genki
March 17, 2022, 9:50pm
Hey Guys,
I want WLAN1 to connect to the wireless network at a cafe and obtain an address via DHCP, etc.; WLAN2 would then act as the AP.
I cannot seem to get WLAN1 to work: I get errors about it being a "Slave" when I try to configure a DHCP client on WLAN1, and although I can connect to the 2G wireless network, the connection then drops.
Can anyone help?
Thanks!!
mar/17/2022 15:46:29 by RouterOS 6.49.4
software id = ESBQ-D6KZ
model = RBD52G-5HacD2HnD
serial number = F66B0F49497F
/interface bridge
add admin-mac=DC:2C:6E:62:01:4C auto-mac=no comment=defconf name=bridge
# Port-less bridge that exists only to be the gateway of the
# protonvpn_blackhole route near the bottom (currently disabled);
# presumably intended as a sink for VPN-marked traffic when the tunnel
# is down -- TODO confirm.
add name=protonvpn_blackhole protocol-mode=none
/interface wireless
# wlan1 is the client side. No mode= is exported, so the RouterOS default
# mode applies, and no security-profile= is given, so the "default" profile
# below (shared with the wlan2 AP) is used for the cafe SSID -- confirm that
# is intended, since it ties the AP passphrase to the cafe's.
set [ find default-name=wlan1 ] disabled=no frequency=auto ssid=Institute-2g
# wlan2 is the AP side; it also uses the "default" security profile.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=Hrvatska5g wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# wpa-psk (WPA1) is still permitted alongside wpa2-psk on both profiles;
# unless a legacy client needs it, wpa2-psk alone is the safer setting.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=Genki-Cellular supplicant-identity=MikroTik
/ip ipsec mode-config
# responder=no: this router is the IKEv2 initiator and requests its tunnel
# address from the peer; the connection-mark ties the mode-config to the
# mangle rules further down.
add connection-mark=under_protonvpn name="ProtonVPN mode config" responder=no
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
# modp1024 is the weakest DH group offered here; drop it if the peer accepts
# modp2048/modp4096. DPD is disabled, so a dead tunnel is not detected by
# IKE keepalives.
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="ProtonVPN profile"
/ip ipsec peer
add address=us.protonvpn.com exchange-mode=ike2 name="ProtonVPN server" profile="ProtonVPN profile"
/ip ipsec proposal
# pfs-group=none: no forward secrecy on child-SA rekeys. lifetime=0s means
# no local child-SA lifetime is enforced -- presumably the peer drives
# rekeying; confirm.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="ProtonVPN proposal" pfs-group=none
/ip pool
add name=dhcp ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# PROBLEM: wlan1 is a bridge port, i.e. a bridge slave. That is the "Slave"
# error seen when adding a DHCP client on wlan1, and it contradicts wlan1's
# WAN membership below. A station interface used as the uplink must not be
# a bridge port -- remove this entry.
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
# wlan1 is WAN here while also being a bridge port above. ether1, which has
# the DHCP client below, is in neither list, so the WAN-keyed masquerade and
# forward-drop rules below do not apply to it.
add comment=defconf interface=wlan1 list=WAN
/ip address
add address=192.168.89.1/24 comment=defconf interface=bridge network=192.168.89.0
/ip dhcp-client
add comment=defconf interface=ether1
# This entry has no interface= at all; it is a stray/incomplete client and
# should be removed.
add disabled=no
/ip dhcp-server network
# LAN clients are handed 10.1.0.1 as their resolver instead of the router
# (192.168.89.1), so client DNS bypasses the router's resolver -- confirm
# 10.1.0.1 is reachable from the LAN.
add address=192.168.89.0/24 comment=defconf dns-server=10.1.0.1 gateway=192.168.89.1 netmask=24
/ip dns
# The router answers DNS from any interface; the "drop all not coming from
# LAN" input rule below is the only thing keeping this from being an open
# resolver, so that rule and the interface lists must stay correct.
set allow-remote-requests=yes
/ip dns static
add address=192.168.89.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.89.0/24 list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Relies on the LAN list. While wlan1 is a bridge port, frames received from
# the cafe network on wlan1 enter as in-interface=bridge (which is LAN) and
# are NOT caught by this rule -- another reason wlan1 must leave the bridge.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# Every LAN source is connection- and routing-marked for the VPN. The only
# route using routing-mark=protonvpn_blackhole is disabled below, so the
# routing mark presumably falls through to the main table at present.
add action=mark-connection chain=prerouting new-connection-mark=under_protonvpn passthrough=yes src-address-list=under_protonvpn
add action=mark-routing chain=prerouting new-routing-mark=protonvpn_blackhole passthrough=yes src-address-list=under_protonvpn
add action=change-mss chain=forward connection-mark=under_protonvpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375
/ip firewall nat
# ipsec-policy=out,none: packets matched by an IPsec policy are not
# masqueraded, so they keep their LAN source address inside the tunnel.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
# The export strips the EAP password but not the username, which is visible
# here; treat it as sensitive when sharing exports. The referenced
# certificate "ProtonVPN CA" must already be imported for this to work.
add auth-method=eap certificate="ProtonVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="ProtonVPN mode config" peer="ProtonVPN server" policy-template-group=ProtonVPN username=DtYVxn4rMF6ZG2il
/ip ipsec policy
# Any-to-any template; the identity's generate-policy=port-strict creates
# the concrete policies from the mode-config reply.
add dst-address=0.0.0.0/0 group=ProtonVPN proposal="ProtonVPN proposal" src-address=0.0.0.0/0 template=yes
/ip route
# Both routes are disabled. The first would act as the VPN kill-switch for
# routing-marked traffic; the second is a static default that the DHCP
# client's own default route makes unnecessary.
add disabled=yes distance=1 gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
add disabled=yes distance=1 gateway=192.168.88.1
/ip service
# telnet and ftp are off. Nothing else under /ip service is changed, so www,
# api, winbox and api-ssl stay at their defaults with no address= restriction;
# the input-chain LAN rule above is their only guard.
set telnet disabled=yes
set ftp disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Denver
/system identity
set name=Tardis
/tool mac-server
# Layer-2 MAC-server access (unencrypted) is allowed from LAN; set to none
# if it is not needed.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
anav
March 17, 2022, 10:07pm
Basically, you want to use the device to get Wi-Fi on one WLAN (let's say the 2.5ghz WLAN), like a client, and then use the 5ghz WLAN to distribute it for your use in the apartment, like an AP.
Should be very doable. In essence, you are using the 2.5 ghz WLAN as a Wi-Fi WAN.
Step 1 - Set up the 2ghz Wi-Fi to connect properly to the establishment's Wi-Fi: SSID, password, etc.
Step 2 - Set up IP DHCP client with interface=<WLAN name> and "add default route" = yes.
Step 3 - Set up the bridge on the device.
++++++++++++++++++++++++++++++++++++++
/ip dhcp-client
add comment=defconf interface=ether1
I think you want the WLAN name here!!!
/ip route
add disabled=yes distance=1 gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
add disabled=yes distance=1 gateway=192.168.88.1
If you set "add default route" in the IP DHCP client, you don't need to add one here.
/tool mac-server
set allowed-interface-list=LAN
Set this to none: the MAC server is not encrypted and so should not be seen as a viable vehicle for router access.
genki
March 18, 2022, 12:45am
Hi Anav,
Thank you for the help; it's working now, but something is still wrong.
I cannot connect over HTTP to the router on 192.168.88.1, but I can SSH in fine.
I think it must be firewall related; I've tried rebooting. Does anything stick out to you?
/ip service print
Flags: X - disabled, I - invalid
NAME PORT ADDRESS CERTIFICATE
0 XI telnet 23
1 XI ftp 21
2 www 80
3 ssh 22
4 XI www-ssl 443 none
5 api 8728
6 winbox 8291
7 api-ssl 8729
/export hide-sensitive
mar/17/2022 18:39:00 by RouterOS 6.49.5
software id = ESBQ-D6KZ
model = RBD52G-5HacD2HnD
serial number = F66B0F49497F
/interface bridge
add admin-mac=DC:2C:6E:62:01:4C auto-mac=no comment=defconf name=bridge
# Port-less bridge used only as the gateway of the (disabled)
# protonvpn_blackhole route near the bottom.
add name=protonvpn_blackhole protocol-mode=none
/interface wireless
# wlan2 is the AP side and uses the "default" security profile below.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=Hrvatska5g wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# wpa-psk (WPA1) is still permitted on all three profiles; wpa2-psk alone is
# the safer setting unless a legacy client needs WPA1.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=Genki-Cellular supplicant-identity=MikroTik
# Dedicated profile for the cafe SSID, so the AP passphrase is no longer
# shared with the client side.
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=Institute-2g supplicant-identity=MikroTik
/interface wireless
# wlan1 is the client side (no mode= exported, so the default mode applies)
# and now has its own security profile and band.
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto security-profile=Institute-2g ssid=Institute-2g
/ip ipsec mode-config
add connection-mark=under_protonvpn name="ProtonVPN mode config" responder=no
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
# modp1024 is the weakest DH group offered; DPD is disabled, so a dead
# tunnel is not detected by IKE keepalives.
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="ProtonVPN profile"
/ip ipsec peer
add address=us.protonvpn.com exchange-mode=ike2 name="ProtonVPN server" profile="ProtonVPN profile"
/ip ipsec proposal
# pfs-group=none: no forward secrecy on child-SA rekeys.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="ProtonVPN proposal" pfs-group=none
/ip pool
add name=dhcp ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# wlan1 is no longer a bridge port, which clears the earlier "Slave" error.
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
# Only ether1 is WAN. wlan1, the actual uplink, is in neither list: the
# WAN-keyed masquerade below does not NAT traffic leaving wlan1, and the
# WAN forward-drop rule does not cover it. The input "!LAN" drop still
# applies to wlan1 because it is not LAN. Add wlan1 to WAN.
add interface=ether1 list=WAN
/ip address
# The router's LAN address is 192.168.89.1; the post above tries HTTP on
# 192.168.88.1, which is only the gateway of a disabled static route below.
add address=192.168.89.1/24 comment=defconf interface=bridge network=192.168.89.0
/ip dhcp-client
# This entry has no interface= at all; stray/incomplete, remove it.
add disabled=no
# Two active clients: if both ether1 and wlan1 obtain a lease, each installs
# its own default route (default add-default-route) and they compete --
# confirm the intended priority.
add disabled=no interface=wlan1
add disabled=no interface=ether1
/ip dhcp-server network
# LAN clients are handed 8.8.8.8 directly, so their DNS bypasses the router
# (and therefore any VPN policy applied at the router).
add address=192.168.89.0/24 comment=defconf dns-server=8.8.8.8 gateway=192.168.89.1 netmask=24
/ip dns
# The router resolves for any interface; the input-chain "!LAN" drop rule
# is what prevents this from being an open resolver.
set allow-remote-requests=yes servers=10.7.7.1
/ip dns static
add address=192.168.89.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.89.0/24 list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# disabled=yes: new inbound connections arriving on WAN toward the LAN are
# no longer dropped in the forward chain. Re-enable once the WAN list holds
# the real uplink (wlan1).
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
# Still the last rule of the input chain (the forward rules in between
# belong to a different chain), so ordering within input is unchanged.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall mangle
# All LAN sources get the VPN connection/routing marks; the only route using
# routing-mark=protonvpn_blackhole is disabled below.
add action=mark-connection chain=prerouting new-connection-mark=under_protonvpn passthrough=yes src-address-list=under_protonvpn
add action=mark-routing chain=prerouting new-routing-mark=protonvpn_blackhole passthrough=yes src-address-list=under_protonvpn
add action=change-mss chain=forward connection-mark=under_protonvpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375
/ip firewall nat
# Keyed on the WAN list, so it does not apply to wlan1 as currently listed.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
# hide-sensitive strips the EAP password but not the username shown here;
# treat it as sensitive when sharing exports.
add auth-method=eap certificate="ProtonVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="ProtonVPN mode config" peer="ProtonVPN server" policy-template-group=ProtonVPN username=DtYVxn4rMF6ZG2il
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal="ProtonVPN proposal" src-address=0.0.0.0/0 template=yes
/ip route
# Both disabled; the DHCP clients supply the default route.
add disabled=yes distance=1 gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
add disabled=yes distance=1 gateway=192.168.88.1
/ip service
# Per the /ip service print above, www (80), api, winbox and api-ssl remain
# enabled with no address= restriction and www-ssl has no certificate; the
# input-chain LAN rule is their only guard.
set telnet disabled=yes
set ftp disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Denver
/system identity
set name=Tardis
/tool mac-server
# Unencrypted Layer-2 management still allowed from LAN (the reply above
# suggests none).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
anav
March 18, 2022, 1:17am
Not sure why you missed this in my first post??
/ip dhcp-client
add comment=defconf interface=ether1
I think you want the WLAN name here!!!
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
Ether1 is not providing you any WAN??? It should be:
add interface=wlan1 list=WAN
genki
March 18, 2022, 1:51am
Hi Anav,
I wanted to have ether1 as an alternative, so that if I physically connected ether1 to an Internet connection it would act as the WAN; if unconnected, WLAN1 would act as the WAN.
But I deleted ether1 from the DHCP client and also from the WAN interface list, and after a reboot I can access the router via HTTP again.
That fixed it. You are the man, thanks!
Updated config - for future forum readers.
# NOTE: this paste was mangled by the forum: straight quotes became
# typographic quotes (“ ”) and three long statements were wrapped onto two
# lines (marked below). Repair both before re-importing this export.
/interface bridge
add admin-mac=DC:2C:6E:62:01:4C auto-mac=no comment=defconf name=bridge
# Port-less bridge used only as the gateway of the (disabled)
# protonvpn_blackhole route near the bottom.
add name=protonvpn_blackhole protocol-mode=none
/interface wireless
# wlan2 is the AP side (default security profile). The next two lines are
# ONE statement, wrapped after "mode=".
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=
ap-bridge ssid=Hrvatska5g wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# wpa-psk (WPA1) is still permitted on all profiles; wpa2-psk alone is the
# safer setting unless a legacy client needs WPA1.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=Genki-Cellular supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=Institute-2g supplicant-identity=MikroTik
/interface wireless
# wlan1 is the client side with its own profile; no mode= exported, so the
# default mode applies.
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto security-profile=Institute-2g ssid=Institute-2g
/ip ipsec mode-config
add connection-mark=under_protonvpn name=“ProtonVPN mode config” responder=no
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
# modp1024 is the weakest DH group offered; DPD is disabled, so a dead
# tunnel is not detected by IKE keepalives.
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=“ProtonVPN profile”
/ip ipsec peer
add address=us.protonvpn.com exchange-mode=ike2 name=“ProtonVPN server” profile=“ProtonVPN profile”
/ip ipsec proposal
# pfs-group=none: no forward secrecy on child-SA rekeys.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name=“ProtonVPN proposal” pfs-group=none
/ip pool
add name=dhcp ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
# Contrary to the post text, ether1 is still the only WAN member here and
# wlan1 is in neither list. The WAN-keyed masquerade and forward-drop rules
# below therefore do not cover wlan1 -- confirm against the live config and
# add wlan1 to WAN.
add interface=ether1 list=WAN
/ip address
add address=192.168.89.1/24 comment=defconf interface=bridge network=192.168.89.0
/ip dhcp-client
# The stray interface-less client is gone. ether1's client is still present
# despite the post saying it was deleted; with both active, whichever gets a
# lease installs a default route.
add disabled=no interface=wlan1
add disabled=no interface=ether1
/ip dhcp-server network
# LAN clients are handed 10.1.0.1 as resolver while the router itself uses
# 10.7.7.1 below -- confirm 10.1.0.1 is reachable from the LAN.
add address=192.168.89.0/24 comment=defconf dns-server=10.1.0.1 gateway=192.168.89.1 netmask=24
/ip dns
# The router resolves for any interface; the input-chain "!LAN" drop rule
# is what prevents this from being an open resolver.
set allow-remote-requests=yes servers=10.7.7.1
/ip dns static
add address=192.168.89.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.89.0/24 list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
# Still disabled=yes: new inbound connections from WAN toward the LAN are not
# dropped in the forward chain. Re-enable once the WAN list is correct. The
# next two lines are ONE statement, wrapped before "in-interface-list=WAN".
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new disabled=yes
in-interface-list=WAN
# Last rule of the input chain; guards the management services and the DNS
# resolver from non-LAN interfaces.
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
/ip firewall mangle
# All LAN sources get the VPN marks; the only routing-marked route is
# disabled below.
add action=mark-connection chain=prerouting new-connection-mark=under_protonvpn passthrough=yes src-address-list=under_protonvpn
add action=mark-routing chain=prerouting new-routing-mark=protonvpn_blackhole passthrough=yes src-address-list=under_protonvpn
add action=change-mss chain=forward connection-mark=under_protonvpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375
/ip firewall nat
# Keyed on the WAN list; as exported it does not apply to wlan1.
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
# The EAP username is exported in clear (hide-sensitive only strips the
# password); treat it as sensitive. The next two lines are ONE statement,
# wrapped after "peer=".
add auth-method=eap certificate=“ProtonVPN CA” eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=“ProtonVPN mode config” peer=
“ProtonVPN server” policy-template-group=ProtonVPN username=DtYVxn4rMF6ZG2il
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=“ProtonVPN proposal” src-address=0.0.0.0/0 template=yes
/ip route
# Both disabled; the DHCP clients supply the default route.
add disabled=yes distance=1 gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
add disabled=yes distance=1 gateway=192.168.88.1
/ip service
# telnet, ftp and now winbox are off; www (80), api and api-ssl are left at
# defaults with no address= restriction, guarded only by the input rule.
set telnet disabled=yes
set ftp disabled=yes
set winbox disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Denver
/system identity
set name=Tardis
/tool mac-server
# MAC telnet disabled as advised above.
set allowed-interface-list=none
/tool mac-server mac-winbox
# MAC-winbox is still allowed from LAN; set to none as well if unused
# (winbox itself is disabled under /ip service above).
set allowed-interface-list=LAN