dean-za
just joined
Topic Author
Posts: 10
Joined: Tue Feb 15, 2005 1:26 am

Virtual AP

Thu May 26, 2005 11:04 am

Hi Guys
I have an integrated board with an atheros5213a. I want to set up 2 separate wireless networks, one for me and one for clients. I have already set up ether1 with an IP on my LAN, 192.168.3.11/24, and wlan1 with 172.16.0.1/24. I then enabled masq for wlan1 and set up DHCP etc., and can connect using 40-bit WEP, get a 172.16.0.x IP and connect to the internet through the gateway on the LAN, 192.168.3.1. Then I set up a virtual AP with a much higher WEP setting and the 172.16.1.x network. This works OK but is not what I want. Essentially I want to have a network address from my LAN, i.e. 192.168.3.6x, on wlan2 (virtual AP). I read that for this I must have bridging turned on, correct? Also, if this works, how can I stop clients using a 172.16.0.x IP from accessing anything but a specific IP on my LAN? I want them to be able to connect to the internet and maybe my Asterisk server, to be able to call me, but nothing else. Is this simply a firewall rule? And if so, how, with masquerade running? I hope all of this made sense.

Regards
Dean
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: Virtual AP

Thu May 26, 2005 11:51 am

> Essentially I want to have a network address from my lan ie 192.168.3.6x on wlan2 (virtual AP). I read that for this I must have bridging turned on ? correct ?

Yes, that's correct.

> Also If this works how can I stop client using 172.16.0.x ip from accessing anything but specific ip on my lan , I want them to be able to connect to internet and maybe my asterisk server to be able to call me but nothing else. Is this simply firewall rule ? And if so how with masquerade running ?

Why would you want to masquerade between lan and wlan1?
Just masquerade to the internet and route between your internal networks.

--Tom
 
dean-za
just joined
Topic Author
Posts: 10
Joined: Tue Feb 15, 2005 1:26 am

Thu May 26, 2005 12:03 pm

> Yes, that's correct.

Do I assign the LAN IP 192.168.3.11 and the wlan2 IP 192.168.3.12, and then create the bridge and add these two interfaces to the bridge? Does the bridge itself not get an IP?

> Why would you want to masquerade between lan and wlan1?
> Just masquerade to the internet and route between your internal networks.

The gateway to the internet is on my LAN, 192.168.3.1, so currently wlan1 with network 172.16.0.0 is masqueraded to 192.168.3.11. Should this be different?
I only want this masq traffic to be able to go out the gateway and maybe one other IP on the LAN, 192.168.3.5.

Thanks for your help Tom.
Dean
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Thu May 26, 2005 1:02 pm

> Do I assign the lan ip 192.168.3.11 and the wlan2 ip 192.168.3.12 and then create the bridge and add these two interfaces to the bridge ? Does the bridge itself not get an IP ?

You can do it either way, i.e. have IP addresses from the 192.168.3.0/24 on both physical interfaces, or on only one of them, or neither on lan nor wlan1 but only assign an IP address to the bridge (that would make the most sense I think, why would you need more than one address from 192.168.3.0/24 on the router).

> the gateway to the internet is on my lan 192.168.3.1 so currently wlan1 with network 172.16.0.0 is masqueraded to 192.168.3.11 should this be different ?

In that situation I'd prefer to just add a route to your wlan1 network 172.16.0.0 via your MikroTik router on your internet gateway. NAT always makes you lose information (source IP etc.) and tends to introduce additional complexity, so why NAT if you don't need to? While you're in RFC1918 space you almost never need to NAT, unless you have overlapping addresses and can't resolve this for some reason.

--Tom
 
dean-za
just joined
Topic Author
Posts: 10
Joined: Tue Feb 15, 2005 1:26 am

Thu May 26, 2005 1:48 pm

> In that situation I'd prefer to just add a route to your wlan1 network 172.16.0.0 via your MikroTik router on your internet gateway.

OK, this all makes sense. With the route on my gateway I can connect to the network. I suppose my last question is: how do I prevent all machines in the 172.16.0.2-172.16.0.254 range from accessing any machines on my network except the default gateway?

Thanks again for your help.

Dean
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Thu May 26, 2005 2:27 pm

> I suppose my last question is how do I prevent all machines in the 172.16.0.2-172.16.0.254 range from accessing any machines on my network except the default gateway ?

Use the firewall capabilities of the MikroTik router, see

http://www.mikrotik.com/docs/ros/2.8/ip/firewall

Note that you probably do not need to communicate with the
internet gateway itself from the 172.16.0.2-172.16.0.254 range
but just through the internet gateway to all of the internet.
Keep that in mind when you configure the firewall filter rules
(it might make sense to be liberal with ICMP, so you at least get
a clean traceroute and working Path-MTU-Discovery, though).

--Tom
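
A forward-chain rule set matching the advice in the reply above, added here as an example (it is not from the thread or from MikroTik's documentation). It uses the `/ip firewall filter` syntax of current RouterOS (v6/v7) rather than the 2.8 syntax of the linked manual, and assumes the routed, no-NAT layout discussed in the thread: clients on wlan1 in 172.16.0.0/24, the LAN in 192.168.3.0/24, and 192.168.3.5 as the one LAN host clients may reach.

```routeros
# Added example, not from the thread. Assumed layout (taken from the posts):
#   wlan1           = client network 172.16.0.0/24, routed (no masquerade)
#   LAN             = 192.168.3.0/24 (ether1 bridged with the virtual AP)
#   192.168.3.5     = the single LAN host clients may talk to
#   192.168.3.1     = internet gateway; clients route THROUGH it, not TO it
# Rules are evaluated top to bottom; the first match wins.

/ip firewall filter

# 1. Replies to connections that were already allowed, plus related ICMP
#    errors (fragmentation-needed, time-exceeded) so Path MTU Discovery
#    and traceroute keep working in both directions.
add chain=forward connection-state=established,related action=accept \
    comment="return traffic and related ICMP errors"

# 2. Liberal ICMP from the client network, as suggested in the reply.
add chain=forward in-interface=wlan1 src-address=172.16.0.0/24 \
    protocol=icmp action=accept comment="client ICMP"

# 3. The one permitted LAN destination.
add chain=forward in-interface=wlan1 src-address=172.16.0.0/24 \
    dst-address=192.168.3.5 action=accept comment="clients to 192.168.3.5"

# 4. Everything else addressed to the LAN is dropped. This includes the
#    gateway's own address 192.168.3.1; packets for the internet carry an
#    internet destination address and do not match this rule.
add chain=forward in-interface=wlan1 src-address=172.16.0.0/24 \
    dst-address=192.168.3.0/24 action=drop comment="clients to rest of LAN"

# 5. Remaining client traffic is internet-bound and is allowed.
add chain=forward in-interface=wlan1 src-address=172.16.0.0/24 \
    action=accept comment="clients to internet"

# 6. Anything arriving on wlan1 with a source outside the client subnet
#    (spoofed or misconfigured) is dropped.
add chain=forward in-interface=wlan1 action=drop \
    comment="wlan1 traffic with unexpected source"
```

If clients are handed a DNS resolver that lives on the LAN (for example on the gateway itself), add an accept rule for UDP/TCP port 53 to that address above rule 4. These rules cover only forwarded traffic; access to the router's own services from wlan1 is governed by the input chain.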
