How to transparant bridge a mikrotik AP
Hi, i wish to set my RB532 (1 eth + 1 wlan) as an outdoor AP for my client. I have set it using bridge and it works, it could pass my client traffic to my mikrotik router (another mikrotik work as a main router). But when i use torch on my main router, what i see is the ip of my mikrotik AP, but not the ip of my client. Anyone could send me a config example of how to set a transparant bridge on my AP? please help me. Thank you
Re: How to transparant bridge a mikrotik AP
check the manual section Bridge Interface Setup this work for me, bridge ether1 <-> wlanHi, i wish to set my RB532 (1 eth + 1 wlan) as an outdoor AP for my client. I have set it using bridge and it works, it could pass my client traffic to my mikrotik router (another mikrotik work as a main router). But when i use torch on my main router, what i see is the ip of my mikrotik AP, but not the ip of my client. Anyone could send me a config example of how to set a transparant bridge on my AP? please help me. Thank you
I hope, this one is suitable for you:
http://www.mikrotik.com/docs/ros/2.8/ho ... nt#12.2.12
Syntax may differ in 2.9 version.
http://www.mikrotik.com/docs/ros/2.8/ho ... nt#12.2.12
Syntax may differ in 2.9 version.
I have set the config as followed :
IP
0 192.168.0.1/24 192.168.0.0 192.168.0.255 ether1
1 X 10.0.19.30/19 10.0.0.0 10.0.31.255 wlan1
2 192.168.1.1/24 192.168.1.0 192.168.1.255 ether3
3 10.0.19.30/19 10.0.0.0 10.0.31.255 ether1
4 10.0.19.29/19 10.0.0.0 10.0.31.255 bridge1
Bridge
0 ether1 bridge1 128 10
1 ether2 none 128 10
2 ether3 none 128 10
3 wlan1 bridge1 128 10
Firewall NAT
0 ;;; masquerade hotspot network
chain=srcnat src-address=10.0.0.0/19 action=masquerade
My network scheme is like this :
Main Mikrotik Router (10.0.0.1/19) <--> Outdoor RB532 AP (10.0.19.30/19) <--wirelessly--> CPE (smartbridges, 10.0.19.9/19) <--> Client Router (10.0.0.2/19)
All the device could ping each other. When i use torch on my RB532 wlan1, i could see that 10.0.0.2 are accessing and the address could be seen there, but when i torch on main mikrotik router 10.0.0.1, i could only see the RB532 (10.0.19.30) are accessing but not 10.0.0.2 are accessing. What i wish to do is i could see 10.0.0.2 are accessing but not the 10.0.19.30.
But there're something are weird with my RB532. When some of my client (10.10.1.2/19) whose address is not in the subnet of RB532, i could see their traffic on my main mikrotik router, but not the ip of RB532.
Hope i have make myself clear about my configuration. Could someone please help me with this?
IP
0 192.168.0.1/24 192.168.0.0 192.168.0.255 ether1
1 X 10.0.19.30/19 10.0.0.0 10.0.31.255 wlan1
2 192.168.1.1/24 192.168.1.0 192.168.1.255 ether3
3 10.0.19.30/19 10.0.0.0 10.0.31.255 ether1
4 10.0.19.29/19 10.0.0.0 10.0.31.255 bridge1
Bridge
0 ether1 bridge1 128 10
1 ether2 none 128 10
2 ether3 none 128 10
3 wlan1 bridge1 128 10
Firewall NAT
0 ;;; masquerade hotspot network
chain=srcnat src-address=10.0.0.0/19 action=masquerade
My network scheme is like this :
Main Mikrotik Router (10.0.0.1/19) <--> Outdoor RB532 AP (10.0.19.30/19) <--wirelessly--> CPE (smartbridges, 10.0.19.9/19) <--> Client Router (10.0.0.2/19)
All the device could ping each other. When i use torch on my RB532 wlan1, i could see that 10.0.0.2 are accessing and the address could be seen there, but when i torch on main mikrotik router 10.0.0.1, i could only see the RB532 (10.0.19.30) are accessing but not 10.0.0.2 are accessing. What i wish to do is i could see 10.0.0.2 are accessing but not the 10.0.19.30.
But there're something are weird with my RB532. When some of my client (10.10.1.2/19) whose address is not in the subnet of RB532, i could see their traffic on my main mikrotik router, but not the ip of RB532.
Hope i have make myself clear about my configuration. Could someone please help me with this?
Some more question I should have asked before. Sorry!!
The reason that you are seeing the AP ip address is because of the masq. rule.
You cannot nat and bridge the same subnet at the same time.
Are you running a hotspot?
What is the gateway for the 10.0.0.2/19 network and where does it live?
On your main Mikrotik router?
What does ether3 go to? What is the 192.168.0.1/24 network on ether1 do?
I think I understand exactly what you want to do, but this information would be a great help in helping you.
Dan
The reason that you are seeing the AP ip address is because of the masq. rule.
You cannot nat and bridge the same subnet at the same time.
Are you running a hotspot?
What is the gateway for the 10.0.0.2/19 network and where does it live?
On your main Mikrotik router?
What does ether3 go to? What is the 192.168.0.1/24 network on ether1 do?
I think I understand exactly what you want to do, but this information would be a great help in helping you.
Dan
No, i am not running a hotspot. Can i just stop the masq rule? Will the bridge still work? I think the problem is the masq rule itself.
The default gateway for 10.0.0.2 is 10.0.0.1 and is located on main mikrotik router.
the 192.168.0.1 is a ip that i add on my RB532 so that when i have misconfigured it, i could still get into winbox from that ip. eth3 is no use, it comes with RB532 (factory setting).
The default gateway for 10.0.0.2 is 10.0.0.1 and is located on main mikrotik router.
the 192.168.0.1 is a ip that i add on my RB532 so that when i have misconfigured it, i could still get into winbox from that ip. eth3 is no use, it comes with RB532 (factory setting).
Ok,
Just remove all the ip addresses from all the interfaces except the bridge, and remove the masquerade rule. Then change the ip address on the bridge interface from .29 to .30.
This will give you an ip address on the bridge interface, that can be reached by either ether1 and wlan1. The masquerade rule is not needed. I would put some firewall rules in your main router's forward chain only allowing certain ip from getting to the management lan(10.0.0.0/19). That way your customers can't hack the ap and cpe's.
I would also recommened installing mikrotiks mac telnet program. If you ever screw up a configuration and loose tcp access. You can always use that to still connect.
http://www.mikrotik.com/download.html#neighbour_mac
Dan
Just remove all the ip addresses from all the interfaces except the bridge, and remove the masquerade rule. Then change the ip address on the bridge interface from .29 to .30.
This will give you an ip address on the bridge interface, that can be reached by either ether1 and wlan1. The masquerade rule is not needed. I would put some firewall rules in your main router's forward chain only allowing certain ip from getting to the management lan(10.0.0.0/19). That way your customers can't hack the ap and cpe's.
I would also recommened installing mikrotiks mac telnet program. If you ever screw up a configuration and loose tcp access. You can always use that to still connect.
http://www.mikrotik.com/download.html#neighbour_mac
Dan