I have a routed network, with a rb450 and userman sitting on the 11 vlan @ 192.168.11.214, one hotspot sitting on the same vlan at 192.168.11.250, one hotspot sitting on the 192.168.22.250 vlan etc. Radius authentication is working fine but the moment I enter a second gateway on the 22.250 hotspot to route 0.0.0.0/0 to 192.168.11.214 it says unreacable, I can however ping this interface and access anything else on my routed network. Where am I going wrong, I still have to add another 6 hotspots to the routed network on different vlan's.

joshi,

please paste your routing table, ip addresess, and intefaces.

also information from where to where you are not able to connect to.

Hi Cieplik

These are my actual ip's and routes.

/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1526 mac-address=00:0C:42:97:05:D4 mtu=1500 name=ether1 speed=100Mbps
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" group-key-update=5m interim-update=0s management-protection=disabled \
management-protection-key="" mode=none name=default radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none \
static-key-0="" static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 \
supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key=""
/interface wireless
set 0 adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 area="" arp=enabled band=2ghz-b/g basic-rates-a/g=6Mbps basic-rates-b=1Mbps bridge-mode=\
enabled channel-width=20mhz compression=no country=no_country_set default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 \
default-forwarding=yes dfs-mode=none disable-running-check=no disabled=no disconnect-timeout=3s distance=dynamic frame-lifetime=0 frequency=2412 \
frequency-mode=manual-txpower frequency-offset=0 hide-ssid=no ht-ampdu-priorities=0 ht-amsdu-limit=8192 ht-amsdu-threshold=8192 ht-basic-mcs=\
mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-extension-channel=disabled ht-guard-interval=any ht-rxchains=0 ht-supported-mcs=\
mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15 ht-txchains=0 hw-fragmentation-threshold=disabled \
hw-protection-mode=none hw-protection-threshold=0 hw-retries=7 l2mtu=2290 mac-address=00:0C:42:65:AC:D9 max-station-count=2007 mode=ap-bridge mtu=1500 \
name=wlan1 noise-floor-threshold=default nv2-cell-radius=30 nv2-noise-floor-offset=default nv2-preshared-key="" nv2-qos=default nv2-queue-count=2 \
nv2-security=disabled on-fail-retry-time=100ms periodic-calibration=default periodic-calibration-interval=60 preamble-mode=both proprietary-extensions=\
post-2.9.25 radio-name=000C4265ACD9 rate-set=default scan-list=default security-profile=default ssid=Amica-Hotspot station-bridge-clone-mac=\
00:00:00:00:00:00 supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=\
2 tx-power-mode=default update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=\
disabled wireless-protocol=unspecified wmm-support=disabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:17,HT20\
-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,HT40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=3200 framer-policy=none
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 mac-address=FE:00:46:D9:E2:37 max-mtu=\
1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled \
port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 frames-per-second=25 receive-all=\
no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no \
streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no



/ip address
add address=172.17.22.200/24 comment="WLan connection to SZ" disabled=no interface=ether1 network=172.17.22.0
add address=192.168.1.1/24 disabled=no interface=wlan1 network=192.168.1.0

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.17.11.214 scope=30 target-scope=10
add disabled=no distance=1 dst-address=172.17.0.0/16 gateway=172.17.22.1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=172.17.11.0/24 gateway=ether1 scope=30 target-scope=10

The gateway ip subnet (172.17.11.x/24) on that default route must be assigned to an interface on this router. This should work:

Hi SurferTim

/ip route
add disabled=no distance=1 dst-address=172.17.0.0/16 gateway=172.17.22.1 scope=30 target-scope=10

My route 172.17.0.0/16 gateway points to all 172.17 traffick, and it works but I want 0.0.0.0 to route to 172.17.11.214. I can ping this interface from the MT. But
the route 0.0.0.0/24 gateway 172.17.11.214 says unreacable.

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.17.11.214 scope=30 target-scope=10

The top route is unreachable, eeven if I change the scope of it.

If you use the route I suggested, this router will find the 172.17.22.0/24 subnet if it is on the gateway router with the 172.17.22.1 assigned.

Hi SurferTim

it does not, as it does not get default routes from my Cisco equipment, and I have two routes out of the network, 1 for official traffick and one for visitors where
they use the backbone for connectivity but are routed out on a different gateway, bypassing all sensitive equipment on other vlans.

As I said, I can ping the 172.17.11.214 gateway from the MT, but the route says unreachable.

You may have two WAN routes from the Cisco router, but not from this MT router:

/ip address
add address=172.17.22.200/24 comment="WLan connection to SZ" disabled=no interface=ether1 network=172.17.22.0
add address=192.168.1.1/24 disabled=no interface=wlan1 network=192.168.1.0

Only one WAN subnet here. If you want to route this traffic out another interface, that should be done on the Cisco router. Unless the 192.168.1.1/24 interface is a WAN also.

Maybe I am expressing myself wrong.

I have a 172.17.0.0/16 network, my MT is 172.17.22.200 gateway 172.17.22.1, My ADSl gateway is 172.17.11.214. I can ping from both sides, (forget my wlan interface and ip.) I now want my MT to route all unknown traffick out the gateway 172.17.11.214. (Can ping it from both sides) but this route shows up as unknown. So in short I have two gateways 1. 172.17.0.0/16 gateway 172.17.22.1 2. (ether1) 0.0.0.0/0 gateway 172.17.11.214. (unknown interface)

My dillema is getting unknown traffick to use the 172.17.11.214 gateway

I don't see the interface that the ADSL subnet is connected to on this router. If it is connected to this router, then you need to assign that ip/subnet (172.17.11.x/24) to that interface. Maybe ether2?

Otherwise, if the ADSL modem is connected to another interface on the Cisco, you will need to do the gateway routing there.

The 172.17.11.214 is not attached directly to the MT

it is 172.17.22.200 -> 172.17.22.1 -> 172.17.11.1 -> 172.17.11.214

See picture

One more time:
If the 172.17.11.x/24 subnet is not assigned to this router, you CANNOT USE IT AS A GATEWAY!

So what you are telling me is that I cannot route from router to anther router if the particular vlan is not assigned to it, not all routes on the internet are attached to every router in the world.

As I am using about 30 vlans how do I then connect them, what is the function of distance scope etc.

You are routing to it. If the address is not 172.17.22.x/24 (ether1), or 192.168.1.x/24 (wlan1), then it sends the request through 172.17.22.1 (gateway for ether1).
Is the 172.17.11.x network assigned on the Cisco router on another interface?

ADD: Insure you have a route for the 192.168.1.0/24 net in the Cisco if this is not masqueraded out the ether1 interface.

The 2nd router 172.17.11.214 is on another interface. 172.17.11.1-172.17.22.1 are on the same Cisco core, and not propogating routes to the MT. So mt 172.17.22.200 is 30 km from the core 172.17.11.214 is 5 km from the core just to give you a mental picture.

Would you please post "/ip firewall nat"?
And the connection failure is happening from the wlan1 interface?

As I said forget the wlan interface, leave it disabled. See the pic. Lower left corner is the MT (Amica Guesthouse) Right hand corner is the Mikrtik (Unsupported device)

I need to route from Amica to the MT right hand corner for outgoing traffick, No nat involved at this time. everything on this network can ping any other device without problems, I want the 172.17.22.200 to use the 172.17.11.214 as a nexthop router to the outside world.

I want the 172.17.22.200 to use the 172.17.11.214 as a nexthop router to the outside world.

That is a job for the Cisco router.

ADD: Do you understand why? Because it is the only router that has both those subnets on it. The Cisco router must decide which gateway on the Cisco router you should use.

That I do understand, I just tried to not use the cisco.

I guess I though there would be an easier way of doing it, thanks for your help