rookoola
just joined
Topic Author
Posts: 3
Joined: Wed Jun 01, 2022 4:01 pm

mAp lite setup problem

Wed Jun 01, 2022 4:32 pm

Hey guys, I am somewhat new to this whole mikrotik stuff and have a configuration question regarding my - what I assume - pretty simple setup.

I have a printer with an ethernet port that I want to connect with the mAP lite via wifi to my home network, so that other devices can access it.

printer <-------- ethernet --------> mAP lite <----- wifi -------> home router <----- other devices

I already had this working in station-pseudobridge mode, but the connection was very unstable and it was interfering with other wifi devices, I presume because my home router is not a MikroTik device.

So I thought it should be possible to have this setup on layer 3 with the mAP lite configured as a router with NAT.

The important part of the config I currently have is:
  • fixed IP 192.168.88.252 for printer on ether1
  • fixed IP 192.168.1.4 for mAP lite assigned by the home router in wifi
  • Forward rules for all traffic according to https://wiki.mikrotik.com/wiki/Manual:I ... ernal_host :
    add action=dst-nat chain=dstnat dst-address=192.168.1.4 to-addresses=\
        192.168.88.252
    add action=src-nat chain=srcnat src-address=192.168.88.252 to-addresses=\
        192.168.1.4
    
  • wlan1 as WAN
  • A bridge with ether1 as LAN
The setup unfortunately works only partially.
When I try to print from another device, the printer either does not report back and I get a "print job failed" message, although the document was printed successfully, OR the printer goes into an infinite loop of printing the same thing over and over again.
The printer is unable to communicate back to the device that started the print job, so that it gets flooded with retries of the same print job over and over.

It seems that something is interfering with my src-nat rule, as the packet count on this one stays zero all the time.

I tried to disable all the defconf Filter Rules and replaced them with the rules suggested here:
viewtopic.php?t=81006#p463336

However, there are now a lot of packets dropped on the final rule, and the src-nat still does not work.

Help? :(

current config export compact:
/interface bridge
add admin-mac=<removed info> auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
    frequency=2462 installation=indoor ssid="<removed info>" \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] <removed info>
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wlan1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=wlan1
/ip dhcp-server lease
add address=192.168.88.252 mac-address=<removed info> server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
add chain=forward comment=outgoing in-interface=bridge out-interface=wlan1
add chain=forward comment=established connection-state=established in-interface=\
    wlan1 out-interface=bridge
add chain=forward comment=related connection-state=related in-interface=wlan1 \
    out-interface=bridge
add action=drop chain=forward comment="Drop the rest"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.1.4 to-addresses=\
    192.168.88.252
add action=src-nat chain=srcnat out-interface=wlan1 src-address=192.168.88.252 \
    to-addresses=192.168.1.4
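
A simplified model of how the enabled forward rules and the src-nat rule in the export above treat traffic, as an added example that is not part of the original post. The packets and the home-device address 192.168.1.20 are constructed, and the model assumes first-match filter chains and that NAT chains are consulted only for the first packet of a connection.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    in_if: str
    out_if: str
    state: str  # conntrack state: "new", "established" or "related"

# Enabled forward rules from the export, in order; an absent key matches anything.
FORWARD = [
    {"comment": "outgoing", "action": "accept",
     "in_if": "bridge", "out_if": "wlan1"},
    {"comment": "established", "action": "accept",
     "in_if": "wlan1", "out_if": "bridge", "state": "established"},
    {"comment": "related", "action": "accept",
     "in_if": "wlan1", "out_if": "bridge", "state": "related"},
    {"comment": "Drop the rest", "action": "drop"},
]
# Matchers of the enabled srcnat rule from the export.
SRCNAT = {"src": "192.168.88.252", "out_if": "wlan1"}

def matches(rule, pkt):
    """A rule matches when every matcher it sets equals the packet's field."""
    return all(getattr(pkt, key) == value for key, value in rule.items()
               if key not in ("comment", "action"))

def forward_verdict(pkt):
    """First matching rule decides, as in a filter chain."""
    for rule in FORWARD:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "end of chain"

def srcnat_hits(packets):
    """Count srcnat rule hits: only 'new' packets ever reach the NAT chain;
    later packets reuse the translation stored by connection tracking."""
    return sum(1 for p in packets if p.state == "new" and matches(SRCNAT, p))

# Constructed packets, shown as they look after dst-nat has been applied.
job_start = Packet("192.168.1.20", "wlan1", "bridge", "new")
printer_reply = Packet("192.168.88.252", "bridge", "wlan1", "established")
printer_initiated = Packet("192.168.88.252", "bridge", "wlan1", "new")

if __name__ == "__main__":
    for name, pkt in [("job_start", job_start), ("printer_reply", printer_reply)]:
        print(name, forward_verdict(pkt))
    print("srcnat hits:", srcnat_hits([job_start, printer_reply]))
```

In this model a new connection arriving on wlan1 matches none of the accept rules and reaches "Drop the rest", and the src-nat counter only increases for connections the printer itself opens.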
 
Ca6ko
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: mAp lite setup problem

Thu Jun 02, 2022 9:40 am

1. Reset the mAP lite to factory settings.
2. Go to quick settings and apply the settings in the figure: select your network, enter the password and, moving the device as close as possible to the router, achieve a signal of -60 or better, as I have -40.
Screenshot_2.jpg
3. Open the wireless tab and apply the settings like in the picture.
Screenshot_3.jpg
After this, everything should work.
 
rookoola
just joined
Topic Author
Posts: 3
Joined: Wed Jun 01, 2022 4:01 pm

Re: mAp lite setup problem

Thu Jun 02, 2022 12:19 pm

As I already said in my initial post:
I already had this somewhat working in station-pseudobridge mode, but the connection was very unstable and it was interfering with other wifi devices, I presume because my home router is not a MikroTik device. One time the printer started to print a job that was started 7 days (!) ago. The station-pseudobridge mode is not usable in this way. That is why I tried to set it up in a non-bridge mode.
 
Ca6ko
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: mAp lite setup problem

Thu Jun 02, 2022 4:15 pm

moving the device as close as possible to the router achieve a signal -60
At what wifi signal level is the mAP lite connected to the router?
Only a computer can store a week's worth of print jobs.
 
rookoola
just joined
Topic Author
Posts: 3
Joined: Wed Jun 01, 2022 4:01 pm

Re: mAp lite setup problem

Thu Jun 02, 2022 4:41 pm

Signal strength is around -50.

Regarding the "printed after 7 days in pseudobridge mode": The computer retried to print, until it got the successful connection to the printer - which is why I do not want the pseudobridge-station mode any more, when establishing the connection is so unstable in my environment. I cannot move around devices, especially not the printer with the mAP lite attached to it.

In the current config the print jobs start immediately after being triggered by a computer. I understood that generally L3 routing is preferable over L2 bridging, if possible. So the only thing I need now is the src-nat to be working, so that my devices know that the print job was delivered successfully and stop resending for infinite printing (device 1), or giving me error messages that "print job was not successful", although everything was printed just fine (device 2).

Why would I not keep the current mode and make the src-nat work?
I see no good point in going back to pseudobridge mode instead of making the current setup work. Or is there a reason why it should not work with NAT?
 
holvoetn
Forum Guru
Posts: 5480
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: mAp lite setup problem

Thu Jun 02, 2022 11:27 pm

I have a similar setup like that for a client's location (waiting already for 3 months for an electrician to pull an ethernet cable to the printer, other story ...).
It's configured with ... pseudo-station bridge.

Printouts are available within 15 seconds. Not days :lol:
Signal strength at 57db.
But in my case printer and mAP Lite are in the same subnet as the clients they serve.

Yet ... I have zero zip nada src-nat rules.
Why would that be needed ? Simple firewall rules should suffice, I think ?

Simple test: try to reach the web page for that printer. If that fails, your config is not ok.
 
holvoetn
Forum Guru
Posts: 5480
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: mAp lite setup problem

Thu Jun 02, 2022 11:36 pm

Other question:
why is the printer in another subnet ?
You're "printing" to the address of map Lite and translating it to another subnet ?
Keep the same subnet then for the printer as well, a lot easier.
And configure your map Lite as a simple bridge with all interfaces on LAN, no firewall nor nat rules needed. It is part of a trusted network behind a firewall, no ?

My view.
 
Ca6ko
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: mAp lite setup problem

Fri Jun 03, 2022 9:07 am

If you have only one device for Map Lite, then turn on station mode. My past recommendations, without point 3. In this mode, all devices connected by wire to the Map Lite will be visible in the network with the MAC address of the Map Lite. If there is only one device, it is not a problem.
If you want to experiment with your settings, the first thing to do is to disable all firewall rules.
