Stuck in config: winbox and disconnections

Hiya people.

I am at a loss. I really don’t know what to try anymore.

My current setup is rather basic:

Internet ——hap ac3——cap ac

The hAP acts as a router, the cAP as an access point. It should basically just provide access, so nothing else should be there.

There are two fundamental problems, and I think they are somehow related.

  1. I am unable to have winbox access to the cAP ac when connected to the wifi. I have changed the port for winbox in the hAP and tried RoMON, but something simpler is happening, I think.
  2. The Apple devices are not stable in connection. They connect and disconnect repeatedly. I think it has to do with the 5GHz interfaces, but I just cannot make sense of it.


I attach both config files. Any pointers would be massively appreciated.
base_ap.txt (8.31 KB)
last_version_clean.txt (7.07 KB)

On the cAP:

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

This sets two categories, WAN and LAN (if you prefer: outside and inside, dangerous and safe).

But then you have:

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

BUT bridge "bridge" has only ether2 in it (why?), and ether1 has been added to bridge BR1.
That should become:

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=myconf interface=BR1 list=LAN

It makes little sense (to me) to have a bridge with only one port in it; probably it would be better to have ether2 "self-standing", removing bridge "bridge" altogether, but first do the changes above and you should be able to access the cAP from wifi.

Until you have the bridge "BR1" (comprising the wifi interfaces) in list "LAN", the default firewall rule:

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN

should block any access to the router.
Conversely, if the device is a bridge, firewall "forward" rules make little sense (the "input" ones may still be useful, but they would need to be revised if you want to limit access from some devices in the LAN).

Then you have an error on the DHCP client on ether1; you should disable or remove it:

/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1

Cheers mate.

This was the result of me fighting to get the cap working.

The only goal I have is to have three SSIDs, one for each VLAN.

I will give it a go. I'll put both ethers on the bridge and remove all firewall rules (this is, after all, a bridge as you said). I will then only have a LAN interface list and put both ethers and the bridge there.

Let's see where we get.

Last Version ROUTER (assuming Office is the trusted subnet)

  1. /interface bridge port
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=101
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=102
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5 comment="trunk to ap"

  2. /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    add name=MGMT

    /interface list member
    add comment=defconf interface=ether1 list=WAN
    add interface=oficina-vlan list=LAN
    add interface=domotica-vlan list=LAN
    add interface=casa-vlan list=LAN
    add interface=wg_oveta list=LAN
    add interface=oficina-vlan list=MGMT
    add interface=wg_oveta list=MGMT

    /ip neighbor discovery-settings
    set discover-interface-list=MGMT

  3. CHOOSE ONE, not both: either a static IP address for WAN or the IP DHCP client.
    /ip address
    add address= comment="Public IP" interface=ether1 network=169.26.26.0
    OR (not both)
    /ip dhcp-client
    add comment=defconf interface=ether1 use-peer-dns=no

  4. /ip firewall filter
    add action=accept chain=input connection-state=established,related,untracked
    add action=drop chain=input connection-state=invalid
    add action=accept chain=input protocol=icmp
    add action=accept chain=input comment="Allow wireguard" dst-port=13231 log-prefix=WIREGARD protocol=udp
    add action=accept chain=input comment="Allow oficina-vlan/MGMT access to all router services" in-interface-list=MGMT
    add action=accept chain=input comment="Users to services" dst-port=53,123 in-interface-list=LAN protocol=udp
    add action=accept chain=input comment="Users to services" dst-port=53 in-interface-list=LAN protocol=tcp
    add action=drop chain=input comment="drop all else"
    +++++++++++++++++++++++++++++++++
    add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
    add action=accept chain=forward connection-state=established,related,untracked
    add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
    add action=accept chain=forward comment="wg to LAN" in-interface=wg_oveta out-interface-list=LAN
    add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
    add action=drop chain=forward comment="Drop all else"

  5. WHY-----> ="syncthing TCP 22000" dst-port=22000
    What service is this??

  6. /tool mac-server
    set allowed-interface-list=none
    /tool mac-server mac-winbox
    set allowed-interface-list=MGMT

  7. Port forwarding rules removed, as incorrectly formatted.
    add action=dst-nat chain=dstnat comment=Dvr *dst-address=172.123.123.8* dst-port=8000 protocol=tcp to-addresses=10.0.0.5 to-ports=8000
    add action=dst-nat chain=dstnat comment=Dvr *dst-address=128.183.183.8* dst-port=554 protocol=tcp to-addresses=10.0.0.5 to-ports=554

One needs to put in one of three choices.

a. dst-address=WANIP (if WANIP is static/fixed)
OR
b. in-interface-list=WAN (if WANIP is dynamic)
OR
c. dst-address-list=MyWAN (if WANIP is dynamic but you are running into hairpin NAT)

  8. Remove winbox 0.0.0.0
    WHEN YOU HAVE NO ENTRY in the winbox settings, this assumes all addresses.
    Suggest at least putting in the subnet of Office and the subnet of wireguard:
    /ip service
    set winbox address=192.168.1.0/24,192.168.10.0/24
    OR
    Blank entry.

  9. Add the router as NTP client and NTP server.

======================================================================================
BASE AP ONLY USE ONE BRIDGE !!!

  1. /interface bridge
    add name=BR1 protocol-mode=none vlan-filtering=yes

  2. SSID for the virtual 5GHz network for home (casa) is wrong, SHOULD BE ssid=casa5

    add comment=casa2 configuration.mode=ap .ssid=casa2 disabled=no mac-address=DE:2C:6E:14:DE:95 master-interface=wifi1 name=wifi3 security.authentication-types=wpa2-psk
    add comment=casa25 configuration.mode=ap .ssid=casa2 disabled=no mac-address=DE:2C:6E:14:DE:96 master-interface=wifi2 name=wifi4

  3. Your base VLAN is incorrect! The management VLAN is 100.
    /interface vlan
    add interface=BR1 name=BASE_VLAN vlan-id=100

  4. /interface list
    add name=TRUSTED

  5. THIS IS AN AP… remove IP POOL.

  6. /interface bridge port
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk to router"
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=100
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=100
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi3 pvid=101
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi4 pvid=101
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi5 pvid=102

  7. /ip neighbor discovery-settings
    set discover-interface-list=TRUSTED

  8. /interface bridge vlan
    add bridge=BR1 tagged=BR1,ether1 untagged=wifi1,wifi2 vlan-ids=100
    add bridge=BR1 tagged=ether1 untagged=wifi3,wifi4 vlan-ids=101
    add bridge=BR1 tagged=ether1 untagged=wifi5 vlan-ids=102

    The untaggings are created dynamically, but I like to always add them manually to ensure the OP understands VLAN filtering setups and to ensure they show up on an export of the config.
    The Trusted VLAN needs to be tagged to the bridge.

  9. /interface list member
    add interface=BASE_VLAN list=TRUSTED

  10. The only IP assigned to the AP is the base VLAN 100 IP address!
    /ip address
    add address=192.168.1.2/24 interface=BASE_VLAN network=192.168.1.0

  11. REMOVE DHCP CLIENT, DHCP SERVER, DHCP SERVER NETWORK… the AP is NOT a router!

  12. REMOVE static DNS setting; keep →
    /ip dns
    set servers=192.168.1.1

  13. REMOVE FIREWALL FILTER RULES, not a router!

  14. REMOVE NAT rule, not a router.

  15. Disable IPv6 and remove lists and rules.

  16. /tool mac-server
    set allowed-interface-list=none
    /tool mac-server mac-winbox
    set allowed-interface-list=TRUSTED

  17. Only need one…
    /ip route
    add distance=1 gateway=192.168.1.1

  18. /system ntp client
    set enabled=yes
    /system ntp client servers
    add address=192.168.1.1

  19. Suggest you rename ether2, if not used, as name=OffBridge2.
    Removal from the bridge I already did.
    Give it an IP address:
    192.168.55.1/30
    Add the interface OffBridge2 to the TRUSTED interface list as a member.
    =========
    Then you should be able to plug your laptop into ether2, change its IPv4 settings to 192.168.55.2,
    and you should be able to configure the AP from there…
    I typically config the cAP before placing it at its location. If the cAP is not easy to get to, I run a second wire from ether2 to the closest convenient location (a closet etc.) so that I can plug in my laptop to modify the config. This way, in case something happens on the bridge, one has a separate way to access the device.
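An added example, not part of any post in this thread and not RouterOS code: a small Python linter that parses a RouterOS export (the "/menu" line followed by "add key=value ..." lines, with backslash-continued lines joined) and flags the patterns called out both in the first reply about the cAP (a bridge whose interfaces are not in the list that the "drop all not coming from LAN" input rule keys on, a DHCP client on a bridge port) and in anav's review above (a dst-nat rule with no dst-address / in-interface-list / dst-address-list qualifier, winbox with an empty or 0.0.0.0/0 address restriction, and a misspelled frame-types value). SAMPLE_EXPORT is a constructed fragment modelled on the configs described in the thread, not the OP's real files, and the function names are this example's own.

```python
"""Lint a RouterOS export for the access-control mistakes discussed in this thread.

Added example; not RouterOS code and not taken from any post. SAMPLE_EXPORT is a
constructed fragment that reproduces the thread's problems on purpose.
"""
import shlex
from collections import defaultdict

# Constructed sample export (not the OP's file): one bridge missing from LAN,
# a bad frame-types value, a DHCP client on a bridge port, a dst-nat rule with
# no WAN qualifier and winbox open to any address.
SAMPLE_EXPORT = """
/interface bridge
add name=bridge
add name=BR1 vlan-filtering=yes
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=bridge interface=ether2
add bridge=BR1 frame-types=admit-only-priority-and-untagged interface=ether1
add bridge=BR1 interface=wifi1 pvid=100
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="DVR web" dst-port=8000 protocol=tcp to-addresses=10.0.0.5
add action=dst-nat chain=dstnat comment="DVR rtsp" dst-port=554 in-interface-list=WAN protocol=tcp to-addresses=10.0.0.5
/ip dhcp-client
add comment=defconf interface=ether1
/ip service
set winbox address=0.0.0.0/0
"""

# The only values RouterOS accepts for a bridge port's frame-types.
VALID_FRAME_TYPES = {
    "admit-all",
    "admit-only-untagged-and-priority-tagged",
    "admit-only-vlan-tagged",
}


def parse_export(text):
    """Return {menu path: [entry, ...]}; each entry maps key -> value.

    '_cmd' holds add/set; a bare token such as 'winbox' in 'set winbox ...'
    is stored under '_target'. Lines ending in a backslash are joined.
    """
    menus = defaultdict(list)
    path, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            path = line
            continue
        tokens = shlex.split(line)  # honours quoted values such as comment="..."
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, eq, value = tok.partition("=")
            entry[key if eq else "_target"] = value if eq else key
        menus[path].append(entry)
    return menus


def lint(menus):
    """Return human-readable findings for the patterns the thread discusses."""
    findings = []
    ports = menus.get("/interface bridge port", [])
    slaves = {p.get("interface") for p in ports}
    bridges = {p.get("bridge") for p in ports}
    lists = defaultdict(set)
    for m in menus.get("/interface list member", []):
        lists[m.get("list")].add(m.get("interface"))

    # A frame-types value RouterOS does not know will be rejected on import.
    for p in ports:
        ft = p.get("frame-types")
        if ft and ft not in VALID_FRAME_TYPES:
            findings.append(f"bridge port {p.get('interface')}: invalid frame-types '{ft}'")

    # An enabled input drop rule keyed on !LIST cuts off every bridge that is
    # not itself a member of LIST (the cAP symptom: no winbox from wifi).
    for r in menus.get("/ip firewall filter", []):
        if r.get("chain") != "input" or r.get("action") != "drop" or r.get("disabled") == "yes":
            continue
        lst = r.get("in-interface-list", "")
        if lst.startswith("!"):
            for b in sorted(bridges - lists.get(lst[1:], set())):
                findings.append(f"bridge {b} is not in list {lst[1:]}; input drop rule blocks its clients")

    # RouterOS cannot run a DHCP client on a bridge slave (it flags it in the export).
    for c in menus.get("/ip dhcp-client", []):
        if c.get("interface") in slaves:
            findings.append(f"dhcp-client on {c.get('interface')}, which is a bridge port")

    # A dst-nat rule with none of these matchers applies to traffic arriving anywhere.
    qualifiers = {"dst-address", "dst-address-list", "in-interface", "in-interface-list"}
    for n in menus.get("/ip firewall nat", []):
        if n.get("action") == "dst-nat" and qualifiers.isdisjoint(n):
            findings.append(f"dst-nat rule '{n.get('comment', '?')}' has no dst-address/in-interface-list/dst-address-list")

    # Winbox with an empty or 0.0.0.0/0 address restriction is reachable from everywhere.
    for s in menus.get("/ip service", []):
        if s.get("_target") == "winbox" and s.get("address", "") in ("", "0.0.0.0/0"):
            findings.append("winbox service accepts connections from any address")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print("FINDING:", finding)
```

To run it against a real device, paste the output of `/export` into SAMPLE_EXPORT or read it from a file; the checks only look at the menus named above, so an export with extra sections is fine. Disabled rules are skipped deliberately, so a rule left at disabled=yes (as in the cAP export quoted in the first reply) does not produce a finding.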

Thank you so much anav. This must have taken some time.

I really appreciate it.

I have made the changes. Things work, but there are a few things I want to try before bothering you again.

Quick question. Winbox does not work through wifi, only through ether2. Is this expected?

Sorry! Forgot about this!

"syncthing TCP 22000" dst-port=22000
What service is this?

This is for syncthing, a brilliant sync service I use. I have no affiliation but recommend it highly (https://syncthing.net/).

In any case, syncthing uses UPnP to open ports, and I figured I'd disable that and forward the ports explicitly.