Configuring Mikrotik devices to be Access Points without NAT
This is a topic that I have been planning to dive into for a long time, but I kept procrastinating. Finally I sat down to it and found out it is much, much simpler than I anticipated.
I am a fan of MikroTik. They make high quality network devices for a good price, and they are based within the EU, in Latvia, close to my country of Poland. On the other hand, the learning curve of their software is so steep that it sometimes feels like a vertical wall. Especially for a person like me without a theoretical background in networking. But that does not stop me from having my whole networking setup based on their devices, because I am a homelabber and we do things not because they are easy and all that stuff.
I wrote about my setup almost exactly a year ago, and a new post on the current state is long overdue, but as I said in at least the last three blog posts, with moving to my new house it's often hard to find the energy to write.
Instead of the photo of a router, have a CAT
Anyway, back to the topic of the post. All of the MikroTik devices that I have run NAT in the default configuration, and while this is desired for things like my main router, I'd rather not have the WiFi Access Points do Network Address Translation, because a) I think it adds an unnecessary layer of complexity and b) it causes problems when I want to, for example, SSH from a machine connected straight to the main router into a machine connected to WiFi. That connection would have to go through the NAT.
And now it's time for the caveats:
I am not a networking expert, nor a MikroTik expert; I'd say I am quite the opposite. Everything I describe here is based on my searching for information on the internet, reading documentation, and painful trial and error. It is highly possible that the things I describe are against best practices, or just silly. But it works for me.
Hardware
I have configured two different APs to work without a NAT: the MikroTik Audience (RBD25G-5HPacQD2HPnD) (don't you love their naming schemes), and the hAP ac² (RBD52G-5HacD2HnD-TC). I also have the cAP ax (cAPGi-5HaxD2HaxD), but that I do not want to touch for now, as it is the main AP of the house, and my wife and I rely on it for our remote work, and I don't want to break it with my experiments.
What I also found to be a source of confusion, at least for me, is that at some point in the past MikroTik changed their WiFi driver from the old wireless to the new wifi-qcom, and that changed a lot in the way WiFi is configured. It reminds me a lot of the time when Raspberry Pi changed the camera commands when moving to a more modern release of Debian, which broke a lot of the old tutorials.
What I am describing here works on the new wifi-qcom WiFi driver and has been tested on RouterOS versions 7.16 and 7.22. You can check the version of RouterOS and the WiFi driver in use through WinBox under System -> Packages. I recommend using WinBox over the Web UI, as WinBox will work even when the MikroTik device does not have an assigned IP address, which will be the case here.
With that prolonged introduction, let's go to the cream.
Configuration
All of the commands below need to be typed/pasted into a terminal in WinBox. I prefer the terminal over clicking, because terminals are cool, and it's much easier to share commands than to make screenshots and explain what to click where. Also, being able to configure network equipment from the terminal feels so hackery, and that is a very important aspect.
Before starting, make sure you are connected to the device with a cable, as WiFi will not work until the end of the configuration. And preferably read through the whole post before doing it for yourself to make sure you understand all the steps.
The first step is to start with a clean slate: the command below removes the default configuration and restarts the device. Most probably you will get disconnected from the wired connection entirely and your OS will not want to reconnect, because the MikroTik device will not have an IP address, a DHCP server and all that magic. In that case you will need to manually set an IP address for your computer to force the connection to work. Setting it up differs between OSes and even desktop environments, so I will not describe it here; good luck, you're on your own, soldier. Any IP address should work, like 192.168.88.2.
/system reset-configuration no-defaults=yes
When connected again, go back to the terminal for the rest of the config. The next thing to do is to set up the bridge. The aim of the bridge interface is to, well, bridge all of the available connections to the device into a single internal network, just like a dumb switch does.
/interface bridge add name=br0 protocol-mode=none
/interface bridge port add bridge=br0 interface=ether1
/interface bridge port add bridge=br0 interface=ether2
The second part adds the ethernet ports to the bridge. The Audience has two RJ-45 ports, and the hAP has five, so for it I also needed to add ether3-5.
Now it's time to configure the WiFi.
/interface wifi security add name=sec-profile1 authentication-types=wpa2-psk passphrase="CorrectHorseBatteryStaple2026"
/interface wifi configuration add name=cfg-5ghz ssid="Mikrotik5" channel.band=5ghz-ac
/interface wifi configuration add name=cfg-2ghz ssid="Mikrotik2" channel.band=2ghz-n
/interface wifi set wifi2 configuration=cfg-5ghz security=sec-profile1 disabled=no
/interface wifi set wifi1 configuration=cfg-2ghz security=sec-profile1 disabled=no
The first line configures the security side of the WiFi. It sets the auth type to the standard non-enterprise WPA2-PSK, and sets the password to the extremely secure one we all know and love.
The next two lines add two Configurations. This is one of those things that changed from the old wireless WiFi driver in RouterOS. Now some settings, like the band, live in the Configuration, which is later attached to the WiFi interface. The final two lines connect the WiFi interfaces to the corresponding configuration and to the security profile defined in the first line.
What is important to remember here is that both the Audience and the hAP have two WiFi interfaces, with wifi1 being the 2.4GHz band and wifi2 the 5GHz one. Again, check your device before following the instructions. The Audience also has the wifi3 interface, but we are not interested in it in this case, as it is only used to create a mesh with other Audiences.
With those lines, the WiFi should work again. It is possible you will need to wait for a few minutes as the AP scans the air for the available WiFi channels. In the case of the hAP it can take up to 10 minutes.
What is now left is to add the WiFis to the bridge, so that all ports, wired and wireless, are connected into one big family.
/interface bridge port add bridge=br0 interface=wifi2
/interface bridge port add bridge=br0 interface=wifi1
A final step is to set up a static IP address. You can skip this step, as you will still be able to connect to the device through WinBox using the MAC address, but with an IP address you will also be able to use the Web UI in the browser. It needs to be on the same subnet as the DHCP-serving router to which the AP will be connected, but outside its DHCP pool. For example, my main router is the MikroTik RB3011, and it has an IP address of 192.168.88.1 and a DHCP pool of 192.168.88.100-192.168.88.255, so I set the IP address of my AP as follows:
/ip address add address=192.168.88.5/24 interface=br0
/ip route add gateway=192.168.88.1
/ip dns set servers=192.168.88.1
The final line defines the DNS server that the AP itself will use, for example to check for updates. The clients will still be able to use different DNS servers.
With that done, you can unplug the AP from your computer and connect it to a port of your internet-serving router. You can use any of the ports on the AP, as they are all connected to the same bridge. And voilà, omelette du fromage: you should be able to connect to the newly created WiFi network, have internet access, and when you check the IP address of your laptop or other device, it will be on the same subnet as your router, no NATs in the way.
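The whole procedure above, gathered into one RouterOS script with a few checks at the end. This is an added example, not a script from the original post: it generalizes the ethernet step by looping over every ether port (so it fits both the 2-port Audience and the 5-port hAP), and it assumes RouterOS 7 with the wifi-qcom driver, wifi1 being 2.4GHz and wifi2 being 5GHz, as described in the post.

```routeros
# Added example, not from the original post. Paste into a WinBox terminal after
# /system reset-configuration no-defaults=yes, once you have reconnected to the device.
# Assumes RouterOS 7 with wifi-qcom, wifi1 = 2.4 GHz, wifi2 = 5 GHz (as in the post).
# Change the values below before pasting; the Audience's mesh-only wifi3 is deliberately left out.
:local apAddress "192.168.88.5/24"
:local gateway "192.168.88.1"
:local passphrase "CorrectHorseBatteryStaple2026"

# Bridge every ethernet port (ether1..etherN) instead of listing them by hand.
/interface bridge add name=br0 protocol-mode=none
:foreach e in=[/interface ethernet find] do={
    /interface bridge port add bridge=br0 interface=[/interface ethernet get $e name]
}

# WiFi: one security profile, one configuration per band, bound to the two radios.
/interface wifi security add name=sec-profile1 authentication-types=wpa2-psk passphrase=$passphrase
/interface wifi configuration add name=cfg-5ghz ssid="Mikrotik5" channel.band=5ghz-ac
/interface wifi configuration add name=cfg-2ghz ssid="Mikrotik2" channel.band=2ghz-n
/interface wifi set wifi2 configuration=cfg-5ghz security=sec-profile1 disabled=no
/interface wifi set wifi1 configuration=cfg-2ghz security=sec-profile1 disabled=no
/interface bridge port add bridge=br0 interface=wifi2
/interface bridge port add bridge=br0 interface=wifi1

# Management address on the bridge, outside the main router's DHCP pool.
/ip address add address=$apAddress interface=br0
/ip route add gateway=$gateway
/ip dns set servers=$gateway

# Checks: every wired and wireless port should be listed under br0, and a pure
# bridge has no NAT rules and no DHCP server of its own (both prints should be empty).
/interface bridge port print
/ip firewall nat print
/ip dhcp-server print
# Once a client joins, it shows up here; its address should come from the main router's pool.
/interface wifi registration-table print
```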
Bottom Line
I hope you will find this post useful. I am writing it not only to share knowledge, but also to recap it for myself; by writing it down here I make sure I understand it well enough to be able to pass it on.
If you see any glaring mistakes, let me know via email or on the Fediverse, links in the footer, and meanwhile, thanks for reading!