I’m new to MikroTik and router configurations, and I’m trying to set up my hAP ac2. My goal is to link:
Ether1 to WLAN1, and
Ether5 to WLAN2.
Each Ethernet port will connect to the modem with separate LAN cables. I’ve done some tests but haven’t achieved the results I wanted.
Any advice or guidance would be greatly appreciated. Thanks in advance for your support!
I would create 2 additional bridges.
bridgeWL1 and bridgeWL2
Both with protocol-mode=none (no rstp)
Then in bridge ports add ether1 to bridgeWL1 and move WLAN1 to bridgeWL1
and also move ether5 and WLAN2 to bridgeWL2
Remove the ip dhcp-client from ether1.
Remove or disable ether1 from the WAN interface list. (Probably not strictly required, it is only applicable when routing)
Then enable fast forward on these 2 new bridges.
Sorry, don’t know if it actually works with WLAN interfaces attached to the bridges…
No, switch chip in this case would not help. It only kicks in when passing traffic directly between two ethernet ports and that’s what @OP doesn’t want (as far as he explained in opening post). Yes, it would be possible to use single bridge, with VLAN tagging (so a vast complication compared to two “plain” bridges). And since all traffic to/from wifi interface has to be handled by CPU anyway (also all the bridge processing), using two bridges vs. using single bridge doesn’t add or save any CPU processing. Even more, adding VLANs to bridge actually adds slight processing overhead, so using VLAN-aware bridge is in this case slightly worse.
When it comes to two bridges: by all means only set IP address on single interface … the one you’d like to use for management. If you want to have remote management, then it’s one of bridges. Even better would be to use one of remaining 3 ethernet ports.
If you set IP address to more than one interface, then AP becomes router and you’ll have to make some effort to block routing.
Hi, thanks for your replies.
For the moment I’m running on 2 bridges, one for each wlan, with 2 sets of IPs for each wlan; that’s working fine.
The wlan1 is for accessing the interface.
The problem I have for the moment is that ether1 and 5 are working like backups for each other.
For example, all the traffic goes to ether5; in the middle of the traffic I disabled the port and all the traffic immediately went to ether1, and vice versa.
Or when there is a load spike, both bridges and ether1 and 5 share the same load.
I tried this in the middle of a speed test, enabling and disabling the port several times: no timeout and no connection loss at all.
Hi
You are suggesting to remove the dhcp from the bridge for wlan2 because the dhcp works different ip when connected to wlan1 and different for the wlan2.
How can I separate wlan2 to get only from the Ether5?
You should have NO dhcp (server or client) or ip address on either bridgeWL1 or bridgeWL2.
However this does make it difficult to manage.
If these 2 bridges and attached interfaces are the ONLY connected interfaces on the router, you can probably add a dhcp client to ONE of the bridges. If you have the other 3 ports connected in any way, I recommend you don’t add this dhcp client. But manage it via the other connection(s).
I would put the dhcp client on the bridgeWL1 bridge. (2.4GHz Radio traffic should be slower than the 5GHz radio)
And also disable fast forward on this bridge.
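The two-bridge layout suggested in the replies above, written out as RouterOS commands. This is an added example, not part of any post in the thread; it assumes the hAP ac2 default configuration as the starting point (wlan1, wlan2 and ether5 are ports of the default bridge, ether1 is the WAN port), and the last block is the optional management variant.

```routeros
# Added example. Assumes the default configuration as the starting point.
/interface bridge
add name=bridgeWL1 protocol-mode=none fast-forward=yes
add name=bridgeWL2 protocol-mode=none fast-forward=yes

/interface bridge port
# ether1 is not a bridge port by default, so it is added
add bridge=bridgeWL1 interface=ether1
# wlan1, ether5 and wlan2 are moved out of the default bridge
set [find interface=wlan1] bridge=bridgeWL1
set [find interface=ether5] bridge=bridgeWL2
set [find interface=wlan2] bridge=bridgeWL2

# ether1 no longer routes: remove its DHCP client and WAN list membership
/ip dhcp-client
remove [find interface=ether1]
/interface list member
remove [find interface=ether1 list=WAN]

# Optional, only when nothing else is connected to the router:
# management address via DHCP on bridgeWL1, with fast forward off on that bridge.
/interface bridge
set [find name=bridgeWL1] fast-forward=no
/ip dhcp-client
add interface=bridgeWL1 disabled=no
# The defconf input rule drops everything not arriving from the LAN list,
# so WinBox/SSH over bridgeWL1 also needs the bridge in that list:
/interface list member
add interface=bridgeWL1 list=LAN
```

Neither bridge gets an IP address or DHCP server, so the router only forwards frames between each Ethernet port and its radio; `/interface bridge port print` should then show ether1 with wlan1 and ether5 with wlan2.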
It is basically the default configuration, just the bridge for and dhcp for the other wlan; the ip sharing works fine.
I tried using vlan on bridge with tagging ether5,
or using ether5 like an interface for vlan, and some other tests, but no result.
Basically, on a speed test on 5g wlan2, if the total is 120mbps, 100 is on the ether5 and 20 on ether1.
# 2025-04-07 23:04:32 by RouterOS 7.12.1
# software id = KGAX-M1JK
#
# model = RBD52G-5HacD2HnD
# serial number = D7160D1F87A8
/interface bridge
add admin-mac=08:55:31:D1:E2:02 auto-mac=no comment=defconf name=bridge
add name=bridge5
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-D1E206 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-07 wireless-protocol=\
802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=Dhcp5 ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=6h name=defconf
add address-pool=Dhcp5 interface=bridge5 lease-time=6h name=dhcp1
/caps-man manager
set ca-certificate=auto certificate=auto
/interface bridge nat
add action=accept chain=srcnat out-interface=wlan2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 \
trusted=yes
add bridge=bridge5 ingress-filtering=no interface=wlan2 pvid=5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.99.1/24 interface=bridge5 network=192.168.99.0
/ip dhcp-client
add comment=defconf interface=ether1
add interface=ether5
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Tirane
/system note
set show-at-login=no
/system package update
set channel=development
/system routerboard settings
set cpu-frequency=716MHz
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether5 name=1 trigger=always
add interface=ether1 name=traf1 trigger=always
What you got at this point (without describing too much your current configuration):
bridge with interfaces ether2, ether3, ether4, wlan1 (without ether1),
bridge5 with interface wlan2 (without ether5),
interface list WAN with ether1, ether5,
masquerade to interface-list WAN.
So it will behave as you described with ports 1 and 5.
Do you need and what for interfaces ether2, ether3, ether4?
How exactly should it behave - devices connected to wlan1 should go out through ether1 and the devices connected to wlan2 should go out through ether5?
How should it behave when ether1 is down? All communication from wlan1 isn’t working? The same for ether5 and wlan2?