Connection to Home Router

I have done a lot of searching and have been able to partially get my setup working, but need some additional help to complete my setup.

Here is what I have

Home Router (Asus RT-AC68P) connected to a Mikrotik hAP ac (RB952Ui-5ac2nD-US) into port 1.

From the Mikrotik I have TP-Link CPE210 connected into port 5.

Both the Mikrotik and the TP-Link have been flashed with the latest firmware and I have done all the required setup, but I must be missing something.

If I connect via a laptop into one of the other ports on the Mikrotik (say port 2) I am able to communicate just fine with both the Mikrotik and the CPE210.  When I look at the mesh on the Mikrotik I can see the CPE210 as a neighbor and I can click on it and it will open up its page.

The issue is when I am using my home computer and connected to the Mikrotik via my home router, I am able to see the Mikrotik and get to its configuration page with no problem.  I can see the CPE210 as a neighbor, but when I try and access the CPE210 I get an error that it can't reach the local.mesh:8080.

I have configured port forwarding in my Asus router on the 5525 port for the IP address that I assigned to the hAP ac on my home network.

What else do I need to be able to do in order to get to the CPE210 from my home network so that I don't have to plug in a separate laptop into the Mikrotik, while still protecting my home network?

I have attached pictures of the setup page for both my Mikrotik and hAP ac.


KD0VWH - Keith

K6CCC
You don't - that way anyway.

Port 1 on the hAP is used as a WAN interface for a tunnel.  Yes, you can access the local (connected) node, but the WAN port is not routed to the AREDN 10.x.y.z network.  The other part of the problem is that your computer has no idea how to route to a 10.x.y.z address.  I do things a little differently, so I can't really explain the "normal" way of getting a computer on your home network to reach the AREDN network.  Hopefully someone else can.  BTW, port 5525 port forwarding is only used if you are operating as a Tunnel Server.

As I said, what I am doing is not "normal", but this is what I am doing.  I am not using a typical consumer grade router.  Port 1 on my hAP gets a DHCP address from one VLAN on the router, and is used exclusively for tunnel connections (both as a tunnel server and a tunnel client).  Port 2 of the hAP is connected to a different VLAN (VLAN 5) on the router and on that LAN, the router is getting a DHCP address from the hAP.  My router has been told that traffic for 10.x.y.z can be reached on VLAN 5 with a gateway of the address of the hAP.  The router also knows that DNS service for .local.mesh can be obtained from the hAP.  So when this computer has traffic for a 10.x.y.z address, the computer sends it to the router on VLAN 101 (where this computer lives).  The router knows to send the traffic out VLAN 5 to the hAP and the hAP takes it from there.  If the computer first needs to do a DNS lookup for a .local.mesh url, the computer asks the router, which in turn asks the hAP.
Have I completely confused you?
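
The router behaviour described in the post above, modelled as an added example that is not part of the thread or anyone's actual configuration: a longest-prefix route lookup with and without the 10.0.0.0/8 static route toward the hAP, plus conditional DNS forwarding for .local.mesh. Every address, the node name and the function names are constructed assumptions, since the thread gives none.

```python
import ipaddress

# Constructed values (assumptions): the thread gives no addresses or node names.
HAP_LAN_IP = "10.54.32.1"      # hypothetical hAP address on VLAN 5
ISP_GATEWAY = "203.0.113.1"    # documentation-range stand-in for the ISP next hop
HOME_DNS = "192.0.2.53"        # stand-in for the router's normal upstream resolver

def build_routes(with_mesh_route):
    """Router table as (network, next hop, interface); None means directly connected."""
    table = [
        ("192.168.101.0/24", None, "vlan101"),  # where the home computer lives
        ("10.54.32.0/29", None, "vlan5"),       # hAP LAN; router is a DHCP client here
        ("0.0.0.0/0", ISP_GATEWAY, "wan"),      # default route
    ]
    if with_mesh_route:
        table.append(("10.0.0.0/8", HAP_LAN_IP, "vlan5"))  # the static route
    return [(ipaddress.ip_network(n), gw, dev) for n, gw, dev in table]

def lookup(routes, dst):
    """Longest-prefix match: return (interface, next hop) for a destination."""
    addr = ipaddress.ip_address(dst)
    net, gw, dev = max((r for r in routes if addr in r[0]),
                       key=lambda r: r[0].prefixlen)
    return dev, gw

def resolver_for(name, forwarders, default=HOME_DNS):
    """Conditional DNS forwarding: the longest matching domain suffix wins."""
    name = name.rstrip(".").lower()
    hits = [s for s in forwarders if name == s or name.endswith("." + s)]
    return forwarders[max(hits, key=len)] if hits else default

if __name__ == "__main__":
    forwarders = {"local.mesh": HAP_LAN_IP}
    remote_node = "10.99.1.2"  # constructed mesh address outside the hAP LAN subnet
    for label, routes in (("no static route", build_routes(False)),
                          ("with static route", build_routes(True))):
        print(label, "->", lookup(routes, remote_node))
    print(resolver_for("cpe210-node.local.mesh", forwarders))
    print(resolver_for("example.com", forwarders))
```

Without the static route, a mesh destination falls through to the default route and leaves via the WAN; with it, the same destination is handed to the hAP on VLAN 5.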

nc8q
get to the CPE210 from my home network

"What else do I need to be able to do in order to get to the CPE210 from my home network so that I don't have to plug in a separate laptop into the Mikrotik, while still protecting my home network?"

Your setup is common and sensible.
Your results are expected.

1. Why do you want to 'get to the CPE210' from your home LAN instead of from your Mikrotik hAP's LAN?
2. Neither the Mikrotik hAP nor the CPE210 offers any protection to your home network.

If you connect your 'laptop' to the LAN of the Mikrotik, the laptop will have access to, of course, the Mikrotik's LAN, the CPE210, your local AREDN-mesh LAN, your home LAN, and your home router's ISP network.

If you seek something else, please specify.
I hope this helps,


