I have an access point with a really simple basic config here.
# 2025-01-02 12:03:43 by RouterOS 7.16.2
#
# model = wAPG-5HaxD2HaxD
/interface bridge add admin-mac=*** auto-mac=no comment=defconf name=bridge
/interface vlan add interface=ether1 name=mgmt vlan-id=999
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=MGMT
/interface wifi channel add band=2ghz-ax disabled=no name=2g skip-dfs-channels=10min-cac width=20/40mhz
/interface wifi channel add band=5ghz-ax disabled=no name=5g skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=ap01
/interface wifi configuration add country=Ukraine disabled=no mode=ap name=cfg1 security=petfood ssid=ap01
/interface wifi set [ find default-name=wifi1 ] channel=2g configuration=cfg1 configuration.mode=ap disabled=no
/interface wifi set [ find default-name=wifi2 ] channel=5g configuration=cfg1 configuration.mode=ap disabled=no
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=wifi1
/interface bridge port add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings set discover-interface-list=MGMT
/ipv6 settings set disable-ipv6=yes
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=mgmt list=MGMT
/interface list member add interface=ether1 list=MGMT
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-client add add-default-route=no interface=mgmt use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes cache-size=4096KiB servers=9.9.9.9,149.112.112.112 use-doh-server=https://dns.quad9.net/dns-query verify-doh-cert=yes
/ip dns adlist add ssl-verify=no url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input dst-port=22,80,8291 in-interface-list=MGMT log-prefix="==" protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/system clock set time-zone-name=Europe/Kiev
/system identity set name="AP 01"
/system note set note="Attention! Internet trafic on ether1 and NOT on vlan999[mgmt]!!!"
/system routerboard settings set auto-upgrade=yes
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=MGMT
My vlan is getting its own IP address, I can ping it, but all of a sudden I have no access to the AP. No web\winbox\ssh at all on the vlan interface, but everything works on ether1. Sniffer can see incoming packets.
Looks like I'm too close to see clearly. What should I check?
It's okay. It gives internet to a completely isolated office branch that uses only wifi, so putting one AP as a router looked like a better idea than making a separate vlan for it. Also I got some problems configuring AX capsman, because capsman filtering was removed from ax, so I made it standalone.
Now on ether1 it has the main office network as WAN and the management vlan. So I need it to have internet from the office network, and manage it through the vlan.
I put ether1 in the MGMT interface list just to finish configuring, because if I remove it, I lose access to the AP through the office network, and have no access through the vlan. Users in LAN would have no access to AP management at all, and access will be removed by firewall after the end of configuring.
Simplify, have main router provide all vlans and rules etc.
Use wapAX simply as a switch AP, the objective of giving one branch of office isolated access to internet is accomplished.
This simply means a VLAN only for them, and the MT device gets an IP address from the trusted VLAN.
ONE BRIDGE, rest vlans, done!
Use one port as an off-bridge port for configuration purposes: safe, and an easy place to recover from any issues later as well.
Will assume trusted subnet is vlan999 with lanip 192.168.99.0/24
Will assume isolated office subnet is vlan88 with lanip 192.168.88.0/24
Step One: add the ether2 settings below, and then continue config changes from ether2 (plug in a laptop with IPv4 settings 192.168.55.2 and you're in).
Clean, simple, easy, works!! (and best of all NO phucking capsman)
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=OffBridge2
/interface vlan
add interface=bridge name=mgmt999 vlan-id=999
/interface list
add name=MGMT
/interface wifi channel
add band=2ghz-ax disabled=no name=2g skip-dfs-channels=10min-cac width=20/40mhz
add band=5ghz-ax disabled=no name=5g skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=ap01
/interface wifi configuration
add country=Ukraine disabled=no mode=ap name=cfg1 security=petfood ssid=ap01
/interface wifi
set [ find default-name=wifi1 ] channel=2g configuration=cfg1 configuration.mode=ap disabled=no
set [ find default-name=wifi2 ] channel=5g configuration=cfg1 configuration.mode=ap disabled=no
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk from router"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=wifi1 pvid=88
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=wifi2 pvid=88
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-id=999
add bridge=bridge tagged=ether1 untagged=wifi1,wifi2 vlan-id=88
/ipv6 settings set disable-ipv6=yes
/interface list member
add interface=mgmt999 list=MGMT
add interface=OffBridge2 list=MGMT
/ip address
add address=192.168.99.X/24 interface=mgmt999 network=192.168.99.0 { where X is the assigned IP to the wapax on the trusted subnet }
add address=192.168.55.1/30 interface=OffBridge2 network=192.168.55.0
/ip dns
set servers=192.168.99.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/system clock set time-zone-name=Europe/Kiev
/system identity set name="AP 01"
/system note set note="Attention! Internet trafic on vlan88 and NOT on vlan999[mgmt]!!!"
/system routerboard settings set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
By the way this past weekend I bought two boxes of chocolate, one from Kyiv and one from KharKiv…
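As an added example (not code from the thread or from MikroTik), here is a small Python linter that parses a RouterOS export in both styles used above (the compact `/path add k=v` one-liners of the opening post and the sectioned `/path` headers of the reply) and reports three things a reviewer would look for in these configs: a wifi configuration whose `security=` names a profile that is not in the export, an input-chain accept rule for management ports whose interface list shares a member with the WAN list (the temporary `ether1` in `MGMT` situation), and a bridge that has a VLAN table or port PVIDs but was created without `vlan-filtering=yes`, in which case that table is ignored. The first sample is an excerpt of the opening post's export; the bridge snippets are constructed for this example and are not the reply's exact lines.

```python
"""Lint a RouterOS export for a few pitfalls discussed in the thread."""
import shlex
from collections import defaultdict

VERBS = {"add", "set", "remove", "enable", "disable"}


def parse_export(text):
    """Parse '/path add k=v ...' one-liners and '/path' section headers
    followed by 'add k=v ...' lines into {"path", "verb", "attrs"} dicts."""
    entries, current = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)           # honours quoted values like comment="a b"
        if tokens[0].startswith("/"):
            # path tokens run until the first verb or key=value token
            i = next((k for k, t in enumerate(tokens) if t in VERBS or "=" in t), len(tokens))
            current, tokens = " ".join(tokens[:i]), tokens[i:]
            if not tokens:                   # bare section header, e.g. "/interface bridge"
                continue
        verb = tokens[0] if tokens[0] in VERBS else ""
        attrs = dict(t.split("=", 1) for t in tokens if "=" in t)
        entries.append({"path": current, "verb": verb, "attrs": attrs})
    return entries


def missing_security_profiles(entries):
    """Wifi configurations whose security= references no profile in the export."""
    profiles = {e["attrs"].get("name") for e in entries if e["path"] == "/interface wifi security"}
    return sorted(e["attrs"]["security"] for e in entries
                  if e["path"] == "/interface wifi configuration"
                  and e["attrs"].get("security") not in profiles)


def management_accepted_from_wan(entries):
    """Input-chain accept rules whose in-interface-list shares a member with WAN."""
    members = defaultdict(set)
    for e in entries:
        if e["path"] == "/interface list member":
            members[e["attrs"]["list"]].add(e["attrs"]["interface"])
    findings = []
    for e in entries:
        a = e["attrs"]
        if (e["path"] == "/ip firewall filter" and a.get("chain") == "input"
                and a.get("action") == "accept" and "dst-port" in a):
            shared = members["WAN"] & members[a.get("in-interface-list", "")]
            if shared:
                findings.append((a["dst-port"], a["in-interface-list"], sorted(shared)))
    return findings


def bridges_missing_vlan_filtering(entries):
    """Bridges with a VLAN table or port PVIDs but without vlan-filtering=yes."""
    filtering = {e["attrs"].get("name"): e["attrs"].get("vlan-filtering") == "yes"
                 for e in entries if e["path"] == "/interface bridge" and e["verb"] == "add"}
    uses_vlans = {e["attrs"].get("bridge") for e in entries
                  if e["path"] == "/interface bridge vlan"
                  or (e["path"] == "/interface bridge port" and "pvid" in e["attrs"])}
    return sorted(b for b in uses_vlans if b in filtering and not filtering[b])


# Excerpt of the export from the opening post (compact one-line style).
OP_EXPORT = """\
/interface vlan add interface=ether1 name=mgmt vlan-id=999
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=MGMT
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=ap01
/interface wifi configuration add country=Ukraine disabled=no mode=ap name=cfg1 security=petfood ssid=ap01
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=mgmt list=MGMT
/interface list member add interface=ether1 list=MGMT
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input dst-port=22,80,8291 in-interface-list=MGMT log-prefix="==" protocol=tcp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""

# Constructed bridge snippet (sectioned style): VLAN table and PVIDs are defined,
# but the bridge was created without vlan-filtering=yes, so they do nothing.
WEAK_BRIDGE = """\
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged
add bridge=bridge interface=wifi1 pvid=88
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=wifi1 vlan-id=88
"""
FIXED_BRIDGE = WEAK_BRIDGE.replace("add name=bridge", "add name=bridge vlan-filtering=yes", 1)


def lint(text):
    """Run all checks over one export and return the findings by check name."""
    entries = parse_export(text)
    return {"unknown_security_profiles": missing_security_profiles(entries),
            "management_from_wan": management_accepted_from_wan(entries),
            "bridges_without_vlan_filtering": bridges_missing_vlan_filtering(entries)}


if __name__ == "__main__":
    for label, cfg in (("opening post", OP_EXPORT), ("weak bridge", WEAK_BRIDGE), ("fixed bridge", FIXED_BRIDGE)):
        print(label, lint(cfg))
```

Run it against a full `/export` taken from the device; the parser only looks at `key=value` pairs, so it is safe on lines it does not understand. The WAN check is deliberately narrow: it fires only when the accepting list and the WAN list literally share an interface, which is exactly the "temporary" state the opening post describes, and it goes quiet once `ether1` leaves `MGMT`.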
It must be managed only through 10.0.0.0/24 from PCs in different networks allowed by main router firewall rules. No access from other networks. Now it is temporarily managed from a PC in 192.168.1.0/24. I have a bunch of SwOS devices similarly managed without any problems.