Setup mAP in reverse config from default

Posted: Tue Nov 26, 2024 11:15 pm
by ocgltd
I have a new mAP which I want to use in the reverse of the configuration that it's normally used in. In other words, the ethernet cable will connect my LAN to the mAP port 1. And the WiFi will connect to my phone "hotspot" as a client. I am trying to create a backup route in case my cablemodem goes down. Since the mAP will be on the outside of my firewall it should pass through packets. It will be the job of my firewall to route packets to the mAP when the cablemodem is down.

I find the QuickSet confusing, so I went to the full WinBox interface (and I have *basic* familiarity with MikroTik). I can access the new mAP from ethernet and wifi side, so that's great. But now I'm stuck.

Has anyone done this before? Is there a guide somewhere that explains how to configure what I want? I thought I could at least figure out how to make the WiFi side into a client to connect to my phone...but I don't even see a "client" mode (under Interfaces > wlan1 > Wireless > Mode)

Thanks

Re: Setup mAP in reverse config from default

Posted: Wed Nov 27, 2024 12:07 am
by jaclaz
In MikroTik, a client is called "station".
And there are a few modes available; you want station-pseudobridge, see:
https://help.mikrotik.com/docs/spaces/R ... tion+Modes

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 5:02 am
by ocgltd
I've spent around 7 hours messing with my new mAP in total. I just can't get it to do what I want! What I'm trying to do is:

1. Device acts as a bridge (bridging eth1 + wlan1)
2. WLAN1 Acts as station, connecting to my phone's hotspot
3. ETH1 passes the IP config received from the wifi along to the ETH1 port
4. No IP > firewall rules (which shouldn't even make sense for bridge)

I keep getting locked out, resetting it, and trying again....argh

I'm getting stuck around the bridge point. I disabled the default ports in the bridge, and added all of the ports (ETH1/WLAN1) to the bridge. But the WLAN1 just always says disabled port. Why? Can you not add a wlan port to a bridge?

Is the above config even possible with this device? Do I have to make this device into a router?

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 6:04 am
by phascogale
So you want a straight bridge, wireless included, not a router.

Search for full instructions. The basic process is to connect via MAC address, delete the existing configuration, create a bridge and add everything to it, with wireless set up as a DHCP client for connection.

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 11:13 am
by jaclaz
Post what you have, see instructions here:
viewtopic.php?t=203686#p1051720

If you want a reference, I have somewhere a hap lite (should be very similar to the map/map lite) with a very simple configuration that I can share.

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 11:14 am
by normis
Did you use pseudobridge mode, as mentioned above?

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 11:20 am
by jaclaz
Ok, here is the (very, very basic) configuration that you could use as a base:
# nov/29/2024 10:09:05 by RouterOS 6.49.17
# software id = [redacted]
#
# model = RouterBOARD 941-2nD
# serial number =  [redacted]
/interface bridge
add admin-mac=[redacted] auto-mac=no name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    station-pseudobridge ssid=[redacted] wireless-protocol=802.11
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=[redacted] \
    wpa2-pre-shared-key=[redacted]
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/ip address
add address=192.168.1.160/24 interface=bridge1 network=192.168.1.0
/ip dhcp-client
add interface=bridge1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Europe/Rome
/system ntp client
set enabled=yes server-dns-names=0.it.pool.ntp.org,1.it.pool.ntp.org
It is the simplest one I could come up with. It is completely static; in your case you will need to add a DHCP client, but that is easy once you have it working as static.

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 3:18 pm
by ocgltd
First of all I didn't realize I could connect by MAC address...wow what a time saver. Thank you.

Next, I'm looking at the script above and I've tried to do each step manually from the WinBox GUI. But I clearly am missing an important concept here... I can't get my head around this:

1. I see you set a static IP on the device as well. Why? I want this device to get the IP from the WLAN side, and then pass that along to the wired side (so this device is transparent). Is this IP an "EXTRA" IP I can use to connect to the device for further management?

2. Since I want my device to pass the WAN side IP to the LAN side, do I also need a DHCP server to pass along the IP to the LAN side?

3. Since this is a bridge, why do I need a route? Shouldn't everything coming in one side just pass through to the other? Or is this just for the management interface?

The script you posted bridges all the ports, yet it gets an address via DHCP from one side, and has a static IP on the other. How can that be? How can it be a "transparent bridge" if it has different IP's on each side?

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 3:49 pm
by mkx
1. Yes.
DHCP client sends out broadcast packets when doing DHCP discover and the bridge will send these frames out via all member ports. In principle only one DHCP server is necessary per L2 broadcast domain, and if there are multiple servers in a given L2 broadcast domain (not wrong by itself), it's expected that they all reply with leases valid for a client.
2. Yes, a statically set IP address (especially so if it's from a different IP subnet) can be used for management purposes (if you know the management IP address, you can connect a computer with an IP address from the same subnet and you can connect). With MikroTik this is not needed if you leave MAC Winbox connectivity enabled.
3. Bridge transparently passes ethernet frames between member ports. This in principle also includes wireless interfaces. So none of the DHCP functionality (DHCP server nor DHCP relay) is needed in this case.
However: depending on wireless radio mode, things might not be as transparent as we'd wish. If the wireless radio is set as station or station-pseudobridge, then the wireless interface (or rather: communication with the AP) is not transparent; the MAC address of the wired machine on the station side gets lost ... which can upset a few services (e.g. a DHCP server if it works with MAC addresses and not with client-ID values).

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 4:00 pm
by ocgltd
Ok then I have it setup as specified. But something seems strange:

1. I can ping the mAP's wireless address (received via DHCP) from other hosts on the same subnet. Good!
2. When I tried to connect to the mAP using WinBox via the wireless address, it will not connect. Strange?
3. I can NOT ping the mAP's static IP from a host directly connected via the eth1 port. Strange?
4. I can connect to the mAP using the MAC address via the wired eth1 connection. Good!

Do I have to adjust firewall rules to permit something here? Can someone explain why #2 and #3 are happening?

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 4:06 pm
by jaclaz
Well, the setup I posted is (intentionally) static only, it is that of a device that I use to give wireless connectivity to a device that has only a wired port but is physically in a room where there is not an ethernet cable arriving nearby.

In your case you may want or need to set it with a DHCP client.
In this case the DHCP client will be assigned to the bridge.
The DHCP server should be your telephone hotspot (that acts as an AP).
The issue might be, if you also have a DHCP server on any device connected to the ether1, a conflict of some kind.
As well, devices connected to ether1 that run a DHCP client may get confused from the (added) DHCP server of your phone hotspot.
But since the device on the other side of the connected cable is your "main" router/firewall, you can "stop" the DHCP on its side.

Cannot really say if it is possible, but if you can change settings of your phone hotspot (i.e. have the same, known, IP address as gateway), I would think that it would be better to use static settings in your case as well.
BUT it has to be considered how - due to some limitations of the 802.11 standards - the mode=station-pseudobridge is not really-really a complete L2 switch/bridge equivalent, it is complicated, but basically there could be issues with more devices connected to ether1.

An alternative could be to set your map to work as a router (yes, you will have double NAT, but it is (IMHO) largely a myth that it represents a problem).
In this alternate configuration, you would have ether1 and wlan1 routed, you would have the wlan1 running a DHCP client (that would get the DHCP data from the DHCP server of your phone hotspot) and ether1 with a static IP address, the route/gateway would be automatically added from the DHCP data, and all you would have to do would be to set in your main router the map ether1 address as (failover) gateway.

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 4:07 pm
by jaclaz
Do I have to adjust firewall rules to permit something here?
We won't know until you post your current configuration for review.

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 4:13 pm
by ocgltd
I meant conceptually (since I'm not sure IP firewall rules are even processed between ports that are bridged). But just in case, I added accept rules for in/out/fwd at the top of the list, and no difference.

There must be a reason for this I don't understand.

BUT!!!! It is working, in that traffic is flowing through the mAP as expected. So it works for general traffic, but I can't ping the static IP I set, and can't access the static (wired) IP.

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 4:25 pm
by jaclaz
I meant conceptually (since I'm not sure IP firewall rules are even processed when ports are bridged). But just in case, I added accept rules for in/out/fwd at the top of the list, and no difference.

There must be a reason for this I don't understand
Conceptually firewall should be not part of the issue(s), unless you are using firewall on the bridge.

Which leaves us with around 42 :shock: other possible reasons (give or take a couple ones).

The only way to hopefully find it/them is to actually read your configuration, otherwise we would just make (educated or not) guesses.

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 4:49 pm
by ocgltd
Ok here's my config. Note that it's built on the default config, so there is some garbage left over, but I think it is harmless. But after being locked out of the mAP so many times, I did not want to reset the config (since there is no serial interface to this device).

Any clues in the below as to why I can't ping the static IP? Or use winbox via the lan/wan IP?

/interface bridge
add admin-mac=78:9A:18:98:XX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=MYNAME supplicant-identity="" unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=presharedkey wpa2-pre-shared-key=\
    MYKEYY
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=canada disabled=no distance=indoors installation=indoor mode=\
    station-pseudobridge security-profile=MYKEY ssid=MYSID wireless-protocol=\
    nv2-nstreme-802.11
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether2
add bridge=bridge comment=defconf disabled=yes interface=pwr-line1
add bridge=bridge comment=defconf disabled=yes interface=wlan1
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=wlan1 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
/ip address
add address=172.31.246.2 interface=ether1 network=172.31.246.2
/ip dhcp-client
add disabled=no interface=bridge
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward
add action=accept chain=output
add action=accept chain=input
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=172.31.246.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes secrets=MYSECRET

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 5:10 pm
by jaclaz
Well, which IP address are you pinging?

The bridge has none set.

Only ether1 has one (and it is a /32):
/ip address
add address=172.31.246.2 interface=ether1 network=172.31.246.2
Try running /ip address print and post the output.
Same for /ip route print, this way we can understand what happens with Dynamic settings (coming from DHCP).
Since right now your device is essentially a "dumb switch", it is well possible that no IP is assigned to bridge, a switch doesn't really need one, still you might want to set one for pinging or IP access.

Once you add an interface to a bridge, it loses its own "self-standing" identity and follows the settings for the bridge.

As well, the bridge is not in interface list WAN nor LAN:
/interface list member
add interface=wlan1 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
As a side note, do not be so sure that the whole set of completely unneeded things you have set right now is harmless (it may be so, but do not assume that).

Having both a DHCP client and a DHCP server (which you shouldn't need) running on the bridge seems to me like a good example of something that may well (sooner or later) create issues.

Since you have right now an unused interface, ether2, it is a good idea to set it independent, with a static address of (say) 192.168.88.1/24, make sure that it is part of LAN interface-list.
This way you have a "dedicated management port" that you can reach in case connectivity via wlan1 or ether1 is compromised by some "wrong" configuration experiment.

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 6:06 pm
by ocgltd
I thought that adding the static IP to eth1 was a good idea, so that some bad actor on the WAN side couldn't access. But I don't understand if that is valid for a bridge, or in that case why the mikrotik let me do it :?

I got rid of the DHCP server, and moved the static IP to the bridge, and changed the static IP address from /32 to /24. This leads me to my next question...but I think everything is working!! :D :D But I have to test more. Now my left over questions...

1. What does it mean adding /24 onto the field marked "ADDRESS" for this interface? I thought an address was a single value. But adding the /24 (mask bits) I am defining a subnet. Is that "ADDRESS" field actually 2 things combined?

2. Since all ports are bridged, now the outside world can see my WinBox port! That feels dangerous. Do I need to disable this via IP > SERVICES?

3. I've read about ReMON. Is that a "safer" way to manage the mAP from WinBOX tool (since my firewall is a mtik, which connects to this mtik, I'm guessing the neighbor detection would allow me to manage it from inside my LAN).

4. Or does exposing ReMON to the internet cause even more problems? Do I need to add a separate IP (to eth2) and only manage it that way? Seems very cumbersome, but better safe than sorry.

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 7:21 pm
by jaclaz
0.
ether1 is an interface and it has its own "dignity" and you can assign an address to it.
But when you add it to a bridge, the bridge is *like*
WE ARE THE BORG; YOU WILL BE ASSIMILATED.YOUR UNIQUENESS WILL BE ADDED TO OUR COLLECTIVE. RESISTANCE IS FUTILE. :wink:
the individual address of the port loses significance.
Still, the moment you take the interface out of the bridge, its address will become relevant again.

1. Yes.
An address in itself is just an address, you need to also define its network mask.
On Windows and most other consumer network stuff your ether1 address would have been:
IP address: 172.31.246.2
Netmask: 255.255.255.255

In RouterOS, if you input:
/ip address add address=172.31.246.2 interface=ether1
it is the same (missing / parameter) as:
/ip address add address=172.31.246.2/32 interface=ether1
and the result (in /ip address export) will be *like*
/ip address
add address=172.31.246.2 interface=ether1 network=172.31.246.2
i.e. the network parameter is added automatically and set to the single address.

If you try:
/ip address add address=172.31.246.2/24 interface=ether1
you will see that (in /ip address export) you will have:
/ip address
add address=172.31.246.2/24 interface=ether1 network=172.31.246.0
the network now is correct for the /24.

Check on this calculator:
https://www.calculator.net/ip-subnet-calculator.html
to get familiar with the various possible syntaxes.

2. Yes and no
Since the device is now a (dumb) switch it has no way to filter anything.
Though it should be possible to use firewall on the bridge and (say) drop the port Winbox uses (default port 8291) or simply change it to a new "random" one, the hypothetical attacker will now need to know (or guess) 3 pieces of credentials, user, password and port #.

As said, where possible it is better to take one port out of the bridge (and leave it not connected normally) and use it for management via Winbox during configuration and, once you are substantially satisfied with your tests, allow winbox only on that port.
Typically you would have (example):
/interface list
add list=WAN
add list=LAN
add list=MGM
/interface list member
add interface=bridge list=WAN
add interface=ether2 list=MGM
/tool mac-server
set allowed-interface-list=MGM
/tool mac-server mac-winbox
set allowed-interface-list=MGM
Many people disable Winbox altogether and leave only SSH access (as well usually only from connections on a single port, and in some cases - even safer - only allowing management from a single source IP).

3&4
Cannot say, you mean RoMON:
https://help.mikrotik.com/docs/spaces/R ... 8569/RoMON
I have no experience with it.

Re: Setup mAP in reverse config from default

Posted: Fri Nov 29, 2024 11:34 pm
by rplant
2. Yes and no
Since the device is now a (dumb) switch it has no way to filter anything.
The input firewall chain still works.
However, by default the bridge is a LAN interface and input is allowed from LAN interfaces, i.e. all ports.
(Input is disallowed from all except LAN interfaces.)

You can add (and remove/modify) firewall rules to filter access to the router (eg. by IP address, or from a port removed from the bridge)
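As an added example (my own code, not MikroTik's and not from any post in this thread), here is a small linter that parses a RouterOS export in the format posted above and reports the points raised in the review: an address with no mask (/32), an address left on a bridge member port, a DHCP server and DHCP client on the same interface, and an unconditional accept in the input chain. The sample export is a constructed, cut-down excerpt of the one posted in the thread; the finding messages and function names are mine.

```python
"""Added example (not MikroTik code): lint a RouterOS export for the bridge mistakes reviewed in this thread."""
import ipaddress
import re

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
# Constructed sample: a cut-down excerpt of the export posted in the thread.
SAMPLE = """\
/interface bridge
add comment=defconf name=bridge
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether2
add bridge=bridge interface=ether1
/ip address
add address=172.31.246.2 interface=ether1 network=172.31.246.2
/ip dhcp-client
add disabled=no interface=bridge
/ip firewall filter
add action=accept chain=input
add action=accept chain=input comment=\\
    "defconf: accept established,related" connection-state=established,related
"""

def parse_export(text):
    """Return [(section, verb, {key: value})]; a trailing '\\' joins lines."""
    entries, section, buf = [], None, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        buf += line.rstrip("\\")
        if line.endswith("\\"):
            continue                      # value continues on the next line
        if buf.startswith("/"):
            section = buf                 # e.g. "/ip address"
        else:
            entries.append((section, buf.split()[0],
                            {k: v.strip('"') for k, v in KV.findall(buf)}))
        buf = ""
    return entries

def lint(entries):
    """Return the review findings (plain strings) for a parsed export."""
    def rows(section, verb="add"):
        return [kv for s, v, kv in entries if s == section and v == verb]
    out = []
    ports = {kv["interface"] for kv in rows("/interface bridge port")
             if kv.get("disabled") != "yes"}
    for kv in rows("/ip address"):
        ip = ipaddress.ip_interface(kv["address"])       # no "/nn" means /32
        if ip.network.prefixlen == 32:
            net24 = ipaddress.ip_interface(f"{ip.ip}/24").network.network_address
            out.append(f"{kv['address']} on {kv['interface']} is host-only (/32); "
                       f"with /24 RouterOS would set network={net24}")
        if kv["interface"] in ports:
            out.append(f"{kv['interface']} is a bridge port: its own address is ignored, put it on the bridge")
    both = {kv["interface"] for kv in rows("/ip dhcp-server")} & \
           {kv["interface"] for kv in rows("/ip dhcp-client")}
    out += [f"{i} runs both a DHCP server and a DHCP client" for i in sorted(both)]
    for kv in rows("/ip firewall filter"):
        if (kv["chain"], kv["action"]) == ("input", "accept") \
                and not set(kv) - {"chain", "action", "comment"}:
            out.append("unconditional accept in chain=input exposes Winbox/SSH on every bridged port")
    return out
```

Run `lint(parse_export(SAMPLE))` to get the four findings for the sample; feed it the output of `/export` from your own device to check a configuration before plugging it in.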