I’ve been using Mikrotik HAP lite APs for a few years, no major issues once I got my head around it. However, I’ve been struggling with getting the HAP AX2 working with a similar configuration. I’m trying to use it as a simple AP bridge, however clients like my Samsung S23 try and fail to connect.
I’m old school so tend to use terminal for configs, however I have tried using webfig to generate configs to see if I am missing something and incorporate that into my config; it’s the first time I have configured 5 or 2 GHz-ax on Mikrotik. Here’s the config so far. It is based upon a working hap-lite config from a bridge perspective and I have tried it in the same switch port to hopefully eliminate any issues, however the hap-lite OS version is quite a bit behind so many things may have changed in the interim. I have tried removing various filtering etc. to no effect.
# 2024-12-08 13:38:26 by RouterOS 7.16.2
# software id = GVPW-XG05
#
# model = C52iG-5HaxD2HaxD
# serial number = HGN09KRM1JH
/interface bridge
add name=bridge1 protocol-mode=none
/interface vlan
add interface=bridge1 name=mgmt-vlan vlan-id=48
/interface list
add name=BASE
/interface wifi channel
add band=2ghz-ax name=ch-2ghz
add band=5ghz-ax name=ch-5ghz
/interface wifi security
add authentication-types=wpa2-psk ft=yes ft-over-ds=yes name=wifi1-auth wps=disable
add authentication-types=wpa2-psk ft=yes ft-over-ds=yes name=wifi2-auth wps=disable
/interface wifi configuration
add channel.skip-dfs-channels=10min-cac .width=20/40/80mhz country="United Kingdom" mode=ap name=wifi1-conf security=wifi1-auth ssid=non-guest
add channel.skip-dfs-channels=10min-cac .width=20/40mhz country="United Kingdom" mode=ap name=wifi2-conf security=wifi2-auth ssid=guest
/interface wifi
set [ find default-name=wifi1 ] channel=ch-5ghz configuration=wifi1-conf disabled=no
set [ find default-name=wifi2 ] channel=ch-2ghz configuration=wifi2-conf disabled=no
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=8
add bridge=bridge1 interface=ether2 pvid=32
add bridge=bridge1 interface=ether3 pvid=16
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=24
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=32
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=16
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=48
add bridge=bridge1 tagged=ether1 untagged=wifi1 vlan-ids=8
add bridge=bridge1 tagged=ether1 untagged=wifi2 vlan-ids=24
/interface list member
add interface=mgmt-vlan list=BASE
/ip address
add address=192.168.48.9/24 interface=mgmt-vlan network=192.168.48.0
/ip dns
set servers=192.168.48.33
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add distance=1 gateway=192.168.48.1
/system clock
set time-zone-name=Europe/London
/system identity
set name=Barn-AP
/system logging
set 0 topics=wireless,debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=uk.pool.ntp.org
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Logging wireless.debug doesn’t reveal much, I get messages like “C8:2A:DD:A5:73:55@wifi2 associated, signal strength -33” followed swiftly by “C8:2A:DD:A5:73:55@wifi2 disassociated, connection lost, signal strength -34”
The packet sniffer occasionally spots a DHCP request, but usually the client fails on authentication; only occasionally does it fail on “can’t get IP address”. The fact that the failure changes occasionally makes me think it is struggling a bit to connect so maybe the wifi configuration is wrong. I have tried with minimal configs before adding DFS and width settings etc. all to no avail. I’ve checked and double checked passphrases, removed WPA3 so it’s just WPA2.
I’ve been trying various things for a couple of days now so I thought I would share my pain and see if anybody can spot the probably obvious error before I get the lighter fluid out.
Well… yes I did, however I removed it while trying to get the router to become an AP, once it starts doing its thing I will put that config back. VLAN filtering is not likely to be the issue with clients not being able to connect to the AP.
I knew that was a bad idea however I did re-enable vlan filtering on the bridge and lost management connectivity and no change in wireless connectivity. Probably my mistake in the config somewhere as I have been fiddling with it somewhat.
Before I did this I downgraded OS and firmware to 7.14.3. I reset the box back to factory (again!) and connected via MAC using winbox.
Now I can get to 192.68.88.1 via my phone wifi with the default config, that didn’t work with the latest “stable” code.
The VLAN set up is one I use on all my other APs and have no issues getting DHCP addresses. This is one of mine from a Hap-lite running 6.x OS code. Yes I will upgrade at some point!
As I said, the following works fine on the HAP lite, looks like quite a few things have changed in the latest OS.
Now I know I can connect via wireless in the default set up, I’ll give it another go. My central RB3011UiAS is my DHCP server for the above and works fine, just need to get it working with the new box.
Access-point/Switch. All routing is done on my central router. I intend to use the Hap ax2 for both wired and wireless clients as per the HAP lite config.
Here’s the config of the central internal router; this isn’t my broadband router, not that it should matter, that is a different make etc.
I use Zyxel GS1900-24 switches with trunk interfaces to both the Mikrotik 3011 and APs; they work fine, are cheap and are passively cooled so not noisy in the office. I haven’t implemented different rules for the different VLANs yet, that’s on my todo list, but effectively stuff like my IOT will be on a separate VLAN with very little access to other VLANs. I should be retired soon so will have time to tinker more.
It is a long time since I configured the central router, and I did plagiarise quite a few configs from the forum, but I believe the general idea is so that you can control access between bridges. I’m sure there is probably a better way, there always is with networking. My background is Juniper/Cisco/Arista/FTOS (now Dell) with a bit of Cumulus/Sonic but I am mainly a manager now so very rusty. I don’t touch wifi in my day job. I am warming to the Mikrotik CLI but I do find it hard going at times!
However, if the 3 bridges on the 3100 is the problem with the hap ax2, why do all the hap-lite APs work with the same VLAN set up? I plugged the AX into the same port as a Hap-lite and the wireless didn’t work, but I didn’t test the wired, so I think that is my next step.
Listen to the experts who understand the config process and how they interrelate (vice copying and pasting).
On each device use the off bridge process to conduct the vlan filtering configurations, saves one much grief.
Update each device to 7.16.2, if you do it manually you need to go to 7.12.1 first then 7.16.2
Then ensure the requirements are clearly stated for us to understand
a. identify all users/device, (internal, external, admin)
b. identify all the traffic required including vpns, port forwarding etc.
c. identify the management or trusted vlan.
d. a network diagram always helps.
Then the main router 3011? can be configured followed by the rest of the devices.
I reloaded the config line by line, adding the tip about a non-bridge interface, and now it works.
I had a warm feeling as soon as I applied vlan-filtering to the bridge and I still had management connectivity.
One thing I did notice is that when I applied ingress filtering to the bridge port, it didn’t show up in the config, only if you print detail.
I must have made some small error, I will try and do a diff later but the config tends to move around a bit so maybe not that easy.
Here’s the working config. I’ve got a few tweaks to do to ntp etc., however I’m pleased it’s working on the wifi side; I will check the wired side later, work is getting in the way.
In terms of upgrading the other components and finishing off the filters between VLANs, I definitely want to do that still. I bought a spare second hand RB3011 so will use that, my kids will hate me if I screw up the house network for days. I have a network diagram and will start a new thread soon. Thanks for your help.
Why one bridge instead of multiple? Well, how I understand it, and I’m not a network professional by any means, is that a bridge is simply a network switch done in software, and in ROS on most of the devices that is offloaded to the switch chip, so with one bridge you have HW offload.
But with multiple bridges you are losing HW offload capability and you rely on the CPU to do the dirty work, and this is where you lose performance because your CPU has to handle all the data.
Also with multiple bridges you are creating multiple separate L2 domains(basically creating more and more switches) and then you use VLAN to create more networks. You can use one bridge and create vlans you need, they are isolated on L2 and with firewall rules you can isolate them on L3.
If I wrote something wrong someone will correct me.
I don’t disagree with any of your statements in theory, however CPU on the RB3011 is averaging about 2%, but that may be because we don’t have a lot of traffic. Also the RB3011 has two switches,
Work/life/kids/dogs/retirement has got in the way since I first deployed the RB3011 and the various APs so I have forgotten some of the rationale behind the design but it was loosely based on a design from this forum. I used to have the typical home network with one big internal subnet. The plan was to split that out into several discrete networks so guest and IOT, i.e. untrusted networks can be separated from trusted networks with filtering, but I haven’t quite finished that yet. Retirement is looming so I will have more time.
Here’s a high level diagram
And a little more detail
Note there is no redundancy, one failure and it all falls in a heap, so the intention is to add redundant components at some stage, hence why I bought a second hand RB3011 recently.
Rather than discuss this in a wifi thread, I’ll post in a more suitable thread soon
I finished off the AP config and tested the wired ports, all good now. Now I know they work I’ll buy a couple more as I had a couple of hap-lite die a while ago. One of them was in an outbuilding and ants had set up home in it, probably nice and warm in winter. Not sure what happened to the other one but that was in my wife’s workshop so anything could have happened to it…
# 2024-12-09 18:39:18 by RouterOS 7.14.3
# software id = GVPW-XG05
#
# model = C52iG-5HaxD2HaxD
# serial number = HGN09KRM1JH
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=non-guest disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=guest disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface vlan
add interface=bridge1 name=mgmt-vlan vlan-id=48
/interface list
add name=BASE
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=24
add bridge=bridge1 interface=ether2 pvid=16
add bridge=bridge1 interface=ether4 pvid=16
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=8
add bridge=bridge1 interface=ether3 pvid=16
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=48
add bridge=bridge1 tagged=ether1 untagged=wifi1 vlan-ids=8
add bridge=bridge1 tagged=ether1 untagged=wifi2 vlan-ids=24
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3,ether4 vlan-ids=16
/interface list member
add interface=mgmt-vlan list=BASE
/ip address
add address=192.168.48.9/24 interface=mgmt-vlan network=192.168.48.0
add address=192.168.65.1/29 interface=OffBridge5 network=192.168.65.0
/ip dns
set servers=192.168.48.33
/ip route
add distance=1 gateway=192.168.48.1
/system clock
set time-zone-name=Europe/London
/system identity
set name=Barn-AP
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=uk.pool.ntp.org
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
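As an added example (not part of the thread and not any poster's own configuration): a small Python script that parses RouterOS `/export` output, gives an order-insensitive diff of two exports (the "config tends to move around a bit" problem raised earlier in the thread), and checks the bridge VLAN table for exactly the kind of mistakes discussed here: `vlan-filtering` left off so the table is never enforced, an access port whose `pvid` has no matching untagged entry, and a management VLAN interface riding on the bridge without the bridge itself tagged in that VLAN (which is what keeps management reachable once filtering is on). The two embedded exports are constructed excerpts of the bridge-related sections of the first and the final configs above; everything else (function names, the `_args` key) is this example's own.

```python
"""Parse RouterOS '/export' output, diff two exports ignoring line order, and
sanity-check the bridge VLAN table.  Added example, not from the forum thread;
the two sample exports are constructed excerpts of the thread's configs."""
import shlex

OLD_EXPORT = """
/interface bridge
add name=bridge1 protocol-mode=none
/interface vlan
add interface=bridge1 name=mgmt-vlan vlan-id=48
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=8
add bridge=bridge1 interface=ether2 pvid=32
add bridge=bridge1 interface=ether3 pvid=16
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=24
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=32
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=16
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=48
add bridge=bridge1 tagged=ether1 untagged=wifi1 vlan-ids=8
add bridge=bridge1 tagged=ether1 untagged=wifi2 vlan-ids=24
"""

NEW_EXPORT = """
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge1 name=mgmt-vlan vlan-id=48
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=24
add bridge=bridge1 interface=ether2 pvid=16
add bridge=bridge1 interface=ether4 pvid=16
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=8
add bridge=bridge1 interface=ether3 pvid=16
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=48
add bridge=bridge1 tagged=ether1 untagged=wifi1 vlan-ids=8
add bridge=bridge1 tagged=ether1 untagged=wifi2 vlan-ids=24
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3,ether4 vlan-ids=16
"""


def parse_export(text):
    """Return a list of (section, verb, params) for each command line.

    RouterOS shorthand like 'channel.width=... .skip-dfs-channels=...' expands the
    leading '.' to the previous dotted prefix.  Positional tokens (e.g. the
    '[ find ... ]' selector of a 'set') are kept under '_args' (a key of this
    example's own) so a line stays uniquely identifiable for diffing."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and export header comments
        if line.startswith("/"):
            section = line                # e.g. '/interface bridge port'
            continue
        tokens = shlex.split(line)        # honours quoted values such as country="United Kingdom"
        params, prefix, args = {}, "", []
        for tok in tokens[1:]:
            if "=" not in tok:
                args.append(tok)
                continue
            key, value = tok.split("=", 1)
            if key.startswith("."):
                key = prefix + key
            elif "." in key:
                prefix = key.split(".", 1)[0]
            params[key] = value
        if args:
            params["_args"] = " ".join(args)
        entries.append((section, tokens[0], params))
    return entries


def _render(entry):
    section, verb, params = entry
    return f"{section} {verb} " + " ".join(f"{k}={v}" for k, v in sorted(params.items()))


def diff_exports(old_text, new_text):
    """Order-insensitive diff of two exports: returns (removed, added) lines."""
    old = {_render(e) for e in parse_export(old_text)}
    new = {_render(e) for e in parse_export(new_text)}
    return sorted(old - new), sorted(new - old)


def _csv(value):
    return {v for v in value.split(",") if v}


def check_bridge_vlans(text):
    """Return human-readable problems with the bridge VLAN setup."""
    by_section = {}
    for section, _verb, params in parse_export(text):
        by_section.setdefault(section, []).append(params)
    bridges = by_section.get("/interface bridge", [])
    problems = []
    for b in bridges:                     # RouterOS default is vlan-filtering=no
        if b.get("vlan-filtering", "no") != "yes":
            problems.append(f"bridge {b['name']} has vlan-filtering disabled, so its VLAN table is not enforced")
    members = {}                          # (bridge, vlan-id) -> (tagged ports, untagged ports)
    for v in by_section.get("/interface bridge vlan", []):
        for vid in _csv(v["vlan-ids"]):   # comma lists only; ranges like 10-20 are not expanded here
            members[(v["bridge"], vid)] = (_csv(v.get("tagged", "")), _csv(v.get("untagged", "")))
    for p in by_section.get("/interface bridge port", []):
        if p.get("frame-types") == "admit-only-vlan-tagged":
            continue                      # pure trunk: untagged frames are dropped, pvid is irrelevant
        pvid = p.get("pvid", "1")
        _tagged, untagged = members.get((p["bridge"], pvid), (set(), set()))
        if p["interface"] not in untagged:
            problems.append(f"port {p['interface']} has pvid {pvid} but is not untagged in VLAN {pvid} on {p['bridge']}")
    bridge_names = {b["name"] for b in bridges}
    for vi in by_section.get("/interface vlan", []):   # e.g. the management VLAN on bridge1
        parent, vid = vi["interface"], vi["vlan-id"]
        tagged, _untagged = members.get((parent, vid), (set(), set()))
        if parent in bridge_names and parent not in tagged:
            problems.append(f"{vi['name']} (vlan {vid}) needs {parent} itself tagged in VLAN {vid}")
    return problems


if __name__ == "__main__":
    removed, added = diff_exports(OLD_EXPORT, NEW_EXPORT)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    for label, cfg in (("old", OLD_EXPORT), ("new", NEW_EXPORT)):
        print(label, "problems:", check_bridge_vlans(cfg) or "none")
```

Run against the two excerpts, the diff reports the bridge losing its `vlan-filtering=yes`, ether2 moving from pvid 32 to 16, ether4 being added, and the VLAN 16 entry changing; the checker flags only the missing `vlan-filtering` on the old config and nothing on the new one. Feed it full exports saved with `/export file=...` to compare a device against a known-good template before enabling filtering.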