[SOLVED] ROS 7.21.3 hAP AC Virtual AP in Bridge, no dhcp, no ping, no traffic

kavirondo · February 13, 2026, 9:55pm

Hello,

Many thanks in advance for any help.

I am trying to achieve something increadibly simple, but cant see what I am doing wrong.

Objective:

Add a second SSID called House Number 9 to my hAP AC access point, and have it bridged to the existing LAN where it will get DHCP from the OPNsense firewall. hAP AC works only as a layer 2 access point. No CapsMan. I do NOT want VLAN segregation.

My config:

The virtual AP wlan3 is configured and set master to wlan1 to provide 2ghz wifi.

The virtual AP wlan3 is added to the bridge br_sw0

Wlan1 and Wlan2 (physical radios) are also added to Br_sw0

Computers and phones can successfully connect to wlan1 and wlan2 and they receive IP address and can access internet.

The problem:

Devices can connect just fine to the Wlan3 virtual AP and I see them in the registration list.

Devices connected to wlan3 virtual AP do NOT get dhcp

Devices connected to wlan3 virtual AP can NOT ping the gateway or internet when configured with manual static IP

If I remove the wlan3 from the bridge and configure an ip address on it, then devices registered to wlan3 CAN ping the access point.

The problem seems to be in the bridge, which is not forwarding correctly. I do not have, and do not want any vlans. Bridge filtering is off.

Many thanks.

Alex

Config is below:

# 2026-02-14 00:53:33 by RouterOS 7.21.3
# software id = CACY-ZECW
#
# model = RB962UiGS-5HacT2HnT
# serial number = 8A7708150FC4
/interface bridge
add admin-mac=CC:2D:E0:E0:28:AE auto-mac=no comment=defconf name=br_sw0 \
    priority=0x5000
/interface ethernet
set [ find default-name=sfp1 ] advertise=\
    10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Ol-Osowan \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name="House Number 9" \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=kenya disabled=no frequency=auto installation=indoor mode=\
    ap-bridge security-profile=Ol-Osowan ssid=Ol-Osowan wireless-protocol=\
    802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40mhz-Ce \
    country=no_country_set disabled=no frequency-mode=manual-txpower \
    installation=indoor mode=ap-bridge security-profile=Ol-Osowan ssid=\
    Ol-Osowan wireless-protocol=802.11
add disabled=no mac-address=CE:2D:E0:E0:28:B5 master-interface=wlan1 name=\
    wlan3 security-profile="House Number 9" ssid="House Number 9" wps-mode=\
    disabled
/ip smb users
set [ find default=yes ] read-only=no
/snmp community
set [ find default=yes ] addresses=::/0,0.0.0.0/0 name=house-number-9
/disk settings
set auto-media-interface=ether1 auto-smb-sharing=yes
/ip smb
set domain=WORKGROUP enabled=no
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*B
# no interface
add action=drop chain=forward out-interface=*B
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
/interface bridge port
add bridge=br_sw0 comment=defconf interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=br_sw0 comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=br_sw0 comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=br_sw0 comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=br_sw0 comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=br_sw0 comment=defconf interface=sfp1 internal-path-cost=10 \
    path-cost=10
add bridge=br_sw0 ingress-filtering=no interface=wlan1
add bridge=br_sw0 interface=wlan2
add bridge=br_sw0 interface=wlan3
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all lldp-mac-phy-config=yes lldp-max-frame-size=\
    yes lldp-vlan-info=yes
/ip settings
set ip-forward=no rp-filter=strict tcp-syncookies=yes
/ipv6 settings
set forward=no
/interface ovpn-server server
add mac-address=FE:E6:45:0B:FA:B9 name=ovpn-server1
/interface wireless cap
set bridge=br_sw0 discovery-interfaces=br_sw0 interfaces=wlan1,wlan2
/ip dhcp-client
add interface=br_sw0
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl certificate=mikrotik-ssl disabled=no tls-version=only-1.2
set api-ssl certificate=mikrotik-ssl tls-version=only-1.2
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/snmp
set contact= enabled=yes location=\
    "Guest House Master Bedroom Cupboard" trap-generators=\
    temp-exception,interfaces,start-trap trap-interfaces=all trap-target=\
    192.168.128.5 trap-version=2
/system clock
set time-zone-name=Africa/Nairobi
/system identity
set name=APGhouse
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool romon
set enabled=yes

kavirondo · February 13, 2026, 9:59pm

OK, having just pasted this, I saw this bridge filter item.

I remove those entries and now everything works.

I have never used the bridge filter feature before, why is this now the default setting for a new Virtual AP?

Anybody know when that change was introduced?

kavirondo:

/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*B
# no interface
add action=drop chain=forward out-interface=*B
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3

lurker888 · February 13, 2026, 10:09pm

I was just going to point out that the bridge firewall is the problem.

This isn't and never was the default configuration. I think you mean that you added it via the QuickSet (wizardy) interface as a guest wifi interface. For that setup, yes, that is the default.

Just a quick aside: generally everyone that has worked with Mikrotiks for some time will tell you not to use it. It is with good reason. If you do decide to use it, use it only once following a fresh reset, and never again.

The reason these "drop forward" rules make sense in a specific context is that usually the Mikrotik is typically also the router (there is no OPNsense in that alternate universe), and thus that is the gateway. In this scenario, in the bridge filter, the packets to and from the Internet go through the input and output chains, and only packets that would go to (or come from) other bridge ports (other ssids or wired ports) would traverse forward. By blocking these, the isolation between guaest and home users is achieved.

This is obviously not your situation, so this is all just some "might as well be aware" stuff for you.

jaclaz · February 13, 2026, 10:16pm

Also, always check for asterisks in the configuration, see point #21:

GP & CSA for Mikrotik devices

Your configuration shows that you ran quickset twice, a blatant infringement of Rule #4:
The twelve Rules of Mikrotik Club

kavirondo · February 13, 2026, 10:23pm

Thank you very much. I learned a lot