ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

routing internet without static rules

Fri Apr 19, 2019 1:10 pm

Is it possible to set up a mikrotik router in such a way that network 192.168.1.1/24 runs a DHCP server and then, by physically connecting the mikrotik router to a DSL modem (from the ISP) that probably runs a different network (let’s call it 192.168.0.1/24), have the mikrotik router automatically receive internet without any static routes?

What I am looking to do is set up a mikrotik router with DHCP, VPN rules and a Wi-Fi AP station (let’s call it “VPNWIFI”), go to a friend’s house, physically connect the mikrotik router to the DSL modem, and have a device, e.g. PHONE1, connected to VPNWIFI. I am looking for the phone to be able to receive Internet access without setting up anything at all in the friend’s router.


Your insight will be much appreciated!
 
tdw
Forum Guru
Posts: 2043
Joined: Sat May 05, 2018 11:55 am

Re: routing internet without static rules

Fri Apr 19, 2019 1:45 pm

If the "WAN" on your Mikrotik is configured with a DHCP client it will obtain an ISP address from the ISP DSL router, and devices on your "LAN" will be able to access the internet.

I would pick something other than 192.168.1.x for your LAN IP range as both 192.168.0.x and 192.168.1.x are commonly used by ISPs, and you must have different subnets for "WAN" and "LAN".

Your Mikrotik would be able to establish a VPN which connects out to a server somewhere else in order to tunnel traffic back to your Mikrotik, but you cannot make direct incoming connections Internet -> ISP DSL router -> Your Mikrotik without configuring port forwards, and having a public IP address, on the ISP DSL router.
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: routing internet without static rules

Fri Apr 19, 2019 2:47 pm

Thank you TDW

Ok so please advise if I got it right: I set up a client DHCP on ethernet 1 (where I physically connect the DSL modem). I then create a bridge for ports 2,3,4,5 and VPN wifi. Then in addresses I hand out 190.168.0.1/24 for ethernet 1 and 190.168.1.1/24 to bridge. I arrange on the LAN side DHCP server and pools and I create a static route 0.0.0.0/0 through 190.168.0.1/24.

Do I need to create a NAT rule / masquerade on ethernet 1?

Also why do I need to set up port forwarding (if I do not wish to forward any ports)? I mean shouldn’t the above setup allow PHONE 1 that will be connected on VPNWIFI access internet?

P.S. DSL modems usually have some sort of firewall enabled in the sense that ports are closed by default, mikrotik routers work opposite as that everything is open and you need to setup firewall rules. I would like to have the DSL modem block malicious traffic or other threats. Is this possible?


Thanks in advance !
 
tdw
Forum Guru
Posts: 2043
Joined: Sat May 05, 2018 11:55 am

Re: routing internet without static rules

Fri Apr 19, 2019 7:58 pm

> Ok so please advise if I got it right: I set up a client DHCP on ethernet 1 (where I physically connect the DSL modem). I then create a bridge for ports 2,3,4,5 and VPN wifi. Then in addresses I hand out 190.168.0.1/24 for ethernet 1 and 190.168.1.1/24 to bridge. I arrange on the LAN side DHCP server and pools and I create a static route 0.0.0.0/0 through 190.168.0.1/24.

Almost. Do not manually assign an address for ethernet 1 or create a default static route - the DHCP client will do both of these automatically.

> Do I need to create a NAT rule / masquerade on ethernet 1?

Yes.

> Also why do I need to set up port forwarding (if I do not wish to forward any ports)? I mean shouldn’t the above setup allow PHONE 1 that will be connected on VPNWIFI access internet?

You only need port forwarding if you want to connect to devices on the Mikrotik LAN from the internet. Connections from devices to the internet do not require any.

> P.S. DSL modems usually have some sort of firewall enabled in the sense that ports are closed by default, mikrotik routers work opposite as that everything is open and you need to setup firewall rules. I would like to have the DSL modem block malicious traffic or other threats. Is this possible?

Any existing firewalling on the ISP's device will be unchanged, so there will be no access to the Mikrotik from the internet. Any existing devices on the 192.168.0.x network will be able to access the Mikrotik.

It may be best to start with the default configuration (as described here https://wiki.mikrotik.com/wiki/Manual:D ... #AP_Router) and adjust it as required.
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: routing internet without static rules

Sat Apr 20, 2019 5:43 am

I see, I read the basic set up instructions but if I may, how will devices on the LAN side have access to the internet without a static rule 0.0.0.0/0 to Ethernet 1 (WAN port)? Ethernet 1 and bridge will be different sub-nets, isn't that right?
 
mkx
Forum Guru
Posts: 13031
Joined: Thu Mar 03, 2016 10:23 pm

Re: routing internet without static rules

Sat Apr 20, 2019 10:21 am

As already said: the DHCP client, run on ether1, will set things up dynamically after receiving proper data (along with the IP address for that interface, also the gateway address, which gets used to set up the default route).
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: routing internet without static rules

Sat Apr 20, 2019 3:45 pm

Well understood, now would this be possible to accomplish over Wi-Fi in the sense that the router will connect to an access point in the house and then the router operate a DHCP server (on a virtual AP?) for devices to connect? In other words would it be possible for the router's Wi-Fi to replace the Ethernet 1 / DHCP client set up by connecting to an AP and operate as an AP as well?
 
tdw
Forum Guru
Posts: 2043
Joined: Sat May 05, 2018 11:55 am

Re: routing internet without static rules

Sat Apr 20, 2019 6:00 pm

Yes, but with restrictions - the throughput will be less (it can't receive and transmit at the same time), and will require manual configuration to connect to the host WiFi (SSID and passphrase).

Most importantly, the WLAN interface must be the station so it can scan for the host WiFi and set the channel in use, the access point must be a virtual interface. I'm not sure if the slave interface will operate before the station has connected, so you may need to configure using an ethernet connection to the Mikrotik, or what happens if the host WiFi changes channel.
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: routing internet without static rules

Mon Apr 22, 2019 2:35 pm

Got it!

So would this scenario work in your opinion? I get 2 x mAP lite and I connect them with a network cable, I then program unit A to be a client to search for Wi-Fi networks and unit B to be an AP station for my devices to be able to connect to. I log in to unit A and set SSID and password, then unit A is connected to my friend's AP. How do I then pass internet to unit B? I suppose I need a static rule, right? For the sake of easiness let's assume that my friend's Wi-Fi runs a DHCP server 192.168.1.1/24 (which I have no way of knowing), after my unit A gets connected to that AP it will acquire 192.168.1.2, now let's assume that the ethernet port of Unit A is set as 190.168.1.1 and unit B's WIFI and ethernet is bridged as 190.168.1.2 (let's call it VPNWIFI). How do I allow PHONE1 which will be connected on "VPNWIFI" and have acquired address 190.168.1.3 from unit B's DHCP server (the only DHCP server running in 190.168.1.2/24) to access the Internet? If possible I am looking to have set up the 2 x mAP lite in such a way that except entering SSID and password in unit A no other programming will be required on site to have PHONE1 receive internet from friend's AP?
 
tdw
Forum Guru
Posts: 2043
Joined: Sat May 05, 2018 11:55 am

Re: routing internet without static rules

Mon Apr 22, 2019 4:23 pm

Yes, although you should use private IP addresses internally, I'd suggest something like 192.168.99.x

For the first Mikrotik, wlan1 operating as a station with a DHCP client to pick up an IP and gateway from the host, ether1 with IP 192.168.99.1 and DHCP server, DNS proxy and NAT for your devices
```
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto ssid=HOSTSSID wireless-protocol=802.11 wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=HOSTPASSWORD
/ip pool
add name=dhcp ranges=192.168.99.100-192.168.99.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether1 name=dhcp1
/ip address
add address=192.168.99.1/24 interface=ether1 network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=wlan1
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wlan1
```

For the second Mikrotik, wlan1 operating as an AP, a bridge for ether1 and wlan1 with static IP, default route and DNS provided by first Mikrotik (only needed for this Mikrotik to access the internet)
```
/interface bridge
add name=bridge protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MYSSID wireless-protocol=802.11 wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=MYPASSWORD
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.99.2/24 interface=bridge network=192.168.99.0
/ip dns
set servers=192.168.99.1
/ip route
add distance=1 gateway=192.168.99.1
```

These are not full configs, firewalling on the first Mikrotik would be good, but gives you the idea of what is needed.
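
The firewalling that the post above says the first MikroTik still needs, sketched as an added example (not part of the original post and not tdw's configuration). It assumes the first unit's firewall filter table is empty, a RouterOS 6 release with interface lists, and the list names WAN and LAN, which are this example's choice; wlan1 and ether1 are the interfaces from the config above.

```routeros
# Added example: minimal firewall for the FIRST MikroTik.
# wlan1 = station on the host WiFi (untrusted), ether1 = own devices (trusted).
/interface list
add name=WAN comment="untrusted: host network"
add name=LAN comment="trusted: own devices"
/interface list member
add list=WAN interface=wlan1
add list=LAN interface=ether1

/ip firewall filter
# input chain: traffic addressed to the router itself. Rules match top-down.
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to traffic the router started (DHCP client, DNS lookups, VPN)"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ping"
# Without this rule, devices on the host network can reach WinBox, SSH and the
# DNS proxy enabled by allow-remote-requests=yes.
add chain=input action=drop in-interface-list=!LAN \
    comment="drop everything else that does not arrive from LAN"

# forward chain: traffic routed between the host network and own devices.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="return traffic for connections opened from LAN"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="host network may not open connections towards LAN"

# Management plane: stop advertising and accepting layer-2 management on wlan1.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Turn off cleartext management services.
/ip service
disable telnet,ftp
```

The second MikroTik only bridges ether1 and wlan1, so these rules are not needed there; its management address 192.168.99.2 sits behind the first unit's filter.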
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: routing internet without static rules

Tue Apr 23, 2019 4:27 pm

Thank you TDW,

You Rock!
