mAP lite as "dumb" access point

Hello,

so I got my shiny mAP lite and want to set it up as a “dumb” access point in my existing LAN.

Using the “WISP AP” quick set, in bridge mode it works, I can use it as access point.

But I am unable to access the management interface.

Which setting do I need to make to allow connecting from my LAN to the management web interface (or ssh or Winbox) ?

You did use mode Bridge for that Quick Set ? (edit: yes, you did …)
If it really needs to be a dumb access point operating in the same network as the ethernet part, simply remove all firewall rules and that should do it.

Or add a rule which explicitly allows access to Winbox port (default TCP/8291 unless you changed it) and put that rule on input chain before any drop rule.

I confirm I used bridge mode in the Quick Set WISP AP profile.

The mAP is receiving an IP address from my local LAN DHCP server, and works fine as AP. Only, I can not connect to the web interface nor via ssh or Winbox.

It seems like, when I use Quick Set, I can not at the same time use “Advanced” mode and adapt any setting without losing the settings established by Quick Set.

Does this mean I should abandon Quick Set and perform all the settings manually in “Advanced” mode ?

I assume you are trying via LAN/ethernet port ? That entry is blocked for now.

If you connect to the wifi channel of that device, you should be able to get in, I would think ?
Webfig (web interface) or Winbox.
And then you can adjust firewall rules as explained above.

As for Quickset: only use it ONCE after reset to default, never again once you changed settings.
It can do funny things with very unexpected results.

Alternative: clean reset that device, no config (easiest done using Winbox and PC connected to that device).
Set up your wireless interface.
Ethernet and wireless interface connected to bridge
DHCP client on bridge.
Nothing else.

Yes, I try to connect via ethernet, via the address my DHCP server assigned to the device.

Since WLAN and LAN are bridged on the mAP, I have only one way to connect, which is the LAN-ip.

I will try to do it manually then. Thanks for your suggestions in any case!

Hopefully one day there will be a Quick Set profile for this IMHO very common use-case. If the device is connected in bridge mode to a LAN I see no point in blocking the management web-interface, and essentially locking the user out.

Yes, that same LAN IP but did you try to connect your laptop using the wifi interface from mAP Lite ?
It should work then. You’re not coming in via the ethernet port but via the wireless port.

You have to keep in mind mAP Lite is a bit of an odd device, only having 1 wireless radio and 1 ethernet port.
Getting access to it sometimes requires upfront planning when doing modifications.

Can’t count anymore how many times I already had to clean reset it because I locked myself out :rofl:


OR you can try using Winbox via MAC:

Because there was something nagging me, I have pulled a mAP Lite out of the cabinet.

Reset to default config
Quickset (… shivers …) to WISP AP - Bridge Mode.
Connected laptop to wifi signal from mAP Lite.
I could not get in via IP Winbox nor Webfig !
Which is odd because there is only a drop !LAN rule and wireless is considered LAN.

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
     in-interface-list=!LAN

But MAC access via Winbox worked.
Added input/accept rule for port 8291, moved the rule before the input/drop rule and then Winbox works. Both from LAN and wireless.

/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp

Removed (actually disabled) all firewall rules (they are not needed anyhow in this setup) and webfig also works. Both options.

Some more things to do, remove or disable nat/masquerade rule. Not needed.
Clean up WAN/LAN interfaces lists, just in case (esp. if you choose to keep firewall rules in place).

So I was almost correct.

Clean reset and start from there is the most efficient option, then there are no unused bits and pieces of config left which might bother you later.


Very good test/report, so I think that we can draw a line between:

  1. Winbox used with plain IP access
    packets go (obviously) through the firewall so in some configurations you need to explicitly allow in input chain the connection (usually opening the default port 8291)

  2. Winbox used with MAC connection
    packets are not IP packets, so they do NOT go through the firewall, BUT you need to make sure that the port(s) intended for connection (bridge in this case) are in the allowed interface-list.
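
The two access paths summarised above, as an added RouterOS example that is not part of the thread: one rule for Winbox over IP, scoped to a management subnet and placed ahead of the defconf drop rule, and the interface-list settings that govern Winbox over MAC. The bridge name `bridge`, the list name `LAN` and the subnet `192.168.88.0/24` are assumptions; substitute your own values.

```routeros
# Added example, not from the thread. Assumed names: bridge interface "bridge",
# interface list "LAN", management subnet 192.168.88.0/24 (constructed value).

# 1. Winbox over IP: packets traverse the input chain, so accept TCP/8291
#    only from the management subnet and insert the rule before the
#    defconf drop rule so it is evaluated first.
/ip firewall filter
add action=accept chain=input protocol=tcp dst-port=8291 \
    src-address=192.168.88.0/24 \
    comment="mgmt: allow Winbox from management subnet" \
    place-before=[/ip firewall filter find comment="defconf: drop all not coming from LAN"]

# 2. Winbox over MAC: not filtered by the IP firewall; access is governed by
#    the MAC server's allowed interface list. Make the bridge a member of
#    that list (skip the add if the bridge is already a member).
/interface list member
add list=LAN interface=bridge
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# Verify rule order and list membership.
/ip firewall filter print where chain=input
/interface list member print where list=LAN
```

Scoping the accept rule with `src-address` keeps the management port closed to anything outside the LAN subnet even if the interface lists are later changed.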

Yeah but it’s still odd you need to explicitly allow it.
It should accept everything coming from LAN. No ?

Even Webfig should have been allowed when I came in via wireless interface.

But it didn’t.

Likely it is this issue:

Don’t think so. At least not from how I understand things should work ?

IP in my case was assigned to bridge via ethernet and I was connected via wlan.

But this snippet from the post just below the one you linked to, deserves repeating over and over again

Sure, not so casually it is Rule #4.

Thank you @holvoetn: Using MAC access (I did initially not know that was possible) I could access the mAP and modify the firewall.