I'm just ready to tear my hair out...

I’m so frustrated. I’m trying to install to Microtik routers in my home network (AT&T UVerse). So, here is what I want:
o I have an AT&T router where the fiber comes into my house. I want that router to handle ALL of my DHCP IP address issuing and everything. It puts my devices on 192.168.1.xxx.
o I want each of the Microtik routers to be somewhere in my house and to function as BRIDGES, and really I only want them providing nice radio strength in that part of the house.
o I do NOT want the Microtik routers giving out 192.168.88.xxx address to devices that connect using them. When this happens NOTHING WORKS.

I am specifying “Bridge” on the quick config page. What am I doing wrong? I want these things to be entirely transparent except for radio service.

Thanks in advance - if someone can tell me what to do here I’ll appreciate it SO MUCH. If I can’t figure this out soon I’m sending them back and trying another product.

Kip

So get its competing DHCP server out of the way, then. The fastest way is to give this CLI command:

/ip/dhcp-server/disable 0

There’s a GUI alternative, and if you want to be really thorough you will remove it entirely, including the DHCP network definition and the IP pool it was configured to use.

You will doubtless also want to add a DHCP client so the AP gets an IP in the Uverse router’s scheme.

At this point, everything should start working as you expect.

I am specifying “Bridge” on the quick config page.

Yes, and that’s what you’re getting. Your mistake is assuming “bridge” means the same thing to you as it does to the MikroTik employee who wrote that piece of Quick Set. What it gives you is a perfectly valid implementation of the “bridge” concept; it merely isn’t your preferred concept.

Neither is wrong; both have their purposes.

Your best bet is to begin understanding what Quick Set does and not assume its defaults are wrong, but at worst mistargeted to your particular situation and preferences. Once you know what it does, you can adjust what it gives to suit. That’s the beauty of RouterOS; you aren’t locked into someone else’s web UI configuration interface, along with their ideas of what it is you need.

Ultimately, you will need to get past Quick Set regardless, if you remain in the RouterOS ecosystem. It’s fine for initial setup, but it can’t do everything.

Well, I don’t doubt that it can be done (WebFig looks like it could do anything, up to and including launching a moon mission). But it seems wildly out of reason to expect people to wade through that much complexity for such a simple standard configuration. I’m looking at it, but it is NOT intuitive and very few of the online recipes I can find apply to webfig - they mostly seem to focus on winbox (I wish Microsoft Windows would just roll over and die a slow miserable death).

It isn’t meant to be intuitive. It’s meant to be powerful.

Great power comes with great responsibility, including a willingness to learn the tool’s capabilities lest you end up causing more damage than handicraft.

As for the “Windows” thing, WinBox runs just fine under Wine.

To be frank, though, I administer my RouterOS boxes more often by SSH instead. I mainly use WinBox when I need more of a “dashboard” UI, with lots of preconfigured windows tiled just so, taking over nearly my whole screen.

Like any powerful tool, RouterOS rewards study far out of proportion to the time you put into it.

Find QuickSet tab on WebFig. There is an option to disable DHCP service.

“DHCP server: Normally, you would want automatic IP address configuration in your home network, so leave the DHCP settings ON and on their defaults.”
https://help.mikrotik.com/docs/display/ROS/Quick+Set#:~:text=DHCP%20server%3A%20Normally%2C%20you%20would%20want%20automatic%20IP%20address%20configuration%20in%20your%20home%20network%2C%20so%20leave%20the%20DHCP%20settings%20ON%20and%20on%20their%20defaults.

Ok, I am still working on this. I found a “simple procedure” that claims it will use Webfig to get the router into a simple access point setup. These are the steps:

1. Start up with the reset sequence and connect to the router at 192.168.88.1
2. Go to Bridge > Ports tab > click on + to add ether1 to the bridge
3. Go to IP > DHCP Server and delete defined one.
4. Go to IP > DHCP Client and delete defined one.
5. Go to Routing > BFD and disable defined “all” entry by double-clicking on it and pressing Disable button (cannot be deleted!).
6. Optionally remove defined pool line(s) e.g. 192.168.88.10-192.168.88.254 however it won’t affect bridge function on it’s own.
7. Reboot MikroTik device [Turn Off Power, Turn On

That’s it - the claim is that it will come back up as a simple access point. However, I’m not finding this to work. I did reboot using the Webfig option, though - not by hard power cycling. So, questions:

1. Is it critical that I power cycle at the end by unplugging and plugging the power cord, rather than via software?
2. The router comes up in the WispAP mode initially - do I need to switch it to something else with QuickFig before doing these steps?
3. This doesn’t seem to include steps to keep Webfig accessible afterward. I found a recommendation to delete firewall rule 4 in order to get that. Is there a better way? And that raises the notion of the firewall - this is an internal router and I don’t think I need firewall protection at all. How can I get rid of the firewall more completely?

I’m really hoping this procedure is at least close and that I will “get there soon.” Any advice would be appreciated.

Finally, I can also access the terminal - would I be better off using it rather than Webfig? I do not consider Winbox an option - I swore off Windows and all things Microsoft years ago; I don’t have a Windows machine and I don’t want one and I really don’t want to fuss with Wine. Surely one of the other methods can get me there?

Thank you guys. Hope you’re headed into a good weekend.

You simply want to setup the routers as AP/Switches.

I will assume your router provides DHCP to devices, single subnet, and the subnet is 192.168.1.0/24
We will assign 192.168.1.10 to the MT router.

/interface bridge
add name=bridge vlan-filtering=no

/interface ethernet
set [ find default-name=ether1 ] name=routerport   comment="connection to main router"
set [ find default-name=ether2 ] 
set [ find default-name=ether3 ] 
set [ find default-name=ether4 ] 
set [ find default-name=ether5 ]  name=emergaccess comment="local access off bridge"

/interface wifi
settings as required

/interface list
add name=MANAGE

/interface bridge port
add bridge=bridge interface=routerport
add bridge=bridge interface=wifi1-name
add bridge=bridge interface=wifi2-name
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4

/ip neighbor discovery-settings
set discover-interface-list=MANAGE

/interface list member
add interface=bridge list=MANAGE
add interface=emergaccess list=MANAGE

/ip address
add address=192.168.1.10/24 interface=bridge network=192.168.1.0
add address=192.168.55.1/30 interface=emergaccess network=192.168.55.0

/ip dns
set servers=192.168.1.1

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

As long as you can access the router you can use Webfig (and terminal) or SSH just fine.
The advantage of Winbox is (among a few minor ones) that it can normally connect to a Mikrotik device both via its IP address and via its MAC address, this latter feature allows for connecting to the router in most of the common cases where a “wrong” setting prevents communication via the IP address (layer3), which - unfortunately it is common enough when fiddling with settings.

Since you are a Linux guy, you shouldn’t have any issues using Mikrotik’s terminal which is very similar to common Linux (or DOS-like) command line.

But even if it bothers you, you should take the time to have Winbox (under Wine) running and working BEFORE disaster happens and you get locked out, it may never happen, still …

Think of the whole stuff as you think of your home door lock, is it better to spend an hour to go to the locksmith and have a copy of your key made (that you will store in some safe place and hopefully never use) or wait until you are locked out at night and need to call some emergency service to enter your home?

Now, the procedure you described is more or less correct, you might still have some unwanted remains (that shouldn’t affect the way the device should work as switch/AP), and no, there is no difference in rebooting initiating the reboot via software vs initiating it by pulling the plug (the latter will create a different log entry, but that’s it).

Compare with this recent, essentially similar, thread:
http://forum.mikrotik.com/t/can-a-powerbox-rb750p-pbr-2-do-this/177353/1

What might be missing is some mechanism giving out the DHCP addresses coming from your AT&T router or some other (needed) “hooking” of the wi-fi interface(s).

You should follow this post (using Webfig instead of Winbox the procedure should be very similar):
http://forum.mikrotik.com/t/forum-rules/173010/1
and provide your configuration export, so that some willing to help member may point out the issues or omissions.

About firewall, the normally most used chain (forward) is unused when the device is configured as switch (so you can disable or remove those rules), but you may want to keep (modifying them in a suitable way) the rules in the input chain to limit and protect access to the device.

As anav just suggested, if you don’t need all the ports, it would be a good idea to keep a port off the bridge for emergency access only.

Its a must when using vlans because configuring a bridge with vlans can be a pain sometimes, router burps at you.
So not just for access when you may render the bridge inoperable by some blunder but an excellent place to config without fear of bridge or vlan consequences

And I appreciate that power very much, and also the fact that these guys are affordable gigabit routers. But, they also offer the “quick” wizard - you’d think that a simple naked, absolutely minimal access point would be one of the items in that list of option. It’s obviously a use case that a lot of people make use of.

Did you really mean “55” in those IP addresses, or did you mean for that to be “88”?

You’re not wrong here. On some models, QuickSet would be able to migrate the config from a “routed” mode to a “bridged” mode. There are “profiles” in QuickSet that have different templates, but not all profiles are on all models.

BUT… what’s particularly annoying is the newer hAPax2 and hAPax3 do NOT have any QuickSet profile that allows changing the default configuration into an “AP Bridge” - which is the mode you’re looking for. On the hAPax things, there is only the “Home AP Dual” profile, so QuickSet isn’t going to help.

While on something like RB5009, the “Ethernet” profile allows setting bridge mode - but that won’t be on a hAP’s:

It’s kinda annoying they don’t offer the same simple way to convert an hAPax into a “bridged AP”. Ironically, on OLDER APs there would a QuickSet mode to do this – it’s only the NEWER AX models that seem to skip this option in QuickSet. So… essentially unwinding the default configuration to remove the DHCP server, set DHCP client on “bridge”, remove ether1 from WAN interface-list, and adding ether1 to the bridge is about all you can to do - as detailed above is about you’re only option.

It can be any subnet you choose. If you find it easier to use .88 since its already on the router, by all means.
Then after change it to whatever you want. Like anything else, never use defaults be it winbox port, wireguard port or anything else.

Well, in the end it was easy. Turns out I CAN just use the Wisp AP QuickSet mode, so long as I plug my external network cable into “NOT PORT 1.” I just plugged it into port 2, and it seems to just be working perfectly. Except I can’t get at WebFig now, but that’s not bothering me a lot at the moment because it’s doing exactly what I wanted it to. The on-board DNS got out of my way, and “everything works.”

I can’t even guess at how many web pages I had to read before I caught on that it might be BAD to plug the external net into the port marked for the external net on the chassis.

So, I wouldn’t mind setting it up again with a tweak to get WebFig available. Any advice on that?

Thanks,
Kip

You could plug into port 1 when you need the access. It is no bad idea to have a port dedicated to management, with management inaccessible from other ports.

You know, I just thought of that myself just before seeing your reply. Yes - it’s not like I need those ports in any particularly major way - the main purpose of these boxes is to get good signal strength around my house.

Thanks!

Well, I take it back. It’s not working properly. This morning I added a breakout board to a Raspberry Pi on my network. It was working great and was online when I re-added the Mikrotik to the network last night, and thought it was “fine.” But to add the breakout board I powered the Pi down, and when I powered it back on it did not re-join my network.

Then I unplugged the Mikrotik from the network and power cycled the Pi, and it showed up immediately. So the Mikrotik is preventing newly powered on devices from acquiring an IP address.

What I did last night that I “thought” made it work was a) reset the Mikrotik, then b) select “Bridge” in the Wisp AP QuickSet page, c) set my SSID and password, and reboot, and finally d) plug the home network in on port 2.

Everything that was already on the network functioned great, and in fact I could switch my laptop back and forth between the Mikrotik net and the main home net, no problem.

So, I’m back to the drawing board. I feel like I’m on the right track, though - surely from here I can use a cable in port 1 to connect to WebFig and make a few further tweaks. Any ideas?

I connected to the router, without the cable plugged in. It did issue me an IP and it was in the 192.168.88 range. So that DNS server is apparently still operative. So when I get the cable I need to connect my notebook to an RJ45 port I’ll go in there and see if I can delete the DNS server and maybe that will make a difference. Will that mean that I’ll then need to assign myself a static IP in the 192.168.88.?? range in order to connect on port 1 thereafter?

I’m betting it somehow assigned the Pi an 88 IP.

Cards on the table; show your config.

Ok, I found that by dropping a firewall rule before setting up WispAP bridge mode and applying, I can raise WebFig after the restart. So now I can tinker and hopefully figure out what’s causing this problem with other devices not getting IP’s / getting wrong IP’s.

I checked after doing this, and the DNS server is disabled in the Mikrotik.

Ok, I think I got it. I misread the screen earlier - the DNS server WAS still running. So I deleted that, and also deleted the associated “pool.” And, I followed step 5 of part 1 here:

https://tehnoblog.org/mikrotik-router-how-to-convert-hap-or-hap-lite-into-ordinary-switch-or-wireless-access-point-bridge/

Restarted and now my Pi can be re-powered and joins the network properly.