Access Mikrotik LAN devices: MAC access OK IP access Noy

davidreaton · August 31, 2024, 4:37pm

Strange situation I’ve encountered in the last few weeks: I have Many Mikrotik APs on my main LAN (hAP AC and CAP AC), All 15 are provisioned by CAPsMan. All the APs have Static IPs outside the main LAN pool. When I connect my laptop to the LAN via ethernet, I can see the main router (CCR 2004-16), and I can winbox into all the devices using their IP addresses. If I connect this same laptop to the LAN using WiFi, I can access the router, but not the Mikrotik APs. I If scan for neighbors on winbox, I see all the devices with their MAC and correct IP addresses. I CAN connect via MAC address, but cannot connect via IP.

One other oddity - I also have 3 60G devices on the LAN, and I CAN connect to them using their IP addresses.

ALL devices are using ROS 17.5.3

Additionally, when I remotely connect to the router using WireGuard, I can see and access all the devices using their respective IPs.

Summarizing:

When using wired connection to the LAN, I can see and access all mikrotik APs by their IP addresses.
When wirelessly connected to the LAN, I cannot connect to these same APs using their IP addresses. I CAN connect using their MAC addresses. However, I CAN connect to the 60G devices using their IP addresses.
When I remote connect to the router using WireGuard, I can connect to all the devices using their IP addresses.

What’s up? Ring any bells? Have I missed something? Router and AP config are attached.

My Thanks and Regards,
Dave
hAP_AC.rsc (5.21 KB)
IP_MAC.rsc (20.4 KB)

jaclaz · August 31, 2024, 5:29pm

The “Typical_AP.rsc” is the configuration for a CRS326-24G-2S+ (which I doubt is a typical AP )

davidreaton · August 31, 2024, 6:33pm

You are correct, sir. The correct AP file is attached.
hAP_AC.rsc (5.21 KB)

neki · August 31, 2024, 7:44pm

Did you try to disable firewall? Your firewall rules are complete mess…

…and you posted your wireguard keys

davidreaton · August 31, 2024, 7:50pm

Tx for the tip. I’ll change the keys. looks like ‘export hide-sensitive’ doesn’t apply to WG.

I had no problem with IP access a few weeks ago. I don’t know what’s changed.

davidreaton · September 1, 2024, 1:35pm

Now that I’ve corrected my mistakes, and help from the community?

neki · September 1, 2024, 4:08pm

Did you try to disable all firewall rules? And why do you have so many bridges on your devices?

davidreaton · September 1, 2024, 6:59pm

Tx: I’ll try your firewall suggestions.

davidreaton · September 6, 2024, 3:57pm

Firewall settings made no difference. Here’s something I noticed. After I power cycle of the router, the ARP table (stored in volatile RAM), is rebuilt. All the LAN mikrotik devices are classified as ‘reachable’ and I can access them by WiFi. After a minute or so, they’re classified as ‘stale’. The stale entries should still be valid, but these devices are now NOT reachable over WiFi. They ARE reachable on the wired LAN.

2 Bridges, one for LAN one dedicated to the HVAC equipment.

Tx for any help or suggestions.

davidreaton · September 7, 2024, 10:05pm

Final update.

Using Winbox over WiFi, I can’t connect by IP address to other Mikrotik devices on the main LAN. I CAN connect by MAC address. I then tried connecting by IP in a web browser, and this WORKED fine. I tried connecting via IP using the new WInBox (v4), and this also WORKED, too. Is the old Winbox the source of my problems?