Can't access newly configured AP

Hi,

So I have a 951G-2HnD as my main router, and now, to extend the Wi-Fi range, I wanted to add a 951Ui-2HnD to the network as an AP. I configured it via Quick Set as PTP Bridge AP. Everything works perfectly fine, except that I cannot connect to the 951U anymore, unless I connect directly to port2 and call it by MAC address. If I am coming from the other router, it doesn’t find it. I am clearly missing something, but wasn’t able to figure out what. Do I have to add a new bridge with the port1 MAC address? How? This first bridge got created automagically. Or is the firewall eating the connection?

# jan/02/1970 00:14:00 by RouterOS 6.46.4
# software id = THQV-7K46
#
# model = 951Ui-2HnD
# serial number = 4AC702DF0908
/interface bridge
add admin-mac=D4:CA:6D:BE:0F:E3 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=Mmmmmrgrgrgl wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=ether2 name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.88.2/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip dns static
add address=192.168.88.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.88.1
/system routerboard settings
set cpu-frequency=750MHz
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The AP is not configured as AP, but as router. Unless you posted the router export instead of the AP.

What I prefer to do in case of configuring as AP:

  • reset with no default configuration
  • create a bridge
  • add all interfaces to that bridge
  • configure wireless (select channel manually either 1/6/11, and width 20MHz)
  • add DHCP client (if you want your AP to have an IP address)

That is about it…

Alternatively use default wisp setup.

Reset to no config and do not use Quickset…!
It is so simple to configure an AP… you will find plenty of info around the Wiki…

Okay, I reset the config, and didn’t use quick setup. I set up the AP, and everything works fine if I set a DHCP client. If I try to give it a static IP, the router itself cannot reach the update and the time server, as I didn’t find out how to set the gateway and DNS. Any tips?

/interface bridge
add name=bridge1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=test \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=\
    Password
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no frequency=auto mode=ap-bridge security-profile=test ssid=\
    SSID wireless-protocol=802.11 wps-mode=disabled
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=all
/ip address
add address=192.168.88.2/24 interface=bridge1 network=192.168.88.0
/system ntp client
set enabled=yes primary-ntp=148.6.0.1 secondary-ntp=193.225.218.100
/system routerboard settings
set cpu-frequency=750MHz

Gateway: /ip route add dst-address=0.0.0.0/0 gateway=
The dst-address is optional in this case; the value in my example is the default. If you want to set a specific route to some network, then this part is mandatory.

DNS: /ip dns set allow-remote-requests=no servers=
Setting allow-remote-requests toggles the ability of clients to use the router as a DNS resolver. In a typical home network it is usually set to yes, but then an appropriate firewall rule has to block DNS requests originating from the internet (default firewall rules on SOHO devices do that). Failing to do so leaves the router open to some DNS attacks and abuses. When the device is used simply as a switch/AP, it’s more than sensible to set this parameter to no, as in my example.
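The check described in the post above, as an added example that is not part of the original thread: a small Python audit of a RouterOS `/export` that flags `allow-remote-requests=yes` when no input-chain drop rule limits who can query the resolver. The function names and the heuristic (a drop/reject rule scoped by interface or by `dst-port=53`) are assumptions made for this example; the sample configs are an excerpt of the first post's export and two constructed variants.

```python
import shlex

def parse_export(text):
    """Parse RouterOS /export text into (section, verb, params) tuples."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):      # export wraps long lines with a trailing backslash
            buf += line[:-1]         # the wrap can fall mid-token, so join without a space
            continue
        logical.append(buf + line)
        buf = ""
    entries, section = [], None
    for line in logical:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):     # section header such as "/ip firewall filter"
            section = line
            continue
        tokens = shlex.split(line)   # keeps quoted comments together
        params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((section, tokens[0], params))
    return entries

def open_resolver_findings(text):
    """Heuristic: resolver enabled with no input-chain rule limiting who may query it."""
    entries = parse_export(text)
    if not any(s == "/ip dns" and p.get("allow-remote-requests") == "yes"
               for s, _, p in entries):
        return []
    for s, verb, p in entries:
        if (s == "/ip firewall filter" and verb == "add"
                and p.get("chain") == "input" and p.get("disabled") != "yes"
                and p.get("action") in ("drop", "reject")
                and ("in-interface-list" in p or "in-interface" in p
                     or p.get("dst-port") == "53")):
            return []
    return ["allow-remote-requests=yes with no input-chain drop rule scoping DNS queries"]

# Excerpt of the export in the first post (resolver on, defconf drop rule present).
FIRST_POST = r"""
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
"""
# Constructed: a reset AP with no firewall; only the allow-remote-requests value differs.
AP_YES = "/ip dns\nset allow-remote-requests=yes servers=192.168.88.1\n"
AP_NO = "/ip dns\nset allow-remote-requests=no servers=192.168.88.1\n"
```
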

Thank you, it works fine. It’s OK to do no remote requests, as the clients are asking the router anyway; this setting was required only for the AP itself, it doesn’t need to share the knowledge.

You already had this rule /ip route add distance=1 gateway=192.168.88.1 in your configuration…
That makes me wonder how exactly you solved the problem by adding a rule that was already there?
Also, this rule is not needed if we want to access our device locally from within our LAN…

@zacharias: read post #5 … OP posted his current config without default route and explained he needed it for ROS upgrades and access to external NTP servers, etc.

ok @mkx… At post #1 the default route was there…

Indeed it was, but you advised OP to reset to no config in post #4 and OP followed your advice.

The problem with newbies is that they don’t see nor understand things until they manage to capture some knowledge. I remember times when I was in the same boat as well regarding ROS. Now I recognise lack of knowledge on my part :wink: