mAP lite / reset / ping 192.168.88.1 via ETH-Port

I will buy a mAP lite. Before starting to configure I want to have a reliable way to start over as often as I want from the beginning. The idea to start over from scratch is:

  1. Reset the mAP lite (unplug, press and hold reset-button, plug power in, release reset-button)
  2. ssh from my host with ip 192.168.88.2 to 192.168.88.1 (hopefully to mAP lite) and cat my config to the command line interface

Now I am not sure if the default config does allow that (is 192.168.88.1 configured on the eth port as default), because I read that on devices with only 1 eth port (like mAP lite), this port will be used to connect to pppoe and will not have the IP assigned.

Has anybody personal experience if this will work?

Default map lite will have dhcp client on ether 1 as WAN.
This also means default firewall will block you from access.

Bridge as LAN with 192.168.88.1 address and wifi interface connected to bridge.
Dhcp server for .88.0/24 range is also on bridge.

Having only 1 ether port makes this indeed a tricky bugger when testing/toying.
I have had my share of clean install and/or netinstall with those ones (I have multiple and still use them).

As often happens I may be wrong, and de gustibus non disputandum est, but, unless you really-really need the tiny size of the mAP lite, the "normal" mAP, and its two ethernet ports, seems to me a much more "flexible" device.

The lite version is a fantastic device, but with very limited uses, and the default access after reset via wifi only is IMHO a nuisance.

You can replace the default configuration however, not exactly for the faint of heart, but there is anyway netinstall in case of need.

Thank you for this info. So instead of setting my own IP to 192.168.88.2 I will run dhclient on my lancard to get an IP from mAP lite. Then because of the firewall I think only port 80 or 443 will be open to connect to 192.168.88.1, or will ssh also be possible?

The other way would be to connect via wlan. Maybe this is easier.

But in either case I would like to run “/system reset-configuration” as my first command. But this would kill my connection. So if I am connected with wlan, I would have to stop dhcp and firewall on ether1 and make sure that an IP is set on ether1. I have to find the commands to do this.

I only have RouterOS - RouterOS - MikroTik Documentation

  1. I can not find a command to disable the firewall (does somebody know it?)
    /ip firewall
  2. I can not find a command to disable dhcp (does somebody know it?)
  3. To add an IP I can try:
    /interface bridge add name=bridge1
    /interface bridge port add interface=ether1 bridge=bridge1
    /ip address add address=x.x.x.x/24 interface=bridge1

Is there another better documentation? Also the bot could not find a way to disable or flush the firewall. The bot says: “I don’t know the answer to this question based on the provided documentation.”

If your local PC is connected to the LAN side of mAP Lite, you can access the device however you want.
SSH, Winbox, web, ... whatever.

For next steps, it might be best to decide what exactly you want to do.
When I reset a mAP Lite to no-config, I connect my laptop to etherport. That way I can access the device.
Usually I create then the master wifi interface I need to have but ALSO a slave interface with different SSID/security.
That interface I keep off bridge and in LAN interface list so I can use it to access the device via Winbox/MAC (doesn't even need IP, just wifi access and MAC).

But quite some steps depend on where you want to go.
As indicated a regular mAP is a bit easier since it has 2 ether ports, one you can keep off bridge for such setup cases.
With mAP lite you need to be a bit more pro-active in your thinking and setup.

There is NO "other way".

You can ONLY connect to a map lite "out of the box" via wifi.

Winbox (preferably v3) is advised to connect to it, see here why:

Here are some generic instructions:

If you explain what you want to use the map lite for, we can assist you with the needed commands.

There is no command to "disable" firewall (as a whole), you can EITHER place an "accept all" rule as first rule (thus bypassing all the following rules) OR delete (or disable) one by one all the firewall rules

dhcp (client or server) can be disabled just fine, in Winbox (GUI) it is easy to enable or disable anything, you just select the item and then click on the check marks top left in the window. ✅ ❌

If you are more a CLI kind of guy, it is possible as well with commands, though it is a little bit more tricky (the selection of the correct item/object on which the command is to be executed).

You need to list the items, with the print command.
The output will show you a "number" for each item.
Then you apply the command to the item number.
Since numbers may change, you always need to run the print command to get the proper number immediately before running the command.
Alternatively you can use the [find] syntax but it is often more complex to implement on command line (it is more suited to scripts), an example is here:
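
The two selection styles described in this post, shown as an added example that is not part of the original post. The interface name ether1 comes from the thread; the rule number 5 and the comment text are constructed placeholders.

```routeros
# List the filter rules. The first column is the item number that the
# following commands refer to; it is only valid until the next print.
/ip firewall filter print

# Disable a single rule by the number that print just showed (5 is a placeholder).
/ip firewall filter disable numbers=5

# The same kind of operation without numbers: [find] selects items by property,
# here every drop rule in the input chain.
/ip firewall filter disable [find chain=input action=drop]

# Alternative to disabling rules one by one: put an "accept all" rule in front
# of the input chain. The comment tags the rule so it can be removed later.
# place-before=0 relies on the print above having been run in this session.
/ip firewall filter add chain=input action=accept place-before=0 comment="bench-accept-all"

# DHCP client: list the entries, then disable the one bound to ether1.
/ip dhcp-client print
/ip dhcp-client disable [find interface=ether1]

# DHCP server: disable every configured server instance.
/ip dhcp-server disable [find]

# Put filtering back once the device is reachable the way you want:
/ip firewall filter remove [find comment="bench-accept-all"]
/ip firewall filter enable [find chain=input action=drop]
```

While the accept-all rule is in place, or the drop rules are disabled, every management service on the device is reachable from every interface, so do this on an isolated bench network and restore the rules before the device goes into service.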

I have chosen mAP lite, because I need an Access Point.

What an Access Point means is described in help.mikrotik.com → Wireless → Wifi → Overview:
“Access point → are "bridge" devices, which are connected to the router using an Ethernet cable, they are not firewall protected, and they have DHCP-server functionality disabled (they "bridge" DHCP requests from the router to AP's clients).”

This means on my linux server I will answer DHCP requests to the WiFi clients, that are connected via the Access point. Also on my linux server I will run the firewall.

I have chosen the mAP lite, because I only need one ether port (additional ether ports would cost Watt and would not be used), and because “mAP lite” has “AP” in the name.

For me a simple AP would work that way:

  1. It asks via dhcp-request over ether port for his IP Address
  2. I can connect over ether lan via http or ssh to this IP Address and configure the WiFi
  3. That's all. Now I can see dhcp-requests from the WiFi clients on my server

It is no problem for me if the AP does not work exactly as I described before. But with “mAP lite”

  • I only could connect to the admin interface via WiFi.
  • I was not able to remove the installed Firewall. I could never connect to the admin interface via Ether.
  • As soon as I configured the wanted IP Address of the AP and I saw dhcp-requests from WiFi clients I was not able any more to connect via http to the admin interface over WiFi.

I believe it would have worked with the normal mAP with two ether ports. And probably it also would have worked with the CAP mode, but I would have needed an additional mikrotik Router for this.

So the only solution I found is to send my mAP back to the vendor and try an AP from another vendor. I will wait until Monday before sending it back, if I find no other solution.

By the way, I will not try a solution that requires non-open-source tools like WinBox on a Windows Installation. I also will not try any smartphone app (as long as it is not an open source smartphone like librem5).

If you simply want to use it as an AP (which is now the first time you mention this):

  • make sure it's in default config (reset to factory default)
  • connect to the device via wifi / web access (no passwd needed for Wifi SSID, access = admin/blank)
  • Quickset - WISP AP
    -- Bridge mode
    -- automatic address acquisition
    -- set Wifi as needed for your usage

Done.

More seasoned users will avoid using Quickset like the plague but for some cases it has its uses.
Like this one.

Well, you could have used ssh, if you are so open source hardcore.

Or webfig, (of course using an open source browser).

As said there are no particular issues in configuring a mAP lite as an access point as you wish, the only nuisance is that the initial connection needs to be done from the wifi.

I have already tried what you said, but it does not work.

When I do it this way I can not access the admin interface any more. For example to change my wifi password, or to change the wifi country defaults.

What you say may work if there is an additional ether port, but not with only one ether port. The firewall will only allow to ping via the ether port (no ssh, no http).

Also if it would have worked, I would have tried additional config like a guest wlan with a vlan. And I am sure I would have some more ideas.

I just DID it with a mAP Lite lying here next to me.
Connected my S25 to the wifi network and it connects and can use internet.
But accessing the device itself seems to be a problem indeed. Just a minute...

edit: it seems firewall rules are still active when using that quickset, while they shouldn't.
edit2: access via winbox is zero problem. But since you're refusing to use it ... I don't understand why. It's a Mikrotik tool.

@holvoetn
But what is the problem (on first connection) with disabling firewall rules?

@bschu
Can you reset your device and post the default configuration?

Besides:

First I have compiled and tried mactelnet from git.

To get the MAC with arp -a, I first do some ping of the configured address.

root@adsl-bookworm:~/src/mactelnet# ping -c3 192.168.3.6
PING 192.168.3.6 (192.168.3.6) 56(84) bytes of data.
64 bytes from 192.168.3.6: icmp_seq=1 ttl=64 time=0.425 ms
64 bytes from 192.168.3.6: icmp_seq=2 ttl=64 time=0.400 ms
64 bytes from 192.168.3.6: icmp_seq=3 ttl=64 time=0.416 ms

--- 192.168.3.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2033ms
rtt min/avg/max/mdev = 0.400/0.413/0.425/0.010 ms
root@adsl-bookworm:~/src/mactelnet# arp -a | grep 192.168.3.6
huawei.bs.de (192.168.3.66) auf <unvollständig> auf ethwlan
wlan.bs.de (192.168.3.6) auf 04:f4:1c:b6:b8:2e [ether] auf ethwlan
root@adsl-bookworm:~/src/mactelnet# mactelnet 04:f4:1c:b6:b8:2e
Login: admin
Password:
Connecting to 4:f4:1c:b6:b8:2e...Connection failed.

I have also tried both MACs from the label:
E01: 04:F4:1C:B6:B8:2D
W01: 04:F4:1C:B6:B8:2F

All failed. Also macping gets timeouts. Maybe UDP is also blocked.

I think if mactelnet would work, then also ssh or http would work.

No that is not true. MAC ping/telnet/winbox are unaffected by the RouterOS firewall. No /ip address or /ipv6 address configuration are required on the RouterOS device.

However, if your Linux machine has firewall rules active, you might need to add some exceptions, see:

ok first I have changed my firewall rules → no success

then I have stopped my firewall for the short test → no success

then I thought the problem might be that my machine is only a kvm connected to the hostmachine with macvtap. So I have then started my old pc and connected the mAP lite to a separate lancard on my old pc with a crossed lan-cable.

I have seen that there is already a debian package for mactelnet and installed mactelnet-client instead of compiling the source on my old pc.

The separate lan on my old pc has now IP 192.168.3.2/24. The mAP lite has IP 192.168.3.6.

I can ping mAP lite:

root@oldpc:~# ping -c3 192.168.3.6
PING 192.168.3.6 (192.168.3.6) 56(84) bytes of data.
64 bytes from 192.168.3.6: icmp_seq=1 ttl=64 time=0.324 ms
64 bytes from 192.168.3.6: icmp_seq=2 ttl=64 time=0.299 ms
64 bytes from 192.168.3.6: icmp_seq=3 ttl=64 time=0.297 ms

--- 192.168.3.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2028ms
rtt min/avg/max/mdev = 0.297/0.306/0.324/0.012 ms

No firewall is started.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

macping works

root@oldpc:~# macping -c 3 04:f4:1c:b6:b8:2d
4:f4:1c:b6:b8:2d 56 byte, ping time 0.73 ms
4:f4:1c:b6:b8:2d 56 byte, ping time 0.68 ms
4:f4:1c:b6:b8:2d 56 byte, ping time 0.67 ms

3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.67/0.69/0.73 ms
root@oldpc:~# macping -c 3 04:f4:1c:b6:b8:2e
4:f4:1c:b6:b8:2e 56 byte, ping time 0.74 ms
4:f4:1c:b6:b8:2e 56 byte, ping time 0.67 ms
4:f4:1c:b6:b8:2e 56 byte, ping time 0.66 ms

3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.66/0.69/0.74 ms
root@oldpc:~# macping -c 3 04:f4:1c:b6:b8:2f
4:f4:1c:b6:b8:2f 56 byte, ping time 0.63 ms
4:f4:1c:b6:b8:2f 56 byte, ping time 0.59 ms
4:f4:1c:b6:b8:2f 56 byte, ping time 0.63 ms

3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.59/0.62/0.63 ms

mactelnet fails

root@oldpc:~# mactelnet 04:f4:1c:b6:b8:2f
Login: admin
Password:
Connecting to 4:f4:1c:b6:b8:2f...Connection failed.
root@oldpc:~# mactelnet 04:f4:1c:b6:b8:2d
Login: admin
Password:
Connecting to 4:f4:1c:b6:b8:2d...Connection failed.
root@oldpc:~# mactelnet 04:f4:1c:b6:b8:2e
Login: admin
Password:
Connecting to 4:f4:1c:b6:b8:2e...Connection failed.

It does not work. I think if you have seen that the firewall on your PC is important. It is also possible that the firewall on mAP lite can prevent the access.

And I think this is enough work and time for me that I spent on the mAP lite.
Maybe as @holvoetn said: “it seems firewall rules are still active when using that quickset, while they shouldn't.“ this is the problem.

Maybe the next release of the mikrotik software could fix that (not for me, but for the next customer)

Well, the next customer will likely use Winbox, at least once, temporarily, to set up the device in such a way that it works also with IP access.

But any reason why you won't use webfig (just after a reset)?

I just tried the MAC-telnet client above from GitHub, compiled from source from release v0.6.3, and mactelnet fails to connect too. macping works like you experienced.

WinBox on the same Linux installation in MAC WinBox mode has no problem connecting to the same router (CHR test installation). And I've reset that CHR installation so that there are absolutely no firewall rules.

It looks like the tool is no longer compatible with the recent RouterOS versions.

Do you have another RouterOS device on the same layer 2 network? If yes, you can connect to that device, then from that device's terminal, run

/tool mac-telnet host=XX:XX:XX:XX:XX:XX

to try to connect to the mAP lite. If it works, then the problem is definitely the opensource client.

Someone posted a new opensource implementation today, but it requires .NET 10 (and the .NET SDK if you want to compile)

MacTelnet implementation for .NET 10 (KC.MacTelnet) - RouterOS / General - MikroTik community forum

I haven't tried that yet.

I'd guess that mac-telnet package for debian and mac-telnet from GitHub link posted previously are the same thing. And they don't work to connect ROS devices since around 6.45 ... around that time, authentication for mac-telnet was significantly changed (because previously it was weak and vulnerable) and "open source" implementations don't exist. MT doesn't provide mac-telnet CLI to be run on 3rd party OSes, only inside ROS (to connect to another ROS device).

As to easy "AP only" configuration: unfortunately there isn't a QuickSet profile which would make device a simple wifi_AP-to-ethernet bridge (with DHCP client running for remote management). While it is most certainly possible to configure device in such manner, it can be overwhelming for users not familiar with RouterOS. So I'd say that for those users, selecting a different vendor might be the best way forward.

I have a TP-Link TL-WR802N (which is a very similar device to the mAP lite), though I only used it as a client, it works just fine.

And - seemingly - it can run OpenWRT:
https://openwrt.org/toh/tp-link/tl-wr802n_v4

This is what I do all the time. But I can only use it one time. Then the firewall prevents access from ether and from wifi.