Willi

hap AX² as CAP not reachable via winbox/IP

Tue Dec 26, 2023 7:15 pm

Hi,

I have a setup with 3 hap AX²: one as router and two as CAPs. I can see all three devices in Winbox, but the two CAPs are not reachable (neither via Winbox nor via their IP addresses). I have set a static IP for both (192.168.60.250 and 192.168.60.251). What am I doing wrong? Please find my config below:
# 2023-12-26 18:07:04 by RouterOS 7.13
# software id = 7Z28-IETK
#
# model = C52iG-5HaxD2HaxD
# serial number = HEP099KCHF8
# NOTE(review): earlier export of the router (18:07); a fuller export from 21:47
# follows later in the thread. br_lan and br_guest run with vlan-filtering=yes,
# but no "/interface bridge vlan" section is shown, so no bridge VLAN membership
# is declared here.
/interface bridge
add comment=WAN name=br_WAN_ISP port-cost-mode=short
add comment=WAN name=br_WAN_LTE port-cost-mode=short
add comment="Guest network" ingress-filtering=no name=br_guest \
    port-cost-mode=short vlan-filtering=yes
add comment="LAN network" ingress-filtering=no name=br_lan port-cost-mode=\
    short vlan-filtering=yes
add comment=OOB name=br_local port-cost-mode=short
/interface wireguard
# Back-to-home VPN listener on UDP 43955.
add comment=back-to-home-vpn listen-port=43955 mtu=1420 name=back-to-home-vpn
/interface vlan
# Per-port VLAN sub-interfaces; these are later added to the bridges as ports.
add interface=ether1 name=ether1_vl_GUEST vlan-id=70
add interface=ether1 name=ether1_vl_LAN vlan-id=60
add interface=ether1 name=ether1_vl_WAN_LTE vlan-id=50
add interface=ether3 name=ether3_vl_GUEST vlan-id=70
add interface=ether3 name=ether3_vl_LAN vlan-id=60
add interface=ether4 name=ether4_vl_GUEST vlan-id=70
add interface=ether4 name=ether4_vl_LAN vlan-id=60
# vlan-id=70 is also the GUEST tag used on ether1/ether3/ether4, here on br_local.
add interface=ether5 name=ether5_vl_local vlan-id=70
# VLAN interfaces on top of the bridges themselves.
add interface=br_guest name="vl_GUEST on br_GUEST" vlan-id=70
add interface=br_lan name="vl_LAN on br_LAN" vlan-id=60
/interface list
add name=LEASES
add name=UNTRUSTED
add name=WAN
add name=LAN
/interface wifi channel
# 2.4 GHz fixed at 20 MHz; 5 GHz may use 20/40/80 MHz.
add band=2ghz-ax disabled=no name=ch_2.4Ghz width=20mhz
add band=5ghz-ax disabled=no name=ch_5Ghz width=20/40/80mhz
/interface wifi datapath
# "br_LAN - VLAN 60" assigns vlan-id=60 to client traffic on br_lan; the
# router's own radios below use datapath.bridge=br_lan with no vlan-id instead.
add bridge=br_lan disabled=no interface-list=LAN name="br_LAN - VLAN 60" \
    vlan-id=60
add bridge=br_guest disabled=no name="br_GUEST - VLAN 70" vlan-id=70
/interface wifi security
# WPA2-PSK only; passphrases are not part of this export.
add authentication-types=wpa2-psk connect-priority=0 disabled=no name=\
    seccfg_Cussangy
add authentication-types=wpa2-psk connect-priority=0 disabled=no name=\
    seccfg_Cussangy_guest
/interface wifi configuration
# cfg_Cussangy_2.4Ghz has no datapath=, unlike the 5 GHz and guest profiles.
add channel=ch_2.4Ghz country=France disabled=no mode=ap name=\
    cfg_Cussangy_2.4Ghz security=seccfg_Cussangy security.connect-priority=0 \
    ssid=Cussangy
add channel=ch_5Ghz country=France datapath="br_LAN - VLAN 60" disabled=no \
    mode=ap name=cfg_Cussangy_5Ghz security=seccfg_Cussangy \
    security.connect-priority=0 ssid=Cussangy
add channel=ch_2.4Ghz country=France datapath="br_GUEST - VLAN 70" disabled=\
    no mode=ap name=cfg_Cussangy_guest_2.4Ghz security=seccfg_Cussangy_guest \
    security.connect-priority=0 ssid=Cussangy_guest
add channel=ch_5Ghz country=France datapath="br_GUEST - VLAN 70" disabled=no \
    mode=ap name=cfg_Cussangy_guest_5Ghz security=seccfg_Cussangy_guest \
    security.connect-priority=0 ssid=Cussangy_guest
# Two disabled "test" profiles; leftovers that can go once no longer needed.
add comment=test country=France disabled=yes mode=ap name=cfg24Cussangy \
    security=seccfg_Cussangy security.connect-priority=0 ssid=Cussangy
add comment=test country=France datapath="br_LAN - VLAN 60" disabled=yes \
    mode=ap name=cfg5Cussangy security=seccfg_Cussangy \
    security.connect-priority=0 ssid=Cussangy
/interface wifi
# Local radios: wifi2 (2.4 GHz) and wifi1 (5 GHz) as masters on br_lan, plus
# one guest virtual AP per band on br_guest.
set [ find default-name=wifi2 ] configuration=cfg_Cussangy_2.4Ghz \
    configuration.mode=ap datapath.bridge=br_lan disabled=no name=\
    Router_Cussangy_2.4Ghz security=seccfg_Cussangy \
    security.connect-priority=0
set [ find default-name=wifi1 ] configuration=cfg_Cussangy_5Ghz \
    configuration.mode=ap datapath.bridge=br_lan disabled=no name=\
    Router_Cussangy_5Ghz security=seccfg_Cussangy security.connect-priority=0
add configuration=cfg_Cussangy_guest_2.4Ghz configuration.mode=ap \
    datapath.bridge=br_guest disabled=no mac-address=7A:9A:18:01:AE:31 \
    master-interface=Router_Cussangy_2.4Ghz name=Router_Cussangy_guest_2.4Ghz \
    security=seccfg_Cussangy_guest security.connect-priority=0
add configuration=cfg_Cussangy_guest_5Ghz configuration.mode=ap \
    datapath.bridge=br_guest disabled=no mac-address=7A:9A:18:01:AE:2F \
    master-interface=Router_Cussangy_5Ghz name=Router_Cussangy_guest_5Ghz \
    security=seccfg_Cussangy_guest security.connect-priority=0
/ip ipsec profile
# IKE phase 1: modp2048 (DH group 14), AES-256, SHA-512, strict proposal check.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    profile1 proposal-check=strict
/ip ipsec peer
# Remote site addressed by DNS name; IKEv2.
add address=bpnet.duckdns.org exchange-mode=ike2 name=bpnet profile=profile1
/ip ipsec proposal
# AES-128-GCM is an AEAD cipher, hence the empty auth-algorithms.
add auth-algorithms="" enc-algorithms=aes-128-gcm lifetime=1h name=proposal1 \
    pfs-group=modp2048
/ip pool
# Every pool ends at .250; the CAP addresses named in the post (.250/.251)
# overlap the end of the dhcp_lan range.
add name=dhcp_local ranges=192.168.77.10-192.168.77.250
add name=dhcp_lan ranges=192.168.60.10-192.168.60.250
add name=dhcp_guest ranges=192.168.70.10-192.168.70.250
/ip dhcp-server
add address-pool=dhcp_local interface=br_local lease-time=1h name=dhcp_local
add address-pool=dhcp_lan interface=br_lan lease-time=1d name=dhcp_lan
add address-pool=dhcp_guest interface=br_guest name=dhcp_guest
/user group
# Read-only API group for Home Assistant: read, test and api granted, every
# other policy explicitly denied.
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,\
    !write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/interface bridge port
# VLAN sub-interfaces are used as bridge ports (one bridge per VLAN) instead of
# the raw ether ports going into a single VLAN-filtering bridge. ether2 (the
# future ISP port) is present but disabled. This export is cut off below.
add bridge=br_WAN_ISP disabled=yes interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=br_WAN_LTE interface=ether1_vl_WAN_LTE internal-path-cost=10 \
    path-cost=10
add bridge=br_lan interface=ether3_vl_LAN internal-path-cost=10 path-cost=10
add bridge=br_lan interface=ether4_vl_LAN internal-path-cost=10 path-cost=10
add bridge=br_local interface=ether5_vl_local internal-path-cost=10 \
    path-cost=10
add bridge=br_guest interface=ether3_vl_GUEST internal-path-cost=10 \
    path-cost=10
add bridge=br_guest interface=ether4_vl_GUEST internal-path-cost=10 \
    path-cost=10
add bridge=br_local disabled=yes interface=ether5 internal-path-cost=10 \
 
holvoetn

Re: hap AX² as CAP not reachable via winbox/IP

Tue Dec 26, 2023 9:54 pm

Quickly scanned your config.

Problem 1:
exactly 4 bridges too many.
Stick to 1 bridge and ONE only, unless you really know WHY you need multiple.
For your case, I don't think it's needed.
For management access, unassign one ethernet port from the bridge. That's your safeguard.

Problem 2:
you say 2 APs are used as CAP, but there is no CAPsMAN config on your router (assuming the config you showed is the one for the router)?
CAP = CONTROLLED Access Point.
Or are you using those 2 devices as AP (= simple Access Point)? Not clear what you want.

Problem 3:
Since when does the AX2 have a USB port for LTE, let alone an LTE interface? So why an LTE bridge?
Unclear again what the intention is.

With all due respect, your config is a small mess.

You may want to start with describing WHAT you want to achieve and a small drawing indicating how those devices are interconnected.

Homework: read this excellent tutorial on setting up VLANs (using ONE bridge).
viewtopic.php?t=143620
Let it sink in.
Read it again.
Then apply.
 
Willi

Re: hap AX² as CAP not reachable via winbox/IP

Tue Dec 26, 2023 10:19 pm

Hi Holvoetn, thanks for your reply.

The configuration I have intended can be seen in the image below (only one access point is shown in the drawing). The LTE bridge exists because I use this setup in a rural area without fibre/cable coverage. In the future, when this becomes available, I might take a cable subscription. This is the reason why I have a bridge WAN_ISP and a bridge WAN_LTE. I have two scripts running which make a dynamic DNS update to DuckDNS with the WAN IPs of both bridges. For that reason the WAN IP of the Wap ACE LTE Kit is in passthrough to the bridge WAN_LTE.
20231226_205937.jpg
I do think that both APs are centrally managed by the router (see the screenshots from the router below):
CAP.PNG
[
Radios.PNG
 
holvoetn

Re: hap AX² as CAP not reachable via winbox/IP

Tue Dec 26, 2023 10:28 pm

Then you did not show the full config, since something like this part is missing:
/interface wifi capsman
set enabled=yes interfaces=VLAN2 package-path=upgradecaps require-peer-certificate=no upgrade-policy=none
(my config listens on VLAN2 for CAPs devices, I use a folder "upgradecaps" on USB-stick on RB5009 for upgrading caps devices)

I'm also missing parts for tool and system.
So your posted config is not complete !

Please post the full config, just leave out the serial and WAN IP.
Also post the config of one of the CAP devices (assuming they are set up identically).

You don't need bridge_WAN_ISP nor bridge_WAN_LTE.
Just remove those ports from the main bridge.

When VLANs are setup properly, you also don't need Guest bridge nor OOB bridge.
Just one bridge.
 
Willi

Re: hap AX² as CAP not reachable via winbox/IP

Tue Dec 26, 2023 10:57 pm

Hi Holvoetn,

See the export of my router below; the "/interface wifi capsman" section is in the export:
# 2023-12-26 21:47:16 by RouterOS 7.13
# software id = 7Z28-IETK
#
# model = C52iG-5HaxD2HaxD
# serial number = HEP099KCHF8
/interface bridge
# NOTE(review): br_lan and br_guest have vlan-filtering=yes, but this export
# contains no "/interface bridge vlan" section, so no VLAN membership is
# declared on either bridge. The single-bridge VLAN tutorial linked earlier in
# the thread describes the usual layout (one bridge, bridge VLAN table, pvid on
# access ports).
add comment=WAN name=br_WAN_ISP port-cost-mode=short
add comment=WAN name=br_WAN_LTE port-cost-mode=short
add comment="Guest network" ingress-filtering=no name=br_guest \
    port-cost-mode=short vlan-filtering=yes
add comment="LAN network" ingress-filtering=no name=br_lan port-cost-mode=\
    short vlan-filtering=yes
add comment=OOB name=br_local port-cost-mode=short
/interface wireguard
# Back-to-home VPN listener on UDP 43955; its peers (and their keys) are
# further down in the export.
add comment=back-to-home-vpn listen-port=43955 mtu=1420 name=back-to-home-vpn
/interface vlan
# Per-port VLAN sub-interfaces. They are added to the bridges as ports in
# "/interface bridge port", so tagging happens on these interfaces rather than
# through the bridge VLAN table.
add interface=ether1 name=ether1_vl_GUEST vlan-id=70
add interface=ether1 name=ether1_vl_LAN vlan-id=60
add interface=ether1 name=ether1_vl_WAN_LTE vlan-id=50
add interface=ether3 name=ether3_vl_GUEST vlan-id=70
add interface=ether3 name=ether3_vl_LAN vlan-id=60
add interface=ether4 name=ether4_vl_GUEST vlan-id=70
add interface=ether4 name=ether4_vl_LAN vlan-id=60
# ether5_vl_local reuses vlan-id=70 -- the GUEST tag on the other ports -- but
# lands in br_local.
add interface=ether5 name=ether5_vl_local vlan-id=70
# VLAN interfaces on top of the bridges themselves. The router's own addresses
# (see /ip address) sit on the bridges, not on these, so their role is unclear
# from this export.
add interface=br_guest name="vl_GUEST on br_GUEST" vlan-id=70
add interface=br_lan name="vl_LAN on br_LAN" vlan-id=60
/interface list
# LAN is declared here but gets no members in "/interface list member".
add name=LEASES
add name=UNTRUSTED
add name=WAN
add name=LAN
/interface wifi channel
# 2.4 GHz fixed at 20 MHz; 5 GHz may use 20/40/80 MHz.
add band=2ghz-ax disabled=no name=ch_2.4Ghz width=20mhz
add band=5ghz-ax disabled=no name=ch_5Ghz width=20/40/80mhz
/interface wifi datapath
# Datapaths handed to the CAPs through the provisioning rules: client traffic
# gets vlan-id 60 on br_lan, or vlan-id 70 on br_guest.
add bridge=br_lan disabled=no name="br_LAN - VLAN 60" vlan-id=60
add bridge=br_guest disabled=no name="br_GUEST - VLAN 70" vlan-id=70
/interface wifi security
# WPA2-PSK only; passphrases are not part of this export.
add authentication-types=wpa2-psk connect-priority=0 disabled=no name=\
    seccfg_Cussangy
add authentication-types=wpa2-psk connect-priority=0 disabled=no name=\
    seccfg_Cussangy_guest
/interface wifi
# The router's own radios are configured inline (no configuration= profile):
# wifi2 = 2.4 GHz, wifi1 = 5 GHz, both untagged on br_lan, plus one guest
# virtual AP per band on br_guest. Note the difference from the CAP profiles
# below, which tag VLAN 60 via the datapath.
set [ find default-name=wifi2 ] configuration.country=France .mode=ap .ssid=\
    Cussangy datapath.bridge=br_lan disabled=no name=Router_Cussangy_2.4Ghz \
    security=seccfg_Cussangy security.connect-priority=0
set [ find default-name=wifi1 ] configuration.country=France .mode=ap .ssid=\
    Cussangy datapath.bridge=br_lan disabled=no name=Router_Cussangy_5Ghz \
    security=seccfg_Cussangy security.connect-priority=0
add configuration.mode=ap .ssid=Cussangy_guest datapath.bridge=br_guest \
    disabled=no mac-address=7A:9A:18:01:AE:31 master-interface=\
    Router_Cussangy_2.4Ghz name=Router_Cussangy_guest_2.4Ghz security=\
    seccfg_Cussangy_guest security.connect-priority=0
add configuration.mode=ap .ssid=Cussangy_guest datapath.bridge=br_guest \
    disabled=no mac-address=7A:9A:18:01:AE:2F master-interface=\
    Router_Cussangy_5Ghz name=Router_Cussangy_guest_5Ghz security=\
    seccfg_Cussangy_guest security.connect-priority=0
/interface wifi configuration
# Profiles pushed to the CAPs. NOTE(review): cfg_Cussangy_2.4Ghz has neither
# channel= nor country=, unlike the other three profiles -- presumably
# unintended; confirm.
add datapath="br_LAN - VLAN 60" disabled=no mode=ap name=cfg_Cussangy_2.4Ghz \
    security=seccfg_Cussangy security.connect-priority=0 ssid=Cussangy
add channel=ch_5Ghz country=France datapath="br_LAN - VLAN 60" disabled=no \
    mode=ap name=cfg_Cussangy_5Ghz security=seccfg_Cussangy \
    security.connect-priority=0 ssid=Cussangy
add channel=ch_2.4Ghz country=France datapath="br_GUEST - VLAN 70" disabled=\
    no mode=ap name=cfg_Cussangy_guest_2.4Ghz security=seccfg_Cussangy_guest \
    security.connect-priority=0 ssid=Cussangy_guest
add channel=ch_5Ghz country=France datapath="br_GUEST - VLAN 70" disabled=no \
    mode=ap name=cfg_Cussangy_guest_5Ghz security=seccfg_Cussangy_guest \
    security.connect-priority=0 ssid=Cussangy_guest
/ip ipsec profile
# IKE phase 1: modp2048 (DH group 14), AES-256, SHA-512, strict proposal check.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    profile1 proposal-check=strict
/ip ipsec peer
# Remote site addressed by DNS name; IKEv2.
add address=bpnet.duckdns.org exchange-mode=ike2 name=bpnet profile=profile1
/ip ipsec proposal
# AES-128-GCM is an AEAD cipher, hence the empty auth-algorithms.
add auth-algorithms="" enc-algorithms=aes-128-gcm lifetime=1h name=proposal1 \
    pfs-group=modp2048
/ip pool
# Every pool ends at .250. NOTE(review): the static lease for the first CAP
# (192.168.60.250, see /ip dhcp-server lease) is inside the dhcp_lan range;
# ending the range at .249 keeps static and dynamic addresses apart.
add name=dhcp_local ranges=192.168.77.10-192.168.77.250
add name=dhcp_lan ranges=192.168.60.10-192.168.60.250
add name=dhcp_guest ranges=192.168.70.10-192.168.70.250
/ip dhcp-server
add address-pool=dhcp_local interface=br_local lease-time=1h name=dhcp_local
add address-pool=dhcp_lan interface=br_lan lease-time=1d name=dhcp_lan
add address-pool=dhcp_guest interface=br_guest name=dhcp_guest
/user group
# Read-only API group for Home Assistant: read, test and api granted, every
# other policy explicitly denied.
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,\
    !write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/interface bridge port
# NOTE(review): VLAN sub-interfaces serve as bridge ports (one bridge per
# VLAN) instead of the raw ether ports joining a single VLAN-filtering bridge;
# the bridge VLAN table stays empty as a result. Points worth checking:
#  - ether2 is disabled in br_WAN_ISP (first entry) and active in br_lan (last
#    entry).
#  - The raw ether3/ether4 entries are disabled; only their VLAN sub-interfaces
#    are active. A device on ether3/ether4 that sends untagged frames is
#    therefore in no bridge at all -- if the CAPs hang off those ports and
#    their management is untagged, that would explain why 192.168.60.250/.251
#    cannot be reached (the CAP-side config is not in this thread; confirm).
#  - ether5 is an active member of br_local twice: directly and via
#    ether5_vl_local (plus a disabled duplicate of the direct entry).
add bridge=br_WAN_ISP disabled=yes interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=br_WAN_LTE interface=ether1_vl_WAN_LTE internal-path-cost=10 \
    path-cost=10
add bridge=br_lan interface=ether3_vl_LAN internal-path-cost=10 path-cost=10
add bridge=br_lan interface=ether4_vl_LAN internal-path-cost=10 path-cost=10
add bridge=br_local interface=ether5_vl_local internal-path-cost=10 \
    path-cost=10
add bridge=br_guest interface=ether3_vl_GUEST internal-path-cost=10 \
    path-cost=10
add bridge=br_guest interface=ether4_vl_GUEST internal-path-cost=10 \
    path-cost=10
add bridge=br_local disabled=yes interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=br_lan disabled=yes interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=br_lan disabled=yes interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=br_guest interface=ether1_vl_GUEST internal-path-cost=10 \
    path-cost=10
add bridge=br_lan interface=ether1_vl_LAN internal-path-cost=10 path-cost=10
add bridge=br_local interface=ether5 internal-path-cost=10 path-cost=10
add bridge=br_lan interface=ether2
/ip neighbor discovery-settings
# NOTE(review): !dynamic runs neighbor discovery (MNDP/LLDP/CDP) on every
# static interface, the WAN bridges included. Once the LAN list has members,
# discover-interface-list=LAN keeps it on the inside only.
set discover-interface-list=!dynamic
/interface detect-internet
set wan-interface-list=WAN
/interface list member
# WAN and UNTRUSTED hold both WAN bridges; the guest entries are disabled and
# the LAN list declared above has no members at all.
add disabled=yes interface=br_guest list=LEASES
add interface=br_WAN_LTE list=UNTRUSTED
add interface=br_WAN_ISP list=UNTRUSTED
add disabled=yes interface=br_guest list=UNTRUSTED
add interface=br_WAN_ISP list=WAN
add interface=br_WAN_LTE list=WAN
/interface wifi access-list
# Accept clients at -90 dBm or better, reject weaker ones; both rules apply
# around the clock.
add action=accept comment="Accept rule" disabled=no signal-range=-90..-10 \
    time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject comment="Reject rule" disabled=no signal-range=-120..-90 \
    time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/interface wifi cap
# NOTE(review): the router is itself enabled as a CAP, discovering on all
# interfaces and looking for a manager named "2.4-Cussangy" (this router's
# identity is "RouterCussangy"). Its own radios are configured statically
# above, so this CAP role looks unintended; disable it unless it is wanted.
set caps-man-names=2.4-Cussangy discovery-interfaces=all enabled=yes
/interface wifi capsman
# NOTE(review): interfaces=all lets CAPs register over any interface, including
# br_WAN_ISP/br_WAN_LTE, and require-peer-certificate=no does not require a
# CAP to present a certificate. Restrict interfaces= to the bridge the CAPs
# live on (br_lan here); the example posted by holvoetn uses one VLAN interface.
set enabled=yes interfaces=all package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
# One rule per radio, matched by radio-mac: master SSID plus guest slave for
# the "Bureau" and "Boven" APs. Presumably the same two devices that hold the
# static leases .250/.251 further down.
add action=create-dynamic-enabled comment=APCussangyBureau5Ghz disabled=no \
    master-configuration=cfg_Cussangy_5Ghz name-format=AP_Bureau_5Ghz \
    radio-mac=48:A9:8A:92:7B:F5 slave-configurations=cfg_Cussangy_guest_5Ghz
add action=create-dynamic-enabled comment=APCussangyBureau2.4Ghz disabled=no \
    master-configuration=cfg_Cussangy_2.4Ghz name-format=AP_Bureau_2.4Ghz \
    radio-mac=48:A9:8A:92:7B:F6 slave-configurations=\
    cfg_Cussangy_guest_2.4Ghz
add action=create-dynamic-enabled comment=APCussangyBoven5Ghz disabled=no \
    master-configuration=cfg_Cussangy_5Ghz name-format=AP_Boven_5Ghz \
    radio-mac=48:A9:8A:B8:F2:29 slave-configurations=cfg_Cussangy_guest_5Ghz
add action=create-dynamic-enabled comment=APCussangyBoven2.4Ghz disabled=no \
    master-configuration=cfg_Cussangy_2.4Ghz name-format=AP_Boven_2.4Ghz \
    radio-mac=48:A9:8A:B8:F2:2A slave-configurations=\
    cfg_Cussangy_guest_2.4Ghz
/interface wireguard peers
# Back-to-home clients. NOTE(review): each peer entry carries its private-key=,
# i.e. the client-side key the router generated for that device. Now that this
# export has been posted, those key pairs should be regenerated (remove the
# peers, create new ones, re-issue the client configs). The export also still
# shows the serial-based *.vpn.mynetname.net endpoint. Two peers share the
# comment "BjornPC | samsung SM-S901B", so one of them is probably mislabelled.
add allowed-address=192.168.216.3/32,fc00:0:0:216::3/128 client-address=\
    192.168.216.3/32,fc00:0:0:216::3/128 client-dns=192.168.216.1 \
    client-endpoint=hep099kchf8.vpn.mynetname.net client-keepalive=30s \
    comment="RouterCussangy | samsung SM-S901B" interface=back-to-home-vpn \
    persistent-keepalive=30s private-key=\
    "kOnGRkkmHF57J4ItY44BhSTcgfLH+9tgXWJA3l6s628=" public-key=\
    "yuSjX+e/CXlIWf58G9pTp2dyqgPIRsywKJd+k6xefBU="
add allowed-address=192.168.216.5/32,fc00:0:0:216::5/128 client-address=\
    192.168.216.5/32,fc00:0:0:216::5/128 client-dns=192.168.216.1 \
    client-endpoint=hep099kchf8.vpn.mynetname.net client-keepalive=30s \
    comment="BjornPC | samsung SM-S901B" interface=back-to-home-vpn \
    persistent-keepalive=30s private-key=\
    "aDmBo2O0lMUKTyP5LD4mWWuPvHW8m8VKx3Dib+gpm2g=" public-key=\
    "4aRPQ0KHaOqD4dKuPt10vg5j2WW94JUvrKIvBnox0m4="
add allowed-address=192.168.216.4/32,fc00:0:0:216::4/128 client-address=\
    192.168.216.4/32,fc00:0:0:216::4/128 client-dns=192.168.216.1 \
    client-endpoint=hep099kchf8.vpn.mynetname.net client-keepalive=30s \
    comment="BjornPC | samsung SM-S901B" interface=back-to-home-vpn \
    persistent-keepalive=30s private-key=\
    "mBrFwwQOswSP9AM0KrMK19oP54lXEkIUE5UefU9bo1o=" public-key=\
    "mmbD54Qgxfs9Y1F+WZzmmcFIvxJ68HsZGSYSzaPuRDg="
/ip address
# Router addresses: .254 on br_local (OOB), br_lan and br_guest.
# NOTE(review): the 192.168.80.1/24 entry is bound to "*16", which is how the
# export prints a reference to an interface that no longer exists; the same
# *16 appears in the disabled "Allow Wireguard to LAN" filter rule. Remove the
# entry or re-point it at back-to-home-vpn.
add address=192.168.77.254/24 interface=br_local network=192.168.77.0
add address=192.168.60.254/24 interface=br_lan network=192.168.60.0
add address=192.168.70.254/24 interface=br_guest network=192.168.70.0
add address=192.168.80.1/24 interface=*16 network=192.168.80.0
/ip cloud
# MikroTik cloud DDNS plus back-to-home; this is what publishes the
# <serial>.vpn.mynetname.net name used by the WireGuard peers.
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
# Both WAN bridges get their address via DHCP; the ISP one ignores the
# offered DNS servers, the LTE one runs with defaults.
add interface=br_WAN_ISP use-peer-dns=no
add interface=br_WAN_LTE
/ip dhcp-server lease
# Static leases for the two CAPs (.250/.251). NOTE(review): .250 is still inside
# the dhcp_lan pool range (192.168.60.10-192.168.60.250); end the pool at .249
# to keep static and dynamic addresses apart.
add address=192.168.60.250 client-id=1:48:a9:8a:92:7b:f0 mac-address=\
    48:A9:8A:92:7B:F0 server=dhcp_lan
add address=192.168.60.251 client-id=1:48:a9:8a:b8:f2:24 mac-address=\
    48:A9:8A:B8:F2:24 server=dhcp_lan
/ip dhcp-server network
# NOTE(review): net_oob hands out gateway and DNS 192.168.77.1, but the
# router's address on br_local is 192.168.77.254, so OOB clients get a gateway
# that is not this router.
add address=192.168.60.0/24 comment=net_lan dns-server=192.168.60.254 domain=\
    lan.cussangy.local gateway=192.168.60.254 netmask=24
add address=192.168.70.0/24 comment=net_guest dns-server=192.168.70.254 \
    domain=guest.cussangy.local gateway=192.168.70.254 netmask=24
add address=192.168.77.0/24 comment=net_oob dns-server=192.168.77.1 gateway=\
    192.168.77.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for its clients, so
# the input chain has to keep port 53 away from the WAN bridges. As exported
# it does not: the unconditional "General - Established Input" accept comes
# before the DNS rules, and those rules negate only one WAN bridge each.
set allow-remote-requests=yes servers=193.190.198.14,1.1.1.1
/ip firewall address-list
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
add address=10.0.0.0/8 list=RFC1918
# DNS-name entry; the router keeps it resolved to the name's current address.
add address=bpnet.duckdns.org list="VPN sources"
/ip firewall filter
# NOTE(review): rules are evaluated top to bottom per chain, first match wins.
# Several rules below carry no matcher at all and therefore match every packet
# of their chain:
#  - "General - Established Input": accept with no connection-state, so it
#    accepts ALL input traffic, WAN bridges included, and every later input
#    rule (the WAN drops among them) is never reached. Intended form:
#    connection-state=established,related.
#  - "General - Accept established forward": same problem in the forward
#    chain; everything after it is dead.
#  - "General - Drop Invalid Input" / "General - Drop invalid forward": no
#    connection-state=invalid; as written they would drop everything that
#    reached them (nothing does today).
# With two WAN bridges, in-interface=!br_WAN_ISP still matches br_WAN_LTE and
# vice versa; the ICMP, DNS and ping rules should use in-interface-list=!WAN
# (the WAN list holds both bridges) instead of negating one bridge.
add action=passthrough chain=forward comment=\
    "special dummy rule to show fasttrack counters"
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Accept OOB Access" in-interface=\
    br_local
# NOTE(review): no connection-state matcher -> accepts every input packet.
add action=accept chain=input comment="General - Established Input"
# Disabled WireGuard rules; note they match dst-port=13231 while the
# back-to-home-vpn interface listens on 43955.
add action=accept chain=input comment="Allow Wireguard VPN" disabled=yes \
    src-address=192.168.80.0/24
add action=accept chain=input comment="Allow Wireguard VPN" disabled=yes \
    dst-port=13231 protocol=udp
add action=accept chain=input comment="VPN - Accept incoming IKE" disabled=\
    yes dst-port=500,4500 in-interface=br_WAN_LTE log-prefix=IKE protocol=udp \
    src-address-list="VPN sources"
add action=accept chain=input disabled=yes in-interface=br_WAN_LTE protocol=\
    ipsec-esp src-address-list="VPN sources"
add action=accept chain=forward comment=\
    "OPENVPN forward to Raspberry Pi static adress" disabled=yes dst-address=\
    192.168.60.33 dst-port=1194 protocol=udp
# Plain API (8728) from the LAN only; api-ssl (8729) would keep the
# homeassistant credentials off the wire.
add action=accept chain=input comment="HomeAssistant Integration" \
    dst-address=192.168.60.254 dst-port=8728 in-interface=br_lan protocol=tcp
# NOTE(review): !br_WAN_ISP includes br_WAN_LTE (and the next rule the other
# way round); use in-interface-list=!WAN.
add action=accept chain=input comment="FW - Accept ICMP to FW" in-interface=\
    !br_WAN_ISP protocol=icmp src-address-list=RFC1918
add action=accept chain=input comment="FW - Accept ICMP to FW" in-interface=\
    !br_WAN_LTE protocol=icmp src-address-list=RFC1918
# Same negation problem for DNS; as written UDP 53 is open on either WAN.
add action=accept chain=input comment="FW - DNS to FW" dst-port=53 \
    in-interface=!br_WAN_ISP protocol=udp
add action=accept chain=input comment="FW - DNS to FW" dst-port=53 \
    in-interface=!br_WAN_LTE protocol=udp
add action=accept chain=input comment="FW - Accept incoming from LAN" \
    dst-address=192.168.60.254 in-interface=br_lan src-address=\
    192.168.60.0/24
add action=accept chain=input comment=\
    "FW - accept incoming Veemarkt over ISP" disabled=yes dst-address=\
    192.168.60.254 in-interface=br_WAN_ISP src-address=192.168.205.0/24
add action=accept chain=input comment=\
    "FW - Accept incoming Veemarkt over LTE" disabled=yes dst-address=\
    192.168.60.254 in-interface=br_WAN_LTE src-address=192.168.205.0/24
add action=accept chain=input comment=\
    "FW - Accept incoming from PBNET over ISP" disabled=yes dst-address=\
    192.168.60.254 in-interface=br_WAN_ISP src-address=192.168.1.0/24
add action=accept chain=input comment=\
    "FW - Accept incoming from PBNET over LTE" disabled=yes dst-address=\
    192.168.60.254 in-interface=br_WAN_LTE src-address=192.168.1.0/24
add action=drop chain=input comment="FW - Drop Input UDP - silent" dst-port=\
    123,137,138 protocol=udp
add action=drop chain=input comment="FW - Drop Incoming WAN over ISP" \
    in-interface=br_WAN_ISP
add action=drop chain=input comment="FW - Drop incoming WAN over LTE" \
    in-interface=br_WAN_LTE
# Everything below this rule in the input chain is unreachable.
add action=drop chain=input comment="FW - Drop all IN"
add action=drop chain=input comment="General - Broadcast silent drop" \
    dst-address=255.255.255.255
# Missing connection-state=invalid.
add action=drop chain=input comment="General - Drop Invalid Input"
# Disabled; in-interface=*16 is a dangling interface reference.
add action=accept chain=forward comment="Allow Wireguard to LAN" disabled=yes \
    in-interface=*16 out-interface="vl_LAN on br_LAN"
add action=accept chain=forward comment="VPN: accept incoming IPSEC" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="VPN: accept outgoing IPSEC" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment="LAN - Allow Internet over ISP" \
    dst-address-list=!RFC1918 in-interface=br_lan out-interface=br_WAN_ISP \
    src-address=192.168.60.0/24
add action=accept chain=forward comment="LAN - Allow Internet over LTE" \
    dst-address-list=!RFC1918 in-interface=br_lan out-interface=br_WAN_LTE \
    src-address=192.168.60.0/24
add action=accept chain=forward comment="GUEST - Allow Internet over ISP" \
    dst-address-list=!RFC1918 in-interface=br_guest out-interface=br_WAN_ISP \
    src-address=192.168.70.0/24
# NOTE(review): in-interface=all-wireless / out-interface=br_guest does not
# match the pattern of the ISP rule above (in br_guest, out br_WAN_LTE);
# presumably an editing slip.
add action=accept chain=forward comment="GUEST - Allow Internet over LTE" \
    dst-address-list=!RFC1918 in-interface=all-wireless out-interface=\
    br_guest src-address=192.168.70.0/24
# established only; related is not included here.
add action=accept chain=forward comment=Statefull connection-state=\
    established
add action=accept chain=output comment="Outgoing DNS over ISP" dst-port=53 \
    out-interface=br_WAN_ISP protocol=udp
add action=accept chain=output comment="Outgoing DNS over LTE" dst-port=53 \
    out-interface=br_WAN_LTE protocol=udp
add action=accept chain=forward comment="VPN IN from PBNET" disabled=yes \
    dst-address=192.168.60.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="VPN IN from Veemarkt" disabled=yes \
    dst-address=192.168.60.0/24 src-address=192.168.205.0/24
add action=accept chain=forward comment="VPN - LAN out to PBNET" disabled=yes \
    dst-address=192.168.1.0/24 src-address=192.168.60.0/24
add action=accept chain=forward comment="VPN - LAN out to Veemarkt" disabled=\
    yes dst-address=192.168.205.0/24 src-address=192.168.60.0/24
# NOTE(review): no connection-state matcher -> accepts all forward traffic;
# none of the forward rules below is ever evaluated.
add action=accept chain=forward comment=\
    "General - Accept established forward"
# Missing connection-state=invalid.
add action=drop chain=forward comment="General - Drop invalid forward"
add action=accept chain=forward comment="LAN - ping not ISP" in-interface=\
    br_lan out-interface=!br_WAN_ISP protocol=icmp src-address=\
    192.168.60.0/24
add action=accept chain=forward comment="LAN - ping not LTE" in-interface=\
    br_lan out-interface=!br_WAN_LTE protocol=icmp src-address=\
    192.168.60.0/24
add action=accept chain=forward comment="LAN - Allow internet over ISP" \
    disabled=yes dst-address-list=!RFC1918 in-interface=br_lan out-interface=\
    br_WAN_ISP src-address=192.168.60.0/24
add action=accept chain=forward comment="LAN - Allow internet over LTE" \
    disabled=yes dst-address-list=!RFC1918 in-interface=br_lan out-interface=\
    br_WAN_LTE src-address=192.168.60.0/24
add action=accept chain=forward comment="GUEST - Allow internet over ISP" \
    disabled=yes dst-address-list=!RFC1918 in-interface=br_guest \
    out-interface=br_WAN_ISP src-address=192.168.70.0/24
add action=accept chain=forward comment="GUEST - Allow internet over LTE" \
    disabled=yes dst-address-list=!RFC1918 in-interface=br_guest \
    out-interface=br_WAN_LTE src-address=192.168.70.0/24
add action=drop chain=forward comment="DROP ALL - Silent Drop" dst-port=\
    123,137,138 protocol=udp
add action=drop chain=forward comment="DROP ALL"
/ip firewall mangle
# clear-df on both WAN bridges, currently disabled.
add action=clear-df chain=postrouting disabled=yes out-interface=br_WAN_ISP \
    passthrough=yes
add action=clear-df chain=postrouting disabled=yes out-interface=br_WAN_LTE \
    passthrough=yes
/ip firewall nat
# IPsec-bound traffic is exempted from NAT before the masquerade rules.
add action=accept chain=srcnat comment="IPsec No-NAT" ipsec-policy=out,ipsec
add action=src-nat chain=srcnat comment="NAT OpenVPN server" disabled=yes \
    dst-address=192.168.60.33 dst-port=1194 protocol=udp to-addresses=\
    192.168.60.254
# NOTE(review): to-ports=1104 while the rule matches dst-port=1194 -- looks
# like a typo (rule is disabled at the moment).
add action=dst-nat chain=dstnat comment="NAT OpenVPN server" disabled=yes \
    dst-port=1194 protocol=udp to-addresses=192.168.60.33 to-ports=1104
# The ISP masquerade and the LAN-specific WAN-list masquerade are disabled;
# the LTE masquerade below NATs everything leaving br_WAN_LTE regardless of
# source, and guest is masqueraded again via the WAN list. LAN traffic would
# leave br_WAN_ISP un-NATed if that WAN were brought up as exported.
add action=masquerade chain=srcnat disabled=yes log=yes out-interface=\
    br_WAN_ISP
add action=masquerade chain=srcnat out-interface=br_WAN_LTE
add action=masquerade chain=srcnat comment="Masquerade out LAN to WAN" \
    disabled=yes out-interface-list=WAN src-address=192.168.60.0/24
add action=masquerade chain=srcnat comment="Masquerade out guest to WAN" \
    out-interface-list=WAN src-address=192.168.70.0/24
/ip firewall service-port
# Connection-tracking helpers (ALGs) switched off.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec identity
# Certificate-based IKEv2 identity for the bpnet peer, with dynamic policy
# generation (port-strict).
add auth-method=digital-signature certificate=cert01-vpn-cussangy \
    generate-policy=port-strict match-by=certificate peer=bpnet \
    remote-certificate=cert02-vpn-bpnet.crt_0
/ip ipsec policy
# Built-in default policy entry disabled; one tunnel policy for
# 192.168.60.0/24 <-> 192.168.1.0/24. NOTE(review): there is no policy for
# 192.168.205.0/24 (Veemarkt) even though a route for it is active below, so
# traffic to that prefix would leave br_WAN_LTE in the clear; confirm whether
# that site is still in use.
set 0 disabled=yes
add dst-address=192.168.1.0/24 peer=bpnet proposal=proposal1 src-address=\
    192.168.60.0/24 tunnel=yes
/ip route
# Active routes: default and both remote sites via br_WAN_LTE (distance 2).
# The ISP counterparts (distance 1) and the recursive-routing set are disabled,
# ready for when the cable link exists. NOTE(review): in the recursive set the
# 1.1.1.1 check route has scope=30 while the default route through 1.1.1.1 has
# target-scope=10; a nexthop is only resolved through routes whose scope is
# <= target-scope, so that pair would not resolve once enabled (the ISP pair
# uses scope=10 on its check route).
add comment="Route to PBNET over ISP" disabled=yes distance=1 dst-address=\
    192.168.1.0/24 gateway=br_WAN_ISP pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Route to PBNET over LTE" disabled=no distance=2 dst-address=\
    192.168.1.0/24 gateway=br_WAN_LTE pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Route to Veemarkt over ISP" disabled=yes distance=1 dst-address=\
    192.168.205.0/24 gateway=br_WAN_ISP pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add comment="Route to Veemarkt over LTE" disabled=no distance=2 dst-address=\
    192.168.205.0/24 gateway=br_WAN_LTE pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add comment="To WAN over br_WAN_ISP" disabled=yes distance=1 dst-address=\
    0.0.0.0/0 gateway=br_WAN_ISP pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="To WAN over br_WAN_LTE" disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=br_WAN_LTE pref-src="" routing-table=main \
    suppress-hw-offload=no
add comment="Recursive routing: check route over WAN_ISP" disabled=yes \
    distance=1 dst-address=8.8.8.8/32 gateway=br_WAN_ISP pref-src="" \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add comment="Recursive routing: check route over WAN_LTE" disabled=yes \
    distance=1 dst-address=1.1.1.1/32 gateway=br_WAN_LTE pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Recursive routing over WAN_ISP" disabled=yes \
    distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Recursive routing over WAN_LTE" disabled=yes \
    distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=RouterCussangy
/system logging
# wireless debug logging is very chatty; useful while chasing the CAP issue,
# worth turning off afterwards.
add topics=wireless,debug
/system note
set show-at-login=no
/system scheduler
# NOTE(review): on-event="DuckDNS CussangyLTE" / "DuckDNS CussangyISP" does not
# match the script names in /system script ("DUCKDNS Update CussangyLTE" /
# "DUCKDNS Update CussangyISP"). Unless scripts with the short names exist
# outside this export, these schedules run nothing. The policy list (ftp,
# reboot, password, sensitive, ...) is also far wider than a DDNS update needs.
add comment="schedule duckdns cussangylte" interval=1d name=cussangylte \
    on-event="DuckDNS CussangyLTE" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-11-17 start-time=00:00:00
add comment="schedule duckdns cussangyisp" interval=1d name=cussangyisp \
    on-event="DuckDNS CussangyISP" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-11-17 start-time=00:00:00
/system script
# DDNS updater for the LTE WAN: reads the br_WAN_LTE address, strips the
# prefix length, compares it with the value kept in ipstore.txt and, when it
# changed, calls DuckDNS over HTTPS and logs the "OK"/"KO" reply saved in
# duckdns-result.txt. The DuckDNS domain and token are masked in the export.
# NOTE(review):
#  - policy= grants password, sniff, sensitive and romon, which the body
#    (address lookup, file read/write, /tool fetch, :log) does not appear to
#    need; trim to the minimum that still lets fetch and the file writes run.
#  - The query string as shown reads "token=*" directly followed by "ip=" with
#    no "&" between them; if that is not just an artefact of masking, the ip
#    parameter never reaches DuckDNS.
#  - The scheduler that should run this script references a different name
#    ("DuckDNS CussangyLTE").
add dont-require-permissions=no name="DUCKDNS Update CussangyLTE" owner=admin \
    policy=read,write,policy,test,password,sniff,sensitive,romon source="# Get\
    \_the actual public IP from the br_WAN_LTE interface\
    \n:global actualIP value=[/ip address get [find where interface=br_WAN_LTE\
    ] value-name=address];\
    \n\
    \n# Remove the subnet from the result, so only the IP is left\
    \n:global actualIP value=[:pick \$actualIP -1 [:find \$actualIP \"/\" -1] \
    ];\
    \n\
    \n# If there is no ipstore.txt file yet, create it\
    \n:if ([:len [/file find where name=ipstore.txt]] < 1 ) do={\
    \n   /file print file=ipstore.txt where name=ipstore.txt;\
    \n   /delay delay-time=2;\
    \n   /file set ipstore.txt contents=\"0.0.0.0\";\
    \n};\
    \n\
    \n# Get the previousIP from the ipstore.txt file\
    \n:global previousIP value=[/file get [find where name=ipstore.txt ] value\
    -name=contents];\
    \n\
    \n# Compare previousIP with actualIP\
    \n# If not the same, update duckdns.org with the new actualIP\
    \n# Update ipstore.txt with the new actualIP\
    \n:if (\$previousIP != \$actualIP) do={\
    \n   :log info message=(\"DuckDNS: try to Update DuckDNS with actual IP \"\
    .\$actualIP.\" -  Previous IP is \".\$previousIP);\
    \n   \
    \n   /tool fetch mode=https keep-result=yes dst-path=duckdns-result.txt ad\
    dress=[:resolve www.duckdns.org] port=443 host=www.duckdns.org src-path=(\
    \"/update\?domains=*&token=*\
    ip=\".\$actualIP);\
    \n   \
    \n   /delay delay-time=5;\
    \n \
    \n   :global lastChange value=[/file get [find where name=duckdns-result.t\
    xt ] value-name=contents];\
    \n   :global previousIP value=\$actualIP;\
    \n   /file set ipstore.txt contents=\$actualIP;\
    \n \
    \n   :if (\$lastChange = \"OK\") do={:log warning message=(\"DuckDNS: upda\
    te successfull with IP \".\$actualIP);};\
    \n   :if (\$lastChange = \"KO\") do={:log error message=(\"DuckDNS: failed\
    \_to update DuckDNS with new IP \".\$actualIP);};\
    \n} else={\
    \n   :log info message=(\"DuckDNS: no update required. Actual IP: \".\$act\
    ualIP);\
    \n}"
# DDNS updater for the ISP uplink: same flow as the LTE variant above, but reads
# the address on br_WAN_ISP and caches it in ipstoreISP.txt. The reply file
# (duckdns-result.txt) and the globals actualIP/previousIP/lastChange are shared
# with the LTE script, so the two must not run at the same time.
# NOTE(review): two in-script comments are stale -- the first still names
# "bridge_PUB" while the code reads br_WAN_ISP, and the previousIP comment says
# ipstore.txt while the code reads ipstoreISP.txt; they are inside the source
# string, so fix them in the script itself.
# NOTE(review): /tool fetch has mode=https but no check-certificate=yes, so the
# server certificate is not verified; set it once a CA bundle is installed. Also
# confirm the real update path keeps the "&" before the ip parameter, which the
# redaction "token=*ip=" no longer shows.
# NOTE(review): this policy additionally grants ftp and reboot, which the script
# never uses; trim it to what is demonstrably needed.
add dont-require-permissions=no name="DUCKDNS Update CussangyISP" owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="# Get the actual public IP from the bridge_PUB interface\
    \n:global actualIP value=[/ip address get [find where interface=br_WAN_ISP\
    ] value-name=address];\
    \n\
    \n# Remove the subnet from the result, so only the IP is left\
    \n:global actualIP value=[:pick \$actualIP -1 [:find \$actualIP \"/\" -1] \
    ];\
    \n\
    \n# If there is no ipstoreISP.txt file yet, create it\
    \n:if ([:len [/file find where name=ipstoreISP.txt]] < 1 ) do={\
    \n   /file print file=ipstoreISP.txt where name=ipstoreISP.txt;\
    \n   /delay delay-time=2;\
    \n   /file set ipstoreISP.txt contents=\"0.0.0.0\";\
    \n};\
    \n\
    \n# Get the previousIP from the ipstore.txt file\
    \n:global previousIP value=[/file get [find where name=ipstoreISP.txt ] va\
    lue-name=contents];\
    \n\
    \n# Compare previousIP with actualIP\
    \n# If not the same, update duckdns.org with the new actualIP\
    \n# Update ipstoreISP.txt with the new actualIP\
    \n:if (\$previousIP != \$actualIP) do={\
    \n   :log info message=(\"DuckDNS: try to Update DuckDNS with actual IP \"\
    .\$actualIP.\" -  Previous IP is \".\$previousIP);\
    \n   \
    \n   /tool fetch mode=https keep-result=yes dst-path=duckdns-result.txt ad\
    dress=[:resolve www.duckdns.org] port=443 host=www.duckdns.org src-path=(\
    \"/update\?domains=*&token=*\
    ip=\".\$actualIP);\
    \n   \
    \n   /delay delay-time=5;\
    \n \
    \n   :global lastChange value=[/file get [find where name=duckdns-result.t\
    xt ] value-name=contents];\
    \n   :global previousIP value=\$actualIP;\
    \n   /file set ipstoreISP.txt contents=\$actualIP;\
    \n \
    \n   :if (\$lastChange = \"OK\") do={:log warning message=(\"DuckDNS: upda\
    te successfull with IP \".\$actualIP);};\
    \n   :if (\$lastChange = \"KO\") do={:log error message=(\"DuckDNS: failed\
    \_to update DuckDNS with new IP \".\$actualIP);};\
    \n} else={\
    \n   :log info message=(\"DuckDNS: no update required. Actual IP: \".\$act\
    ualIP);\
    \n}"
This is the config of one of the APs:
# CAP export: one unfiltered bridge, DHCP client on the bridge, both radios
# handed to CAPsMAN.
# NOTE(review): the export timestamp below is 1970-01-03, i.e. the CAP's clock is
# not set and no NTP client appears in this export; log timestamps are
# meaningless and anything that checks certificate validity will misjudge it.
# 1970-01-03 06:25:36 by RouterOS 7.13
# software id = MHHK-5B35
#
# model = C52iG-5HaxD2HaxD
# serial number = HE908RF0ESY
/interface bridge
# No vlan-filtering shown (so it is off) and no /interface vlan on top of the
# bridge: as far as this export shows, bridgeLocal as an IP interface only sees
# untagged frames, so tagged VLAN 60 arriving on the ether1 trunk never reaches
# the DHCP client or the CAPsMAN discovery configured on it.
add admin-mac=48:A9:8A:92:7B:F0 auto-mac=no comment=defconf name=bridgeLocal \
    port-cost-mode=short
/interface wifi datapath
# Both radios bridge their clients straight into bridgeLocal.
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Cussangy, channel: 5500/ax/Ceee
set [ find default-name=wifi1 ] configuration.country=France .manager=capsman \
    .mode=ap datapath=capdp disabled=no
# managed by CAPsMAN
# mode: AP, SSID: 2417/ax/Ce
set [ find default-name=wifi2 ] configuration.country=France .manager=capsman \
    .mode=ap datapath=capdp disabled=no
/interface bridge port
# ether1 keeps the default pvid (1); ether2-4 carry pvid=60, but with
# vlan-filtering off on the bridge those pvid values are presumably not applied
# -- confirm once vlan-filtering is turned on.
add bridge=bridgeLocal comment=defconf interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10 pvid=60
add bridge=bridgeLocal comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10 pvid=60
add bridge=bridgeLocal comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10 pvid=60
add bridge=bridgeLocal comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
/interface wifi cap
# Discovery runs on the whole untagged bridge, so any host on that segment can
# present itself as the manager; once a management VLAN interface exists, point
# discovery-interfaces at it and consider pinning the manager with
# caps-man-addresses / lock-to-caps-man.
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
# Management address comes from DHCP on the untagged bridge (no static address
# in this export).
add comment=defconf interface=bridgeLocal
/system identity
set name=APBureauCussangy
/system note
set show-at-login=no
 
holvoetn

Re: hap AX² as CAP not reachable via winbox/IP

Tue Dec 26, 2023 11:13 pm

And where is the static IP you mentioned in your first post in that CAP config?
I see a DHCP client on bridgeLocal but no static IP.

In your drawing you indicate a trunk from the AX2 router's ether3 to ether1 of the CAP.
But the CAP only listens on the VLAN with pvid=1, since nothing else is configured (1 = default VLAN).

I assume you want to use VLAN 60?
In that case, the following modifications are needed in the CAP config:

Add a VLAN interface for VLAN 60:
/interface vlan
add interface=bridgeLocal name=VLAN60 vlan-id=60

Change the DHCP client's interface from bridgeLocal to VLAN60.

Change the CAP discovery interface from bridgeLocal to VLAN60:
set discovery-interfaces=VLAN60

I am still of the opinion that your VLAN setup is messy.
One bridge, properly set up, is a lot easier.
 
Willi

Re: hap AX² as CAP not reachable via winbox/IP

Tue Dec 26, 2023 11:26 pm

Hi Holvoetn,

I followed your instructions and now I can reach the AP via IP.

BTW, the static IPs for the APs are set on the router, not on the APs.

I thank you very much!

Have a nice day,
Willi
