r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 1:39 pm

I am a bit stuck. I am configuring hAPL - reset it twice already. I removed the wlan1 port from the bridge in order to be able to set up a DHCP server with a different IP address pool on wlan1.
My test client (Linux laptop) can connect to the AP and get the correct IP address, but it cannot ping anything except itself on its new address 192.168.99.200.
The router similarly cannot ping this address, but can ping itself on 192.168.99.1 (which the client can't ping). It seems I have some problem with DHCP server functionality since I removed the wlan1 port from the bridge, and now I seem to get the same problem with the wired connection on the other laptop too (it is connected via cable). How could I look for the error?
 
normis
MikroTik Support
Posts: 27061
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 1:42 pm

If you want to reach anything beyond the router without a bridge, you need NAT or routing. Normally SRC-NAT is used. Check in the firewall menu if you have any NAT rules; you need a SRCNAT rule with action "masquerade".
 
Steveocee
Forum Guru
Posts: 1199
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 1:45 pm

As Normis has mentioned, you will need a src-nat rule (copy the existing one and put your new range in), but also make sure you haven't made a mistake with the IP address on your new network. You MUST put the subnet after the IP address.

You could do an export hide-sensitive to help us see your config and what could be wrong.
 
r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 1:51 pm

Thanks. In the NAT section of the firewall I have these rules:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D chain=dstnat action=jump jump-target=hotspot hotspot=from-client 
 1  D chain=hotspot action=jump jump-target=pre-hotspot 
 2  D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53 
 3  D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53 
 4  D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80 
 5  D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443 
 6  D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth 
 7  D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth 
 8  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80 
 9  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128 
10  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080 
11  D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443 
12  D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 
13  D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http 
14  D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 
15 X  ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough 
16    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
but I am a bit worried because the other laptop connected via cable to ether3 cannot get its settings either - even though there I have the default DHCP server running on the bridge with the default address pool. It feels like I messed something up when configuring the DHCP server.
 
normis
MikroTik Support
Posts: 27061
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 1:55 pm

Check if your actual out interface is part of the WAN interface list.
 
r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 1:56 pm

Thanks, this is my config:
[admin@MikroTik] > export hide-sensitive
# aug/01/2018 11:54:28 by RouterOS 6.42.6
# software id = UNBA-EG2A
#
# model = RouterBOARD 941-2nD
# serial number = 8B1008CFA497
/interface bridge
add admin-mac=CC:2D:E0:7C:6B:31 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-7C6B35 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] dns-name=mt.lab.7 login-by=""
add dns-name=miktik.lab.7 hotspot-address=192.168.99.1 login-by=cookie,http-pap,mac-cookie name=hsprof1
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment="pool for wifi" name=wi-pool ranges=192.168.99.100-192.168.99.200
add name=dhcp_pool2 ranges=192.168.99.100-192.168.99.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=wlan1 name=dhcp1
/ip hotspot
add address-pool=dhcp_pool2 disabled=no idle-timeout=none interface=wlan1 name=server1 profile=hsprof1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.99.1 interface=wlan1 network=192.168.99.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server alert
add disabled=no interface=wlan1
/ip dhcp-server lease
add address=192.168.88.254 client-id=ff:4c:11:26:3c:0:2:0:0:ab:11:87:9d:4a:6b:fb:cf:f5:83 mac-address=54:EE:75:19:3B:94 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.88.254 name=nausicaa.lab.7
add address=192.168.88.254 name=nausicaa.lan
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes primary-ntp=178.79.160.57 secondary-ntp=109.74.206.120 server-dns-names=0.pool.ntp.org,1.pool.ntp.org
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 2:00 pm

I can see that I have not deleted the pool wi-pool, which is the same as dhcp_pool2, but I wouldn't think that should matter; I am not using wi-pool at all at the moment. Strange that in the DHCP server leases list I can see the wireless laptop has connected (but does not ping), and the wired laptop connecting to ether3 is in status "waiting" for a very long time.
I noted that the address for wlan1 in IP addresses was incorrectly written without a netmask, and I appended /24 to it. But the situation did not change.
 
r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 2:33 pm

I added wlan1 back to the bridge. What I got after a while was that the wifi laptop could get properly configured via DHCP and was able to ping and browse the internet. However, the strange problem with the other laptop that connects via ethernet remains - it cannot connect to the network. Maybe there is interference between the DHCP servers that run on different interfaces? Probably, because I re-added wlan1 to the bridge now, and its status is red again and tells me the DHCP server cannot be run on a slave interface.

OK, when I removed wlan1 again from the bridge the DHCP server statuses turned black and the ethernet-connected laptop could get its lease fine. The wifi-connected laptop, however, now says when pinging the router "Destination Net Prohibited" - could that be due to the firewall rejecting?

And latest update: it now started working fine. After connecting to the hotspot I was given a login page, and after I set up a user this started working. I just do not know why, and if this is going to happen again.
Last edited by r0berts on Wed Aug 01, 2018 2:43 pm, edited 1 time in total.
 
normis
MikroTik Support
Posts: 27061
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 2:40 pm

You can't ping the router, because the firewall drops everything not part of the LAN interface list (and inside you only have the bridge, but you removed your interface from there).
Try pinging mikrotik.com for example.
 
r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 2:48 pm

Thanks, that did not come to my mind. So the interface list defines which interfaces are in which firewall rule group? It seems that for the hotspot, pinging started working after I logged in via the browser, which would make sense. After I have logged in, the firewall rules change and I can browse anything, right?

My interface list currently is:
LAN - bridge (via defconf)
WAN - ether1 (via defconf as well)
So it would seem that wlan1 is neither here nor there, and when I was setting up the hotspot server the firewall rules were created automatically? Do I need to put wlan1 in any interface list?
 
normis
MikroTik Support
Posts: 27061
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Does wlan1 need to be part of bridge?  [SOLVED]

Wed Aug 01, 2018 2:51 pm

That is the point of hotspot: block access until you log in.
And yes, the filter rules use interface lists. You can see here:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
so it drops everything that tries to reach the router itself, IF NOT from the LAN interface list. So we check what that list is:
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
As you see, LAN contains only your bridge. Once you removed wlan1 from the bridge, it is no longer considered LAN, so it can't connect to the router itself.
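As an added illustration (not code from the thread or from MikroTik), the Python below models how the defconf input chain in the export above resolves interface lists: a bridge port is seen by the IP firewall as the bridge itself, so wlan1 outside the bridge and outside the LAN list falls through to the "drop all not coming from LAN" rule, while adding it to either one lets the traffic through. It assumes only the four input rules from the export, evaluated first-match, and ignores the hotspot's dynamic rules.

```python
# Added example: resolve RouterOS interface-list membership the way the
# defconf filter rules see it, then walk the input chain in export order.

# Constructed from the export in the thread.
BRIDGE_PORTS = {"ether2", "ether3", "ether4"}          # /interface bridge port
LIST_MEMBERS = {"LAN": {"bridge"}, "WAN": {"ether1"}}  # /interface list member

# Input-chain rules from the export, same order, as (matcher, action).
INPUT_CHAIN = [
    ({"connection-state": {"established", "related", "untracked"}}, "accept"),
    ({"connection-state": {"invalid"}}, "drop"),
    ({"protocol": {"icmp"}}, "accept"),
    ({"in-interface-list": "!LAN"}, "drop"),
]


def firewall_in_interface(iface, bridge_ports):
    """Traffic entering through a bridge port reaches the IP firewall as the bridge."""
    return "bridge" if iface in bridge_ports else iface


def in_list(iface, list_name, bridge_ports, members):
    """True if the interface (after bridge resolution) is a member of the list."""
    return firewall_in_interface(iface, bridge_ports) in members.get(list_name, set())


def rule_matches(matcher, pkt, bridge_ports, members):
    for key, want in matcher.items():
        if key == "in-interface-list":
            negate = want.startswith("!")          # "!LAN" means NOT in LAN
            hit = in_list(pkt["in-interface"], want.lstrip("!"), bridge_ports, members)
            if hit == negate:
                return False
        elif pkt.get(key) not in want:
            return False
    return True


def input_verdict(pkt, bridge_ports=BRIDGE_PORTS, members=LIST_MEMBERS):
    """First matching rule wins; reaching the end of the chain means accept."""
    for matcher, action in INPUT_CHAIN:
        if rule_matches(matcher, pkt, bridge_ports, members):
            return action
    return "accept"


if __name__ == "__main__":
    new_tcp = {"in-interface": "wlan1", "protocol": "tcp", "connection-state": "new"}
    print("wlan1 outside bridge and LAN list:", input_verdict(new_tcp))
    print("wlan1 added to LAN list:", input_verdict(
        new_tcp, members={"LAN": {"bridge", "wlan1"}, "WAN": {"ether1"}}))
```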
 
r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 3:09 pm

Thank you, this absolutely makes sense. So if I understand right, wlan1 in my setup should not be part of the LAN or WAN lists. You have been very helpful. Could you possibly have a look at my initial query and maybe you would have a suggestion for it? viewtopic.php?f=13&t=137445 where I placed a simple diagram. I think I am now able to comfortably achieve that a WiFi user can authenticate and then browse the internet; I would like to build on that so that a person, when they connect to wifi:

- is logged on automatically - perhaps just needs to press a button, not type in a password.
- automatically (if possible; if not, then a QR code will be provided) opens the survey page on my webserver running on the laptop

I suppose it might be achievable using dnat? Your comments would be much appreciated.
 
normis
MikroTik Support
Posts: 27061
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 3:16 pm

Once you add the wlan1 interface to the LAN interface list, you should be able to reach the router, and consequently also be able to open the Hotspot login page (it should pop open automatically if you browse to some non-https page like http://neverssl.com):
/interface list member add comment=something interface=wlan1 list=LAN
====

To make it log in automatically with no password, you can edit the hotspot login page and pre-fill some existing hotspot user details in the login form, then hide the form but leave the login button. So all you have on the login page is one button "LET ME BROWSE", and the actual login/password fields are hidden away. The user clicks the button he sees and is logged in.
 
r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: Does wlan1 need to be part of bridge?

Wed Aug 01, 2018 3:42 pm

Thanks, that is great. Yes, I definitely can edit the login page. All that remains to be resolved is how to convince Android and iOS users that the internet is OK when they connect to the portal, if I do not have working internet on the side of ether1 (e.g. as it might be after a lecture in a different place from).