Wifi connects, but no internet

Hi all.

I recently purchased a HAP AX2 to replace my ISP router which was overwhelmed by my network. I tried to set it to bridge mode, but discovered it’s locked out, so I ended up disabling DHCP server on it and using the HAP as a switch+AP. Firewall on the HAP is now disabled but the one on the ISP router is still enabled, while I sort things out.

Right now wired devices get internet and IPs within the intended LAN, but if I ping google from Winbox it times out, so the following gets me lost as I don't understand where the real issue is.

This is the output of export hide-sensitive:

# 2025-03-29 22:32:09 by RouterOS 7.12.1
# software id = ZF9I-JHNR
#
# model = C52iG-5HaxD2HaxD
# serial number = HG409R84B8V
/interface bridge
add admin-mac=D4:01:C3:29:DF:84 auto-mac=no name=bridge
/interface list
add name=LAN
/interface wifiwave2 channel
add band=5ghz-ax disabled=no name=ch-5 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no name=ch-24 width=20mhz
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes name=wifisecprofile wps=disable
/interface wifiwave2 configuration
add country=Spain disabled=no mode=ap name=wificonfig security=wifisecprofile ssid=MTDS
/interface wifiwave2
set [ find default-name=wifi1 ] channel=ch-5 configuration=wificonfig configuration.mode=ap disabled=no name=wifi5 security=wifisecprofile
set [ find default-name=wifi2 ] channel=ch-24 configuration=wificonfig configuration.mode=ap disabled=no name=wifi24 security=wifisecprofile
/ip pool
add name=dhcp_pool1 ranges=192.168.2.128-192.168.2.244
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether1
add bridge=bridge ingress-filtering=no interface=wifi5
add bridge=bridge ingress-filtering=no interface=wifi24
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge list=LAN
/ip address
add address=192.168.2.254/24 interface=bridge network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=*2000010
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=all
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Change your gateway to .254

DHCP server is the HAP, at .254
WAN gateway is the ISP router, at .1

Setting both to .254 kills the connectivity for the wired clients.

Your network makes no sense. If you want the MikroTik to work as switch/AP, do:

Remove default settings
Create bridge, add all interfaces to it
Configure wifi as you did
Add DHCP client to bridge

Let your ISP’s router handle DHCP

Now I started from scratch: all interfaces to bridge (ether1-4, and both wifi), IP address on the switch at .254 so it's accessible, DHCP server on the WISP, so a DHCP client linked to the bridge. With the same setup for wifi as in the first post, a laptop and my phone both connect successfully (they get an IP and show up as connected), but still no internet.

I'm gonna return this AX2 as the return period is almost due and get a MT with no wifi and a separate AP.

You might want to share your current config again. There must be a reason why it’s not working. Can clients ping the WISP router? And can they ping 1.1.1.1?

Getting two devices is probably making it more complex. And be aware that, while using the WISP router, there is no reason to get a second router. Well, unless… it always depends on what you want.

Yeah, in theory I don't need another device... but the WISP is so lacking in power that I need to reboot it daily because it hangs periodically. My provider doesn't allow using my own gear directly or switching theirs to bridge mode, so I need to bodge a way out. I also want to play with VLANs, as I'm no longer comfortable with the IoTs at home being on the same network as everything else.

I already reset and wrapped the AX2 for shipping, config is not available anymore.

Thank you for your attempts at helping me anyway.

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
Change to correct subnet

You know this is a static DNS entry?

The best thing you can do is take one port off the bridge and do your config from there, a safe spot.

  1. Take ether5 off the bridge at /interface bridge port

  2. Make the following additions/mods

/interface ethernet
# rename the port so the later commands can refer to it as OffBridge5
set [ find default-name=ether5 ] name=OffBridge5 comment=OffBridge5

/interface list member
add interface=OffBridge5 list=LAN
(and add it to your trusted list too, if you have a management interface list)

/ip address
# a /30 gives the router and one laptop, nothing else
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0

  3. Now you can plug your laptop into ether5, change your IPv4 settings to 192.168.77.2 and, using Winbox, access the router as per normal.

  4. Now you can start configuring your router for VLANs such as guest, home, IoT, media, anything else, and any other VLANs, aka printer VLAN, or spouse's work VLAN, or kids' VLAN etc. The idea being you don't want vendor equipment and work and home mixing with anything else, just internet access, etc.

This is a good link to read first for vlans.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
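As an added example (not code from the thread), here is a complete RouterOS 7 script for the switch+AP layout that the "switch/AP" reply describes, combined with the off-bridge management port from the last reply. It assumes the ISP router is plugged into ether1 and ether5 is kept off the bridge for management; the LAN, SSID and 192.168.77.0/30 values are the thread's own.

```routeros
# Added example: hAP ax2 as a plain switch + AP behind the ISP router (192.168.2.1).
# Assumptions: ISP router on ether1, ether5 is the off-bridge management port.
# Start from a blank device: /system reset-configuration no-defaults=yes skip-backup=yes

/interface bridge
add name=bridge
/interface list
add name=LAN
add name=MGMT
/interface list member
add interface=bridge list=LAN
add interface=ether5 list=MGMT

# Wi-Fi, same settings as the original export
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes name=wifisecprofile wps=disable
/interface wifiwave2 configuration
add country=Spain disabled=no mode=ap name=wificonfig security=wifisecprofile ssid=MTDS
/interface wifiwave2
set [ find default-name=wifi1 ] configuration=wificonfig disabled=no name=wifi5
set [ find default-name=wifi2 ] configuration=wificonfig disabled=no name=wifi24

# Everything except the management port goes on the bridge; ether1 faces the ISP router
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=wifi5
add bridge=bridge interface=wifi24

# No DHCP server here: the ISP router hands out leases with itself as gateway.
# The bridge takes a lease too, so the hAP itself gets a default route and DNS.
/ip dhcp-client
add interface=bridge disabled=no

# Off-bridge management port, reachable only from a laptop on ether5 at 192.168.77.2
/ip address
add address=192.168.77.1/30 interface=ether5 network=192.168.77.0

# With the firewall off, bind management services to the management subnet only
/ip service
set winbox address=192.168.77.0/30
set ssh address=192.168.77.0/30
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
```

After applying it, check from Winbox that the bridge received a 192.168.2.x lease and that /ip route shows a default route via 192.168.2.1; if that is missing, the router itself cannot reach the internet even when bridged clients can.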