namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

problem with IP binding to Access the AP behind a router

Sat Dec 18, 2010 8:47 pm

I have a 5-port wired MikroTik router with hotspot accounts.

port 1: WAN (connected to modem)
port 2: connected to Access point 1 (AP1)
port 3: connected to Access point 2 (AP2)
port 4: connected to Access point 3 (AP3)
port 5: connected to home router

Ports 2-5 are LAN and they are bridged.

In the ADSL modem
WAN: IP from ISP
LAN: 192.168.0.1

Mikrotik WAN: 192.168.0.50
Mikrotik LAN: 192.168.1.1/24

Buffalo home router WAN: 192.168.1.50
Buffalo home router LAN: 192.168.2.1/24

AP1, AP2 and AP3's IPs are 192.168.1.100, 192.168.1.150 and 192.168.1.200 respectively.

My problem:
When I am connected to the home router I cannot access any of the APs' pages, but I can go to the modem page and the MikroTik router page.
But when I connect to any of the APs, I can access any of the APs and I can go to the modem page and the MikroTik router page.

In all cases, the internet is working fine, but I want to be able to access the APs when I am connected to the home router.

To solve this problem I did the following:
/ip hotspot ip-binding
add address=192.168.1.100 type=bypassed
add address=192.168.1.150 type=bypassed
add address=192.168.1.200 type=bypassed
But the problem now is that if someone gets the MAC and IP of an AP and changes his to match, he will get ultimate access without username and password or speed limit.
Last edited by namo on Sun Dec 19, 2010 1:13 pm, edited 1 time in total.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: problem with IP binding to Access the AP behind a router

Sun Dec 19, 2010 12:57 pm

Try this:
/ip firewall filter
add chain=forward action=drop src-address=192.168.1.100 connection-state=new
Same for the other two IPs. With this, you can connect to them from any interface, but they can't start a new connection.
Ensure the three IPs have a static lease in "/ip dhcp-server lease" if you are using the universal NAT feature of the hotspot.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem with IP binding to Access the AP behind a router

Sun Dec 19, 2010 1:17 pm

I added the rule at the top of the filter rules but it didn't work. I still get full internet access with IP 192.168.1.100 and the MAC of the AP.

Is there another solution or another way to access the AP without IP binding?
Last edited by namo on Sun Dec 19, 2010 1:48 pm, edited 1 time in total.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: problem with IP binding to Access the AP behind a router

Sun Dec 19, 2010 1:34 pm

Check "/ip hotspot host". Ensure that 192.168.1.100 is not already being translated to another IP. If the to-address is not 192.168.1.100, then you should fix that.

ADD: I don't issue the entire ip subnet with dhcp. I set dhcp to issue 192.168.1.32-192.168.1.250 only. That leaves a few lower and a few higher that are not issued. Then I assign my AP a static ip 192.168.1.4/24. When the hotspot issues another ip in the dhcp range, I change that dhcp lease assignment to static and change the address.
/ip dhcp-server lease
make-static X
set X address=192.168.1.4
And to answer your edit: Yes! You do not need to use ip-binding. You can disable the hotspot, make your changes to the AP, then enable the hotspot.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem with IP binding to Access the AP behind a router

Fri Dec 24, 2010 7:45 pm

The lease is not the problem. The problem is that a person can take the IP and MAC of the AP and have full internet access if the IP and MAC are in the IP binding. I cannot access the AP without IP binding. Now each time I want to access the AP page, I have to enable the IP binding in Winbox and access the page. After I am done, I have to disable it again so no one has full access by using the AP's MAC and IP.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: problem with IP binding to Access the AP behind a router

Fri Dec 24, 2010 7:58 pm

Buy an AP that supports the concept of management ports, either physically dedicated ones or via VLANs. Then run the Hotspot on the customer interface, and manage the AP via the management interface. Also has the advantage of customers not being able to access or see your APs.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem with IP binding to Access the AP behind a router

Fri Dec 24, 2010 8:12 pm

I have a Ubiquiti NanoStation M2. I am behind a router that is connected to the MikroTik, not connected to the MikroTik router directly, and I want to access the AP that is connected to the MikroTik router. I used IP binding as suggested before, but I discovered the problem of stealing the MAC and IP. Stealing the MAC and IP of an account lets you have limited speed, but the one from IP binding lets you have full speed.

I know that I can make the access to the AP go to 192.168.1.100:100, but this doesn't prevent taking the MAC and IP. Is it possible to block all access to 192.168.1.100 except port 100?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: problem with IP binding to Access the AP behind a router

Fri Dec 24, 2010 8:39 pm

That was the secondary purpose of getting a static lease on the AP. You can now use that IP to block access on new connections from the AP (or MAC thief) to the internet with "/ip firewall filter". Does the Nanostation have any services that need internet access?
/ip firewall filter
add chain=forward action=drop src-address=192.168.1.100 connection-state=new
Move this rule to the top of the filter list.

EDIT: I changed the src-address to 192.168.1.100. That is the ip that is bypassed?
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem with IP binding to Access the AP behind a router

Sat Dec 25, 2010 1:50 am

I tried this, but with this I cannot access the AP.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: problem with IP binding to Access the AP behind a router

Sat Dec 25, 2010 5:52 am

Add "in-interface=ifname", substituting the interface name the Hotspot is configured on. That way the AP cannot establish outbound connections, but can respond to inbound connections.
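
The drop rule from this thread with the in-interface match applied to all three AP addresses, as an added example that was not posted by anyone in the thread. `bridge-lan` is an assumed name for the interface the hotspot runs on, and the comment texts are made up for illustration.

```routeros
# Added example, not from the thread.
# "bridge-lan" is an assumed interface name: use the interface the hotspot server is bound to.

# Bypass entries from the first post, so the AP pages can be reached without a hotspot login.
/ip hotspot ip-binding
add address=192.168.1.100 type=bypassed comment="AP1 management"
add address=192.168.1.150 type=bypassed comment="AP2 management"
add address=192.168.1.200 type=bypassed comment="AP3 management"

# Drop any connection that is started from a bypassed address and arrives on the
# hotspot interface. Replies from the AP to a connection someone else opened are
# not in state "new", so they do not match this rule.
/ip firewall filter
add chain=forward action=drop in-interface=bridge-lan src-address=192.168.1.100 \
    connection-state=new comment="AP1: no outbound connections"
add chain=forward action=drop in-interface=bridge-lan src-address=192.168.1.150 \
    connection-state=new comment="AP2: no outbound connections"
add chain=forward action=drop in-interface=bridge-lan src-address=192.168.1.200 \
    connection-state=new comment="AP3: no outbound connections"

# Review the result: the three drop rules must sit above any accept rule in the
# forward chain (move them to the top of the list if they do not), and the hotspot
# host table should show each AP address with an unchanged to-address.
/ip firewall filter print
/ip hotspot host print
/ip hotspot ip-binding print
```

A client that copies an AP's MAC and IP still matches the bypass entry, but every new connection it starts through the router matches the drop rule, so the bypass no longer gives it internet access.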
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: problem with IP binding to Access the AP behind a router

Sat Dec 25, 2010 10:20 am

I blocked the AP IP except port 80 and now it is working.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: problem with IP binding to Access the AP behind a router

Sat Dec 25, 2010 12:52 pm

I just checked my rule I posted above with V4.14, and it works as it is. Allows inbound requests, blocks outbound requests. ??
