go4030
April 13, 2024, 7:26pm
1
I’m using a cAp ac with RouterOS 6.49.13.
I followed this excellent guide to make an Access Point with VLANs. It works great. http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
However, after configuring the device as an access point I can’t get into the router anymore with Webfig or Winbox. I’m locked out. The computer that I’m using to access the cAP ac is 10.2.10.50 / VLAN 10. I suspect the issue has something to do with my computer not being in the correct IP range or VLAN to access the AP, but I can’t figure it out.
Attached is my complete .rsc file. I’d really appreciate some help figuring this out.
I think these configs may be the issue but I’m not certain…
#######################################
# IP Addressing & Routing
#######################################
# LAN facing AP's Private IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.3/24 interface=BASE_VLAN
Thank you.
anav
April 13, 2024, 7:36pm
2
Recommend using ether2 to configure the device OFF Bridge.
Below is an example.
Change the ipv4 settings on your desktop or laptop to something like 192.168.36.5 gateway 192.168.36.1
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
# mandatory: the trusted (management) vlan must be defined here - do not put any other vlans here!!
add interface=bridgegym name=homeVlan vlan-id=12
/interface list
add name=ADMIN
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce country=canada disabled=no frequency=5500 \
mode=ap-bridge name=homeWLan security-profile=home_Security skip-dfs-channels=all ssid=NoPain-NoGain wireless-protocol=\
802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=canada disabled=no frequency=2437 mode=ap-bridge \
name=mediaWlan rate-set=configured security-profile=media_Security skip-dfs-channels=all ssid=Media \
supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=yy.yy.yy.yy master-interface=mediaWlan multicast-buffering=\
disabled name=HVAC_WLAN security-profile=Cerv_key ssid=machine wds-cost-range=0 wds-default-cost=0 wmm-support=\
enabled wps-mode=disabled
/interface bridge port
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=12
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
# only the trusted vlan, where the capac gets its ip address, is tagged on the bridge itself
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=12
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=49
/interface list member
add interface=homeVlan list=ADMIN
add interface=emergaccess list=ADMIN
/ip address
add address=192.168.10.84/24 interface=homeVlan network=192.168.10.0 comment="IP of capac on trusted subnet"
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"
/ip dns
# done so all dns requests use the trusted subnet
set allow-remote-requests=yes servers=192.168.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
# must name the list defined in /interface list above
set allowed-interface-list=ADMIN
Have you tried through Winbox using the MAC address (which can hopefully be found in discovered)?
anav
April 14, 2024, 12:15pm
4
Also use safe mode when implementing config changes. After about 15-20 seconds without any issues, undo safe mode to keep the changes, and then turn it back on.
go4030
April 14, 2024, 8:27pm
5
Thanks. I did try this but it did not work.
go4030
April 14, 2024, 8:48pm
6
Anav, thank you! This was very helpful. I got it working. Normal routing is on ether1. Admin access is on ether2 via 192.168.36.1 like you recommended.
I wasn’t 100% certain about which parts of the example script “AccessPoint.rsc” at http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 to remove when I added your example script. Attached is my working script. If you see anything obvious I should remove/change/improve/make more robust I’d appreciate it.
Thank you again!
anav
April 14, 2024, 9:06pm
7
Yes.
Major omission! Without this you will not be able to reach the AP for config purposes through normal networking (Winbox on the base vlan etc…)
/interface list member
add interface=BASE_VLAN list=ADMIN
add interface=emergaccess list=ADMIN
Minor omission
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
Personal preference. I always manually write down the untagging on /interface bridge vlans so that they are displayed on an export of the config and to double check against Bridge ports. Also if someone else takes over the config, it will be clearer…
/interface bridge vlan
add bridge=BR1 tagged=ether1 untagged=wlan1,wlan2 vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=wlan1_zz_20,wlan2_zz_20 vlan-ids=20
add bridge=BR1 tagged=ether1 untagged=wlan1_zz_30,wlan2_zz_30 vlan-ids=30
add bridge=BR1 tagged=ether1 untagged=wlan1_zz_40,wlan2_zz_40 vlan-ids=40
add bridge=BR1 tagged=ether1 untagged=wlan1_zz_50,wlan2_zz_50 vlan-ids=50
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
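The three conditions behind anav’s advice in posts 2 and 7 (the bridge itself must be tagged for the management VLAN in /interface bridge vlan, the interface list named by neighbor discovery and MAC-Winbox must actually exist, and the interface carrying the AP’s IP must be a member of that list) can be checked mechanically against an `/export` before you leave safe mode. The lint below is an added example written for this page, not MikroTik code and not either poster’s script; the export layout it parses, the function names `parse_rsc`/`lint_rsc`, and the sample config (constructed in anav’s layout, with the post 7 omission and a mismatched list name left in on purpose) are all assumptions of the example.

```python
"""Lint a RouterOS export for the VLAN-AP lockout mistakes discussed in this thread.

Added example, not MikroTik code or the posters' scripts. Assumes the exported
`/section` + `add`/`set` layout; parse_rsc and lint_rsc are names chosen here,
and vlan-id ranges such as vlan-ids=10-20 are not expanded.
"""
import shlex
from collections import defaultdict

# Interface lists RouterOS provides without a /interface list entry.
BUILTIN_LISTS = {"all", "none", "dynamic", "static"}

# Constructed sample in anav's layout with three mistakes left in on purpose:
# bridge not tagged for vlan 99, BASE_VLAN missing from the ADMIN list (post 7's
# "major omission"), and mac-winbox pointing at a list that is never defined.
SAMPLE_RSC = r"""
/interface bridge
add ingress-filtering=no name=BR1 vlan-filtering=yes
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/interface list
add name=ADMIN
/interface bridge vlan
add bridge=BR1 tagged=ether1 untagged=wlan1 vlan-ids=10
add bridge=BR1 tagged=ether1 vlan-ids=99
/interface list member
add interface=emergaccess list=ADMIN
/ip address
add address=192.168.0.3/24 interface=BASE_VLAN network=192.168.0.0 comment="IP on trusted vlan"
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/tool mac-server mac-winbox
set allowed-interface-list=management
"""


def parse_rsc(text):
    """Return {section: [{key: value, ...}, ...]} for every add/set line,
    joining backslash continuations and skipping '#' comment lines."""
    sections, section, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        if tokens and tokens[0] in ("add", "set"):
            sections[section].append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections


def lint_rsc(text):
    """Return human-readable findings; an empty list means the checks pass."""
    cfg, findings = parse_rsc(text), []
    bridges = {e["name"]: e for e in cfg["/interface bridge"] if "name" in e}
    defined = {e["name"] for e in cfg["/interface list"] if "name" in e}
    members = defaultdict(set)
    for e in cfg["/interface list member"]:
        members[e.get("list")].add(e.get("interface"))

    # 1. A /interface vlan on a vlan-filtering bridge only sees traffic if the
    #    bridge itself is listed as tagged for that vlan-id in /interface bridge vlan.
    for v in cfg["/interface vlan"]:
        br = v.get("interface")
        if bridges.get(br, {}).get("vlan-filtering") == "yes" and not any(
                e.get("bridge") == br
                and v.get("vlan-id") in e.get("vlan-ids", "").split(",")
                and br in e.get("tagged", "").split(",")
                for e in cfg["/interface bridge vlan"]):
            findings.append(f"{br} is not tagged for vlan {v.get('vlan-id')}: "
                            f"{v.get('name')} cannot carry management traffic")

    # 2. Neighbor discovery and MAC-Winbox must point at interface lists that exist.
    referenced = set()
    for section, key in (("/ip neighbor discovery-settings", "discover-interface-list"),
                         ("/tool mac-server mac-winbox", "allowed-interface-list")):
        for name in (e.get(key) for e in cfg[section]):
            if name in defined or name in BUILTIN_LISTS:
                referenced.add(name)
            elif name is not None:
                findings.append(f"{section} references undefined interface list {name}")

    # 3. Every interface carrying an IP must be in one of those lists, otherwise the
    #    AP is invisible to Winbox neighbor discovery and MAC-Winbox on that subnet.
    if "all" not in referenced:
        covered = set().union(*(members[n] for n in referenced))
        for a in cfg["/ip address"]:
            ifc = a.get("interface")
            if ifc and ifc not in covered:
                findings.append(f"{ifc} ({a.get('address')}) is not in any management "
                                f"interface list {sorted(referenced - BUILTIN_LISTS)}")
    return findings
```

Run it as `lint_rsc(open("export.rsc").read())` on the output of `/export` while still in safe mode; on the sample it reports the untagged bridge, the undefined `management` list, and BASE_VLAN missing from ADMIN, and returns an empty list once those three lines are corrected. It only covers the reachability mistakes in this thread, not firewall input rules or `/ip service` address restrictions, which can lock you out just as effectively.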