Problems accessing wAP G-5HacT2HnD

GmbH · January 7, 2019, 9:27pm

Hello,

I have configured wAP G-5HacT2HnD as a simple dual AP (via QuickSet, Home AP Dual) and I’m having problems accessing admin interface. The AP has IP 192.168.1.50 from LAN side, 192.168.2.1 from WiFi - when connecting via WiFi both addresses are working, from LAN side I can only ping 192.168.1.50 but cannot access it.

Is there something obvious what should I change / check?

I would also like to know what is the difference between router and bridge configuration in QuickSet WISP AP? In latter, the only way to access AP is via Winbox and MAC address.

Thank you,
Best Regards,

mkx · January 8, 2019, 9:23am

From wAP’s point of (default) router config, the wired connection is not LAN but rather WAN. And by default management connections from WAN are prohibited.

If you want to make wireless to be a full part of your (wired) LAN, then you should reconfigure your wAP ac unit to (non-WISP) bridge mode … so it will become a simple AP. I don’t think there’s a Quckset option for that, the easiest way might be to reset with no config, connect with winbox via MAC and create minimum config:

create bridge, add wireless and ether1 to it
set IP address to bridge (either statically or start DHCP client on it)
setup both wireless interfaces (set country, SSID, PSK, …)

GmbH · January 9, 2019, 11:36pm

I’ve created minimum config, bridge receives proper IP, WLAN is working, but again I cannot access the admin interface (works only via Winbox/MAC) - it is the same situation as in QuickSetup with WISP & bridge configuration.

So how can I bring up admin interface on bridge / ethernet?

Thank you,
Best Regards,

mistry7 · January 10, 2019, 6:58am

Dies it have an IP from your LAN side?

mkx · January 10, 2019, 7:19am

Post full configuration (output of /export hide-sensitive) and enclose it in [ code] … [ /code] environment for better readability.

GmbH · January 10, 2019, 11:52am

Here is my configuration:

# jan/02/1970 13:07:50 by RouterOS 6.43.8
# software id = *
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = *
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on name=ether
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=poland default-authentication=no default-forwarding=no disabled=no \
    distance=indoors frequency=auto frequency-mode=regulatory-domain mode=\
    ap-bridge name=wlan-2GHz ssid=* wireless-protocol=802.11 wps-mode=\
    disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee \
    default-authentication=no default-forwarding=no disabled=no distance=\
    indoors frequency=auto mode=ap-bridge name=wlan-5GHz ssid=* \
    wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge interface=ether
add bridge=bridge interface=wlan-2GHz
add bridge=bridge interface=wlan-5GHz
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add interface=bridge list=LAN
add interface=ether list=LAN
/interface wireless access-list
add interface=all mac-address=*
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no inte
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Bridge interface gets from DHCP a correct IP 192.168.1.50, and I would like to have an access to admin interface via that IP - from LAN & WLAN. Any other obvious misconfiguration? Is that a “proper” configuration for a simple AP in home environment?

mkx · January 10, 2019, 12:09pm

As this is not internet router, you should disable /interface detect-internet, it sometimes causes weird misbehaviour. I’m not sure that /interface wireless access-list needs anything in it, seems you’re not doing any ACL stuff.

Other than that setup looks fine for a simple AP.

GmbH · January 10, 2019, 12:48pm

I’ve disabled /interface detect-internet - nothing changed.

On /interface wireless access-list I have several MAC addresses which are allowed to connect to WLAN - both WLAN interfaces have default-authentication=no default-forwarding=no, so I assume that any MAC which is not on the list won’t connect to WLAN even with a valid password.

mkx · January 10, 2019, 1:23pm

… which weren’t in your posted config. Which makes me wonder if there’s something else which might interfere with access to wAP from LAN.

I’m sure you did restart wAP plenty of times … sometimes there are some intermittent connectivity woes which go away after a restart.

Exiver · January 10, 2019, 1:42pm

There is a problem with your configuration.

You added the wifi and the lan port to your bridge “bridge”

/interface bridge
add name=bridge
[...]
/interface bridge port
add bridge=bridge interface=ether
add bridge=bridge interface=wlan-2GHz
add bridge=bridge interface=wlan-5GHz
[...]

Everything correct until here. Next we cant see on which interface your DHCP client is listening (seems like the line is cut in your pasted config):

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no inte

Should be the bridge since dhcp shouldnt be able to run on a slave interface.

Next thing ( i think these settings are creating the non reachability from LAN):

/interface list member
add interface=bridge list=LAN
add interface=ether list=LAN
[...]
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Please make sure you either use all of the slave interfaces in your interface list “LAN” (for example: ether1, wlan1, wlan2) or chose only the bridge, since all of the devices are already members of that bridge..

GmbH · January 10, 2019, 2:57pm

Yes, the cut out part had a bridge interface, and bridge interface gets the correct IP address

Next thing ( i think these settings are creating the non reachability from LAN):

/interface list member
add interface=bridge list=LAN
add interface=ether list=LAN
[...]
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I’ve corrected this - on interface list LAN there is only a bridge and I’ve removed mac-server settings. Here is a current configuration:

# jan/02/1970 17:14:23 by RouterOS 6.43.8
# software id = *
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = *
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on name=ether
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=poland \
    default-authentication=no default-forwarding=no disabled=no distance=indoors frequency=\
    auto frequency-mode=regulatory-domain mode=ap-bridge name=wlan-2GHz ssid=* \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee \
    default-authentication=no default-forwarding=no disabled=no distance=indoors frequency=\
    auto mode=ap-bridge name=wlan-5GHz ssid=* wireless-protocol=802.11 wps-mode=\
    disabled
/interface list
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge interface=ether
add bridge=bridge interface=wlan-2GHz
add bridge=bridge interface=wlan-5GHz
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
/interface wireless access-list
add interface=all mac-address=*
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw

Although no changes in accessing admin interface.

Exiver · January 10, 2019, 4:25pm

Okay thats weird but maybe export hide-sensitive doesnt print everything interesting.

Can you please provide the output for

/ip service export
and
/ip firewall export

Please make sure you hide anything containing personal stuff like serial number of the router and so on.

GmbH · January 10, 2019, 10:30pm

Here are requested settings:

/ip service export

# jan/03/1970 00:33:08 by RouterOS 6.43.8
# software id = *
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = *
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ip firewall export

# jan/03/1970 00:33:27 by RouterOS 6.43.8
# software id = *
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = *

It seems that it started to work - after several reboots I’ve noticed that AP is not getting assigned IP - the MAC address has changed. So I’ve searched a bit, and now I’ve assigned a static admin-mac to bridge interface. After couple of reboots I can access admin interface via assigned IP without problems.

Case closed - thank you!
Best Regards,

Goozling · January 12, 2019, 7:10am

I just bought an “Mikrotik wAP ac”[0] to figure out how well the hardware is. The data sheet and the price look promising. I would love to have OpenWrt/LEDE support for this access point but have not yet ported any device to OpenWrt/LEDE. So I might need some help. Also I heard that sysupgrade is broken for ar71xx-mikrotik.

My final plan is to use this device in my local Freifunk community for places where we need a outdoor access point.

I’ll provide pictures and more documentation when I have the device in my hands (planned for in 16h).