I have this setup. An Airport Express accesses wlan1 of the Mikrotik hAP AC2 and creates a wireless bridge. The Airport Express is configured to "join" the network, not to use WDS or create a new network. Wired to the Airport Express there is a CLIENT (sat TV decoder) using this bridge to join the local network.
The problem is that CLIENT can't get a DHCP lease. Log shows:
It used to work with my old Asus AC56U router without any tweak. I tried another client device and the issue persists; something is wrong with DHCP over the wireless bridge. The client works with a static IP and is reachable with ping. The problem is that the DHCP lease fails at some point.
My firewall config:
/ip firewall address-list
add address=192.168.1.0/24 list=lan_horizon
add address=192.168.0.0/16 list=man_horizon
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log-prefix=invalid
add action=accept chain=input comment=\
"basicconf: accept router access from LAN" src-address-list=man_horizon
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"basicconf: drop tries to reach not public addresses from LAN" \
dst-address-list=not_in_internet in-interface=localbridge log=yes \
log-prefix=!public_from_LAN out-interface=!localbridge
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=jump chain=forward comment="basicconf: jump to ICMP filters" \
jump-target=icmp protocol=icmp
add action=drop chain=forward comment=\
"basicconf: drop incoming from internet which is not public IP" \
in-interface-list=WAN log=yes log-prefix=!public src-address-list=\
not_in_internet
add action=drop chain=forward comment=\
"basicconf: drop packets from LAN that do not have LAN IP" in-interface=\
localbridge log=yes log-prefix=LAN_!LAN src-address-list=!man_horizon
add action=accept chain=icmp comment="basicconf: echo reply" icmp-options=0:0 \
protocol=icmp
add action=accept chain=icmp comment="basicconf: net unreachable" \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="basicconf: host unreachable" \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment=\
"basicconf: host unreachable fragmentation required" icmp-options=3:4 \
protocol=icmp
add action=accept chain=icmp comment="basicconf: allow echo request" \
icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="basicconf: allow time exceed" \
icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="basicconf: allow parameter bad" \
icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="basicconf: deny all other types"
/ip firewall nat
add action=accept chain=srcnat comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
My DHCP config:
/ip pool
add name=lan_pool0 ranges=192.168.1.101-192.168.1.254
/ip dhcp-server
add address-pool=lan_pool0 disabled=no interface=localbridge name=lan_dhcp0
Any help? Thanks in advance.