Help with HEX and MESH Router

Hi.

I have HEX as my primary network, PPPoE, DHCP, etc. I have a Redmi AX6 in AP mode connected via cable to the Redmi AX5, forming a Mesh network. The AX6 is connected to HEX.

The problem is that when I'm connected via Wi-Fi on the AX6 and go to the AX5, the internet works fine. However, when I return to the AX6, the internet stops working and then comes back after a while. The connection doesn't drop in any way, but the internet doesn't work. I believe something is blocking the return path on the Mikrotik.

Does anyone have any tips? Thanks in advance.

You would probably be better off asking this question on the Redmi forum.

Why is the AX5 not connected to the hEX?

Maybe it is a requirement for cabled backhaul that these two mesh APs be directly connected to each other.

Hence the question. Still, MESH implies wireless backhaul.

I only know these TP-Link Decos and they are advertised as the typical "mesh" product. They can have a cable and/or wireless backhaul. IIRC some models even support both at the same time.

Because it's a Mesh network, the AX6 and AX5 are connected to each other, forming a single mesh network. I only need to connect one of them to the HEX, but the Mikrotik blocks the internet when I leave a point and after returning to that point. So the problem isn't with Redmi; the connection never drops, but I still lose internet. After some research, I found something about ARP in Mikrotik, but I haven't found the correct configuration yet.

In that case…show us the config:

/export file=anynameyoulike

Remove serial and post between Preformatted text tags by using the </> button.

And I agree…marketing totally s*cks, especially when it comes to “Mesh”.

# 2025-10-10 07:50:36 by RouterOS 7.20
# software id = Q3V6-LX3A
#
# model = E50UG
# serial number = 
/interface bridge
add name=bridge-rede-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-fibra-giga
set [ find default-name=ether2 ] name=ether2-rede-local
set [ find default-name=ether3 ] name=ether3-rede-local
set [ find default-name=ether4 ] name=ether4-rede-local
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-fibra-giga name=\
    pppoe-cliente-giga user=
/interface wireguard
add listen-port=51820 mtu=1420 name=wg-vps
/ip pool
add name=dhcp_pool0 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-rede-local lease-time=1w30m \
    name=dhcp1
/interface bridge port
add bridge=bridge-rede-local interface=ether2-rede-local
add bridge=bridge-rede-local interface=ether3-rede-local
add bridge=bridge-rede-local interface=ether4-rede-local
/ip neighbor discovery-settings
set discover-interface-list=none
/interface wireguard peers
add allowed-address=10.10.10.1/32 endpoint-address=138.132.207.7 \
    endpoint-port=51820 interface=wg-vps name=vps persistent-keepalive=25s \
    public-key="cxwAgTzza3of5bHWjowgT3ouDoV7wJDouZOP9Bd1snx="
/ip address
add address=192.168.10.1/24 interface=bridge-rede-local network=192.168.10.0
add address=10.10.10.2/24 interface=wg-vps network=10.10.10.0
add address=192.168.18.2/24 interface=ether1-fibra-giga network=192.168.18.0
/ip dhcp-client
add default-route-tables=main disabled=yes interface=ether5 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=10.10.10.1
/ip firewall address-list
add address=192.168.10.244 list=rede-suporte
/ip firewall filter
add action=accept chain=input comment=\
    "ACEITA CONEX\D5ES ESTABELECIDAS OU RELACIONADAS" connection-state=\
    established,related
add action=accept chain=input comment="ACEITA LAN DO MIKROTIK" in-interface=\
    bridge-rede-local
add action=accept chain=input comment="ACEITA REDE SUPORTE" src-address-list=\
    rede-suporte
add action=accept chain=input comment="ACEITA 50 PACOTES DE ICMP POR SEGUNDO" \
    limit=50,5:packet protocol=icmp
add action=add-src-to-address-list address-list=pre-rede-suporte \
    address-list-timeout=5s chain=input comment=\
    "PEGA IP PARA PRE REDE SUPORTE" dst-port=5738 protocol=tcp
add action=add-src-to-address-list address-list=rede-suporte \
    address-list-timeout=4h chain=input comment="PEGA IP PARA REDE SUPORTE" \
    dst-port=7258 protocol=tcp src-address-list=pre-rede-suporte
add action=drop chain=input comment="DROP GERAL"
add action=accept chain=forward comment="Forward established/related" \
    connection-state=established,related
add action=accept chain=forward comment="ACEITA LAN DA WAN" src-address=\
    192.168.10.0/24
add action=accept chain=forward comment="ACEITA LAN DO WIREGUARD" \
    src-address=10.10.10.0/24
add action=accept chain=forward comment="Allow DNS to Pi-hole" dst-address=\
    10.10.10.1 dst-port=53 protocol=udp src-address=192.168.10.0/24
add action=accept chain=forward comment="Allow DNS TCP to Pi-hole" \
    dst-address=10.10.10.1 dst-port=53 protocol=tcp src-address=\
    192.168.10.0/24
add action=drop chain=forward comment="DROP FORWARD" connection-state=""
add action=accept chain=output comment="ACEITA NTP" dst-port=123 \
    out-interface=pppoe-cliente-giga protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment=MASQUERADE out-interface=\
    pppoe-cliente-giga
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set winbox port=6470
set api disabled=yes
set api-ssl disabled=yes
/ipv6 dhcp-client
add default-route-tables=main interface=pppoe-cliente-giga pool-name=pool-v6 \
    request=prefix use-peer-dns=no
/ipv6 firewall filter
add action=accept chain=input comment="Allow established/related input" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid input" connection-state=\
    invalid
add action=accept chain=input comment="Allow ICMPv6 (ping, ND, RA)" protocol=\
    icmpv6
add action=accept chain=input comment="Allow DHCPv6 client replies" dst-port=\
    546 protocol=udp src-port=547
add action=drop chain=input comment="Drop all other WAN IPv6 input" \
    in-interface=pppoe-cliente-giga
add action=drop chain=input comment="Drop all other IPv6 input"
add action=accept chain=forward comment="Allow established/related forward" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid forward" \
    connection-state=invalid
add action=accept chain=forward comment="Allow ICMPv6 forwarding" protocol=\
    icmpv6
add action=accept chain=forward comment="Allow IPv6 traffic from WAN to LAN" \
    in-interface=pppoe-cliente-giga
add action=accept chain=forward comment="Allow IPv6 traffic from LAN to WAN" \
    out-interface=pppoe-cliente-giga
add action=drop chain=forward comment="Drop all other IPv6 forward"
/system clock
set time-zone-name=America/Sao_Paulo
/system ntp client
set enabled=yes
/system ntp client servers
add address=a.ntp.br
/system package update
set channel=testing

Two things you can change:

/interface bridge
add name=bridge-rede-local

To:

/interface bridge
add name=bridge-rede-local disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;

(where you can change auto-mac=yes to admin-mac=00:11:22:33:44:55 → change to correct MAC Address and protocol-mode=rstp to protocol-mode=none)

And

/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-rede-local lease-time=1w30m \
    name=dhcp1

To:

/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-rede-local lease-time=8h \
    name=dhcp1

At least give it a try.

I made the suggested changes, but to no avail.

EDIT:

Thanks! Since I didn't know what else to do, I used your question from the other post about why not connect the AX5 directly to the HEX. I connected the AX5 directly to the HEX and initially it worked correctly, and the Mesh network was unaffected. The only problem is that the AX6, which is in AP mode, doesn't appear in Leases, only the AX5. Thanks again.