot settings through hotspot setup (this time I leave 'Masquerade Network' option unchecked), reboot the router, it has been a few minutes without trouble accessing the internet both from LAN and from Wifi-Hotspot.

There is a blue message 'dhcp warning' appearing in log, that says 'Detected conflict by ARP response for 10.10.10.x from MAC ADDRESS xx'.
What is the meaning of the message, and how should I fix that?
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Help me setup private network with a wireless hotspot

Wed May 06, 2020 11:06 pm

> (1) what firewall rules that I miss?

All of them. You have absolutely zero operational firewall filter rules. That means (among other bad stuff), your router is fully accessible from the internet. At the absolute least, restrict access to the router itself from WAN port.
Start by reading this section of the Wiki. It is not everything you should know, but it's a good start.
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
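
An added example, not part of any post in this thread and not MikroTik tooling: a small Python audit that reads the text of a RouterOS `/export` and flags the issues raised above (no operational filter rules, input chain open to the WAN, the router's DNS resolver exposed, DNS upstream set to the router's own address, duplicated NAT rules). The finding names and the `OPEN_EXPORT` sample are constructed for illustration, and the checks are heuristics over the export text.

```python
import shlex

def parse_export(text):
    """Return [(section, verb, {key: value})] from RouterOS /export text."""
    rules, section, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # /export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):     # menu path, e.g. "/ip firewall filter"
            section = line
            continue
        verb, *tokens = shlex.split(line)
        rules.append((section, verb, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules

def audit(text):
    """Heuristic checks for the problems raised in this thread (names are made up here)."""
    rules = parse_export(text)
    def live(section):               # enabled "add" entries of one menu
        return [p for s, v, p in rules
                if s == section and v == "add" and p.get("disabled") != "yes"]
    findings = []
    flt = [r for r in live("/ip firewall filter") if r.get("action") != "passthrough"]
    if not flt:
        findings.append("no-operational-filter-rules")
    # A drop limited to connection-state=invalid does not close the input chain.
    wan_drop = any(r.get("chain") == "input" and r.get("action") in ("drop", "reject")
                   and "connection-state" not in r for r in flt)
    if not wan_drop:
        findings.append("input-chain-open-to-wan")
    dns = {k: v for s, verb, p in rules if s == "/ip dns" and verb == "set"
           for k, v in p.items()}
    if dns.get("allow-remote-requests") == "yes" and not wan_drop:
        findings.append("dns-resolver-reachable-from-wan")
    own = {p["address"].split("/")[0] for p in live("/ip address") if "address" in p}
    if own & set(dns.get("servers", "").split(",")):
        findings.append("dns-upstream-is-router-itself")
    nat = [tuple(sorted(r.items())) for r in live("/ip firewall nat")]
    if len(nat) != len(set(nat)):
        findings.append("duplicate-nat-rules")
    return findings

# Constructed sample, trimmed from the shape of the first export posted above.
OPEN_EXPORT = r"""
/ip address
add address=10.10.10.1/24 interface=bridge-LAN network=10.10.10.0
add address=10.10.11.1/24 interface=bridge-HOTSPOT network=10.10.11.0
/ip dns
set allow-remote-requests=yes servers=10.10.11.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-WAN
add action=masquerade chain=srcnat src-address=10.10.11.0/24
add action=masquerade chain=srcnat src-address=10.10.11.0/24
"""

print(audit(OPEN_EXPORT))
```

Run against an export that still has the factory input-chain rules (a drop for everything not coming from LAN), the same function returns an empty list.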
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me setup private network with a wireless hotspot

Wed May 06, 2020 11:22 pm

No accident, they come by default with Hex. You removed them............. lol
 
sultanbrunei
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 8:52 am

Re: Help me setup private network with a wireless hotspot

Wed May 06, 2020 11:33 pm

@k6ccc
Thank you for the article. I will read all of it and try to apply in my settings.
The reason I emptied all the firewall rules was because I reset the default router configuration in the beginning (I found a tutorial on youtube that says it is a good thing to do so).
Other thing is because without a removal of default configuration, I was not able to use port 1 at all.

The tutorial on youtube guided me to set 1 NAT rule, which is:
1. At general, chain: srcnat, choose at out. interface list: bridge-WAN (my wan port)
2. At action, choose action: masquerade.

Is this what you meant (restrict access to the router itself from the WAN port) ?
 
sultanbrunei
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 8:52 am

Re: Help me setup private network with a wireless hotspot

Wed May 06, 2020 11:37 pm

I found that with my configuration of dual-dhcp-server & dual-ip-pool-range,

Sometimes when a device that is located at my bridge-LAN connected, it automatically gets IP from my hotspot IP range.
I wonder, how could this happen? I thought I have set all the address list and route list accordingly....

Is there any way to prevent client from bridge-lan ports to not get auto IP assignment from IP pool of another dhcp server which is being reserved for hotspot?
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Help me setup private network with a wireless hotspot

Thu May 07, 2020 12:02 am

You really should not have two DHCP servers that are supplying IP addresses to the same LAN. Two DHCP servers feeding different LANs (or VLANs) is expected, but not on the same LAN. If for some reason you REALLY think that you need two DHCP servers on the same LAN, make sure that their address pools do not overlap (at the very least).
 
sultanbrunei
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 8:52 am

Re: Help me setup private network with a wireless hotspot

Thu May 07, 2020 7:59 am

@k6ccc

How do I set so that my config only have 1 DHCP server?
I have a port 2-4 for wired LAN, and port 5 for access point set with a hotspot.

Does IP pool of 10.10.10.1-10.10.10.100 and 10.10.11.1-10.10.11.100 overlap?
How do you define overlap and not?
 
sultanbrunei
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 8:52 am

Re: Help me setup private network with a wireless hotspot

Thu May 07, 2020 9:27 am

leases.png
ippool.png

please look at my DHCP Server - Leases,
I couldn't understand, how can my HOME-PC get DHCP leases from both DHCP ?
And also my Nova access point, can also get leases from both DHCP...
What mistake did I make?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me setup private network with a wireless hotspot

Thu May 07, 2020 4:45 pm

You are floundering and need a plan.
Start from scratch.
Leave the default firewall rule settings in place that come from the factory.
Slowly add back in your requirements changes and networks.
The one WAN rule with masquerade should be all you need for sourcenat rules.
For DNS servers temporarily use 9.9.9.9 and not the one you have used in the settings from before.

Then repost config and we will go from there.
Starting clean with a proper config will make things go smoother in the long run and much easier for us to discern the exact problem area(s).
 
sultanbrunei
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 8:52 am

Re: Help me setup private network with a wireless hotspot

Sun May 10, 2020 10:41 am

I have reset everything to default configuration, here is my topology:
topo.png

My goal is to make everyone who uses my wifi through my AP (port 4) have to login through hotspot system. The wired LAN side (port 2 & 3), no need to login. If possible, I would like for devices that are connected via wifi and wired to be able to see and communicate with each other. This is because I am running a private family network, so I do not need to isolate.
I tried to run 'Hotspot Setup' on interface port-4, however MT won't allow me because it says port-4 is a slave interface.
Please help.

Here is my current config:
# may/10/2020 14:22:58 by RouterOS 6.46.5
# software id = E0QH-G6RQ
#
# model = RB760iGS
# serial number = A36A0BFEA28A
/interface bridge
add admin-mac=C4:AD:34:4E:4B:C1 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ZTE
set [ find default-name=ether2 ] name=ether2-PC
set [ find default-name=ether3 ] name=ether3-Switch
set [ find default-name=ether4 ] name=ether4-Nova
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-PC
add bridge=bridge comment=defconf interface=ether3-Switch
add bridge=bridge comment=defconf interface=ether4-Nova
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-ZTE list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1-ZTE
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Asia/Jakarta
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool user-manager database
set db-path=flash/user-manager

 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me setup private network with a wireless hotspot

Sun May 10, 2020 4:26 pm

I do not understand, who is connecting on wifi port 4 (guests or family members?) Do you mean you are making family members log into wifi???
If it's a private family network then ditch the hotspot, it adds complication and no other value?

Do you mean that the AP at port 4 is for guests and if so, then why would you want to allow guests to have access to your LAN.

Nothing makes sense to me??

Your config to me looks fine other than I would ditch the static DNS setting there from the default and add standard DNS servers at the top entry under ip dns, such as 9.9.9.9 or 1.1.1.1 for example (google is 8.8.8.8).

I don't know anything about hotspots but I would hazard a guess you are missing many hotspot settings. (also wouldn't hotspot need its own dhcp etc??)
 
sultanbrunei
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 8:52 am

Re: Help me setup private network with a wireless hotspot

Sun May 10, 2020 7:04 pm

Family members, and our guests would connect through hotspot via wifi at port-4.
It would be easier for me to control our kids, set rewards for them, and allow multiple guests with different bandwidth controls. At present, I don't think my guests are so savvy about hacking and stuff. They are mostly family, relatives, and friends. So I prefer my family including me to be able to access LAN stuff from wifi. Because we have central NAS in our house that needs to be accessed. And also I liked hotspot system rather than normal wifi, so that I do not have to change my wifi password so often.

What would be the benefit for me to ditch the dns given by my wan (isp), and then replace with public dns such as 8.8.8.8 ,9.9.9.9, or 1.1.1.1 ?

So where do I go from here?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me setup private network with a wireless hotspot

Sun May 10, 2020 7:26 pm

> Family members, and our guests would connect through hotspot via wifi at port-4.
> It would be easier for me to control our kids, set rewards for them, and allow multiple guests with different bandwidth controls. At present, I don't think my guests is so savvy about hacking and stuff. So I prefer my family including me to be able to access lan stuff from wifi. Because we have central LAN in our house that needs to be accessed. And also I liked hotspot system rather than normal wifi, so that I do not have to change my wifi password so often.
>
> What would be the benefit for me to ditch the dns given by my wan (isp), and then replace with public dns such as 8.8.8.8 ,9.9.9.9, or 1.1.1.1 ?
>
> So where do I go from here?

What I do is in the dhcp server config assign the LAN IP of the subnet as the DNS server.
Then stick the 9.9.9.9, 1.1.1.1 in the top of IP DNS as noted. In this way the router can cache often contacted sites as the most efficient and if not in the cache uses the other sites.
I have not seen anyone that uses their ISP DNS, but I have no good reason to say it's a bad idea?
In any case none of your configs were set up to use the ISP DNS so why you state the question was surprising.

For understanding purposes.
Groups of users include
a. two spouses - unlimited
b. kids - limited
c. guests - limited
However you are willing to put up with all being on the same subnet and all having to login via hotspot.

Wifi - is not vlan aware or capable and thus you really have no options.
Your wifi totally dictates what you can do.

So in summary, any issues are probably with your hotspot setup and that's what you need to focus on!

This seems like a decent starting point.
https://www.youtube.com/watch?v=QlCC5b7dSlI

I guess one creates a separate network for the hotspot within the hotspot setup and nowhere else?
In your firewall rules you may need to add
add chain=forward action=accept in-interface=HotspotBridge out-interface-list=LAN
 
sultanbrunei
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 8:52 am

Re: Help me setup private network with a wireless hotspot

Sun May 17, 2020 7:21 pm

Ended up, setting all the interfaces in my router (the bridge) to hotspot mode.
For devices and PCs that I wanted to bypass login, I had to manually IP bind them, and set as bypass.

Temporarily, this is a solution that works for my case. No more internet drops.
Not a sophisticated technique though, as every new wired has to be pre-input to be able to access the internet.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help me setup private network with a wireless hotspot

Sun May 17, 2020 7:37 pm

yes your config is probably not optimal
I will try to find some time reading up on hotspot so that we can get you to a useful efficient config!!
 
sultanbrunei
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 8:52 am

Re: Help me setup private network with a wireless hotspot

Mon May 25, 2020 12:17 pm

> yes your config is probably not optimal
> I will try to find some time reading up on hotspot so that we can get you to a useful efficient config!!

thank you! and please let me know how can I achieve my goals without using current config which I have to bypass all my private devices manually.
