Cisco AP does not initiate connection but maintains it

Hi,

I have a hAP ac2 running RouterOS 6.49.2. Using help from this forum I have set up two VLANs. I have a Cisco AP connected on ether2 to extend the Wi-Fi range. The MikroTik and the Cisco have identical Wi-Fi AP names.

My problem is that I am not able to initiate a connection through the Cisco; I first have to move to within range of the MikroTik and join the network there. Once the connection is established, the Cisco takes over and provides connectivity.

Below is my config.

# feb/08/2022 13:26:25 by RouterOS 6.49.2
# software id = 6HDN-PW96
#
# model = RBD52G-5HacD2HnD
# serial number = C6140D94xxx
#
# Reviewer notes below are comments only; every observation refers to the
# lines of this export as posted (secrets already redacted as xxx/yyy).
/interface bridge
# Single VLAN-aware bridge (vlan-filtering=yes); spanning tree is off
# (protocol-mode=none), so a loop via the Cisco AP would not be blocked.
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
set [ find default-name=ether4 ] comment="Connected to SRV-ROTOR"
# ether5 is disabled here but is still added as a bridge port further down.
set [ find default-name=ether5 ] comment="Not used" disabled=yes
/interface wireless
# Both radios advertise ssid=NETNET-AP; the post says the Cisco AP uses the
# same name. No security-profile= is given on the master interfaces, so the
# "default" profile from /interface wireless security-profiles appears to
# apply (confirm on the device).
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=malta disabled=no frequency=2442 mode=ap-bridge ssid=NETNET-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
    ssid=NETNET-AP
/interface vlan
# Router-side L3 interfaces for the two VLANs (10 = SOHO/internal, 20 = guest).
add interface=BR1 name=GUEST_VLAN vlan-id=20
# NOTE(review): proxy-arp is enabled on SOHO_VLAN only; it is commonly paired
# with the all-ppp <-> SOHO_VLAN forward rules below so VPN clients can be
# reached from the LAN -- confirm that this is the intent.
add arp=proxy-arp interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
# WAN and VLAN are referenced by the firewall; BASE scopes neighbor discovery
# and the MAC-server/MAC-winbox services (see the end of this export).
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
# All three profiles are WPA2-PSK only (no WPA1, no EAP); keys redacted.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=\
    xxx
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik wpa2-pre-shared-key=xxx
# Profile "Base" is defined but is not referenced anywhere else in this export.
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik wpa2-pre-shared-key=xxx
/interface wireless
# Guest virtual APs on each radio, using the "guest" profile. wps-mode=disabled
# is set here but not on the master interfaces above (they keep the default).
add disabled=no mac-address=0A:55:31:2B:xx:xx master-interface=wlan1 name=\
    wlan1-guest security-profile=guest ssid=NETNET-GUEST wps-mode=disabled
add disabled=no mac-address=0A:55:31:2B:xx:xx master-interface=wlan2 name=\
    wlan2-guest security-profile=guest ssid=NETNET-GUEST wps-mode=disabled
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
# VPN_POOL is handed out by the vpn_profile PPP profile below.
add name=VPN_POOL ranges=192.168.15.2-192.168.15.99
/ip dhcp-server
# One DHCP server per VLAN, bound to the router-side VLAN interface.
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
add local-address=192.168.15.1 name=vpn_profile remote-address=VPN_POOL
set *FFFFFFFE use-upnp=no
/interface bridge port
# ether2 (Cisco AP) is a hybrid port: pvid=10 puts untagged frames into VLAN 10,
# and VLAN 20 arrives tagged (see /interface bridge vlan). Unlike every other
# port it has no frame-types restriction, so tagged frames are admitted. The
# replies in this thread suggest making it a pure trunk (tagged 10 and 20, no
# untagged VLAN) instead.
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=10
# All remaining ports accept only untagged/priority-tagged frames and are
# access ports: VLAN 10 for wired ports and the main radios, VLAN 20 for the
# guest virtual APs.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2-guest pvid=20
# ether5 is disabled in /interface ethernet; it is still a VLAN 10 member here.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=10
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) only on the BASE list, i.e. SOHO_VLAN.
set discover-interface-list=BASE
/interface bridge vlan
# VLAN 10: tagged only toward the bridge CPU port, untagged on ether2-4 and
# both main radios. VLAN 20: tagged toward the CPU and ether2 (Cisco AP),
# untagged on the guest virtual APs.
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
/interface list member
add interface=ether1 list=WAN
# Both VLAN interfaces are in list VLAN. The input-chain "Allow VLAN" rule
# below therefore gives the guest network the same access to the router's
# own services as the internal network; BASE (used for discovery and the
# MAC servers) contains SOHO_VLAN only.
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=SOHO_VLAN list=BASE
/interface ovpn-server server
# OpenVPN server; client certificates are required in addition to the PPP
# secrets below. NOTE(review): auth=sha1 is the HMAC digest -- if this
# RouterOS version offers sha256 for the OVPN server, prefer it.
set auth=sha1 certificate=cert_export_server.crt_0 cipher=aes256 enabled=yes \
    require-client-certificate=yes
/ip address
# Static public /27 on ether1 (redacted).
add address=xxx.yyy.zzz.aaa/27 comment="Fixed IP provided by ISP" interface=\
    ether1 network=yyy.zzz.mmm.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server lease
# Static lease on the SOHO server; the client-id suggests a switch/AP
# management VLAN interface -- presumably the Cisco AP, confirm.
add address=192.168.16.250 client-id=0024.7385.723a-Vlan-interface1 \
    mac-address=00:24:73:85:xx:xx server=SOHO_DHCP
/ip dhcp-server network
# Each VLAN is told to use the router itself as DNS server and gateway.
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=10.0.20.1 gateway=\
    10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.16.1 \
    gateway=192.168.16.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for the LAN. It is
# not an open resolver toward the internet only because the input chain has
# no WAN accept for port 53 and ends in a drop -- keep that rule order.
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8,8.8.4.4
/ip firewall filter
# --- input chain (traffic to the router itself) ---
# OpenVPN on tcp/1194 is accepted from any interface: the comment says "from
# WAN" but there is no in-interface-list=WAN match on the rule.
add action=accept chain=input comment="Allow OpenVPN from WAN" dst-port=1194 \
    protocol=tcp
# No action= is given; a RouterOS filter rule defaults to accept, so all ICMP
# from every interface (WAN included) is accepted here.
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Allow Establised and Related Connections" connection-state=\
    established,related
# Accepts everything from both VLANs (list VLAN includes GUEST_VLAN), i.e.
# DNS and DHCP but also any management service left at its default in
# /ip service. A reply in this thread recommends narrowing the guest side
# to DNS/DHCP and allowing management only from an admin address list.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# No connection-state=invalid drop precedes this; the default config has one
# in both chains (raised by a reply in this thread).
add action=drop chain=input comment=Drop
# --- forward chain (traffic through the router) ---
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
# Each VLAN may open new connections toward WAN only; there is no rule
# accepting VLAN 10 <-> VLAN 20 traffic, so it falls through to the final drop.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Accepts any connection that went through dst-nat. NOTE(review): the dst-nat
# rules below match on dst-address only (no in-interface), so a guest-VLAN
# client addressing the public IP would also match them and be accepted here;
# confirm whether that cross-VLAN reach to the published hosts is wanted.
add action=accept chain=forward connection-nat-state=dstnat
# VPN clients (all-ppp) and the internal VLAN may reach each other.
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    in-interface=all-ppp out-interface=SOHO_VLAN
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    in-interface=SOHO_VLAN out-interface=all-ppp
add action=drop chain=forward comment=Drop
/ip firewall nat
# Hairpin NAT so internal hosts can use the public IP for the published
# services; the matching rule only covers 192.168.16.0/24, not the guest VLAN.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
# Published services (reachable from the whole internet on the public IP):
# 80/443 -> .4, 5552 -> .5:22 (SSH), 52400 -> .8:32400 (Plex), 8080 -> .5
# (BlueIris). None of these rules restricts the source. Reviewer suggestion:
# since OpenVPN is already set up, SSH and the BlueIris UI could be reached
# over the VPN instead of being published, or at least limited with a
# src-address-list.
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.aaa \
    dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.aaa \
    dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-address=xxx.yyy.zzz.aaa \
    dst-port=5552 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-address=xxx.yyy.zzz.aaa \
    dst-port=52400 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
add action=dst-nat chain=dstnat comment=BlueIris dst-address=xxx.yyy.zzz.aaa \
    dst-port=8080 protocol=tcp to-addresses=192.168.16.5 to-ports=8080
/ip route
# Default route via the ISP gateway (redacted).
add comment="ISP gateway" distance=1 gateway=ccc.ddd.eee.fff
/ip service
# ftp, api and api-ssl are disabled. The other services (telnet, www, ssh,
# winbox, www-ssl) are not touched in this export and keep their defaults;
# via the "Allow VLAN" input rule they are reachable from the guest VLAN too.
# Consider disabling telnet and restricting the rest with address=.
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# Per-user OpenVPN credentials (passwords redacted); a client certificate is
# also required by the server settings above.
add comment="IP Address Assigned to user" name=chribonn password=\
    xxx profile=vpn_profile service=\
    ovpn
add name=connie password=yyy profile=\
    vpn_profile service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
# MAC-telnet and MAC-winbox are limited to the BASE list (SOHO_VLAN only),
# so the guest VLAN cannot use them.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Thanks

Probably a problem with your INPUT firewall rules with respect to the VLAN setup on the Cisco, or with the definition of the interface lists used in the firewall.
If you temporarily allow, for debugging purposes, all new/established/related connections in the INPUT chain that do not come from WAN (!WAN), does it work then?
I think your forward chain does work, as does the input chain from the hAP itself, so once connected you can move to the Cisco. But probably DHCP / broadcast traffic does not
get through because of a firewall rule.

@WeWiNet can you please share the INPUT chain rule?

Weird — so your setup tells me two things.

a. your LAN switch is a ‘dumb’ switch, otherwise ether3 would be a trunk port.
and
b. for some unknown reason, the Cisco is incapable of accepting two VLANs on a trunk and thus you are forced to use a hybrid port setup???
(vlan 10 untagged and vlan11 tagged).

c. WHY do you let the guest VLAN access the router??

add action=accept chain=input comment=“Allow VLAN” in-interface-list=VLAN

What I am suggesting you need is the following…
add action=accept chain=input src-address-list=Admin dst-port=winboxport
where firewall address list
add address=IP of admin desktop list=Admin
add address=IP of admin laptop list=Admin
add address=IP of admin ipad list=Admin
etc,

Everyone else needs only basic router services, so provide ONLY those:
add chain=input action=accept dst-port=53 protocol=tcp in-interface-list=VLAN
add chain=input action=accept dst-port=53 protocol=udp in-interface-list=VLAN
Then drop everything else!!

d. why have you removed the "drop invalid" traffic rules on both the input and forward chains? They are in the default config??

The network has 2 VLANS (10 - Internal and 20 - Guest).

The Cisco can handle traffic for both VLANs, provided a connection has been established beforehand.

With the exception of ether2, all other wired ports are to handle only VLAN 10. Ether2, which is connected to the Cisco, needs to handle both VLAN 10 and 20. I am not sure I understand why the switch needs to be configured.

Regarding the other suggestions: I will try them out and report back.

No worries about the switch; it was just an observation.
As for the Cisco AP, there should be no pvid on ether2.
No untagging for it — just tagged for VLANs 10 and 20 is what I am saying.