Guest-WLAN with dedicated AP - how to reach WAN?
Posted: Mon Feb 13, 2017 3:51 pm
Hello!
I run two mikrotik devices:
- Cloudswitch CRS125-24-1S
- Access point wAP ac
The private (W)LAN is 192.168.51.0/24 and the guest WLAN is 192.168.52.0/24. The private LAN incl. WLAN works fine. I setup the WLANs for guest WLAN as virtual APs, put them in a new bridge interface and defined a new DHCP server on the AP. So I get on a client a guest IP address, but I have no idea how to pass the traffic to the WAN interface on the cloudswitch. All tutorials I found on the net deals with built in APs and there the WAN interface is in list. The WAN is a PPPoE Interface on the cloudswitch. May be some has a hint regarding a strategy!?
BR Holger
Cloudswitch Conf:
AP Conf
I run two mikrotik devices:
- Cloudswitch CRS125-24-1S
- Access point wAP ac
The private (W)LAN is 192.168.51.0/24 and the guest WLAN is 192.168.52.0/24. The private LAN incl. WLAN works fine. I setup the WLANs for guest WLAN as virtual APs, put them in a new bridge interface and defined a new DHCP server on the AP. So I get on a client a guest IP address, but I have no idea how to pass the traffic to the WAN interface on the cloudswitch. All tutorials I found on the net deals with built in APs and there the WAN interface is in list. The WAN is a PPPoE Interface on the cloudswitch. May be some has a hint regarding a strategy!?
BR Holger
Cloudswitch Conf:
Code: Select all
[admin@Router-HH] > /export
# feb/13/2017 14:46:58 by RouterOS 6.38.1
# software id = D5X7-MT4X
#
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether10 ] master-port=ether1
set [ find default-name=ether11 ] master-port=ether1
set [ find default-name=ether12 ] master-port=ether1
set [ find default-name=ether13 ] master-port=ether1
set [ find default-name=ether14 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] master-port=ether1
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] name=ether23-MODEM
set [ find default-name=ether24 ] master-port=ether1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether23-MODEM \
keepalive-timeout=disabled name=PPPoE-ALICE use-peer-dns=yes user=\
04102981391
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.100
add name=dhcp-wired ranges=192.168.51.1-192.168.51.100
add name=dhcp-wlan ranges=192.168.51.100-192.168.51.200
/ip dhcp-server
add address-pool=dhcp-wired disabled=no interface=ether1 lease-time=2h name=\
dhcp-local-wire
/ip settings
set accept-source-route=yes
/interface ethernet switch vlan
add vlan-id=7
/ip address
add address=192.168.51.254/24 interface=ether1 network=192.168.51.0
add address=192.168.50.1/24 interface=ether23-MODEM network=192.168.50.0
/ip dhcp-server network
add address=192.168.51.0/24 dns-server=192.168.51.254 gateway=192.168.51.254 \
ntp-server=192.168.51.254
/ip dns
set allow-remote-requests=yes servers=213.73.91.35
/ip dns static
add address=192.168.51.230 name=server-hh ttl=0s
add address=192.168.51.245 name=VoIP-DECT ttl=0s
add address=192.168.51.246 name=VoIP-AB ttl=0s
/ip firewall address-list
add address=192.168.1.1-192.168.1.200 list=LAN
/ip firewall filter
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=\
invalid
add action=drop chain=forward comment="Kaputte Pakete Drop\
\n" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=\
established,related
add action=accept chain=forward comment=\
"Bestehende und initierte Verbindungen OK" connection-state=\
established,related
add action=accept chain=input comment=\
"Bestehende und initierte Verbindungen OK" connection-state=\
established,related
add action=accept chain=input comment="Forward auf Router" \
connection-nat-state=dstnat connection-state=established,related,new \
dst-address=192.168.51.254 dst-port=443 in-interface=PPPoE-ALICE protocol=\
tcp
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.0.0 OK" \
dst-address=192.168.50.0/24 src-address=192.168.51.0/24
add action=accept chain=input comment="von 192.168.0.0 -> 192.168.1.0 OK" \
dst-address=192.168.51.0/24 src-address=192.168.50.0/24
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.1.0 OK" \
dst-address=192.168.51.0/24 in-interface-list=all src-address=\
192.168.51.0/24
add action=accept chain=input dst-address=192.168.50.0/24 src-address=\
192.168.50.0/24
add action=drop chain=input comment="Der Rest geht in den Orkus...." \
log-prefix=FW
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=\
PPPoE-ALICE src-address=192.168.51.0/24
add action=masquerade chain=srcnat comment="Hairpin Server" dst-address=\
192.168.51.230 dst-port=22,80,443 out-interface=ether1 out-interface-list=\
all protocol=tcp src-address=192.168.51.0/24
add action=masquerade chain=srcnat comment="Hairpin Router" dst-address=\
192.168.51.254 dst-port=444 out-interface=ether1 protocol=tcp src-address=\
192.168.51.0/24
add action=dst-nat chain=dstnat comment="Port-forwarding HTTP zum Server" \
dst-address=!192.168.51.254 dst-address-type=local dst-port=80 protocol=tcp \
to-addresses=192.168.51.230 to-ports=80
add action=dst-nat chain=dstnat comment="Port-forwarding HTTPS zum Server" \
dst-address=!192.168.51.254 dst-address-type=local dst-port=443 protocol=\
tcp to-addresses=192.168.51.230 to-ports=443
add action=dst-nat chain=dstnat comment="Port-forwarding SSH auf Server" \
dst-address=!192.168.51.254 dst-address-type=local dst-port=22 protocol=tcp \
to-addresses=192.168.51.230 to-ports=22
add action=dst-nat chain=dstnat comment="Port-forwarding HTTPS auf Router" \
dst-address-type=local dst-port=444 protocol=tcp to-addresses=\
192.168.51.254 to-ports=443
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet address=192.168.51.0/24
set ftp address=192.168.51.0/24
set www address=192.168.51.0/24
set ssh port=222
set www-ssl address=0.0.0.0/0 certificate=mikrotik-https disabled=no
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Berlin
/system clock manual
set time-zone=+02:00
/system identity
set name=Router-HH
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.103
/system ntp server
set enabled=yes multicast=yes
/system scheduler
add interval=1m name=DynDNS-Strato on-event=dynDNS policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/30/2017 start-time=20:31:46
/system script
add name=dynDNS owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":gl\
obal ddnsuser \"lange-online.net\"\
\n:global ddnspass \"*********\"\
\n:global theinterface \"PPPoE-ALICE\"\
\n:global ddnshost hh.lange-online.net\
\n:global ddnsserver dyndns.strato.com\
\n:global protocol https\
\n:global ipddns [:resolve \$ddnshost];\
\n:global ipfresh [ /ip address get [/ip address find interface=\$theinterfa\
ce ] address ]\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\
\n :log info (\"DynDNS: No ip address on \$theinterface .\")\
\n} else={\
\n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
\n :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
\n :set ipfresh [:pick \$ipfresh 0 \$i];\
\n } \
\n}\
\n \
\n:if (\$ipddns != \$ipfresh) do={\
\n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
\n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
\n :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
\n :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcar\
d=NOCHG&mx=NOCHG&backmx=NOCHG\"\
\n /tool fetch address=\$ddnsserver src-path=\$str mode=\$protocol user=\$\
ddnsuser \\\
\n password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\
\n :delay 1\
\n :global str [/file find name=\"DynDNS.\$ddnshost\"];\
\n /file remove \$str\
\n :global ipddns \$ipfresh\
\n :log info \"DynDNS: IP updated to \$ipfresh!\"\
\n } else={\
\n# :log info \"DynDNS: dont need changes\";\
\n }\
\n} "
/tool graphing interface
add interface=PPPoE-ALICE
[admin@Router-HH] >
Code: Select all
[admin@MikroTik] >
caps-man console driver interface ipv6 metarouter partitions queue routing special-login tool beep export password quit setup
certificate disk file ip log mpls port radius snmp system user blink import ping redo undo
[admin@MikroTik] > /export
# feb/13/2017 14:48:13 by RouterOS 6.38.1
# software id = 099D-CQGT
#
/interface bridge
add name=wlan-gast
add name=wlan-privat
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=privat supplicant-identity="" wpa2-pre-shared-key=\
***********
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=gast supplicant-identity="" wpa2-pre-shared-key=\
***********
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC disabled=no frequency=2452 mode=ap-bridge name=wlan-2.4GHz security-profile=privat \
ssid=Yachthafen-2.4GHz wds-mode=dynamic
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-eeeC disabled=no frequency=auto mode=ap-bridge name=wlan-5.0GHz security-profile=\
privat ssid=Yachthafen-5.0GHz wds-mode=dynamic
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:87:84:B8 master-interface=wlan-2.4GHz mode=ap-bridge multicast-buffering=disabled name=\
wlan-gast-2.4GHz security-profile=gast ssid=Gasthafen-2.4GHz wds-cost-range=0 wds-default-bridge=wlan-gast wds-default-cost=0 wds-mode=dynamic wps-mode=\
disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:87:84:B7 master-interface=wlan-5.0GHz mode=ap-bridge \
multicast-buffering=disabled name=wlan-gast-5.0GHz security-profile=gast ssid=Gasthafen-5.0GHz wds-cost-range=0 wds-default-bridge=wlan-gast \
wds-default-cost=0 wds-mode=dynamic wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool-gast ranges=192.168.52.1-192.168.52.200
/ip dhcp-server
add address-pool=pool-gast disabled=no interface=wlan-gast lease-time=1m name=dhcp-gast
/interface bridge port
add bridge=wlan-privat interface=ether1
add bridge=wlan-privat interface=wlan-2.4GHz
add bridge=wlan-privat interface=wlan-5.0GHz
add bridge=wlan-gast interface=wlan-gast-2.4GHz
add bridge=wlan-gast interface=wlan-gast-5.0GHz
/ip address
add address=192.168.51.253/24 interface=ether1 network=192.168.51.0
add address=192.168.52.254/24 interface=wlan-gast network=192.168.52.0
/system clock
set time-zone-name=Europe/Berlin
/system leds
set 0 interface=wlan-2.4GHz
set 1 interface=wlan-5.0GHz
/system ntp client
set enabled=yes primary-ntp=192.168.51.254
[admin@MikroTik] >