Connectivity issues between Router and AP

I’m having a strange connectivity issue with one of my two access points. Basically, it can’t talk to, or through, the router. This means no internet connectivity, so NTP doesn’t work, auto updates don’t work, etc. The network topology is pretty straightforward:

Router (MikroTik hAP ac) - 192.168.1.1
|
+--eth0--> uplink
+--eth2--> AP2 (wAP ac) - 192.168.1.21
+...
+--eth5--> AP1 (wAP ac, over PoE) - 192.168.1.20
+...

AP1 and AP2 have virtually identical configurations, aside from hostnames.

What doesn’t work:

  • AP1 cannot ping Router
  • AP1 cannot ping IPs on the internet (e.g. 8.8.8.8)

What does work:

  • AP2 can ping the Router and reach the internet
  • AP2 can ping AP1 and vice versa
  • My laptop, connected via AP1 or AP2, can ping both access points

Troubleshooting tried:

  • Double checked AP1 and AP2 configs to ensure no differences.
  • I set up firewall rules to log input and output ICMP on the router. The logs looked the same when both APs ping the router.
  • Firewall rules on AP1 log outgoing pings, but no incoming responses. So, it appears that somehow data is lost coming from the router to the AP?
  • I thought maybe a bad ARP table on the router could do this, but the router has the right MAC for AP1’s ethernet interface.

... and really, I have no more ideas. Any help greatly appreciated.

Can you post the outputs of the following CLI commands on the router:
/interface export hide-sensitive
/ip export hide-sensitive

The configs are up here: https://gist.github.com/akostibas/3fc10c98e7db568219e9f1945281ca14

I suspect it could be a NAT issue.
IMO, only the WAN router should have NAT enabled, and NAT on the attached devices should be disabled.
So, it could be an issue on that device OR it could be an issue on the AP1 device itself.

And: “/ip export” should also have exported the routes, but they are missing from your upload (btw, you can also use the Attach File button at the bottom of the posting).

Sorry, I don’t have these devices, so maybe someone else here has better insight in these devices.

And: recently there was a similar case where someone couldn’t get access to the MikroTik download servers from inside his device (for software update checking).
The somewhat mysterious solution was just this: adding the following firewall rule in the very first position of the input chain:
add action=accept chain=input connection-state=established,related
In your FW it’s in the 2nd position, so just try it out :), even if it looks IMHO illogical that this could be the cause or the solution.

Okay, my points. In summary, your config is all over the map and needs to be simplified and cleaned up greatly.

  1. Recommend you follow this reference to setup your vlans and wifi router.
    http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

  2. Use a separate vlan for the main network 192.168.1.1; just call it vlan100, for example.
    That way the bridge is not involved in DHCP etc., which makes it clean and simple…

  3. Use default firewall rules only for now; once the rest of your config is complete and working, we will adjust those accordingly.

  4. In wireless setup we do not put in the vlan information.

  5. In bridge port (ingress) we identify trunk ports and access ports (as per the reference). Also, don’t put in duplicates of the WLAN; there should only be three!

  6. You will need bridge vlan filtering rules (egress).

  7. In interface lists, you have way too many. I would dump them all and start with only what you need, and I only see a need so far for three (default WAN, LAN and a new one).
    Suggest using the existing LAN list and creating one more for the non-home use. It will come in handy when making firewall rules.
    vlan100=LAN
    vlan2=LAN
    vlan10=LAN
    vlan2=Untrusted
    vlan10=Untrusted

  8. Suggest making up an address list consisting of assets you as the admin will use to access the router - will also come in handy making fw rules.
    add address=IP(your desktop) list=adminaccess
    add address=IP(laptop) list=adminaccess
    add address=IP(ipad) list=adminaccess
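
The two suggestions above, the established,related rule in the first position of the input chain and the cleaned-up bridge/VLAN, interface-list and address-list layout of points 1 to 8, pulled together into one RouterOS configuration fragment. This is an added example, not from the thread or the linked gist. It assumes the diagram’s eth0/eth2/eth5 are ether1/ether2/ether5 on the hAP ac, that ether3 is a plain access port, that the two APs are fed as VLAN trunks, and that the admin hosts have the placeholder addresses 192.168.1.50 and .51; the VLAN IDs (100, 2, 10), the 192.168.1.0/24 network and the list names LAN, Untrusted and adminaccess are the ones named in the thread.

```routeros
# Added example: one bridge, VLANs on top of it, filtering turned on last.
# Interface names and the address-list entries are assumptions, not the OP's config.

/interface bridge
add name=bridge vlan-filtering=no comment="filtering is enabled at the end, once the vlan table exists"

# Point 2: the router's L3 interfaces live on VLAN interfaces, not on the bridge itself
/interface vlan
add interface=bridge name=vlan100 vlan-id=100 comment="main network 192.168.1.0/24"
add interface=bridge name=vlan2 vlan-id=2
add interface=bridge name=vlan10 vlan-id=10

# Point 5 (ingress): trunk ports to the APs carry tags, access ports get a pvid
/interface bridge port
add bridge=bridge interface=ether2 comment="trunk to AP2"
add bridge=bridge interface=ether3 pvid=100 comment="access port on the main network (assumed)"
add bridge=bridge interface=ether5 comment="trunk to AP1 (PoE)"

# Point 6 (egress): the bridge itself must be a tagged member so the vlan100 interface above works
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether5 untagged=ether3 vlan-ids=100
add bridge=bridge tagged=bridge,ether2,ether5 vlan-ids=2
add bridge=bridge tagged=bridge,ether2,ether5 vlan-ids=10

# Point 7: only three lists; WAN, LAN and one for the non-home vlans
/interface list
add name=WAN
add name=LAN
add name=Untrusted
/interface list member
add interface=ether1 list=WAN
add interface=vlan100 list=LAN
add interface=vlan2 list=Untrusted
add interface=vlan10 list=Untrusted

# Router address and DHCP on vlan100, so the bridge is not involved in DHCP
/ip address
add address=192.168.1.1/24 interface=vlan100
/ip pool
add name=pool100 ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add name=dhcp100 interface=vlan100 address-pool=pool100 disabled=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1

# Point 8: hosts allowed to manage the router (placeholder addresses)
/ip firewall address-list
add address=192.168.1.50 list=adminaccess comment="desktop (assumed)"
add address=192.168.1.51 list=adminaccess comment="laptop (assumed)"

# Input chain, established/related first as in the earlier reply, then the default-style drop
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp in-interface-list=LAN
add chain=input action=accept src-address-list=adminaccess in-interface-list=LAN comment="winbox/ssh/web only from admin hosts"
add chain=input action=drop in-interface-list=!LAN comment="drop everything else not from LAN"

# NAT only here on the WAN router; the two wAP units should have no srcnat rules at all
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# Only now, with ports, vlan table and the router's own address in place:
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
```

Order matters when applying this over a live management session: if the bridge is switched to vlan-filtering=yes before the vlan table lists the bridge itself as tagged for vlan100, the router’s own vlan100 interface stops receiving frames and the session is lost, which is why the set command is last. The same check applies on each wAP: its management VLAN interface must sit on the bridge, the uplink port must be tagged for it in the AP’s own bridge vlan table, and the AP must not carry a masquerade rule of its own.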

Thanks for the thorough review, I’ll go over all of these recommendations!

It’s no surprise to me that the config is a bit of a mess. It has grown over the years as I’ve learned and experimented on the device.