How to access Mikrotik in Bridge mode with Netbox?

RouterOS General
1

I have setup Mikrotik CAP AC Dual-band Wireless Access Point (RBcAPGi-5acD2nD-US) in bridge mode to use as WiFi access point only.
I have used Quick Set button and select “PTP Bridge AP”, it does all job for me. Physically it connects to my home network over Eth#1. Eth#2 is not connected at all. Everything seems working as expected, except only one inconvenience :slight_smile:.
With Netbox I can connect to it only from Wifi, using MAC, not by IP. But from my main network I cannot connect to it at all, neither using IP or MAC.

Are there any way how to enable ability to connect to it with Netbox from my main network, from Eth#1,

2

[quote=MtHoodlum post_id=893503 time=1637980940 user_id=55480]
Factory reset no defaults.

Set password.

Create a new bridge.

Put all ports on the new bridge.

Configure wireless interfaces.

Put DHCP client on bridge.
[/quote]

Are there any less radical solution?

3

Can you post your config?

/export hide-sensitive file=whateveryouwant
4

Sure. Have removed (put stars instead of) serial number and MAC

# nov/27/2021 17:18:11 by RouterOS 6.49.1
# software id = 7J9R-ZX4R
#
# model = RBcAPGi-5acD2nD
# serial number = DD340F20****
/interface bridge
add admin-mac=**:**:**:**:**:C6 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-2.4GHz wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-5GHz wireless-protocol=\
    802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=ether2 name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridge
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system identity
set name="MikroTik WiFi AP"
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
5

OK, I looked at the config on a small screen so I may have missed something but I did notice the following which is likely to cause the issue you noted:

You still have ether1 added to the WAN interface list. This means that anything coming in on ether1 will hit the !LAN DROP rule on the INPUT firewall filter chain.
You need to remove ether1 from the WAN list and add it to the LAN list for starters.

If that doesn’t work you may need to edit some services too, but try that first.

6

I am not really expert in Mikrotiks, do you mean this section and this specific line?

/interface list member
add comment=defconf interface=ether1 list=WAN   <------- this line?
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
7

Yes, thank you so much, it works!
Have edited Interfaces → Interface list in winbox.

/interface list member
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
add interface=ether1 list=LAN

Are there any way how to access it by IP, instead of by mac?

8

Well, it looks like the 192.168.88.1 address has been disabled and a dhcp-client has been assigned to bridge, so your AP should be getting an IP address from your main router.

Can you check what IP address the AP thinks it has, by running:

/ip address print

The IP address for the bridge interface should be on your LAN subnet and have the D for Dynamic flag set. Try accessing that IP in Winbox with the same username and password as you used for MAC address access.

9

Here is what it is:

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0 X ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge                                   
 1 D 192.168.0.28/24    192.168.0.0     bridge

I do not really understand what should be here. Seems like 192.168.88.0 item is definitely wrong.
My home network is on 192.168.0.XX segment, Mikrotik I am asking for help with is on 192.168.0.28, and this the address I am trying to connect to. Connect by IP is not ok, but by MAC is ok, with the same credentials.

How it appears on main router.

10

Ok, so that is showing the default Mikrotik IP address of 192.168.88.1/24 is disabled, so that is good, and the AP has an address on your network (192.168.0.28/24).

I am not sure what the QuickSet screengrab is for, but based on the above, it should work if you try to access it on 192.168.0.28.
Do you get an error message or does it simply hang?

11

Yes, I got error message, but it is very generic :slight_smile:. There is nothing related to such connection attempt in the log of targeted Mikrotik.

P.S.: ping to 192.168.0.28 is OK.

BTW, I see different fonts for ether interfaces, ether2 is in italic, ether1 is normal, see picture. What does it mean?

12

Okay this is dirt simple…
Going back to your config and requirements.
ACCESS POINT ONLY.
Reset the Access point to default and select wisp mode for example TOP LEFT of quickset menu… the only setting to touch in quickset (vice

See use of ether2 ( removed from bridge and what I use to configure the router initially and later if anything buggery happens).
If the AP is easily accessible nothing special needed.
If the AP is going to be put in a hard to reach place then run an ethernet cable from ether2, to a location you can access more readily.
Using a laptop to access ether2, is the trick.


/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface bridge
add name=bridge
/interface list
add name=control
/interface wireless security-profiles
/interface wireless
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=WLAN1
add bridge=bridge interface=WLAN2
/ip neighbor discovery-settings
set discover-interface-list=control
/interface list member
add interface=bridge list=control
add interface=emergaccess list=control
/ip address
add address=192.168.88.x/24 interface=bridge network=192.168.0.0 This is the IP address of the access point in effect.
add address=192.168.5.2 interface=emergaccess network=192.168.5.0
/ip dns
set servers=192.168.88.1
/ip route
add distance=1 gateway=192.168.88.1
/tool mac-server mac-winbox
set allowed-interface-list=control

Done, none of the rest is needed if not being a router.

In terms of process, access ether1 and from 192.168.88.1 perspective and then configure ether2 as per the above (dont forget to remove from bridge if automatically included).
Then switch IPv4 of laptop or desktop to 192.168.5.5 for example and access the AP from ether2 and configure the rest as per the above.
From then on, the ap will be accessible on your one network from anywhere and always on ether2 directly.

13

Thank you for your answer, but it seems to be overkill for me, AP seems like working as expected, I have only problem with minor convenience thing - accessing to AP for managing purpose (from Winbox) by IP instead of by MAC.I would not reconfigure whole thing for such small trick, looking for less radical solution. Thank you, anyway. will look on your config, may be it will give me some hints.