Winbox can't connect to hap ax lite

Hi. Winbox can't connect to hap ax lite.

Changing the cable doesn't work. Running as admin doesn't work. Turning off the firewall doesn't work.

Router OS ver 7.20.1/Winbox ver 3.43

Any idea?

What port did you connect to on the router?

8291, and it's enabled.

A question: can the hap ax lite work as repeater and AP together? I mean give net from three mode with wifi and share balanced net to other devices.

It has only 2.4 GHz ax wifi.

I mean what ethernet port do you use.

Do you access the router in another way now? Is it running default config or has it been doctored with?

I don’t know that, you need to wait for replies from others.

Is the router in its default state?

Which Ethernet port are you using?

Is the router visible in winbox?

Are you trying IP or MAC address?

What message do you see from Winbox?

Default state = No. I use the router for net aggregation, so I changed options.

I use Ethernet 4 to connect to the PC, and did not change the options of this port.

Is the router visible in Winbox? What do you mean?

Log in with MAC.

Winbox message: could not connect to router.

No need to post same question multiple times.
I have answered in your other thread.

Spoiler: yes.

Since you changed options, is it not possible your problem is there?

What did you change?
Reset to default (you will have to anyhow).
Remove 1 ether port from bridge (not WAN).
Use it to connect using Winbox/mac.

And when making changes again, use safe mode.

By “visible” I meant can you see it in the Neighbors display of Winbox so you could select it by IP or MAC, or are you typing in the MAC?

Have you looked at Winbox error messages for clues? Your error message is there. It sounds like either mis-configuration of the router or simply you have not adjusted the MAC for the port number.

Have you ever downloaded your configuration after making changes? If so, please paste it here between code </> tags, with confidential information removed.

Maybe it will help.

No, can't see in Neighbors.

Wait a minute ...
And how did you make that screenshot?
You accessed the device then? You used web access?

PS masking last octet of a 192.168.88.0 subnet is rather useless. That's a private range. Nobody is able to use that from outside your network.

Create full config of device:
terminal
export file=anynameyouwish

Move file to PC.
Edit, remove serial number, remove passwds, public IP if applied

post contents back between < / > quotes.

Yes, it is web access. But Winbox has a better and faster user interface. I always want to configure the router with it.

OK. I'll go and download my config and paste it here.

# 2025-10-20 07:40:41 by RouterOS 7.20.2
# software id = WSCG-J71K
#
# model = L41G-2axD
# serial number = xxxxxxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:D8 auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik disabled=\
    no name=wifi-1 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/routing table
add disabled=no fib name=havi max1
add disabled=no fib name=havi max2
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether2
add bridge=bridge comment=defconf disabled=yes interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi-1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add add-default-route=no comment=defconf default-route-tables=main interface=\
    ether1
# Interface not active
add add-default-route=no default-route-tables=main interface=ether2
# Interface not active
add add-default-route=no default-route-tables=main interface=ether3
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    8.8.8.8,8.8.4.4,1.1.1.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=bridge \
    new-routing-mark=havi max1 per-connection-classifier=\
    both-addresses-and-ports:3/0
add action=mark-routing chain=prerouting in-interface=bridge \
    new-routing-mark=havi max2 per-connection-classifier=\
    both-addresses-and-ports:3/1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.70.1 \
    routing-table=xxxxxxx suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.70.2 \
    routing-table=xxxxxxx suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Serial number removed. MAC address xxxxxxxx. Maybe the problem is “add admin-mac=xx:xx:xx:xx:xx:D8 auto-mac=no”.

xxxxxxxD8 is ether2.

I use xx:xx:xx:xx:DA in Winbox with a CAT6 cable to connect to the router. It is ether4. How do I set the admin MAC?

Unless I missed something, you have zero interfaces in your LAN list?

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN

Then how do you expect to access via LAN?
You can not.
There is a firewall rule to drop anything not coming from LAN for input. Nothing in LAN, so you always get dropped. Simple.

Add ether4 as member of LAN and use that one to connect.
Or add explicit accept rule on input for port 8291 but personally, I DO NOT do that for anything other than LAN or VPN.

Why do you have 3 WAN ports? This makes me think you have to provide a LOT more info on the surrounding context of this device and how you want to access it.

I'm not very familiar with WAN and LAN, what exactly they do. How do I add an explicit accept rule on input for port 8291? I need it for ether4.

3 others need to connect modem.

You have to imagine the router as a wall (guess why the thing that filters packets in and out is called a firewall).
This side of the wall there is LAN (Local Area Network), imagine it as "inside, home, safe".
The other side of the wall there is WAN (Wide Area Network), imagine it as "outside, dangerous, here be lions".

A firewall controls what can exit the LAN and access the WAN and vice versa what from WAN can access LAN.

Mikrotik firewall (the default firewall set of rules that are default on SOHO devices) makes use of interface lists, essentially you categorize each interface as belonging to a group (list) depending on its function.

If you have all your interfaces categorized as WAN, you won't have access from them to the router. For Winbox (which uses the Mikrotik proprietary mac-winbox connection protocol), you have these two entries:

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

that ONLY allow connection from an interface categorized as LAN.

In firewall (/ip firewall filter) you have this rule:

/ip firewall filter
...
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
...

that prevents access to the router (input) to anything coming from interfaces NOT categorized as LAN.

So you need to explicitly categorize ether4 as LAN, i.e. add to these:

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN

the line:

add interface=ether4 list=LAN

P.S.: As holvoetn noted below, if ether4 is part of the bridge, it loses some of its independent characteristics, so you may want to take it out of the bridge or set the whole bridge as LAN (as it is normally/by default)
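
The check described in the post above, as an added example (not code from the thread or from MikroTik): a Python script that parses a RouterOS text export, reports when the interface list named in the mac-server settings has no members, and flags disabled input drop rules like those in the posted config. The sample export is a constructed excerpt, and the names `parse_export` and `audit` are hypothetical.

```python
import re
from collections import defaultdict
# RouterOS built-in interface lists; these never need explicit members.
BUILTIN_LISTS = {"all", "none", "dynamic", "static"}

# Constructed excerpt with the same shape as the export posted in the thread.
SAMPLE_EXPORT = r'''/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
'''

def parse_export(text):
    """Return {section: [{key: value}, ...]} for a RouterOS text export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line  # e.g. "/interface list member"
            continue
        pairs = re.findall(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)', line)
        sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections

def audit(text):
    """List the management-access problems discussed in the thread."""
    cfg = parse_export(text)
    members = defaultdict(set)
    for m in cfg["/interface list member"]:
        if m.get("disabled") != "yes":
            members[m["list"]].add(m["interface"])
    findings = []
    for sec in ("/tool mac-server", "/tool mac-server mac-winbox"):
        for s in cfg[sec]:
            lst = s.get("allowed-interface-list")
            if lst and lst not in BUILTIN_LISTS and not members[lst]:
                findings.append(f"{sec}: list {lst} has no members")
    for r in cfg["/ip firewall filter"]:
        if (r.get("chain"), r.get("action"), r.get("disabled")) == ("input", "drop", "yes"):
            findings.append(f"input drop rule disabled: {r.get('comment', '')}")
    return findings
```

On the constructed sample, `audit(SAMPLE_EXPORT)` returns both findings: the empty LAN list that blocks MAC Winbox, and the disabled input drop rule, which leaves the ports listed as WAN unfiltered on the IPv4 input chain.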

With all due respect ... you did add two additional ports to WAN, so you knew why?
But you can not tell the difference between LAN or WAN?

Add ether4 to LAN list as indicated but ... that will not solve your problem completely since you have ether2/3/4 and wifi-1 all connected to bridge.
Something does not add up here.

Adding ether4 to LAN will allow you to access the device via Winbox/Mac.
Do you also require that port to provide DHCP to the connected PC?
Because then you need other changes.

I am still wondering why 3 WAN ports are used? For what purpose?
Again, we need more info on what you are planning to do.
If you do not give that info, we can not help you to indicate where what change is needed.