hAP ax3: change default internet port ether1 to ether2

Hello,

Total beginner here. I just bought hAP ax3. I have connected it to internet via ether1 port and it works fine. Now I realized that I will have to connect cAP ax via ether1 as this is the only port that has PoE to power it (cAP ax) up. So I thought that I will just connect internet cable to ether2 and keep ether1 for cAP ax. Unfortunately internet does not work anymore.

Can you please help me and explain what I need to change in config so that hAP ax3 would connect with internet over ether2?

Connect PC to ether3
Connect using Winbox
Change Interface List WAN → remove ether1, add ether2
Change Interface list LAN → remove ether2, add ether1
Change bridge ports → remove ether2, add ether1
IP DHCP Client: change client to ether2
And that should be it.

Reboot router to be sure (firewall will otherwise remember for a while old connection settings and things might not work right away).

If that doesn’t work, please provide more info on how your AX3 is connected to ISP device and maybe also export of config.

Before you follow these steps (which are explained quite well!):

The eth1 is a PoE in port, you will have to connect the cAP AX to eth5 of the hAP AX3 to have it powering the cAP AX.

The ether1 is PoE-Out on the Ax3:
https://mikrotik.com/product/hap_ax3

PoE-out
Details
PoE-out ports Ether 1
PoE out Passive PoE
Max out per port output (input 18-30 V) 0.625 A
Max total out (A) 0.625 A
Total output current 0.625
Total output power 15

The AC3 has it on port 5:
https://mikrotik.com/product/hap_ac3

PoE-out
Details
PoE-out ports Ether5
PoE out Passive PoE
Max out per port output (input 18-30 V) 0.5 A
Max total out (A) 0.5 A

The hidden point here is that before you start configuring anything, have a plan.
The plan should start with a detailed network diagram (and in this case would have shown the issue prior to changes on the router).

I knew that :laughing:
One of the comments I had when I first got AX3.

I have some installations with AC3 powering other stuff and all of a sudden it was changed to ether1 with AX3.

This is the key thing to look for:
POE IN and POE OUT and 2.5G, all on ether1.

Thanks for the instructions!!!

This is my current, default MikroTik setup:
MT_BRIDGE.jpg
No LAN entries with ether1 or ether 2. Shall I delete the marked line with ether1?

MT_INTLIST.jpg
No entry for ether1. Shall I just delete that marked entry for ether2?

MT_IDDHCP.jpg
DHCP Client is not enabled and points to ether1. Shall I change to ether2 and enable it?

My apologies, I have never seen that eth1 is a combined port.

Change ether1 to ether2

No entry for ether1. Shall I just delete that marked entry for ether2?

Change ether2 to ether1

DHCP Client is not enabled and points to ether1. Shall I change to ether2 and enable it?

Yes

My apologies, I have never seen that eth1 is a combined port.

Yep :slight_smile: , and of course which port has PoE IN is not specified on the Ax3 page, probably it is left as an exercise for the reader.

The sad news (OT but not much) are that this sloppy way to document devices and their features is becoming very common, the last few days I had to fight (and for the moment I lost, but it isn’t over yet :wink: ) with a SHARP TV which had on paper (ok, mistake of the seller, the original SHARP product page is actually accurate) an audio out port for earphones, but once it arrived it has none, audio out is via coaxial (ok) but physically on the device one of the HDMI ports is marked HDMI/ARC and this is nowhere written, not on the brochure, not on the technical details page, not on the manual, not on the “Technical leaflet in the accessories bag”. I do have a DAC, but I am missing a RCA/Coaxial cable. I ordered anyway also an ARC audio extractor device to see if the HDMI/ARC actually works.

One more question - I do not have to change anything in Quick Set? Right now that MAC Address seems to point to ether1:
MT_QS.jpg

Never ever touch QuickSet (unless the device is reset to defaults).

It did not work. Here is my setup after applying these changes:
MT_IDDHCP2.jpg
MT_BRIDGE2.jpg
MT_INTLIST2.jpg
I took a look at IP addresses (after the changes) and is this OK?
MT_IP3.jpg
MT_IP2.jpg
MT_IP1.jpg
And it seems it automatically replaced IP addresses on the QuickSet view:
MT_IP4.jpg
Internet provider instructed me that the Internet IP should be 10.221.215.2

Shall I change some more settings to make it working?

I did use it for the initial setup of the router. I have just entered these values here and applied the settings:

The advice is to NOT touch Quickset anymore, not even for viewing its current settings.
It is time you start evolving from absolute beginner, read this post:
http://forum.mikrotik.com/t/forum-rules/173010/1
and follow the instructions and post your full configuration.
There is something “wrong” in the IP address you have on ether1 (being now part of the bridge it should not have its own IP) which might or might not be part of the issue, but depending on how it was assigned (via Quickset) it could have set something else.

First of all, instead of web interface download WINBOX and use it for configuration, it is much more efficient than webUI.
Second thing, to avoid mismatch, in your place I would rather use ETH5 as WAN port, instead of ETH2.
In such, you will always know that 1-4 is LAN and 5 WAN :wink:

I think I managed to set it up. I have reset the config and started from scratch via winbox (no Quick Set this time).
I have set it up on ether5.
So I changed the following:
Interface List WAN → replaced ether1 with ether5
bridge ports → replaced ether5 with ether1
IP DHCP Client: change client to ether5

I have also added the internet provider required setup (IP address, gateway).
It seems to work fine.
Can you please check the setup if I am missing something or maybe I can improve anything?

# 2024-11-22 06:19:30 by RouterOS 7.16.1
# software id = 
#
# model =
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add country=Poland disabled=no name=cfg1 security.authentication-types=\
    wpa2-psk,wpa3-psk ssid=gromek
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration=cfg1 configuration.mode=ap \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration=cfg1 configuration.mode=ap \
    disabled=no security.ft=yes .ft-over-ds=yes
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.221.215.2/24 interface=ether5 network=10.221.215.0
/ip dhcp-client
add comment=defconf interface=ether5
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.221.215.1 routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It looks mostly fine to me :slight_smile: , the only thing you should re-check is:

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.221.215.2/24 interface=ether5 network=10.221.215.0
/ip dhcp-client
add comment=defconf interface=ether5

ether5 has both a static address and a dhcp client running.

Open a terminal and issue the command:

/ip address print

Cannot say if ether5 gets two addresses or not; in any case (and your ISP modem/router settings are involved in this) if there is a DHCP server running on the ISP modem/router you don’t need the static address, or vice versa: if there is no DHCP server running you can remove or disable the dhcp client.

If you do not need all 4 ports in the bridge a common advice is to keep a port (unused) outside of the bridge for emergency connection, but it is of minor relevance.
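
Added example (not part of the thread and not MikroTik tooling): a small Python audit of a RouterOS export for the mistakes discussed here, namely an interface with both a static address and an active DHCP client, a bridge port that carries its own IP address, and a WAN-listed port that is still in the bridge. The names parse_export, audit and SAMPLE_EXPORT are assumptions made for this example, and the sample export is constructed to mirror the one posted above.

```python
import re
from collections import defaultdict
# Constructed sample: trimmed export shaped like the one posted in the thread.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.221.215.2/24 interface=ether5 network=10.221.215.0
/ip dhcp-client
add comment=defconf interface=ether5
"""

def parse_export(text):
    """Map each menu path to the key=value dicts of its enabled 'add' lines."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    menus, path = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif path and line.startswith("add "):
            entry = dict(re.findall(r'([\w.-]+)=("[^"]*"|\S*)', line))
            if entry.get("disabled") != "yes":
                menus[path].append(entry)
    return menus

def audit(text):
    """Return findings for the addressing and interface-list mistakes above."""
    menus = parse_export(text)
    def ifaces(path, **match):
        return {e["interface"] for e in menus[path] if "interface" in e
                and all(e.get(k) == v for k, v in match.items())}
    static, dhcp = ifaces("/ip address"), ifaces("/ip dhcp-client")
    ports = ifaces("/interface bridge port")
    wan = ifaces("/interface list member", list="WAN")
    findings = [f"{i}: static address and DHCP client both active"
                for i in sorted(static & dhcp)]
    findings += [f"{i}: bridge port with its own IP address"
                 for i in sorted(static & ports)]
    # A WAN-listed port that is still bridged is switched into the LAN.
    findings += [f"{i}: in WAN list but also a bridge port"
                 for i in sorted(wan & ports)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)) or "no findings")
```

The interface-list check matters because the defconf firewall and masquerade rules in the export match on the WAN and LAN lists rather than on port names, so a port moved between roles must be moved between lists and bridge membership together.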

Thanks a lot for checking!


Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK       INTERFACE
;;; defconf
0   192.168.88.1/24    192.168.88.0  bridge   
1   10.221.215.2/24    10.221.215.0  ether5   
2 D 10.221.215.118/24  10.221.215.0  ether5

After disabling DHCP client it shows like this:

Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS          NETWORK       INTERFACE
;;; defconf
0 192.168.88.1/24  192.168.88.0  bridge   
1 10.221.215.2/24  10.221.215.0  ether5

Yep, but you probably should do the reverse.

Remove the static address and let the DHCP client run.
Since the DHCP server is managed (I believe) by your ISP if they change it (for whatever reason) to another subnet your static assigned address will become m00t.
Moreover the DHCP server will provide other data (DNS) and it will (should) add a default route (which being dynamic normally have distance 1, i.e. have a rather high priority), as well in case of changes your static settings may become invalid.

Try checking “as is” the command:

/ip route print

then
re-enable the dhcp client (leave the static address enabled) and check the routes again.

If you have a dynamic route with distance 1, you can disable the static one you have and then disable also the static address of ether5, as everything will be managed by the DHCP server on the ISP modem/router.

EDIT: corrected wrong distance on dhcp originated routes



Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY       DISTANCE
0  As 0.0.0.0/0        10.221.215.1         1
  DAc 10.221.215.0/24  ether5               0
  DAc 192.168.88.0/24  bridge               0





Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS      GATEWAY       DISTANCE
0  As+ 0.0.0.0/0        10.221.215.1         1
  DAd+ 0.0.0.0/0        10.221.215.1         1
  DAc+ 10.221.215.0/24  ether5               0
  DAc+ 10.221.215.0/24  ether5               0
  DAc  192.168.88.0/24  bridge               0

I should delete this AP address, that I have added manually? So this one here?