kraksna
just joined
Topic Author
Posts: 2
Joined: Wed Jun 30, 2021 12:11 am

Guest AP routing headache

Wed Jun 30, 2021 12:28 am

Hi,

I tried to make a free guest wifi for the people after a tornado, because I now have working DSL and the mobile signal is bad most of the time. It doesn't work and I'm running out of ideas what could be wrong.

I have my SSID and guest SSID. I would like for my SSID to be bridged and guest SSID routed.

Here's the config:
# jun/29/2021 23:15:37 by RouterOS 6.48.3
# software id = L91T-8RII
#
# model = RB952Ui-5ac2nD
# serial number = D3D50CD5D7FB
/interface bridge
add name=bridge1 protocol-mode=none
add mtu=1500 name=bridge2 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="czech republic" disabled=no frequency=2462 mode=ap-bridge ssid=HeslojeAhoj station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-n/ac country="czech republic" disabled=no frequency=5290 mode=ap-bridge ssid=HeslojeAhoj station-roaming=enabled wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add name=profile supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=4A:8F:5A:04:E9:B3 master-interface=wlan2 name=wlan3 security-profile=profile ssid=Verejne-wifi
add disabled=no mac-address=4A:8F:5A:04:E9:B4 master-interface=wlan1 name=wlan4 security-profile=profile ssid=Verejne-wifi
/ip pool
add name=dhcp_pool1 ranges=172.16.0.2-172.16.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/snmp community
add addresses=0.0.0.0/0 name=xpear1x
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge filter
add action=accept chain=forward in-interface=wlan3
add action=accept chain=forward out-interface=wlan3
add action=accept chain=forward in-interface=wlan4
add action=accept chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge2 interface=ether2
add bridge=bridge2 interface=ether3
add bridge=bridge2 interface=ether4
add bridge=bridge2 interface=ether5
add bridge=bridge2 interface=wlan2
add bridge=bridge2 interface=wlan1
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=bridge2 list=LAN
/ip address
add address=10.0.0.195/24 interface=bridge2 network=10.0.0.0
add address=172.16.0.1 interface=bridge1 network=172.16.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=9.9.9.9 gateway=172.16.0.1 netmask=24
/ip dns
set servers=10.0.0.138
/ip firewall filter
add action=accept chain=forward dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge2
/ip route
add distance=1 gateway=10.0.0.138
/snmp
set contact=tomas enabled=yes location=h22 trap-community=xpear1x
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=miniap3-5g-garaz
/system upgrade mirror
set primary-server=10.0.0.166
/tool sniffer
set filter-interface=bridge2 filter-ip-address=9.9.9.9/32
Now, I connect my client to the "Verejne-wifi" SSID, I get an IP from DHCP, it's a correct IP from the defined pool. I try to ping 9.9.9.9 and watch on my router (the GW of the AP = 10.0.0.138) via tcpdump. Packets are correctly natted behind 10.0.0.195 and return traffic is going back to 10.0.0.195.

The client doesn't receive any pings back (all end with timeout). Packet sniffer running on the AP catches the following:
[admin@miniap3-5g-garaz] > /tool sniffer packet print
 #    TIME INTERFACE  SRC-ADDRESS  DST-ADDRESS   IP-PROTOCOL  SIZE CPU FP
 0   0.132 bridge2    10.0.0.195   9.9.9.9       icmp           64   0 no
 1   0.158 bridge2    9.9.9.9      10.0.0.195    icmp           64   0 no
 2   0.159 bridge2    9.9.9.9      172.16.0.254  icmp           64   0 no
 3   1.161 bridge2    10.0.0.195   9.9.9.9       icmp           64   0 no
 4   1.187 bridge2    9.9.9.9      10.0.0.195    icmp           64   0 no
 5   1.187 bridge2    9.9.9.9      172.16.0.254  icmp           64   0 no
 
It appears that the packets towards the client are leaving via the wrong interface, but I can't figure out why.

It's possible that there are some unnecessary things configured, because I tried to fiddle with different checkboxes (it actually works as a troubleshooting method on checkpoint firewalls, apparently not here...)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest AP routing headache

Wed Jun 30, 2021 5:35 pm

Suggest reading this link. I am not conversant in a config using bridge filters.
Also not seeing all the subnets defined for the users, and where is wlan1 and wlan2 etc...
Seems to be much missing?

viewtopic.php?f=23&t=143620
 
kraksna
just joined
Topic Author
Posts: 2
Joined: Wed Jun 30, 2021 12:11 am

Re: Guest AP routing headache

Wed Jun 30, 2021 5:40 pm

An independent consultant found out that there was no mask specified on the bridge1 interface IP.

Fix & reboot did the trick.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Guest AP routing headache  [SOLVED]

Wed Jun 30, 2021 5:42 pm

add address=172.16.0.1 interface=bridge1 network=172.16.0.0
=>
add address=172.16.0.1/24 interface=bridge1 network=172.16.0.0
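
Added example, not part of the original thread: a small Python check over the /ip address and /ip route lines of the export above. It flags addresses written without a prefix length and shows which interface a reply to 172.16.0.254 is routed out of, before and after the fix. It assumes an address without a prefix length is treated as /32; the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the /ip address and /ip route entries copied from the export above.
BROKEN = """\
/ip address
add address=10.0.0.195/24 interface=bridge2 network=10.0.0.0
add address=172.16.0.1 interface=bridge1 network=172.16.0.0
/ip route
add distance=1 gateway=10.0.0.138
"""
FIXED = BROKEN.replace("address=172.16.0.1 ", "address=172.16.0.1/24 ")

def parse(export):
    """Collect the key=value pairs of every 'add' line, grouped by menu path."""
    menus, current = {}, None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif current is not None and line.startswith("add "):
            current.append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def missing_prefix(export):
    """Addresses written without a prefix length."""
    return [e["address"] for e in parse(export)["/ip address"] if "/" not in e["address"]]

def connected_routes(export):
    """Connected routes per address entry. Assumption: no prefix length means /32."""
    routes = []
    for e in parse(export)["/ip address"]:
        prefix = e["address"].partition("/")[2] or "32"
        routes.append((ipaddress.ip_network(f'{e["network"]}/{prefix}'), e["interface"]))
    return routes

def egress(dst, export):
    """Interface chosen for dst: longest connected prefix, else via the default gateway."""
    dst = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, ifc) for net, ifc in connected_routes(export) if dst in net]
    if hits:
        return max(hits)[1]
    gateway = parse(export)["/ip route"][0]["gateway"]
    return egress(gateway, export)  # the gateway itself sits on a connected subnet here

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, missing_prefix(cfg), "172.16.0.254 leaves via", egress("172.16.0.254", cfg))
```

With the broken entry the guest client's address matches no connected route, so the reply follows the default route out bridge2, which is what the sniffer output in the first post shows.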
