
How to manage multiple Access Points when using WDS

Posted: Mon Sep 03, 2007 5:12 am
by davidw
Hi There,

I have the following configuration

DSL-MODEM
===============
ether1: 192.168.1.254
Portforwarding 8291==>192.168.1.1

AP 1
===============
ETHER1: 192.168.1.1
WLAN1: 10.5.50.1 (ap-bridge with dynamic wds enabled)
WDS-BRIDGE: (WLAN1 ports included)
DHCP setup to give ip's to wds-bridge clients

AP 2 (WDS AP)
===============
WLAN1: (wds station mode)
WLAN2: (ap bridge)
wds-bridge created with WLAN1 & WLAN2 ports included

Using port forwarding on 8291 we can successfully manage and more importantly monitor AP1 from public IP address

How can I monitor AP2 from a public IP address ?

I know I can mac telnet from one AP to the other but I want to be able to use DUDE to monitor its status so I can tell if it goes offline.

Hope this makes sense.

Cheers

Re: How to manage multiple Access Points when using WDS

Posted: Mon Sep 03, 2007 2:31 pm
by sergejs
It is not possible to manage multiple routers over NAT via Winbox without full NAT, when a separate IP address is assigned to the router; it is possible to use SSH.

Re: How to manage multiple Access Points when using WDS

Posted: Mon Sep 03, 2007 2:35 pm
by davidw
So what would I need to do to use ssh ?

Re: How to manage multiple Access Points when using WDS

Posted: Mon Sep 03, 2007 2:36 pm
by sergejs
You have to use DST-NAT at the border router (that uses a public/routable address), and redirect a specific port to the required router.

Re: How to manage multiple Access Points when using WDS

Posted: Tue Sep 04, 2007 12:12 am
by davidw
Yep, understand that, and I have successfully done that but cannot get it to work with WDS.

if my router and ap 1 are on 192.168.0.0 address range, should I make AP2 on 192.168.0.0 as well ?

How would my DSL router know to get to AP 2 via AP 1 ?

Re: How to manage multiple Access Points when using WDS

Posted: Tue Sep 04, 2007 8:03 am
by JJCinAZ
You could use vpn to get access to everything in the 192.168.0.0 range. With 3.0 you can put a dude server on the router.

Re: How to manage multiple Access Points when using WDS

Posted: Tue Sep 04, 2007 8:27 am
by sergejs
If you have WDS, I assume you have a bridged network between AP1, AP2 and the DSL router.
They should be accessible directly. If they are not, assign another private subnet to AP2, set up routing on DSL and AP1, and set NAT rules to forward SSH.
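
The per-router forwarding described in this reply, as an added example that is not part of the original posts: RouterOS commands for AP1 that map one extra public port to SSH on AP2 and restrict who may use it. AP2's address 10.5.50.2, the public port 2222, the list name mgmt and the client address 203.0.113.10 are assumptions, and the DSL modem is assumed to forward TCP 2222 to 192.168.1.1 the same way it forwards 8291.

```routeros
# --- On AP1 (ether1 192.168.1.1, wds-bridge 10.5.50.1) ---

/ip firewall address-list
# Constructed management source; only this address may use the forward.
add list=mgmt address=203.0.113.10 comment="admin workstation (example)"

/ip firewall nat
# One distinct public port per router behind AP1: 2222 -> SSH on AP2.
# Further routers get their own port (2223, 2224, ...) and their own rule.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=2222 \
    src-address-list=mgmt action=dst-nat \
    to-addresses=10.5.50.2 to-ports=22

# --- On AP2 (assumed 10.5.50.2/24 on its wds-bridge) ---

/ip route
# Replies must leave through AP1, otherwise the forwarded session
# never completes even though the dst-nat rule matches.
add dst-address=0.0.0.0/0 gateway=10.5.50.1
```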

Re: How to manage multiple Access Points when using WDS

Posted: Wed Sep 05, 2007 10:45 pm
by ivaring
I've one question/doubt.
Why would someone use NAT while bridging one net?

Regards.

Re: How to manage multiple Access Points when using WDS

Posted: Thu Sep 06, 2007 3:14 am
by freewifi
what if I have 3 or 4 routeros devices in the same network?

Surely this has come up before.

Re: How to manage multiple Access Points when using WDS

Posted: Thu Sep 06, 2007 6:05 am
by davidw
you can only manage 1 of your routers/devices using winbox on port 8291. This is done by setting up port forwarding on your DSL modem.

The rest you will have to use the web interface and select a different port for each device.

Does this make sense ?

Re: How to manage multiple Access Points when using WDS

Posted: Thu Sep 06, 2007 3:10 pm
by freewifi
Yes, thanks. I haven't really looked into the web interface. From what I can remember it was quite limited but better than nothing.
cheers

Re: How to manage multiple Access Points when using WDS

Posted: Wed Sep 26, 2007 7:56 am
by unlimitedme
I am very confused by your setup,
NATing with bridge??? :shock:

Re: How to manage multiple Access Points when using WDS

Posted: Fri Sep 28, 2007 10:04 pm
by dsobin
We run a bridged mesh network with two radios (bridged) per node.

On each node, one radio is used for BackHaul (uplink/downlink), and the other is an AP for local users to connect.
The BH radios are all configured as ap-bridge/WDS, with SSID hidden.

All of our nodes are part of a single private subnet.

One node is the gateway and has a public Internet connection. The GW node also runs the hotspot for all the other nodes.

We spent much time trying to figure out how to reach all our nodes from the Internet via winbox. As has been pointed out, if you have only 1 public IP, you can only port forward 8291 once. You can edit the firewall each time you want to connect to another node, but this is not useful for managing your network since you need to see all nodes at once.

Our solution turned out to be trivial (after spending 2 months struggling to find a solution, that is!).

On the gateway node we enable the PPTP server, create a pptp user, and assign it a unique address on the private subnet.

On our network management client where we run winbox, we create a pptp tunnel over the public Internet to the gateway node. Now winbox acts like it's on the same subnet as all of the other nodes and can manage everything at once. I haven't used the Dude yet, but I expect it will work the same as winbox.

If you have never used Windows to create a VPN, just select "Create a new connection" under Network Connections and select the options for VPN. Enter the public IP address of the gateway node when asked and that's about it.

If you have a separate gateway router between the public Internet and the MikroTik nodes, forward TCP port 1723 (which is PPTP) from the gateway router to the private IP address of the first MT node. You also need to forward protocol 47 (GRE) the same way. Some routers do that for you automatically when you forward port 1723. Other routers have special ways of forwarding protocols rather than ports.

Note that you do NOT need to forward port 8291 at all. Once the VPN tunnel is set up, any request from winbox on port 8291 will appear to originate from inside the first MT node.

A previous response to this post mentioned VPN also, but I saw more posts after that one so I thought I'd add some more details.

Please let me know if this helps you out.

Does anyone think this would be worth a Wiki entry?
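
The gateway-node side of the setup described in this post, as an added example (not dsobin's actual configuration): RouterOS commands that enable the PPTP server, give one user a fixed address on the private subnet, and limit which source may reach the server. The subnet 10.5.50.0/24, the bridge name wds-bridge, the WAN interface ether1, the user name nms, the password placeholder and the client address 203.0.113.10 are all assumptions.

```routeros
# --- On the gateway node ---

/interface pptp-server server
# Accept MS-CHAPv2 only; pap, chap and mschap1 stay disabled.
set enabled=yes authentication=mschap2

/ppp secret
# Fixed tunnel address from the private subnet, outside any DHCP pool.
add name=nms service=pptp password="CHANGE-ME-long-random" \
    local-address=10.5.50.1 remote-address=10.5.50.250

/interface bridge
# The tunnel client is not on the bridge at layer 2. proxy-arp makes
# the gateway answer ARP for 10.5.50.250 so other nodes can reply.
set wds-bridge arp=proxy-arp

/ip firewall address-list
# Constructed address of the network management client.
add list=mgmt address=203.0.113.10 comment="NMS client (example)"

/ip firewall filter
# PPTP control channel (TCP 1723) and GRE (protocol 47) are accepted
# from the management source only. Place these ahead of any broader
# accept rule already present in the input chain.
add chain=input protocol=tcp dst-port=1723 src-address-list=mgmt \
    action=accept
add chain=input protocol=gre src-address-list=mgmt action=accept
add chain=input protocol=tcp dst-port=1723 action=drop
add chain=input protocol=gre action=drop
# Winbox is not forwarded or opened on the WAN side; it is reached
# through the tunnel, as the post notes.
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 \
    action=drop
```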

Re: How to manage multiple Access Points when using WDS

Posted: Sat Sep 29, 2007 6:52 am
by kanch
I think it should go in the Wiki for sure. Great post

Re: How to manage multiple Access Points when using WDS

Posted: Sat Sep 29, 2007 12:55 pm
by davidw
awesome - will give it a go - thanks for the tip

Re: How to manage multiple Access Points when using WDS

Posted: Sat Sep 29, 2007 12:59 pm
by davidw
I should clarify something - this is good for managing using winbox but for monitoring using dude it won't work so well if the vpn connection drops and does not reconnect.

Our solution was to use port forwarding using dst-nat etc and the "make binding" function - if anyone is interested I will post the configs.

Re: How to manage multiple Access Points when using WDS

Posted: Sun Sep 30, 2007 8:04 am
by dsobin
After my last post, we started using Dude via VPN (pptp) and found that it works fine. We've had the connection up since right after that post with no problems. Also, I'm told that we can configure this VPN connection to auto reconnect if it drops.

What is your concern about having the VPN drop? Has this happened after you tried it? Since the VPN is just a connection over an existing hardwired Internet connection, what might cause it to drop?

We are counting on continuing to use VPN tunnels for the Dude, so any experience you might have with VPN's dropping, or any other problems with this configuration, would be of interest to us.

Re: How to manage multiple Access Points when using WDS

Posted: Sun Sep 30, 2007 8:15 am
by davidw
I would have thought that if the modem connection drops the adsl connection the chances of it reconnecting are slim - just a gut feel - I have nothing to base this on. I will do some testing over the next few weeks and let you know.

Question for you: How many separate vpn connections will you be maintaining ?

Re: How to manage multiple Access Points when using WDS

Posted: Mon Oct 01, 2007 1:14 am
by dsobin
We currently have 3 VPN connections up to different parts of our network, each with a different subnet. Each subnet has between 5 and 10 nodes.

We use DSL at our main location, and it drops for only a few minutes maybe once every 3 months, usually in the early hours of the morning. I assume this is maintenance downtime from Verizon.

Since we have a hotspot at the gateway node of each subnet, we also use a make-binding/bypass entry on the hotspot for each node on the subnet.

I think we need a wiki for "How to access servers with static-IP behind a hotspot". We struggled for awhile before figuring it out.

Re: How to manage multiple Access Points when using WDS

Posted: Thu Oct 04, 2007 1:51 pm
by enrique
Hello davidw.

Come on, post your solution here, it is very interesting.

regards