Create subnetwork from shared apartment router

Hello, I have MikroTik hap ac2. I am trying to create my sub-network in my studio from a shared apartment router. My aim is to have separate subnetwork within my house, where I can connect to Wifi and have Ethernet connections. I have added a diagram for my clarity on what I am trying to achieve.

mikrotikRouterdiagram721×392 36.7 KB

I am not knowledgeable on RouterOS, so I read the documentation of MikroTik and tried to follow some tutorials and ended up setting up Home AP Dual. But currently I am not receiving any connection, I tried pinging within the terminal of WinBox, and it fails as well.

edit1: Thanks jaclaz for heads up, here is my full configuration

# jan/02/1970 00:02:32 by RouterOS 6.46.8
# software id = ABCD-123
#
# model = RBD52G-5HacD2HnD
# serial number = ABCDEF12345
/interface bridge
add admin-mac=AA:AA:AA:AA:AA:AA auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-08337B wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-08337C \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

No, we need your full configuration, instructions here:

And some details on your physical/logical setup.

Which LAN/IP address(es) has the "Shared Apartment Router" (SAR)?
Does it run a DHCP server?

From what you write you want to have a different subnet for your devices, right?

If this is the case, then the AC2 will need to be configured with a LAN (a bridge with ports ether2-5 and wlan1 and wlan2) and a WAN (ether1 connected to the SAR).

Thank you for the reply. I have updated my post with full configuration. Regarding my physical setup:

• SAR is in the hallway managed by the building, ethernet cable comes from SAR to MikroTik ether1. Ether2 and Ether3 are connected to my devices and phone will connect to Wifi.
• SAR has LAN IP 192.168.1.1, it has DHCP server running. When MikroTik ether1 connects, it gets 192.168.1.26 via DHCP. When PC connects directly to SAR, it gets 192.168.1.14 and internet works fine.
• Yes, I want a separate subnet (192.168.88.0/24) for my devices behind the MikroTik.

So far what I’ve identified is, MikroTik successfully gets IP from SAR (192.168.1.26). MikroTik can ping SAR gateway (192.168.1.1) from terminal inside. MikroTik CANNOT ping 8.8.8.8 or any internet IP and traceroute stops immediately after gateway.

I hope this answers your questions. Thank you.

How did you configure DHCP client on AC2 ?
With or without Use Peer DNS ?

If without: use your own DNS settings on AC2.
If with, you should get DNS settings from SAR. Check IP DNS.

Full config would still be helpful ...

(moved bottom)

It is with Use Peer DNS. I have updated my post by editing and adding full configuration. If that doesn’t work, please let me know and I can comment it. Here is my DNS configuration:

[admin@MikroTik] > /ip dhcp-client print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; defconf
     interface=ether1 add-default-route=yes default-route-distance=1 use-peer-dns=yes 
     use-peer-ntp=yes dhcp-options=hostname,clientid status=bound address=192.168.1.26/24 

[admin@MikroTik] > /ip dns print
                      servers: 
              dynamic-servers: 192.168.1.1,192.168.1.1
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 34KiB
     gateway=192.168.1.1 dhcp-server=192.168.1.1 primary-dns=192.168.1.1 
     secondary-dns=192.168.1.1 expires-after=23h40m 

This is not default config to my knowledge.

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0

Should be interface=bridge.

Upload latest long-term with putting this file on root on Files menu.
https://download.mikrotik.com/routeros/6.49.18/routeros-arm-6.49.18.npk

after reboot, go to system/routerboard and Upgrade the firmware, then, without reboot,
go to system/reset configuration and select only "keep user configuration" and "Reset Configuration"...

After reboot the routerboard is exactly configured as your need, do not touch nothing,
except go on wireless and set on 2 wlans the SSID
and on security profiles / default profile set the password.

Do not use QuickSet, never.

Now you are exaggerating a bit, no ? Downgrade ?
Also, Quickset can have its use but only after full reset. Never again afterwards.

Downgrade???

# jan/02/1970 00:02:32 by RouterOS 6.46.8

6.49.18 is the last long-term...

and the user 6.46.8?

Oops, my mistake ! Didn't see that version there.
In that case you are fully correct to move to the suggested version.

The default configuration on 6.48.7 and up is identical to the user need, is better no trust at all QuickSet...

What the OP needs to know that even if he puts his own network behind the router, all this traffic eventually has to come out his WAN which is then on the LAN of the shared router. Its not like if he has a direct private line to the internet.

Thanks for the detailed explanation. I followed the steps to upgrade and reset. Unfortunately, I still can’t connect to the internet on Wifi or any Ethernet. Also, I can’t ping the 8.8.8.8 within the terminal still (Not entirely sure if this is relavant).

I am re-posting my full configuration after doing the steps you mentioned. I haven’t touched the QuickSet.

# jan/02/1970 00:10:54 by RouterOS 6.49.18
# software id = AAAA-AAAAA
#
# model = RBD52G-5HacD2HnD
# serial number = ABCDEF12345
/interface bridge
add admin-mac=AA:AA:AA:AA:AA:AA auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTikA wireless-protocol=\
    802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa2-pre-shared-key=123asdqwess
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

If you go to terminal and use
ip address print

What do you get ?

And you are sure ether1 is connected via cable to SAR ?

You must login, or in the past, you login your pc for use internet?

I get:

 #   ADDRESS            NETWORK         INTERFACE                                           
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge                                              
 1 D 192.168.1.26/24    192.168.1.0     ether1 

I double checked the connection. ether1 is connected via cable to SAR. I also checked if cable is working properly, but when I directly connect cable to my PC’s ethernet port, I can access the internet.

and results of /ip rou pri; /ip dns pri ?

For me it's the main router that blocks everything because it doesn't recognize the MAC or IP...

using wifi of SAR what IP get the PC/smartphone?

[admin@MikroTik] > /ip rou pri
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1               1
 1 ADC  192.168.1.0/24     192.168.1.26    ether1                    0
 2 ADC  192.168.88.0/24    192.168.88.1    bridge                    0

[admin@MikroTik] > /ip dns pri
                      servers: 
              dynamic-servers: 192.168.1.1,192.168.1.1
               use-doh-server: 
              verify-doh-cert: no
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 64KiB

No I haven’t logged in. Previously someone else came to set this up for my studio and I had this working for years. Recently, I changed where my MikroTik and PC are located within my room. After setting everything up, I think MikroTik went to default mode or something, as nothing was able to re-connect. I also don’t have any login credentials for the login to SAR.