Cannot set default internet route
Posted: Fri Sep 18, 2009 2:00 pm
by MrBass
Hi! I have been spending a long time on this problem. Hope you can help.
I configured my routeros 3.28 as this:
routeros ether1 IP 192.168.0.1, wlan1 IP 10.0.0.1
internet gateway/dns/etc 192.168.0.254
The wireless setup seems "OK" and working, but I cannot route packets across networks.
On routeros I can ping 192.168.0.0/24 IP addresses OK, but can't ping internet IP addresses. Default route 0.0.0.0/0 is set to 192.168.0.254. I also tried setting NAT/Masq but it doesn't change anything (I am testing from the routeros itself, to bypass any firewall/nat issue).
I am coming from a linux background, but I can't understand why this doesn't work. Please save me another day of messing around!
Thank you!
Re: Cannot set default internet route
Posted: Fri Sep 18, 2009 2:05 pm
by Chupaka
what is 192.168.0.254? does 192.168.0.254 allow access to Internet for 192.168.0.1?
try Traceroute from RouterOS to 4.4.4.4 - what do you see?
Re: Cannot set default internet route
Posted: Fri Sep 18, 2009 3:03 pm
by MrBass
192.168.0.254 is a simple DSL Modem (w/NAT).
Traceroute to 4.4.4.4 gives timeout errors from Host 192.168.0.1. (It has a default route, and seems to be trying it).
IP Route rules is blank. Do I need to set any here? (I did try but it didn't have any effect)
Re: Cannot set default internet route
Posted: Fri Sep 18, 2009 3:19 pm
by xezen
192.168.0.254 what subnet range is it
255.255.255.0?
Re: Cannot set default internet route
Posted: Fri Sep 18, 2009 3:21 pm
by Chupaka
no, you don't need routing rules.
are you sure 192.168.0.254 isn't blocking anything?.. can you ping it? is your default route active? try set 'Check Gateway' parameter
Re: Cannot set default internet route
Posted: Sat Sep 19, 2009 1:27 pm
by MrBass
thanks for the replies.
Fixed by entering a /24 subnet to the end of the IP address. I didn't know I needed it there, because it accepted the normal 192.168.0.1 IP address.
For some reason I thought it was generated/calculated when entering the network mask .0 and broadcast address .255.
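Added example, not part of any post in this thread: a small Python model of the next-hop check behind the fix above, showing why a default route stays unusable until the interface address carries its prefix length. It assumes an address entered without a prefix is treated as a /32 host address; the /24 on wlan1 and all function names are illustrative assumptions.

```python
import ipaddress

def connected_networks(addresses):
    """Map interface name -> connected network implied by its address."""
    # ip_interface() treats a bare address as a /32 host address, which is
    # the behaviour this example assumes for an address entered without /24.
    return {ifc: ipaddress.ip_interface(a).network for ifc, a in addresses.items()}

def resolve_gateway(gateway, addresses):
    """Return the interface that can reach the gateway on-link, or None."""
    gw = ipaddress.ip_address(gateway)
    matches = [(net.prefixlen, ifc)
               for ifc, net in connected_networks(addresses).items()
               if gw in net]
    # Longest prefix wins when several connected networks contain the gateway.
    return max(matches)[1] if matches else None

def audit_routes(routes, addresses):
    """Return a list of (dst, gateway, interface-or-None) for static routes."""
    return [(dst, gw, resolve_gateway(gw, addresses)) for dst, gw in routes]

# Constructed from the addresses quoted in the thread; the /24 on wlan1 is assumed.
BEFORE = {"ether1": "192.168.0.1", "wlan1": "10.0.0.1"}
AFTER = {"ether1": "192.168.0.1/24", "wlan1": "10.0.0.1/24"}
ROUTES = [("0.0.0.0/0", "192.168.0.254")]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for dst, gw, ifc in audit_routes(ROUTES, cfg):
            state = f"reachable via {ifc}" if ifc else "unreachable (no connected network)"
            print(f"{label}: {dst} gateway {gw} {state}")
```
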
Re: Cannot set default internet route
Posted: Mon Sep 21, 2009 10:20 am
by xezen
no problems we all glad to help!
Re: Cannot set default internet route
Posted: Wed Oct 07, 2009 3:54 am
by mstuebner
> no problems we all glad to help!
Hi all,
I would like to take that thread over, as I have a similar problem, but don't see any solution.
Hotspot is working so that users do get the login page and can login, then they get the status page and are redirected to the web address they asked for. But the traffic seems not to get through to ether1 (public side). I cannot ping anything on the public side from the client side (ether2).
From the Mikrotik I can ping the internet gateway and any server in the internet.
Does anyone have a hint for me?
br Matthias
Re: Cannot set default internet route
Posted: Wed Oct 07, 2009 8:48 am
by xezen
can you post your route from the hotspot ap?
and ip firewall nat?
Re: Cannot set default internet route
Posted: Wed Oct 07, 2009 11:22 am
by mstuebner
> can you post your route from the hotspot ap?
Note:
- 192.168.178.0/24 is the public side,
- 192.168.100.0/24 is the hotspot side
- 192.168.178.1 is the DSL router and by that gate to internet
- 192.168.178.222 is the public side of the mikrotik
- 192.168.100.1 is the hotspot side of the mikrotik
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 reachable 192.168.178.1 1 ether1
1 ADC 192.168.100.0/24 192.168.100.1 0 ether2
2 ADC 192.168.178.0/24 192.168.178.222 0 ether1
[admin@MikroTik] >
> and ip firewall nat?
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
[admin@MikroTik] /ip firewall nat>
Re: Cannot set default internet route
Posted: Wed Oct 07, 2009 8:19 pm
by xezen
don't you need a masquerade rule in there?
Re: Cannot set default internet route
Posted: Wed Oct 07, 2009 9:08 pm
by mstuebner
> don't you need a masquerade rule in there?
I tried this documentation:
http://www.mikrotik.com/testdocs/ros/2. ... notfound=6& but reading it again with your question I found that masquerading is set during /ip hotspot setup, but as I used winBox I tried to find that in these dialogs there and failed.
So I deactivated the existing hotspot and defined a new one, and verified that the nat was set, and it worked immediately (but again, from the setup dialog [double click on the hotspot] one doesn't find the information about nat).
So the (actually) only thing I very much wonder about is that the status window in the browser says it uses 192.168.100.99 (the hotspot/Active window says the same), but ifconfig and the DHCP lease say that the MacBook uses 192.168.100.100?!
Finally, when I click LOG OFF and login then again, the redirect to the requested website doesn't work. When I request the wanted website manually it immediately works, just the redirect doesn't.
First thanx for your pointer, second: any hint for the rest?
br Matthias
Re: Cannot set default internet route
Posted: Wed Oct 07, 2009 9:38 pm
by fewi
Post the output of
/interface export
/ip address export
/ip route export
/ip hotspot export
/ip dhcp-server export
/ip pool export
as well as your version.
Re: Cannot set default internet route
Posted: Thu Oct 08, 2009 10:17 am
by xezen
that's why i say with your post of ip firewall nat print there is no masquerade rule in there
start again
uninstall hotspot reboot reinstall reboot
and recreate hotspot
or
upgrade to 3.30
or post everything asked for so we can see what's not there
Re: Cannot set default internet route
Posted: Thu Oct 08, 2009 8:34 pm
by mstuebner
> that's why i say with your post of ip firewall nat print there is no masquerade rule in there
> start again
> uninstall hotspot reboot reinstall reboot
> and recreate hotspot
> or
> upgrade to 3.30
> or post everything asked for so we can see what's not there
Sorry in case that my last post was so unclear, but it IS working after recreating the hotspot setup.
The new question was, whether there is a known reason that redirect after re-login doesn't work? Will try v3.30 next.
Re: Cannot set default internet route
Posted: Thu Oct 08, 2009 8:49 pm
by fewi
The most likely reason you're seeing the status window showing .99 and the client itself reporting .100 is the universal NAT feature of the Hotspot. To turn it off, remove the address-pool configured on the Hotspot (set it to 'none').
This also fixes a known bug with redirects after login not working right.
Re: Cannot set default internet route
Posted: Thu Oct 08, 2009 9:04 pm
by mstuebner
> The most likely reason you're seeing the status window showing .99 and the client itself reporting .100 is the universal NAT feature of the Hotspot. To turn it off, remove the address-pool configured on the Hotspot (set it to 'none').
> This also fixes a known bug with redirects after login not working right.
Many thanx for your help. Will try so later this evening. Am I right that the "universal NAT" is something that is called "Zero-Configuration" at other places (means that it changes IP-settings transparently).
Re: Cannot set default internet route
Posted: Thu Oct 08, 2009 9:32 pm
by fewi
No. Zeroconf is completely different. Zeroconf is essentially a protocol that allows a client to negotiate an IP address without manual client configuration or a DHCP server.
Universal NAT means that the Hotspot will NAT you, no matter what your IP address is, but it requires the client to have an IP address somehow to begin with. You have a static IP address on your laptop that is invalid on the network you're connecting to - the Hotspot NATs you to something that'll work. There's no DHCP server and the client used zeroconf to configure an IP address - the Hotspot NATs you to something that'll work. The corollary is that the Hotspot will always NAT you, even if you received a legitimate DHCP lease from the same router that runs the Hotspot. If you configure the same address pool for both DHCP and the Hotspot, the Hotspot will NAT your IP to an IP in the same range, because it NATs to IPs in the pool it's told to NAT to. That's why you saw .99 and .100 - the router assigned via DHCP .100 to your laptop because that was the next free address in the pool. The Hotspot then, because of Universal NAT, picked the next free address in the pool (.99) and now NATs you from .100 to .99.
On the one hand, this simplifies everything for clients that may have invalid static addresses, or that couldn't receive a DHCP lease from you for some reason. That might reduce trouble tickets, and is potentially a nice feature. On the other hand - and this is of course just anecdotal - I've never seen this feature work well and bug free in any other implementation (many Hotspot products offer something similar), and once it doesn't work right it makes troubleshooting much harder. I always turn it off and require that clients use DHCP.
Re: Cannot set default internet route
Posted: Thu Oct 08, 2009 10:31 pm
by mstuebner
Thank you very much for your detailed explanation. That is what I meant, and what is called Zero-configuration (not zeroconf) at Zyxel G.4100.
So even though it cuts the capacity of the IP-pool in half, as long as the feature is working, it may help to reduce trouble. I will try it with using two different pools to see the effect.
I have to say that I still struggle with the number of different documentation pieces, not always finding the right one. Actually i.e. I try to find something that describes the firewall chains and its relation. I'm somehow familiar with iptables and similar, but I'm still not sure that I understood the chains at Mikrotik.
Re: Cannot set default internet route
Posted: Thu Oct 08, 2009 10:46 pm
by fewi
My bad on the 'zeroconf' vs 'zero-configuration' thing. I'd never heard it called that anywhere, but I've never worked with Zyxel gear.
Re: Cannot set default internet route
Posted: Fri Oct 09, 2009 11:56 am
by mstuebner
Hi fewi,
> The most likely reason you're seeing the status window showing .99 and the client itself reporting .100 is the universal NAT feature of the Hotspot. To turn it off, remove the address-pool configured on the Hotspot (set it to 'none').
> This also fixes a known bug with redirects after login not working right.
Just to give feedback about my findings:
- I did update to v3.30
- I removed the address-pool from hotspot, selected none
[admin@MikroTik] > /ip hotspot print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 hotspot1 local hsprof1 5m
Nevertheless the DHCP shows an address .100 as used, where the hotspot active user shows .99? Did I miss changing something? But as the redirect after login seems to work, everything is fine.
Thanx for your assistance, Matthias