for home or small business network
tested with a casual RouterBOARD
I didn’t manage to get a lease from the device on the 192.168.88.0 network so I had to do it the other way around.
To reset the configuration, set up a DHCP server
ifconfig eth0 10.1.1.254/24 up
systemctl restart isc-dhcp-server.service
mii-tool eth0
and proceed as follows
now connect to the device first through the Web UI
ping 10.1.1.101
nmap -p 22,80 10.1.1.101 -Pn -T5
http://10.1.1.101/
and through SSH
ssh 10.1.1.101 -l admin
it’s easier from the WUI (webfig) than from the CLI/FTP
http://10.1.1.101/ --> check updates
then check after device reboot
/system resource print
from the WUI (webfig)
quick set: CAP
    dhcp source: ethernet
    bridge all
    hostname: rboard1
quick set: Home AP Dual
    Wireless/
    SSID 2ghz
    SSID 5ghz
    choose country
    PSK/hide
    Internet/Eth1
    **ENABLE DHCP**
    Firewall Router
    Local Network
    192.168.100.1 / 255.255.255.0
    bridge all
    dhcp server
    dhcp range 192.168.100.100-192.168.100.199
    nat
(AT THIS POINT YOU LOSE CONNECTION BECAUSE FIREWALL ENABLED)
plug ether1 to ISP’s media access device (assuming DHCP)
switch to WLAN or plug another cable into ether2, and disable your DHCP daemon
systemctl stop isc-dhcp-server.service
systemctl disable isc-dhcp-server.service
and get a lease for yourself
wpa...
ip addr del 10.1.1.254/24 dev wlan0
dhclient -v wlan0
route add -net 192.168.100.0/24 dev wlan0
#dhclient -v eth0
#ip addr del 10.1.1.254/24 dev eth0
#route add -net 192.168.100.0/24 dev eth0
connect back to the Web UI
ping 192.168.100.1
nmap -p 22,80 192.168.100.1 -Pn -T5
http://192.168.100.1/
disable PoE
/interface ethernet poe set ether5 poe-out=off
enable DNS caching
/ip dns set allow-remote-requests=yes
and obtain a new lease to update your DNS forwarder
dhclient -r wlan0
dhclient -v wlan0
resolvectl status
make the lease last longer
/ip dhcp-server set 0 lease-time=3d
enable HTTPS for the WUI (webfig) with a certificate signed by a local CA
/certificate
add name=LocalCA common-name=LocalCA key-usage=key-cert-sign,crl-sign
sign LocalCA
add name=Webfig common-name=192.168.100.1
sign Webfig ca=LocalCA
/ip service
set www-ssl certificate=Webfig disabled=no
also disable unused services from the internal network
/ip service
disable telnet
disable ftp
disable api
disable api-ssl
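Added example (not part of the original notes): a check from the Linux host that the four services disabled above no longer answer on the LAN. It parses nmap's grepable output (-oG); the function name and the two sample scan lines are constructed for illustration, and the port numbers are the RouterOS defaults for ftp, telnet, api and api-ssl.

```shell
#!/bin/sh
# Added example, not from the original notes.
# RouterOS default ports of the services disabled above:
# ftp 21, telnet 23, api 8728, api-ssl 8729.
DISABLED_PORTS="21 23 8728 8729"

# Hypothetical helper: reads nmap grepable output (-oG -) on stdin, prints
# one line per port that is still open although its service should be
# disabled. Returns 0 when nothing is exposed, 1 otherwise.
audit_disabled_services() {
    awk -v want="$DISABLED_PORTS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        /^Host: .*Ports: / {
            host = $2
            sub(/^.*Ports: /, "")      # keep only the port list
            sub(/\t.*$/, "")           # drop trailing fields such as "Ignored State"
            m = split($0, entry, ", ")
            for (i = 1; i <= m; i++) {
                split(entry[i], f, "/")  # port/state/proto/owner/service/...
                if (f[2] == "open" && (f[1] in bad)) {
                    printf "%s: port %s (%s) still open\n", host, f[1], f[5]
                    found = 1
                }
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

TAB=$(printf '\t')
# Constructed sample scan lines: before and after disabling the services.
SAMPLE_BEFORE="Host: 192.168.100.1 ()${TAB}Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 8728/open/tcp//unknown///, 8729/closed/tcp//unknown///"
SAMPLE_AFTER="Host: 192.168.100.1 ()${TAB}Ports: 21/closed/tcp//ftp///, 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 80/open/tcp//http///, 8728/closed/tcp//unknown///, 8729/closed/tcp//unknown///"

# Live use against the router from this page:
# nmap -Pn -p 21,22,23,80,443,8728,8729 -oG - 192.168.100.1 | audit_disabled_services
```
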
now imagine you also want to simply route packets without SNAT on ether5
remove ether5 from the LAN
/interface bridge port
print
# use the number that print lists for ether5
disable 4
define an IP for routing
/ip address add address=x.x.x.x/xx interface=ether5
restrict dynamic SNAT to the LAN subnet
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.100.0/24 out-interface-list=WAN