I have 5 ports Wired Mikrotik router with hotspot accounts.

port 1: WAN (connect to modem)
port 2 : connected to Acess point 1 (AP1)
port 3 : connected to Acess point 2 (AP2)
port 4 : connected to Acess point 3 (AP3)
port 5: connect to home router

port 2-5 are LAN and they are bridge.

In the modem
WAN PPoE
LAN :192.168.0.1

Mikrotik WAN: 192.168.0.50
Mikrotik LAN: 192.168.1.1/24

home router WAN: 192.168.1.50
home router LAN: 192.168.2.1/24

AP1,AP2 and AP3's IPs are 192.168.1.100, 192.168.1.150, 192.168.1.200 respectively.

Problem:
when I am connect to the home router I can not access any of the APs pages but I can go to the modem page and Mikrotik router page.
but when I connect to any of APs, I can access any of the APs and I can go to the modem modem page and Mikrotik router page

In all cases, the internet is working fine but I want to be able to access the AP when I am connected to the home router.

Extra:
I did tracert to AP1 (192.168.1.100)
when I am connected to any of the access points (AP2), the result is
when I am connected to the home router, the result is:

Tracing route to 192.168.2.200 over a maximum of 30 ho

I almost had the same problem.

http://forum.mikrotik.com/viewtopic.php?f=14&t=37469

It is quite diffrent problem

The problem is actually the way you've set up your home router (HR). Firstly you've not included the gateway's you've set for your HR WAN but I know that you've included the mikrotik (MT) IP and the Modem IP in the gateway list. If you hadn't you'd not be able to see the web page for the MT and modem. Just so you know, adding the modem IP into the gateway list on your HR is actually redundant because if the MT is down, the HR won't be able to communicate with the modem.

Because you've put the IP addresses 192.168.0.1 and 192.168.1.1 into the WAN settings of the HR it has a route to them. The HR can resolve any requests to the modem or the MT from the 192.168.2.x network, via LAN to the WAN and then to the relevant device. However when you send a request to any other 192.168.1.x IP address the HR is unable to resolve it. It simply isn't clever enough in it's current settings to understand what to do with a request to 192.168.1.100 as you've not set up this route in the HR. Hence why it's not working for addresses 192.168.1.100 .150 or .200. Pings to these address will get a timeout or host not found and also why pings to the MT and modem will be resolved via the WAN.

Whilst it may be possible to add routes and/or dst/src nats in your HR to resolve these specific requests this is a MT forum and you'll need to goto the forum for your specific HR. You could set up a VPN from your HR to the MT but that's also a massive pain and very difficult given there is a very simple MT solution. Whilst I've told you how to do it below you can check out DNS static entries at http://wiki.mikrotik.com/wiki/DNS#Static_DNS_Entries for more information.

From winbox go IP / DNS / static

If you add these static entries;
name= http://www.modem.local address= 192.168.0.1 (technically not needed as this already is NAT'ed but shouldn't be on the HR)
name= http://www.mikrotik.local address=192.168.1.1 (technically not needed as this already is NAT'ed by the HR)
name= http://www.ap1.local address= 192.168.1.100
name= http://www.ap2.local address= 192.168.1.150
name= http://www.ap3.local address= 192.168.1.200

As all DNS traffic will automatically be routed via your home router to the MT, the MT will see that you are accessing something in it's static list and will 'serve' this DNS lookup directly on a LAN only basis (no internet used!!!) and point your browser to the correct ip address. This won't allow anything other than DNS lookup to be forwarded but you'll be able to log into your AP's as if you were on the same network, that's because the HR will assume your browsing the internet and forward traffic onto the gateway which is the MT. To access your ap's all you need to do is type in the relevant url in a web browser.

From behind the HR you still won't be able to ping 192.168.1.100 but you will be able to ping http://www.ap1.local and get a response that way.

Additionally the URL's will work anywhere behind the MT device, no matter how many times you route your traffic.

I hope this helps you, I currently don't have an MT devices to play with, nor any AP's to test this on as I'm at home for Xmas! Shouldn't take more than a few minutes for you to test though

Warmly

Josh Oliver

If you add these static entries;
name= http://www.modem.local address= 192.168.0.1 (technically not needed as this already is NAT'ed but shouldn't be on the HR)
name= http://www.mikrotik.local address=192.168.1.1 (technically not needed as this already is NAT'ed by the HR)
name= http://www.ap1.local address= 192.168.1.100
name= http://www.ap2.local address= 192.168.1.150
name= http://www.ap3.local address= 192.168.1.200



Josh Oliver

I did this in the Mikrotik but I couldn't connect to AP by the url. If you look at my ping it says that Mikrotik doesn't allow moving from 192.168.1.1 to 192.168.1.100. But when your are connecting to one of the APs, you don't need to pass the Mikrotik.

Note: the home router is not Mikrotik. It is Buffalo WHR-HP-G54 with dd-wrt setup page

Sorry, as I said before I don't have anything at home to test with .....

Figured the DNS mapping would work, sorry that it didn't. Just a little thought that may or may not be helpful, but it seems that whilst the Mikrotik is able to forward from the bridged interfaces to the WAN interface, there may be a rule stopping it 'backward' routing from ether0 back to the bridged interfaces. A simple way to test this is ping via winbox from the WAN interface and see if it's able to ping the AP's themselves. This may highlight that a firewall rule or routing setup is preventing access from WAN -> APs. This would also explain why the DNS mapping may not have worked.

The reason that pings work from behind the AP's is that the traffic isn't being routed, it's just going from one bridged interface to the other without the MT altering the packets in any way (i.e. traffic not passing onto the wan interface).

I'm sorry for assuming the error was with your home router, I appear to have misunderstood your first post . . .

Festively; Josh.

Sorry, as I said before I don't have anything at home to test with .....

Figured the DNS mapping would work, sorry that it didn't. Just a little thought that may or may not be helpful, but it seems that whilst the Mikrotik is able to forward from the bridged interfaces to the WAN interface, there may be a rule stopping it 'backward' routing from ether0 back to the bridged interfaces. A simple way to test this is ping via winbox from the WAN interface and see if it's able to ping the AP's themselves. This may highlight that a firewall rule or routing setup is preventing access from WAN -> APs. This would also explain why the DNS mapping may not have worked.

The reason that pings work from behind the AP's is that the traffic isn't being routed, it's just going from one bridged interface to the other without the MT altering the packets in any way (i.e. traffic not passing onto the wan interface).

I'm sorry for assuming the error was with your home router, I appear to have misunderstood your first post . . .

Festively; Josh.

Winbox ping to the AP timed out when I am coonected to the home router

Do you have the AP addresses bypassed through your hotspots?
/ip hotspot ip-binding
add address=192.168.0.100 type=bypassed
add address=192.168.0.150 type=bypassed
add address=192.168.0.200 type=bypassed

Do you have the AP addresses bypassed through your hotspots?
/ip hotspot ip-binding
add address=192.168.0.100 type=bypassed
add address=192.168.0.150 type=bypassed
add address=192.168.0.200 type=bypassed

thank you. It worked