Hammer
newbie
Topic Author
Posts: 40
Joined: Sat Sep 20, 2014 6:39 am

Managed AP behind double NAT

Mon Mar 30, 2015 2:29 am

Hi all,
I'm testing a possible scenario here and need your advice (see PDF). I want to manage several hotspot APs behind double NAT and use a central MikroTik User Manager as RADIUS server. I have tested MikroTik User Manager on the AP and it works.

FYI: I can change nothing at the "Home Router ISP"; those are just as they are!

I did a test configuration. Because of the double NAT I have used OpenVPN for the first time. OpenVPN works, and from the OVPN interface I can ping everything, but I have problems with the routing. I cannot reach the APs with Winbox from the LAN network; ping is not possible either. Once this works I still have to solve the routes for the central RADIUS.

Has anyone done something like this? Recommendations? Should this be possible with MikroTik devices? What do I need to do to access the APs from the remote LAN via VPN (Winbox)? A static route?
I am doing this for a charity project and am grateful for support!
Managed-AP.behind-NAT.png
 
Hammer
newbie
Topic Author
Posts: 40
Joined: Sat Sep 20, 2014 6:39 am

Re: Managed AP behind double NAT

Tue Mar 31, 2015 8:30 am

As an example, the route lists:

Route List WLAN AP
 #      DST-ADDRESS        PREF-SRC         GATEWAY             DISTANCE
 0 ADS  0.0.0.0/0                           192.168.1.1         1
 1 ADS  10.51.0.0/24                        10.51.0.1           0
 2 ADC  10.51.0.1/32       10.51.0.2        ovpn-a1001          0
 3 ADC  10.0.1.0/24        10.0.1.1         bridge-hotspot      0
 4 ADC  10.88.0.0/24       10.88.0.1        bridge-loopback     0
 5 ADC  192.168.1.0/24     192.168.1.153    bridge-transit      0

Route List Management LAN
 #      DST-ADDRESS        PREF-SRC         GATEWAY             DISTANCE
 0 A S  0.0.0.0/0                           81.23.45.67         1
 3 ADC  10.51.0.2/32       10.51.0.1        <ovpn-ovpn-a1001>   0
 4 ADC  81.23.45.67/32     81.23.45.68      ether1-gateway      0
 5 ADC  10.200.0.0/24      10.200.0.1       bridge-LAN          0

From both ovpn-a1001 interfaces I can ping everything.
The loopback bridge is temporary, for the local MikroTik User Manager.

What must I do to be able to manage the AP via Winbox over the OVPN from "bridge-LAN"?
What do I need to do to access the centralized MikroTik User Manager from the AP over the OVPN?

Thank You
 
Hammer
newbie
Topic Author
Posts: 40
Joined: Sat Sep 20, 2014 6:39 am

Re: Managed AP behind double NAT

Tue Mar 31, 2015 12:13 pm

I was able to help myself: two static routes were missing.
#Site A
/ip route
add distance=1 dst-address=10.0.1.0/24 gateway=10.51.0.2

#Site AP
/ip route
add distance=1 dst-address=10.100.0.0/24 gateway=10.51.0.1

Now I have an additional problem. The AP gets its IP and GW via DHCP (e.g. IP 192.168.1.123; GW 192.168.1.1). I want to make sure that other clients on the subnet (192.168.1.0) can NOT be reached by the AP clients. I can usually do this with the FW:
add action=drop chain=forward comment="Drop Access to Clients in Subnet (only Access to Gateway)" disabled=no dst-address=192.168.1.2-192.168.1.254 src-address=10.0.1.0/24
But I want a universal solution. I do not know in advance which address I will get via DHCP, and in that case I would not like to always check and configure manually.

Does anyone have an idea?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Managed AP behind double NAT

Tue Mar 31, 2015 3:30 pm

You could use VRF to keep the master routing table and the hotspot routing table completely isolated from each other.
Have the "plug me in anywhere" interface with dhcp client and so forth.

Assign the management interface, hotspot user LAN, and ovpn tunnel interfaces into a VRF.
Add a static default gateway on the VRF which points through the tunnel.

On the server, you won't need VRF.

You could also create a port on the main VRF which has the same IP on every AP (10.10.10.1/24 or some 'well-known' address) just for local management access.
 
Hammer
newbie
Topic Author
Posts: 40
Joined: Sat Sep 20, 2014 6:39 am

Re: Managed AP behind double NAT

Tue Mar 31, 2015 4:54 pm

Thanks for the answer,

I understand: I have two routing tables and can route the way I want. But I do not want to route Internet traffic from the hotspot into the VPN tunnel. Can I still use VRF and use a /32 GW? Can I use gateway= and then the interface?

example:
add dst-address=0.0.0.0/32 gateway=ether2 routing-mark=vrf-ap
 
Hammer
newbie
Topic Author
Posts: 40
Joined: Sat Sep 20, 2014 6:39 am

Re: Managed AP behind double NAT

Tue Mar 31, 2015 5:06 pm

I think that was a bad idea of mine; this will not work.
Can I make it so that the other IP addresses are not listed in the ARP table? Then one could not access the other clients, or do I understand that wrong?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Managed AP behind double NAT

Tue Mar 31, 2015 6:17 pm

If you want the management to be isolated on the VRF, then just make the VPN interface be on the VRF, put a VRF default gateway = VPN, and you're done.

Tunnel packets, hotspot traffic, etc. will all go on the main routing table.
Then if you want the AP to only be available for DHCP/DNS/ping (such things end users would need for functionality / self-help), make an input filter chain that says: allow established,related / allow everything on the VPN interface / allow DHCP/DNS/ping on any interface / drop everything else.
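A concrete RouterOS v6 configuration for the split described above, added here as an example (it is not from the thread and not ZeroByte's own config). It reuses the names from the route lists earlier in the thread (ovpn-a1001 with 10.51.0.2 local / 10.51.0.1 on the server, bridge-hotspot 10.0.1.0/24, bridge-transit as the DHCP-client uplink, 10.200.0.0/24 as the management LAN). The VRF name mgmt, the User Manager address 10.200.0.10, the hotspot portal ports and the route rule that pushes locally generated RADIUS traffic into the VRF are assumptions:

```routeros
# Added example, RouterOS v6 syntax, applied on the AP (not config from the thread).
# Assumed names: ovpn-a1001 = OpenVPN client interface (local 10.51.0.2, server 10.51.0.1),
# bridge-hotspot = hotspot users 10.0.1.0/24, bridge-transit = "plug me in anywhere" uplink
# with the DHCP client, 10.200.0.0/24 = management LAN, 10.200.0.10 = User Manager (assumed).

# 1. Management plane: its own routing table ("mgmt") whose only exit is the tunnel.
#    The OpenVPN transport packets (to the server's public address) are still routed by
#    the main table via the DHCP-learned default gateway, so they are unaffected.
/ip route vrf
add routing-mark=mgmt interfaces=ovpn-a1001 comment="management plane"

/ip route
add dst-address=0.0.0.0/0 gateway=10.51.0.1 routing-mark=mgmt distance=1 \
    comment="mgmt default: everything arriving through the tunnel answers through the tunnel"

# 2. Locally generated RADIUS requests must also use the mgmt table. They are sourced
#    from the tunnel address, and a route rule selects the table by source address.
/ip route rule
add src-address=10.51.0.2/32 action=lookup-only-in-table table=mgmt \
    comment="AP-originated traffic from the tunnel IP (RADIUS) stays in mgmt"
/radius
add address=10.200.0.10 src-address=10.51.0.2 service=hotspot secret=CHANGE-ME \
    comment="central User Manager, reached only via the tunnel (address assumed)"

# 3. Main table stays as the DHCP client builds it: default route from the home router,
#    hotspot Internet traffic NATed out of bridge-transit.
/ip dhcp-client
set [find interface=bridge-transit] add-default-route=yes use-peer-dns=yes

# 4. Input chain: the AP itself is manageable only over the tunnel; hotspot users get
#    DHCP, DNS, ICMP and the hotspot login portal, nothing else.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ovpn-a1001 action=accept \
    comment="Winbox/SSH/RADIUS replies only via the VPN"
add chain=input in-interface=bridge-hotspot protocol=udp dst-port=67 action=accept comment="DHCP"
add chain=input in-interface=bridge-hotspot protocol=udp dst-port=53 action=accept comment="DNS"
add chain=input in-interface=bridge-hotspot protocol=tcp dst-port=53 action=accept comment="DNS"
add chain=input in-interface=bridge-hotspot protocol=tcp dst-port=80,443 action=accept \
    comment="hotspot login portal (ports assumed)"
add chain=input protocol=icmp action=accept comment="ping for self-help"
add chain=input in-interface=bridge-transit protocol=udp src-port=67 dst-port=68 action=accept \
    comment="DHCP offers from the home router"
add chain=input action=drop comment="everything else, including Winbox from the home LAN"
```

On RouterOS v7 the same split is `/ip vrf add name=mgmt interfaces=ovpn-a1001` with `routing-table=mgmt` on the default route instead of `routing-mark`. After applying, verify from the management LAN with `ping 10.51.0.2` and a Winbox connection to it, and on the AP with `/ip route print where routing-mark=mgmt`; the RADIUS path can be checked with `/radius monitor 0` once a hotspot user logs in. Replace the placeholder secret before use.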
 
Hammer
newbie
Topic Author
Posts: 40
Joined: Sat Sep 20, 2014 6:39 am

Re: Managed AP behind double NAT

Tue Mar 31, 2015 7:25 pm

I think that does not solve my problem, or I understand it wrong.

I would like to block access to the clients in the private subnet. The access point is plugged in by a student. If the AP gets an IP via DHCP, everything should work, and it connects via OpenVPN to the central RADIUS server (MikroTik User Manager). If necessary I can connect remotely to the router via the VPN tunnel.

If the access point gets IP 192.168.1.123, I do not want hotspot users to have access to the 192.168.1.20 client PC, printer, ... Hotspot users only use the 192.168.1.1 gateway. I can do that with a FW rule:
add action=drop chain=forward comment="Drop Access to Clients in Subnet (only Access to Gateway)" disabled=no dst-address=192.168.1.2-192.168.1.254 src-address=10.0.1.0/24
But it need not be 192.168.1.1 that is used, so I would have to check each time manually.
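A universal version of the rule posted above (and of the same rule in the earlier post), added here as an example; it is not code from the thread. It keeps the thread's names (hotspot subnet 10.0.1.0/24, DHCP-client uplink bridge-transit, OVPN transfer net 10.51.0.0/24, management LAN 10.200.0.0/24). The address-list names, the RFC 1918 blanket list and the DHCP-client lease script are assumptions. The blanket drop alone already removes the need to know the home subnet in advance, because a hotspot user's Internet traffic never carries a private destination; the script variant additionally allows exactly the learned gateway, which is what the manual rule intended. RouterOS v6 syntax; `$bound`, `$interface` and `$"gateway-address"` are the documented DHCP-client script variables, and the script assumes the dynamic /ip address entry already exists when it fires with `$bound=1`:

```routeros
# Added example, RouterOS v6 (not config from the thread). Hotspot users are 10.0.1.0/24
# on bridge-hotspot; the uplink with the DHCP client is bridge-transit (names from the
# thread). List names, the RFC 1918 list and the lease script are assumptions.

# 1. Blanket rule: whatever subnet the home router hands out, a hotspot user has no
#    business with any private address beyond the AP. The management side is listed
#    separately so it is dropped first and never accidentally allowed.
/ip firewall address-list
add list=mgmt-nets address=10.51.0.0/24  comment="OVPN transfer net"
add list=mgmt-nets address=10.200.0.0/24 comment="management LAN behind the OVPN server"
add list=rfc1918   address=10.0.0.0/8
add list=rfc1918   address=172.16.0.0/12
add list=rfc1918   address=192.168.0.0/16

/ip firewall filter
add chain=forward src-address=10.0.1.0/24 dst-address-list=mgmt-nets action=drop \
    comment="hotspot users never reach the management side"
add chain=forward src-address=10.0.1.0/24 dst-address-list=upstream-gw action=accept \
    comment="only the home router itself (list filled by the DHCP-client script below)"
add chain=forward src-address=10.0.1.0/24 dst-address-list=rfc1918 action=drop \
    comment="every other private destination: PCs, printers, neighbours"
# These three rules must sit above any generic forward accept rule
# (Winbox: drag them to the top; CLI: /ip firewall filter move).

# 2. Precise variant: let the DHCP client tell the firewall which subnet and gateway it
#    received. The script runs on every lease change (bound=1 on bind/renew, 0 on release)
#    and rebuilds the two lists, so a new home router or a new lease needs no manual edit.
/ip dhcp-client
set [find interface=bridge-transit] script={
    /ip firewall address-list remove [find list=upstream-lan]
    /ip firewall address-list remove [find list=upstream-gw]
    :if ($bound = 1) do={
        # dynamic address the DHCP client just installed on this interface
        :local id [/ip address find interface=$interface dynamic=yes]
        :if ([:len $id] > 0) do={
            :local addr [/ip address get $id address]
            :local net  [/ip address get $id network]
            # prefix length is the part of "a.b.c.d/len" after the slash
            :local plen [:pick $addr ([:find $addr "/"] + 1) [:len $addr]]
            /ip firewall address-list add list=upstream-lan \
                address=($net . "/" . $plen) comment=("learned on " . $interface)
        }
        /ip firewall address-list add list=upstream-gw address=$"gateway-address" \
            comment="home router, the only upstream host hotspot users may reach"
    }
}

# 3. If the RFC 1918 blanket is too broad for a site, the learned subnet can be dropped
#    instead (same position in the chain as the rfc1918 rule above):
/ip firewall filter
add chain=forward src-address=10.0.1.0/24 dst-address-list=upstream-lan action=drop \
    disabled=yes comment="narrow alternative: only the DHCP-learned home subnet"
```

After plugging the AP into a new network, `/ip firewall address-list print where list~"upstream"` should show the learned subnet and gateway; `/ip dhcp-client release` followed by a renew exercises the script. When pasting into the Winbox DHCP client "Script" field, paste only the body between the braces.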
