I recently purchased both a wAP ax WiFi Router (wAPG-5HaxD2HaxD-US) and a RB5009UG+S+IN Router Board.
I am using a ARRIS Surfboard S34 DOCSIS 3.1 Multi-Gigabit Cable Modem.
I am new to networking but not to computers.
The reason I bought two, or the plan, was to further isolate and have individual control between my Ethernet-connected computers and my WiFi-connected devices, primarily for VLAN setup, general monitoring, and hard-reboot isolation.
First, I set up the WiFi router and was able to get WiFi access. Then, I went to set up the Router Board but this is where my issues began.
I originally had each Router connected to the modem as it has two ports. I learned that despite it having two ports this was not the most optimal as I only have one ISP provided IP address. My provider is Comcast Xfinity.
After the two routers conflicted and caused each other not to provide internet access, depending on which one booted first, I then tried plugging my WiFi router into my Router Board to let it pass the internet through and let the Router Board handle address assignment.
Since then, I have not been able to log into the WiFi Router when it is plugged into the Router Board neither through the address I assigned it of 192.168.88.2 nor the one that the Router Board has assigned to it in order to try and change configurations. I can only access it by turning off my Router Board and rebooting the modem.
When the WiFi Router is turned on and plugged into the Modem or the Router Board I can see the WiFi networks but can only connect without internet or not connect at all.
Could someone provide me the proper sequence of steps for allowing my Router Board to pass through internet to the WiFi Router, while the WiFi Router can still be logged into separately as the MikroTik device that it is, to manage the various WiFi networks (5 GHz, 2 GHz, and Guest)?
I assume I will have to turn the router board back off, plug the WiFi Router into the modem to gain configuration access, and then set it into Bridge mode and turn off DHCP correct? I am just unsure which extra steps the router board will need and if the WiFi router will need anything additionally changed.
Is there a way to have both routers connected to the modem while maintaining internet access without needing to run one through the other? This would allow me to further isolate and ensure no dependency between them in the event that I need to hard reboot one while the other remains functional, especially during all of this setup. However, I do not have the ability to purchase a second ISP IP in my area.
I appear to have bitten off more than I can chew, as this is my first time setting up my own router system. I have been trying to look for answers online, but nothing is ever quite clear, or both router instances have wlan / WiFi capabilities in the tutorials.
It seems to me like the first thing you should do is to get Winbox (the dedicated program to manage Mikrotik gear) and use it instead of what you are using now (I presume browser, i.e. webfig). https://mikrotik.com/download
One of the distinctive advantages of Winbox is that it can usually connect to a MikroTik device through a dedicated protocol that allows access to devices via their MAC (as opposed to their IP).
In many cases (of mis-configuration) the IP may become unreachable, whilst MAC access is still possible (but you need to always be careful anyway, as it is relatively easy to lock oneself out of even Winbox/MAC access).
Then, follow this: http://forum.mikrotik.com/t/forum-rules/173010/1
and post your current configurations of both the wAP ax and RB5009.
The 5009 should be connected to the modem.
The hAP should be connected to the 5009.
The hAP should ideally, or most simply, be set up as an AP/switch with no DHCP responsibilities (done on the 5009).
When planning the network, ensure you have a diagram; it will help.
- identify all users/devices (external/internal, including admin)
- identify all the traffic required.
Yes, I downloaded Winbox last night and began to use that.
I was following some additional router hardening guides online such as turning off some unnecessary ports.
However, as of waking up I was greeted to more bad news and have spent the last 4 hours trying to troubleshoot to no success.
My router board was no longer getting internet and it was no longer being found on Winbox or my Ethernet network.
When I tried to plug the MikroTik wAP ax router back in to see if I could get it set back up for some temporary internet while trying to figure out why the router board was no longer working, I found that it too was no longer providing internet, could no longer be accessed by Ethernet, and was no longer broadcasting the 5 GHz WiFi. Attempting the factory-reset procedure of holding down the button until the user LED flashed did not return the device to factory defaults and appears to have bricked it, as now not even the default MikroTik WiFi signal shows for it.
I am going to attempt to factory reset the Arris Surfboard Modem S34 too as I am wondering if something happened to that and it is no longer providing internet to said routers.
However, I cannot do this until next weekend as I need my internet for the week to do remote work.
I know it is not my internet connection as when I returned to using the Xfinity Modem + Router everything came back online.
Thanks, yes this confirms for me on the correct order.
However, I had set up the wap first and that now appears to be part of the problem as both devices were trying to act as full routers.
I at one point was able to turn the dhcp off for the wap and had it plugged into the final Ethernet port on the 5009 but even with that the WiFi never came back up nor was I ever able to access it through its port of Winbox again.
Since then I have encountered more issues merely from going to bed and waking up to nothing working (read my previous response post).
Any thoughts from either of you as to why internet would have dropped overnight?
Clearly it is not the internet connection itself from the ISP side, as I am still getting connections, and it is not the coax cable. Perhaps the Arris Surfboard is what needs the factory reset next? But this would not explain why the wAP did not return to factory defaults and show up as a MikroTik WiFi access point again after the reset button.
Take the extra port off the bridge and do all your configuration from there safely.
Give the port an IP address, and use the IPv4 settings on your laptop to access the port and the router.
Gotcha, I will make sure everything else is unplugged on ethernet except for a spare laptop with WinBox installed.
I am going to factory reset the Modem and the 5009. I had the Modem + 5009 working to give everything Ethernet internet but then everything stopped working this morning. My concern is that it will occur again.
I will work on a full diagram of all devices. I will find somewhere to fully design it up so that I can post it here too. I am going to read over both linked documents and some other guides.
I will not try again until I have that first.
Note: where you have set up:
/interface ethernet
set [ find default-name=etherX ] name=OffBridgeX
/ip address
add address=192.168.77.1/24 interface=OffBridgeX network=192.168.77.0
/interface list member
add interface=OffBridgeX list=LAN
add interface=OffBridgeX list=TRUSTED
--> the TRUSTED membership is for later, when designating a management VLAN or trusted VLAN; create the associated interface list name first.
++++++++++++++++++++++++++++++++++++++++++
/ip firewall filter
# forward chain
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# add additional allow rules here: admin to all VLANs, all users to the shared printer, etc.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
The first is what my current plans are based on physical hardware locations within my place and which hardware I currently have.
This would be the initial end goal although the Windows Computers may be on the same Ethernet port as the Proxmox Server and other Small Computers while attempting to get the Wifi up.
The second is what I would plan for after I get smart managed switches and physically move some hardware around.
I will attempt to get the Arris Modem and Mikrotik Routerboard up and running within the following days. It is hard to work during the week when I have to work remote all day and handle additional projects/activities at night.
If there is anything structure wise that needs to be changed due to my still new understanding of certain aspects, such as vlan position or what should handle the vlans, then please let me know.
A plan is a great start, ensure you capture all the traffic requirements such as vlan to vlan, shared printer etc, ( external incoming, any port forwarding or vpns → at least wireguard so you as admin can remote in to the router )
You need either a trusted vlan ( home ) or create one specific just for management purposes ( all smart devices get an IP on this subnet for example ).
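The off-bridge management port, the TRUSTED list and the forward chain sketched in the earlier reply, plus the trusted/management VLAN this post calls for, pulled together into one RB5009 configuration. This is an added example, not anything posted in the thread: the "bridge", "LAN" and "WAN" names match the RB5009 export the original poster later shares, while the choice of ether8 as the off-bridge port, ether6 as the cable to the access point, VLAN IDs 10 and 20, the subnets, the DNS/ICMP allowances and the Winbox port number are all assumptions. It also replaces the defconf IPv4 filter rules (the IPsec defaults included) rather than stacking on top of them.

```routeros
# RB5009 side: off-bridge management port, trusted/management VLAN, isolated IoT VLAN,
# and the forward chain from the earlier post with the "admin to all vlans" rule filled in.
# Added example, not the thread's own config. Port, VLAN ID, subnet and port-number
# choices are assumptions; "bridge", "LAN" and "WAN" are the names from the export.
# Apply it while connected to the off-bridge port so a mistake cannot lock you out.

# 1. ether8 leaves the bridge and gets a fixed address. A laptop set to
#    192.168.77.10/24 on that port always reaches the router, whatever the bridge does.
/interface bridge port
remove [ find interface=ether8 ]
/interface ethernet
set [ find default-name=ether8 ] name=OffBridge8 comment="emergency management"
/ip address
add address=192.168.77.1/24 interface=OffBridge8 network=192.168.77.0
/interface list
add name=TRUSTED
/interface list member
add interface=OffBridge8 list=LAN
add interface=OffBridge8 list=TRUSTED

# 2. VLAN 10 (management, trusted) and VLAN 20 (IoT) ride tagged on ether6, the cable
#    to the access point. Untagged traffic on the bridge stays in VLAN 1 (192.168.88.0/24).
/interface bridge vlan
add bridge=bridge tagged=bridge,ether6 vlan-ids=10
add bridge=bridge tagged=bridge,ether6 vlan-ids=20
/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-iot vlan-id=20
/interface list member
add interface=vlan10-mgmt list=LAN
add interface=vlan10-mgmt list=TRUSTED
add interface=vlan20-iot list=LAN
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20-iot network=192.168.20.0
/ip pool
add name=pool-mgmt ranges=192.168.10.100-192.168.10.199
add name=pool-iot ranges=192.168.20.100-192.168.20.199
/ip dhcp-server
add address-pool=pool-mgmt interface=vlan10-mgmt name=dhcp-mgmt
add address-pool=pool-iot interface=vlan20-iot name=dhcp-iot
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
# Turn filtering on only after the VLAN table above exists.
/interface bridge
set bridge vlan-filtering=yes

# 3. IPv4 filter, replacing the defconf rules. Only TRUSTED may manage the router;
#    every LAN still gets DNS from it. With "drop all else" last, VLAN 20 reaches the
#    internet but not VLAN 1 or VLAN 10, and VLAN 1 cannot reach VLAN 20 either.
/ip firewall filter
remove [ find comment~"defconf" ]
add chain=input action=accept connection-state=established,related,untracked comment="accept established"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for clients"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="DNS for clients"
add chain=input action=accept in-interface-list=TRUSTED comment="management from trusted only"
add chain=input action=drop comment="drop all else to the router"
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="internet traffic"
add chain=forward action=accept in-interface-list=TRUSTED comment="admin to all vlans"
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"
add chain=forward action=drop comment="drop all else"

# 4. Management plane: non-default Winbox port bound to the trusted subnets, and
#    MAC-Winbox / neighbor discovery only on TRUSTED interfaces.
/ip service
set winbox port=58291 address=192.168.10.0/24,192.168.77.0/24
/tool mac-server
set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
```

The two DNS rules in the input chain are the check people most often forget: once "drop all not coming from LAN" becomes "drop all not coming from TRUSTED", clients on VLAN 1 and VLAN 20 would lose name resolution without them. The forward chain needs no explicit VLAN-to-VLAN drop because nothing accepts LAN-to-LAN traffic except the TRUSTED rule; an admin on VLAN 10 or the off-bridge port reaches everything, and no other segment reaches anything but the internet.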
Hello,
I took the time and was able to get my Modem and Mikrotik Routerboard both back up. I set the Routerboard back to defaults and used quick set up which applied some initial firewall rules.
I have since performed some hardening such as disabling unused ports/services, updating passwords, making an admin alt, and more.
Here is a picture of the default firewall settings, which of your previously mentioned firewall rules still need to be added and which defaults should be updated?
My next step is the WiFi router which is where I believe will require the majority of the help. However, I will not be setting that up until tomorrow
I plan to set up vlan only after I can get the WiFi working for my devices.
All vlan devices should not be able to talk to each other as they already have remote website monitors and will have a single rpi on each as a direct hardware monitor when necessary.
Printer wise it will also be handled by the 5GHz network as it is a WiFi model or at the most for wired it is USB based.
I would not want any devices besides my laptop, two windows desktops, and my primary phone to have access to log into the router.
I plan to have the wifi router itself be assigned a vlan to ensure that wifi and its devices are further isolated from being able to see the LAN devices.
I have attempted Wifi Router setup again.
The wifi router appears on WinBox. However, I can only connect to it through the MAC address.
My router board shows an IP for the WIFI router on its side however it is always stuck as unreachable. I attempted to set the WIFI router to be static to make use of 192.168.88.2 since the router is 192.168.88.1. This changed it to say “Permanent” however it still appears to be unreachable.
However, on WinBox the WIFI router sometimes comes up twice. Once as 192.168.0.91 and rarely in addition as 0.0.0.0. However, neither of these IPs ever work for WinBox login, the second one more obvious as to why it would not.
I have tried to assign the WIFI router’s Local Network IP Address for the WIFI router to 192.168.88.2 but this does nothing. I would assume I need to keep the address acquisition set to automatic but perhaps I need to set it to PPPoE or Static and assign to 192.168.88.2?
Additionally, under the Interface tab I can see the wifi local bridge, ether1, ether2, lo, and the wifi channels. I can see traffic on ether1, which is the port by which the router is connected to the router board's port 6. However, the 4 wifi channels (5 GHz, 2 GHz, and the guest network 5+2) all show as "no connection to CAPsMAN".
When I go to set up the Wifi it will state “Action WPS Accept failed, interface must be running.”
When I connect additional ethernet devices to the network my router board will fail to reach or connect to them. These devices will have IPv4 address and Ipv4 DNS Server assignment in line with the WIFI’s automatic gateway assignment of 192.168.10.2 rather than my router board gateway.
I know this because after I unplug the Wifi Router, reboot any devices with this issue, it will have to perform a Network Diagnostic where the problem is “Ethernet doesn’t have a valid IP configuration.” and then I will be able to get ethernet internet access off my router board once again.
What do I need to do on the router board and the wifi router to get it to stop trying to assign IPs to ethernet devices upstream on the router board, stop it from acting as the assigning gateway, and just have it handle the wifi and have the wifi turn on?
Should I put the wifi router onto a vlan first in order to cut it off from seeing the other ethernet based devices and avoid these issues during the initial setup for it?
Is there a place or way I can upload each of the scrubbed router rsc files here for you to review?
I was able to work with the wifi router more and I was able to get its dhcp and dns server to co-operate with the router board in order to prevent those ethernet network collisions.
For some reason the wifi router's automatic/dynamic DHCP and DNS were improper and not the same as the router board's. They were other random local IP addresses.
Once you let me know the best way to upload the scrubbed files I will reply. However, I will likely be turning off the wifi router for now and heading to bed soon.
Thanks again for your help.
You can copy and paste those configurations on the board, only, please put them inside “code” tags, the button that looks like a fat dot inside square brackets or as </>, see: http://forum.mikrotik.com/t/forum-rules/173010/1
Most of us simply connect via mac address, just click on the mac address and done.
If you want to use the IP address, ensure you also put in the port number for Winbox. If left at the default it is not required, but I never use the default LOL
# 2024-12-04 23:20:54 by RouterOS 7.16.2
# software id = Z2LI-E6M6
#
# model = RB5009UG+S+
# serial number = #######
/interface bridge
add admin-mac=########## auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp port=##
set www disabled=yes
set ssh port=##
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=######
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Here is the wifi router config:
# 1970-01-02 00:36:28 by RouterOS 7.16.2
# software id = 576J-QYRH
#
# model = wAPG-5HaxD2HaxD
# serial number = #######
/interface bridge
add admin-mac=########## auto-mac=no comment=defconf name=bridgeLocal
/interface list
add name=WAN
add name=LAN
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# no connection to CAPsMAN
set [ find default-name=wifi1 ] configuration.country="United States" \
.manager=capsman .mode=ap .ssid=Chromatic-2GHz datapath=capdp disabled=no
# no connection to CAPsMAN
set [ find default-name=wifi2 ] configuration.country="United States" \
.manager=capsman .mode=ap .ssid=Chromatic-5Ghz datapath=capdp disabled=no
add configuration.ssid=Chromatic-IOT disabled=no mac-address=\
########### master-interface=wifi2 name=wifi3
add configuration.ssid=Chromatic-IOT disabled=no mac-address=\
############ master-interface=wifi1 name=wifi4
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=wifi3
# no interface
add action=drop chain=forward out-interface=wifi3
# no interface
add action=drop chain=forward in-interface=wifi4
# no interface
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=wifi3
add bridge=bridgeLocal interface=wifi4
add bridge=bridgeLocal interface=wifi2
add bridge=bridgeLocal interface=wifi1
/interface list member
add interface=ether1 list=WAN
add interface=bridgeLocal list=LAN
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip address
add address=192.168.88.1/24 interface=bridgeLocal network=192.168.88.0
add address=192.168.0.91/24 interface=ether1 network=192.168.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server
add address-pool=dhcp interface=bridgeLocal name=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
netmask=24
/ip dns
set servers=75.75.75.75,75.75.76.76
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridgeLocal type=internal
add interface=ether1 type=external
/system note
set show-at-login=no
I am just trying to get the WIFI enabled.
I currently have the WIFI router off, since WIFI isn't turning on anyway and, unlike the router board, it did not generate firewall rules on smart quick setup.
When router is on it shows as online and I can access it through winbox but no WIFI signals show up on any of my devices for Chromatic-5Ghz, Chromatic-2Ghz or Chromatic-IOT.
Config Changes and Information related to how to get the WIFI started and what firewall rules I should add to the WIFI router are appreciated.
If I can get the WIFI going then I should be good enough on my own and able to close this forum.
Thanks again, between you two / the forums and another friend of mine I’ve been able to learn a lot.
Edit: Just noticing that the WIFI routers clock is wrong. Next time I turn it on I will fix that and see what other system settings and hardening I can do that I have done to the router board already.
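The AP-only role recommended earlier in the thread (5009 on the modem, wAP on the 5009, DHCP only on the 5009), worked through against the wAP export above. This is an added example and not a configuration posted by anyone in the thread. It keeps the export's own names (bridgeLocal, capdp, wifi1 to wifi4, the three SSIDs) and assumes the RB5009 delivers a management VLAN 10 (192.168.10.0/24, with DHCP) and an IoT VLAN 20 tagged on the cable into ether1, with the main LAN untagged; the VLAN IDs, the SSID-to-VLAN mapping, the passphrases and the NTP server are placeholders. The export explains the symptoms in the posts above: the radios are set to `.manager=capsman` with no CAPsMAN anywhere, so they never start; the AP holds 192.168.88.1, the RB5009's own address, and answers DHCP on the same segment; ether1 is disabled in the bridge while carrying a static 192.168.0.91 from the old modem network; and UPnP is enabled with ether1 as "external".

```routeros
# wAP ax as a pure access point behind the RB5009: no routing, no DHCP, no UPnP,
# radios managed locally, SSIDs mapped to VLANs, management only on VLAN 10.
# Added example, not the thread's own config. VLAN IDs, SSID-to-VLAN mapping,
# passphrases and the NTP server are assumptions. Apply it over MAC-Winbox: the AP
# drops its static address half-way through and only comes back once the DHCP
# client on the management VLAN gets a lease from the RB5009.

# 1. Stop acting as a second router. The export answered DHCP on the same segment
#    as the RB5009 and held 192.168.88.1, the RB5009's own address.
/ip dhcp-server
remove [ find ]
/ip dhcp-server network
remove [ find ]
/ip pool
remove [ find ]
/ip address
remove [ find ]
/ip upnp
set enabled=no
/ip upnp interfaces
remove [ find ]
# The per-SSID bridge filters dropped every frame from wifi3/wifi4, uplink included;
# VLAN 20 plus the RB5009 firewall takes over that isolation.
/interface bridge filter
remove [ find ]

# 2. ether1 (uplink to the RB5009) joins the bridge; the IoT radios get pvid 20, so
#    their untagged client frames leave ether1 tagged as VLAN 20.
/interface bridge port
set [ find interface=ether1 ] disabled=no
set [ find interface=wifi3 ] pvid=20
set [ find interface=wifi4 ] pvid=20
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=10
add bridge=bridgeLocal tagged=ether1 untagged=wifi3,wifi4 vlan-ids=20
/interface vlan
add interface=bridgeLocal name=vlan10-mgmt vlan-id=10
/ip dhcp-client
remove [ find ]
add interface=vlan10-mgmt disabled=no comment="management address from the RB5009"
/interface list member
remove [ find ]
add interface=vlan10-mgmt list=LAN

# 3. Radios. manager=capsman with no CAPsMAN is why every radio sat at
#    "no connection to CAPsMAN" and nothing was broadcast.
/interface wifi cap
set enabled=no
/interface wifi security
add name=sec-main authentication-types=wpa2-psk,wpa3-psk passphrase="CHANGE-ME-main"
add name=sec-iot authentication-types=wpa2-psk passphrase="CHANGE-ME-iot"
/interface wifi
set wifi1 configuration.manager=local configuration.mode=ap configuration.country="United States" configuration.ssid=Chromatic-2GHz datapath=capdp security=sec-main disabled=no
set wifi2 configuration.manager=local configuration.mode=ap configuration.country="United States" configuration.ssid=Chromatic-5Ghz datapath=capdp security=sec-main disabled=no
set wifi3 configuration.manager=local configuration.mode=ap configuration.ssid=Chromatic-IOT security=sec-iot disabled=no
set wifi4 configuration.manager=local configuration.mode=ap configuration.ssid=Chromatic-IOT security=sec-iot disabled=no

# 4. Enforce VLAN membership on the bridge only after the table above is in place.
/interface bridge
set bridgeLocal vlan-filtering=yes

# 5. The AP is managed from VLAN 10 only; MAC-Winbox likewise; fix the 1970 clock.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept protocol=udp dst-port=68 comment="DHCP client replies"
add chain=input action=accept in-interface=vlan10-mgmt comment="management VLAN"
add chain=input action=drop comment="drop all else to the AP"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
```

After this the AP has exactly one IPv4 address, obtained on vlan10-mgmt, and the Chromatic-2GHz/5Ghz clients get their leases from the RB5009's 192.168.88.0/24 pool over untagged VLAN 1, while Chromatic-IOT clients land in VLAN 20 and only ever see the RB5009. Because the management address now lives on a VLAN, the laptop used for Winbox has to sit in VLAN 10 as well (or on the RB5009's off-bridge port, routing to the AP); MAC-Winbox from a machine on the untagged LAN will no longer find it, which is the intended effect of the "trusted VLAN" advice earlier in the thread.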