dg3feh
Frequent Visitor
Topic Author
Posts: 68
Joined: Mon Jan 30, 2017 10:52 am

Guest-WLAN with dedicated AP - how to reach WAN?

Mon Feb 13, 2017 3:51 pm

Hello!

I run two MikroTik devices:
- Cloudswitch CRS125-24-1S
- Access point wAP ac

The private (W)LAN is 192.168.51.0/24 and the guest WLAN is 192.168.52.0/24. The private LAN incl. WLAN works fine. I set up the WLANs for the guest WLAN as virtual APs, put them in a new bridge interface and defined a new DHCP server on the AP. So I get a guest IP address on a client, but I have no idea how to pass the traffic to the WAN interface on the cloudswitch. All tutorials I found on the net deal with built-in APs, and there the WAN interface is in the list. The WAN is a PPPoE interface on the cloudswitch. Maybe someone has a hint regarding a strategy!? ;)

BR Holger

Cloudswitch Conf:
[admin@Router-HH] > /export
# feb/13/2017 14:46:58 by RouterOS 6.38.1
# software id = D5X7-MT4X
#
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether10 ] master-port=ether1
set [ find default-name=ether11 ] master-port=ether1
set [ find default-name=ether12 ] master-port=ether1
set [ find default-name=ether13 ] master-port=ether1
set [ find default-name=ether14 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] master-port=ether1
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] name=ether23-MODEM
set [ find default-name=ether24 ] master-port=ether1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether23-MODEM \
    keepalive-timeout=disabled name=PPPoE-ALICE use-peer-dns=yes user=\
    04102981391
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.100
add name=dhcp-wired ranges=192.168.51.1-192.168.51.100
add name=dhcp-wlan ranges=192.168.51.100-192.168.51.200
/ip dhcp-server
add address-pool=dhcp-wired disabled=no interface=ether1 lease-time=2h name=\
    dhcp-local-wire
/ip settings
set accept-source-route=yes
/interface ethernet switch vlan
add vlan-id=7
/ip address
add address=192.168.51.254/24 interface=ether1 network=192.168.51.0
add address=192.168.50.1/24 interface=ether23-MODEM network=192.168.50.0
/ip dhcp-server network
add address=192.168.51.0/24 dns-server=192.168.51.254 gateway=192.168.51.254 \
    ntp-server=192.168.51.254
/ip dns
set allow-remote-requests=yes servers=213.73.91.35
/ip dns static
add address=192.168.51.230 name=server-hh ttl=0s
add address=192.168.51.245 name=VoIP-DECT ttl=0s
add address=192.168.51.246 name=VoIP-AB ttl=0s
/ip firewall address-list
add address=192.168.1.1-192.168.1.200 list=LAN
/ip firewall filter
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=\
    invalid
add action=drop chain=forward comment="Kaputte Pakete Drop\
    \n" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Bestehende und initierte Verbindungen OK" connection-state=\
    established,related
add action=accept chain=input comment=\
    "Bestehende und initierte Verbindungen OK" connection-state=\
    established,related
add action=accept chain=input comment="Forward auf Router" \
    connection-nat-state=dstnat connection-state=established,related,new \
    dst-address=192.168.51.254 dst-port=443 in-interface=PPPoE-ALICE protocol=\
    tcp
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.0.0 OK" \
    dst-address=192.168.50.0/24 src-address=192.168.51.0/24
add action=accept chain=input comment="von 192.168.0.0 -> 192.168.1.0 OK" \
    dst-address=192.168.51.0/24 src-address=192.168.50.0/24
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.1.0 OK" \
    dst-address=192.168.51.0/24 in-interface-list=all src-address=\
    192.168.51.0/24
add action=accept chain=input dst-address=192.168.50.0/24 src-address=\
    192.168.50.0/24
add action=drop chain=input comment="Der Rest geht in den Orkus...." \
    log-prefix=FW
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=\
    PPPoE-ALICE src-address=192.168.51.0/24
add action=masquerade chain=srcnat comment="Hairpin Server" dst-address=\
    192.168.51.230 dst-port=22,80,443 out-interface=ether1 out-interface-list=\
    all protocol=tcp src-address=192.168.51.0/24
add action=masquerade chain=srcnat comment="Hairpin Router" dst-address=\
    192.168.51.254 dst-port=444 out-interface=ether1 protocol=tcp src-address=\
    192.168.51.0/24
add action=dst-nat chain=dstnat comment="Port-forwarding HTTP zum Server" \
    dst-address=!192.168.51.254 dst-address-type=local dst-port=80 protocol=tcp \
    to-addresses=192.168.51.230 to-ports=80
add action=dst-nat chain=dstnat comment="Port-forwarding HTTPS zum Server" \
    dst-address=!192.168.51.254 dst-address-type=local dst-port=443 protocol=\
    tcp to-addresses=192.168.51.230 to-ports=443
add action=dst-nat chain=dstnat comment="Port-forwarding SSH auf Server" \
    dst-address=!192.168.51.254 dst-address-type=local dst-port=22 protocol=tcp \
    to-addresses=192.168.51.230 to-ports=22
add action=dst-nat chain=dstnat comment="Port-forwarding HTTPS auf Router" \
    dst-address-type=local dst-port=444 protocol=tcp to-addresses=\
    192.168.51.254 to-ports=443
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet address=192.168.51.0/24
set ftp address=192.168.51.0/24
set www address=192.168.51.0/24
set ssh port=222
set www-ssl address=0.0.0.0/0 certificate=mikrotik-https disabled=no
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Berlin
/system clock manual
set time-zone=+02:00
/system identity
set name=Router-HH
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.103
/system ntp server
set enabled=yes multicast=yes
/system scheduler
add interval=1m name=DynDNS-Strato on-event=dynDNS policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/30/2017 start-time=20:31:46
/system script
add name=dynDNS owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":gl\
    obal ddnsuser \"lange-online.net\"\
    \n:global ddnspass \"*********\"\
    \n:global theinterface \"PPPoE-ALICE\"\
    \n:global ddnshost hh.lange-online.net\
    \n:global ddnsserver dyndns.strato.com\
    \n:global protocol https\
    \n:global ipddns [:resolve \$ddnshost];\
    \n:global ipfresh [ /ip address get [/ip address find interface=\$theinterfa\
    ce ] address ]\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\
    \n   :log info (\"DynDNS: No ip address on \$theinterface .\")\
    \n} else={\
    \n   :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
    \n      :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
    \n    :set ipfresh [:pick \$ipfresh 0 \$i];\
    \n      } \
    \n}\
    \n \
    \n:if (\$ipddns != \$ipfresh) do={\
    \n    :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
    \n    :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
    \n   :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
    \n   :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcar\
    d=NOCHG&mx=NOCHG&backmx=NOCHG\"\
    \n   /tool fetch address=\$ddnsserver src-path=\$str mode=\$protocol user=\$\
    ddnsuser \\\
    \n         password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\
    \n    :delay 1\
    \n    :global str [/file find name=\"DynDNS.\$ddnshost\"];\
    \n    /file remove \$str\
    \n    :global ipddns \$ipfresh\
    \n  :log info \"DynDNS: IP updated to \$ipfresh!\"\
    \n    } else={\
    \n#     :log info \"DynDNS: dont need changes\";\
    \n    }\
    \n} "
/tool graphing interface
add interface=PPPoE-ALICE
[admin@Router-HH] > 
AP Conf:
[admin@MikroTik] > /export
# feb/13/2017 14:48:13 by RouterOS 6.38.1
# software id = 099D-CQGT
#
/interface bridge
add name=wlan-gast
add name=wlan-privat
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=privat supplicant-identity="" wpa2-pre-shared-key=\
    ***********
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=gast supplicant-identity="" wpa2-pre-shared-key=\
    ***********
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC disabled=no frequency=2452 mode=ap-bridge name=wlan-2.4GHz security-profile=privat \
    ssid=Yachthafen-2.4GHz wds-mode=dynamic
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-eeeC disabled=no frequency=auto mode=ap-bridge name=wlan-5.0GHz security-profile=\
    privat ssid=Yachthafen-5.0GHz wds-mode=dynamic
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:87:84:B8 master-interface=wlan-2.4GHz mode=ap-bridge multicast-buffering=disabled name=\
    wlan-gast-2.4GHz security-profile=gast ssid=Gasthafen-2.4GHz wds-cost-range=0 wds-default-bridge=wlan-gast wds-default-cost=0 wds-mode=dynamic wps-mode=\
    disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:87:84:B7 master-interface=wlan-5.0GHz mode=ap-bridge \
    multicast-buffering=disabled name=wlan-gast-5.0GHz security-profile=gast ssid=Gasthafen-5.0GHz wds-cost-range=0 wds-default-bridge=wlan-gast \
    wds-default-cost=0 wds-mode=dynamic wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool-gast ranges=192.168.52.1-192.168.52.200
/ip dhcp-server
add address-pool=pool-gast disabled=no interface=wlan-gast lease-time=1m name=dhcp-gast
/interface bridge port
add bridge=wlan-privat interface=ether1
add bridge=wlan-privat interface=wlan-2.4GHz
add bridge=wlan-privat interface=wlan-5.0GHz
add bridge=wlan-gast interface=wlan-gast-2.4GHz
add bridge=wlan-gast interface=wlan-gast-5.0GHz
/ip address
add address=192.168.51.253/24 interface=ether1 network=192.168.51.0
add address=192.168.52.254/24 interface=wlan-gast network=192.168.52.0
/system clock
set time-zone-name=Europe/Berlin
/system leds
set 0 interface=wlan-2.4GHz
set 1 interface=wlan-5.0GHz
/system ntp client
set enabled=yes primary-ntp=192.168.51.254
[admin@MikroTik] > 
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Guest-WLAN with dedicated AP - how to reach WAN?

Tue Feb 14, 2017 1:49 am

As usual, there are different ways. You've got routers, just let them do their job. Add a route to the guest subnet on the CRS and it should get you internet access for guests:
/ip route
add dst-address=192.168.52.0/24 gateway=192.168.51.253
Then block access from the guest interface to the main subnet on the AP:
/ip firewall filter
add action=reject chain=forward dst-address=192.168.51.0/24 in-interface=wlan-gast reject-with=icmp-admin-prohibited
The other way is to move all IP config to the CRS and use VLAN. That means adding a VLAN interface to the CRS's ether1 and moving the whole 192.168.51.0/24 subnet and its DHCP server there. And then on the AP you'd use one of the following:

a) add a VLAN interface to wlan-privat and then add this VLAN interface to wlan-gast
b) bridge all interfaces using one common bridge and separate the wlan-gast-*GHz ones from the others using vlan-mode=use-tag vlan-id=X on them, to make them work as untagged access ports

Finally, add a bridge filter to prevent tagged packets from going to the other wlan-*GHz interfaces. The AP does not require any address from the 192.168.52.0/24 subnet for itself.
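The routed approach from the answer above, worked out for both devices as an added example; these are not commands from the thread. It takes interface names, addresses and the resolver 213.73.91.35 from the two exports and adds what they do not show: the CRS masquerade rule only matches 192.168.51.0/24, its forward chain has no final drop, and the AP export has neither a default route nor a /ip dhcp-server network entry for the guest pool.

```routeros
# --- CRS (Router-HH): route and NAT for the guest subnet ---
/ip route
# 192.168.52.0/24 sits behind the AP's private-side address 192.168.51.253
add dst-address=192.168.52.0/24 gateway=192.168.51.253 comment="Gast via AP"
/ip firewall nat
# The existing masquerade rule matches src-address=192.168.51.0/24 only,
# so guest packets would leave PPPoE-ALICE un-NATed without this one
add chain=srcnat action=masquerade src-address=192.168.52.0/24 \
    out-interface=PPPoE-ALICE comment="Maskierung Gast"
/ip firewall filter
# Defence in depth: the forward chain has no final drop, so a guest->LAN drop
# appended here still catches new connections if the AP rule is ever lost.
# Also keep guests out of the modem network 192.168.50.0/24.
add chain=forward action=drop src-address=192.168.52.0/24 \
    dst-address=192.168.51.0/24 comment="Gast -> LAN blockieren"
add chain=forward action=drop src-address=192.168.52.0/24 \
    dst-address=192.168.50.0/24 comment="Gast -> Modem blockieren"

# --- AP: default route, DHCP options, and protection of the AP itself ---
/ip route
# The AP export has no default route; without it forwarded guest packets
# have nowhere to go after leaving wlan-gast
add dst-address=0.0.0.0/0 gateway=192.168.51.254
/ip dhcp-server network
# Gateway is the AP; DNS must lie outside 192.168.51.0/24 because the AP
# rejects guest traffic to that subnet (resolver taken from the CRS config)
add address=192.168.52.0/24 gateway=192.168.52.254 dns-server=213.73.91.35
/ip firewall filter
# The reject rule from the answer: guests cannot reach the private LAN
add chain=forward action=reject in-interface=wlan-gast \
    dst-address=192.168.51.0/24 reject-with=icmp-admin-prohibited
# Guests may only send DHCP to the AP itself; no Winbox/SSH/web from the
# guest side (the accept is harmless if DHCP bypasses the IP firewall)
add chain=input action=accept in-interface=wlan-gast protocol=udp dst-port=67
add chain=input action=drop in-interface=wlan-gast comment="Gast -> AP sperren"
```

After applying, check from a guest client that 192.168.51.254 and 192.168.52.254 are unreachable except for the DHCP lease, while a public address still answers.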