I am not sure if this is the correct forum, if not, please move this topic accordingly.
I am also new to MikroTik devices in general.
All the IPs mentioned here are on the same local network, and I will shorten them: 10.0.0.1 = xx.1, etc.
I need to install a MikroTik cAP ac as a basic access point in our company, but I got stuck at connecting it to the internet. Public network traffic is all routed through xx.252. Also, only devices with a local IP up to xx.100 have internet access; the rest of the range does not. I assign these IPs manually; the rest use DHCP.
Winbox is used for setup.
I tried setting the AP up using Quick Set as a WISP AP. I set up all the wireless settings with no problem. Other settings follow.
Needless to say, the WiFi network does not show up.
So I set up a Wireless table, set up as “ap bridge”. Once I set the SSID, it appeared on my phone and I was able to log in with the password I set up in Quick Set. I did not have any connection, though.
I tried pinging all the IPs and also some websites using the terminal, and all were successful.
What I think I need is to pass the connection from the AP itself to the WLAN set up in WinBox.
My goal is to get an AP with both 2,4GHz and 5GHz, a custom SSID and WPA2 authentication.
Hi Evelas,
I have two capAC in my home, so I can help.
I also use Wisp-AP with no problem.
What is the main router you are using, and what kind of traffic do you have flowing to and from the capac (any VLANs?)
Diagrams help.
Also post your latest capac config:
/export hide-sensitive file=yourconfigmar06
Our main router is MT RB 3011 UiAS-RM (xx.252), this part of the network is just for connecting to the internet, without access to our internal network. We use it only for public/guest WiFi and also some debugging. There is no other speciality traffic.
If you want to configure your cAP ac as an access point, you shouldn’t configure a DHCP server on it. If you create a bridge and add all interfaces to it (like you did), all devices will get their IP address from the corporate DHCP server (as will the cAP ac itself, if you define a DHCP client).
Two additional tips: don’t use 40MHz bandwidth on the 2G radio, and select channels manually.
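The bridged-AP layout this reply describes, written out as an added example (not a config from the thread or from MikroTik): one bridge carrying the uplink and both radios, no DHCP server or pool on the AP, a DHCP client on the bridge, WPA2-only, 20MHz on 2.4GHz and fixed channels. The SSIDs come from the export posted later in the thread; the pre-shared key, the chosen channels and the security-profile name are placeholders/assumptions.

```routeros
# cAP ac as a pure layer-2 access point: everything sits on one bridge and
# the corporate DHCP server behind the RB3011 hands out every address.
/interface bridge
add name=bridge comment="single bridge for uplink and both radios"
/interface bridge port
add bridge=bridge interface=ether1 comment="uplink towards the RB3011"
add bridge=bridge interface=ether2
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2

# No DHCP server, pool or dhcp-server network on the AP. The removes are
# harmless on a blank unit and clear the leftovers of a Quick Set run.
/ip dhcp-server remove [ find ]
/ip dhcp-server network remove [ find ]
/ip pool remove [ find ]
# No static addresses on bridge member ports either: the AP is a DHCP
# client on the bridge, so gateway and DNS arrive with the lease.
/ip address remove [ find interface=ether1 ]
/ip address remove [ find interface=ether2 ]
/ip dhcp-client
add interface=bridge disabled=no comment="AP management address from corporate DHCP"

# WPA2-PSK only (no WPA1 fallback), AES-CCM only. The key is a placeholder.
/interface wireless security-profiles
add name=guest-wpa2 mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    management-protection=allowed wpa2-pre-shared-key=CHANGE-ME-LONG-PASSPHRASE

# 2.4GHz: 20MHz wide, fixed channel 1 (2412MHz). 5GHz: fixed channel 36 (5180MHz).
# Both frequencies are assumptions; pick what a site survey shows as clear.
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge band=2ghz-b/g/n channel-width=20mhz \
    frequency=2412 ssid="PPCZ 2,4GHz" security-profile=guest-wpa2 \
    wireless-protocol=802.11 distance=indoors disabled=no
set [ find default-name=wlan2 ] mode=ap-bridge band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee \
    frequency=5180 ssid=PPCZ security-profile=guest-wpa2 \
    wireless-protocol=802.11 distance=indoors disabled=no
```

Because the AP only bridges, the "only IPs up to xx.100 get internet" rule stays enforced by the RB3011 and the corporate DHCP scope, not by anything on the cAP ac.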
Provide both configs, and by that I mean not Google Drive (not accessible by all).
After downloading both files to your PC (I use Notepad++),
copy and paste them into the thread.
Use the black square with white brackets above (same line as Bold and Underline) to highlight the pasted bit and it will code up and shorten the text field.
I exported this today. I only changed the date to 8th (no changes were made in the config). I also tried exporting yesterday’s config, but I got the same file.
# mar/08/2019 06:49:43 by RouterOS 6.44
# software id = 6NY0-H0MW
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = ADCB0AD96ED1
/interface bridge
add admin-mac=74:4D:28:13:CE:4E auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
"PPCZ 2,4GHz" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
ap-bridge ssid=PPCZ wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile1 \
supplicant-identity=""
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=10.66.81.43-10.66.81.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=10.66.81.40/24 interface=ether2 network=10.66.81.0
add address=10.66.81.41/24 disabled=yes interface=ether1 network=10.66.81.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dhcp-server network
add address=10.66.81.0/24 gateway=10.66.81.41 netmask=24
/ip dns
set servers=10.66.81.7
/ip route
add distance=1 gateway=10.66.81.252
/system clock
set time-zone-name=Europe/Prague
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
Good day,
I understand your frustration, but clearly all the configs are from the cap as evidenced by the model# - 4 lines down from the top and the same MAC address etc etc etc.
I think what you are doing is getting all your configs from the capac and thus simply using a file name that is not reflective of the unit you are actually getting the config from.
The file name can be anything but you are identifying the wrong device in your file name. In other words you need to go into the RB3011 via winbox to download the file.
Easy to do if rushed or tired.
Changes recommended. CHANGE of plans: read through this and then reset to default and start from scratch (clean). It's too messy to fix.
(1) /interface bridge
add admin-mac=00:0C:42:5B:12:B8 auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none vlan-filtering=yes
Note: Do this as the LAST STEP in config changes and make sure you are using SAFEMODE in winbox.
(2) Get rid of these rules.........
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=fallback
set 1 default-vlan-id=0 vlan-mode=fallback
set 2 default-vlan-id=0 vlan-mode=fallback
set 9 default-vlan-id=0 vlan-mode=fallback
set 10 default-vlan-id=0 vlan-mode=fallback
(3) Modify these rules to........
/interface bridge port
add bridge=bridge1 interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether4-lan ingress-filtering=yes frame-types=admit-only-vlan-tagged
Note: Understand eth5 is not on the bridge and is a separate LAN
Note: The WAN normally is not part of the bridge.
(4) Modify
/ip address
add address=77.48.206.11/29 interface=WAN-ether1 network=77.48.206.8
add address=77.48.206.10/29 interface=WAN-ether1 network=77.48.206.8 (okay this is for your home lan)
add address=192.168.0.252/24 interface=bridge1 network=192.168.0.0 (okay this is for your home lan)
add address=10.66.81.252/24 interface=vlan81 network=10.66.81.0
add address=10.66.82.254/24 interface=vlan82 network=10.66.82.0
add address=10.66.83.252/24 interface=vlan83 network=10.66.83.0
add address=10.66.84.254/24 interface=vlan84 network=10.66.84.0 Note: only one subnet can be associated with the bridge!!!!
YOU HAVE NOT IDENTIFIED ANY VLANS????????????????????????
(5) Horrible rules get rid of .............. see (6) before doing so!!!
add action=accept chain=input dst-address=77.48.206.11 dst-port=8291
protocol=tcp src-address-list=admin
add action=accept chain=input dst-address=77.48.206.10 dst-port=8291
protocol=tcp src-address-list=admin
(6) replace FIRST though with
add chain=input action=accept in-interface-list=LAN src-address-list=adminaccessonly
(and add the allowed PCs to a firewall address list: list=adminaccessonly)
(IP > Services > winbox: also limit access here appropriately)
(Tools > MAC Server > MAC WinBox: also limit access here appropriately)
(note: recommend disabling any telnet access)
(7) I don't know what the heck this rule does, so get rid of it.
in/out-interface matcher not possible when interface (WAN-ether1) is slave - use master instead (bridge1)
(8) Add to the end of the input chain rules.
action=drop chain=input comment="Drop all else"
(9) Okay these are all horrible LOL, great imagination but yuckkkkk
Firstly, you don't use forward rules to replace dst-nat rules. Secondly, you cannot port forward the same destination port to the same server port more than once.
You only should have one general rule to allow all port forwardings through the firewall.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat comment="allow port forwarding"
If you want to allow traffic from LAN to WAN,
then clearly state in-interface, source address and out-interface.
Not sure what you are attempting by such rules (?? add action=accept chain=forward src-address=10.66.81.9 ?? )
(10) Add last rule to forward chain
action=drop chain=forward comment="Drop all else"
(11) You are missing the default rules such as those that concern established related etc.........................
My recommendation is to set router to defaults and start from scratch and just do the subnets bridge and vlans first and then add more layers like ipsec.......
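The input and forward chains that points (5) to (11) add up to, written out in order as an added example (not the poster's RB3011 config): established/related first, Winbox only from an address list on the LAN side, one rule for all dst-nat'ed port forwards, an explicit drop at the end of each chain, and the management services themselves limited as well. Interface names WAN-ether1, bridge1 and vlan81 are from the thread; the address-list entry 10.66.81.9 is a constructed sample and the /ip service address scope is an assumption.

```routeros
# RB3011 firewall skeleton. Apply in Winbox Safe Mode, as point (1) says:
# the final input drop locks you out if the admin list or scope is wrong.
# Interface lists, so rules never name a slave port (the error in (7)).
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=WAN-ether1
add list=LAN interface=bridge1
add list=LAN interface=vlan81 comment="repeat for each vlan interface on bridge1"

# Admin PCs allowed to reach Winbox; 10.66.81.9 is a constructed sample.
/ip firewall address-list
add list=adminaccessonly address=10.66.81.9 comment="admin workstation (sample)"

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related comment="default: replies"
add chain=input action=drop connection-state=invalid comment="default: drop invalid"
add chain=input action=accept protocol=icmp comment="ping for diagnostics"
add chain=input action=accept in-interface-list=LAN src-address-list=adminaccessonly \
    protocol=tcp dst-port=8291 comment="Winbox only from admin PCs on the LAN"
add chain=input action=drop comment="Drop all else"
# --- forward: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related comment="default: established/related"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    comment="allow port forwarding: one rule covers every dst-nat entry"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to internet"
add chain=forward action=drop comment="Drop all else"

# Limit the management services too, not only the filter rules.
/ip service
set telnet disabled=yes
set winbox address=10.66.81.0/24
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```

Per-VLAN or per-host allowances (the src-address=10.66.81.9 style rules) belong as accept rules above the final forward drop, each with an explicit in-interface and out-interface.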