AP client and VLAN config issue

Hey folks!
I am trying to configure a hAP ac^2 as depicted below:

  • vlan13 is the management one;
  • vlan821 is dedicated to providing access to ISP-1.
    The hAP should act as a regular switch for 821.
    The issue is that client devices can’t reach the 192.168.1.0 network.

/interface bridge
add ingress-filtering=no name=bridge-main priority=0x9000 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-Ce \
    disabled=no frequency=2447 frequency-mode=superchannel \
    installation=outdoor name=wlan-2.4GHz ssid=Keenetic-7307 vlan-id=821 \
    wireless-protocol=802.11 wps-mode=disabled
/interface vlan
add interface=bridge-main name=SWMGMT vlan-id=13
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2.4GHz pvid=821
add bridge=bridge-main frame-types=admit-only-vlan-tagged interface=\
    ether1-trunk
add bridge=bridge-main frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=821
/interface bridge vlan
add bridge=bridge-main tagged=bridge-main,ether1-trunk vlan-ids=13
add bridge=bridge-main tagged=ether1-trunk untagged=wlan-2.4GHz,ether2 \
    vlan-ids=821
/ip address
add address=10.10.13.246/24 interface=SWMGMT network=10.10.13.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.10.13.254 routing-table=main \
    suppress-hw-offload=no

Probably your setup won’t ever work if the top-left AP router is not a MikroTik. The WiFi standard doesn’t provide a mode for a true wireless bridge between wired parts of a network. Different vendors implemented different extensions around it, but they are not compatible; even WDS (which is supposed to be standard) doesn’t always work. There are some convoluted ways of doing it on MT but they are not ideal …
So if the green LAN doesn’t really extend to the top-left side (and that device solely acts as a jump between the WAN and the point-to-point wireless link), then you could use the hAP ac2 as a router (including NAT and possibly a firewall) and use the wireless interface as WAN. That setup is fine and according to the standard, because that wireless link will only see the hAP ac2’s MAC address on its right side … just the way it is expected in a standard “AP to client” setup.
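
A sketch of the routed setup suggested in the reply above, with the radio as a station-mode WAN, NAT and a stateful filter on the wireless side. This is an added example, not configuration posted by anyone in the thread; the LAN821 interface name and the 192.168.88.0/24 client subnet are constructed, and it assumes the upstream AP hands out addresses by DHCP.

```routeros
# Added example, not from the thread. Constructed values: the LAN821 name and
# the 192.168.88.0/24 client subnet. Assumes the upstream AP serves DHCP.

# 1. Take the radio out of the bridge and make it a plain station (WAN side).
/interface bridge port
remove [ find interface=wlan-2.4GHz ]
/interface bridge vlan
set [ find vlan-ids=821 ] tagged=bridge-main,ether1-trunk untagged=ether2
/interface wireless
set [ find name=wlan-2.4GHz ] mode=station ssid=Keenetic-7307

# 2. Give VLAN 821 a routed interface for the clients behind the hAP.
/interface vlan
add interface=bridge-main name=LAN821 vlan-id=821
/ip address
add address=192.168.88.1/24 interface=LAN821

# 3. WAN address and default route come from the upstream AP. The static
#    default route via 10.10.13.254 in the original export is assumed to be
#    removed or given a higher distance so the two do not compete.
/ip dhcp-client
add interface=wlan-2.4GHz add-default-route=yes use-peer-dns=yes disabled=no

# 4. Source NAT: the wireless link only ever sees the hAP's own MAC and IP.
/ip firewall nat
add chain=srcnat out-interface=wlan-2.4GHz action=masquerade

# 5. Minimal stateful filter: nothing new may enter from the wireless WAN.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=wlan-2.4GHz action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=wlan-2.4GHz connection-state=new \
    connection-nat-state=!dstnat action=drop
```

Clients in VLAN 821 then need addresses in the constructed 192.168.88.0/24 subnet, either static or from a DHCP server on LAN821, which is not shown here. The management address on SWMGMT stays reachable from 10.10.13.0/24 because the input drop rule matches only traffic arriving on the wireless interface.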

That AP router is not a MikroTik. The configuration with the hAP ac2’s wireless interface as WAN works.
Thanks for the reply!