Network Hardware:
ARRIS NVG589 Modem/Gateway
Mikrotik RB3011UIAS
Mikrotik hAP ac3
Primary computer for config:
Ubuntu laptop with QHD display - important to note because winbox is painful to use with Wine as I can't zoom in on the super tiny text, making webfig the preferred option (contrary to the pervasive ethos of oldtimers on this board based on my reading)
Network Topology:
I have positioned the RB3011 to act as my primary router. The hAP is acting solely as an AP (overkill I know, but I will likely want to use the hAP elsewhere later with a cheaper Gb AP in this position).
[W. Users] [Wless Users]
| |
[Internet]--[Arris]--[RB3011]--[hAP]--[IOT devices]
| | | |
[DNS/URL] [Pihole] |
[Server]
Q1: Address Collision - [FIXED]
Since I have both the RB3011 and the hAP which default to 192.168.88.1, what is the proper way to resolve this address collision? I've already discovered how to change the default IP of Mikrotik devices through the quickset basics, but which one should I change, the AP or the Router? What is the numbering convention I should use here? I've seen some posts where the router uses something like 10.0.0.x. Is that what people usually do?
Is Bridge mode on the hAP good enough for now? If so, how will I access the hAP to change it to router mode later?
Q2: Inaccessible Webfig - [FIXED]
When I first tested the collision avoidance from Q1 with the two Mikrotik devices on my network, I suddenly found that I could not access webfig! This persisted after I disconnected one device and only connected through the other on both devices. I cannot connect to it from any computer on the network either. I can still connect to the device through ssh and winbox using both MAC addresses and the default IP. Chromium gives me Err timeout and Firefox gives me temporarily unavailable errors. What gives?
Q3: Hairpin NAT - [FIXED]
If my reading is correct, I think I need a hairpin NAT for the server because I want to access the server from inside and outside the network. For my server which has a static lease at 192.168.88.140 on my firewall, I have added:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Internal Chain" \
dst-port=80 protocol=tcp src-port="" to-addresses=192.168.88.140
/ip firewall filter
add action=accept chain=forward comment=External dst-address=\
192.168.88.140 dst-port=80 in-interface=ether1 protocol=tcp
Q4: Mismatch Port Routing - [FIXED]
I want to open another port externally to access ssh on my server. Obviously, I want to keep blocking external ssh on my router. So I want to point anything coming from some nonsense port like 66622 at port 22 on the target server. How would I do that in RouterOS? Is there a more correct term I need to use to google that myself?
EDITS:
Applied [FIXED] tag to Q2, see post 2 in this thread.
Applied [FIXED] tag to Q1, see post 3 in this thread.
Applied [FIXED] tag to Q3 and Q4, see posts #16 and #13, respectively, in this thread for details of the fix.
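
An added RouterOS example, not taken from this post or from the fixes in posts #13 and #16, showing how the hairpin NAT of Q3 and the port translation of Q4 fit together on the RB3011. Assumptions: ether1 holds the public address (the Arris passes it through), 203.0.113.10 is a placeholder for that address, the LAN is 192.168.88.0/24, and 62222 is a constructed external port, because TCP ports stop at 65535 and 66622 cannot be matched.

```routeros
# Added example. 203.0.113.10 is a placeholder WAN address (documentation range);
# 62222 is a constructed external port.

/ip firewall nat
# Q3: forward HTTP. Matching on dst-address instead of in-interface lets the
# same rule fire for LAN clients that browse to the public address.
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 \
    dst-port=80 to-addresses=192.168.88.140 to-ports=80 \
    comment="HTTP to server"

# Q4: port translation. External 62222 is rewritten to port 22 on the server.
# The router's own SSH service is untouched: this traffic is redirected before
# routing and never reaches the input chain.
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 \
    dst-port=62222 to-addresses=192.168.88.140 to-ports=22 \
    comment="SSH to server"

# Hairpin: when a LAN client reaches the server through the public address,
# rewrite the source to the router so the server replies via the router rather
# than straight to the client (which would drop the unexpected reply).
# srcnat runs after dst-nat, so dst-port here is the translated port.
add chain=srcnat action=masquerade protocol=tcp \
    src-address=192.168.88.0/24 dst-address=192.168.88.140 \
    dst-port=80,22 comment="Hairpin NAT"

/ip firewall filter
# Allow only connections that were actually dst-natted above; anything else
# arriving on ether1 for the server still falls through to the drop rule.
# This rule must sit above that drop rule in the forward chain.
add chain=forward action=accept protocol=tcp in-interface=ether1 \
    connection-nat-state=dstnat dst-address=192.168.88.140 \
    dst-port=80,22 comment="WAN to server, dst-natted only"
```

After applying, the packet counters on each rule in `/ip firewall nat print stats` show whether internal and external clients are hitting the rules you expect.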