First off, I am not a RouterOS guru, I can do the basics & help myself for the most part but am no guru on RouterOS.
The CAP AC WiFi AP I recently installed is ignoring the DNS settings assigned by my network DHCP server configuration. Tried turning off “allow-remote-requests”, adding a DHCP-Relay entry and a few other things but cannot get the CAP to allow the clients to get their DNS config from DHCP.
I am not sure if it is the CAP AC forcing the use of the DNS IP’s that are configured on it (/ip dns print → servers) or if it is stripping the MAC Addresses from the DHCP request. Running tcpdump on my DHCP server, I do not see any of the DHCP requests that come via the CAP AC using the expected MAC address so I suspect that the CAP AC is in fact stripping the MAC Addresses so the DHCP server is assigning the “default” config. I have no idea how to fix this and have not been able to find a solution.
Any assistance getting the CAP AC to honour the network DHCP server config will be greatly appreciated.
[admin@ap1.home] > /ip dns print
servers: 10.1.1.1,208.67.222.123,208.67.220.123
dynamic-servers:
use-doh-server:
verify-doh-cert: no
allow-remote-requests: no
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1d
cache-used: 27KiB
[admin@ap1.home] > /ip dhcp-relay print
Flags: X - disabled, I - invalid
# NAME INTERFACE DHCP-SERVER LOCAL-ADDRESS
0 dhcp-relay bridge 10.1.1.250 0.0.0.0
[admin@ap1.home] >
My local network setup is pretty simple:
Single network IP range managed by a RaspberryPi (DHCP, DNS, etc)
Old PC as a file server & router backups etc
HAP AC2 (RBD52G-5HacD2HnD) running RouterOS v6.48.6 (long-term) as my boundary router & firewall to the Fibre internet. Does the Internet NAT & port forwarding.
CAP AC (RBcAPGi-5acD2nD) running RouterOS v6.49.10 (long-term) acting as an AP to extend the WiFi coverage (currently standalone as this is the only way I could get it working and I still need to figure out CAPSMAN).
RB433 running RouterOS v6.49.10 (long-term) that I use to learn and test stuff before I break primary devices. I know it is old, it is left over from a defunct community WiFi MAN killed now that we have Fibre readily available.
My DHCP assigns 3 different sets of DNS & predefined client IP’s based on MAC Addresses:
for the family, I use the OpenDNS Family Shield DNS IP’s & local DNS server for LAN devices (EG Printer & file server etc)
for the normal DHCP clients, I use the default of OpenDNS Family Shield DNS IP’s
for work, I use OpenDNS Family Shield DNS IP’s, local DNS & company DNS IP’s (VPN issue fix … crude I know but it works)
Laptops & phones have hardcoded IP’s via DHCP which I use for QOS rules on the HAP AC2
# dec/30/2023 00:10:02 by RouterOS 6.49.10
# software id = MDEQ-9G98
#
# model = RBcAPGi-5acD2nD
# serial number = xxxxxxxxxxxxxx
/interface bridge
add admin-mac=18:FD:74:19:A7:XX auto-mac=no name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country="south africa" disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=PhoenixWiFiSSID2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country="south africa" disabled=no distance=indoors \
frequency=auto installation=indoor mode=ap-bridge ssid=PhoenixWiFiSSID5 \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
"Pr35h4rEdKey" wpa2-pre-shared-key="Pr35h4rEdKey"
/ip pool
add name=dhcp_pool10.1.1 ranges=10.1.1.200-10.1.1.230
/ip dhcp-server
add address-pool=dhcp_pool10.1.1 interface=bridge lease-time=4h name=\
dhcp-10.1.1 relay=10.1.1.250
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.1.1.252/24 interface=ether1 network=10.1.1.0
/ip dhcp-relay
add add-relay-info=yes dhcp-server=10.1.1.250 disabled=no interface=bridge \
name=dhcp-relay relay-info-remote-id=""
/ip dhcp-server network
add address=10.1.1.0/24 gateway=10.1.1.254
/ip dns
set cache-max-ttl=1d servers=10.1.1.250,208.67.222.123,208.67.220.123
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping distance=1 gateway=10.1.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
/ip ssh
set always-allow-password-login=yes forwarding-enabled=remote
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system clock manual
set time-zone=+02:00
/system identity
set name=ap1.home
/system note
set note="!! Griffin Family - Authorised Access Only !!\
\n!! Contact : Michael <michael@home.za> !!\
\n!! +27 83 123 4567 !!"
/system ntp client
set enabled=yes primary-ntp=159.138.166.199 secondary-ntp=102.64.113.152 \
server-dns-names=0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org
/system package update
set channel=long-term
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool graphing interface
add interface=bridge
add interface=ether1
add interface=ether2
add interface=wlan1
add interface=wlan2
add allow-address=10.1.1.0/24
/tool graphing queue
add allow-address=10.1.1.0/24
/tool graphing resource
add allow-address=10.1.1.0/24
I have a verbose export as well if you would prefer.
This standalone WiFi AP is the only config I could get working. I am busy reading the CAPsMan docs & desperately wish there was an Idiots Guide to CAPsMan for a simple SME / Home / Home Office setup, so would relish any recommendations, especially integration into the existing WiFi Network.
Thank you. The CAPAC is actively being used so I am testing on my RB433.
I reset the RB433 and selected “Home AP” as “Home AP Dual” is not available. Again tried a number of options but no luck. The device is working and I can connect to it and it sees the network but I am unable to connect the WiFi at all. WiFi authentication appears to succeed but it is not able to obtain an IP and traceroute on the DHCP server shows no connection attempts.
# dec/30/2023 22:18:38 by RouterOS 6.49.10
# software id = IMML-TGJ1
#
# model = 433
# serial number = 213B01AAXXXX
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=10 country="south africa" \
disabled=no frequency-mode=manual-txpower mode=ap-bridge ssid=\
WiFiRB433 wireless-protocol=802.11 wps-mode=disabled
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=zaQ12Wsx \
wpa2-pre-shared-key=zaQ12Wsx
/interface list member
add interface=ether1 list=WAN
add interface=ether1 list=LAN
/ip address
add address=10.1.1.249/24 interface=ether1 network=10.1.1.0
/ip dhcp-relay
add dhcp-server=10.1.1.250 disabled=no interface=ether1 name=dhcp_relay1
/ip dns
set servers=10.1.1.250,208.67.222.123,208.67.220.123
/ip route
add distance=1 gateway=10.1.1.254
/system clock
set time-zone-name=Africa/Johannesburg
/system gps
set set-system-time=yes
/system identity
set name=rb433b
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge1 disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
/system routerboard settings
set auto-upgrade=yes
/tool user-manager database
set db-path=user-manager
Ahh okay so you're not using vlans… and only want to send one flat subnet to the CAPAC??
/interface bridge
add ingress-filtering=no name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface list
add name=management
/interface wireless
AS REQUIRED assuming names wifi1 and wifi2 (2.4 and 5 ghz)
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=management
/interface list member
add interface=bridge list=management
add interface=emergaccess list=management
/ip address
add address=10.1.1.249/24 interface=bridge comment="IP address of capac on subnet"
add address=192.168.55.1/24 interface=emergaccess network=192.168.55.0 comment="ether2 access off bridge"
/ip dns
set allow-remote-requests=yes servers=10.1.1.254 { Note: Done so all dns requests use subnet }
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.1.1.254 comment="ensures route avail through subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.1.1.254
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
I sourced a refurbished cAP ac and spent the last day resetting & reconfiguring it; major mission!
I have configured the router as you suggested and while it works, the outcome is the same in that it is stripping MAC Addresses from the DHCP requests resulting in the incorrect DHCP configuration being applied.
# jan/01/2024 22:08:53 by RouterOS 6.49.10
# software id = VIZX-79YQ
#
# model = RBcAPGi-5acD2nD
# serial number =
/interface ethernet
set [ find default-name=ether2 ] name=eth2emergaccess
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] country="south africa" disabled=no mode=\
ap-bridge ssid=Phoenix241 wireless-protocol=802.11
set [ find default-name=wlan2 ] country="south africa" disabled=no mode=\
ap-bridge ssid=Phoenix241 wireless-protocol=802.11
/interface list
add name=management1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=zaQ!@Wsx \
wpa2-pre-shared-key=zaQ!@Wsx
/snmp community
set [ find default=yes ] addresses=10.1.1.0/24 disabled=yes
add addresses=10.1.1.0/24 name=grafted security=private
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=management1
/interface list member
add interface=bridge1 list=management1
add interface=eth2emergaccess list=management1
/ip address
add address=192.168.88.1/24 interface=eth2emergaccess network=192.168.88.0 \
comment="ether2 emergency access off bridge"
add address=10.1.1.240/24 interface=bridge1 network=10.1.1.0 \
comment="IP address of cAPac on subnet"
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d \
servers=10.1.1.250,208.67.222.123,208.67.220.123
/ip route
add comment="ensures route avail through subnet gateway" distance=1 gateway=\
10.1.1.254
/ip service
set ftp disabled=yes
/ip smb
set comment=ap5 domain=HOME
/ip smb users
add name=grafted password=zaQ!@Wsx read-only=no
/snmp
set contact="M G" enabled=yes location=Home trap-community=grafted \
trap-generators=interfaces,temp-exception trap-version=3
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=ap5240
/system ntp client
set enabled=yes
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management1
My network is simple, a single IP C-Class with no vlan tagging. The network DNS, NameD & DHCP services are provided by a Raspberry Pi. I would love to use the RouterOS for NameD & DHCP but it does not allow the level of customisation I need. The internet gateway is a hAP ac2 and the WiFi access was upgraded from TP Link & Netgear AP's to use cAP ac's (ultimate goal is to get cAPsMan working but baby steps). The DHCP worked 100% with the generic AP's.
Do not understand about DHCP requests…
The Cap is not acting as a router solely as an AP switch and has no Firewall rules, no DHCP functionality… or anything…
Since you use pi for DNS, assuming that you direct your users to PI already so why did you deviate on the setup provided?
Assuming pi server is .250??
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d \
servers=10.1.1.250,208.67.222.123,208.67.220.123
it should be as presumably you direct all 10.1.1.0/24 subnet ( all users to PI somewhere else… ) on the MAIN router and devices etc. and therein lies the problem.
The capac is sending everything over the subnet gateway. How are you directing all subnet users to your PI on the MAIN router, whatever you are doing there should work for all CAPAC attached wifi devices…
Ensure you do this and see the results.
/ip dns
set allow-remote-requests=yes servers=10.1.1.254
Thank you for all your assistance. I am not sure why I needed to point the DNS to the gateway (hAP ac2) which other than being the gateway to the internet, does not provide services to the local network. I tried reading up on the RouterOS DNS options and still not sure (hence the delayed response - I wanted to understand not just blindly do)
Changing the cAPac “/ip dns” to a single IP pointing to the gateway did not resolve the issue unfortunately.
When connecting via the cAPac, it obfuscates/changes the MAC address provided in the DHCP request resulting in the incorrect DHCP options being provided.
Connecting via the cAP ac, the Raspberry Pi (DHCP Server) arp table shows the following which is not actual laptop MAC address nor any MAC I can find on the cAPac:
Connecting via the Netgear AP, arp table shows the following which is the actual laptop WiFi MAC Address and therefore the correct DHCP options are obtained:
But a question: are you sure it’s not your wireless device doing it? All recent iOS and android devices (including Samsung) by default use “anonymized” MAC addresses when connecting to yet-unknown wireless networks and one has to toggle to use device MAC address (that setting is per SSID).
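The reply above points at the usual culprit: phones and laptops that present a per-SSID "private" (randomized) MAC address, which a DHCP server keyed on hardware addresses can never match. Randomized addresses are distinguishable because the client sets the locally-administered bit (0x02 in the first octet). The following Python example is added here and is not from any post in this thread; it parses constructed `ip neigh`-style output, flags locally-administered MACs, and shows which clients would fall back to the DHCP server's default options instead of their intended per-MAC profile. The sample addresses, profile table and interface name are invented for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output in `ip neigh` format (not taken from the thread).
SAMPLE_NEIGH = """\
10.1.1.201 dev eth0 lladdr 5a:3f:0c:11:22:33 REACHABLE
10.1.1.202 dev eth0 lladdr b8:27:eb:12:34:56 STALE
10.1.1.203 dev eth0 lladdr d6:01:77:a9:c0:de REACHABLE
10.1.1.204 dev eth0 FAILED
"""

# Constructed per-MAC DHCP profile table, mimicking a server that hands out
# different DNS/option sets per hardware address (hypothetical values).
KNOWN_HOSTS: Dict[str, str] = {
    "b8:27:eb:12:34:56": "family",
}

# An IPv4 address at line start, then the first MAC-looking token on the line.
# Matches both `ip neigh` and `arp -n` style rows; header/FAILED rows are skipped.
MAC_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\b.*?\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b",
    re.IGNORECASE,
)


@dataclass
class Neighbor:
    ip: str
    mac: str
    locally_administered: bool


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02) of the first octet is set.

    Randomized client MACs (iOS/Android/Windows 'private address' features)
    set this bit. Caveat: some VM/container virtual NICs set it too, so treat
    a hit as 'not a burned-in address', not as proof of a phone.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_neighbors(text: str) -> List[Neighbor]:
    """Extract (ip, mac) pairs from neighbour-table text; rows without a MAC are dropped."""
    result = []
    for line in text.splitlines():
        m = MAC_RE.match(line.strip())
        if not m:
            continue
        mac = m.group(2).lower()
        result.append(Neighbor(m.group(1), mac, is_locally_administered(mac)))
    return result


def randomized_clients(text: str) -> List[str]:
    """IPs whose current MAC is locally administered, i.e. likely randomized."""
    return [n.ip for n in parse_neighbors(text) if n.locally_administered]


def profile_for(mac: str, known: Dict[str, str]) -> str:
    """Which DHCP profile a MAC-keyed server would apply; unknown MACs get 'default'."""
    return known.get(mac.lower(), "default")


def report(text: str, known: Dict[str, str]) -> Dict[str, str]:
    """Map each neighbour IP to the profile it would receive, for quick eyeballing."""
    return {n.ip: profile_for(n.mac, known) for n in parse_neighbors(text)}


if __name__ == "__main__":
    for n in parse_neighbors(SAMPLE_NEIGH):
        tag = "RANDOMIZED?" if n.locally_administered else "burned-in"
        print(f"{n.ip:<12} {n.mac}  {tag:<12} -> profile {profile_for(n.mac, KNOWN_HOSTS)}")
```

Run it against the real `ip neigh` (or `arp -n`) output of the DHCP host to see which clients are currently presenting a locally-administered address; those are the ones to check for a per-SSID "use device MAC" toggle before suspecting the AP.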
From your configuration export it looks like that your cAP ac (wave2 device) is still on the v6 line of RouterOS. With v7.13 it got a nice software refresh. Therefore the first thing to do is to Netinstall (there is a Mikrotik YouTube video about it) the current stable RouterOS v7 version on your device. It is an ARM based equipment, therefore you'll need the routeros-7.13-arm.npk and the wifi-qcom-ac-7.13-arm.npk packages from the extra packages (this one is to be uploaded via WinBox after the Netinstall). There are some hoops to jump through though during the process:
after downloading the required files (routeros-7.13-arm.npk ; all_packages-arm-7.13.zip ; netinstall64-7.13.zip or netinstall-7.13.tar.gz) connect your computer to a simple (not smart/managed aka dumb) switch, and the Eth1 port of the cAP ac to the same switch.
Make a photo of the label (containing its MAC address among other things) on the cAP ac as it may come handy down the road.
After the successful Netinstall, if the cAP ac is powered with PoE then connect a second patch cable to its Eth2 port, otherwise remove the patch cable from the Eth1 port of the cAP ac and connect it to its Eth2 port.
Log in to the cAP ac with WinBox. After that in the right side panel select System / RouterBOARD and click on the Upgrade button, then on the OK one.
In the right side panel select System / Reboot and click on the Yes button, then wait for the reboot of the cAP ac.
Log in to the cAP ac with WinBox. After that in the right side panel select Files, then click on the Upload button and find the wifi-qcom-ac-7.13-arm.npk file which you have extracted from the all_packages-arm-7.13.zip file and upload it.
In the right side panel select System / Reboot and click on the Yes button, then wait for the reboot of the cAP ac.
Log in to the cAP ac with WinBox. After that in the right side panel select System / Packages and make sure that you have two packages in the Package List namely: routeros and wifi-qcom-ac.
In the right side panel select System / Reset Configuration and tick the CAPS Mode and Do Not Backup checkboxes and make sure that the other two are not checked. Then click on the Reset Configuration button.
After the cAP ac restarted log in to the cAP ac with WinBox. Click OK to apply the default configuration and change the admin user’s password.
You may log out from the cAP ac, then disconnect it and also your computer from the simple switch. Connect your computer to the switch port it was connected to previously and connect the Eth1 port of the cAP ac to the switch/router port where you intend to use it in the long run.
Check in your DHCP server what address it has assigned to the cAP ac.
Read through the new WiFi part of the documentation to have an overview about the basics of the configuration options.
You may apply the below quick fix configuration before dwelling deeper (like upgrading both the HAP AC2 and RB433 with the above described method of Netinstall to v7.13 in order to make central management of WiFi and roaming possible with the new CAPsMAN, which can be found under the WiFi in the right side panel and /interface/wifi in the terminal).
Thank you. Selecting “Phone Mac” for the specific SSID fixed it for the phone. Resetting my laptop wifi (delete everything & recreate) seems to have fixed it as well; thank you greatly for everyone’s assistance.
As for running RouterOS7, I tried that on my refurbed cAPac and ended up jumping through major hoops to revert back to V6 as it was just too different, I could not get the WiFi working and really wanted to fix the first “issue” before creating a whole new one. Now that the problem has been resolved, I will follow the guidance and give V7 a try again