VLAN-AP

Dear MikroTik Community,

I'm here again, to ask :slight_smile:

I have encountered (again) an error I can't fix or troubleshoot the proper way.

I have a main router (without wifi, it's a hEX) with 2 VLANs, one with and one without DHCP.
I have 3 APs (hAP mini) with tagged VLANs (1 and 2) -> so that I can have a real guest wifi.
The internal wifi has no DHCP in the router, there is a server that does the job, and the guest wifi is another subnet and the router (MikroTik hEX) does the job.

So far so good, but after a while I don't have internet access. Some people who joined the wifi (guest -> vlan2) have no problem, but for others, when they join, there is no internet; mostly they don't get an IP address. But my notebook (today) did this: internet, everything is totally super-duper, but after a while I get restricted internet access, with the yellow triangle on my wifi signal (Windows 10 notebook).

I'll upload my cfgs, with which I have a good VLAN for the wired clients, but the wifi just won't work the way I'd like, so please analyze it if you have a lil' time and tell me where to begin troubleshooting, or maybe you guys/girls just simply see the problem I don't see.

Thank you in advance!

My cfg:

Router(main, without wifi)

# mar/21/2018 22:45:54 by RouterOS 6.41.3
# software id =
# model =
# serial number =

/interface bridge
add disabled=yes fast-forward=no name=bridge_vlan2
/interface ethernet
set [ find default-name=ether3 ] name=ETH3
set [ find default-name=ether4 ] name=ETH4
set [ find default-name=ether5 ] name=ETH5
set [ find default-name=ether2 ] name=LAN-ETH2
set [ find default-name=ether1 ] name=WAN-ETH1
/interface vlan
add interface=LAN-ETH2 name=vlan1 vlan-id=1
add interface=LAN-ETH2 name=vlan2 vlan-id=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool1 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool2 ranges=192.168.3.100-192.168.3.150
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=vlan2 lease-time=8h name=dhcp1
/interface bridge port
add bridge=bridge_vlan2 interface=vlan2
add bridge=bridge_vlan2 interface=ETH4
add bridge=bridge_vlan2 interface=ETH3
/ip address
add address=192.168.13.1/24 interface=vlan1 network=192.168.13.0
add address=192.168.3.1/24 interface=vlan2 network=192.168.3.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN-ETH1
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.1,8.8.8.8 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.13.0/24 comment="Ez a csoport a localsupport" list=localsupport
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=drop chain=input comment="DNS kulso keres TILTASA TCP" disabled=yes dst-port=53 in-interface=WAN-ETH1 protocol=tcp
add action=drop chain=input comment="DNS kulso keres TILTASA UDP" disabled=yes dst-port=53 in-interface=WAN-ETH1 protocol=udp
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related disabled=yes
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" disabled=yes dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" disabled=yes src-address-type=!unicast
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related disabled=yes
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=WAN-ETH1
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" disabled=yes in-interface=WAN-ETH1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" disabled=yes dst-address-list=NotPublic in-interface=LAN-ETH2
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" disabled=yes dst-address-list=NotPublic in-interface=vlan1
add action=drop chain=input comment="WINBOX eleres csak ebbol az alhalozatbol engedelyezett - 192.168.13.0/24" disabled=yes dst-port=8291 protocol=tcp src-address-list=!localsupport
add action=accept chain=forward comment=" Forward packets which belong to natted connection are accepted" connection-nat-state=dstnat connection-state=established,related disabled=yes in-interface=WAN-ETH1
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=WAN-ETH1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN-ETH1 src-address=192.168.13.0/24
add action=masquerade chain=srcnat out-interface=WAN-ETH1 src-address=192.168.3.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=Router


and the cfg of the APs:

# model = RouterBOARD 931-2nD
# serial number =

/interface bridge
add fast-forward=no name=WifiETH1_bridge
add fast-forward=no name=vlan2_bridge
/interface ethernet
set [ find default-name=ether1 ] name=ETH1
set [ find default-name=ether2 ] name=ETH2
set [ find default-name=ether3 ] disabled=yes name=ETH3
/interface vlan
add interface=ETH1 name=vlan1 vlan-id=1
add interface=ETH1 name=vlan2 vlan-id=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=internalPW supplicant-identity="" wpa2-pre-shared-key=thisisthepassword1
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=vendegPW supplicant-identity="" wpa2-pre-shared-key=thisisthepassword2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=hungary disabled=no frequency-mode=regulatory-domain mode=ap-bridge security-profile=internalPW ssid=TestSSID wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:14:E8:32 master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=vendegPW ssid=TestSSID-Guest wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=vlan2_bridge interface=wlan2
add bridge=vlan2_bridge interface=vlan2
add bridge=WifiETH1_bridge interface=wlan1
add bridge=WifiETH1_bridge interface=vlan1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=AP3



Thank you in advance! I'm losing hair already :smiley: :S

There are unsolved issues with the DHCP server on VLANs and bridges in 6.41.x.
Downgrade to the bugfix version (6.40.7) and everything will probably work flawlessly.

I will try tomorrow, thank you very much for your time and response! I’ll mark this as the answer as soon as I can say this was the problem.

Thank you :slight_smile:

An issue with a DHCP server attached to a bridge was reported in the 6.42rc topic, and it is not clear to me whether it affects 6.41.x as well. I have not encountered that issue myself, but I have had bad experiences with attaching an IP address and DHCP server to slave interfaces (member ports of a bridge). So I don’t like that in your hEX configuration the IP address and DHCP server for the subnet in vlan2 are attached to interface vlan2, which is a member of a bridge; I would attach them to interface bridge_vlan2 instead.

In any case, as you say the issue occurs after some time, I’m afraid it is not a configuration one. So I would recommend that you create one supout.rif file when everything is all right, and another one when it becomes bad, and send both to support@mikrotik.com with a reference to this topic.

Other than that, if I were to deploy the network you describe, I would definitely activate CAPsMAN on the hEX and let the three APs become cAPs (c=controlled). It is not likely to resolve your issue with DHCP, but it simplifies management, as you do everything on the hEX (so there is a risk that you forget the login and password to the APs :slight_smile: )
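The reply above, written out as RouterOS commands for the hEX; this is an added example, not code from the thread or from MikroTik. It assumes the names and addresses of the posted export (`bridge_vlan2`, `vlan2`, `dhcp1`, 192.168.3.1/24, 192.168.13.0/24) and moves the guest subnet's address and DHCP server from the member port `vlan2` onto the bridge itself. Two further points are visible in the export and handled here as well: `bridge_vlan2` is created with `disabled=yes` although `vlan2`, `ETH3` and `ETH4` are its ports, and every `/ip firewall filter` rule is `disabled=yes`, so the fragment also adds guest-isolation rules (an addition of this example, not something the reply asked for) so that guest clients can use the router only for DHCP and DNS and cannot reach the internal subnet.

```routeros
# Added example (not from the thread). Interface, pool and server names are
# those of the posted hEX export; everything else is an assumption of this example.

# 1. The export creates bridge_vlan2 with disabled=yes while vlan2, ETH3 and
#    ETH4 are its member ports. A disabled bridge forwards nothing, so enable it.
/interface bridge
set [ find name=bridge_vlan2 ] disabled=no

# 2. Attach the guest subnet's address to the bridge instead of its member port.
/ip address
set [ find address="192.168.3.1/24" ] interface=bridge_vlan2

# 3. Point the DHCP server at the bridge as well. The pool dhcp_pool2 and the
#    /ip dhcp-server network entry from the export stay as they are.
/ip dhcp-server
set [ find name=dhcp1 ] interface=bridge_vlan2

# 4. Guest isolation (added here; the export has all filter rules disabled).
#    Guests may talk to the router only for DHCP (udp/67) and DNS (53); every
#    other packet from the guest bridge to the router (Winbox 8291 included) is
#    dropped, and guests cannot reach the internal VLAN 192.168.13.0/24.
#    If the disabled rules of the export are enabled later, keep these rules
#    above any broad accept rule in the same chain.
/ip firewall filter
add chain=input in-interface=bridge_vlan2 protocol=udp dst-port=67 action=accept comment="guest: DHCP to router"
add chain=input in-interface=bridge_vlan2 protocol=udp dst-port=53 action=accept comment="guest: DNS to router"
add chain=input in-interface=bridge_vlan2 protocol=tcp dst-port=53 action=accept comment="guest: DNS (TCP) to router"
add chain=input in-interface=bridge_vlan2 action=drop comment="guest: no other access to the router"
add chain=forward in-interface=bridge_vlan2 dst-address=192.168.13.0/24 action=drop comment="guest: no access to the internal VLAN"
```

Paste the fragment into the hEX terminal, then check with `/ip dhcp-server print` that dhcp1 now runs on bridge_vlan2 and is not flagged as invalid, and with `/ip firewall filter print` that the new rules are enabled; a guest client should then obtain a 192.168.3.x lease and be unable to ping 192.168.13.1. This does not replace the first reply's suggestion to try 6.40.7, nor the supout.rif files for support.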

Thank you, but now I have collected all the MikroTik APs and placed a single cheap old TP-Link router, and now everything works fine… I think I cannot allow myself and the companies I work with this kind of instability. Basic things like DHCP client and DHCP server should work flawlessly… :slight_smile: I like MikroTik, but lately, because of a not properly working firmware (or maybe misconfiguration with the “slave” DHCP server), I had so much trouble, and this takes too much money and time.