cAP Lite as a "Dumb AP"

SOLUTION:
WispAP quickset mode

Hello all!

A friend of mine has given me a Mikrotik cAP Lite and I want to add a wireless network to my OPNsense lab, thus I am posting here. I am struggling to get my head around converting the AP into a ‘dumb’ AP of sorts, one without VLAN tagging, a DHCP server (OPNsense will provide the leases) and how I would administer the AP on MGMT network while it is transmitting the LAN/WLAN network.

This is a rudimentary network diagram:

OPNsense Box
eth0 - WAN
eth1 - LAN 192.168.0.1/24 DHCP
eth2 - WLAN 192.168.0.1/24 (Clients connected to this are on 192.168.0.1/24 - DHCP provided by OPNsense - Webfig access on 192.168.99.1?)
^^^^ This is the cAP lite
eth3 - MGMT 192.168.99.1/24 DHCP

I’m pretty new to MikroTik hardware and RouterOS, but have read the manual. I just need some pointers as to what I should be disabling and how to prevent lockouts. Thanks in advance and have a nice day!

P.S. The lab does not have VLAN tagging yet, but I would also like to know how to implement that. If you have any guides to this or recommendations while keeping the AP as dumb as possible, please let me know!

Basic steps:

  • use Winbox for access since it allows MAC access if you mess up IP settings
  • remove all firewall rules on filter and NAT tabs (this will prevent your lockout already)
  • all ports to bridge except ether2
  • IP address of device connected to bridge (don’t forget route settings then!) or DHCP client to bridge (like you want, use fixed DHCP assignment on your router so it always gets the same IP)
  • setup wireless
  • make sure those wireless interfaces are also added to bridge
  • setup ether2 like you want (own IP address etc etc)

OPTION 1 - DUMB AP, single SUBNET. Static IP address assigned to caplite is 192.168.0.X

/interface bridge
add name=bridge1
# interface list referenced by the discovery, list member and mac-winbox sections below
/interface list
add name=LAN
/interface bridge port
add bridge=bridge1 interface=ether1 comment="connected to upstream router"
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge1 list=LAN
# replace X with the static host address chosen for the AP
/ip address
add address=192.168.0.X/24 interface=bridge1 network=192.168.0.0
/ip dns
set servers=192.168.0.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1
# Winbox only from the LAN subnet, MAC telnet off, MAC Winbox only via the LAN list
/ip service
set winbox address=192.168.0.0/24
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

OPTION SMART AP (two vlans) - address assigned to caplite on management network is 192.168.99.Y, management vlan is 99, wifi vlan 10

# vlan-filtering=yes on the bridge is added at the very end
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=Mgmt-V99 vlan-id=99
/interface list
add name=TRUSTED
# ether1 is the tagged trunk; each wireless interface is an untagged access port
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk to router"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=wifi1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 untagged=wifi2 vlan-ids=99
/interface list member
add interface=Mgmt-V99 list=TRUSTED
# replace Y with the static host address chosen for the AP
/ip address
add address=192.168.99.Y/24 interface=Mgmt-V99 network=192.168.99.0
/ip dns
set servers=192.168.99.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1
# Winbox only from the management subnet, MAC telnet off, MAC Winbox only via TRUSTED
/ip service
set winbox address=192.168.99.0/24
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
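
An added example, not part of the original posts: a small Python check that reads a configuration laid out like the two above and reports interface lists that are referenced but never created, plus missing Winbox and MAC-server restrictions. The sample config is constructed, and the built-in list names and the `all` default for the MAC server lists are assumptions about RouterOS defaults.

```python
import re

# Constructed sample: the list that is created (TRUSTED) is deliberately not
# the list that the later sections reference (LAN).
SAMPLE = """\
/interface list
add name=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge1 list=LAN
/ip service
set winbox address=192.168.0.0/24
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
"""

BUILTIN = {"all", "none", "dynamic", "static"}  # assumed predefined lists
REF = re.compile(r"\blist=(\S+)")  # list=, allowed-interface-list=, discover-interface-list=

def audit(config):
    """Return findings for a config given as menu lines followed by add/set lines."""
    menu, defined, refs, seen = "", set(), [], {}
    for line in (l.strip() for l in config.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # remember which menu the following commands belong to
            continue
        if menu == "/interface list" and line.startswith("add "):
            defined.update(re.findall(r"\bname=(\S+)", line))
        if menu == "/ip service" and line.startswith("set winbox"):
            seen["winbox"] = bool(re.search(r'\baddress=[^"\s]', line))
        for m in REF.finditer(line):
            refs.append((menu, m.group(1)))
            if menu.startswith("/tool mac-server"):
                seen[menu] = m.group(1)
    findings = [f"{where}: interface list '{name}' is never defined"
                for where, name in refs if name not in defined | BUILTIN]
    if not seen.get("winbox"):
        findings.append("/ip service: winbox has no address= restriction")
    if seen.get("/tool mac-server", "all") != "none":  # assumed default: all
        findings.append("/tool mac-server: MAC telnet is not set to 'none'")
    if seen.get("/tool mac-server mac-winbox", "all") == "all":
        findings.append("/tool mac-server mac-winbox: allowed on all interfaces")
    return findings
```

Running `audit()` over a config before pasting it into the AP catches a mismatched list name, which would otherwise leave MAC Winbox, the recovery path the first reply relies on, bound to a list that does not exist.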

Very similar approach to above except I tend to factory reset without a default configuration and then:

  1. Add a bridge
  2. Add all ports to the bridge (wired & wireless)
  3. Add DHCP client to bridge
  4. Add security profile for Wi-Fi
  5. Configure 2G and 5G wireless

Only disadvantage of this approach is that setting up the Wi-Fi from default can be a bit involved.