So recently, I have switched my ISP and they provided me with a Mikrotik hAP-AC2, as my previous router-modem was not suitable for bonding.
So I have configured hAP-AC2 according to some guides and it seems to be working well.
However, I also need a secondary device for WiFi signal extension and my main PC connection on the ground floor (please see my schema below).
On my old router (ZTE) I only needed to turn off the DHCP server and assign an address to it + turn on the WIFI (same ssid as primary device) and it was working fine.
But I wanted my secondary device to be as compatible as possible so instead of the old ZTE I have bought used Mikrotik hAP-lite.
I have successfully connected hAP-lite (secondary) to hAP-AC2 (primary) and the internet on my PC connected to hAP-lite (secondary) is working OK.
However, now I have the following issues:
- hAP-lite (secondary) itself does not seem to be connected to the internet so I cannot update packages via Winbox (System->Packages->Check for update) and the time of the device is not synced… is there an easy way to do it or do you guys recommend to leave it without being connected to the internet at all?
- sometimes when migrating from F2 to F1 my phone’s WIFI displays exclamation mark (!) and shows “no internet” and I either have to wait 1-2 minutes for it to fix itself or turn WIFI off and back on … is there anything I can do about it, could it be caused by incorrect configuration of either device? As you can guess, this is very annoying…
I am attaching configuration files from both devices: secondary_hAP-lite.rsc (1.5 KB) primary_hAP-ac2.rsc (10.8 KB)
I would be very grateful for any advice and if you also find something “nasty” in my configs, please let me know so I can try to correct it.
You didn't mention VLANs, but if you go that route this article is very good on detailing devices acting as routers only, routers with wifi, access point-switches, and switches.
In your case you have the second and third cases. http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Didn't see anything off the bat that caught my eye, but when one has more than one bridge I lose the bubble quickly.
I am not in favour of extra bridges when not necessary.
I would have one bridge and two vlans 10 and 20 instead of the bridge separated networks.
Glad this is disabled as it appears to be a friggen huge security leak.
/ip firewall filter
add action=accept chain=input comment="Allow METRONET mgmt" disabled=yes src-address=78.110.208.128/25
It’s because it’s not there and that’s the problem. hAP-lite is missing default route and dns. And you can’t blame it on too many bridges, because that device has only one.
Could you please further explain what you mean by that, though?
I have changed the device IP by IP → Addresses but I am not sure what I should do to make this hAP-lite able to update itself from the internet and gain the correct time.
The device must be able to resolve hostnames, that’s why it needs a DNS server. And it needs to know how to reach the internet, and that’s done using a default gateway. So you need this:
/ip dns
set servers=192.168.88.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1
One last question, does this settings make my hAP-lite (secondary) vulnerable in any way? Do I need to setup firewall on it etc.? Or since all traffic is managed by hAP-AC2 (primary) I don’t need to care about it?
Yes, the primary router handles all the firewall rules.
I did not touch firewall rules at all when configuring the hEX as a switch or my cAP acs when configuring VLANs and wifi.
(Just leave whatever default rules are in place and there should be no issues).
To be clear, the switch and access points are not doing any routing.
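Putting the two replies above together, here is a complete set of RouterOS commands for the hAP lite as an added example (it is not config from the original post, nor MikroTik's own defaults). It assumes the LAN bridge on the hAP lite is named bridge, that the hAP ac2 is 192.168.88.1, that the hAP lite takes 192.168.88.2 (outside the ac2's DHCP pool, or with a static lease there), and that management should only be reachable from the home LAN 192.168.88.0/24. The input-chain rules go further than "leave the defaults", so treat them as an opinionated hardening step rather than something the thread requires.

```routeros
# Added example, not from the original post: complete "dumb AP" network
# settings for the hAP lite. Assumptions: bridge is named "bridge", the
# hAP ac2 is 192.168.88.1, the hAP lite takes 192.168.88.2 (outside the
# ac2's DHCP pool, or add a static lease there), and management should
# only be reachable from 192.168.88.0/24.
# Apply from WinBox Safe Mode: the input-chain rules can lock you out.

/ip address
add address=192.168.88.2/24 interface=bridge comment="static AP address"

# Default route: without it the AP can talk to the LAN but not beyond it,
# so "Check for update" and NTP fail.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1 comment="via hAP ac2"

# Resolver: use the ac2's cache. allow-remote-requests=no because this AP
# resolves names only for itself; yes would make it answer DNS queries for
# anything that can reach its input chain.
/ip dns
set servers=192.168.88.1 allow-remote-requests=no

# Time sync. RouterOS v7 syntax; the v6 SNTP client takes
# server-dns-names=... instead of servers=... . Alternative that works on
# both versions but contacts MikroTik's cloud service instead of an NTP pool:
#   /ip cloud set update-time=yes
/system ntp client
set enabled=yes servers=pool.ntp.org

# Input chain: rules are evaluated top to bottom, so keep this order.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="return traffic"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping for diagnostics"
add chain=input action=accept src-address=192.168.88.0/24 comment="management only from the home LAN"
add chain=input action=drop comment="anything else (e.g. a future guest VLAN) cannot reach the AP"

# Checks after applying (dynamic entries from a dhcp-client would show
# with flag D in these prints but never in an export):
/ip route print where dst-address=0.0.0.0/0    # must show one active (A) route
/ip dns print                                   # servers=192.168.88.1
/ping 192.168.88.1 count=3                      # first the gateway itself
:put [:resolve "upgrade.mikrotik.com"]          # then DNS through it
/system clock print                             # date should now be current
```

If you prefer to keep the hAP lite on DHCP instead of a static address, the dhcp-client delivers the route and DNS server dynamically; the firewall and NTP parts above stay the same.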
Your WAN is ether1 / VLAN848 /PPOE_out1 , and the DHCP_client is delivering you the necessary default IP route.
Everything else is LAN! So I’m surprised with: “add interface=bridge_hoste list=WAN”, as this will set severe limitations on what can be done from there, and will include NAT translation.
The firewall nat rule is correct, but that bridge_hoste should also be in the LAN interface list to my understanding
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
I do understand the need for limiting access to the bridge_domaci network by routing from bridge_hoste, but that should be another firewall rule.
NTP is missing here. Or just enable “update time” in IP Cloud.
The “nstreme” lines are probably some leftover … from another setup.
hAP_Lite
As already explained, the DNS and default route is missing (you have no dhcp_client on the bridge here to deliver that, but you could even add one as workaround, and fix the IP address in the DHCP server)
Remove the “b” from “band=2ghz-b/g/n” if you are not using very old b-only client equipment.
general:
Avoid “frequency=auto” in all cases if you can. (and set hAP ac2 and hAP Lite on different channels for 2.4GHz, (use 1, 6 or 11 as in hAP Lite)
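The interface-list correction and the "another firewall rule" for guest-to-home isolation mentioned above, written out as an added example (not config from the original post). It assumes the home network is 192.168.88.0/24 on bridge_domaci, the guest network is 192.168.99.0/24 on bridge_hoste, and that the rest of the filter table is the RouterOS default (defconf) set. It goes one step beyond the thread by also keeping guests away from the router's own management services.

```routeros
# Added example, not from the original post: guest ("hoste") isolation on
# the hAP ac2. Assumptions: home 192.168.88.0/24 on bridge_domaci, guest
# 192.168.99.0/24 on bridge_hoste, defconf filter rules otherwise untouched.

# 1. bridge_hoste belongs in LAN, not WAN. In WAN it would be masqueraded
#    and treated as untrusted by the defconf forward rules.
/interface list member
add list=LAN interface=bridge_hoste

/ip firewall filter
# 2. Guests must not reach the home LAN. Match the ingress interface, not
#    only the source address: a guest who sets a static 192.168.88.x address
#    would slip past a src-address-only rule. place-before=0 puts the rule
#    first in the table so no earlier accept can let a new guest->home
#    connection through.
add chain=forward action=drop in-interface=bridge_hoste out-interface=bridge_domaci \
    comment="guest -> home LAN" place-before=0

# 3. Guests may use the router for DHCP and DNS only, never for management
#    (WinBox 8291, SSH, www). In a default input chain these land after
#    "accept established,related" and there is no blanket accept for LAN,
#    so simply appending them is correct; verify with the print below.
add chain=input action=accept in-interface=bridge_hoste protocol=udp dst-port=53,67 \
    comment="guest: DNS + DHCP"
add chain=input action=accept in-interface=bridge_hoste protocol=tcp dst-port=53 \
    comment="guest: DNS over TCP"
add chain=input action=drop in-interface=bridge_hoste comment="guest: no router management"

# Verify order and watch the counters while a guest device tries to open
# 192.168.88.1:8291 or ping a home PC: the drop rules should count packets.
/ip firewall filter print stats
```

If the guest SSID is later moved onto a VLAN interface, replace bridge_hoste in these rules with that VLAN interface; the logic is unchanged.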
hAP ac2
- Changed bridge_hoste to LAN (I did not realize it will be assigned to WAN while doing so)
- Added firewall rule to drop requests from guest WIFI (forward, src address 192.168.99.0/24, dst address 192.168.88.0/24, action: drop)
- Added SNTP
- Since we do not have any other signals around, changed WiFi settings to 20/40MHz Ce, autofrequency, 2GHz-only-N …everything seems to be working as before
hAP lite
- Added SNTP
- Since we do not have any other signals around, changed WiFi settings to 20/40MHz Ce, autofrequency, 2GHz-only-N …everything seems to be working as before
I also tried fiddling with Multicast Helper, Multicast buffering and Keepalive frames. Right now I have all disabled on both devices and do not feel any difference. What is the recommended settings here? Shall I just leave it as it is or do you recommend enabling some specific combination?
One more question: If I wanted to also extend the guest wifi on hAP lite, how difficult would it be to separate it to 192.168.99.0/24? Currently, I believe it would be connected to “bridge_domaci” if I understand correctly that everything from hAP lite is assigned to this range 192.168.88.0/24 which is part of “bridge_domaci”.
EDIT: Regarding the nstreme, I have never used it, shall I care about it?
OK well done. Except for the auto frequency, it is better not to trust the auto frequency. And with 20/40MHz in the 2.4 GHz band, you will see that two non-overlapping ranges are not possible. You then better set them to exactly the same (co-channel airtime sharing) , or use 20 MHz only on one of them.
I also tried fiddling with Multicast Helper, Multicast buffering and Keepalive frames. Right now I have all disabled on both device and do not feel any difference. What is the recommended settings here? Shall I just leave it as it is or do you recommend enabling some specific combination?
I have not fully experimented with that one. Multicast helper is about converting slow broadcasts in many fast unicasts per client. Multicast buffering is to help the dormant period of handheld devices. And I believe Keepalive frames is sometimes needed for iOS devices. Not verified or tested. So I leave the helper on default, with buffering enabled.
One more question: If I wanted to also extend the guest wifi on hAP lite, how difficult would it be to separate it to 192.168.99.0/24? Currently, I believe it would be connected to “bridge_domaci” if I understand correctly that everything from hAP lite is assigned to this range 192.168.88.0/24 which is part of “bridge_domaci”.
Expected that one. The hAP_Lite is indeed connected to the ethernet port on bridge_domaci. To bring bridge_hoste to the hAP Lite, the ethernet connection has to be double. (First thought or draft is a second cable, with ethernet port on bridge_hoste … but then we make it virtual on one ethernet cable by using VLAN (a VPN tunnel like SSTP could in theory also solve the puzzle)).
To use VLAN bring all interfaces on one bridge, and then use “untagged + 1 VLAN”, or “2 tagged VLANs” to separate the traffic. For this simple setup you can leave the “domaci” traffic untagged on the bridge, and encapsulate the “hoste” traffic in a VLAN created on the bridge as interface. The IP settings of “bridge_hoste” go to that created VLAN interface.
You can make an easy but ‘dumb-switch’ setup, by just setting the corresponding wireless WLAN interfaces tagged (in the wireless setup) on both AP’s. (There is even no need for a VLAN interface on the hAP Lite, just the VLAN tag on the virtual WLAN)
You can make a ‘smart-switch’ setup, with the possibility to even include some ethernet port on the hAP Lite in the “hoste” network if needed. Be prepared for quite some learning, and head scratching, by following this excellent documentation: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Your case is “access point”. Here the VLAN is delivered untagged to the WLAN interface !!!
Remember to always work in “Safe Mode” in WinBox whenever you (try to) set “vlan-filtering=yes”. Losing all access is quite common in this phase, but you have spare ethernet ports that you could leave out of the setup to experiment in a safe way, by always having access to the AP.
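The "smart-switch" variant described in this reply, with the home network untagged and the guest network in a tagged VLAN over the single cable, as an added example for both devices (not config from the original post or from the linked article). Assumptions: VLAN ID 99 for "hoste"; the home network stays untagged (pvid 1); the cable runs from ether2 on the hAP ac2 to ether1 on the hAP lite; the guest virtual AP interfaces are wlan2-hoste (ac2) and wlan1-hoste (lite) and the home SSID interfaces are wlan1 on both; one bridge named bridge replaces bridge_domaci and bridge_hoste.

```routeros
# Added example, not from the original post: carry the guest network to the
# hAP lite over one ethernet cable with 802.1Q, using bridge VLAN filtering.
# Assumptions: VLAN 99 = "hoste", home network untagged (pvid 1),
# ac2 ether2 <-> lite ether1, guest virtual APs wlan2-hoste (ac2) and
# wlan1-hoste (lite), home SSID wlan1 on both, single bridge named "bridge".
# Work in Safe Mode; set vlan-filtering=yes as the very last step.

### hAP ac2 (primary, router)
/interface bridge
add name=bridge comment="single bridge; replaces bridge_domaci + bridge_hoste"

/interface bridge port
# Trunk to the hAP lite: untagged home traffic plus tagged VLAN 99.
add bridge=bridge interface=ether2 pvid=1
# Home SSID: untagged only; a client cannot inject tagged frames.
add bridge=bridge interface=wlan1 pvid=1 frame-types=admit-only-untagged-and-priority-tagged
# Guest SSID: clients send untagged frames, the bridge puts them in VLAN 99.
add bridge=bridge interface=wlan2-hoste pvid=99 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# VLAN 99 leaves ether2 tagged, reaches the router CPU tagged (so the vlan
# interface below sees it) and is untagged only towards the guest Wi-Fi.
add bridge=bridge vlan-ids=99 tagged=bridge,ether2 untagged=wlan2-hoste

/interface vlan
add name=vlan99-hoste interface=bridge vlan-id=99

/ip address
add address=192.168.88.1/24 interface=bridge         # home: untagged, as before
add address=192.168.99.1/24 interface=vlan99-hoste   # guest: moved from bridge_hoste

/interface list member
add list=LAN interface=bridge
add list=LAN interface=vlan99-hoste
# The 192.168.99.0/24 DHCP server and the guest->home drop rule now
# reference vlan99-hoste instead of bridge_hoste.

# Last step, from Safe Mode:
/interface bridge
set bridge vlan-filtering=yes

### hAP lite (secondary, access point only, no routing)
/interface bridge
add name=bridge

/interface bridge port
add bridge=bridge interface=ether1 pvid=1   # uplink from the ac2, carries both
add bridge=bridge interface=wlan1 pvid=1 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wlan1-hoste pvid=99 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# "bridge" is deliberately NOT a member of VLAN 99: the AP's own address
# (192.168.88.x on the bridge) stays unreachable from the guest network,
# so guests cannot even try WinBox or SSH against the AP.
add bridge=bridge vlan-ids=99 tagged=ether1 untagged=wlan1-hoste

/interface bridge
set bridge vlan-filtering=yes

# Checks: VLAN table, and which VLAN each learned client MAC landed in.
/interface bridge vlan print
/interface bridge host print
```

A guest phone associated to wlan1-hoste on the hAP lite should appear in the host table with vid 99, receive a 192.168.99.x lease from the ac2, and be unable to reach 192.168.88.0/24 or the hAP lite's own IP; a home client should show vid 1 and behave exactly as before.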
Looking at the main router,
I see you don't allow DNS via the router but you do have DNS servers on the net that you have identified.
Maybe blind but I didn't see an ip route rule?
Other than that nothing obvious
I am used to vlans so these configs seem naked to me LOL.
I noticed this:
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
Which may mean you are sending DNS requests from the hapaclite to the main router but you don't allow the main router to function as DNS server from the LAN. Not sure if that's how it will work as the config relationship between the two units is not clear to me.
Don’t forget what comes via the dhcp-client on the WAN interface.
DNS server and default route are typically added then, and are not visible in the “export”, but in the “print”.
Gives surprises sometimes if you remove or disable the dhcp-client because you finally added a fixed IP address, and forgot about the other dynamic settings.
Unfortunately, I do not understand what you mean by “I see you dont allow DNS via the router but you do have DNS servers on the net that you have identified.”. I have DNS servers set to 1.1.1.1 and 1.0.0.1 (cloudflare) and in my PC’s ipconfig I can see the following DNS addresses 192.168.88.1, 1.1.1.1, 1.0.0.1; Also when I check hAP-AC2 DNS cache, it is full of information.
“Maybe blind but I didnt see an ip route rule?” could you please elaborate what I should change/set?
Should I switch allow-remote-requests=yes to allow-remote-requests=no on my hapaclite?