Thursday 19 December 2013

Mikrotik Wifi - NAT and DNS

I had to spend some time to figure out how to get my Mikrotik router working with my WiFi. It seemed either the DNS did not work or the NAT was wrong; well, it was the NAT.

Here is some experience, some key points. Not necessarily in the correct order, but I hope it helps you.


This assumes the two WiFi networks (one guest and one primary) are already set up.

The IP addresses for the networks:

/ip address
add address=<internal network>/<mask> comment="default configuration" disabled=no \
    interface=wlan1 network=<internal network>

This sets the real IP on the WAN port:

add address=<real ip>/<mask> disabled=no interface=ether1-gateway network=\
    <the isp network>

add address=<internal network>/<mask> disabled=no interface=bridge-local network=\
    <internal network>
add address=<guest network>/<mask> disabled=no interface=wlan2 network=<guest network>


Set the address lists:

/ip firewall address-list
add address=<internal network> disabled=no list=Internal
add address=<guest network> disabled=no list=Guest

<other IPs and networks>

And the DHCP pools too:
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=<internal network>/<mask> comment="default configuration" dhcp-option="" \
    dns-server=<set the internal ip of the router here> gateway=<set the internal ip of the router here> netmask=<mask> ntp-server="" \
    wins-server=""
add address=<guest network>/<mask> dhcp-option="" dns-server="" gateway=<set the internal ip of the router here> \
    ntp-server="" wins-server=""

Set the DNS:
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=<isp dns>
/ip dns static
add address=<isp dns> disabled=no name=router ttl=1d


Add this to the firewall to allow established connections:

/ip firewall filter
add action=accept chain=input connection-state=established disabled=no \
    in-interface=ether1-gateway

You have to add a NAT rule for the guest and primary WiFi networks so they can use the WAN port:

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether1-gateway \
    src-address=<internal network>/<mask>
add action=masquerade chain=srcnat disabled=no out-interface=ether1-gateway \
    src-address=<guest network>/<mask>

Add a default route to reach the outside world:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=<isp gateway> scope=30 \
    target-scope=10
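The mistake this post is about is easy to make again: a WiFi subnet gets an address, a DHCP network and a route, but no matching srcnat masquerade rule, so its clients never reach the Internet. The checker below is an added example (not from this post or from MikroTik); it parses the "/ip address" and "/ip firewall nat" sections of a RouterOS export and reports every non-WAN subnet that has no masquerade rule out of the WAN interface. The interface name ether1-gateway comes from the post; the sample export and all addresses in it are constructed.

```python
import ipaddress
import shlex

WAN_IF = "ether1-gateway"  # WAN interface name used in the post (assumed)

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the add/set lines of an export.

    RouterOS exports continue long lines with a trailing backslash; those are
    joined first. Values are split with shlex so quoted values survive.
    """
    sections, section = {}, None
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # section header such as "/ip address"
            section = line
            sections.setdefault(section, [])
            continue
        words = shlex.split(line)
        if section and words and words[0] in ("add", "set"):
            sections[section].append(
                dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return sections

def unmasqueraded_networks(text, wan_if=WAN_IF):
    """Subnets (as strings) that have no srcnat masquerade rule out of wan_if."""
    sec = parse_export(text)
    lans = [ipaddress.ip_interface(a["address"]).network
            for a in sec.get("/ip address", []) if a.get("interface") != wan_if]
    nats = [ipaddress.ip_network(r["src-address"], strict=False)
            for r in sec.get("/ip firewall nat", [])
            if r.get("chain") == "srcnat" and r.get("action") == "masquerade"
            and r.get("out-interface") == wan_if and "src-address" in r]
    return sorted(str(n) for n in lans if not any(n.subnet_of(m) for m in nats))

# Constructed export: the guest subnet on wlan2 is missing its masquerade rule.
SAMPLE = r"""
/ip address
add address=203.0.113.10/30 interface=ether1-gateway network=203.0.113.8
add address=192.168.88.1/24 comment="default configuration" interface=bridge-local \
    network=192.168.88.0
add address=192.168.89.1/24 interface=wlan2 network=192.168.89.0
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether1-gateway \
    src-address=192.168.88.0/24
"""

if __name__ == "__main__":
    for net in unmasqueraded_networks(SAMPLE):
        print(f"no masquerade rule out {WAN_IF} for {net}")
```

Run it against the output of "/export" copied from the router; an empty result means every LAN subnet has a NAT rule.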