Mikrotik wAP AC - Router, no bridge, Beginner questions

Hi there!
I am struggling a bit to configure wifi on a MT AP.
It's my first wifi setup on a MT… so bear with me :wink:

Let me paint you a picture of what i am trying to achieve:
Router ↔ ethernet2 (WAN) on wAP AC
wAP wireless1 ↔ Wireless Network 1
wAP wireless2 ↔ Wireless Network 2
I don't intend to bridge, unless it's mandatory.

Internet uplink works: I was able to update the wAP to the latest stable version.
I can connect to the SSID assigned to wireless1.
I get a DHCP lease from the right dhcp server (also runs on wAP AC), gateway and DNS get set: Looking good.

HOWEVER:

  • I can't ping the IP address assigned to wlan1.
  • I can't reach any destination on the internet.

I didn't bother to continue on wlan2 since I could not get wlan1 to work. So, the config is unfinished.

Here is my current config:

# may/07/2024 14:14:17 by RouterOS 6.49.15
# software id = SOMETHING
#
# model = RBwAPG-5HacD2HnD
# serial number = SOMETHING
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] name=ether2-UPLINK
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=SOMETHING supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n bridge-mode=disabled country=switzerland disabled=no frequency=2427 mode=ap-bridge name=wlan1_2_4_GHz security-profile=SOMETHING ssid=\
    SOMETHING_Charging_Front wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=switzerland frequency=auto name=wlan2_5_GHz security-profile=SOMETHING ssid=SOMETHING_Charging_Front_5GHZ wireless-protocol=802.11
/ip pool
add name=WLAN_2_4_GHZ ranges=192.168.66.1-192.168.66.100
add name=WLAN_5_GHz ranges=192.168.67.1-192.168.67.100
/ip dhcp-server
add address-pool=WLAN_2_4_GHZ disabled=no interface=wlan1_2_4_GHz lease-time=1d name=server2_4GHZ src-address=192.168.66.254
add address-pool=WLAN_5_GHz disabled=no interface=wlan2_5_GHz lease-time=1d name=server5_GHZ
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (wlan2_5_GHz) is not slave
add action=drop chain=input dst-port=68 in-interface=wlan2_5_GHz ip-protocol=udp mac-protocol=ip
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether2-UPLINK list=WAN
add interface=wlan1_2_4_GHz list=LAN
add interface=wlan2_5_GHz list=LAN
/ip address
add address=192.168.66.254 interface=wlan1_2_4_GHz network=192.168.66.0
add address=192.168.67.254 interface=wlan2_5_GHz network=192.168.67.0
/ip dhcp-client
add disabled=no interface=ether2-UPLINK
/ip dhcp-server network
add address=192.168.66.0/24 dns-server=192.168.66.254 gateway=192.168.66.254 netmask=24
add address=192.168.67.0/24 dns-server=192.168.67.254 gateway=192.168.67.254 netmask=24
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked
add action=fasttrack-connection chain=forward connection-state=established,related,untracked
add action=accept chain=input dst-address=192.168.66.254 src-address=192.168.66.0/24
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!192.168.66.254 out-interface=ether2-UPLINK out-interface-list=WAN src-address=192.168.66.0/24 src-address-list=""
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=MikroTik_AP1

Some help would be highly appreciated :slight_smile: I am pretty sure I didn't understand something and configured it wrong :slight_smile:

Is the MT AP acting as a router?
Giving out dhcp, routing etc and the upstream router is solely being used as a WAN source, providing a private IP on its LAN to the MT device??

well, it should :slight_smile:
ip settings → ip forward is enabled.
not sure if i have to enable routing somewhere else…

If you want to use it as an AP, configure it as an AP.
The steps would be:

  1. Reset to default: https://wiki.mikrotik.com/wiki/Manual:Reset
  2. Select Home AP in QuickSet
  3. Config the wireless part

I don't use ip forward, not familiar…
Also you state you would prefer not to use bridge, so what makes you think you can throw in a bridge filter ( advanced setting ) without any bridge ???
Let's stick to simple and what works please.

(1) Get rid of bridge filter!

(2) What is your intent for firewall rules? It's sparse and unclear??

  • do you want any users on regular router to be able to config the AP
  • do you want any users on the MT to be able to config the AP
  • recommend default firewall rules for the most part.

(3) NAT Rule needs work keep it simple.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

perhaps if you can explain why your rule was so overcooked, it would help you explain real requirements.


(4) For routing did you select default-route=yes in IP DHCP client??
Better if you know what IP the upstream router is giving you just disable the dhcp client
give the router its IP address on ether2 and then create route manually
add dst-address=0.0.0.0/0 gateway=gatewayofMainRouterSubnet routing-table=main

He wants two different subnet for wifi, NOT subnets from the main router.
Using the MT device as a router is the WAY. You need a siesta or a coffee erlinden, take your pick :wink:

I really don't want to bridge ether2 with wlan1&2 IF I can avoid it.
Subnet ether2(WAN): 10.0.0.32/30

Subnet for wlan1: 192.168.66.0/24 - MT as gateway 192.168.66.254
Subnet for wlan2: 192.168.67.0/24 - MT as gateway 192.168.67.254

Subnet for WAN is some weird passthrough option from a Zyxel device.
It uses 10.0.0.32/30 where 10.0.0.32 is zyxel, 10.0.0.33 is MT. All traffic is routed to 10.0.0.33
(Internet connectivity works from MT, I was able to update firmware, I am able to perform DNS lookups, I can reach internet hosts via ICMP (ping).)

So the zyxel is a modem router or just a modem?? Will assume very little if any protection afforded by zyxel.
Bridge Filter removed. No need to add a bridge.

/ip dhcp-client
add disabled=yes interface=ether2-UPLINK

/ip firewall filter { order is important ! }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else" { put this rule in last so you dont lock yourself out }
+++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="Drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip address
add address=10.0.0.33/24 interface=ether2-UPLINK network=10.0.0.0

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.32 routing-table=main

Well, the zyxel is something I am not very familiar with. It's "given" as existing infra.
Firewall on zyxel is turned off (according to manual), passthrough mode is enabled.
I kind of expected a public ip via DHCP (on the MT) when set to passthrough but that seems to be wrong: 10.0.0.33 it is.

I've implemented the changes you recommended, except the default route and static IP for ether2.
The ip for ether2 is assigned from zyxel via dhcp to MT.
Also, the default route is already there.
internet access from MT works.
BUT:
I still can't ping 192.168.66.254 (ip address from ether2) from a client connected to wifi (SSID bound to wlan1).
DNS seems to work as well on the client, I am now able to resolve names.

# may/07/2024 16:46:41 by RouterOS 6.49.15
# software id = SFAT-7XQX
#
# model = RBwAPG-5HacD2HnD
# serial number = HFA09B57CZ7
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] name=ether2-UPLINK
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=SOMETHING supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n bridge-mode=disabled country=switzerland disabled=no frequency=2427 mode=ap-bridge name=wlan1_2_4_GHz security-profile=SOMETHING ssid=\
    SOMETHING_Charging_Front wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=switzerland frequency=auto name=wlan2_5_GHz security-profile=SOMETHING ssid=SOMETHING_Charging_Front_5GHZ wireless-protocol=802.11
/ip pool
add name=WLAN_2_4_GHZ ranges=192.168.66.1-192.168.66.100
add name=WLAN_5_GHz ranges=192.168.67.1-192.168.67.100
/ip dhcp-server
add address-pool=WLAN_2_4_GHZ disabled=no interface=wlan1_2_4_GHz lease-time=1d name=server2_4GHZ src-address=192.168.66.254
add address-pool=WLAN_5_GHz disabled=no interface=wlan2_5_GHz lease-time=1d name=server5_GHZ
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (wlan2_5_GHz) is not slave
add action=drop chain=input dst-port=68 in-interface=wlan2_5_GHz ip-protocol=udp mac-protocol=ip
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether2-UPLINK list=WAN
add interface=wlan1_2_4_GHz list=LAN
add interface=wlan2_5_GHz list=LAN
/ip address
add address=192.168.66.254 interface=wlan1_2_4_GHz network=192.168.66.0
add address=192.168.67.254 interface=wlan2_5_GHz network=192.168.67.0
/ip dhcp-client
add disabled=no interface=ether2-UPLINK
/ip dhcp-server network
add address=192.168.66.0/24 dns-server=192.168.66.254 gateway=192.168.66.254 netmask=24
add address=192.168.67.0/24 dns-server=192.168.67.254 gateway=192.168.67.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=MikroTik_AP1

OH BOY…
problem was dumb as f***:

add address=192.168.66.254 interface=wlan1_2_4_GHz network=192.168.66.0

SHOULD HAVE BEEN:

add address=192.168.66.254**/24** interface=wlan1_2_4_GHz network=192.168.66.0

Fantastic!
Yes you can enable the IP DHCP client, and also select default-route= yes, and then remove the IP address and the manual route, comes to the same thing!

However, you appear to be not listening, and keep running into a stone wall. Do you like the pain??

Please remove your bridge filter, it's nonsensical :slight_smile:
/interface bridge filter
add action=drop chain=input dst-port=68 in-interface=wlan2_5_GHz ip-protocol=udp mac-protocol=ip

The router is even telling you don't be silly…
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (wlan2_5_GHz) is not slave
add action=drop chain=input dst-port=68 in-interface=wlan2_5_GHz ip-protocol=udp mac-protocol=ip

First of all: thanks for your help, it's highly appreciated.

"However, you appear to be not listening, and keep running into a stone wall. Do you like the pain??"
I disagree: I listen, I gave it a thought and heck, even spotted an error in your config (WAN isn't /24, it's /30!).
So I do "listen" (read).

About that bridge filter:
I never added that bridge filter in the first place and I thought it's something automatic, possibly because I disabled wlan2.
I deleted that now, seems to be a leftover after "quick set". (tried that first before I decided to better do it manually.)
It did not affect all the testing I did with wlan1 since […]in-interface=wlan2_5_GHz[…]

About DHCP Client:
I gave it a little thought, and here is why I decided to keep it on DHCP: If zyxel decides to change the address range or something during/with a firmware update it doesn't matter because DHCP will just hand out the new subnet/IP in that system to MT.

The MAIN problem, and that was my mistake, was that I didn't write the IP in CIDR notation and left out the subnet.
That's what caused my issues, at least from my understanding.
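Added example, not code from this thread or from MikroTik: a small Python lint over a RouterOS export that catches the two things the thread turned on, an /ip address entry written without a prefix length (which RouterOS stores as /32, so the router has no connected route to the rest of the LAN) and a leftover /interface bridge filter on a device with no bridge. The sample export is constructed from the lines posted above; the function and variable names are the example's own.

```python
import ipaddress
import re

# Constructed sample built from the posted export: the wlan1 address without a
# prefix length, a correct wlan2 address, and the stray QuickSet bridge filter.
SAMPLE_EXPORT = """\
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (wlan2_5_GHz) is not slave
add action=drop chain=input dst-port=68 in-interface=wlan2_5_GHz ip-protocol=udp mac-protocol=ip
/ip address
add address=192.168.66.254 interface=wlan1_2_4_GHz network=192.168.66.0
add address=192.168.67.254/24 interface=wlan2_5_GHz network=192.168.67.0
"""

def parse_sections(export):
    """Group add/set lines under their '/path' heading; '#' comment lines are skipped."""
    sections, current = {}, None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line and not line.startswith("#") and current is not None:
            sections[current].append(line)
    return sections

def props(line):
    """Turn 'add key=value key2=value2' into a dict (values without spaces only)."""
    return dict(re.findall(r"(\S+?)=(\S*)", line))

def lint(export):
    """Return findings for the two mistakes discussed above; an empty list means clean."""
    findings = []
    sections = parse_sections(export)
    for line in sections.get("/ip address", []):
        p = props(line)
        addr, iface_name = p.get("address", ""), p.get("interface", "?")
        if "/" not in addr:
            # RouterOS stores an address given without a mask as /32, so the
            # router cannot reach the other hosts of the intended LAN subnet.
            findings.append(f"{iface_name}: {addr} has no prefix length (stored as /32)")
            continue
        net = ipaddress.ip_interface(addr).network
        if "network" in p and p["network"] != str(net.network_address):
            findings.append(f"{iface_name}: network={p['network']} does not match {net}")
    if "/interface bridge filter" in sections and not sections.get("/interface bridge"):
        findings.append("bridge filter rules present but no bridge is configured; remove them")
    return findings
```

Running `lint(SAMPLE_EXPORT)` reports the wlan1 address and the bridge filter; the corrected `192.168.66.254/24` line passes clean.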

Glad it's all working for you now. :slight_smile: