L22UGS-5HaxD2HaxD Layer 3 a standalone access point

I am installing a new standalone access point (AP) in the company network to enable wireless connections on a specific subnet.

I’m questioning the IP addressing. How do I assign a static IP to the device and yet have it continue to distribute IPs via the subnet DHCP?

My second ask is for any commentary on the configuration. I am new to the MikroTik ecosystem. I’ve been setting up a company network using routers and switches. This is the first and only access point.

The device is powered using the OEM power supply. It will use PoE in the final install. Our current climate has the thermometer hovering around -30 Celsius. Are there any ‘gotchas’ I need to be aware of? I would like to minimize my time outside up on the cherry picker getting the device working.

The device connects to the network via wired ether1. The AP bridge is configured for a DHCP client. Interfaces wifi1, wifi2 & ether1 are ports on the bridge. The bridge receives an IP and all clients that connect to the AP receive an IP from the same subnet.

In the attached configuration I have assigned a static IP to the ether1 interface. The device now has two IPs: the bridge IP assigned by the DHCP client and the statically assigned one. How would you configure the device to use only one IP and provide the DHCP IPs to AP clients?

[admin@SeedPlant_AP] > export
# 2026-01-26 12:43:51 by RouterOS 7.21.1
# software id = FXHL-A29B
#
# model = L22UGS-5HaxD2HaxD
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface wifi channel
add band=5ghz-ax frequency=5180 name=5GHZ::CH36 width=20mhz
add band=5ghz-ax frequency=5200 name=5GHZ::CH40 width=20mhz
add band=5ghz-ax frequency=5220 name=5GHZ::CH44 width=20mhz
add band=5ghz-ax frequency=5240 name=5GHZ::CH48 width=20mhz
add band=5ghz-ax frequency=5745 name=5GHZ::CH149 width=20mhz
add band=5ghz-ax frequency=5765 name=5GHZ::CH153 width=20mhz
add band=5ghz-ax frequency=5785 name=5GHZ::CH157 width=20mhz
add band=5ghz-ax frequency=5805 name=5GHZ::CH161 width=20mhz
add band=5ghz-ax frequency=5825 name=5GHZ::CH165 width=20mhz
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240 name=5GHZ::UNII-1 width=20mhz
add band=5ghz-ax disabled=no frequency=5745,5765,5785,5805,5825 name=5GHZ::UNII-3 width=20mhz
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240,5745,5765,5785,5805,5825 name=5GHZ::NON-DFS width=20mhz
add band=2ghz-ax frequency=2412 name=2GHZ::CH1 width=20mhz
add band=2ghz-ax frequency=2437 name=2GHZ::CH6 width=20mhz
add band=2ghz-ax frequency=2462 name=2GHZ::CH11 width=20mhz
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2GHZ::AUTO width=20mhz
/interface wifi
set [ find default-name=wifi1 ] channel=2GHZ::AUTO channel.band=2ghz-ax .frequency=2412,2437,2462 .skip-dfs-channels=10min-cac .width=20mhz comment=seedplant_2G configuration.country=Canada .mode=ap .ssid=\
    seedplant_2G disabled=no name=wifi1_2G security.authentication-types=wpa2-psk,wpa3-psk .encryption="" .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel=5GHZ::NON-DFS channel.band=5ghz-ax .frequency=5180,5200,5220,5240,5745,5765,5785,5805,5825 .skip-dfs-channels=10min-cac .width=20mhz comment=seedplant_5G \
    configuration.country=Canada .mode=ap .ssid=seedplant_5G disabled=no name=wifi2_5G security.authentication-types=wpa2-psk,wpa3-psk .encryption="" .ft=yes .ft-over-ds=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi1_2G
add bridge=bridge comment=defconf interface=wifi2_5G
/ip address
add address=192.168.2.42/24 comment=AP_interface interface=ether1 network=192.168.2.0
/ip dhcp-client
add comment=defconf interface=bridge
/system clock
set time-zone-name=
/system identity
set name=SeedPlant_AP

WHICH IP?
The static one?

Disable the DHCP client on bridge.
What happens?

OK that was simple :) (give me a minute while I wipe the egg off my face as I feel like an idiot), the AP has the assigned static IP and AP clients are getting DHCP IPs.

I added the static IP to ether1 but never thought removing the DHCP client would give me the results. I figured if I removed the client there would be no DHCP. I should be satisfied that it works, but how is DHCP provided to the clients?

Well, somewhere on the network there is one (and hopefully only one) DHCP server.
DHCP servers are lazy (but diligent) bastards; they do nothing until they are asked (respectfully) for an IP address lease by some DHCP client.
When this happens, the DHCP server serves one.
So everything is initiated by the (many) DHCP clients on the network; these are insistent buggers that continuously attempt to find a DHCP server all over the network until they find it and get their lease.
They are so avid in their quest that (on many operating systems) if they cannot find a DHCP server, they invent their own address (APIPA).
Disabling the single DHCP client on the AP only prevents that AP (actually the bridge on it) from getting a dynamic address; all the other clients will be active on the network, and communication to the DHCP server happens at a higher than L3 (IP) level, obviously, as it needs to happen before the IP address is requested and leased.

Anyway, the static IP address should be assigned to the bridge, not to ether1; ether1, since it is part of the bridge, has somewhat less dignity. I.e. that IP address should be only reachable from a device physically connected to ether1.

Can you elaborate why assign the address to the bridge instead of the interface? It is working on the interface.

When any ROS interface is made a bridge port, it becomes a layer 2 entity (on the ethernet level). And it loses the capability of acting as an interface (layer 3 entity) ... that capability is then carried by the bridge interface. This fact is not made apparent in the UI, but things can misbehave if one doesn't respect that.

The thing is that the bridge has multiple "personalities" and the way the UI is built, those personalities seem to be interleaved (but in practice, when somebody knows what they are, it's easy to distinguish between them). A long-time forum member, @sindy, wrote a tutorial trying to explain all of them: RouterOS bridge mysteries explained ... beware it's heavy reading but I recommend reading it and trying to understand nevertheless.

As I see it - but remember that my comparisons are often very simplified - you have a given number of interfaces on your Mikrotik, they are normally "self standing", i.e. ether1, ether2, etc.

If you have 192.168.2.42 assigned to ether1, the address is that of the single interface and only of that interface.
ether2 - that has no IP address assigned - is not reachable at L3 level.

When you assemble them into a bridge, it is as if you put them in a semi-transparent "box".

What you can "see" and "touch" now is no longer the interfaces, but the box containing them, but with some good lighting and squinting a little bit, you can see the single interfaces inside it.

On the box there is - printed in large friendly letters - the name of the box (i.e. "bridge1"), but besides identifying this box by its name, you also need to reach it via IP.

So, you assign an IP to the box by hand writing on it (say) 192.168.2.43.

This address makes everything inside the box to be reachable at that address.
It doesn't matter if the cable is physically connected to ether1 or ether2, and without any other change, if you remove from the bridge ether1 and add to it ether3, ether3 would become functionally equivalent to what ether1 was doing before.

I know you mention it’s running on PoE but thought I’d just mention, in case it’s passive on a long run, those things need 11+ volts to run.

Yes, the device will be PoE for power. This week I am doing some sighting evaluations, using 100 ft of CAT5 cable to determine an optimal location for yard coverage. My plan is to use the power supply and PoE adapter supplied. I am making the assumption that if that works, I’m golden for the install.

Can you help me understand your description “passive on a long run, those things need 11+ volts” ?

In this use case, since the AP has only one interface, assigning it to the bridge provides no benefit. Unless it is best practice to assign IPs to a bridge to maintain consistency.

MikroTik’s flexibility in configuration reminds me of my foray into the Perl programming language in 2008. For two years I was immersed in the language used by the support team. “There is more than one way to do it.” What is best is what is consistent for our environment. We would like you to code Perl this way.

Yes and no, it is clearer, but not really something that is strictly needed.

Assigning the IP to the bridge, means that the bridge (and all interfaces part of it) are reachable at that IP address, assigning an IP to a port part of the bridge allows accessing that port only.

There are also some effects on the DAc routes created.

When/IF you will need some features needing an IP address on the bridge, they won't work, it is a choice, if it works in your case, it works :slightly_smiling_face:, when/if you will need something else, it probably won't.

The generic issue with PoE is the voltage level, the lower it is (at power source) the more it will be reduced by the resistance of the length of cable.

The L22UGS-5HaxD2HaxD-15S, per specs, wants at least 11W and 18-28V.

helipos posted that in practice it also works at a lower voltage, around 12V (this may be good to know if - say - you want to power one from battery+solar panel or similar, typically in the 11-14V range).

With "plain" PoE, you start with 24V (the power supply provided with the thingy is a 1.2 A one) if the cable is an "average" Cat5E, you have no issues up to 100 m, for the 11/12W the device may require without attachments, on the device side you would have around 18.5 V, within specs.

In any case, you should always use a calculator like:
https://www.poetexas.com/poe-calculator/
http://poe-world.com/Calculator/poe-calc.php
to make sure that the device gets at least the minimum voltage it requires and the power supply has enough Amperes.

Your AP having two IPs is like a Morse transmitter sending dots from one channel and dashes from another — the message gets through, but the network doesn’t know which signal to follow.
Once you bind everything to the bridge and let DHCP speak from a single source, the whole setup clicks into one clear, readable code.

Which is fine, since the AP has only one IP address (assigned to ether1 instead of the bridge to which ether1 belongs).

Sorry, I actually got mixed up with another device, so not quite the problem I was thinking. This device you're looking at, however, is a bit different.

This link is for the specs. PoE input is wanting 18-28 V so that’s your input range. On a long cable there will be voltage drop, just need to ensure you're staying in that range. An active PoE system is likely wanting to run 48V down the cable and fry the unit. Your option then is a passive PoE injector running from a 24v plugpack.

Yeah that was me getting confused with another device. I’d ignore that..

Actually APs usually have at least two interfaces[*]: an upstream interface (most often that's an ethernet interface) and a wifi interface. And if the AP device is really only running as a WiFi access point, this means that traffic transparently flows between these two interfaces ... and the most transparent way of doing it is to have a bridge spanning those two interfaces.
If the device is acting as a router between wired and wireless, then a bridge is not needed ... but it's not transparent any more, both sides (wired and wireless) will belong to different IP subnets etc.

Then there comes the management IP address. If management is done in-band (e.g. without having VLANs), then it'll be in the same subnet as all other devices. Since the bridge makes an L2 connection, there is no proper way on the IP layer to limit management connectivity to only the wired port. One can play with L2 features (bridge filters, using IP firewall for bridge traffic) though.
Mind that an AP doesn't need an IP address other than for management (and ROS offers winbox over MAC connectivity which works without the device having an IP address).

[*] Most Mikrotik AP devices in SoHo class come with more than two ports: mostly they come with 2 or 5 ether ports and 2 or 3 wifi interfaces (one per frequency band supported) ... even if one doesn't want to enable ethernet ports (other than upstream one), there will be 2 wifi and upstream ethernet port to be bridged.

You are correct in indicating there are usually two interfaces. On this unit there is a physical ethernet and a SFP cage.

The location on site for the AP is where there once was a point-to-point end device that is no longer used. The location has a CAT6 cable plumbed and a metal stack for mounting.

Ideally I would like to have an out of band management interface using the SFP but that would add more cost to the project.

There is the widely discussed thing with ap interfaces that they cease to be "running" when no client is connected. If an address is directly assigned, that address is lost in these cases. If the address is attached to the bridge, this does not happen.

Because the ap interfaces are usually attached to a bridge, I think the least amount of surprising behavior occurs if the bridge is included, even when not necessary.

(Of course, disable-running-check can be used...)

Great insight thanks. Bridge assignment it is.
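
The configuration the thread converges on, as an added example that is not part of any post above: the static address moves from ether1 to the bridge and the bridge's DHCP client is removed. The gateway and DNS address 192.168.2.1 is an assumed placeholder that does not appear in the thread; substitute the subnet's real values.

```routeros
# Added example. Apply from a MAC WinBox session or with Safe Mode enabled:
# removing the DHCP client drops the leased address, so an IP session that
# was opened to that address will be cut.

# 1. The AP itself stops requesting a lease. Wireless clients are unaffected:
#    their DHCP requests are bridged to the network's existing DHCP server.
/ip dhcp-client remove [find interface=bridge]

# 2. Move the static address from the bridge port (ether1) to the bridge,
#    so it no longer depends on the state of a single port.
/ip address set [find comment=AP_interface] interface=bridge

# 3. The default route and DNS servers previously came from the DHCP lease.
#    Add them statically if the AP needs to reach other subnets (updates, NTP).
#    192.168.2.1 is an assumed placeholder, not a value from the thread.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 comment="assumed gateway"
/ip dns set servers=192.168.2.1

# 4. Verify: exactly one address, on the bridge, and no DHCP client left.
/ip address print
/ip dhcp-client print
```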