Would anyone be so kind as to help with this simple setup for mAP lite please?
It is a tiny access point that has only two interfaces: 1 wifi and 1 ethernet port.
It will be constantly connected to my home network wifi.
I’d like it to pass any traffic from wifi / LAN, to any device that will be connected through the ethernet port.
Basically, I would like it to work similarly to an unmanaged switch connected to LAN.
# dec/23/2022 13:54:33 by RouterOS 7.6
# software id = K6BA-06RU
#
# model = RBmAPL-2nD
# serial number = NNNNNNNNNNNN
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface bridge
add admin-mac=NN:NN:NN:NN:NN:NN auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=NNNNNNNNNNNN disabled=no distance=indoors frequency=auto installation=\
indoor ssid=NNNNNNNNNNNN wireless-protocol=nv2-nstreme-802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.88.3-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge ingress-filtering=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=wlan1 list=LAN
add interface=ether1 list=LAN
add interface=bridge list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip dhcp-client
add interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=NNNNNNNNNNNN
/system ntp client
set enabled=yes
/system ntp client servers
add address=europe.pool.ntp.org
/system scheduler
add interval=1w name=auto-upgrade on-event="/system package update\r\
\ncheck-for-updates once\r\
\n:delay 3s;\r\
\n:if ( [get status] = \"New version is available\") do={ install }" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=dec/25/2022 start-time=03:30:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Just to be specific:
Although it’s currently getting IP from DHCP I’m unable to connect to it via Winbox using IP address. Only MAC connection works. How to fix that?
NTP Client is unable to connect. Ping 8.8.8.8 is not working. How to fix that?
How to configure it so it will work just like a LAN switch for device connected via ether1 port? My gateway is 192.168.0.1.
For the setup displayed above, do I need Firewall at all? Can I remove ALL rules?
You can start off by removing complete firewall section on mAP.
Also remove/disable DHCP server, PC4 should obtain IP address from main DHCP server. Set wireless mode to “station-bridge”. If possible, get rid of wpa-psk and tkip settings (keep wpa2-psk and aes-ccm).
Also unset the limitation to access router via MAC only from LAN, everything is LAN in your case.
Do yourself a favour and don’t install new ROS version from scheduler … some come out as very bad and if you insist, be prepared to netinstall your device occasionally.
Thank you! I have applied all the rules and recommendations above, apart from:
“unset the limitation to access router via MAC only from LAN” - I was not sure where to configure it.
Unfortunately after setting wireless mode to “station bridge” I lost access to it - it’s no longer visible for WinBox.
I will try connecting via ethernet.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Right. I overlooked that you were still using mAP as AP. You need to configure SSID and PSK that matches main AP’s settings. That would allow mAP to connect (wirelessly) with AP and the rest of network.
Use winbox, connect to ether port and click MAC address … this makes working IP setup on mAP unnecessary.
Paste this on terminal directly, without { at start and } at end:
/ip neighbor discovery-settings
set discover-interface-list=static
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/ip firewall filter
remove [find where dynamic=no]
/ip firewall nat
remove [find where dynamic=no]
/ip pool
remove [find]
/ip dhcp-server
remove [find]
/ip dhcp-server network
remove [find]
/ip address
remove [find where disabled=yes]
/ip dns static
remove [find]
/ip dns
set allow-remote-requests=no
/interface list member
remove [find]
/interface list
remove [find where builtin=no]
/interface bridge
set bridge comment="" auto-mac=no admin-mac=[/int ethernet get ether1 mac-address] protocol-mode=none
{
/interface bridge port
remove [find]
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
}
/ip cloud
set update-time=no
/system package update
set channel=stable
/ip service
set api disabled=yes
set api-ssl disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
/system clock
set time-zone-autodetect=no
And after that, /export again the config here.
About your script for “auto-upgrade” immediately to just released firmware, you probably can’t do bigger shit…
/interface lte apn
set [ find default=yes ] ip-type=auto use-network-apn=yes
/ip settings
set max-neighbor-entries=16384
/ipv6 settings
set max-neighbor-entries=16384
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512
After that, this must be fixed:
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n wireless-protocol=nv2-nstreme-802.11
It is better to disable old “B” by selecting 2ghz-g/n, and the wireless protocol must be 802.11 only.
Final considerations:
Now all is OK, but I do not know if the hAP ax2 works in ap-bridge mode, because wifiwave2 does not support 4MAC mode.
Ah, indeed @rextended is right about 4-address mode with wifiwave2 driver. OP might have to revert to “station-pseudobridge” wireless mode instead. That comes with its share of problems though. Not running DHCP client on mAP will make it slightly better (you can always use MAC connection to do the management).
Wireless itf used for connecting to other AP should be in station.
If any virtual interface is going to be defined on that same mAP Lite (for whatever reason), it should be in bridge.
That’s how it works on my device connected to a hAP AC3 with wifiwave2.
But … AC2 ? That doesn’t run wifiwave2.
You mean AX2 ?
I don’t have any ax2 device to do some test,
but probably creating an EoIP tunnel between lite wlan1 in station mode and inside the ax2 in ap mode, can it pass the traffic like an ethernet cable?
Never mind, the instructions are for the hAP lite which has less memory than my ac2.
AX2 needs to be in AP mode (my AC3 running WW2 is also in AP)
mAP Lite needs to be in station-bridge mode. Then scan for network on wireless interface of mAP, select SSID of ax2 and connect.
Make sure your security settings are ok on map and specified for that wireless interface.
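The settings the replies above single out (wpa-psk and tkip, the 2ghz-b/g/n band, a wireless protocol other than 802.11, the auto-upgrade scheduler) can be checked mechanically on an /export. The following Python script is an added example, not part of any post in the thread; `parse_export`, `audit` and the sample export are illustrative names and constructed data.

```python
import re

# Added example (illustrative names). Constructed sample shaped like the thread's export.
SAMPLE_EXPORT = r'''/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no ssid=EXAMPLE wireless-protocol=nv2-nstreme-802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm
/system scheduler
add interval=1w name=auto-upgrade on-event="/system package update\r\
    \ncheck-for-updates once\r\
    \n:if ( [get status] = \"New version is available\") do={ install }"
'''

KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')  # key=value, value may be quoted

def parse_export(text):
    """Yield (menu, {key: value}) per command, joining '\\' line continuations."""
    menu, pending = "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            yield menu, {k: v.strip('"') for k, v in KV.findall(line)}

def audit(text):
    """Flag the settings the thread's replies object to; only explicit values are checked."""
    findings = []
    for menu, kv in parse_export(text):
        if menu == "/interface wireless security-profiles":
            if "wpa-psk" in kv.get("authentication-types", "").split(","):
                findings.append("wpa-psk enabled (keep wpa2-psk only)")
            for key in ("unicast-ciphers", "group-ciphers"):
                if "tkip" in kv.get(key, "").split(","):
                    findings.append(f"tkip in {key} (keep aes-ccm only)")
        elif menu == "/interface wireless":
            if "wireless-protocol" in kv and kv["wireless-protocol"] != "802.11":
                findings.append("wireless-protocol is not 802.11")
            if "b" in kv.get("band", "").partition("-")[2].split("/"):
                findings.append("legacy 802.11b enabled in band")
        elif menu == "/system scheduler" and re.search(r"\binstall\b", kv.get("on-event", "")):
            findings.append(f"scheduler {kv.get('name')} installs updates unattended")
    return findings
```

Calling `audit()` on the text of a saved export returns one finding per flagged setting, and an empty list once the recommended changes are applied.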