hAP ac lite - internet access only when connected by ethernet, not wirelessly

I have an hAP ac lite (RouterOS v6.49.10) with dual WLAN (2.4GHz + 5GHz). The hAP ac lite is set up as Home AP Dual on the WebFig Quick Set page. I have long had a Groove (RouterOS v6.49.10) connected to ether5 (PoE out). It has worked fine for many years. I have always been able to connect wirelessly to the Groove, and to the internet (when the Groove finds a wifi internet connection), over either wlan1 or wlan2. I live aboard my boat and use this setup to connect a laptop, smart TV, etc.

I wanted to add a 4G LTE modem. I obtained a new Netgear LM1200 with a Verizon 46 SIM. The LTE modem connects with no problem. I connected the LTE modem to ether1 on the hAP ac lite. Per several sources (I believe including the RouterOS manual), I made sure that the bridge on the hAP ac lite includes only ether2, ether3, ether4, ether5, wlan1, and wlan2 – not ether1. I set up a DHCP client using interface ether1, and the status shows as bound and shows the IP address for the LTE modem. So it appears that an internet connection exists between the LTE modem and the hAP ac lite.

When I connect my laptop to the hAP ac lite using an ethernet cable plugged into ether2, I get internet access.
But when I disconnect the ether2 ↔ laptop connection, and connect my laptop wirelessly to wlan1 or wlan2, I cannot get internet.

I’ve read as much as I can understand in the RouterOS manual. I can use WebFig and a terminal. But I cannot figure out what the problem is here or how to fix it. Any help would be GREATLY appreciated!

(I tried to attach to this post the supout.rif file created with WebFig, but I receive an error message saying Invalid File Extension.)

Better to export your config so we can have a look.
supout.rif is only for Mikrotik Support.

Terminal
/export file=anynameyouwish hide-sensitive
Move file to your computer
Edit contents to remove serial number or any remaining public info (Wan IP, secret keys, …)
Post contents between code quotes for easier readability.

Hi holvoetn, thanks for the tip. Below is the config export. Note that 192.168.88.2 is the Groove, which is showing as disabled; that’s on purpose for now to make sure that the only active internet connection is through the LTE modem. (After I get this immediate problem solved, I’m going to have to figure out how to configure failover from the Groove as primary to the LTE modem as secondary, but that’s a subject for a different thread.)


# sep/14/2023 01:39:27 by RouterOS 6.49.10
# software id = XRE0-SJ3C
#
# model = RB952Ui-5ac2nD
# serial number = [////////////]
/interface bridge
add admin-mac=74:4D:28:6E:6B:F3 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid="Tallawah 2GHz" station-roaming=enabled wireless-protocol=\
    802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid="Tallawah 5GHz" station-roaming=\
    enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=[//////////] \
    wpa2-pre-shared-key=[//////////]
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.3/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=192.168.88.3/24 interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.3 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,208.67.222.222
/ip dns static
add address=192.168.88.3 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=192.168.88.2
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

When your laptop connects to wireless of hap ac lite, does it get an IP address ?

Why the same address twice? You should fix that.

/ip address
add address=192.168.88.3/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.88.3/24 interface=bridge network=192.168.88.0

Adding:
remove that address assignment on ether2. I think it should solve your issue.
That’s definitely not default config AFAIK.

Well, I don’t know what happened or how to explain this, but I didn’t change any settings since posting last night, and left everything connected the way it was. That is, LTE modem > ether1; ether2 via ethernet to laptop. Last night that was the only way that I could get internet access on the laptop, not by connecting wirelessly to either wlan1 or wlan2.

This morning, I could not get any internet, although I could see from looking at the hAP ac lite through RouterOS that it was receiving. Out of frustration, I disconnected the cable from ether2 to the laptop, thinking I would just plug it back in and see if that restored the connection. Once I unplugged it, the laptop automatically connected to wlan2 wirelessly and I have internet connectivity. Which wasn’t happening last night.

??

Repeat.

As I noted, it was working. Then I disconnected the laptop from the wireless connection (by leaving and taking it with me to a meeting). When I came back, and it reconnected to wlan2, it was back to not getting internet, even though I could go into the hAP ac lite and see the internet traffic at ether1.

So I did what holvoetn suggested: I disabled that address assignment on ether2.

Now I both have no internet (right now the LTE modem is plugged directly into the laptop ethernet) and I can’t access the hAP ac lite, either wirelessly or by connecting ether2 to the laptop – both of which were working before. I tried connecting one of the other LAN ports (ether3 and ether4), but I can’t access the hAP ac lite that way either.

Any ideas how to at least regain access to the hAP ac lite??

Using Winbox you should be able to connect via MAC address.

Odd how a double-assigned address results in things working?

Thanks, holvoetn. I’m on a Macbook Air laptop and don’t have Winbox installed (or Boot Camp). I’ve been accessing the Groove and hAP ac lite through the Chrome browser window using WebFig. Is there any way to do it that way? Or do I have to find a Windows computer and run Winbox?
(I set them up using Winbox originally on a Windows computer I no longer have.)

Can the Groove RoMON into the hAP ac lite?

Once you get in, remove one ether port from the bridge and give it a fixed IP for mgmt access.

Can the Groove RoMON into the hAP ac lite?

I don’t know what this means or how to do it. I’m a layperson whose only knowledge of networking is very basic (mostly what I’ve tried to figure out from reading RouterOS).

Since we have your config a bit further up, it might be easier to simply reset to factory settings then.
It will also allow us to set things up properly so both wlan and LTE modem can be configured as WAN devices.

Plan?

I powered off and on the hAP ac and now I can connect to it, both when connected by cable to ether2 and wirelessly over wlan.
I confirmed that the former double address at ether2 is inactive.

But now it’s back to the original status. That is, I can get internet only when connected by ethernet cable to the hAP ac, not when trying to connect wirelessly to wlan, even after editing that ether2 address.

Let me ask this: What would happen if ether1 was added to the bridge? Would that perhaps address this issue of not being able to connect to the internet (coming into ether1) via wlan? Or would that screw things up worse?

I ask because it occurred to me that ether5 is set up as WAN (the Groove is connected there, so internet was coming into ether5) and it’s always been one of the ports included in the bridge, without any problems.

I don’t know if that makes sense. Maybe the connection from the Groove to ether5 is not an incoming internet connection over WAN, unlike the internet coming into ether1 from the LTE modem.

Any WAN port should be off bridge.
If you use another port for internet access, that should normally be treated as WAN too.
In your case that would be ether1 and ether5 then.
Otherwise your default firewall will not function properly (a WAN port gets treated as LAN, and then everything/everyone on it can potentially access your internal devices).

Can you post the latest config again?
I’ll have a more thorough look at it.

In the meantime:
since you can access the device again:

  • remove a free ether port from bridge
  • make a new DHCP pool (10.0.10.2-10.0.10.5)
  • make a new DHCP server attached to that ether port, network specified as 10.0.10.0/24, gateway 10.0.10.1
  • attach address to that ether port 10.0.10.1/24

Remove your ethernet cable from the hAP and attach it to the port handled above.
Verify your laptop gets an IP address from that pool and you can connect using WebFig (10.0.10.1).

That should allow us to avoid the mishap we had earlier.
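Added example (not from the thread, and not the poster's config): the RouterOS v6 commands that implement the "any WAN port stays off the bridge" advice for this particular export, with a check before and after. It assumes the defconf names seen in the export (bridge, the WAN and LAN interface lists, the ether1 DHCP client). It also assumes the Groove's LAN side is re-addressed to 192.168.89.2/24, an arbitrary choice: once ether5 is a routed port it cannot share the bridge's 192.168.88.0/24, so the 192.168.88.2 gateway in the export no longer fits. The route distances (Groove 1, LTE 2) are an assumption matching the "Groove primary, LTE secondary" wish earlier in the thread.

```routeros
# Added example, not part of the original thread. Assumes RouterOS v6 defconf
# names (bridge, WAN, LAN) as in the export above, and assumes the Groove has
# been re-addressed to 192.168.89.2/24 (arbitrary) so that ether5 no longer
# shares the bridge's 192.168.88.0/24.

# 1. Check: a bridge port must never carry its own IP address. The duplicated
#    192.168.88.3/24 on ether2 from the first export is exactly what this finds.
:foreach p in=[/interface bridge port find] do={
    :local ifname [/interface bridge port get $p interface]
    :if ([:len [/ip address find interface=$ifname]] > 0) do={
        :put ("WARNING: bridge port " . $ifname . " has its own IP address")
        /ip address print where interface=$ifname
    }
}

# 2. Take ether5 out of the bridge. While it is a bridge port, frames from the
#    Groove side are switched straight into the LAN and never see the forward
#    chain; as a routed port they do.
/interface bridge port remove [find interface=ether5]

# 3. Both uplinks belong in the WAN list. The defconf rules key on the lists:
#    input drops anything not from LAN, forward drops new connections from WAN
#    that were not DST-NATed, srcnat masquerades out of WAN.
/interface list member add interface=ether5 list=WAN comment="Groove uplink"

# 4. Address ether5 toward the Groove (static; subnet assumed) and prefer it as
#    default route. The LTE DHCP client keeps a worse distance, so its route only
#    takes over when the Groove route is withdrawn by check-gateway.
/ip address add address=192.168.89.1/24 interface=ether5 network=192.168.89.0
/ip route remove [find gateway=192.168.88.2]
/ip route add dst-address=0.0.0.0/0 gateway=192.168.89.2 distance=1 \
    check-gateway=ping comment="Groove (primary)"
/ip dhcp-client set [find interface=ether1] default-route-distance=2

# 5. Check: no WAN member may still be a bridge port.
:foreach m in=[/interface list member find list=WAN] do={
    :local ifname [/interface list member get $m interface]
    :if ([:len [/interface bridge port find interface=$ifname]] > 0) do={
        :put ("ERROR: WAN interface " . $ifname . " is still a bridge port")
    }
}
```

Paste it in a terminal session on the hAP, not over the port you are about to remove from the bridge. check-gateway=ping only tests reachability of the Groove itself, not whether the Groove currently has a wifi uplink; that distinction is what the separate failover thread the poster mentions would have to address.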

So I think I mostly successfully did what you suggested. I used ether4, and when I connect my laptop via ethernet to ether4, it is getting IP address 10.0.10.2. See screenshot:
Screenshot 2023-09-14 at 13.18.31.png
But I’m not able to access the hap by WebFig. (at http://10.0.10.1/webfig/#Quick_Set).

I’ve pasted my updated config file below:

# sep/14/2023 14:04:53 by RouterOS 6.49.10
# software id = XRE0-SJ3C
#
# model = RB952Ui-5ac2nD
# serial number = [////////////]
/interface bridge
add admin-mac=74:4D:28:6E:6B:F3 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-half,10M-full,100M-half,100M-f\
    ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid="Tallawah 2GHz" station-roaming=enabled wireless-protocol=\
    802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid="Tallawah 5GHz" station-roaming=\
    enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dchp2 ranges=10.0.10.2-10.0.10.5
add name=dhcp_pool2 ranges=10.0.10.2-10.0.10.5
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dchp2 disabled=no interface=ether4 name=dhcp2 src-address=\
    10.0.10.1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.3/24 interface=bridge network=192.168.88.0
add address=10.0.10.1/24 interface=ether4 network=10.0.10.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.3 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,208.67.222.222
/ip dns static
add address=192.168.88.3 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=192.168.88.2
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Forgot, we need to add the free port to the LAN interface list.
Otherwise it will obviously be blocked when being used (since it’s in no list right now).

/interface list member
add comment=defconf interface=ether4 list=LAN

First let’s see that we can get the mgmt access in order before we do anything else.
Don’t want you to become spooked again needlessly :laughing:

BTW now I see something else:
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all

Disable please (after mgmt access is ok). For most users this brings more problems than good.
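Added example (not from the thread): the whole out-of-band management port procedure from the posts above in one RouterOS v6 script, including the LAN list membership that was forgotten the first time round and the detect-internet setting. The port (ether4), subnet, pool range and gateway are the ones agreed above; the pool and comment names are arbitrary, and the defconf firewall and interface lists are assumed to be the ones in the export.

```routeros
# Added example, not part of the original thread. Out-of-band management port
# on ether4 of an RB952Ui-5ac2nD running v6 defconf. Pool/comment names are
# arbitrary; addresses are the ones used in the thread.

# ether4 leaves the bridge and becomes a routed port of its own.
/interface bridge port remove [find interface=ether4]

# The port's own subnet, address and a tiny DHCP scope for the laptop.
/ip address add address=10.0.10.1/24 interface=ether4 network=10.0.10.0 \
    comment="mgmt"
/ip pool add name=mgmt-pool ranges=10.0.10.2-10.0.10.5
/ip dhcp-server network add address=10.0.10.0/24 gateway=10.0.10.1
/ip dhcp-server add name=mgmt interface=ether4 address-pool=mgmt-pool \
    disabled=no

# Without this, the defconf input rule "drop all not coming from LAN" discards
# the laptop's WebFig/SSH/Winbox connections. As the thread shows, the DHCP
# lease still arrives, so "I got an address but cannot log in" is the symptom.
/interface list member add interface=ether4 list=LAN comment="mgmt"

# detect-internet with every list set to "all" can re-classify interfaces on
# its own; set everything to none so WAN/LAN stay exactly what you configured.
/interface detect-internet set detect-interface-list=none \
    internet-interface-list=none lan-interface-list=none \
    wan-interface-list=none

# Checks: the mgmt port must be in LAN and must not be a bridge port.
:if ([:len [/interface list member find interface=ether4 list=LAN]] = 0) do={
    :put "ERROR: ether4 is not in the LAN list"
}
:if ([:len [/interface bridge port find interface=ether4]] > 0) do={
    :put "ERROR: ether4 is still a bridge port"
}
```

Because the defconf mac-server and mac-winbox settings also allow the LAN list, the same port gives MAC-based Winbox access as a second fallback once it is in LAN; the lease-but-no-login symptom is the quickest way to tell that the list membership, not the address, is what is missing.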

Done. Thanks! I can now access the hap at 10.0.10.1 using WebFig.

/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all

Disable please (after mgmt access is ok). For most users this brings more problems than good.

What’s the method to disable? I note that on WebFig there is an option to set each of these to “none” but it appears to me that might be different than disabling.

Thanks again for the help thus far.

WebFig - Interfaces
Detect Internet
Set all to none.

That’s indeed how it should be done.

That’s indeed how it should be done.

Done. Thanks!

Now that mgmt access is sorted, looking forward to anything you spot on the original issue. Thanks!