I am planning to buy the hAP ac² and was wondering if this setup is possible.
My current setup is a linux server running all needed network services with two ethernet ports (eth0, eth1) and a n/g wifi card running in ap mode (wifi0). Currently wifi0 and eth1 are bridged to br0. Eth0 is connected to a bridged modem with a static IP and is providing everyone connection to br0 with all needed for accessing the network and internet.
I would like to upgrade my old wifi to 5ghz and have some trouble finding a network card that can use any available port on my server and also has drivers with ap support. So I was thinking to get the hAP ac² and remove the old card. The new configuration would lose the wifi0 interface, eth0 would still be connected to the modem and eth1 would connect to the hAP.
I would like to know is it possible to configure hAP in a way that it works as a switch and ap, and that still enables my server to take care of everything (ip assignment, firewalling, internet,…) no matter if something is connected to hAP via ethernet or wifi?
So there is no hidden NAT on the wlan where in the end every device is presented under the same ip to my server like I’ve read is the problem with some routers?
You would probably create a bridge setup on the hapac and define your ethernet interfaces and any vlans if any.
No need to create new subnets or anything else.
A diagram of what you are thinking would help that would show what subnets you wish to have and how they are distributed
EDIT: I think I was wrong, WISP AP is for a station connection on 5GHz band, use instead Home AP Dual.
I think that if you upgrade it, select “Home AP Dual” in “quickset” and then
set up wifi parameters
select static ip address or dynamic, as desired
untick “Firewall router”
untick “DHCP server”
untick “NAT”
apply configuration
you should end up with what you are looking for, or something that you can customize later easily. You might need to add ether1 to the bridge, I’m not sure how the default configuration deals with non-DHCP, non-NAT configs and I have no spare hAP ac^2 to try it.
After that you could use “/ export” in a terminal to check what configuration remains, and work from there…
I have only one subnet 192.168.0.1/27 and I would like to keep the same configuration (if you remove the hAP, the diagram shows my current configuration), only that instead of my server the hAP would provide wlan. The server acts as a gateway, firewall, dhcp and dns server and gives out all the ip addresses.
It seems like what I want, I’m just not sure if the address you mention here is just to access hAPs configuration or will all wifi clients use this IP to talk with the rest of the network? I want my server to assign each ip.
Mikrotik routers are quite flexible. Typically default configurations have a firewalled ether1 as upstream, and a bridge with the rest of the interfaces (wired and wireless) NATted to the IP address in this upstream interface.
You can use (once!) a web tool called “Quickset” to quickly customize and redeploy a default configuration. Or you can work it out by hand.
If you select a “Home AP Dual” one you get most of what you want. By default, with NAT, DHCP server and firewall ticked, it would be your standard router. If you untick those, I would expect at least that no dhcp-server configuration and no firewall/NAT will be configured.
Possibly there will still be ether1 separate from the bridge, and maybe some ip routes… Never tried that one
If this is the case, you can add ether1 as a port into the bridge (switch) and remove the routes involving ether1…
I’m quite sure that what you want is doable, just that I’m not sure if you will have to tweak the output of this default configuration, but I’m sure you will know how to if you are setting up linux as a router/firewall
Thanks a lot for all the help and information. I just needed to know that it’s possible but you’ve given me plenty more than just that info. As long as it’s doable I’m sure I can make it work (eventually). I’m going to go ahead and place my order.
I can guarantee you right off the bat that it’s doable and that it works fine. I have one in my home configured exactly this way. My WISP company routinely configured every indoor customer WiFi AP this way, including the various models of hAPs, mAPs, cAPs, and SOHO routers.
Absolutely doable. I use this very often. I actually use hAP ac^2 exclusively for all purposes (router, switch+AP, TAP) due to its universal nature and very low price. It simplifies inventory management a lot!
Unfortunately, as you figured out, quickset is not really good for this. I actually covered that earlier.
I would say easiest way to achieve this would be reset config with no defaults and load short’n’simple Switch+DualAP config:
# Switch+DualAP config v1
# model = RouterBOARD D52G-5HacD2HnD-TC
#
# USAGE:
# modify values as needed and save as "init.rsc"
# upload file to your router into "flash" directory
# in command line run /system reset-configuration no-defaults=yes keep-users=yes run-after-reset=flash/init.rsc
{
# !IMPORTANT! modify following values:
:local wifiname "yourWifiName"
:local wifipass "yourWifiPassword"
# You can modify following config if you know what you are doing:
#wait a while, hopefully all interfaces will be initialized by then
:delay 10
#create bridge, add ports and let it acquire IP from DHCP
/interface bridge add name=bridge1
:foreach k in=[/interface find where !(slave=yes || name~"bridge")] do={
/interface bridge port add bridge=bridge1 interface=[/interface get $k name];
}
/ip dhcp-client
add interface=bridge1 disabled=no
#set up wifi
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=dynamic-keys wpa2-pre-shared-key=$wifipass
/interface wireless
set [ find ] mode=ap-bridge disabled=no ssid=$wifiname wps-mode=disabled frequency=auto
set [ find default-name=wlan1 ] band=2ghz-b/g channel-width=20mhz
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee
# this prevents any routing (L3 forwarding) in case if you set up multiple IP addresses later
/ip settings
set ip-forward=no
}
Please, keep in mind that I intentionally didn’t include any firewall/security measures. That would bloat the script and there is no one universal approach - everyone has their own way.
Important - make sure you are using a secure password. Even if it’s just your network, you shouldn’t have an unsecured device on it.
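The thread suggests running “/ export” to check what configuration remains. The following is an added example, not code from any poster or from MikroTik, that audits such an export for the properties discussed here: no NAT, no DHCP server, ip-forward=no, WPS disabled, WPA2-PSK only, and every wlan in the bridge. The names parse_export and audit_bridge_ap are hypothetical, the sample export is constructed, and it assumes the wireless interfaces keep their default names.

```python
import re

PARAM = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_export(text):
    """Yield (menu, verb, params) for every command line of a RouterOS export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    menu = ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # a menu path, optionally followed by add/set
            menu, line = re.match(r"(/.*?)(?:\s+((?:add|set)\s.*))?$", line).groups()
        if line:
            yield menu, line.split()[0], {k: v.strip('"') for k, v in PARAM.findall(line)}

def audit_bridge_ap(text):
    """Return findings that contradict a transparent switch+AP role."""
    findings, forward_off, bridged, wlans = [], False, set(), set()
    for menu, verb, p in parse_export(text):
        active = p.get("disabled") != "yes"
        if menu == "/ip firewall nat" and verb == "add" and active:
            findings.append("NAT rule: " + p.get("action", "?"))
        elif menu == "/ip dhcp-server" and verb == "add" and active:
            findings.append("DHCP server on " + p.get("interface", "?"))
        elif menu == "/ip settings" and p.get("ip-forward") == "no":
            forward_off = True
        elif menu == "/interface bridge port" and verb == "add":
            bridged.add(p.get("interface"))
        elif menu == "/interface wireless" and verb == "set":
            # Assumption: interfaces keep their default names (wlan1, wlan2).
            name = p.get("default-name", "?")
            wlans.add(name)
            if p.get("wps-mode") != "disabled":
                findings.append("WPS not disabled on " + name)
        elif menu.endswith("security-profiles") and p.get("authentication-types") != "wpa2-psk":
            findings.append("security profile is not WPA2-PSK only")
    if not forward_off:  # export omits defaults, and the default is ip-forward=yes
        findings.append("ip-forward is not set to no")
    return findings + ["%s is not a bridge port" % w for w in sorted(wlans - bridged)]

# Constructed sample export (not taken from a real device).
SAMPLE = """/interface wireless
set [ find default-name=wlan1 ] ssid=home wps-mode=disabled
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
"""
if __name__ == "__main__":
    print("\n".join(audit_bridge_ap(SAMPLE)))
```

An empty result means the export matches the bridged switch+AP role; it says nothing about management-plane hardening, which the script above leaves to the reader.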