anthonws
Frequent Visitor
Topic Author
Posts: 76
Joined: Sat Jan 09, 2016 6:46 pm

hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 1:31 am

IIRC, ever since I started using 7.13 beta (now with 7.14b4) I have started experiencing this weird behavior with my hap ac3 AX.
After a couple of days (2 or 3) it stops responding to PING, I cannot access it via Winbox (discovery also doesn't pick it up) or HTTP, and 2.4Ghz WiFi stops being available (devices disconnect), but 5Ghz ones are still connected :S

What would be the recommended way of collecting the required data for troubleshooting or trying to do an RCA? Particularly given that hard reset (pulling power) is the only way to bring back the device.

Cheers,
anthonws.
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 8:10 am

You say 5GHz and LAN still works, so does it mean you can connect to the router or not?
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 9:51 am

Two things you can do (I would do):
  1. Do a complete export: /export show-sensitive file=anynameyoulike
  2. netinstall the device: https://help.mikrotik.com/docs/display/ROS/Netinstall
You can share your config here as well (make sure to remove serial and any other private info).
Are you running any "special" services like Docker?
 
anthonws
Frequent Visitor
Topic Author
Posts: 76
Joined: Sat Jan 09, 2016 6:46 pm

Re: hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 2:00 pm

@normis, I can access devices that are connected via LAN and WiFi (5Ghz), but cannot access the router itself (no PING, Winbox, SSH, HTTP).
2.4Ghz devices (Shelly mainly) are also not accessible.

@erlinden, will do.

Thanks
 
infabo
Long time Member
Posts: 695
Joined: Thu Nov 12, 2020 12:07 pm

Re: hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 2:10 pm

> Two things you can do (I would do):
>   1. Do a complete export: /export show-sensitive file=anynameyoulike

show-sensitive are you sure?
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 2:13 pm

> show-sensitive are you sure?

That helps importing the (near) complete config after performing a netinstall.
 
infabo
Long time Member
Posts: 695
Joined: Thu Nov 12, 2020 12:07 pm

Re: hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 2:24 pm

Ah yes, now I see. You suggested to netinstall (step 1 export, step 2 perform netinstall). But when OP shares his config, better don't show sensitive. 8)
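
Added example (not from any poster in this thread): a Python filter for the sharing step discussed above. Even an export made without show-sensitive still carries the software id, MAC addresses and SSIDs, so this redacts those plus any secret-bearing parameters before the text is posted. SENSITIVE_KEYS is an assumed, non-exhaustive list, and the sample export is constructed.

```python
import re

# Assumption: illustrative, non-exhaustive parameter names; extend as needed.
SENSITIVE_KEYS = ("passphrase", "password", "secret", "private-key",
                  "pre-shared-key", "ssid")
KEY_RE = re.compile(r'\b(' + "|".join(map(re.escape, SENSITIVE_KEYS))
                    + r')=("(?:[^"\\]|\\.)*"|\S+)')
MAC_RE = re.compile(r'\b[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}\b')
HEADER_RE = re.compile(r'^(#\s*(?:software id|serial number)\s*=\s*)\S+', re.I)

# Constructed sample export (placeholder ids, documentation-range MAC).
SAMPLE = '''# 2024-01-02 12:44:25 by RouterOS 7.14beta4
# software id = XXXX-XXXX
# serial number = EXAMPLE12345
/interface bridge
add admin-mac=00:00:5E:00:53:01 auto-mac=no name=bridge
/interface wifi security
add authentication-types=wpa2-psk name=sec1 passphrase="correct horse battery"
/interface wifi configuration
add name=cfg1 security=sec1 ssid="Home - IoT"
/ip dhcp-server lease
add address=192.168.25.50 mac-address=00:00:5e:00:53:01
'''


def sanitize_export(text):
    """Return (sanitized_text, counts) for a RouterOS /export dump."""
    counts = {"header": 0, "mac": 0, "secret": 0}
    macs = {}  # same MAC -> same pseudonym, so the config stays readable

    def mac_sub(m):
        counts["mac"] += 1
        return "MAC-%d" % macs.setdefault(m.group(0).upper(), len(macs) + 1)

    def key_sub(m):
        # Matches any parameter ending in a listed name; over-redaction is
        # the safe direction for text that is about to be published.
        counts["secret"] += 1
        return m.group(1) + "=REDACTED"

    out = []
    for line in text.splitlines():
        line, n = HEADER_RE.subn(r"\1REDACTED", line)
        counts["header"] += n
        line = KEY_RE.sub(key_sub, line)
        line = MAC_RE.sub(mac_sub, line)
        out.append(line)
    return "\n".join(out), counts


if __name__ == "__main__":
    cleaned, stats = sanitize_export(SAMPLE)
    print(cleaned)
    print(stats)
```

Keep the unredacted show-sensitive file only for the netinstall restore, and post the filtered text.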
 
anthonws
Frequent Visitor
Topic Author
Posts: 76
Joined: Sat Jan 09, 2016 6:46 pm

Re: hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 2:52 pm

Here's an "/export hide-sensitive" output.

This is a simple config, since this is a "child" bridged AP device, that sits in my storage room. It has a VLAN for a specific port, for my Hyper-V server malware/trash lab VMs (it basically creates a direct isolated path towards my ISP).
Some of the PPP/IPSEC configs are leftovers (hopefully not creating any issue) from my attempts at protecting the physical link, but I am trying to go with MACSEC in the meantime (have another post in the forum where I asked for some help).
# 2024-01-02 12:44:25 by RouterOS 7.14beta4
# software id = Y5YP-7K50
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=DC:2C:6E:2E:42:82 auto-mac=no comment=defconf name=bridge port-cost-mode=short
add name=bridge-vlan10
/interface ethernet
set [ find default-name=ether1 ] comment="Router LAN Port"
set [ find default-name=ether4 ] comment=DARKSTAR
set [ find default-name=ether5 ] poe-out=off
/interface vlan
add interface=ether1 name=ether1.10 vlan-id=10
add interface=ether4 name=ether4.10 vlan-id=10

/interface ethernet switch port
set 0 default-vlan-id=auto vlan-mode=disabled
set 1 default-vlan-id=auto vlan-mode=disabled
set 2 default-vlan-id=auto vlan-mode=disabled
set 3 default-vlan-id=auto vlan-mode=disabled
set 4 default-vlan-id=auto vlan-mode=disabled
set 5 default-vlan-id=auto vlan-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add band=5ghz-ac disabled=no name=5GHz_AC_20_40_80MHz width=20/40/80mhz
add band=2ghz-n disabled=no name=2GHz_N_20_40MHz width=20/40mhz
/interface wifi datapath
add bridge=bridge disabled=no interface-list=LAN name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=WIFISSID wps=disable
add authentication-types=wpa2-psk disabled=no name="WIFISSID - IoT" wps=disable
/interface wifi configuration
add channel=5GHz_AC_20_40_80MHz channel.band=5ghz-ac .width=20/40/80mhz country=Portugal datapath=datapath1 datapath.bridge=bridge disabled=no mode=ap name=cfg1 security=WIFISSID \
    security.authentication-types=wpa2-psk,wpa3-psk .wps=disable ssid=WIFISSID
add channel=2GHz_N_20_40MHz channel.band=2ghz-n .skip-dfs-channels=all .width=20/40mhz country=Portugal datapath=datapath1 datapath.bridge=bridge disabled=no mode=ap name=cfg2 security=\
    "WIFISSID - IoT" security.authentication-types=wpa2-psk .management-protection=disabled .wps=disable ssid="WIFISSID - IoT"
/interface wifi
set [ find default-name=wifi1 ] channel=2GHz_N_20_40MHz channel.skip-dfs-channels=all configuration=cfg2 configuration.mode=ap datapath=datapath1 disabled=no security="WIFISSID - IoT" \
    security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] channel=5GHz_AC_20_40_80MHz channel.skip-dfs-channels=all configuration=cfg1 configuration.mode=ap .multicast-enhance=enabled datapath=datapath1 disabled=no \
    security=WIFI security.authentication-types=wpa2-psk
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ppp profile
set *FFFFFFFE use-compression=no use-encryption=required use-ipv6=no use-mpls=no
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment="::: defconf" ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment="::: defconf" interface=wifi1
add bridge=bridge comment="::: defconf" interface=wifi2
add bridge=bridge-vlan10 interface=ether1.10
add bridge=bridge-vlan10 interface=ether4.10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.25.3/24 comment=LAN interface=ether1 network=192.168.25.0
add address=172.16.10.3/24 interface=ether1.10 network=172.16.10.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dns
set allow-remote-requests=yes servers=192.168.25.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.25.3 name=router.lan
/ip firewall filter
add action=drop chain=forward in-interface=bridge-vlan10 out-interface=bridge
add action=drop chain=input dst-address=192.168.25.0/24 src-address=172.16.10.0/24
add action=fasttrack-connection chain=forward comment="fasttrack established/related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established/related" connection-state=established,related
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.25.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.25.0.0/24 gateway=192.168.25.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip ssh
set forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=Storage
/system leds
set 0 disabled=yes interface=*1 leds=led1,led2,led3,led4,led5 type=wireless-signal-strength
set 1 disabled=yes leds=poe-led type=poe-out
/system leds settings
set all-leds-off=immediate
/system logging
add disabled=yes topics=wireless,debug
/system note
set show-at-login=no
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/system watchdog
set watch-address=192.168.25.2
/tool bandwidth-server
set authenticate=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by anthonws on Tue Jan 02, 2024 7:53 pm, edited 2 times in total.
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 3:16 pm

When using VLAN, everyone should read this great topic:
viewtopic.php?t=143620

To summarize:
Use a single bridge
Do VLAN filtering on the bridge
Do VLAN all the way (any network should be a VLAN)
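
Added example (not from any poster in this thread): a Python check of a RouterOS export against one reading of the first two rules above, namely a single bridge, vlan-filtering=yes on it, and VLAN interfaces created on the bridge rather than on physical ports. The third rule is not checked; BEFORE and AFTER are abridged from the two exports posted in this thread, and the function names are this example's own.

```python
import re
import shlex


def parse_export(text):
    """Map section path -> list of {key: value} dicts, one per add/set line."""
    text = re.sub(r"\\\n\s*", "", text)  # join '\'-continued export lines
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None:
            toks = shlex.split(line)  # keeps comment="a b" as one token
            current.append(dict(t.split("=", 1) for t in toks if "=" in t))
    return sections


def check_vlan_layout(text):
    """Return findings against the 'single VLAN-filtered bridge' layout."""
    s = parse_export(text)
    bridges = [b for b in s.get("/interface bridge", []) if "name" in b]
    names = {b["name"] for b in bridges}
    findings = []
    if len(bridges) > 1:
        findings.append("multiple bridges: " + ", ".join(sorted(names)))
    for b in bridges:
        if b.get("vlan-filtering") != "yes":
            findings.append("vlan-filtering not enabled on " + b["name"])
    for v in s.get("/interface vlan", []):
        if v.get("interface") not in names:
            findings.append("vlan %s sits on %s, not on a bridge"
                            % (v.get("name"), v.get("interface")))
    return findings


# Abridged from the first export in this thread.
BEFORE = """/interface bridge
add auto-mac=no comment=defconf name=bridge port-cost-mode=short
add name=bridge-vlan10
/interface vlan
add interface=ether1 name=ether1.10 vlan-id=10
add interface=ether4 name=ether4.10 vlan-id=10
"""
# Abridged from the second export in this thread.
AFTER = """/interface bridge
add auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_vlan_layout(cfg))
```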
 
anthonws
Frequent Visitor
Topic Author
Posts: 76
Joined: Sat Jan 09, 2016 6:46 pm

Re: hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 3:28 pm

Thanks for the info. But, is my config incorrect then? Would this be a possible cause for the issues I described?
 
erlinden
Forum Guru
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 4:02 pm

> Thanks for the info. But, is my config incorrect then? Would this be a possible cause for the issues I described?

Probably not...still a bit overwhelmed by the config. Can you describe what you would like to achieve with this device?
 
anthonws
Frequent Visitor
Topic Author
Posts: 76
Joined: Sat Jan 09, 2016 6:46 pm

Re: hap ac3 ax - From 7.13 to 7.14 betas - No 2.4Ghz WiFi, Winbox, PING - 5Ghz WiFi and LAN works

Tue Jan 02, 2024 6:40 pm

Sure, I'll explain a bit better. But I am now scared since you said "overwhelmed" :S

1. Device B (HAP AC3 AX), IP 192.168.25.3, is connected via RJ45 to Device A (RB4011 WiFi), IP 192.168.25.2.
2. Device B sits outside of the apartment (private storage room in the building) and is responsible for allowing access to Internet, plus comms with IoT WiFi devices and driving regular LAN/WiFi comms for devices in that room.
3. Device A is responsible for WAN access, plus regular LAN/WiFi and IoT WiFi.
4. Currently I do not have IoT WiFi segregated in its own VLAN (still have to find the time to dwell in mDNS and other important elements for Home Assistant to work properly with all my IoT devices)
5. VLAN10 (172.16.10.0/24) is used only for Hyper-V VMs, where I tag the VLAN ID for the respective interfaces where I want to just provide Internet access
6. Ether4 is where my Windows Server is connected to (which will have access to regular LAN and VMs to VLAN10)
7. 172.25.0.0/24 is the subnet for ZeroTier, which is configured in Device A (192.168.25.2)

Hopefully that provides a bit more clarity.

Thanks for your help!

Edit: This device has been working for quite some time now. The specific behavior I mentioned started happening recently, and IIRC, it started showing up after 7.13.

Edit 2: Re-did the whole VLAN configuration based on the post you mentioned. I hope I have interpreted it correctly. Also applied the necessary changes to Device A VLAN configuration.
[admin@Storage] > /export hide-sensitive 
# 2024-01-02 17:48:20 by RouterOS 7.14beta4
# software id = Y5YP-7K50
#
# model = RBD53iG-5HacD2HnD

/interface bridge
add admin-mac=DC:2C:6E:2E:42:82 auto-mac=no comment=defconf ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Router LAN Port"
set [ find default-name=ether4 ] comment=DARKSTAR
set [ find default-name=ether5 ] poe-out=off
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-mode=disabled
set 1 default-vlan-id=auto vlan-mode=disabled
set 2 default-vlan-id=auto vlan-mode=disabled
set 3 default-vlan-id=auto vlan-mode=disabled
set 4 default-vlan-id=auto vlan-mode=disabled
set 5 default-vlan-id=auto vlan-mode=disabled
/interface list
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add band=5ghz-ac disabled=no name=5GHz_AC_20_40_80MHz width=20/40/80mhz
add band=2ghz-n disabled=no name=2GHz_N_20_40MHz width=20/40mhz
/interface wifi datapath
add bridge=bridge disabled=no interface-list=LAN name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=WIFI wps=disable
add authentication-types=wpa2-psk disabled=no name="WIFI - IoT" wps=disable
/interface wifi configuration
add channel=5GHz_AC_20_40_80MHz channel.band=5ghz-ac .width=20/40/80mhz country=Portugal datapath=datapath1 datapath.bridge=bridge disabled=no mode=ap name=cfg1 security=WIFI \
    security.authentication-types=wpa2-psk,wpa3-psk .wps=disable ssid=WIFI
add channel=2GHz_N_20_40MHz channel.band=2ghz-n .skip-dfs-channels=all .width=20/40mhz country=Portugal datapath=datapath1 datapath.bridge=bridge disabled=no mode=ap name=cfg2 \
    security="WIFI - IoT" security.authentication-types=wpa2-psk .management-protection=disabled .wps=disable ssid="WIFI - IoT"
/interface wifi
set [ find default-name=wifi1 ] channel=2GHz_N_20_40MHz channel.skip-dfs-channels=all configuration=cfg2 configuration.mode=ap datapath=datapath1 disabled=no security=\
    "WIFI - IoT" security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] channel=5GHz_AC_20_40_80MHz channel.skip-dfs-channels=all configuration=cfg1 configuration.mode=ap .multicast-enhance=enabled datapath=datapath1 \
    disabled=no security=WIFI security.authentication-types=wpa2-psk
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ppp profile
set *FFFFFFFE use-compression=no use-encryption=required use-ipv6=no use-mpls=no
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment="::: defconf" ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment="::: defconf" interface=wifi1
add bridge=bridge comment="::: defconf" interface=wifi2
add bridge=bridge interface=vlan10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether1,ether4,bridge,vlan10 vlan-ids=10
add bridge=bridge untagged=bridge,ether1,ether2,ether3,ether4,ether5,wifi1,wifi2 vlan-ids=1
/interface list member
add comment=defconf interface=bridge list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.25.3/24 comment=LAN interface=bridge network=192.168.25.0
add address=172.16.10.3/24 interface=vlan10 network=172.16.10.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dns
set allow-remote-requests=yes servers=192.168.25.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.25.3 name=router.lan
/ip firewall filter
add action=drop chain=forward in-interface=vlan10 out-interface=!vlan10
add action=fasttrack-connection chain=forward comment="fasttrack established/related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established/related" connection-state=established,related
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.25.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.25.0.0/24 gateway=192.168.25.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip ssh
set forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=Storage
/system leds
set 0 disabled=yes interface=*1 leds=led1,led2,led3,led4,led5 type=wireless-signal-strength
set 1 disabled=yes leds=poe-led type=poe-out
/system leds settings
set all-leds-off=immediate
/system logging
add disabled=yes topics=wireless,debug
/system note
set show-at-login=no
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/system watchdog
set watch-address=192.168.25.2
/tool bandwidth-server
set authenticate=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
