alper
July 19, 2024, 8:45pm
1
Hello,
I have bought the new hAP ax3 to replace the WiFi AP in the living room, but the config proved to be more difficult than I'd anticipated.
I have an ISP router I can’t stop using - VOIP + IPTV. I have a RB2011 connected to it in bridge mode, providing DHCP server to 192.168.1.0/24 on eth ports, and to 192.168.10.0/24 on wlan1, for IoT devices only.
I have a Linksys router in the living room and I wanted to change it to hap ax3. It currently links the devices there to the rest of the network.
What I’d like to achieve is to have the following setup:
I’ve tried to do it a few times and simply failed. I was able to get devices behind the hAP ax3 to reach the internet (but for some reason I cannot access other devices on the LAN - no ping, nothing).
If this is something easier and more manageable with VLANs, I’m open to that too. I simply want to isolate IoT devices from the rest of the network and maybe free up some broadcast traffic. The WiFi will only be provided by the hAP ax3 (the rest of the routers will have WiFi disabled).
I’m hoping this was clear.
Thanks a lot in advance!
Could you export the config of the hAP ax³ and post it here?
/export file=anynameyouwish (minus sensitive info)
alper
July 20, 2024, 8:47am
3
hello!
thanks for your reply!
I was able to get LANs to work. I’m able to get an IP from the RB2011 and reach the internet and local network. 5GHz also works fine.
However, now I’m unable to connect to the 2GHz network - the one for IoT devices - and I can’t for the life of me figure out what’s wrong.
EDIT: weird... now I can connect to the 2GHz network and get a local IP, but I can’t connect to the internet or local machines. I want this to have its own subnet and reach the internet but not the other subnet.
# 2024-07-20 11:42:31 by RouterOS 7.15.2
# software id = 38FB-5HB4
#
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add admin-mac=D4:01:C3:4E:96:7C auto-mac=no comment=defconf name=bridge
add name=bridge-iot
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Turkey .mode=ap .ssid=wifi5ghz disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-n disabled=no frequency=2300-7300 name=channel1 width=\
20/40mhz-eC
/interface wifi configuration
add channel.band=2ghz-n .frequency=2300-7300 .width=20/40mhz-eC country=\
Turkey disabled=no mode=ap name=iot security.authentication-types=\
wpa2-psk ssid=.wifi-iot-2ghz
/interface wifi
set [ find default-name=wifi2 ] channel=channel1 channel.skip-dfs-channels=\
10min-cac configuration=iot configuration.country=Turkey .mode=ap .ssid=\
.wifi-iot-2ghz disabled=no security.authentication-types=wpa2-psk .ft=yes \
.ft-over-ds=yes
add configuration.mode=ap .ssid=test mac-address=D6:01:C3:4E:96:81 \
master-interface=wifi2 name=wifi3
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=iot-pool ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.10.1-192.168.10.254
add name=rb2011-pool ranges=192.168.1.2-192.168.1.254
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
disabled=yes disabled=yes name=zt1 port=9993
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge-iot comment=defconf interface=wifi2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=bridge-iot list=LAN
/ip address
add address=192.168.10.1/24 interface=bridge-iot network=192.168.10.0
add address=192.168.1.17/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
add interface=bridge name=server1 relay=192.168.1.16 server-address=\
192.168.1.16
add address-pool=iot-pool interface=bridge-iot name=dhcp-iot
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.16 gateway=192.168.1.16 \
netmask=24
add address=192.168.10.0/24 dns-server=192.168.1.17 gateway=192.168.1.17
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=masquerade chain=srcnat out-interface=ether1 out-interface-list=\
WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.1.0/14 gateway=192.168.1.16 \
routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Istanbul
/system note
set show-at-login=no
/system ntp client
set enabled=yes mode=broadcast
/system ntp client servers
add address=tr.pool.ntp.org
add address="time.google.com "
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
p\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
If we consider the default bridge as WAN and the IoT as LAN, change the default bridge to be part of the WAN interface list and remove out-interface=ether1 from the masquerade rule:
/interface list member
set [ find interface=bridge ] list=WAN
/ip firewall nat
set [ find out-interface=ether1 ] out-interface=""
A default route would also be needed:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1
As for limiting access to the “WAN” network, a drop forward rule would do the trick:
/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=192.168.10.0/24
A side question - what is the purpose of the following route:
/ip route
add disabled=no dst-address=192.168.1.0/14 gateway=192.168.1.16 \
routing-table=main suppress-hw-offload=no
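To make the pieces of the reply above concrete, here is an added example of a minimal IoT-isolation setup for a downstream RouterOS 7 device such as the hAP ax3 in this thread. It is not code from the thread or from MikroTik. It assumes ether1 (or the bridge it is a port of; an address must sit on the master interface, not on a bridge port, as the export's own NAT comment warns) is the uplink into the 192.168.1.0/24 home LAN with 192.168.1.1 as upstream gateway and 192.168.1.16 as upstream DNS, and that the IoT SSID is on bridge-iot as 192.168.10.0/24. The interface and pool names are taken from the exports; everything else is an assumption.

```routeros
# Added example, not from the thread: IoT subnet routed behind a downstream
# RouterOS 7 router and blocked from the home LAN.
# Assumed: ether1 = uplink into 192.168.1.0/24 (gateway 192.168.1.1,
# DNS 192.168.1.16), bridge-iot = IoT SSID as 192.168.10.0/24.

/interface list
add name=WAN comment="uplink side"
add name=LAN comment="isolated IoT side"
/interface list member
add interface=ether1 list=WAN
add interface=bridge-iot list=LAN

# Uplink address and default route; the IoT side is routed into the
# home LAN, not bridged with it.
/ip address
add address=192.168.1.17/24 interface=ether1
add address=192.168.10.1/24 interface=bridge-iot
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

# IoT clients get THIS router as gateway and DNS. A gateway outside the
# client's own subnet (e.g. an address on 192.168.1.0/24) is unreachable
# for them and leaves them without internet access.
/ip pool
add name=iot-pool ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=iot-pool interface=bridge-iot name=dhcp-iot
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.16

# Forward chain: state tracking first, then the IoT -> home LAN drop BEFORE
# any general accept. Sessions opened from the home LAN towards an IoT
# device still get their replies through the established,related rule,
# while IoT devices cannot open connections back.
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop src-address=192.168.10.0/24 \
    dst-address=192.168.1.0/24 comment="IoT may not reach home LAN"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="IoT to internet"
add chain=forward action=drop comment="drop everything else"

# Input chain: IoT clients may only talk DHCP and DNS to the router itself,
# so the router's management services are not reachable from the IoT SSID.
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=LAN protocol=udp \
    dst-port=53,67 comment="DNS + DHCP for IoT clients"
add chain=input action=accept in-interface-list=!LAN \
    comment="management from the uplink side only"
add chain=input action=drop in-interface-list=LAN \
    comment="no other access from IoT"

# Hide the IoT subnet behind the uplink address so the upstream router
# needs no return route for 192.168.10.0/24.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
```

After applying it, a quick check from an IoT client is that it receives 192.168.10.1 as gateway and DNS, can resolve and reach internet hosts, and gets no reply from 192.168.1.x addresses; `/ip firewall filter print stats` shows the drop counter on the "IoT may not reach home LAN" rule increasing while those tests run.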
alper
July 20, 2024, 12:20pm
5
> If we consider the default bridge as WAN and the IoT as LAN, change the default bridge to be part of the WAN interface list and remove out-interface=ether1 from the masquerade rule:
> /interface list member
> set [ find interface=bridge ] list=WAN
> /ip firewall nat
> set [ find out-interface=ether1 ] out-interface=""
getting this on the last /set command: ambiguous value of interface, more than one possible value matches input
I was able to manually change it in Winbox.
> A default route would also be needed:
> /ip route
> add dst-address=0.0.0.0/0 gateway=192.168.1.1
>
> As for limiting access to the "WAN" network, a drop forward rule would do the trick:
> /ip firewall filter
> add action=drop chain=forward dst-address=192.168.1.0/24 src-address=192.168.10.0/24
>
> A side question - what is the purpose of the following route:
> /ip route
> add disabled=no dst-address=192.168.1.0/14 gateway=192.168.1.16 \
> routing-table=main suppress-hw-offload=no
I did the rest as well.
I'm still not getting any internet access on iot wifi :frowning:
Posting new recent config in a new post for simplicity.
EDIT: answer to your side question: I was just trying to find a way to make it work, really :frowning: thanks a lot!
alper
July 20, 2024, 12:21pm
6
# 2024-07-20 15:19:03 by RouterOS 7.15.2
# software id = 38FB-5HB4
#
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add admin-mac=D4:01:C3:4E:96:7C auto-mac=no comment=defconf name=bridge
add name=bridge-iot
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Turkey .mode=ap .ssid=estapitipit2 disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-n disabled=no frequency=2300-7300 name=channel1 width=\
20/40mhz-eC
/interface wifi configuration
add channel.band=2ghz-n .frequency=2300-7300 .width=20/40mhz-eC country=\
Turkey disabled=no mode=ap name=iot security.authentication-types=\
wpa2-psk ssid=estapitipiti2
/interface wifi
set [ find default-name=wifi2 ] channel=channel1 channel.skip-dfs-channels=\
10min-cac configuration=iot configuration.country=Turkey .mode=ap .ssid=\
estapitipiti2 disabled=no security.authentication-types=wpa2-psk .ft=yes \
.ft-over-ds=yes
add configuration.mode=ap .ssid=test mac-address=D6:01:C3:4E:96:81 \
master-interface=wifi2 name=wifi3
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip dhcp-server
add interface=bridge name=server1 relay=192.168.1.16 server-address=\
192.168.1.16
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=iot-pool ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.10.1-192.168.10.254
add name=rb2011-pool ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
add address-pool=iot-pool interface=bridge-iot name=dhcp-iot
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
disabled=yes disabled=yes name=zt1 port=9993
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge-iot comment=defconf interface=wifi2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=WAN
add interface=ether1 list=WAN
add interface=bridge-iot list=LAN
/ip address
add address=192.168.10.1/24 interface=bridge-iot network=192.168.10.0
add address=192.168.1.17/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.16 gateway=192.168.1.16 \
netmask=24
add address=192.168.10.0/24 dns-server=192.168.1.17 gateway=192.168.1.17
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input disabled=yes dst-address=192.168.1.1 \
src-address=192.168.10.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
192.168.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 dst-address=192.168.10.0/24 gateway=192.168.1.16 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add dst-address=0.0.0.0/0 gateway=192.168.1.1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Istanbul
/system note
set show-at-login=no
/system ntp client
set enabled=yes mode=broadcast
/system ntp client servers
add address=tr.pool.ntp.org
add address="time.google.com "
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
p\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
infabo
July 20, 2024, 12:27pm
7
fix your nat rules. srcnat without dst/src won’t work IMHO
alper
July 20, 2024, 12:46pm
8
thanks a lot for your reply.
can you be more specific as to what rule I should be adding?
anav
July 20, 2024, 3:41pm
9
Until you sort out your dual bridge issues, and more so the conflict of treating the bridge like a LAN functioning entity but also a WAN entity, I don't think much progress will be made!
Overall the config seems confused!
/ip dhcp-server
add interface=bridge name=server1 relay=192.168.1.16 server-address=\
192.168.1.16
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge-iot comment=defconf interface=wifi2
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=WAN
add interface=ether1 list=WAN
add interface=bridge-iot list=LAN
/ip address
add address=192.168.10.1/24 interface=bridge-iot network=192.168.10.0
add address=192.168.1.17/24 interface=ether1 network=192.168.1.0
anav
July 20, 2024, 3:48pm
10
I think the remedy is to be a bit clearer on the planning side.
You have an ISP router that you cannot replace due to internet + other things…
You do not need to use the ISP router for wifi.
You have the RB2011 getting a public IP (you stated bridge mode) for internet traffic, or do you mean it gets a private IP on the ISP router LAN??
From the diagram it looks like the ISP router gives out a private LAN on 192.168.1.1, in which case the RB2011 gets an IP address of 192.168.1.16 as its “WANIP” when looking from behind the router.
If so, then why do all the devices behind the MT have the same subnet as that of the ISP router???
That would imply the RB2011 is not doing any routing, it's just a switch???
anav
July 20, 2024, 3:50pm
11
You also have to decide on the wifi side of the house, how many SSIDs and thus subnets you need.
Do you want to separate guest wifi from the home user subnet? Do you want to separate IoT equipment or media equipment on wifi from home users?
Normally we tend to say yes, for basic security principles.
alper
July 20, 2024, 6:06pm
12
> I think the remedy is to be a bit clearer on the planning side.
> You have an ISP router that you cannot replace due to internet + other things…
> You do not need to use the ISP router for wifi.
> You have the RB2011 getting a public IP (you stated bridge mode) for internet traffic, or do you mean it gets a private IP on the ISP router LAN??
> From the diagram it looks like the ISP router gives out a private LAN on 192.168.1.1, in which case the RB2011 gets an IP address of 192.168.1.16 as its “WANIP” when looking from behind the router.
> If so, then why do all the devices behind the MT have the same subnet as that of the ISP router???
> That would imply the RB2011 is not doing any routing, it's just a switch???
hello anav! thank you for taking the time.
Yes, that’s all correct. RB2011 has a local IP (no public IP). I didn’t want to have a different subnet back in the day, and this seemed to work. Now I’d like to be in the same subnet for my eth connected LAN (everyday machines: media player, music streamer, NAS etc) in two separate rooms.
I’m also trying to get 5GHz network in the same subnet, but a separate subnet for 2GHz for IoT devices. I don’t need a guest wifi.
Yes, RB2011 is the DHCP server and it doesn’t do much.
alper
July 20, 2024, 6:07pm
13
> You also have to decide on the wifi side of the house, how many SSIDs and thus subnets you need.
> Do you want to separate guest wifi from the home user subnet? Do you want to separate IoT equipment or media equipment on wifi from home users?
> Normally we tend to say yes, for basic security principles.
two SSIDs - one for daily use 5GHz and one for IoT. I don’t need guest wifi as I don’t share my password.
alper
July 20, 2024, 6:52pm
14
would the following information be of any help?
The RB2011 also has an IP of 192.168.10.65.
The hAP ax3 also has an IP of 192.168.10.1.