Hi.
I am new to RouteOS and it is somewhat overwhelming.
There are two of RBwsAP-5Hac2nD in a wireless bridge setup. One was setup using the "PTP Bridge AP" quick set, the other using "PTP Bridge CPE" quick set. All interfaces in one bridge. The wireless bridge uses Nv2
The bridge works just fine. I can ping anything from everywhere except ip cameras behind the bridge. Ping says host unreachable after a few timeouts.
All the cameras work just fine when connected to the rest of my network (when not behind the bridge)
My Laptop, when connected in the same no-name POE switch as cameras, can ping everything including cameras. The RBwsAP-5Hac2nD (that is connected to no-name-switch) can ping the laptop, but cannot ping cameras.

Client isolation is disabled (at least I think it is)
Got exactly the same setup working with LHG 5nD and 911G-5HPnD no problem.
There has to be some important checkbox I know nothing about, or some basic piece of information I miss.
Took me 2 weeks (literally) of googling to gather my courage and ask fellow humans.
Please point me to the right direction.

note ethernet1 is disabled (only for poe) and ethernet2 is used for data transfer. (using only ehternet1 bears same result)

Camera-side RBwsAP-5Hac2nD export

sep/09/2020 18:54:27 by RouterOS 6.47.3

software id = 6FY5-MAZB

model = RBwsAP-5Hac2nD

serial number =

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country=russia3 disabled=no
frequency=2467 mode=ap-bridge ssid= wireless-protocol=802.11
wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyn country=russia3 disabled=no
frequency=5700 installation=outdoor mode=station-bridge nv2-preshared-key=
<not_posting_my_password_in_the_internets> nv2-security=enabled ssid=<SECRET_NV2_SSID> wireless-protocol=nv2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=
dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=<not_posting_my_password_in_the_internets>
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=wlan2
add bridge=bridge1 disabled=yes interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=wlan2 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.0.11/24 interface=bridge1 network=192.168.0.0
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=192.168.0.100-192.168.0.120 list=cameras
/ip route
add distance=1 gateway=192.168.0.1
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=<camera_side>

>
> Other-side RBwsAP-5Hac2nD export
>
> ```text
# sep/09/2020 18:58:21 by RouterOS 6.47.3
# software id = ZMHZ-9QVJ
#
# model = RBwsAP-5Hac2nD
# serial number = <serial>
/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] band=5ghz-onlyn country=russia3 disabled=no frequency=5700 mode=ap-bridge nv2-preshared-key=<not_posting_my_password_in_the_internets> nv2-security=enabled ssid=<SECRET_NV2_SSID> tdma-period-size=1 \
    wireless-protocol=nv2 wps-mode=disabled
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=<not_posting_my_password_in_the_internets>
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.0.10/24 interface=bridge1 network=192.168.0.0
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
/ip route
add distance=1 gateway=192.168.0.1
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=<other_side>

There is nothing wrong in this config, that I can lay my finger on. Except for the cabling and the “no Name PoE Switch” which are not check-able here. Is that link operational ? (No Name PoE Switch ↔ 192.168.0.11)

However there are some traces of firewall usage. (WAN and LAN interface list, ip firewall address-list for camera’s)
These current settings are not active as everything is bridged. But might have been a problem in the past.
For the default firewall and default authorizations, everything should be in the LAN interface list for this setup. No: your ether1 and WLAN2 are not WAN! But it doesn’t matter here. The interfaces are slave interfaces as ports of the bridge, so the bridge, as master interface, should be in the LAN list, when that interface list is used in the config.

Hello,

I think the nv2 bridge is not playing here but I am not sure that I understand very well your issue.
When you ping from one PC (192.168.0.50) to 192.168.0.110 (Camera) you get an answer
But when you ping from 192.168.0.11 (Router) you dont get an answer
This ethernet camera, the router and the PC are all in the same poe switch and with link, Am I right?
Do you have something else in the same POE Switch to test the same ping?
This does not seems to me to be a problem with the Mikrotik router
The port in the 192.168.0.11 router which is connected to the POE Switch is in the Bridge1?

Regards,
Damián

–

So focused on getting the config right got me ignoring that. Yes, it was cabling and the switch. Apparently it does matter alot where the router is pluged on the no-name PoE Switch. When plugging my laptop to run ping I did use the correct port. Access points that are used in my other setup do have their own PoE injector and power supply so they are pluged to the correct port that does not have PoE injection on it.
Thank you guys for breaking my tunnel vision by pointing out there might be nothing majorly wrong with my config. That helped alot!