Cannot login to Access point from home

At home I am connected to the access point thru a RB952Ui-5ac2nD-US then thru a Groove-52HPn. I have full internet access. Everything works. But I cannot use winbox or even a browser to login to the access point. It will not even respond to a ping from the CLI in either device. Yet I can go over to the tower and connect thru the access point directly and get right in using winbox, or even tiki-app. The access point is a RBMetal2SHPn. I have checked the firewall on all three devices and there is nothing blocking it. I can go to any other customer's residence and login thru winbox into that access point. This problem only occurs thru my bridge and router. We use two IP ranges, 10.100 for the infrastructure and 10.110 for the clients. If I hook directly to my bridge and give my computer a 10.100 address it connects. The same holds true for my router. But with the 10.110 range I can login to every other network device in the system with no problem. I have checked thru the firewall, and even disabled the rules and it makes no difference. Does anyone have any idea what might be causing the problem in this access point?

Sounds like you might have a routing problem.

Can you provide output of “export hide-sensitive”?

I did do a bit of editing, I removed the serial number of the radio, the last half of the MAC addresses that are shown, and the SSID. The rest is as is.

This is the Access Point's file.

```
# jun/16/2018 19:57:15 by RouterOS 6.42.2
# software id = H9BB-RW43
#
# model = Metal 2SHPn
# serial number = xxxxxxxxxxxxxx
/interface bridge
add fast-forward=no name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n default-authentication=no \
    disabled=no frequency=2442 mode=ap-bridge ssid=radio1 \
    wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
    interface=ether1 name=defconf
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 hw=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether1 list=discover
add interface=bridge1 list=discover
add interface=wlan1 list=mac-winbox
add interface=ether1 list=mactel
add interface=wlan1
/interface wireless access-list
add mac-address=64:D1:54:
add mac-address=64:D1:54:
add mac-address=68:72:51:
add mac-address=68:72:51:
add mac-address=C0:D9:62:
add mac-address=CC:2D:E0:
add mac-address=28:C6:3F:
add mac-address=AC:5F:3E:
add mac-address=E0:98:61:
add mac-address=5C:51:4F:
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether1 \
    network=192.168.88.0
add address=10.100.0.7/24 interface=wlan1 network=10.100.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bridge1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.100.0.7 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# in/out-interface matcher not possible when interface (wlan1) is slave - use master instead (bridge1)
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=wlan1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=drop chain=input in-interface=ether1
/ip route
add distance=1 gateway=10.100.0.1
/system clock
set time-zone-name=America/Detroit
/system identity
set name="Radio1 AP"
/system routerboard settings
set silent-boot=no
/system watchdog
set watchdog-timer=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
```



This is my Bridge,

```
# jun/17/2018 12:07:53 by RouterOS 6.42.3
# software id = 82VZ-G38A
#
# model = Groove 52HPn r2
# serial number = xxxxxxxxxxxx
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no frequency=2412 mode=station-bridge radio-name="My CPE" \
    ssid=LSBB@coville.2 wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=10.110.0.2-10.110.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/system logging action
set 1 disk-lines-per-file=1
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
/interface list member
add interface=wlan1 list=WAN
add interface=ether1 list=LAN
/ip address
add address=10.110.0.5/24 interface=ether1 network=10.110.0.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.110.0.0/24 gateway=10.110.0.1
/ip dns
set servers=71.10.216.1,1.1.1.1,1.0.0.1
/ip route
add distance=1 gateway=10.110.0.1
/snmp
set contact=e-mail address location=Home src-address=10.110.0.5
/system clock
set time-zone-name=America/Detroit
/system identity
set name="My CPE"
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
/system ntp client
set enabled=yes primary-ntp=198.58.105.63 secondary-ntp=208.75.88.4
/system ntp server
set broadcast=yes broadcast-addresses=10.110.0.5 enabled=yes manycast=no
/system routerboard settings
set auto-upgrade=yes silent-boot=no
/system scheduler
add interval=6h name=ReloadNTP policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/18/2018 start-time=18:44:43
/system script
add name=ReloadNTP owner=lsbb policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
    \r\
    \n:local ntpServer \"pool.ntp.org\"\r\
    \n:local primary [resolve \$ntpServer]\r\
    \n:local secondary [resolve \$ntpServer]\r\
    \n/system ntp client set primary-ntp \$primary\r\
    \n/system ntp client set secondary-ntp \$secondary\r\
    \n}"
/system watchdog
set watchdog-timer=no
```


Thanks for any help you can give me.

Any ideas would be appreciated.

I had the same problem and gave up hope, then my issue got resolved because my subnet mask was 255.255.255.0 and I changed it to 255.255.255.224, then it worked. Please note I got a /27 range. Hope it works for you.

Did you just have to change it in the two radios? Do you know why this worked? It appears you made the range smaller. I really do not have that choice.

One other thing that makes this crazy, there are other access points in the network that I can get into. One at 10.100.0.6 and one at 10.100.0.8 and I can login to both of them with no problem. So to me that makes me think there is nothing wrong with the network configuration or routes. There is a switch between the backhaul radio and the access point that I can only login to for 15 or 20 seconds before I am kicked off. These are the only two problem children in the entire network.

Well, there is a lot wrong with that config, but a possible cause for your troubles is the IP is on the wlan interface instead of the bridge.

/ip address add address=10.100.0.7/24 network=10.100.0.0 interface=bridge1

I only heard of RouterOS and Mikrotik a bit over a month ago when I started working with my startup ISP. They had started using Ubiquiti products and they know that firmware. So we are starting wayyy behind the eight ball. I am still figuring all this out, so any pointers you can give me would be appreciated.

Thanks for the suggestion 2frogs, but that did not work.

Any other ideas? We are at a loss.

Maybe I have stumbled upon a solution.
I have had the same problem with a couple of Disc Lite5.
After setting the device as ap-bridge, it becomes invisible to winbox and ping.
Station side, I could connect to the bridge-ap only by MAC.
AP side, the ap-bridge was completely invisible.
Comparing setups, I found that the interface list of the station-bridge is fine but the interface list of the bridge-ap is missing “bridge”.
Manually add “bridge” and set it as LAN.
After that, the ap-bridge is fully available from both sides by IP or MAC.
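
An added example, not code from any poster in this thread: a small Python check that reads a RouterOS export and reports the two conditions raised in the replies above, namely `/ip` settings bound to a bridge port instead of the bridge (the 10.100.0.7 address on wlan1, the firewall matchers on wlan1 and ether1) and a MAC-server interface list that contains no bridge. The sample export is constructed from the access point config quoted earlier; `parse_export` and `lint` are hypothetical names, and the interface-list check is a heuristic based on the last reply.

```python
import re

# Constructed sample: a trimmed export shaped like the access point's config
# quoted in this thread; it is not a complete device configuration.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 hw=no interface=ether1
/interface list member
add interface=bridge1 list=discover
add interface=wlan1 list=mac-winbox
/ip address
add address=10.100.0.7/24 interface=wlan1 network=10.100.0.0
/ip firewall filter
add action=drop chain=forward connection-state=new \
    in-interface=wlan1
add action=drop chain=input in-interface=ether1
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
"""

def parse_export(text):
    """Return [(menu, {key: value})], joining backslash line continuations."""
    text = re.sub(r"\\\r?\n\s*", "", text)
    menu, items = "", []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line  # a menu path such as "/ip address"
        elif line and not line.startswith("#"):  # skip blanks and "#" warnings
            items.append((menu, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))))
    return items

def lint(text):
    """List settings that point at a bridge port instead of the bridge itself."""
    items = parse_export(text)
    master = {kv["interface"]: kv["bridge"] for m, kv in items if m == "/interface bridge port"}
    lists = {}
    for m, kv in items:
        if m == "/interface list member" and "list" in kv:
            lists.setdefault(kv["list"], set()).add(kv["interface"])
    findings = []
    for m, kv in items:
        for key in ("interface", "in-interface", "out-interface"):
            if m.startswith("/ip ") and kv.get(key) in master:
                findings.append(f"{m}: {key}={kv[key]} is a port of {master[kv[key]]}")
        lst = kv.get("allowed-interface-list")
        if lst and lst != "all" and not lists.get(lst, set()) & set(master.values()):
            findings.append(f"{m}: list '{lst}' contains no bridge interface")
    return findings
```

Calling `lint(SAMPLE_EXPORT)` returns four findings; moving the address, the firewall matchers and the list membership to `bridge1` returns none.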