Good morning,
I need some help here. I have a HAP ax2 and had it running for several months. Everything worked fine. Then I made a configuration mistake and restored an old backup, just to learn that I must have changed the password since the backup was taken and I do not have the old password anymore. Hence I need to redo the configuration from scratch. The configuration is based on this: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 respectively the attached file. I attached my version to this post.
The issue is that after running the configuration script everything seems to work fine (wifi, etc.), until I try to connect to the router via WinBox. The connection times out. I am sure that my network works correctly, because I did not change anything and the connection works if I restore my old backup (though I cannot login because I get “wrong user/password”). The packets arrive with VLAN tag 10 on the router’s ether1.
PS: The router is discovered by WinBox, i.e. it shows up in the Neighbors list with all the fields showing correct values.
Please help me spot the error. Thank you very much.
Best regards
Moritz-AccessPoint.rsc (8.64 KB)
Besides the configuration script, post the actual configuration export after you have run that script.
Sure, I hope this is what you were asking for.
I have to say two things about that:
- I had to do the configuration without the very last step (/interface/bridge/set bridge vlan-filtering=yes), because I lose connection after that one.
- I had a look at the configuration export and I have a suspicion that I might have forgotten to delete the default firewall rules and these are the reason for my troubles. (I didn’t find a way to delete the default configuration and still get access). I will investigate this one and report back in some minutes.
Reporting Back: Well, what should I say? I am an ID10T. It was the firewall rules. I will leave this here for everybody after me on this path. May it help you solve these issues. Thank you jaclaz for helping me find the mistake =)
full.rsc (8.58 KB)
Good that it is solved.
Very likely you (or the script) deleted the WAN interface list (why?) and the net result is:
/ip firewall filter
...
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=*2000010
....
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=*2000010
Which may well be part of the problem.
For next time, this is #21 in the list:
http://forum.mikrotik.com/t/gp-csa-for-mikrotik-devices/182176/1
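A way to catch the dangling `*2000010` references from the reply above before relying on a firewall, as an added example that is not part of the original thread: it scans the text of a configuration export and lists every rule whose property points at a deleted object. It assumes such placeholders are always exported as `*` followed by hex digits; the function names and the sample export are constructed for illustration.

```python
import re

# Assumption: a reference to a deleted object is exported as '*' plus hex
# digits, like the in-interface-list=*2000010 values quoted in the thread.
DANGLING = re.compile(r'(?:^|\s)([\w.-]+)=(!?)\*([0-9A-Fa-f]+)(?=\s|$)')
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
COMMENT = re.compile(r'comment="((?:\\.|[^"\\])*)"')

def join_continuations(text):
    """Rejoin export lines that RouterOS wrapped with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf] if buf else [])

def find_dangling(export_text):
    """Return (menu, property, placeholder, rule comment) for each dead reference."""
    findings, menu = [], None
    for line in join_continuations(export_text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = re.split(r"\s+(?:add|set)\s", line)[0]
        label = COMMENT.search(line)
        bare = QUOTED.sub('""', line)  # ignore '=*...' text inside quoted strings
        for prop, neg, ref in DANGLING.findall(bare):
            findings.append((menu, prop, neg + "*" + ref, label.group(1) if label else ""))
    return findings

# Constructed sample: the two rules quoted above plus one healthy rule.
SAMPLE = r"""
/interface list
add name=LAN
/ip firewall filter
add action=accept chain=input comment="allow LAN" in-interface-list=LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=*2000010
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=*2000010
"""

if __name__ == "__main__":
    for menu, prop, ref, label in find_dangling(SAMPLE):
        print(f"{menu}: {prop}={ref}  ({label or 'no comment'})")
```

Any hit in `/ip firewall filter` or `/ip firewall nat` means the rule no longer matches the interfaces it was written for and should be re-pointed at an existing list or removed.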