hAP Lite, recoverable??

Hello all,
(I had an enquiry a few days ago http://forum.mikrotik.com/t/management-access-to-ptp-link/181492/1 may be background but that is sorted with a new unit working fine now).
Can I recover my old (2019 purchase) unit?
I do not have a Windows machine available without going borrowing…
SO I got Winbox 4 on my M1 mini, disconnect ethernet M1<>hAP <> www) & connect to internet via the new hAP wifi for reference etc and..
connect Ethernet cable from M1 mini to Ether 2 (and then ether5) of the old unit.
This old unit had at least 5 resets of various and all done when I was trying to get it working 12(?) days ago but none seems to get me a wifi interface back and hence I purchased a new unit and focussed on that.

NOW WinBox 4 sees 2 devices, the new and the old 2019 hAP Lites.
Winbox connects fine to the new unit…
If I try to connect to the old 2019 unit there is a short delay and a red error message

ERR could not connect. MacConnection syn timeout

Wireshark shows a few interactions so there is some sort of life…
I’m not sure what is the most readable output but from a brief look this text export format may be OK:

QUESTION1: WHAT SHOULD I TRY NEXT?
Q2: can I do that from an Apple M1 mini or is windows / Linux required? If so is a VM running in UTM workable (Win 11 or Llnux)?

If you need more packets or different diagnostic infos please suggest away.

Thanks in advance!

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       Routerboardc_2c:e2:5f Spanning-tree-(for-bridges)_00 STP      60     RST. Root = 32768/0/b8:69:f4:2c:e2:5b  Cost = 0  Port = 0x8005

Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
IEEE 802.3 Ethernet 
Logical-Link Control
Spanning Tree Protocol

No.     Time           Source                Destination           Protocol Length Info
      2 0.497709       0.0.0.0               255.255.255.255       CAPWAP-Control 62     CAPWAP-Control - Unknown Message Type (0x10010000)

Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Ethernet II, Src: Routerboardc_2c:e2:5b (b8:69:f4:2c:e2:5b), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 51259, Dst Port: 5246
Control And Provisioning of Wireless Access Points - Control

No.     Time           Source                Destination           Protocol Length Info
      3 0.497823       EquipTrans_04:00:02   Multitech_00:00:00    802.11   60     Association Request, SN=0, FN=0, Flags=........, SSID=Wildcard (Broadcast)

Frame 3: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: Routerboardc_2c:e2:5b (b8:69:f4:2c:e2:5b), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
LWAPP Encapsulated Packet
IEEE 802.11 Association Request, Flags: ........
IEEE 802.11 Wireless Management

No.     Time           Source                Destination           Protocol Length Info
      4 1.718640       0.0.0.0               255.255.255.255       DHCP     342    DHCP Discover - Transaction ID 0x1d0eb0c6

Frame 4: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits)
Ethernet II, Src: Routerboardc_2c:e2:5b (b8:69:f4:2c:e2:5b), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 68, Dst Port: 67
Dynamic Host Configuration Protocol (Discover)

No.     Time           Source                Destination           Protocol Length Info
      5 2.001366       Routerboardc_2c:e2:5f Spanning-tree-(for-bridges)_00 STP      60     RST. Root = 32768/0/b8:69:f4:2c:e2:5b  Cost = 0  Port = 0x8005

Frame 5: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
IEEE 802.3 Ethernet 
Logical-Link Control
Spanning Tree Protocol

No.     Time           Source                Destination           Protocol Length Info
      6 4.003525       Routerboardc_2c:e2:5f Spanning-tree-(for-bridges)_00 STP      60     RST. Root = 32768/0/b8:69:f4:2c:e2:5b  Cost = 0  Port = 0x8005

Frame 6: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
IEEE 802.3 Ethernet 
Logical-Link Control
Spanning Tree Protocol

No.     Time           Source                Destination           Protocol Length Info
      7 6.005682       Routerboardc_2c:e2:5f Spanning-tree-(for-bridges)_00 STP      60     RST. Root = 32768/0/b8:69:f4:2c:e2:5b  Cost = 0  Port = 0x8005

Frame 7: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
IEEE 802.3 Ethernet 
Logical-Link Control
Spanning Tree Protocol

No.     Time           Source                Destination           Protocol Length Info
      8 6.087126       Apple_3e:4b:8e        Broadcast             ARP      42     Who has 169.254.255.255? Tell 169.254.104.22

Frame 8: 42 bytes on wire (336 bits), 42 bytes captured (336 bits)
Ethernet II, Src: Apple_3e:4b:8e (14:98:77:3e:4b:8e), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

No.     Time           Source                Destination           Protocol Length Info
      9 6.910687       0.0.0.0               255.255.255.255       DHCP     342    DHCP Discover - Transaction ID 0x1ca90fc3

Frame 9: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits)
Ethernet II, Src: Apple_3e:4b:8e (14:98:77:3e:4b:8e), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 68, Dst Port: 67
Dynamic Host Configuration Protocol (Discover)

If you got a version above 7.13 on there, you need might need to install the “wireless” package if the interface is missing.

hAP Lite doesn’t support the “wifi” drivers and menu. Only the old wireless ones.


EDIT: apparently i got confused an the device isnt working at all?

If there’s ROS7 on there, you might need to let it sit for 10 Minutes before trying to connect. At least my hap lite is like that with 7.15.3 on there

I think it has 6.49.10 (both from my notes of the update and from the WinBox 4 info).
I have left it for 23 hours right now.
During the urgent “get me back online” hours I may have only given it a few minutes before trying a different reset…

Yes, this device is almost completely NOT working but there are some Ethernet packet exchanges as captured in my first post above…

I also found useful info on bricked/deficient units on MKT forum:

Another random bit of generic advice is to use a new power adaptor that meets the voltage and power requirements of hAP ac². The quality of the output of power adaptors decreases over time as the capacitors in them dry out and lose their filtering capacity.

As for assessment of the state of the router itself, a good guide is the behavior of the USR LED when you connect the power and press the reset button - if it first lights up, then flashes once per second for about 5 seconds, then lights stead again for another 5 seconds, and then switches off, there is a chance that the at least the bootloader is OK; you can try with pressing the reset button before connecting power (which activates the backup bootloader) and pressing it right after connecting power (which activates the primary bootloader). If none of these ways you get the proper sequence of USR LED behaviors, I’m afraid it needs replacement; if you can get to the end of the sequence but the device does not show up in the list of devices in netinstall once you release the reset button, it makes sense to use the dumb switch in between and double-check you have disabled all the other Ethernet adaptors on the PC running the Netinstall.

I think the light patterns are as they should be, I do not have a dumb switch other than an old Dlink or Belkin wifi router.

I do not think I have what is required to do a Netinstall unless an old Windows NT server could be dragged from its hiding place somewhere (but could probably borrow something newer…)

Try simplifying things first.

Disconnect the old hap lite from your network.

Connect to it (try ports 2-4) directly connected to your computer, disable the wifi on your computer .
Still same MAC connection error?

Try with a dumb switch between the hap lite and your computer. Your old router will be fine, usually they have 4 lan ports that are to all effects a dumb switch, only take care to disable the dhcp server on this old router.
Still same MAC connection error?

Try resetting the hap lite (using the reset button).
Still same MAC connection error?

It could also be an issue of Winbox 4, you can try the winbox-mac (which uses a Winbox 3.41 inside wine):
https://github.com/nrlquaker/winbox-mac

Then, the following attempt would be netinstall.
Again, it can work in macOS inside a VM, but the procedure is already finnicky enough using a “native” OS (Linux or Windows) that there is little chance, in case of failure, to know if the device is definitely bricked or something in the VM/setup is “wrong”.

the old hAP lite is and has been fully isolated
It is only connected (ports 2-5, 5 is the PoE port,) I’ll avoid the PoE Eth 5 just in case, by a patch cable to the Ethernet port of M1 mini

If I click :“Refresh” on WinBox 4 connections page top right the new hAPO Lite appears fast, the old unit takes 30s plus.

Quit and restarted WB4.
New hAP appears 1-2 secs, old unit 30+ secs.
Try connect to old unit, now says in red error message area ERR connection refused.
I will take a Wireshark snapshot of just this process but it seems there are management pockets coming out of the hAP before any connect attempt is made…

OK, Limited time before social activities…
Disconnected wifi on M1 mini, disconnected ethernet path to hAP, rebooted hAP and left a few mins,
put on Wireshark , plugged in patch cable ,

M1 had self assigned an IP 169.254.104.22
hAP says it itself is 0.0.0.0

tried WinBox4 : ERR Connection refused
At least something changed.
I can see there are Dropbox LAN probe packets coming from the M1, that makes sense.

I see some IPv6 and IPv4 attempts to get connection with router, but they seem to fail.
I saw hAP saying it had Ether3>Bridge running

Time to post this and go out…

The hap lite has only 4 ports :
https://mikrotik.com/product/RB941-2nD

So, maybe it is a hap ac lite?
https://mikrotik.com/product/RB952Ui-5ac2nD

Not that it changes much.

The Err:Connection refused is normally the firewall not allowing MAC Winbox connection from the port.

I saw hAP saying it had Ether3>Bridge running

WHAT?


After reset ports 2-4 (or 2-5) should be into a bridge and LAN, thus allowing MAC Winbox connection.

The mention of hAP (yes it is AC model) bridge info was in a Wire3shark packet seen from time to time. Here are 2 summaries as text:

26 19.130082 Routerboardc_2c:e2:5d CDP/VTP/DTP/PAgP/UDLD CDP 100 Device ID: MikroTik Port ID: bridgeLocal/ether3

27 19.130217 Routerboardc_2c:e2:5d LLDP_Multicast LLDP 117 MA/b8:69:f4:2c:e2:5b IN/bridgeLocal/ether3 120 SysN=MikroTik SysD=MikroTik RouterOS 6.49.10 (stable) RB952Ui-5ac2nD

But I am still getting connection refused.
Should I worry about the fact the failing hAP says it is on IP 0.0.0.0 while the operational new one is on a regular 192.168.88.1 ?
(the M1 mini is attached to the new hAP by wifi in most tests as it is a bit invasive to other activities to be disconnecting all the time from www)

I am varying the startup sequence between tests as to what the order of actions is. SO my latest test was (for instance):

Next try: 2 Feb, leaving wifi on M1 with hAP on 192.168.88.1 (might clash?): disconnect cable, shut down Enet on M1, boot hAP, plug in cable, start WS, switch on on M1 ENet, save cap as sess7.
Still got self assigned IP on M1, not connected.
Restart WB, slow to see unit1_2019 appear, WinBox connection refused.

Is there a best practice to follow and any specific observations to make at waypoints along the route?

So your hAP ac lite still has some config but seems not all of it. But who knows which part of config still works (or messes with you).

First option is to perform configuration reset … if that one fails, it’s netinstall time. I’m just mentioning reset because of your “mac only” handicap … I’d go straight for netinstall.

Button functions (including reset):
https://help.mikrotik.com/docs/spaces/ROS/pages/24805498/Reset+Button

Netinstall:
https://help.mikrotik.com/docs/spaces/ROS/pages/24805390/Netinstall

I DO have a circa 1999 Windows NT full server box, any chance that would run the netinstall? (if it will boot up at all, and I have to dig it out from behind many other things).
I agree with the sense in your suggestion that netinstall would be much better and have done so many fruitless attempts at various resets already…
PLUS the reset button is a bit offset from the hole so it is quite easy to slip off it if trying to also hold the box etc etc.

The default configuration for these devices is essentially:

1. ether1 out of the bridge and classified as WAN, with a dhcp client running on it
2. ether2-4 (or 2-5) and wlan into the bridge and classified as LAN
3. mac winbox allowed on LAN
4. firewall rule preventing access from anything different from LAN
5. a default address on the bridge of 192.168.88.1
6. a dhcp server on bridge giving out addresses in the 192.168.88.0/24 range
   
   
   If, for whatever reason, your device lost or changed items #2, #3 and/or #4 of that configuration, winbox will see it but not be able to connect to it.

Since you got an APIPA address and Winbox sees the device as 0.0.0.0 clearly items #5 and #6 are not working/running, but it is fine nothing to worry, it could have simply lost that part of the configuration.

All in all the device seems functional (since winbox sees it and wireshark cathches that multicast on ether3/bridge).

In theory a reset should restore the initial configuration, hence it is the thing to try first, and if it doesn’t work then you will have to go the trouble of netinstalling.

Again, stop fiddling with connecting the device to anything else but your PC (directly or through a dumb switch), connecting it to your existing network in the best case won’t change anything, in the worse it will create conflicts, if your other ap is 192.168.88.1, the default configuration (if you manage to restore it via reset or netinstall) will create an IP conflict, and you will have also two dhcp servers on the network.

NT (server) was a great OS (I had one of those running for more than 20 years 24/7), but I doubt that it can run netinstall or can run some recent version of Linux because of the limited resources.

You’ll have to press that button to get your device into netinstall mode … and that involves prolonged depression of button. So you can start practicing

As to netinstall machine: if you have access to a x86 laptop (regardless OS), you can try to boot it off a live linux USB stick … with second stick containing netinstall for linux executable. Since you’ll boot it off USB and that doesn’t touch built-in drive, you could even borrow such machine (e.g. from unsuspecting neighbour).

IS there a way to place netinstall files on USB drive (FAT I assume), plug into hAP AC Lite and then set it to default install from there (I have no communication to issue any commands as yet).

No.

I want to say a big THANK YOU for all the patient help and support so far…

(I’m not giving up yet as I hate ditching old gear that probably works).
I hope this also helps someone else in a similar situation and hope to be able to post an update with a final outcome (ideally success!).

Any info on what happens if I initiate a reset or netinstall and have to give up for some reason or power goes off…
And if I start netinstall and hit a snag are there best and worst ways out of this? (ie just power off OR never just power off if…)?

I don’t think that there will be issues (but you never know).
Of the two the reset might be (in theory) more prone to failure if a blackout occurs while doing it (because of possible write errors on the flash chip).
The netinstall essentially is telling the Ros bootloader to boot from an external server (the computer running netinstall) instead of the built-in flash chip.
And there are two bottloaders, the main one and the spare one, so it is improbable that anything not reversible can happen, the bootloader itself is not overwritten.
In case of a snag in netinstall I would wait a few minutes (maybe the netinstall seemingly froze but it is actually worlkng) and then power off the router