Greetings from Australia.
I’ve received a Mikrotik hAP ax S today, this is my first time setting up a Mikrotik.
I have winbox access to router connected to my pc via ether2
I’m trying to get the router to connect to my phones wifi AP and share the internet connection to the routers ethernet ports and via the routers wifi AP capabilities.
I’m a bit over my head and was hoping someone could suggest some way about it ?
Thank You.
Here’s some more details.
Factory reset router.
System > Reset Configuration ( All Default ) > Reset Configuration
First time Login I reset admin password
I’ve updated routerOS
System > Packages > Check for Updates
Current version : hAP ax S / 7.21.1 (stable)
Made a config backup
Files > Backup ( Set new name, don’t encrypt ( This saves a lot of time when I want to start over ))
I think I may have explained myself incorrectly, I want to access my phones wifi and share that connection from the router’s own ap, not a repeater. I hope I explained that correctly.
From this vanilla config I have tried.
Quick Set
the quick set menu has 1 option “Home AP Dual” I thought there might of been some other options in there that matched my goals but no such luck 
A google search has lead me to many similar guides, I will link this one for its detail and clarity.
https://www.makeitcloudy.pl/how-to-configure-mikrotik-as-wifi-client-with-iphone-hotspot/
Exclude the Wi-Fi interface from the bridge - Bridge -> Ports -> Delete the Wi-Fi interface (wlan1)
Include the Ether1 interface in the bridge - Bridge - Ports -> Open ether5 -> Copy -> Change the interface in the new dialog to ether 1 -> OK (this will cause that all your ethernet ports can be used to connect devices, with stock configuration the ether1 is being used as the uplink) - within our scenario we use the wlan1 as the uplink
Adjust which is the WAN port - Interfaces -> Interface list - WAN -> wlan1 (with stock it is ether1, it needs to be changed for the wlan1, as it plays the uplink role) Wireless -> WiFi interfaces -> wlan1 -> Mode - Station
Connect the Wi-Fi interface as a client to the Wi-Fi network (in our case it is the mobile hotspot from your mobile) - Wireless -> WiFi interfaces -> wlan1 -> Scan -> find the WiFi network and press Connect. ( Once I see the SSID I want to connect to I have to click STOP, then click CONNECT )
When I click on “Connect” There is a red message “not running”
Clicking Connect causes the winbox gui to blink but has no other effect I can see.
Please excuse my inexperience, I’m assuming this means the interface wlan1 is not running.
An examination of > Interfaces
Shows
The issue with the connect error is actually quite simple:
The scan MUST be running (don't press stop) to be able to use the connect button.
Keep in mind it will not ask for your PSK. You must set that yourself at security
I've noticed something new in the Quick Set Screen > Local Clients list
2nd item is my PC connected to router via ether3
1st item is new I think, the mac address matches my phone. So it looks like something is happening.
Are you just trying to extend the hotpot network via ethernet?
Or, are you trying to use create a new LAN that just uses the phone's Wi-Fi hotspot?
Unforentently, newer models don't have QuickSet modes to help with with either case. So nothing here is automatic.
You were close when you messing with the "Scan" option, as that's how you get the channel information. But the Wi-Fi does have a password set on your phone, you need to go thte "Security" tab and add the phone password there, then on the wifi interface set the security profile to use the one you created. The wifi interface needs to be in station-bridge mode.
Once Wi-Fi connects, then the answers to first question in my post come up. If you want to bridge, then disable the DHCP server on "bridge" and then add DHCP client on bridge — this will "bridge" the Wi-Fi hotspot to ethernet (without routing, ethernet device will get IP from phone). Ether1 remain avaiable for future hardline internet, so just leave it alone (or remove more configuration and add ether1 to bridge).
If you want the router to route, so device on ethernet get IP addresses from the MikroTik. You still connect the Wi-Fi using "Scan" and connect the password to interface, but use "station" mode on wifi interface instead of station-bridge. And you remove the wifi interface on /interface/bridge/port, then add the wifi interface as WAN in /interface/list, and add DHCP client on the wifi interface. The will make the hotspot be tried more like anyother internet connection. It will has create what's called a "double NAT", which may not matter given the phone is alredy NATed (so not missing a public IP which the typical problem with a double NAT).
Now if you plug your phone in via USB. It should just work without doing anything with Wi-Fi....
Essentially, your phone "emits" wifi and this wifi is connected (through the phone sim or e-sim) to the internet. right?
Now, does your phone emit wifi on the 2.4 GHx or on the 5 GHxz band (or both and you can select it?
Loosely the 2.4 GHz means "slow but strong", 5 GHz means "fast but weak".
If you keep your phone in another room from where your hap Ax S is, probably it makes sense to use the 2.4 GHz radio to connect to the phone and the 5 GHz to re-transmit.
If instead the phone stands near the Mikrotik, the opposite might be better.
Anyway, one of the two radios needs to be set as AP, the other in one of the possible station (station is the word used in Mikrotik to say "client".
If you want to have a bridge (think of it as a switch) with that radio interface, the ethernet interfaces and the other radio together (everything is "LAN"), you want to use mode "station-pseudobridge" (station-bridge is only possible if the AP is another MIkrotik), if you want to have the radio connected to the phone as WAN and the ethernet interface and the other radio as LAN, you want to use mode "station" (you will have in this case double NAT, but this is rarely a problem).
If you use mode=station-pseudobridge you will likely need to disable RSTP on the bridge.
Quickset should ONLY be run ONCE and ONLY from a reset to default configuration.
You could also use your phones usb port and plug it into the usb port on the Hap AX S and then use the tether function on your phone. Your phone will then act as a modem for the Hap AX S.
Thanks for the input itimo01
I've tried again with your method, please see here
I've noticed something else.
WIFI > Security Tab
can show different selected "Authentication Types"
than
Wifi > Wifi Tab > dbl click wifi1 > Security Tab
selected "Authentication Types"
interesting, perhaps these are "wifi presets configs" vs "wifi interface configs" ?
this has lead me to help.mikrotik.com/docs > wireless > wifi
WIFI > Security Tab > now shows
WIFI > WIFI Tab > wifi1 from list > now shows
/ WIFI / WIFI Tab / wifi1 / Status Tab
Shows Status : authorised
I'm not sure how that's relevant as the time stamp is about 6 hours old my local time.
/ quick config / local clients ( pic )
Seems like a connection is happening
/ new terminal / ping 8.8.8.8 / no route to host
The usual way to exchange information about a configuration is (instead of pictures) an export. please provide one, instructions here:
this way we can see ALL your settings.
USB tethering to phone was my original preferred method
I wanted:
When Samsung Galaxy A22 phone is connected to Mikrotik hAP ax S USB por usb port I observed
I think I understand.
/ WIFI / Security Tab / New
Defines wifi security authentication preset
/ WIFI / WIFI Tab / wifi1 / Security Tab / Security
lets me assign a security preset to that interface.
I have removed the ( "Covid19" Wifi security preset ) and observed ( wifi 1 interface ) security set to unknown.
I setup ( wifi security preset ) again
Assigning only
wifi1 interface security auto set to Covid19
ping 8.8.8.8 from router term "no route to host"
how to I determine the routerOS has authenticated with the phones AP ?
That is odd as I honestly also thought it should charge it too. You may be able to get a cable that allows a wall charger to be used while it's connected in this way. It might be worth a look.
I dont see DHCP client in your screenshot. I guess you need to get ip from your hotspot using dhcp client.
Thank you so much for posting that jaclaz I was just thinking I wish I could export the config to save time 
I observed a few differences in the "Beginner Basics" Steps and the GUI on my router.
Differences humbly shared with respect, not criticism.
-Observed
Would something like this solve your charging problem and enable you to use the data connection at the same time.
So I asked google why cable is not charging phone when connected to usb port on a pc or router and > Make sure Cables are at least rated to USB 3.0 and a wall powered usb hub might help as well.
USB 3.0 Type-A connectors have 9 pins (vs. 4 for 2.0) and often feature an "SS" (SuperSpeed) symbol. Both my cables have 4 pins so seem to be USB 2.0 rated. Which might be my USB tethering phone charging problem.
Officeworks has a usb 3.0 cable for about $20 AUD. I think I will try one out.
https://www.officeworks.com.au/shop/officeworks/p/comsol-usb-a-to-usb-c-usb-3-0-cable-1-2m-white-cocmam12wh
Thanks Pudpoh I'm not sure that would work on its own... Specs on that look like its all USB C to USB C ports.
hAP ax S has a USB A port
Does anyone know if its USB 2.0 or 3.x ?
https://mikrotik.com/product/hap_ax_s#product_specification does not seem to clarify, I am pretty tired though 
Be good to find that out before I $$ on better cable / usb hubs
That item does have very impressive transmission capabilities. I wonder if it would improve performance more just a USB 3.0 cable connection to my phone.
Requested router config
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi2 ] channel.band=5ghz-ax .skip-dfs-channels=
10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-C555A1
disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes
.ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Covid19
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=
10min-cac .width=20/40mhz configuration.country=Australia .mode=station
.ssid=Covid19 disabled=no security=*1 security.authentication-types=
wpa2-psk,wpa3-psk .encryption="" .ft=yes .ft-over-ds=yes .wps=disable
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wifi1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ IP / DHCP Client
Shows client still set to defconf interface ether1
Changed to ( comment : blank ) , ( interface : wifi1 )
ping 8.8.8.8 from term success !
[admin@MikroTik] > ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 115 380ms625us
1 8.8.8.8 56 115 53ms947us
2 8.8.8.8 56 115 48ms643us
Windows PC is getting an ip assigned from router ether3 port
Windows CLI
ipconfig
Link-local IPv6 Address . . . . . : fe80::f8aa:c528:c48d:3867%17
IPv4 Address. . . . . . . . . . . : 192.168.88.254
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.88.1
I disabled the wifi connecton from PC to phone AP
PC can still ping 192.168.88.1
PC can still ping 8.8.8.8
PC can still ping google.com
router connected to phone over wifi
router providing ip and internet to windows pc via ethernet
I'm off to get some sleep. Next I'll try to share that internet connection new router AP.
Thanks everyone
About the difference in the dowload configuration windows, maybe you are using the new, hip Winbox 4, while the screenshots were take on good ol' v3, JFYI:
The situation with cables is "strange", while there may well be "charge only" cables, I have never seen "data only" cables.
The USB 2.0 vs. USB 3.0 should make not a difference, unless the Samsung is "picky" and expects a USB 3.0 kind of power negotiation only. In theory a USB C port that is used as power supply (but this is not the case, the USB C port on your phone is a powered device) should "propose" power to the powered device and they would negotiate a voltage (among the many available ones on USB C and an amperage.
Check if you have on Your Samsung something like "fast charging" or "adaptative charging" or similar and try disabling it, newest devices (Samsung but not only) seem to want more "juice" (Amperes) than a normal USB A port can deliver (that is 500 mA if USB 2.0 or 900 mA if USB 3.x, newish USB 3.2 can go up to 1500 mA if I remember correctly).
But Samsung in particular did in the past (with this or that update) make existing charging setup not working anymore, if you go to the Samsung forums there are several reports about this issue.