Recommend using ether2 to configure the device off the bridge, so you keep an out-of-band admin path that does not depend on the VLAN/bridge configuration being correct. Below is an example.
Change the IPv4 settings on your desktop or laptop to something like 192.168.36.5/24 with gateway 192.168.36.1, and cable it directly to ether2.
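/interface bridge
# VLAN-aware bridge. Per-port ingress filtering is set under /interface bridge port.
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
# ether2 is deliberately kept OFF the bridge and carries only the emergency/admin
# network (addressed under /ip address), so a broken VLAN config cannot lock you out.
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
# Trusted (management) VLAN: the ONLY VLAN that gets an L3 interface on this device.
# Do not add the media or HVAC VLANs here - an IP interface on an untrusted VLAN would
# expose the router's own services (DNS, SSH, winbox) to those clients.
# (The original had this note in { } braces, which RouterOS treats as a script block,
# not a comment; use comment= or a # line instead.)
add interface=bridgegym name=homeVlan vlan-id=12 comment="mandatory trusted vlan - do not put any other vlans here"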
/interface list
# Interface list that gates neighbor discovery (/ip neighbor discovery-settings below).
# Membership is set under /interface list member: homeVlan and emergaccess only.
add name=ADMIN
/interface wireless
# 5 GHz AP for the trusted/home network (untagged into VLAN 12 by the bridge port config).
# WPS is disabled on every AP below - keep it that way, WPS PIN is brute-forceable.
# NOTE(review): the security profiles referenced here (home_Security, media_Security,
# Cerv_key) are not defined in this listing; confirm each exists and uses WPA2-AES or
# better, otherwise the interface falls back to whatever "default" profile is set.
# NOTE(review): frequency=5500 is a DFS channel while skip-dfs-channels=all tells the
# radio to avoid DFS channels - confirm the intended channel, the radio may pick another.
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce country=canada disabled=no frequency=5500 \
mode=ap-bridge name=homeWLan security-profile=home_Security skip-dfs-channels=all ssid=NoPain-NoGain wireless-protocol=\
802.11 wmm-support=enabled wps-mode=disabled
# 2.4 GHz AP for the media network (untagged into VLAN 40 by the bridge port config).
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=canada disabled=no frequency=2437 mode=ap-bridge \
name=mediaWlan rate-set=configured security-profile=media_Security skip-dfs-channels=all ssid=Media \
supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
# Virtual AP on the 2.4 GHz radio for HVAC devices (untagged into VLAN 49 by the bridge
# port config). mac-address=yy.yy.yy.yy is a placeholder from the forum post - replace it
# with a real locally-administered MAC or drop the parameter.
add disabled=no keepalive-frames=disabled mac-address=yy.yy.yy.yy master-interface=mediaWlan multicast-buffering=\
disabled name=HVAC_WLAN security-profile=Cerv_key ssid=machine wds-cost-range=0 wds-default-cost=0 wmm-support=\
enabled wps-mode=disabled
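/interface bridge port
# Trunk to the upstream router/switch: only VLAN-tagged frames are admitted, and
# ingress-filtering=yes drops tagged frames whose VLAN is not listed for this port
# under /interface bridge vlan. (Original had the typo "frrame-types", which the
# import would reject.)
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
# Access ports: each WLAN is placed untagged into its own VLAN via pvid, and tagged
# frames from wireless clients are refused so a client cannot hop VLANs by tagging.
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=12
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40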
/ip neighbor discovery-settings
# Neighbor discovery only on admin interfaces, so the AP does not announce itself
# to the client (media/HVAC) VLANs.
set discover-interface-list=ADMIN
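/interface bridge vlan
# VLAN 12 is the only VLAN tagged on the bridge interface itself (the CPU port), which
# is what lets homeVlan / the cAP's own IP live on the trusted subnet. Leave bridgegym
# out of the tagged list for every other VLAN - adding it would give the router an L2
# presence on that VLAN. (Original had this note in { } braces, which RouterOS treats
# as a script block, not a comment.)
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=12 comment="only the trusted vlan is tagged on the bridge itself"
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=49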
/interface list member
# homeVlan (trusted VLAN 12) and emergaccess (ether2, off-bridge) are the only admin paths.
add interface=homeVlan list=ADMIN
add interface=emergaccess list=ADMIN
/ip address
# The only two L3 interfaces on the device. VLANs 40 and 49 deliberately get no IP, so
# the router's own services cannot be reached from the media or HVAC networks at L3.
add address=192.168.10.84/24 interface=homeVlan network=192.168.10.0 comment="IP of capac on trusted subnet"
# 192.168.36.0/24 exists only on ether2 for out-of-band recovery: cable a laptop directly
# to ether2 and address it statically (e.g. 192.168.36.5/24, gateway 192.168.36.1).
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"
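/ip dns
# Upstream resolver is the trusted-subnet gateway; the AP's own lookups use it regardless
# of allow-remote-requests. allow-remote-requests=yes additionally makes this device
# answer DNS on EVERY interface that has an IP (homeVlan and emergaccess), and nothing in
# this script limits who may query it. If clients are meant to use the main router for
# DNS, set it to no; otherwise add an /ip firewall filter input rule that drops tcp/udp 53
# from anything other than the admin subnets. (Original had the note in { } braces, which
# RouterOS treats as a script block, not a comment.)
set allow-remote-requests=yes servers=192.168.10.1 comment="all dns requests go out via the trusted subnet"
/ip route
# Default route via the trusted-subnet gateway so the AP itself can reach NTP/DNS/updates.
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"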
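/ip service
# Plaintext / legacy management services off.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# Restrict SSH to the two admin subnets defined under /ip address (trusted VLAN 12 and the
# off-bridge ether2 network). The original had the placeholder x.x.x.x; narrow this to
# the exact admin host(s) if they are static.
set ssh address=192.168.10.0/24,192.168.36.0/24
# winbox over IP stays enabled by default and was not restricted in the original script;
# lock it to the same admin subnets so IP and MAC admin reach agree with the ADMIN list.
set winbox address=192.168.10.0/24,192.168.36.0/24
set api disabled=yes
set api-ssl disabled=yes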
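/system ntp client
set enabled=yes
/system ntp client servers
# Time from the trusted-subnet gateway; accurate time matters for log correlation.
add address=192.168.10.1
/tool mac-server
# MAC-telnet disabled on every interface.
set allowed-interface-list=none
/tool mac-server mac-winbox
# The original referenced an interface list named "management", which this script never
# creates - the only list defined is ADMIN (under /interface list). Use ADMIN so MAC-winbox
# is reachable only from homeVlan and emergaccess; the WLAN/bridge ports are not members.
set allowed-interface-list=ADMIN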
Anav, thank you! This was very helpful. I got it working. Normal routing is on ether1. Admin access is on ether2 via 192.168.36.1, as you recommended.
I wasn't 100% certain which parts of the example script "AccessPoint.rsc" at http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 to remove when I added your example script. Attached is my working script. If you see anything obvious I should remove, change, improve, or make more robust, I'd appreciate it.
Thank you again!