Hello everyone!
Started out using a MikroTik hEX S as a replacement for my firewall (I was using OPNsense as a VM in Proxmox, but I found myself not utilizing it that much and wanted something simpler).
Pretty new to networking, so please bear with me. I tried searching this forum and reading the wiki to make as much as I can on my own, but I find myself in a place where what I have is kind of working but I am unsure if I did it the right way.
What I need to achieve:
Connect two hAP ax3 wirelessly, to work as a range extender in order to:
- (main reason) connect my main pc from the second hax3
- have broader wifi range in the flat
- I am in a situation, where I cannot wire an ethernet cable to the second ax3 (as well as my main pc), so I need to connect the ‘main’ and ‘secondary’ hax3 together so they act as one ‘mesh/ap’. That is actually the sole reason I purchased these ax3 devices, as I needed a way to have a good internet connection (without the possibility to have direct cable to my main PC).
basically this:
[hex S]—[ax3]-( )-[ax3]—[PC]
My setup visualized:
What I tried / achieved so far:
- I set up the hEX S successfully (hopefully the firewall rules are good) and everything is working fine at the router part.
- At first I thought I need to use CAPsMAN to connect these devices, then I found that the hEX S and ax3 won't work properly together because the hEX S is a different architecture.
- So I then tried just bridging the connections to the "main" ax3, and then using that as the CAPsMAN and connecting the other, "secondary" ax3 as a CAP. I was kind of successful with that, but it worked only when the CAP was actually wired; I never got it working wirelessly, so I dismissed the whole CAPsMAN setup, factory reset and started again.
- From the wiki, I put together that the first, "main" ax3 (which is connected to the router directly via cable) needs to be in AP mode, and then I can connect the "secondary" ax3 wirelessly by setting the mode to 'station-bridge':
https://wiki.mikrotik.com/wiki/Manual:Wireless_Station_Modes
- The setup is kind of working; what I mean by this is that my main PC is getting the internet connection as desired, but the speeds are not what I am hoping for. I am getting 300-400Mbps (I have a 1000Mbps connection).
- I initially purchased ASUS AX3000 v2 units, put one in AP mode and paired the second via their mesh system. I am getting 600-700Mbps with that setup (but losing the ability to do VLANs and stuff; that's why I would like to have these MikroTiks).
- For some reason I am only getting the 2GHz wifi network up and running and cannot set up the 5GHz (this is the reason I believe why the speeds are lower). I have some leftover configs of VLANs and IP ranges on the hEX S (I was also trying UniFi APs, which I set up and tested, but I was not satisfied with the speeds there). These same VLANs I would like to then use.
- I would like to have separate VLANs on the "main" ax3 AP (the one which is wired to the router) so that I can create different wifi networks (guest, IoT, etc.), but as soon as I start a DHCP server there, everything fails and I am not able to get any internet.
My questions:
- Is this the correct way to approach my problem?
- Are the firewall rules good (meaning there is not something really stupid or something crucial missing)?
- If I would then want to use VLANs with this setup to segregate the network, where would I set the VLANs up (on the hEX S [router], or the ax3 "main" [connected to router])? I apologize for asking such detailed questions, but I am really lost here.
Config / Versions / Packages:
hAP ax3 - both on 7.15 + installed ‘wifi-qcom’ (7.15) package on both
hEX S - 7.15 + got the ‘wireless’ (7.15) package
hEX S:
# 2024-06-07 22:36:37 by RouterOS 7.15
# software id = UX6N-2IKW
#
# model = RB760iGS
# serial number = HG809Y1Y1NN
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2472 name=channel11
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2442 name=channel6
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5200 name=\
channel40
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5240 name=\
channel48
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5300 name=\
channel60
/interface bridge
add ingress-filtering=no name="LAN - Local" port-cost-mode=short \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[WAN]"
/interface wireguard
add listen-port=13249 mtu=1420 name=wireguard1
/interface vlan
add interface="LAN - Local" name=vLAN10-intranet vlan-id=10
add interface="LAN - Local" name=vLAN20-IoT vlan-id=20
add interface="LAN - Local" name=vLAN30-guest vlan-id=30
add interface="LAN - Local" name=vLAN254-mgmnt vlan-id=254
/caps-man datapath
add bridge="LAN - Local" name=datapath1
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security1
/caps-man configuration
add country="czech republic" datapath=datapath1 mode=ap name=cfg1 security=\
security1 ssid=omgwtflol_X
/interface list
add name=admin
add name=WAN
add name="Guest + IoT"
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_lan ranges=192.168.0.50-192.168.0.199
add name=dhcp_intra ranges=192.168.10.100-192.168.10.200
add name=dhcp_IoT ranges=192.168.20.100-192.168.20.200
add name=dhcp_guest ranges=192.168.30.100-192.168.30.200
add name=dhcp_mngmnt ranges=192.168.254.100-192.168.254.200
/ip dhcp-server
add address-pool=dhcp_lan interface="LAN - Local" lease-time=8h name=dhcp_lan
add address-pool=dhcp_intra interface=vLAN10-intranet lease-time=8h name=\
dhcp_intra
add address-pool=dhcp_IoT interface=vLAN20-IoT lease-time=8h name=dhcp_IoT
add address-pool=dhcp_guest interface=vLAN30-guest lease-time=8h name=\
dhcp_guest
add address-pool=dhcp_mngmnt interface=vLAN254-mgmnt lease-time=8h name=\
dhcp_mgmt
/port
set 0 name=serial0
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface="LAN - Local"
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 name-format=\
prefix name-prefix=omg_
/interface bridge port
add bridge="LAN - Local" ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge="LAN - Local" ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge="LAN - Local" ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge="LAN - Local" ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set rp-filter=strict
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge="LAN - Local" tagged="ether5,LAN - Local" vlan-ids=10
add bridge="LAN - Local" tagged="ether5,LAN - Local" vlan-ids=20
add bridge="LAN - Local" tagged="ether5,LAN - Local" vlan-ids=30
add bridge="LAN - Local" tagged="ether5,LAN - Local" vlan-ids=254
/interface list member
add interface=ether4 list=admin
add interface="ether1[WAN]" list=WAN
add interface=vLAN254-mgmnt list=admin
add interface=vLAN20-IoT list="Guest + IoT"
add interface=vLAN30-guest list="Guest + IoT"
add interface=vLAN10-intranet list=LAN
add disabled=yes interface="LAN - Local" list=LAN
add interface=ether5 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.50.2/32 comment="Pixel 6" interface=wireguard1 \
name=peer1 public-key="VUPLaVQNSMRsADp/rPDfPAW0u67oQhvJGAZy0L+FF1k="
add allowed-address=192.168.50.3/32 comment=macOS interface=wireguard1 name=\
peer2 public-key="sY/hQuH/8lD1nBiXY+3+kHXUxP6L8fa7ukTBqqPKXic="
/ip address
add address=192.168.0.1/24 interface="LAN - Local" network=192.168.0.0
add address=192.168.20.1/24 interface=vLAN20-IoT network=192.168.20.0
add address=192.168.30.1/24 interface=vLAN30-guest network=192.168.30.0
add address=192.168.254.1/24 interface=vLAN254-mgmnt network=192.168.254.0
add address=192.168.10.1/24 interface=vLAN10-intranet network=192.168.10.0
add address=192.168.50.1/24 interface=wireguard1 network=192.168.50.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface="ether1[WAN]" use-peer-dns=no
/ip dhcp-server lease
add address=192.168.0.3 client-id=\
ff:d4:1c:3a:3e:0:1:0:1:2c:f4:c0:9d:e:a0:d4:1c:3a:3e mac-address=\
0E:A0:D4:1C:3A:3E server=dhcp_lan
add address=192.168.0.2 client-id=\
ff:ca:53:9:5a:0:2:0:0:ab:11:4f:cc:9d:2c:5c:80:dd:6c mac-address=\
CA:D4:91:CC:9B:7B server=dhcp_lan
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.254.0/24 gateway=192.168.254.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=192.168.0.2
/ip firewall address-list
add address=192.168.0.0 list=LAN
add address=192.168.10.0 list=LAN
add address=192.168.20.0 list=LAN
add address=192.168.30.0 list=LAN
add address=192.168.254.0 list=LAN
/ip firewall filter
add action=drop chain=input comment="Deny Access to Router from Guest + IoT" \
in-interface-list="Guest + IoT"
add action=drop chain=forward comment="Isolate Guest + IoT from LAN" \
in-interface-list="Guest + IoT" out-interface-list=LAN
add action=accept chain=input comment="Allow winbox access from Local" \
dst-port=8291 in-interface="LAN - Local" protocol=tcp
add action=accept chain=forward comment="Debug - allow LAN communication" \
dst-address-list=LAN src-address-list=LAN
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=input comment="drop everything else" disabled=yes \
in-interface="ether1[WAN]"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1[WAN]"
add action=dst-nat chain=dstnat comment=ProxMox dst-port=8006 in-interface=\
"ether1[WAN]" protocol=tcp to-addresses=192.168.0.20 to-ports=8006
add action=accept chain=srcnat ipsec-policy=out,none out-interface=\
"ether1[WAN]"
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/24,192.168.10.0/24,192.168.254.0/24 port=2202
set api disabled=yes
set winbox address=192.168.0.0/24,192.168.10.0/24,192.168.254.0/24
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=mtk_Home
/system logging
add topics=script
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=ntp.nic.cz
/system scheduler
add interval=1m name="pi-hole fallback" on-event="# CONFIGURE:\r\
\n\r\
\n# Find the DHCP client for the interface \"ether1[WAN]\"\r\
\n:local dhcpClientId [/ip dhcp-client find interface=\"ether1[WAN]\"]\r\
\n:log info \"DHCP client ID: \$dhcpClientId\"\r\
\n\r\
\n# Configure the PiHole DNS server\r\
\n:local piHoleDNS 192.168.0.2\r\
\n\r\
\n# Configure the Cloudflare DNS\r\
\n:local cloudFlareDNS 1.1.1.1,1.0.0.1\r\
\n\r\
\n\r\
\n# Set the server to check against\r\
\n:local queryDomain \"www.google.com\"\r\
\n\r\
\n# VARIABLES:\r\
\n# CF 1st DNS\r\
\n:local cloudFlareDNS1 [:pick \$cloudFlareDNS 0]\r\
\n\r\
\n# Get the DNS server from /ip dns\r\
\n:local dnsServer [/ip dns get servers]\r\
\n:log info \"DNS servers: \$dnsServer\"\r\
\n\r\
\n# Get the use-peer-dns value\r\
\n:local usePeerDns [/ip dhcp-client get \$dhcpClientId use-peer-dns]\r\
\n:log info \"use-peer-dns value: \$usePeerDns\"\r\
\n\r\
\n\r\
\n# If current dns server = pihole server check if it is working\r\
\n:if (\$dnsServer = \$piHoleDNS) do={\r\
\n :log info \"Resolving \$queryDomain with DNS server \$piHoleDNS\"\r\
\n :do {\r\
\n\t\t:resolve \$queryDomain server=\$piHoleDNS\r\
\n :if (\$usePeerDns = true) do={\r\
\n #if for some reason 'use-peer-dns' is set to true (meaning t\
he ISP dns is used, set it to false since pihole dns is working)\r\
\n /ip dhcp-client set \$dhcpClientId use-peer-dns=no\r\
\n }\r\
\n } on-error={\r\
\n # If its not working, try resolving with one of the Cloudflare D\
NS \r\
\n :do {\r\
\n :resolve \$queryDomain server=\$cloudFlareDNS1\r\
\n :log info \"Failed to resolve \$queryDomain with PiHole, set\
ting DNS to Cloudflare DNS\"\r\
\n /ip dns set servers=\$cloudFlareDNS\r\
\n } on-error {\r\
\n\r\
\n :if (\$dhcpClientId != \"\") do={\r\
\n :log error \"Failed to resolve \$queryDomain with Cloudf\
lare, setting DNS to router (ISP) DNS\" \r\
\n /ip dhcp-client set \$dhcpClientId use-peer-dns=yes\r\
\n } else={\r\
\n :log error \"DHCP client with interface 'ether1[WAN]' no\
t found. Failed to set DNS to default router values.\"\r\
\n }\r\
\n }\r\
\n\r\
\n }\r\
\n} else={\r\
\n # Check if PiHole server can resolve google.com\r\
\n :log info \"DNS is CF, trying to resolve \$queryDomain with DNS serv\
er \$piHoleDNS\"\r\
\n :do {\r\
\n\t\t:resolve \$queryDomain server=\$piHoleDNS\r\
\n # If it resolves set the DNS server back to the only pihole addr\
ess\r\
\n\t\t/ip dns set servers=\$piHoleDNS\r\
\n /ip dhcp-client set \$dhcpClientId use-peer-dns=no \r\
\n } on-error={\r\
\n # check if the DNS is ISP default, if yes try to resolve with Cl\
oudFlare DNS \r\
\n :if (\$usePeerDns = true) do={\r\
\n :do {\r\
\n :resolve \$queryDomain server=\$cloudFlareDNS1\r\
\n :log info \"Failed to resolve \$queryDomain with PiHole,\
\_setting DNS to Cloudflare DNS\"\r\
\n /ip dns set servers=\$cloudFlareDNS\r\
\n /ip dhcp-client set \$dhcpClientId use-peer-dns=no \
\_\r\
\n } on-error {\r\
\n :log error \"Failed to resolve \$queryDomain with PiHole\
\_and Cloudflare, DNS stays with ISP default (use-peer-dns=yes).\"\r\
\n }\r\
\n } else={\r\
\n :do {\r\
\n :resolve \$queryDomain server=\$cloudFlareDNS1 \r\
\n :log info \"Failed to resolve \$queryDomain with PiHole,\
\_DNS stays with Cloudflare.\"\r\
\n } on-error {\r\
\n :log error \"Failed to resolve \$queryDomain with PiHole\
\_and also Cloudflare, DNS change to ISP default (use-peer-dns=yes).\"\r\
\n /ip dhcp-client set \$dhcpClientId use-peer-dns=yes\r\
\n } \r\
\n }\r\
\n }\r\
\n}\r\
\n" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2024-06-06 start-time=18:24:24
/system script
add dont-require-permissions=no name=script1 owner=y policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local wanInterfaceName \"ether1[WAN]\"\r\
\n:local wanInterfaceId [find interface=\$wanInterfaceName]\r\
\n\r\
\n# Get the DNS server from /ip dns\r\
\n:local dnsServer [/ip dns get servers]\r\
\n:log info \"DNS servers: \$dnsServer\"\r\
\n\r\
\n# Extract the first DNS server\r\
\n:set toAddresses [:pick \$dnsServer 0]\r\
\n:log info \"First DNS server: \$toAddresses\"\r\
\n\r\
\n# Find the DHCP client for the interface \"ether1[WAN]\"\r\
\n:local dhcpClientId [/ip dhcp-client find interface=\"ether1[WAN]\"]\r\
\n:log info \"DHCP client ID: \$dhcpClientId\""
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=admin
/tool mac-server mac-winbox
set allowed-interface-list=admin
"main" ax3 (wired to the hEX S router):
# 2024-06-07 22:46:32 by RouterOS 7.15
# software id = 7PB3-GXTX
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HFE099V1XN2
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1
/interface wifi security
add disabled=no name=sec1
/interface wifi configuration
add channel.band=5ghz-ax .frequency=2300-7300 .width=20/40/80mhz country=\
Czech datapath=datapath1 disabled=no name=5ghz security=sec1 ssid=\
CAPsMAN_5
add channel.band=2ghz-ax .frequency=2300-7300 .width=20mhz datapath=datapath1 \
disabled=no name=2ghz security=sec1 ssid=CAPsMAN2
add channel.band=5ghz-ax .frequency=2300-7300 .width=20/40/80mhz country=\
Czech datapath=datapath1 disabled=no name=5ghz_v security=sec1 ssid=\
CAPsMAN5_v
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax configuration=5ghz \
configuration.mode=ap .ssid=omgwtflol_x5 disabled=no security.ft=yes \
.ft-over-ds=yes
set [ find default-name=wifi2 ] configuration=2ghz configuration.mode=ap \
.ssid=omgwtflol_x2 datapath=datapath1 disabled=no security.ft=yes \
.ft-over-ds=yes
/ip pool
add name=dhcp ranges=10.20.0.3-10.20.0.254
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge1 \
package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=5ghz \
radio-mac=00:00:00:00:00:00 slave-configurations=5ghz_v supported-bands=\
5ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=2ghz \
radio-mac=00:00:00:00:00:00 supported-bands=2ghz-n
/ip address
add address=192.168.0.170/24 interface=bridge1 network=192.168.0.0
/ip dhcp-client
add interface=bridge1
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=bridge1 name=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=10.20.0.0/24 dns-server=10.20.0.1 gateway=10.20.0.1 netmask=24
/ip dns
set servers=192.168.0.1
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=mkt_ap_MAIN
/system note
set show-at-login=no
“secondary” ax3 :
# 2024-06-07 22:46:59 by RouterOS 7.15
# software id = JHDU-IU1L
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HFE095BG90E
/interface bridge
add name=bridge1
/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1
/interface wifi security
add disabled=no name=sec1
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=2300-7300 \
.width=20/40/80mhz configuration.country=Czech .mode=station-bridge \
.ssid=omgwtflol_x5 datapath=datapath1 disabled=no security=sec1 \
security.ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2300-7300 \
.width=20mhz configuration.mode=station-bridge .ssid=omgwtflol_x2 \
datapath=datapath1 disabled=no security=sec1 security.ft=yes .ft-over-ds=\
yes
/interface bridge port
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
add bridge=bridge1 interface=all
/ip settings
set ip-forward=no
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge1 \
package-path="" require-peer-certificate=no upgrade-policy=none
/ip dhcp-client
add interface=bridge1
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=mkt_ap_2nd
/system note
set show-at-login=no
Thank you!
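The second question above ("are the firewall rules good?") is the kind of thing that is easier to answer from a per-chain summary than by reading a raw export top to bottom. The script below is an added example, not the poster's configuration or anything from MikroTik: it parses the `/ip firewall filter` section of a RouterOS export (joining the `\` line continuations the export format uses), groups rules by chain, and reports for each chain how the last enabled rule is matched and which rules are disabled. The sample export is a constructed copy of the filter rules from the hEX S export in the post; the set of keys treated as non-matchers (`NON_MATCHER_KEYS`) is an assumption of this example. The one RouterOS fact it relies on is that a built-in chain accepts whatever no rule matched, so a chain only has a default-deny posture when its last enabled rule is an unconditional drop.

```python
"""Summarise a RouterOS '/ip firewall filter' export per chain (added example)."""
import shlex
from collections import defaultdict

# Constructed sample: the filter rules from the hEX S export above, in export
# format (backslash continuations included), plus one NAT rule to be skipped.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=drop chain=input comment="Deny Access to Router from Guest + IoT" \
in-interface-list="Guest + IoT"
add action=drop chain=forward comment="Isolate Guest + IoT from LAN" \
in-interface-list="Guest + IoT" out-interface-list=LAN
add action=accept chain=input comment="Allow winbox access from Local" \
dst-port=8291 in-interface="LAN - Local" protocol=tcp
add action=accept chain=forward comment="Debug - allow LAN communication" \
dst-address-list=LAN src-address-list=LAN
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=input comment="drop everything else" disabled=yes \
in-interface="ether1[WAN]"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1[WAN]"
"""

# Keys that do not restrict which packets a rule matches (assumed set).
NON_MATCHER_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def join_continuations(text):
    """Join export lines ending in a backslash with the following line."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    return joined


def parse_filter_rules(text):
    """Return the '/ip firewall filter' 'add' rules as key->value dicts."""
    rules, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):  # shlex strips the quotes
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


def matchers(rule):
    return sorted(k for k in rule if k not in NON_MATCHER_KEYS)


def audit_chains(rules):
    """Per chain: rule counts, disabled rules, and how the last enabled rule matches."""
    by_chain = defaultdict(list)
    for rule in rules:
        by_chain[rule.get("chain", "<none>")].append(rule)
    report = {}
    for chain, chain_rules in by_chain.items():
        enabled = [r for r in chain_rules if r.get("disabled") != "yes"]
        last = enabled[-1] if enabled else {}
        report[chain] = {
            "rules": len(chain_rules),
            "disabled_rules": [r.get("comment", "<no comment>")
                               for r in chain_rules if r.get("disabled") == "yes"],
            "last_enabled_action": last.get("action"),
            "last_enabled_matchers": matchers(last),
            # Unmatched packets are accepted by RouterOS, so only an unconditional
            # final drop turns a chain into default-deny.
            "unconditional_final_drop": last.get("action") == "drop" and not matchers(last),
        }
    return report


if __name__ == "__main__":
    for chain, info in audit_chains(parse_filter_rules(SAMPLE_EXPORT)).items():
        print(f"{chain}: {info}")
```

Run on the sample, the report shows the input chain's last enabled rule is an accept limited to `dst-address=127.0.0.1`, with the only catch-all-style drop ("drop everything else") disabled and scoped to the WAN interface, and the forward chain ending on a drop limited to `connection-state=invalid`; neither chain has an unconditional final drop. That output is what the default-deny question turns on, so the check is worth rerunning after any rule reordering.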