My network is managed by a 4011. To this I would like to connect three MikroTik hAP ax lite as APs (one for each floor of the building). All APs will be connected directly to the router via cable.
I tried to put them into AP mode by pressing for more than five seconds, but the router still does not see any hAP ax lite. What am I doing wrong? :]
Ultimately I would like all APs to distribute wifi, but also to be able to connect computers to them by cable. On cable the full link would be available and wifi would be limited. If it can be done, like this: when no computer is connected on the cable, wifi has the whole link, and when a computer is on, the speed available to wifi drops to 250mb, for example.
What ROS version does the RB4011 use?
Should be preferably at least 7.13, best even 7.18.2.
Do you have capsman configured via wifi menu ? Not wireless capsman… should be via wifi.
Firmware version is 7.18.2.
I don’t have CAPsMAN under wifi, only on wireless. Should I reset configuration with CAPS Mode tick on? And if so, I understand that my existing settings will be erased and before setting CAPS, I will have to set them again?
Capsman is to be configured on the controller. I assume that will be RB4011 ?
Under the wifi menu, you do all the setup. There is no separate capsman part as it used to be in the past. It’s all integrated with wifi setup.
But since you mention wireless … is that RB4011 a version with wifi ?
AX Lite devices are to be set up in CAPS mode.
Config is then done on the controller and pushed towards CAPS devices.
I suggest that you forget capsman and simply set up the wifi in each ax lite as you are doing now.
How many vlans do you need on your network? (often = # of SSIDs: home users, guest users, IOT devices etc. + management vlan, or one can use home vlan as trusted!)
@holvoetn - I have 4011 without wifi.
My setup is like that: ISP fiber → ont → 4011 → 3 hAP ax lite (one for each floor).
I want each hAP to act as an AP and also to have a PC connected to it by cable (due to the fact that I have one outlet per floor, and I want to have a PC connected by cable).
@anav - It seems to me that using home vlan as a trust will be ok, especially since I live in a not very populated area.
To summarise - should I go CAPS mode or wifi? Which option will give me the settings I want (switching between APs, ability to limit wifi transfer)?
holvo has those answers.
If you want flexibility but to waste many hours and turn your hair gray or lose it go with capsman.
If you want your network to work in 15 minutes, don't use capsman.
anav, have you ever used capsman ?
It can also be setup in 15 minutes when you know what you do.
Seamless switching between APs, requires capsman.
Limiting wifi transfer is a separate thing which has little to do with capsman. You could use queues for that on each AP.
@erlinden Thank you, but the instructions from both topics on help.mikrotik.com are just walls of text without screens showing how to do it in the UI (veeeeery beginner friendly, no doubt xD). The topic with the working config is the same nightmare for a beginner, to be honest. Nevertheless, I got through part of it and the command that doesn’t work is this one:
Even apart from understanding what I’m doing (I’ll stress again, neither the MikroTik help topic nor the cited configuration topic are beginner-friendly), I have no idea if this setup will work with my previous router setup. Just as I don’t know if this setting will reflect my desired settings. But let’s get on with it - I want to get wifi working at all. At most then I’ll try to set it up somehow better.
Like I said pokolo provide your config on the 4011 and one ax lite and I will provide you with a working config of both for vlans and wifi, without capsman… if not, then bashing your head against a brick wall must be your idea of fun!
FIRST STEP add Offbridge settings, and do all vlan configuration from this safe spot. ( using port 9). Recommend this for all devices…
added Management Interface List entity
Removed duplicate IP Pool
Assume 3 vlans, one is management vlan (all devices get IP address on this vlan) / Trusted VLAN (like home users) / Guest or IOT Vlan
Since RB4011 has two groupings of ports, put the first five ports together same bridge, moved WAN port to 6.
Normally for PPPOE one does NOT use ip dhcp client OR an ip address for WAN.
Changed pppoe peer dns server to NO. Reason: it appears you want users to go via 1.1.1.1 and not ISP.
STEP1:
To work on vlans, as it can get sticky when applying vlans or trying to change from default to your setup, it's best to do so from a safe spot. Saves much grief!
So use an off bridge port for the configuration and also as an emerg access port on the device at any time…
Associated config entries ( remove ETHER9 from the bridge in /interface bridge port settings) :
```
/interface ethernet
set [ find default-name=ether9 ] name=OffBridge9
/ip address
add address=192.168.77.1/30 interface=OffBridge9 network=192.168.77.0 comment="Offbridge and Emerg access"
/interface list member
# MGMT is the management interface list defined under /interface list in the full config
add interface=OffBridge9 list=MGMT
```
Note: to access the router simply configure your PC/laptop with IPV4 settings of 192.168.77.2 and via username and password you should have access.
```
# model = RB4011iGS+ (major changes/mods only)
# serial number =
/interface bridge
# change vlan-filtering to yes at the very end of the config
add name=bridge1 vlan-filtering=no
/interface ethernet
set [ find default-name=ether9 ] name=OffBridge9
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether6 name=pppoe-out1 \
    use-peer-dns=no user={user}
/interface vlan
add interface=bridge1 name=vlan10-home vlan-id=10
add interface=bridge1 name=vlan30-guest vlan-id=30
add interface=bridge1 name=vlan99-mgmt vlan-id=99
/interface list
add name=WAN
add name=LAN
add name=MGMT
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254 comment="home"
add name=dhcp_pool1 ranges=192.168.99.2-192.168.99.254 comment="management"
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254 comment="guest"
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan10-home name=dhcp0
add address-pool=dhcp_pool2 interface=vlan30-guest name=dhcp2
add address-pool=dhcp_pool1 interface=vlan99-mgmt name=dhcp1
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk to axlite1"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2 comment="trunk to axlite2"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3 comment="trunk to axlite3"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether4 pvid=10 comment="home pc"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether5 pvid=10 comment="home printer"
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface list member
add interface=pppoe-out1 list=WAN
add interface=ether6 list=WAN
add interface=vlan10-home list=LAN
add interface=vlan30-guest list=LAN
add interface=vlan99-mgmt list=LAN
add interface=vlan99-mgmt list=MGMT
add interface=OffBridge9 list=MGMT
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3 untagged=ether4,ether5 vlan-id=10
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3 vlan-id=30,99
/ip address
add address=192.168.88.1/24 interface=vlan10-home network=192.168.88.0
add address=192.168.30.1/24 interface=vlan30-guest network=192.168.30.0
add address=192.168.99.1/24 interface=vlan99-mgmt network=192.168.99.0
add address=192.168.77.1/30 interface=OffBridge9 network=192.168.77.0
/ip dhcp-server network
add address=192.168.30.0/24 dns-server=1.1.1.1 gateway=192.168.30.1
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
add address=192.168.99.0/24 dns-server=1.1.1.1 gateway=192.168.99.1
/ip dns
set servers=1.1.1.1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=MGMT
# enable this rule at the very end
add action=drop chain=input comment="drop all else" disabled=yes
# forward chain
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# enable if required or remove
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="admin to all vlans" in-interface-list=MGMT out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
```
Stab at hapaxlite (using port 4 as offbridge port and trunk port from router using ether1)
THE WIFI settings are not here but are left up to you.
Setup offbridge4 port first and then do the work from that location.
```
# model = hap ax lite
# serial number =
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] name=OffBridge4
/interface vlan
add interface=bridge1 name=vlan99-mgmt vlan-id=99
/interface list
add name=MGMT
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk to router"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=10 comment="home pc"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether3 pvid=10 comment="home pc"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=wlan1 pvid=10 comment="home wifi"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=wlan2 pvid=30 comment="guest wifi"
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface list member
add interface=vlan99-mgmt list=MGMT
add interface=OffBridge4 list=MGMT
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3,wlan1 vlan-id=10
add bridge=bridge1 tagged=ether1 untagged=wlan2 vlan-id=30
add bridge=bridge1 tagged=bridge1,ether1 vlan-id=99
/ip address
add address=192.168.99.2/24 interface=vlan99-mgmt network=192.168.99.0
# the off-bridge port on this device is OffBridge4 (ether4)
add address=192.168.77.1/30 interface=OffBridge4 network=192.168.77.0
/ip dns
set servers=192.168.99.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
```
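An offline sanity check for hand-edited configs of this shape, added here as an example (it is not code from this thread or from MikroTik): it parses a simplified subset of RouterOS export syntax and flags DHCP pool addresses that fall outside the subnet of the interface the server runs on, and interface-list members that name a list which is never defined. The sample text and the names `parse_export` and `lint` are constructed for this illustration.

```python
import ipaddress
import shlex

# Constructed sample in RouterOS export syntax with two deliberate mistakes.
SAMPLE = """\
/interface list
add name=MGMT
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.99.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan10-home name=dhcp0
add address-pool=dhcp_pool1 interface=vlan99-mgmt name=dhcp1
/interface list member
add interface=vlan99-mgmt list=MGMT
add interface=OffBridge9 list=TRUSTED
/ip address
add address=192.168.88.1/24 interface=vlan10-home
add address=192.168.99.1/24 interface=vlan99-mgmt
"""

def parse_export(text):
    """Map each menu path to a list of key=value dicts, one per add/set line."""
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def lint(text):
    """Report DHCP pool addresses outside the served subnet and undefined lists."""
    m = parse_export(text)
    nets = {a["interface"]: ipaddress.ip_interface(a["address"]).network
            for a in m.get("/ip address", [])}
    pools = {p["name"]: p["ranges"] for p in m.get("/ip pool", [])}
    lists = {entry["name"] for entry in m.get("/interface list", [])}
    problems = []
    for srv in m.get("/ip dhcp-server", []):
        net, ranges = nets.get(srv["interface"]), pools.get(srv["address-pool"], "")
        for end in filter(None, ranges.replace(",", "-").split("-")):
            if net is None or ipaddress.ip_address(end) not in net:
                problems.append(f"pool {srv['address-pool']}: {end} outside {net}")
    bad = [x["list"] for x in m.get("/interface list member", []) if x["list"] not in lists]
    return problems + [f"list {name} is not defined" for name in bad]

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The parser ignores line continuations and `[ find ... ]` selectors, so it suits a quick pre-paste check rather than a full export validation.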
anav - Thank you for your support, but I am struggling to make it work.
To better outline my connection, perhaps I will state what it looks like:
As I understand it, I start with the setting I posted earlier? That was the settings I also obtained on this forum.
I ask because I first typed (X) and then went to the first set of commands and lost the internet. I had to restore the previous setting.
I’ll go through it again in the coming days and post where I have errors and after which command I lose internet.
I set this up in the UI by deleting * (no idea if this is correct).
I couldn’t add this via the terminal, so I added the list from the ui.
Again from the terminal I could not do this, but the vlan filtering was disabled from the ui.
I dealt with this by deleting ‘frame-types=admit-only-vlan-tagged’ and then adding this in the ui.
Should I turn this on after doing all the commands in the second set of code? Because I did it after the first set of commands and it cut off my internet completely. I also could not log on to the router in any way.
At this point a factory reset kicked in and I’m at square one.