
I've got the following network configuration:

  • Comtrend 5813 FTTH router, connected to the WAN, let's say in 192.168.50.x (the router's address being .1), with an active DHCP server handing out addresses from .150 to .200
  • Mikrotik 951G-2HnD connected to the Comtrend router, with address .2

This configuration works for Ethernet; I mean, I can plug a computer into the Mikrotik and the machine will get its own IP address and will be able to browse the Internet.

I need to set up 2 different WLANs, each of them in a different subnet, 192.168.60.0/24 and 192.168.70.0/24. For that I set up 2 different DHCP servers in the Mikrotik, assigned to each Virtual AP, with the Mikrotik's address as .2 on both (192.168.60.2 and 192.168.70.2).

When I connect a device to those WLANs I get a correct IP, but I'm not able to get traffic to pass through the router to the Internet.

I've tried using different routing options, but it seems I don't master Mikrotik's architecture enough.

Can anyone guide me to get this job done?

Thanks!

F.D.F.

2 Answers


It sounds like you may need to configure the firewall to pass through the NAT traffic on the Mikrotik. This is 'masquerading'.

When you enable NAT, by default the Mikrotik doesn't enable masquerading and as a result won't pass through established traffic. You must specifically enable the Firewall rule. An equivalent in IPTABLES would be the basic "allow all established" rule.

/ip firewall nat add chain=srcnat action=masquerade out-interface=Public

Where Public is the name of the interface on your WAN facing port (in your example with the 192.168.50.1 IP).

Reference: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

Daniel
  • While your phraseology is kind of weird for Mikrotik's standards, the actual command you gave is most likely the solution to the OP's question. Just to clarify, in Mikrotik there is no notion of 'pass through NAT traffic' or 'enable NAT' or 'masquerade by default'. By default (without the 'Default configuration') Mikrotik will route everything. It doesn't drop anything and it doesn't NAT anything. Everything in Mikrotik is configured manually according to each network's needs. In other words it's not like your standard home router with 'firewall on/off' buttons :P – Cha0s Feb 21 '15 at 15:36
  • Thanks, that was it (more or less). I already had that entry in my firewall rules, but I made a mistake adding the public interface to the Bridge and that caused the rule not to apply. It's working now. Thanks! – F.D.F. Feb 22 '15 at 00:38
  • I've been hung up in that same situation. – Daniel Feb 22 '15 at 00:48
  • I also hung up. This answer helped me. Btw, is it persistent? I.e. is it preserved after router reboot? – ivan.ukr Aug 29 '21 at 17:19

By default the Mikrotik has no firewall forward rules and will forward all traffic (default policy is accept).

The Mikrotik needs to know where to forward the traffic from the wireless clients. Add a default route via your FTTH router. Run this command on the Mikrotik:

/ip route
add gateway=192.168.50.1

The FTTH router needs to know how to reply to the wireless client IP subnets so you can add static routes in the FTTH router via 192.168.50.2 (preferable).

  • 192.168.60.0/24 via 192.168.50.2
  • 192.168.70.0/24 via 192.168.50.2

If adding static routes to the FTTH isn't possible you can tell the Mikrotik to NAT the wireless clients so the FTTH router sees all traffic originating as 192.168.50.2 (not preferable, double NAT is less than ideal).

/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1

Where ether1 is the port you have allocated the 192.168.50.2 address. Hint: /ip address export
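Putting both answers together, here is an added RouterOS configuration for the topology in the question (example code, not from either answerer). It assumes the bridge is called bridge-lan, the physical radio is wlan1 and the Virtual AP is wlan2-guest; ether1, the .50/.60/.70 addresses and the FTTH router as DNS are taken from the question and answers. It also shows the pitfall the asker ran into: if ether1 is a bridge port, the masquerade rule's out-interface=ether1 never matches.

```routeros
# Added example (not from either answer): minimal RouterOS config for the
# topology in the question. Names bridge-lan, wlan1 and wlan2-guest are
# assumptions; ether1 and the addresses come from the question/answers.

# 1. LAN bridge: the WAN-facing port (ether1) must NOT be a member, otherwise
#    its traffic is switched at layer 2 and out-interface=ether1 never matches.
/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
# (deliberately no "add bridge=bridge-lan interface=ether1" line)

# 2. Virtual AP on top of the physical radio, one SSID per subnet
/interface wireless
add name=wlan2-guest master-interface=wlan1 ssid=Guest

# 3. Addresses: .2 on the WAN side and .2 on each wireless subnet
/ip address
add address=192.168.50.2/24 interface=ether1
add address=192.168.60.2/24 interface=wlan1
add address=192.168.70.2/24 interface=wlan2-guest

# 4. One DHCP server per WLAN, handing out the Mikrotik as gateway
/ip pool
add name=pool60 ranges=192.168.60.10-192.168.60.200
add name=pool70 ranges=192.168.70.10-192.168.70.200
/ip dhcp-server
add name=dhcp60 interface=wlan1 address-pool=pool60 disabled=no
add name=dhcp70 interface=wlan2-guest address-pool=pool70 disabled=no
/ip dhcp-server network
add address=192.168.60.0/24 gateway=192.168.60.2 dns-server=192.168.50.1
add address=192.168.70.0/24 gateway=192.168.70.2 dns-server=192.168.50.1

# 5. Default route towards the FTTH router (second answer)
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.50.1

# 6. Source NAT so the FTTH router sees everything as 192.168.50.2
#    (first answer; or add static routes on the FTTH router instead)
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

# Verification: the masquerade rule's counters should grow while a wireless
# client browses; if they stay at zero, check the bridge port list first.
/ip firewall nat print stats
/interface bridge port print
```

RouterOS writes every `add` to the stored configuration immediately, so these rules survive a reboot, which is the persistence question raised in the comments.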