HAP ac2 and station mode

Hello,

I am trying to set up my hAP unit as a station to my ISP router.
I can connect to the WiFi and have internet behind the hAP, but for some reason when I try to ping the device from a PC that is on the main network I can't.
The problem seems to be that the MikroTik doesn't respond to my ARP requests, and the ARP cache of my main PC doesn't have an entry for the hAP.

Pinging 192.168.2.254 with 32 bytes of data:
Reply from 192.168.2.10: Destination host unreachable.
Reply from 192.168.2.10: Destination host unreachable.
Reply from 192.168.2.10: Destination host unreachable.
Reply from 192.168.2.10: Destination host unreachable.

Ping statistics for 192.168.2.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Interface: 192.168.2.10 --- 0x3
Internet Address Physical Address Type
192.168.2.1 8c-68-c8-e7-b3-62 dynamic
192.168.2.48 54-35-30-c6-c9-c9 dynamic
192.168.2.230 18-a6-f7-12-f7-c7 dynamic
192.168.2.231 00-21-b7-53-15-a8 dynamic
192.168.2.232 00-1f-3f-c3-e5-90 dynamic
192.168.2.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.102.18 01-00-5e-7f-66-12 static
239.255.255.250 01-00-5e-7f-ff-fa static

At the same time my main gateway can ping the hAP:

PING 192.168.2.254 (192.168.2.254): 56 data bytes
Reply from 192.168.2.254: bytes=56 ttl=64 time=1.4ms seq=0
Reply from 192.168.2.254: bytes=56 ttl=64 time=1.6ms seq=1
Reply from 192.168.2.254: bytes=56 ttl=64 time=1.4ms seq=2
Reply from 192.168.2.254: bytes=56 ttl=64 time=1.4ms seq=3

--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.4/1.4/1.6 ms

Its ARP table has an entry for the hAP:

192.168.2.254 48:8f:5a:1f:90:42 Available LAN

If I ping my main PC from the hAP, then I can ping it back.

[admin@MikroTik] > export hide-sensitive  
# aug/30/2020 19:39:52 by RouterOS 6.47.2
# software id = R3ZV-IZ4K
#
# model = RBD52G-5HacD2HnD
# serial number = CB380C19D06F
/interface bridge
add admin-mac=48:8F:5A:1F:90:3D auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-1F9041 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=greece disabled=no distance=indoors frequency=auto installation=indoor ssid=Vodafone_5G-05374 wireless-protocol=nv2-nstreme-802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf disabled=yes interface=wlan2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wlan2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=192.168.2.254/24 interface=wlan2 network=192.168.2.0
/ip dhcp-client
add interface=wlan2
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,new,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=Europe/Athens
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Any help would be great.

You have a bridge with all the interfaces in it, including WLAN2, but you have a separate interface list called WAN, which you use for your NAT masquerade rule. That doesn’t sound correct.

The entry for WLAN2 is disabled; should I completely remove it?

add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0

The IP address MUST be on the bridge, not on ether1!

And you should ping 192.168.88.1 from the LAN side.
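As an added example (not code from the thread or from MikroTik), a small Python checker that parses a RouterOS export in the shape of the one posted above and flags the points raised here: an address configured on a bridge member port instead of on the bridge, a WAN interface that still has a bridge port entry, and, as a hardening point visible in the posted rules, the first input rule accepting connection-state=new, which lets every interface open new connections to the router itself. The EXPORT string is a constructed excerpt with values copied from the posted config.

```python
import re

# Constructed excerpt in the shape of the export posted in the thread (only the
# sections the checks read; values copied from that export).
EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=wlan2
add bridge=bridge interface=ether1
/interface list member
add interface=wlan2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=192.168.2.254/24 interface=wlan2 network=192.168.2.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,new,untracked
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_export(text):
    # Map each '/section' line to the list of its add/set lines, as dicts.
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            sections[current].append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections

def audit(text):
    # Findings for the three problems raised in the thread.
    s = parse_export(text)
    findings = []
    ports = s.get("/interface bridge port", [])
    active = {p["interface"] for p in ports if p.get("disabled") != "yes"}
    wan = {m["interface"] for m in s.get("/interface list member", []) if m.get("list") == "WAN"}
    # 1. address configured on a bridge member port instead of on the bridge
    for a in s.get("/ip address", []):
        if a["interface"] in active:
            findings.append(f"{a['address']} is on bridge port {a['interface']}; move it to the bridge")
    # 2. the WAN-facing interface still has a bridge port entry, active or disabled
    for p in ports:
        if p["interface"] in wan:
            state = "disabled" if p.get("disabled") == "yes" else "active"
            findings.append(f"WAN member {p['interface']} has a {state} bridge port entry; remove it")
    # 3. input-chain accept including connection-state=new lets every interface,
    #    WAN included, open new connections to the router's own services
    for r in s.get("/ip firewall filter", []):
        if r.get("chain") == "input" and r.get("action") == "accept" \
                and "new" in r.get("connection-state", "").split(","):
            findings.append("input chain accepts connection-state=new; remove 'new' from that rule")
    return findings
```

Run `audit(EXPORT)` to get the three findings for the excerpt; feed it the full text of `/export` to check a live config.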

Changed the aforementioned settings but nothing changed.

[admin@MikroTik] > /export hide-sensitive  
# aug/31/2020 20:12:00 by RouterOS 6.47.2
# software id = R3ZV-IZ4K
#
# model = RBD52G-5HacD2HnD
# serial number = CB380C19D06F
/interface bridge
add admin-mac=48:8F:5A:1F:90:3D auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-1F9041 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=greece disabled=no distance=indoors frequency=auto installation=indoor ssid=Vodafone_5G-05374 wireless-protocol=nv2-nstreme-802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wlan2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.2.254/24 interface=wlan2 network=192.168.2.0
/ip dhcp-client
add interface=wlan2
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,new,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=Europe/Athens
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

What do you mean by "nothing changed"? Does this mean your client device, connected to the hAP ac2 and getting its IP address and gateway from that DHCP server (192.168.88.1), cannot ping the gateway 192.168.88.1? That ping to its own gateway is the most basic IP communication! What is the IP address of your client? 192.168.88.x/24?

Did I overlook something in the firewall? The 3rd rule already allows ICMP/ping input. Should work.


If your test PC is on the WAN side of the hAP ac2, having IP address 192.168.2.10, then the fact that you cannot ping the hAP ac2 (192.168.2.254) is because they are not in the same (bridged) network, or because client isolation is enabled on that 192.168.2.0/24 network. The main gateway is not limited by the client isolation, but the clients cannot speak to each other. In MikroTik terms this means that "forwarding" is not enabled by default on the WiFi interface at the main gateway, or that forwarding is not enabled in the access-list entry specific to the client. There is nothing the hAP ac2 config can do about this.

If the main gateway (192.168.2.1) has to route between 2 interfaces, then the subnets must be different.

The layout of my network is:

ISP router (192.168.2.1, just what they have provided to me, a ZTE CPE) → local LAN (Ethernet and WiFi clients) → hAP ac2 in station mode on 192.168.2.54 → Ethernet clients on 192.168.88.x
Pretty basic and quite common.

The hAP (192.168.2.254) and the gateway (192.168.2.1) can ping each other fine.
If I try to ping the hAP from my PC (192.168.2.10) it doesn't work.
If I try to ping my mobile phone that sits on the same WiFi as the hAP. From my understanding everything is on the same bridge and there isn't any client isolation.
From my PC I try to ping the hAP, and because there isn't an entry in the ARP table it requests the MAC-IP association from the corresponding endpoint via broadcast.
The hAP doesn't respond to the broadcast messages and the ping fails.
If I ping my PC from the hAP then everything works fine, because my PC responds to the hAP's ARP requests and both ends cache an entry.
That's all cool and dandy until I reboot the PC.
Check the Wireshark snip.
mikrotik-arp-broadcast-fail.JPG
Is a firewall rule needed to allow such traffic?

"If I try to ping my mobile phone that sits on the same WiFi as the hAP." -> ??? Ping from where, and what is the outcome of that ping? Is the PC connected to Ethernet on the ZTE?
"From my understanding everything is on the same bridge and there isn't any client isolation." -> I can't make that conclusion yet. Check the ZTE if you have access.
"From my PC I try to ping the hAP, and because there isn't an entry in the ARP table it requests the MAC-IP association from the corresponding endpoint via broadcast." -> Yes.
"The hAP doesn't respond to the broadcast messages and the ping fails." -> That's too fast a conclusion. Either the ARP request did not reach the hAP, the hAP did not answer, or the answer did not reach the point where you sniff the network. At least check the traffic at the hAP interface. The MikroTik has all the tools to do that.

ARP requests/responses are not handled at the IP level (layer 3). The IP firewall normally will not handle them. It's something at the interface level, and it can be misconfigured there.