MikroTik AP without DHCP - integrate in existing subnet

RouterOS Wireless Networking
1

It seems what i’m trying is not as straightforward as i thought it was.

I’m trying to set up an MikroTik cAP ac as a bare Wifi-AP. There is already a (non-)MikroTik router serving DHCP so the MikroTik should only serve as an access-point in the same subnet.

I tried following those instructions but both solutions don’t work as there’s no WiFi-signal after the reboot.

How can i make this thing run as a simple WiFi-AP?

2

Fastest way is resetting the routerboard to blank settings, then applying the required ones, turning the routerboard into a wired/wireless switch.

To do so:

1.- System > Reset Configuration: enable Keep User Configuration if you want to keep your admin user and password, and enable No Default Configuration, in order to start from a “blank” router configuration.

2.- Log into router using Winbox Neighbors tab (click on its Mac address field)

3.- Open a new terminal and copy & paste this config:

/interface bridge add name=bridge1

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=dynamic-keys name=secure supplicant-identity=MikroTik wpa2-pre-shared-key=YOURSSIDPASSWORD

/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n disabled=no frequency=auto installation=indoor mode=ap-bridge security-profile=secure ssid=YOURSSID wireless-protocol=802.11
set [ find default-name=wlan1 ] band=5ghz-a/n/ac disabled=no frequency=auto installation=indoor mode=ap-bridge security-profile=secure ssid=YOURSSID wireless-protocol=802.11

/interface bridge port add bridge=bridge1 interface=all

/ip dhcp-client add interface=bridge1

/system identity set name=Mikrotik.AP

This will turn your mikrotik into a “wired/wireless” switch, that will get an IP (for management, upgrades, etc) from the main LAN router DHCP.

That’s all required.

After this config is applied you can go to the wireless interfaces and tune them to your liking (modes, channel, width, etc) via WinBox.

3

Thank you pukkita!

For those looking for a solution without messing in the terminal i found a easy solution on this page:
https://tehnoblog.org/mikrotik-router-how-to-convert-hap-or-hap-lite-into-ordinary-switch-or-wireless-access-point-bridge/

4

Thank you! This did the cAP ac switch part as a charm!

I have issues though while trying to set up an isolated Guest virtual wlan access .

I 1st figured the need to replace the interface=all in

/interface bridge port add bridge=bridge1 interface=all

with an explicit list of each and every interface (ether 1, wlan1, wlan2) to be able to set a slave (guest) wlan under wlan1.

I also set a DHCP server to serve the guest segment 10.10.10.0/24

The problem is that setting the guest-bridge (10.10.10.0/24) to NAT through Out interface lan-bridge doesn’t work and a connected device cannot get Internet access.under guest-wlan. It gets IP # and is allowed in the network, but that’s all of it.

5

There are two ways of doing it and you managed to mix them both. They are:

  1. keep using cAP as simple switch/AP, but in this case you have to go with VLANs.
    The benefit is that all L3 (IP, DHCP server, …) configuration remains to be on router (in a simple SOHO use case), also all guest traffic will be strictly separated from LAN traffic up to the main router. The drawback is that you have to introduce VLANs in much of your LAN infractructure (which might be over the top for some LAN admins).
  2. set up cAP in a hybrid configuration where for LAN cAP remains configured as switch/AP, but for guest it’s router. This means that guest wireless interface (wifi2) is not part of bridge, it is rather used as stand-alone interface, it has all the L3 setup attached (IP address, DHCP server with address pool and what not). As to NAT you can either run it on cAP (for guests this means double NAT, but that usually isn’t a problem) or you can keep using main router NAT (in this case you have to add a static route on main router towards guest subnet using cAP as gateway)
    The benefit is that you don’t have to change any of L2 configuration on the rest of your network. The (big) drawback is that guests will easily be able to access your LAN (and blocking that is one of main reasons to introduce guest network in the first place). The relatively complex L3 setup of cAP is another drawback of this way of doing it.

If you decide to look into VLAN stuff, here’s link to a very nice tutorial on VLANs in ROS, I believe your use case is covered as well.

6

Using the Ros Device as an AP/switch only…
See the example here.
https://forum.mikrotik.com/viewtopic.php?t=182276

As noted if you want to do something separate on the CAPAC it gets more complex quickly.

7

Thank you @pukkita, this worked without any problems once I got the cAPAX to take it.

  • Note: If you copy and paste the code, into a cAP_AX, the wireless comes back disabled, but once you establish wired connection you can go back in and enable the wireless and configure SSID, etc.

This set up will work just fine until I get a managed switch for multiple VLANS.

[www]—>[pfsense]—>[dumb_switch]—[cAP AX AP]

Cheers!
:smiley:

8

Logical.
Legacy wifi settings are completely different from wifiwave2.

9

I’m trying to do this on a new cAP ax, but the second line has an issue. There isn’t a wireless interface, but there is a wifiwave2. Is there an updated set of instructions for this?

10

I will repeat for clarity…

11

Try this (copy-paste from previous script and adjusted for wifiwave2, you still need to change settings in accordance with your country/required security/…)

/interface bridge add name=bridge1

/interface/wifiwave2
set wifi1 disabled=no configuration.country=Latvia configuration.ssid=MikroTik security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=8-63_characters
set wifi2 disabled=no configuration.country=Latvia configuration.ssid=MikroTik security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=8-63_characters

/interface bridge port add bridge=bridge1 interface=all

/ip dhcp-client add interface=bridge1

/system identity set name=Mikrotik.AP
12

Thanks, it looks like that worked perfectly!

# 2023-11-01 18:51:51 by RouterOS 7.11.2
# software id = WU0A-I8IJ
#
# model = cAPGi-5HaxD2HaxD
# serial number = HEG08MMG27J
/interface bridge
add name=bridge1
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.country="United States" \
    .hide-ssid=no .manager=local .mode=ap .ssid=JPInternal disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] configuration.country="United States" .mode=\
    ap .ssid=JPInternal disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk
/interface bridge port
add bridge=bridge1 interface=all
/ip dhcp-client
add interface=bridge1
/system clock
set time-zone-name=America/New_York
/system identity
set name=cAPax01
/system note
set show-at-login=no