hAP ac³ + ATL: How to set up Internet connection (Ethernet + WiFi)?

I am trying to set up a network with the following structure:

ATL --<< (PoE) <<-- hAP ac³ – LAN (Ethernet + WiFi)

I am a little confused by the interfaces and labeling on the hAP ac³. The “Internet” port (where I am supposed to plug the cable coming from the ATL) is not PoE-out (it is actually PoE-in). The PoE-out is on “LAN” port 5, i.e. not for “Internet”.

So, following that nomenclature, I connected the ATL to the “Internet” port without using the PoE-out functionality of the hAP ac³ (I used the PoE injector of the ATL for the ATL, thus ending up with 2 DC adapters total).

The result is: I have Internet connection only through the WiFi. I can’t get any Internet connection on any of the LAN ports of the hAP ac³ and I can’t find documentation on that.

What I would like is to:

  • Use the PoE-out functionality of the hAP ac³ (Ethernet port 5) to power the ATL
  • Be able to “get Internet” from that same PoE-out port 5 (from the ATL)
  • Be able to use Internet (NAT) in the LAN through both the Ethernet ports of the hAP ac³ and WiFi
  • Still be able to use another (non-PoE powered) device as an “Internet source” whenever required (i.e. unplug ATL’s cable and plug another Ethernet, non-PoE, cable on port 5). I don’t want to damage that other device because it does not support PoE.
  • Have proper firewall protection, considering the changes from the default settings, needed for the above

How do I configure that?

This is valid for the default configuration, which treats ether1 as WAN and the rest as LAN.

Ports don’t have a fixed role in MikroTik, and you can remove ether5 from the bridge, add ether1 to the bridge (if you want LAN on it), and also rework the rest of the configuration (swap all ether1 and ether5 use).

Port shuffling and bridging might have a performance impact if the ports aren’t wired to the same switch, which is not the case for hAP ac³, which has all ports wired to the same switch chip; see the Block Diagram in the specs (Support & Downloads section).


This is weird. With the default configuration, wireless interfaces and LAN ports are bridged, being on a single L2 broadcast domain and the same subnet, and you should have the same connectivity between all of them, and the same internet access.

Can you please post the config you’re running - (possibly ID/MAC redacted) output of the /export command in CLI?

This only needs each use and occurrence of ether1 and ether5 in the default configuration to be swapped. If nothing else is changed, and no occurrence is missed, then the firewall protection and everything should work the same as for the default config, just with the roles of the ports swapped.

Note: you could push security further with extra configs (https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router), regardless of whether you make the port role swap changes or not.


MikroTik devices with passive PoE-out don’t turn on PoE-out by default. They do some resistance testing of the connected device and, based on this, decide whether to turn on the passive PoE-out. More details are in the PoE-out docs.

This detection doesn’t work reliably, in that under certain circumstances it doesn’t power on even valid passive PoE-in devices. I had issues with PoE-out from RB260GSP combined with long cables. And with PoE-out from hAP ax², even with short cables. Sometimes unplugging and re-plugging the device which is to be powered via PoE helps. This can be overridden to enable PoE-out always, which still seems to do some checks, actually. However, it has the risk of harming a connected non-PoE-in device.
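The ether1/ether5 role swap described in the reply above, as an added example that is not part of the thread: a small Python check that swaps the two names in a saved `/export` and reports any place where the WAN role was missed. The export fragment is constructed, the function names are hypothetical, and it assumes a default-style configuration that assigns roles through `WAN`/`LAN` interface lists, with one command per line.

```python
import re

# Constructed sample in the style of a RouterOS /export fragment
# (not the poster's configuration; one command per line is assumed).
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge interface=ether2 comment=defconf
add bridge=bridge interface=ether3 comment=defconf
add bridge=bridge interface=ether4 comment=defconf
add bridge=bridge interface=ether5 comment=defconf
/interface list member
add list=LAN interface=bridge comment=defconf
add list=WAN interface=ether1 comment=defconf
/ip dhcp-client
add interface=ether1 comment=defconf
"""

def swap_ports(export, a="ether1", b="ether5"):
    """Swap whole-name occurrences of a and b in a single pass."""
    names = "|".join(re.escape(n) for n in (a, b))
    pattern = re.compile(r"(?<![\w-])(" + names + r")(?![\w-])")
    return pattern.sub(lambda m: b if m.group(1) == a else a, export)

def audit(export, wan="ether5"):
    """List the places where the WAN/LAN roles are inconsistent for `wan`."""
    section, wan_members, bridged, problems = "", [], [], []
    for line in export.splitlines():
        if line.startswith("/"):
            section = line.strip()
            continue
        m = re.search(r"\binterface=(\S+)", line)
        if not m:
            continue
        iface = m.group(1)
        if section == "/interface bridge port":
            bridged.append(iface)
        elif section == "/interface list member" and "list=WAN" in line:
            wan_members.append(iface)
        elif section == "/ip dhcp-client" and iface != wan:
            problems.append(f"dhcp-client still on {iface}")
    if wan_members != [wan]:
        problems.append(f"WAN list members are {wan_members}, expected [{wan!r}]")
    if wan in bridged:
        problems.append(f"{wan} is still a LAN bridge port")
    return problems

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))              # before the swap: three findings
    print(audit(swap_ports(SAMPLE_EXPORT)))  # after a complete swap: none
```

A WAN port that is still a bridge member is the case that matters most for the firewall: it puts the upstream link in the LAN broadcast domain, outside the rules that filter traffic arriving from the WAN list.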

@kravemir

Thank you very much.
Huge apologies for the late reply. I have been through some serious personal trouble.

Everything seems to work fine now. I still need to learn more about how to secure further the whole system.

BTW, as an owner of the hAP ac³ - do you have any experience with OpenWRT (IIUC it is supported)? Any readings/threads you would recommend? I am a fan of DNSCrypt (which AFAIK OpenWRT does support but RouterOS does not).

You can use the container feature to run DNSCrypt on the hAP ac3. It would basically be the same steps as the Pi-Hole setup, just using the DNSCrypt container instead:
https://help.mikrotik.com/docs/display/ROS/Container#Container-Containeruseexample
I have not used it, but there appears to be a docker image for DNSCrypt: https://hub.docker.com/r/klutchell/dnscrypt-proxy

Thanks for the links.

I am rather interested in comparison with OpenWRT in general first, as it is FOSS unlike RouterOS. I found this other thread which seems more suitable for this discussion.