Hello,
I’ ve bought a Mikrotik cAP ax and connected it via ethernet cable to hAP Lite RB941-2ND. I want to use it as an access point in order to extend WiFi in my house. It emits WiFi signal however connected devices show: no internet connection. How should I configure it to gain internet access?
Hello, can you export your configuration ? Does your devices get IP address via DHCP ?
Unfortunately I don’t know how to answer your question, but here is my configuration:
/interface bridge
add admin-mac=[…] auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=[…]
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac
configuration.country=Poland .mode=ap .ssid=MikroTik-501812 disabled=no
security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac
configuration.country=Poland .mode=ap .ssid=MikroTik-501813 disabled=no
security.authentication-types=wpa2-psk,wpa3-psk
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
use-peer-dns=yes user=[…]
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=
invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed”
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=
out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment=“defconf: unspecified address” list=bad_ipv6
add address=::1/128 comment=“defconf: lo” list=bad_ipv6
add address=fec0::/10 comment=“defconf: site-local” list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=“defconf: ipv4-mapped” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
add address=100::/64 comment=“defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: ORCHID” list=bad_ipv6
add address=3ffe::/16 comment=“defconf: 6bone” list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMPv6” protocol=icmpv6
add action=accept chain=input comment=“defconf: accept UDP traceroute” port=
33434-33534 protocol=udp
add action=accept chain=input comment=
“defconf: accept DHCPv6-Client prefix delegation.” dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment=“defconf: accept IKE” dst-port=500,4500
protocol=udp
add action=accept chain=input comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=input comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=input comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=input comment=
“defconf: drop everything else not coming from LAN” in-interface-list=!LAN
add action=accept chain=forward comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=
invalid
add action=drop chain=forward comment=“defconf: drop packets with bad src ipv6”
src-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: drop packets with bad dst ipv6”
dst-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: rfc4890 drop hop-limit=1”
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=forward comment=“defconf: accept HIP” protocol=139
add action=accept chain=forward comment=“defconf: accept IKE” dst-port=500,4500
protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=forward comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=forward comment=
“defconf: drop everything else not coming from LAN” in-interface-list=!LAN
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source=”\r
\n :if ([system leds settings get all-leds-off] = "never") do={\r
\n /system leds settings set all-leds-off=immediate \r
\n } else={\r
\n /system leds settings set all-leds-off=never \r
\n }\r
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Right now you have a “LAN” side with ether2 and wifi1 and wifi2 in a bridge, and a “WAN” side configured as pppoe connection on ether1.
What is the configuration of the hAP Lite RB941-2ND?
Which ports are you using to connect the two devices (like ether1 on the Cap Ax and ether 3 on the hAP lite)?
What is your ISP connection? (I presume a xDSL or similar trough a ISP modem/router connected to the hap Lite, but it is not clear form the information you provided)
Please when posting a configuration, enclose it in the “code” tags, see here:
http://forum.mikrotik.com/t/forum-rules/173010/1
as it will be much more readable.
Well, it is a shame that Mikrotik does not have a quickset profile for this very common scenario: dumb AP. It is the most common - especially for a CAP ax.
I would reset configuration again and tick the “no default configuration” checkbox. After first boot up this device can be configured manually by using Winbox. Just needs to configure wifi1/wifi2, add a bridge, add all ports to it. connect lan cable on eth1 to your HAP and enable dhcp client on eth1 and you are done.
easy peasy…
For a one flat subnet 192.168.1.0/24 and 192.168.1.10 assigned to capax, looks like.
…
/interface bridge
add name=bridge vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] name=eth1-router comment="connection to main router"
set [ find default-name=ether2 ] name=emergaccess comment="local access off bridge"
/interface wifi
settings as required
/interface list
add name=MANAGE
/interface bridge port
add bridge=bridge interface=eth1-router
add bridge=bridge interface=wifi1-2Ghz-name
add bridge=bridge interface=wifi2-5GHz-name
add wlans as required....
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface list member
add interface=bridge list=MANAGE
add interface=emergaccess list=MANAGE
/ip address
add address=192.168.1.10/24 interface=bridge network=192.168.1.0
add address=192.168.55.1/30 interface=emergaccess network=192.168.55.0
/ip dns
set servers=192.168.1.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
If your talking with vlans, and no capsman (with capsman no clue)
Trusted vlan, where capax gets its IP address from is 192.168.10.0/24
Only trusted vlan is identified and needs bridge tagged.
…
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
add interface=bridgegym name=homeVlan vlan-id=12 { mandatory, management vlan must be identified in /interface vlan - do not put any other vlans here!! }
/interface list
add name=management
/interface wireless { as required }
/interface bridge port
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="from router"
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=12
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=12
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=49
/interface list member
add interface=homeVlan list=management
add interface=emergaccess list=management
/ip address
add address=192.168.10.84/24 interface=homeVlan network=192.168.10.0 comment="IP of capax on trusted subnet"
add address=192.168.36.1/30 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"
/ip dns
set allow-remote-requests=yes servers=192.168.10.1 { Note: Done so all dns requests use trusted subnet }
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
That should be default configuration on AP… Then it would be pretty much plug and play…