MT as a "media converter" - wifi to wired
I'm trying to use a spare Mikrotik router - an old 951G-2hnD - as a sort of media converter. The idea is that it associates with a mobile phone hotspot, and provides wired access to it. However, I want LAN-side devices to get their IP addresses from the phone, not the Mikotik. To that end I first reset the router to the default configuration. Then I configured the wireless interface as "mode=station-bridge", and added the phone's SSID. In the relevant security profile I set authentication-mode to wpa-psk and wpa2-psk, and put the phone's key into wpa-pre-shared-key and wpa2-preshared-key. The wireless interface and all the LAN ports are already in a bridge. I split one off and moved the dhcp-server and IP address to it so I have a management interface. The bridge thus has no dhcp-server on it, and no IP address. I was sort of expecting that to work, but a client connecting to a LAN port does not get an IP address. The wireless interface does not enter "running" state. SSID and passphrase have been checked. The phone definitely supports wpa2. I can connect to the phone from a laptop. There are no firewall rules that would affect the bridge. What did I forget? Regards, K. PS: Context: Internode shut down our ADSL link with no warning. They say they emailed me, but they didn't. So I am trying to turn a mobile phone hotspot into a WAN connection :-) -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours.
You may want to try station-pseudo bridge as the “AP” is not a MikroTik or compatible and station bridge does require some trickery internally. Even if pseudo bridge works you may find more benefit in just treating that tether connection the “internet circuit” for your router and still doing DHCP via your 951. A lot of phones (at least used to) limit their number of clients to ~5 and so very easy for you to have a device fail to connect and a hell of a time diagnosing / getting logs from the mobile phone. Regards Alexander Alexander Neilson Neilson Productions Limited 021 329 681 alexander@neilson.net.nz
On 16 Mar 2024, at 02:30, Karl Auer via Public <public@talk.mikrotik.com.au> wrote:
I'm trying to use a spare Mikrotik router - an old 951G-2hnD - as a sort of media converter.
The idea is that it associates with a mobile phone hotspot, and provides wired access to it. However, I want LAN-side devices to get their IP addresses from the phone, not the Mikotik.
To that end I first reset the router to the default configuration. Then I configured the wireless interface as "mode=station-bridge", and added the phone's SSID. In the relevant security profile I set authentication-mode to wpa-psk and wpa2-psk, and put the phone's key into wpa-pre-shared-key and wpa2-preshared-key. The wireless interface and all the LAN ports are already in a bridge. I split one off and moved the dhcp-server and IP address to it so I have a management interface. The bridge thus has no dhcp-server on it, and no IP address.
I was sort of expecting that to work, but a client connecting to a LAN port does not get an IP address. The wireless interface does not enter "running" state. SSID and passphrase have been checked. The phone definitely supports wpa2. I can connect to the phone from a laptop. There are no firewall rules that would affect the bridge.
What did I forget?
Regards, K.
PS: Context: Internode shut down our ADSL link with no warning. They say they emailed me, but they didn't. So I am trying to turn a mobile phone hotspot into a WAN connection :-)
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
Please feel free to deal with this email during your own working hours.
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
On Sat, 2024-03-16 at 10:17 +1300, Alexander Neilson wrote:
You may want to try station-pseudo bridge as the “AP” is not a MikroTik or compatible and station bridge does require some trickery internally.
Thanks, Alexander. After sending my first message n this I did read the docs a bit more carefully, and there is a proviso for station-bridge that it only works with RouterOS APs. So I tried station-pseudobridge, sadly with no more success. Which, as the docs say it should be avoided where possible, is possibly a good thing. Which only leaves station- pseudobridge-clone, which actually looks like better deal (although I will only be connecting one node to the Mikrotik anyway) The irritating thing is that I had this working a few years ago with a much older MikroTik (now dead).
You may find more benefit in just treating that tether connection the “internet circuit” for your router and still doing DHCP via your 951. A lot of phones (at least used to) limit their number of clients to ~5 and so very easy for you to have a device fail to connect and a hell of a time diagnosing / getting logs from the mobile phone.
There will only be one client - I want to treat the Mikrotik+phone as my "WAN", so only my main router will be connected (wired) to it. As if to an ADSL modem in bridge mode, I wonder why? :-) I'm not sure I understand what you are saying here - that I should route over wlan1 and double-NAT? Rather than bridge at all? I'd say that was an acceptable solution, except that if the wlan interface can't connect to the phone's AP, it's all a moot point. The wlan interface should IMHO be connecting to the phone OK, but it doesn't appear to be. I'll see if I can double check that, maybe the phone will tell me. BTW a scan done on the MikroTik does see the phone's AP. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours.
You can just use normal “station” mode if you are routing the traffic no pseudobridge tricks and no “MikroTik only” bridge features. Tethering on phones does a lot of tricks these days and behaves all sorts of different ways. Regards Alexander Alexander Neilson Neilson Productions Limited alexander@neilson.net.nz 021 329 681 022 456 2326 On Sun, 17 Mar 2024 at 22:10, Karl Auer via Public < public@talk.mikrotik.com.au> wrote:
On Sat, 2024-03-16 at 10:17 +1300, Alexander Neilson wrote:
You may want to try station-pseudo bridge as the “AP” is not a MikroTik or compatible and station bridge does require some trickery internally.
Thanks, Alexander. After sending my first message n this I did read the docs a bit more carefully, and there is a proviso for station-bridge that it only works with RouterOS APs. So I tried station-pseudobridge, sadly with no more success. Which, as the docs say it should be avoided where possible, is possibly a good thing. Which only leaves station- pseudobridge-clone, which actually looks like better deal (although I will only be connecting one node to the Mikrotik anyway)
The irritating thing is that I had this working a few years ago with a much older MikroTik (now dead).
You may find more benefit in just treating that tether connection the “internet circuit” for your router and still doing DHCP via your 951. A lot of phones (at least used to) limit their number of clients to ~5 and so very easy for you to have a device fail to connect and a hell of a time diagnosing / getting logs from the mobile phone.
There will only be one client - I want to treat the Mikrotik+phone as my "WAN", so only my main router will be connected (wired) to it. As if to an ADSL modem in bridge mode, I wonder why? :-)
I'm not sure I understand what you are saying here - that I should route over wlan1 and double-NAT? Rather than bridge at all? I'd say that was an acceptable solution, except that if the wlan interface can't connect to the phone's AP, it's all a moot point. The wlan interface should IMHO be connecting to the phone OK, but it doesn't appear to be. I'll see if I can double check that, maybe the phone will tell me. BTW a scan done on the MikroTik does see the phone's AP.
Regards, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160
Please feel free to deal with this email during your own working hours.
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Hi,
if the wlan interface can't connect to the phone's AP, it's all a moot point.
Check on the phone hotspot settings that “maximise compatibility” is enabled. This is for iPhone, not sure if android has a similar setting Andy Sent from iPhone On 17 Mar 2024, at 17:10, Karl Auer via Public <public@talk.mikrotik.com.au> wrote: if the wlan interface can't connect to the phone's AP, it's all a moot point.
I wrote:
if the wlan interface can't connect to the phone's AP, it's all a moot point.
Well, no amount of swearing at it got any form of bridged connection working. I retreated and set up a routed solution instead. Which worked perfectly just as soon as I set "mode=dynamic-keys" on the wireless interface. The bridged solution will probably work perfectly too, if I ever recover my composure enough to give it another go :-) I'll let you know if it does. Sorry for the noise :-( and many thanks for the help. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours.
I think for success without connecting to an AP that ISN'T Mikrotik you should stick with routed mode especially if time is short. I have had a lot of trouble in the past trying to join non-Mikrotik systems in a psudobridge(clone) mode and it never worked right. Primarily I presumed broadcasts just didn't flow properly which meant DHCP never worked right for example. Without getting too deep I don't think some router's DHCP server liked giving out more than one IP per MAC or they couldn't handle MAC proxy/spoofing. I have been mucking with bridge filtering of late with mDNS and I suspect there is a way to get psuedobridge to work well with clever use of ARP proxy and MAC SRCNAT. One reason I think that is I have seen cheapy Edimax Wifi extenders work just fine passing DHCP (dunno about other multicasts/broadcasts) so there is a trick to it that goes beyond just what psuedobridge does.
On Mon, 2024-03-18 at 07:38 +1100, Jason Hecker via Public wrote:
I think for success without connecting to an AP that ISN'T Mikrotik you should stick with routed mode especially if time is short.
Yes.
I have had a lot of trouble in the past trying to join non-Mikrotik systems in a psudobridge(clone) mode and it never worked right.
Well, that gives me some hope that it's not just me and the usual comedy of errors :-) Thanks, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours.
On Sun, 2024-03-17 at 21:28 +1100, Karl Auer via Public wrote:
The bridged solution will probably work perfectly too. I'll let you know if it does.
It didn't. wireless mode station-pseudobridge-clone no dhcp-server, no dhcp-client wlan1 and LAN ports bridged wide open firewall filter no nat wireless is associated and running ... but a node connected to a LAN port does not get a DHCP address from the phone. With a working routed solution my interest in troubleshooting this has waned a bit, so I think I'll leave it at that for now. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours.
Hi Karl, The MAC headers in 802.3 Ethernet and 802.11 wireless frames are very different. Bridging them transparently isn't really possible within the 802.11 standard and either requires hacks with ARP or "extending" the standard. Of course extending 802.11 to allow fully transparent bridging is vendor specific. Mikrotik does a very good job of "it just works" between their devices and therefore it can surprise a lot of people when it doesn't with others. The common hack is to do a proxy ARP or MAC NAT style "solution". This involves the station telling everything on the AP side of it that every MAC address behind it is in fact on the station. Layer 2 broadcasts have lots of problems working with this and DHCP is likely to have issues dependant on the DHCP server, the AP and the station. If you route traffic as you've done all the layer 2 MAC address issues go away and you are just left with standard layer 3 NAT since your phone won't be able to add any extra routes for the network behind the station. It will work and work reliably. And of course these days IPv4 is commonly NAT'ed multiple times for any customer of a large ISP anyway. On a side note: Now if you ever want to see a network completely stop: setup a station in one of these cursed proxy ARP style configs and then plug it's ethernet interface back in to the network. It will now see every device on the network on it's ethernet interface and tell the network on it's wifi interface that every MAC address is reachable via it's WiFi interface. Every packet it sends out via ethernet will come back to it via WiFi and get sent out the ethernet interface to... STP won't help in this situation because the proxy arp is hiding the MAC addresses as they go through. Regards Andrew Radke On Monday, 18-03-2024 at 7:39 Karl Auer via Public wrote: On Sun, 2024-03-17 at 21:28 +1100, Karl Auer via Public wrote:
The bridged solution will probably work perfectly too. I'll let you know if it does.
It didn't. wireless mode station-pseudobridge-clone no dhcp-server, no dhcp-client wlan1 and LAN ports bridged wide open firewall filter no nat wireless is associated and running ... but a node connected to a LAN port does not get a DHCP address from the phone. With a working routed solution my interest in troubleshooting this has waned a bit, so I think I'll leave it at that for now. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours. _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
A bit late, but Often disabling rstp can help with station-pseudo bridge. (Not sure why...) If the AP has some sort of broadcast/multicast optimisation enabled attempting a bridge mode is unlikely to work. Regards Roger On Sun, 2024-03-17 at 21:28 +1100, Karl Auer via Public wrote:
The bridged solution will probably work perfectly too. I'll let you know if it does.
It didn't. wireless mode station-pseudobridge-clone no dhcp-server, no dhcp-client wlan1 and LAN ports bridged wide open firewall filter no nat wireless is associated and running ... but a node connected to a LAN port does not get a DHCP address from the phone. With a working routed solution my interest in troubleshooting this has waned a bit, so I think I'll leave it at that for now. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours. _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com. au---------------------------- Roger Plant
I think that's because pseudobridge attempts to treat every ethernet-side mac address as an independent client connection to the AP (so that AP 'sees' multiple registrations from just the one device) - thus the AP mac address appears in the bridge on multiple interfaces - since STP is intended to detect when the same mac address appears on more than one interface and shut down interfaces receiving those dupes, STP 'does its job' so turning stp off prevents active shutting off of dupe interfaces... something like that, anyway. one of those unexpected situations where 'smarter' platform like mikrotik appears to the uninitiated to work poorly compared to 'dumber' options :-D Cheers! -----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Roger Plant via Public Sent: Monday, 18 March 2024 12:17 PM To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Cc: Roger Plant <rplant@melbpc.org.au> Subject: Re: [MT-AU Public] MT as a "media converter" - wifi to wired A bit late, but Often disabling rstp can help with station-pseudo bridge. (Not sure why...) If the AP has some sort of broadcast/multicast optimisation enabled attempting a bridge mode is unlikely to work. Regards Roger On Sun, 2024-03-17 at 21:28 +1100, Karl Auer via Public wrote:
The bridged solution will probably work perfectly too. I'll let you know if it does.
It didn't. wireless mode station-pseudobridge-clone no dhcp-server, no dhcp-client wlan1 and LAN ports bridged wide open firewall filter no nat wireless is associated and running ... but a node connected to a LAN port does not get a DHCP address from the phone. With a working routed solution my interest in troubleshooting this has waned a bit, so I think I'll leave it at that for now. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours. _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com. au---------------------------- Roger Plant _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Ta, Thanks for that. I might mention I have also found some value in your comments around netinstall and weird behaviour/bad blocks you made not so long ago :) To: "'MikroTik Australia Public List'" <public@talk.mikrotik.com.au> Date sent: Mon, 18 Mar 2024 12:26:46 +1100 Organization: DuxTel Pty Ltd Subject: Re: [MT-AU Public] MT as a "media converter" - wifi to wired From: Mike Everest via Public <public@talk.mikrotik.com.au> Send reply to: MikroTik Australia Public List <public@talk.mikrotik.com.au> Copies to: Mike Everest <mike@duxtel.com> [ Double-click this line for list subscription options ] I think that's because pseudobridge attempts to treat every ethernet-side mac address as an independent client connection to the AP (so that AP 'sees' multiple registrations from just the one device) - thus the AP mac address appears in the bridge on multiple interfaces - since STP is intended to detect when the same mac address appears on more than one interface and shut down interfaces receiving those dupes, STP 'does its job' so turning stp off prevents active shutting off of dupe interfaces... something like that, anyway. one of those unexpected situations where 'smarter' platform like mikrotik appears to the uninitiated to work poorly compared to 'dumber' options :-D Cheers! -----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Roger Plant via Public Sent: Monday, 18 March 2024 12:17 PM To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Cc: Roger Plant <rplant@melbpc.org.au> Subject: Re: [MT-AU Public] MT as a "media converter" - wifi to wired A bit late, but Often disabling rstp can help with station-pseudo bridge. (Not sure why...) If the AP has some sort of broadcast/multicast optimisation enabled attempting a bridge mode is unlikely to work. Regards Roger On Sun, 2024-03-17 at 21:28 +1100, Karl Auer via Public wrote:
The bridged solution will probably work perfectly too. I'll let you know if it does.
It didn't. wireless mode station-pseudobridge-clone no dhcp-server, no dhcp-client wlan1 and LAN ports bridged wide open firewall filter no nat wireless is associated and running ... but a node connected to a LAN port does not get a DHCP address from the phone. With a working routed solution my interest in troubleshooting this has waned a bit, so I think I'll leave it at that for now. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ Karl Auer (kauer@nullarbor.com.au, he/him) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160 Please feel free to deal with this email during your own working hours. _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com. au---------------------------- Roger Plant _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com. au _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com. au---------------------------- Roger Plant
participants (7)
-
Alexander Neilson
-
Andrew Oakeley
-
Andrew Radke
-
Jason Hecker
-
Karl Auer
-
Mike Everest
-
Roger Plant