Hi all, I recently got as a gift the Mikrotik HAP AC2 and I would like to ask for your help, since I’m fairly new to Mikrotik capabilities. (sorry if my terminology is not correct...)

I have a modem/router conected to the internet, which assigns ip addresses to devices from 192.168.1.2 an on...(this modem/router is located in room A). In room B I used to have a simple router (Netgear) to split access to three other devices (TV, computer, home theater), all of which got ip address 192.168.1.xxx. In room C I have a media player that got the ip address 192.168.1.xxx. Now the problem: I replaced the Netgear router in room B with the Mikrotik (which suited me, because I got it working as an AP (wireless internet in room B was terrible). Now the three devices (TV, computer, home theater) are all behind the Mikrotik, getting ip addresses 192.168.88.xxx and they are no longer accessible (especially the computer) either from the media player in room C nor from the Remote Desktop Access from a tablet connected to the modem/router wireless network (if I connect the tablet to the Mikrotik wireless network, then the Remote Desktop Access works - obviously, since it also gets an ip 192.168.88.xxx).

So the question is how to make things transparent again i.e. the media player (behind the modem/router LAN accessing the computer behind the Mikrotik LAN)?

Thank you in advance for any help!

Maxx

Ideally, MikroTik will manage the whole network becoming the firewall of your network etc.

But a simple way to solve your current problem is:
create a bridge to disable the Mikrotik DHCP server

put interface from other Router on bridge1 and wlan1 on bridge1

Your "TV etc" devices will now receive IP 192.168.1.X being in the same broadcast domain.

Dear Leonardo thank you for your reply!

Since I’m quite inexperienced, could you elaborate a bit more on your response (i.e. how to create the bridge and interfaces?)?

Thanx once again!

If this was a consumer router you would simply set the router into AP (wifi mode) and plug everything in and it would work.
If it was a tad older or didn't have that now commonly built in feature, you would still be able to achieve the same functionality with a little tweaking that most people can do on their own
The instructions mirror what the above newer routers are doing behind the scenes.
https://www.dslreports.com/faq/11233

The text will give you a taste of what you are trying to accomplish on the hAP AC2. You only want to use the switch, access point capabilities of the gift.
You probably want to assign ether 1-5 to a bridge including the WIFI. Assign the interface a LANIP within the subnet provided by the modem router (assign a static IP to it).
I think it would be done under /ip address. Cant help with the wifi cause Im not there yet but will have to learn that soon.

I fear the gift you were given was actually a cruel joke as now you will actually have to apply some brain matter and time to learn how to program these routers.
There is no EASY shortcut.

Hi,

As anav said, giving you a Mikrotik is a bit of a cruel joke and quite possibly they gave it to you because they couldn't make it work.

Your starting problem is that I suspect you have the hAP set up as an internet access router with DHCP etc.

Assuming you have winbox access, I would sstart by looking a tthe quick set configurations that will give you a base starting point to use the hAP as more of a switch plus access point. The quick set menu is right at the top in the left menu bar. I would perhaps look at the home AP dual as a starting point.

Please ensure you have a backup of the current configuration before you change it (so that you can always return to your current working config) and you will need to accept that you may have to tinker a little bit to get to where you need to be.

I have a number of hAP's that I use as wireless access points at various places around the house and they are totally transparent to the core network (or networks in my case as I have mulitple SSID's for internal and guest). If it helps I can post some config, but you will need to accept that Mikrotik is not a plug and play solution, things might get worse before they get better and that you are embarking on a journey that will require you to learn about networking.

Hi diddie, funny you should say that. I have two cAP ACs sitting in a box and will need to program them on my HEX, so any configs appreciated and even more so if you have lets say a home wifi and a guest wifi!!!

Hey Anav,

No guarantee that this is best practice etc. I'm not a Mikrotik expert by any stretch of the imagination and I'm happy to be told that this is not recommended by someone who is, but the below is working for me and I hope it helps you

My wireless interfaces are managed by CAPsMAN, but all of the settings are there and it should be enough. If not, shout and I'll look at the CAPsMAN config and try to pick out anything that might be overriding local config. The one thing I can't see at a quick glance which is definately set by CAPsMAN is that the VLAN ID (CAPsMAN Data Path) on the Home and Master SSID's is set to 100 and for the Guest to 300. You may need to add code to set those. The other overrides from CAPsMAN should all be about securtiy, frequencies etc. which is your choice.

The reason why I did it this way was it was the only way I could get the switch chip working alongside the VLAN's with hardware offloading, obviously apart from the wireless interfaces which won't use the switch chip.

The only other thing that I seem to recall was that I had to add the Master interfaces into the bridge for CAPsMAN. You will probably not need to do this if you are managing it locally.

I'm still playing with which interfaces need IP addressses and moving the management onto VLAN 200 with a different subnet, so apologies if the IP Address on each VLAN interface is confusing.

Ether1 is the trunk back to the CRS, the others are local access ports.

Shout if you have any issues

Diddie thank you for your reply. I'm starting to believe that this gift was a joke (or someone really hated me... )! You're right, I've initially setup the hAP as "Home AP dual", but every time I try to change any setting from the more advanced menu (i.e. firewall, interfaces etc)., something goes wrong and I end up hard-resetting the device. It would be of great help If you could "guide" me through the changes I have to make in order to solve the above issue....

Thanx!

Diddie thank you for your reply. I'm starting to believe that this gift was a joke (or someone really hated me... )! You're right, I've initially setup the hAP as "Home AP dual", but every time I try to change any setting from the more advanced menu (i.e. firewall, interfaces etc)., something goes wrong and I end up hard-resetting the device. It would be of great help If you could "guide" me through the changes I have to make in order to solve the above issue....

Thanx!

Believe me when I say, once you get the hang of how Mikrotik works, you will not have enough words to thank whoever gave you this gift

Hi Max,

I hope shortening your username is not an offence . I'll have a go at describing a simple setup through Winbox. I'm not a Mikrotik expert and I'm happy to be corrected by anyone that is. This works for me, but is not neccesarily best practice. Hopefully I haven't made any miktakes or ommisions when walking through the config, but there is always the possibility

This might be a long post, but I'll take one of my hAP's out of play and work through reconfiguring it step by step using Winbox to keep it as simple as possible. I am debating whether cap might be a better starting point, but let's go with the Home AP dual and see.

I'm going to assume you will give your Mikrotik box a static IP address as then you will always know where it is. Setting it up with a dynamic address is easier in that some of the later config, such as setting DNS is not required, but I dind it harder to manage if I don't automatically know what ip address the Miikrotik is on. Other people will do it differently, it's your choice.

You may have to change your local computer IP address settings at points on the way through this, depending on whether you use dynamic addressing or static. I didn't becasue I was using dynamic and always picked up a dhcp address.

Making sure that the network cable is plugged into the Mikrotik in a port other than 1 (this will come up as internet straight after the config), go into Winbox and making sure you have a backup of the current config, reset the configuration (use the system / reset configuration option) without ticking any of the boxes.

I then connected my laptop straight to the hAP and I can see the hAP on 192.168.88.1 and connected via Winbox. I got a message about default config and just said ok.

I then went into quick set and selected Home AP Dual and filled in the wireless details incl password, set the Internet address as automatic and for the local network I gave it a static address in the main home range (ensuring that it wasn't within any the DHCP pool which in your case will be allocated by your main router). I unclicked firewall router, DHCP Server and NAT as you won't use any of these for an access point.

Then you can connect back to the main network and plug your Mikrotik back in where it belongs. Just as a note of caution though, to be 100% safe, avoid plugging anything to ether1 at this stage until we have finished the config.

back into Winbox again and you should now see the Mikrotik on the network on the address you gave it. Effectively, it should now be doing everything you want it to do and will be behaving as a switch, with the wireless bridged onto the switch, will be on the network within your normal ip address range and will not be handing out 192.168.88.1 addresses. Any addresses for equipment connected to this switch should now be handed out by your main router.

This unfortunately is with one exception. Port ether1, still thinks it is a port to the Internet. So to be able to use port 1 to plug anything into, a little further config is required.

So now you will go into bridge over in the menu on the left, and then select the tab that says ports. Click on the + button and add ether1 into the bridge with default settings.

Then go to the IP menu on the left and to the sub menu that is addresses. You will see your static IP address in here. Double click on it to open it up and change the interface from in my case (ether 2) to be bridge.

The next few of steps will probably not be required if you have set the IP address dynamically, athough you will need to move the dhcp client up onto the bridge, but if you have used a static IP address then they will be needed for the Mikrotik box to have internet access.

Go to IP and DHCP Client, highlight the default entry and click the - (minus) button to delete the default config entry. This is getting a dynamic entry for ether1 for internet which you don't want anymore.

Go into IP and DHCP server, select the Networks tab and delete the default entry using the - button.

Go into IP and then pool and again use the - button to delete the default pool

Go into the IP menu again and this time the sub menu route. Click the + button in the window that comes up, type the address of your main router into the gateway field and hit ok. This gives the Mikrotik access to the internet to ensure that it can get updates etc.

Go to IP again and this time to DNS. Enter your DNS servers, probably from your ISP into the Servers field. You can get multiple addresses in here by using the up down arrows to the right of the box. I have my own primary and secondary DNS servers and so in the config I post these will be local addresses. Yours will need to be those supplied by your ISP.

Go into IP then firewall and delete all entires in the Filter rules, NAT and Mangle tabs apart from the special built in rules which I don't think it will let you delete. As this is internal you shouldn't need any firewall rules.

That should now be it. I can't fully test this as it conflicts with the VLAN's on my network and if I changed it to allow me to test, then the config wouldn't be any use to you. However, using port 1 as the uplink to my main switch, I can connect to the internet through the LAN ports. I can connect via WiFi and browse the internet from my phone and DCHP from the DHCP server is coming through properly, so IP addresses are autmatically assigned. As a last test the Mikrotik box can connect to the internet and run for example a trace route to google successfully. Hopefully you should now be fully working, enjoying a beer and be proud that you have managed to mess around with network configuration and live to tell the tale.

The config that this has generated is very simple after all of that work and is listed below, but if you wanted use it as config will need changing for your IP/MAC addresses etc.

Hope this helps in some way. Now to restore my hAP back to a working state

Diddie thanx for the reply! The good news is that your help was extremely valuable and I managed to setup the hAP as you mentioned (I didn't do the part about the ether1 port, as I don't have more than 2 devices I want to plug in the network). Everything worked smoothly and all the devices under the Mikrotik hAP got IP addresses in the 192.168.1.xxx range.

BUT.....

I still have two problems! The first is that when I initially configure the Mikrotik outside of my LAN (meaning that it does receive an IP address 192.168.1.xxx) I can access the settings from 192.168.88.1. When I plug the Mikrotik in my network (and all receive IP address 192.168.1.xxx), the setup page (i.e. 192.168.88.1) stops working. I'm guessing this has something to do with my modem/router's firewall settings???

The second issue I have is this: on Mikrotik's ports I have a HTPC and a SmartTV (both get correctly IP addresses 192.168.1.xxx). In another room I have a media player (again 192.168.1.xxx) that has access to the HTPC's drives (for media streaming) over LAN. I also connect to the HTPC through an iPad (with Microsoft's Remote Desktop Management app) over WiFi. Although the media player finds the HTPC and has access, I lost the ability to connect to the HTPC via Remote Desktop, as it seems to be unable to find it....(in my previous configuration, where I had a simple switch, everything worked great)....what am I doing wrong here (or in other words, is the Mikrotik blocking somehow the Remote Desktop management???)

Thanx once again for your help...!!!

Hi Max,

You should go back and follow the instructions around the ether 1, they weren't really optional. Added to thet, you might at a later stage forget that ether1 is not configured, plug something in and swear lots because it isn't working .

I did try to keep it simple and so didn't really explain all of the implications of not following the steps to fix ether1 onwards, but for example for the step -

"Then go to the IP menu on the left and to the sub menu that is addresses. You will see your static IP address in here. Double click on it to open it up and change the interface from in my case (ether 2) to be bridge."

This moves the IP address allocated to the hAP away from jsut the ether2 port and up onto the bridge so that you can access the hAP configuration page from all ports. Without doing this, it will be likely (I haven't tested it) that you can only see the hAP config page from a device or network plugged into ether2.

There will be other steps that may equally have side effects if you don't follow all of the steps through. Leaving the firewall rules in place for example may in certain circumstances limit connectivity and stop the hAP functioning as a switch and not putting the default route in will stop you upgrading the hAP over the Internet at a later point.

If you follow the rest of the steps through then you should be fine in most if not all cases.

For the issue of not getting the setup page on 192.168.88.1, after you did the quickset and put in the static ip address for the network, you shouldn't be able to get to the setup page on 192.168.88.1 anymore. It should now be on the address you gave it during the quickset (192.168.1.xxx). As per the previous point though, without following all of the steps through you might not be able to get to the setup page other than through ether2.

If you move it back local to your PC againg, plug into ether2, you should be able to get to the setup page on the 192.168.1.xxx address and then complete the rest of the steps.

Glad you've made some good progress and if you can finish all of the steps then let me know how that is looking, I'm happy to help further if you are still having issues.

OK Diddie, lets start the troubleshooting....in you step: “I then went into quick set and selected Home AP Dual and filled in the wireless details incl password, set the Internet address as automatic and for the local network I gave it a static address in the main home range (ensuring that it wasn't within any the DHCP pool which in your case will be allocated by your main router). I unclicked firewall router, DHCP Server and NAT as you won't use any of these for an access point.”, when I change the network address from the default 192.168.88.1 to e.g. 192.168.1.88 and hit “apply configuration”, the Mikrotik in no longer accessible from either ethernet port (ofcoure not using ethernet1) nor from a wifi connection. What am i doing wrong?

OK Diddie, lets start the troubleshooting....in you step: “I then went into quick set and selected Home AP Dual and filled in the wireless details incl password, set the Internet address as automatic and for the local network I gave it a static address in the main home range (ensuring that it wasn't within any the DHCP pool which in your case will be allocated by your main router). I unclicked firewall router, DHCP Server and NAT as you won't use any of these for an access point.”, when I change the network address from the default 192.168.88.1 to e.g. 192.168.1.88 and hit “apply configuration”, the Mikrotik in no longer accessible from either ethernet port (ofcoure not using ethernet1) nor from a wifi connection. What am i doing wrong?

Make your changes in safe mode! Then when you lose connectivity a reboot gets you back to the point of where you were at prior to the change, so nothing is lost up to that point.

Again playing whackamole with config changes will take us a long time to fix.
go to your terminal,
/export hide-sensitive file=configreview (or any name you wish).

Go to files, find the file name and download to your computer,
use noteapp ++ and then copy and paste here

Anav's advice is really good!

The only quick question I'd have is that when you hit apply configuration in the quickset having set the Mikrotik address to 192.168.1.88, we are also turning off the DHCP server on the Mikrotik. If you are connected directly to the Mikrotik and nothing else, you will no longer get a dynamic address on your PC and will have to set one manually on your PC.

I mentioned this in the first post - "You may have to change your local computer IP address settings at points on the way through this, depending on whether you use dynamic addressing or static"

What I meant was that as you won't get a dynamic IP address from the Mikrotik anymore and possibly you are not connected to your main network to get an ip address from your main router, so you may have to set a static IP address on your PC temporarily. This would be for example 192.168.1.87 with a subnet mask of 255.255.255.0 to ensure you are on the same subnet as the Mikrotik.

Alternatively, if you plug the Mikrotik direct into your main router and also your PC direct into the main router, your PC should get a dynamic IP address in the correct range direct from the router and the Mikrotik should already in the right range. If you do plug your Mikrotik into the main router, start with ether2 on the Mikrotik, and if that doesn’t work, try 3, 4 & 5 in turn.
Failing that, I think Anav’s advice is the best next step

I literally spent an hour walking through configuring one of my own hAP's as I wrote the instructions to make it as accurate and easy as possible, and I promise it did work at the end Either I've missed something in the instructions (entirely possible) or the description is not coming across to you clearly enough.

A config view will give us the opportunity to explain corrections as to the why, there is only so much value in rote directions without understanding the why....

OK Diddie, lets start the troubleshooting....in you step: “I then went into quick set and selected Home AP Dual and filled in the wireless details incl password, set the Internet address as automatic and for the local network I gave it a static address in the main home range (ensuring that it wasn't within any the DHCP pool which in your case will be allocated by your main router). I unclicked firewall router, DHCP Server and NAT as you won't use any of these for an access point.”, when I change the network address from the default 192.168.88.1 to e.g. 192.168.1.88 and hit “apply configuration”, the Mikrotik in no longer accessible from either ethernet port (ofcoure not using ethernet1) nor from a wifi connection. What am i doing wrong?

Make your changes in safe mode! Then when you lose connectivity a reboot gets you back to the point of where you were at prior to the change, so nothing is lost up to that point.

Again playing whackamole with config changes will take us a long time to fix.
go to your terminal,
/export hide-sensitive file=configreview (or any name you wish).

Go to files, find the file name and download to your computer,
use noteapp ++ and then copy and paste here

Here is my configuration BEFORE I connect the Mikrotik to my network (before it get 192.168.1.xxx address)

# jan/02/1970 00:04:16 by RouterOS 6.42.3
# software id = V5SA-2XHC
#
# model = RBD52G-5HacD2HnD
# serial number = 8FDE08254A6F
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=greece disabled=no distance=indoors frequency=auto mode=ap-bridge \
ssid=MikroTik-2G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-Ceee country=greece disabled=no distance=indoors frequency=\
auto mode=ap-bridge ssid=MikroTik-5G wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
/system routerboard settings
set silent-boot=no

After connecting the Mikrotik to the network, I can no longer access Webfig (192.168.88.1)...HTPC is connected to ether2 (the PC I'm accessing Webfig) and network to ether4

Well you should still be able to get to winbox via the mac address etc......
But you have not setup the router for your network.

Where is the IP pool, the IP DHCP server, the DHCP network etc for your network 192.168.1.xxx ??
Ideally you create that network and then remove the .88.1 one after all is in place.

Also ensure you change admin name to something else for access and put in password etc.........

Also looks like your src-nat rule is disabled???

Also you have no INPUT chain firewall rules???

That’s the problem, when I plug in the network cable connected to my modem/router, I can no longer log-in to Webfig and make changes...

Now, after the initial setup, all devices connected to the Mikrotik (i.e. HTPC and SmartTV) work OK and they have access to netwirk and internet...

How can I connect to Mikrotik webfig if 192.168.88.1 doesn’t work???

Did you try plugging the PC in to ether 2 etc. as suggested - "plug your Mikrotik into the main router, start with ether2 on the Mikrotik, and if that doesn’t work, try 3, 4 & 5 in turn"

192.168.88.1 will not work anymore. When you type the IP address into quickset, you are changing it away from 192.168.88.1. You need to use the address that you give it in quickset. I think you said you were using 192.168.1.88.

If you are using winbox, it should be found automatically. If you are using webfig, you will need to type http://192.168.1.88 (or whatever address you typed into quickset.

I use winbox not webconfig so i am of no help on this one.