hAP ac lite + SXT LTE6 kit, passthrough does not work well

Hello,
The figure shows my configuration:
[Figure: msh.jpg]
Here’s the SXT LTE6 kit configuration:

# 2025-03-02 08:38:06 by RouterOS 7.18
# software id = xxx
#
# model = SXTR
# serial number = xxx

/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""

/interface lte apn
set [ find default=yes ] passthrough-interface=net passthrough-mac=auto \
    use-peer-dns=no
	
/interface vlan
add interface=ether1 name=man vlan-id=2
add interface=ether1 name=net vlan-id=3

/ip dhcp-client
add interface=man

/system note
set show-at-login=no

/system clock
set time-zone-name=xxx/xxx

Here’s the AP ac lite configuration:

# mar/01/2025 16:40:03 by RouterOS 6.49.18
# software id = xxx
#
# model = RB952Ui-5ac2nD
# serial number = xxx

/interface bridge
add name=bridge

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=man

/interface list
add name=LAN
add name=WAN

/interface list member
add interface=bridge list=LAN
add interface=net list=WAN

/interface vlan
add interface=ether5 name=man vlan-id=2
add interface=ether5 name=net vlan-id=3
	
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=xxx disabled=no distance=indoors mode=ap-bridge \
    security-profile=myWifi ssid=xxx wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=xxx disabled=no distance=\
    indoors mode=ap-bridge security-profile=myWifi ssid=xxx \
    wireless-protocol=802.11
	
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=myWifi \
    supplicant-identity=MikroTik wpa2-pre-shared-key=xxx

/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0

/ip dhcp-client
add disabled=no interface=net use-peer-dns=no

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge lease-time=30m name=\
    dhcp1	

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,9.9.9.9 gateway=192.168.88.1

/ip dns
set servers=8.8.8.8,9.9.9.9

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" in-interface=net \
    protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=net port=\
    8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=net port=22 \
    protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=net
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=net

/ip firewall nat
add action=masquerade chain=srcnat out-interface=net
		
/ip neighbor discovery-settings
set discover-interface-list=LAN
	
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.88.0/24

/ip ssh
set strong-crypto=yes

/system clock
set time-zone-name=xxx/xxx

/system routerboard settings
set auto-upgrade=yes

/tool bandwidth-server
set enabled=no

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

Everything works only when I block the interface VLAN man in hAP ac lite. When I unblock it, the connection to the hAP ac lite sometimes starts to drop and then disappears: it no longer pings, it is unavailable via WinBox and there is no internet, although the SXT LTE6 kit manages fine all the time.
So I have some questions:

  1. Where might the problem be?
  2. The SXT LTE6 kit interface VLAN net doesn’t have a DHCP client, but gets an additional external IP address. Must this be the case when using passthrough?
  3. Maybe then I need to delete the DHCP client on the SXT LTE6 kit on the interface VLAN man. Maybe the IP address would be obtained from the DHCP server of the hAP ac lite anyway?
  4. Can I upgrade the RouterOS version to 7.18 for hAP ac lite?

Thanks.

Is your question, in general, what is the best way (simple and secure) of using the SXT LTE6 kit to capture the required LTE signal from the provider and pass the connection on to the next MT device, where the MT device is acting as the main router?

Yes, we can say that, because the current configuration seems to me to be in a loop somewhere (I can’t figure out where). I also want to keep the option to connect to the SXT LTE6 kit.

Yes.
Should you?

It is debatable. The issue is that the hAP ac lite has a very small amount of storage space, only 16 Mbyte, and it will be almost completely used by RoS 7.18.
With simple configurations, no or few scripts, etc., the device will work just fine, but you must be prepared to netinstall, as often there is not enough space to do a “normal” upgrade, and you may run into this kind of issue:
http://forum.mikrotik.com/t/echo-system-error-critical-could-not-save-configuration-changes-not-enough-storage-space-available/181580/1

So, if there are actual reasons to update to 7.x, you can do it, but if there aren’t you can stay on 6.x just fine.

If you are not going to use the Wifi, you will have more than enough space without the drivers, BTW

I saw IPv6 packets on the interface VLAN man. I entered additional lines in the SXT LTE6 kit:

/ipv6 settings
set disable-ipv6=yes

I don’t notice the problem anymore. I will keep observing it for longer. I haven’t found how to disable IPv6 on hAP ac lite.

I always understood that if you put an LTE device in passthrough mode, you effectively prevent any further configuration on that device. Meaning that the device merely passes through internet data to a WAN port of an external router, which then handles all the config like VLANs, DHCP, DNS, etc. Am I mistaken?

VLANs can also be used to leave management in place. Passing passthrough on one VLAN and leaving management on the other. As shown in the figure. And it works, only after a while the router stops working until you disconnect the management channel. Stop working means that it no longer responds to PING, there is no internet, although the management channel is always working when connected and the LTE device is reachable.
But as soon as you disconnect the management channel or the LTE device itself, the router comes to life instantly, as if it had never stopped.

Disconnecting IPv6 did not help. The problem persists.

Everything works. All I had to do was enable vlan-filtering:

/interface bridge
add name=bridge vlan-filtering=yes
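
An added example, not part of any post in the thread: a small Python audit over a constructed excerpt of the hAP ac lite export above. It flags the bridge state the last post changed (a VLAN interface as a bridge port while vlan-filtering is off) and WAN input rules whose port matches no listening service (the rule accepts 22 while SSH is set to 2200). The names `parse`, `audit`, `EXPORT` and `DEFAULT_PORTS` are assumptions for illustration, and only the two services in the table are considered.

```python
import re
# Constructed excerpt of the hAP ac lite export posted in the thread.
EXPORT = r"""/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=man
/interface vlan
add interface=ether5 name=man vlan-id=2
/ip firewall filter
add action=accept chain=input comment="allow Winbox" in-interface=net port=\
    8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=net port=22 \
    protocol=tcp
/ip service
set ssh port=2200
"""
DEFAULT_PORTS = {"ssh": "22", "winbox": "8291"}  # RouterOS default ports

def parse(export):
    """Return [(menu, props)]; bare words such as 'ssh' map to True."""
    rows, menu = [], None
    joined = re.sub(r"\\\n\s*", "", export)  # join '\' line continuations
    for line in map(str.strip, joined.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            toks = re.findall(r'(?:[^\s"]|"[^"]*")+', line)[1:]  # drop add/set
            rows.append((menu, {k: v.strip('"') if eq else True for k, eq, v
                                in (t.partition("=") for t in toks)}))
    return rows

def audit(export, wan="net"):
    rows, out = parse(export), []
    vlans = {p["name"] for m, p in rows if m == "/interface vlan"}
    filtered = {p["name"] for m, p in rows if p.get("vlan-filtering") == "yes"}
    listen = dict(DEFAULT_PORTS)  # service name -> port it listens on
    for m, p in rows:
        if m == "/ip service" and "port" in p:
            listen[next(k for k, v in p.items() if v is True)] = p["port"]
    for m, p in rows:
        if (m == "/interface bridge port" and p["interface"] in vlans
                and p["bridge"] not in filtered):
            out.append(f"{p['interface']}: VLAN interface bridged into "
                       f"{p['bridge']} with vlan-filtering off")
        if (m == "/ip firewall filter" and p.get("action") == "accept"
                and p.get("in-interface") == wan and "port" in p
                and p["port"] not in listen.values()):
            out.append(f"port {p['port']}: accepted on {wan}, no service listens")
    return out
```

Run `audit()` on a full `/export` saved as text; on the excerpt it reports the bridged `man` VLAN and the stale port 22 rule, and the first finding clears once the bridge line carries `vlan-filtering=yes`.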