
Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Thu Oct 15, 2020 9:31 pm
by RandomKappaUsr
Hello guys,

So recently, I have switched my ISP and they provided me with Mikrotik hAP-AC2 as my previous router-modem was not suitable for bonding.

So I have configured hAP-AC2 according to some guides and it seems to be working well.

However, I also need a secondary device for WiFi signal extension and my main PC connection on the ground floor (please see my schema below).
scheme.png
On my old router (ZTE) I only needed to turn off the DHCP server and assign an address to it + turn on the WIFI (same ssid as primary device) and it was working fine.

But I wanted my secondary device to be as compatible as possible so instead of the old ZTE I have bought used Mikrotik hAP-lite.

I have successfully connected hAP-lite (secondary) into hAP-AC2 (primary) and the internet on my PC connected to hAP-lite (secondary) is working OK.

However, now I have the following issues:
- hAP-lite (secondary) itself does not seem to be connected to the internet, so I cannot update packages via Winbox (System->Packages->Check for update) and the time of the device is not synced... is there an easy way to do it, or do you guys recommend leaving it without being connected to the internet at all?
- sometimes when migrating from F2 to F1 my phone's WiFi displays an exclamation mark (!) and shows "no internet", and I either have to wait 1-2 minutes for it to fix itself or turn WiFi off and back on... is there anything I can do about it? Could it be caused by incorrect configuration of either device? As you can guess, this is very annoying...

I am attaching configuration files from both devices:
primary_hAP-ac2.rsc
secondary_hAP-lite.rsc

I would be very grateful for any advice and if you also find something "nasty" in my configs, please let me know so I can try to correct it.

Thank you in advance for any feedback.

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Fri Oct 16, 2020 2:33 am
by anav
You didn't mention VLANs, but if you go that route this article is very good at detailing devices acting as routers only, routers with WiFi, access point-switches, and switches.
In your case you have the second and third cases.
viewtopic.php?f=13&t=143620

Didn't see anything off the bat that caught my eye, but when one has more than one bridge I lose the bubble quickly.

I am not in favour of extra bridges when not necessary.
I would have one bridge and two vlans 10 and 20 instead of the bridge separated networks.

Glad this is disabled as it appears to be a friggen huge security leak.
/ip firewall filter
add action=accept chain=input comment="Allow METRONET mgmt" disabled=yes \
src-address=78.110.208.128/25

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Fri Oct 16, 2020 3:07 am
by Sob
Didn't see anything off the bat that caught my eye, but when one has more than one bridge I lose the bubble quickly.
It's because it's not there and that's the problem. hAP-lite is missing default route and dns. And you can't blame it on too many bridges, because that device has only one. :)

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Fri Oct 16, 2020 4:46 pm
by anav
oopsie, never noticed the missing ip route....... (better add that to my checklist)!

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Fri Oct 16, 2020 11:33 pm
by RandomKappaUsr
You didn't mention VLANs, but if you go that route this article is very good at detailing devices acting as routers only, routers with WiFi, access point-switches, and switches.
In your case you have the second and third cases.
viewtopic.php?f=13&t=143620

Didn't see anything off the bat that caught my eye, but when one has more than one bridge I lose the bubble quickly.

I am not in favour of extra bridges when not necessary.
I would have one bridge and two vlans 10 and 20 instead of the bridge separated networks.

Glad this is disabled as it appears to be a friggen huge security leak.
/ip firewall filter
add action=accept chain=input comment="Allow METRONET mgmt" disabled=yes \
src-address=78.110.208.128/25
Hello, thank you for sending me the link, I will check it out.

I created the second bridge to separate Guest WiFi network - is there any better way to do it then?

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 12:52 am
by RandomKappaUsr
Didn't see anything off the bat that caught my eye, but when one has more than one bridge I lose the bubble quickly.
It's because it's not there and that's the problem. hAP-lite is missing default route and dns. And you can't blame it on too many bridges, because that device has only one. :)
Hello, thank you for answering!

Could you please further explain what you mean by that, though?

I have changed the device IP via IP -> Addresses, but I am not sure what I should do to make this hAP-lite able to update itself from the internet and get the correct time.

Thank you in advance for advice.

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 1:44 am
by Sob
The device must be able to resolve hostnames, that's why it needs a DNS server. And it needs to know how to reach the internet, and that's done using a default gateway. So you need this:
/ip dns
set servers=192.168.88.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1
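As an added example (not part of Sob's reply), here is the complete management-plane setup for a bridged AP like the hAP lite, together with the checks that confirm the AP itself can reach the internet. It assumes the AP's bridge is named "bridge", the AP's own address is 192.168.88.2 and the hAP ac2 is 192.168.88.1; those names and the use of IP Cloud for time (which bpwl suggests later in the thread) are assumptions, not the original poster's config.

```routeros
# Added example (not from the thread): management connectivity for a bridged AP.
# Assumes the hAP lite's bridge is called "bridge" and the hAP ac2 is 192.168.88.1.
/ip address
add address=192.168.88.2/24 interface=bridge comment="AP management address (assumed)"

# The AP only needs to resolve names for itself (package updates, time sync),
# so it does not have to act as a resolver for other hosts on the LAN.
/ip dns
set servers=192.168.88.1 allow-remote-requests=no

# Default route: everything that is not on the LAN goes via the main router.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1 comment="default via hAP ac2"

# Clock: let IP Cloud set the time (this itself needs DNS and the default route).
/ip cloud
set update-time=yes

# Checks, in the order the dependencies stack up:
/ping 192.168.88.1 count=3            # gateway reachable on the LAN?
/ping 1.1.1.1 count=3                 # default route works?
:put [:resolve upgrade.mikrotik.com]  # DNS works (answered via 192.168.88.1)?
/system package update check-for-updates   # what Winbox "Check for updates" runs
/system clock print                   # date should no longer be the factory default
```

If `/ping 1.1.1.1` works but `:resolve` fails, the route is fine and only DNS is wrong; if both fail, look at the route or at the firewall on the hAP ac2 first.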

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 2:14 pm
by RandomKappaUsr
The device must be able to resolve hostnames, that's why it needs a DNS server. And it needs to know how to reach the internet, and that's done using a default gateway. So you need this:
/ip dns
set servers=192.168.88.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1
Thank you very much!

One last question, do these settings make my hAP-lite (secondary) vulnerable in any way? Do I need to set up a firewall on it etc.? Or since all traffic is managed by hAP-AC2 (primary) I don't need to care about it?

Once more thank you and have a pleasant weekend!

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 4:56 pm
by anav
Yes, the primary router handles all the firewall rules.
I did not touch firewall rules at all when configuring the hex for a switch or for my capacs when configuring vlans and wifi.
(Just leave whatever default rules are in place and there should be no issues).

To be clear, the switch and access points are not doing any routing.

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 5:51 pm
by bpwl
Just some thoughts.

hAP ac2

Your WAN is ether1 / VLAN848 /PPOE_out1 , and the DHCP_client is delivering you the necessary default IP route.

Everything else is LAN ! So I'm surprised with : "add interface=bridge_hoste list=WAN" , as this will set severe limitations on what can be done from there, and will include NAT translation.
The firewall nat rule is correct, but that bridge_hoste should also be in the LAN interface list to my understanding
"/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN"

I do understand the need for limiting access to the bridge_domaci network by routing from bridge_hoste, but that should be another firewall rule.

NTP is missing here. Or just set "update time" enabled in IP Cloud.

The "nstreme" lines are probably some leftover .... from another setup.

hAP_Lite

As already explained, the DNS and default route is missing (you have no dhcp_client on the bridge here to deliver that, but you could even add one as workaround, and fix the IP address in the DHCP server)

Remove the "b" from "band=2ghz-b/g/n" if you are not using very old b-only client equipment.

general:
Avoid "frequency=auto" in all cases if you can (and set hAP ac2 and hAP Lite on different channels for 2.4GHz, using 1, 6 or 11 as in hAP Lite).

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 7:41 pm
by RandomKappaUsr
Just some thoughts.

hAP ac2

Your WAN is ether1 / VLAN848 /PPOE_out1 , and the DHCP_client is delivering you the necessary default IP route.

Everything else is LAN ! So I'm surprised with : "add interface=bridge_hoste list=WAN" , as this will set severe limitations on what can be done from there, and will include NAT translation.
The firewall nat rule is correct, but that bridge_hoste should also be in the LAN interface list to my understanding
"/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN"

I do understand the need for limiting access to the bridge_domaci network by routing from bridge_hoste, but that should be another firewall rule.

NTP is missing here. Or just set "update time" enabled in IP Cloud.

The "nstreme" lines are probably some leftover .... from another setup.

hAP_Lite

As already explained, the DNS and default route is missing (you have no dhcp_client on the bridge here to deliver that, but you could even add one as workaround, and fix the IP address in the DHCP server)

Remove the "b" from "band=2ghz-b/g/n" if you are not using very old b-only client equipment.

general:
Avoid "frequency=auto" in all cases if you can (and set hAP ac2 and hAP Lite on different channels for 2.4GHz, using 1, 6 or 11 as in hAP Lite).

Hello and thanks for you advice.

I have changed the following:

hAP ac2
- Changed bridge_hoste to LAN (I did not realize it would be assigned to WAN while doing so)
- Added firewall rule to drop requests from guest WIFI (forward, src address 192.168.99.0/24, dst address 192.168.88.0/24, action: drop)
- Added SNTP
- Since we do not have any other signals around, changed WiFi settings to 20/40MHz Ce, autofrequency, 2GHz-only-N ...everything seems to be working as before

hAP lite
- Added SNTP
- Since we do not have any other signals around, changed WiFi settings to 20/40MHz Ce, autofrequency, 2GHz-only-N ...everything seems to be working as before

I also tried fiddling with Multicast Helper, Multicast buffering and Keepalive frames. Right now I have all disabled on both devices and do not feel any difference. What are the recommended settings here? Shall I just leave it as it is or do you recommend enabling some specific combination?

One more question: If I wanted to also extend the guest wifi on hAP lite, how difficult would it be to separate it to 192.168.99.0/24? Currently, I believe it would be connected to "bridge_domaci" if I understand correctly that everything from hAP lite is assigned to this range 192.168.88.0/24 which is part of "bridge_domaci".

EDIT: Regarding the nstreme, I have never used it, shall I care about it?

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 7:43 pm
by RandomKappaUsr
Yes, the primary router handles all the firewall rules.
I did not touch firewall rules at all when configuring the hex for a switch or for my capacs when configuring vlans and wifi.
(Just leave whatever default rules are in place and there should be no issues).

To be clear, the switch and access points are not doing any routing.

Hello, thank you for confirming this.

Just to avoid the doubts, I currently have 0 rules on my hAP_Lite "switch", shall I try import some specific set of basic rules then?

Thank you!

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 8:36 pm
by bpwl
OK well done. Except for the auto frequency, it is better not to trust the auto frequency. And with 20/40MHz in the 2.4 GHz band, you will see that two non-overlapping ranges are not possible. You then better set them to exactly the same (co-channel airtime sharing) , or use 20 MHz only on one of them.
I also tried fiddling with Multicast Helper, Multicast buffering and Keepalive frames. Right now I have all disabled on both device and do not feel any difference. What is the recommended settings here? Shall I just leave it as it is or do you recommend enabling some specific combination?
I have not fully experimented with that one. Multicast helper is about converting slow broadcasts in many fast unicasts per client. Multicast buffering is to help the dormant period of handheld devices. And I believe Keepalive frames is sometimes needed for IOS devices. Not verified or tested. So I leave the helper on default, with buffering enabled.

One more question: If I wanted to also extend the guest wifi on hAP lite, how difficult would it be to separate it to 192.168.99.0/24? Currently, I believe it would be connected to "bridge_domaci" if I understand correctly that everything from hAP lite is assigned to this range 192.168.88.0/24 which is part of "bridge_domaci".
Expected that one :-) . The hAP_Lite is indeed connected to the ethernetport on bridge_domaci. To bring bridge_hoste to the hAP Lite, the ethernet connection has to be double. (First thought or draft is a second cable , with ethernet port on bridge_hoste .... but then we make it virtual on one ethernet cable by using VLAN (a VPN tunnel like SSTP could in theory also solve the puzzle)).

To use VLAN bring all interfaces on one bridge, and then use "untagged+ 1 VLAN", or "2 tagged VLAN's" to separate the traffic. For this simple setup you can leave the "domaci" traffic untagged on the bridge, and encapsulate the "hoste" traffic in a VLAN created on the bridge as interface. The IP settings of "bridge_hoste" go to that created VLAN interface.
You can make an easy but 'dumb-switch' setup, by just setting the corresponding wireless WLAN interfaces tagged (in the wireless setup) on both AP's. (There is even no need for a VLAN interface on the hAP Lite, just the VLAN tag on the virtual WLAN)
You can make a 'smart-switch' setup, with the possibility to even include some ethernet port on the hAP Lite in the "hoste" network if needed. Be prepared for quite some learning, and head scratching, by following this excellent documentation: viewtopic.php?f=13&t=143620
Your case is "access point". Here the VLAN is delivered untagged to the WLAN interface !!!!
Remember to always work in "Safe Mode" in WinBox whenever you (try to) set "vlan-filtering=yes". Losing all access is quite common in this phase, but you have spare ethernet ports that you could leave out of the setup to experiment in a safe way, by always having access to the AP.
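As an added example (not bpwl's code), here is what the "smart-switch" variant described above looks like as RouterOS configuration for both devices: the guest WLAN is carried to the hAP lite as VLAN 99 over the single existing cable, home traffic stays untagged, and the guest network's IP settings move from bridge_hoste to a VLAN interface on the router's bridge. Interface names (bridge-home, ether2/ether1 for the cable, wlan-guest for the guest virtual AP), the pool range and the DHCP server name are assumptions; the 192.168.99.0/24 range and the guest-to-home drop rule come from the thread.

```routeros
# Added example (not from the thread): guest WLAN carried to the second AP in VLAN 99,
# home traffic stays untagged (VLAN 1). Interface names are assumptions:
#   hAP ac2:  bridge "bridge-home", ether2 = cable to hAP lite, wlan-guest = guest virtual AP
#   hAP lite: bridge "bridge",      ether1 = cable from hAP ac2, wlan-guest = guest virtual AP
# Do all of this in Winbox Safe Mode: a mistake in vlan-filtering locks you out.

# ---------- hAP ac2 (router) ----------
# Frames from the guest WLAN are assigned VLAN 99 on ingress; the cable to the
# hAP lite and the bridge's own CPU port carry VLAN 99 tagged.
/interface bridge port
set [find interface=wlan-guest] pvid=99
/interface bridge vlan
add bridge=bridge-home vlan-ids=99 tagged=bridge-home,ether2 untagged=wlan-guest

# Routed interface for the guest network; it takes over the role of bridge_hoste.
/interface vlan
add name=vlan99-guest interface=bridge-home vlan-id=99
/interface list member
add interface=vlan99-guest list=LAN
/ip address
add address=192.168.99.1/24 interface=vlan99-guest
/ip pool
add name=pool-guest ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add name=dhcp-guest interface=vlan99-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1

# Guests may reach the internet but not the home LAN (same rule the OP added,
# now matched on the VLAN interface). The input chain still decides what guests
# may ask the router itself; DNS and DHCP from the LAN list must stay allowed.
/ip firewall filter
add chain=forward in-interface=vlan99-guest dst-address=192.168.88.0/24 \
    action=drop comment="guest -> home: drop"

# Last, because it changes how the bridge forwards everything:
/interface bridge
set bridge-home vlan-filtering=yes

# ---------- hAP lite (access point) ----------
# Same idea, no IP settings needed: guest WLAN in VLAN 99, tagged towards ether1.
/interface bridge port
set [find interface=wlan-guest] pvid=99
/interface bridge vlan
add bridge=bridge vlan-ids=99 tagged=ether1 untagged=wlan-guest
/interface bridge
set bridge vlan-filtering=yes
# Management stays on untagged VLAN 1, so access to the AP's 192.168.88.x address is unchanged.

# Checks on the hAP ac2: guest clients connected to either AP should show up as
# leases of dhcp-guest, and the bridge host table should list them in VLAN 99.
/ip dhcp-server lease print where server=dhcp-guest
/interface bridge host print where vid=99
```

Because the router now routes between vlan99-guest and the home network, the forward-chain drop rule is what keeps the two networks apart; the bridge VLAN table only keeps the guest frames from being flooded into the home ports at layer 2.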

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 8:44 pm
by anav
Post your latest configs
/export hide-sensitive file=anynameyouwish

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 9:05 pm
by RandomKappaUsr
OK well done. Except for the auto frequency, it is better not to trust the auto frequency. And with 20/40MHz in the 2.4 GHz band, you will see that two non-overlapping ranges are not possible. You then better set them to exactly the same (co-channel airtime sharing) , or use 20 MHz only on one of them.
I also tried fiddling with Multicast Helper, Multicast buffering and Keepalive frames. Right now I have all disabled on both device and do not feel any difference. What is the recommended settings here? Shall I just leave it as it is or do you recommend enabling some specific combination?
I have not fully experimented with that one. Multicast helper is about converting slow broadcasts in many fast unicasts per client. Multicast buffering is to help the dormant period of handheld devices. And I believe Keepalive frames is sometimes needed for IOS devices. Not verified or tested. So I leave the helper on default, with buffering enabled.

One more question: If I wanted to also extend the guest wifi on hAP lite, how difficult would it be to separate it to 192.168.99.0/24? Currently, I believe it would be connected to "bridge_domaci" if I understand correctly that everything from hAP lite is assigned to this range 192.168.88.0/24 which is part of "bridge_domaci".
Expected that one :-) . The hAP_Lite is indeed connected to the ethernetport on bridge_domaci. To bring bridge_hoste to the hAP Lite, the ethernet connection has to be double. (First thought or draft is a second cable , with ethernet port on bridge_hoste .... but then we make it virtual on one ethernet cable by using VLAN (a VPN tunnel like SSTP could in theory also solve the puzzle)).

To use VLAN bring all interfaces on one bridge, and then use "untagged+ 1 VLAN", or "2 tagged VLAN's" to separate the traffic. For this simple setup you can leave the "domaci" traffic untagged on the bridge, and encapsulate the "hoste" traffic in a VLAN created on the bridge as interface. The IP settings of "bridge_hoste" go to that created VLAN interface.
You can make an easy but 'dumb-switch' setup, by just setting the corresponding wireless WLAN interfaces tagged (in the wireless setup) on both AP's. (There is even no need for a VLAN interface on the hAP Lite, just the VLAN tag on the virtual WLAN)
You can make a 'smart-switch' setup, with the possibility to even include some ethernet port on the hAP Lite in the "hoste" network if needed. Be prepared for quite some learning, and head scratching, by following this excellent documentation: viewtopic.php?f=13&t=143620
Your case is "access point". Here the VLAN is delivered untagged to the WLAN interface !!!!
Remember to always work in "Safe Mode" in WinBox whenever you (try to) set "vlan-filtering=yes". Losing all access is quite common in this phase, but you have spare ethernet ports that you could leave out of the setup to experiment in a safe way, by always having access to the AP.
Thank you very much, I will try to configure it during free time but yea, it looks like a big challenge for me :-D

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 9:22 pm
by RandomKappaUsr
Post your latest configs
/export hide-sensitive file=anynameyouwish
Hello, please find attached.

I have changed the names to English so it is more understandable...

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 10:16 pm
by anav
Looking at the main router,
I see you don't allow DNS via the router but you do have DNS servers on the net that you have identified.

Maybe blind but I didn't see an ip route rule?
Other than that nothing obvious


I am used to vlans so these configs seem naked to me LOL.
I noticed this..
/ip dns
set allow-remote-requests=yes servers=192.168.88.1

Which may mean you are sending DNS requests from the hAP lite to the main router, but you don't allow the main router to function as DNS server from the LAN. Not sure if that's how it will work as the config relationship between the two units is not clear to me.

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 11:21 pm
by bpwl
"Maybe blind but I didn't see an ip route rule?"

Don't forget what comes via the dhcp-client on the WAN interface. :-)
DNS server and Default route are typical added then, and are not visible in the "export", but in the "print".
Gives surprises sometimes if you remove or disable the dhcp-client because you finally added a fixed IP address, and forgot about the other dynamic settings.

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 11:39 pm
by RandomKappaUsr
Looking at the main router,
I see you don't allow DNS via the router but you do have DNS servers on the net that you have identified.

Maybe blind but I didn't see an ip route rule?
Other than that nothing obvious


I am used to vlans so these configs seem naked to me LOL.
I noticed this..
/ip dns
set allow-remote-requests=yes servers=192.168.88.1

Which may mean you are sending DNS requests from the hAP lite to the main router, but you don't allow the main router to function as DNS server from the LAN. Not sure if that's how it will work as the config relationship between the two units is not clear to me.
Hello, thanks for your notes.

Unfortunately, I do not understand what you mean by "I see you don't allow DNS via the router but you do have DNS servers on the net that you have identified." I have DNS servers set to 1.1.1.1 and 1.0.0.1 (Cloudflare), and in my PC's ipconfig I can see the following DNS addresses: 192.168.88.1, 1.1.1.1, 1.0.0.1. Also, when I check the hAP-AC2 DNS cache, it is full of information.

"Maybe blind but I didn't see an ip route rule?" could you please elaborate what I should change/set?

Should I switch allow-remote-requests=yes to allow-remote-requests=no on my hapaclite?

Hopefully my last question, when I check my log I see the following rows all the time.
I have found out this is my Xiaomi Vacuum Mop https://www.amazon.de/-/en/Xiaomi-25012 ... 092&sr=8-5

Should I care about it? Is there anything I can do?
Untitled.png

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sat Oct 17, 2020 11:42 pm
by RandomKappaUsr
"Maybe blind but I didn't see an ip route rule?"

Don't forget what comes via the dhcp-client on the WAN interface. :-)
DNS server and Default route are typical added then, and are not visible in the "export", but in the "print".
Gives surprises sometimes if you remove or disable the dhcp-client because you finally added a fixed IP address, and forgot about the other dynamic settings.
is this OK then? :-)
Untitled.png
Untitled2.png

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 12:32 am
by bpwl
DHCP problem. Not easy to diagnose.

I see a DHCP lease for 50 seconds only. I hope the lease time is not set at 50 sec (it's not in the config file, so it should be the default 10 minutes. (May be set much larger!))

What I think happens is: If you look at the DHCP leases live assignment-status in the DHCP server on the hAP ac2, you will see it appear with status "offered" for 50 seconds, and then not going to "bound" but gets deleted.
The DHCP server has to validate the leased DHCP address, and that validation fails. This forum is full of stories with the DHCP-server on the bridge and failing DHCP leases for WLAN.

The remedies are trial and error. Sometimes adding topic "dhcp" to the system/logging gives more insight. Sometimes sniffing the traffic gives a clue (with a universal wifi repeater in the path the broadcasted validation request never reaches the client, so there is no answer). Timing of interfaces on the bridge when the WLAN has to become active first, combined with spanning tree convergence timing seems to play a role. My knowledge so far.

I have some trials .... to test
1. Set parameters back to default on the WLAN: multicast helper = default, multicast buffering = enabled, keepalive frames = enabled
2. on the bridge "bridge-home" set the STP (spanning tree protocol) mode to "none". In quite some cases that worked.

If not .... what is now the extended DHCP logging in the log ??

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 12:50 am
by RandomKappaUsr
DHCP problem. Not easy to diagnose.

I see a DHCP lease for 50 seconds only. I hope the lease time is not set at 50 sec (it's not in the config file, so it should be the default 10 minutes. (May be set much larger!))

What I think happens is: If you look at the DHCP leases live assignment-status in the DHCP server on the hAP ac2, you will see it appear with status "offered" for 50 seconds, and then not going to "bound" but gets deleted.
The DHCP server has to validate the leased DHCP address, and that validation fails. This forum is full of stories with the DHCP-server on the bridge and failing DHCP leases for WLAN.

The remedies are trial and error. Sometimes adding topic "dhcp" to the system/logging gives more insight. Sometimes sniffing the traffic gives a clue (with a universal wifi repeater in the path the broadcasted validation request never reaches the client, so there is no answer). Timing of interfaces on the bridge when the WLAN has to become active first, combined with spanning tree convergence timing seems to play a role. My knowledge so far.

I have some trials .... to test
1. Set parameters back to default on the WLAN: multicast helper = default, multicast buffering = enabled, keepalive frames = enabled
2. on the bridge "bridge-home" set the STP (spanning tree protocol) mode to "none". In quite some cases that worked.

If not .... what is now the extended DHCP logging in the log ??

Hello,

So the status in DHCP server is "Bound" all time.
The lease time is 5 hours so that should not be a problem...
Untitled.png

ad 1. it does not matter which settings, always the same issue with deassigning
ad 2. switching RSTP to STP kinda scared me since it disconnected me from the router and the internet for like a good minute LOL ... unfortunately it did not help and the log is still crazy

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 12:59 am
by bpwl
ad 2. switching RSTP to STP kinda scared me since it disconnected me from the router and the internet for like a good minute LOL ... unfortunately it did not help and the log is still crazy
Set STP mode to "none" never to "STP" :-) !!!!! RSTP and MSTP should be good values anyway for their specific cases.

Then the client might release the DHCP lease !? Is that request in the log somewhere? It is not the DHCP server which gave 5 hours and there is no pseudo-bridge repeater in the path (all MAC's do match)

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 2:08 am
by anav
I don't know, I am still not sure about how you have set up DNS.
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 ???????????????
add address=192.168.99.0/24 gateway=192.168.99.1 ???????????????
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan


What is the point of the static setting? (It's from the default config and you could delete it.)
More importantly, how is the user supposed to get to 1.1.1.1 or 1.0.0.1?
Clearly you have stopped the users from using the router's DNS services as port 53 is blocked.
So I think the intent is for the router to use the dynamic DNS servers you put into the config.

But you are missing the part in the dhcp-server network to get them there, I think??
Doesn't one have to put in 192.168.88.1 and 192.168.99.1 respectively?? So the router knows to send the DNS requests to the dynamic servers via the LAN gateway, so to speak????

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 11:07 am
by RandomKappaUsr
I don't know, I am still not sure about how you have set up DNS.
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 ???????????????
add address=192.168.99.0/24 gateway=192.168.99.1 ???????????????
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan


What is the point of the static setting? (It's from the default config and you could delete it.)
More importantly, how is the user supposed to get to 1.1.1.1 or 1.0.0.1?
Clearly you have stopped the users from using the router's DNS services as port 53 is blocked.
So I think the intent is for the router to use the dynamic DNS servers you put into the config.

But you are missing the part in the dhcp-server network to get them there, I think??
Doesn't one have to put in 192.168.88.1 and 192.168.99.1 respectively?? So the router knows to send the DNS requests to the dynamic servers via the LAN gateway, so to speak????

Hello, I am really trying to understand you but I still have no clue what you mean.

My firewall rule for blocking DNS is for ether1 which is my VDSL (pppoe) so I thought that by this rule I block DNS requests from outside the world.

Regarding the dynamic part, I thought that dynamic DNS applies only when I tick "Use peer DNS" as depicted below
Untitled.png
Could you please be more "basic" and tell me what is wrong and what I need to set? What should be the "symptoms" of the incorrect settings now?

Thank you in advance!

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 11:14 am
by RandomKappaUsr
ad 2. switching RSTP to STP kinda scared me since it disconnected me from the router and the internet for like a good minute LOL ... unfortunately it did not help and the log is still crazy
Set STP mode to "none" never to "STP" :-) !!!!! RSTP and MSTP should be good values anyway for their specific cases.

Then the client might release the DHCP lease !? Is that request in the log somewhere? It is not the DHCP server which gave 5 hours and there is no pseudo-bridge repeater in the path (all MAC's do match)
Where do I find such log please?

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 11:55 am
by bpwl


Then the client might release the DHCP lease !? Is that request in the log somewhere? It is not the DHCP server which gave 5 hours and there is no pseudo-bridge repeater in the path (all MAC's do match)
Where do I find such log please?
See previous post
The remedies are trial and error. Sometimes adding topic "dhcp" to the system/logging gives more insight. Sometimes sniffing the traffic gives a clue (with a universal wifi repeater in the path the broadcasted validation request never reaches the client, so there is no answer).
Klembord-2.jpg
You can disable it if not needed anymore

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 12:10 pm
by RandomKappaUsr


Then the client might release the DHCP lease !? Is that request in the log somewhere? It is not the DHCP server which gave 5 hours and there is no pseudo-bridge repeater in the path (all MAC's do match)
Where do I find such log please?
See previous post
The remedies are trial and error. Sometimes adding topic "dhcp" to the system/logging gives more insight. Sometimes sniffing the traffic gives a clue (with a universal wifi repeater in the path the broadcasted validation request never reaches the client, so there is no answer).
Klembord-2.jpg

You can disable it if not needed anymore

Oh, thanks! :-)

Here you go... the whole cycle looks like this (I left the last two lines from the old cycle as proof)
Untitled.png

BTW I believe no one answered me when I was asking if it is safe that my hAP-lite has no firewall rules at all, or if I should rather place the default set there (not sure how I would do it though :D).

Best regards

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 12:11 pm
by bpwl
I don't know, I am still not sure about how you have set up DNS.

What is the point of the static setting? (It's from the default config and you could delete it.)
More importantly, how is the user supposed to get to 1.1.1.1 or 1.0.0.1?
Clearly you have stopped the users from using the router's DNS services as port 53 is blocked.
So I think the intent is for the router to use the dynamic DNS servers you put into the config.

The hAP ac2 DNS server will forward the requests to the entered DNS servers

Klembord-3.jpg
There are no dynamic DNS servers in the list, because of this setting
Klembord-2.jpg
"Use peer DNS" will take the DNS server list presented in the DHCP lease of the ISP, in addition to the static DNS servers entered.
Here you do not use the DNS servers presented by your ISP, but your static Cloudflare DNS servers.
Requesting DNS to 192.168.88.1 for the clients is good practice, as you cache most of the answers, speeding up response time and reducing traffic, and are able to overrule some answers and add some local ones. The user is not supposed to be allowed to go to another DNS server on the internet. Very useful when DNS filtering is used (https://www.cloudflare.com/learning/acc ... filtering/). However, now comes the DoH method bypassing our control.
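As an added example (not bpwl's or anav's configuration), this is the pattern the two replies above describe, written out end to end: the router answers DNS for its LAN clients, forwards to the static Cloudflare servers, hands itself out as resolver via DHCP, and drops port 53 on the WAN side so that allow-remote-requests=yes does not turn it into an open resolver. It assumes the default-config WAN and LAN interface lists exist (the thread shows list=WAN being used) and uses the two networks from the thread; the place-before positions are an assumption about rule order.

```routeros
# Added example (not from the thread): router as LAN resolver without becoming an open resolver.
# Assumes the default WAN/LAN interface lists and the two networks from the thread.

# The router answers DNS for the LAN and forwards upstream to Cloudflare.
# "Use peer DNS" on the PPPoE client stays off, so no ISP servers are added dynamically.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

# allow-remote-requests=yes listens on ALL interfaces, including the PPPoE one,
# so the WAN side must be closed explicitly. Matching on the interface list means
# the rule keeps working whether the WAN is ether1, the VLAN or pppoe-out1.
# Placed at the top of the input chain so no earlier generic accept lets them in.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="no DNS from WAN (udp)" place-before=0
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop \
    comment="no DNS from WAN (tcp)" place-before=0
# LAN-side queries are accepted by the default "accept from LAN" input rule.

# Clients learn the router as their resolver from DHCP (one gateway per network).
/ip dhcp-server network
set [find address=192.168.88.0/24] dns-server=192.168.88.1
set [find address=192.168.99.0/24] dns-server=192.168.99.1

# Checks:
/ip dns print                                       # dynamic-servers stays empty
/ip firewall filter print stats where dst-port=53   # counters show WAN queries being dropped
/ip dns cache print count-only                      # grows only if clients really use the router
```

The drop counters on the two WAN rules are worth watching for a while after enabling this: a steady stream of hits means the router was being found by resolver scanners, which is exactly the traffic the rules exist to stop.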

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 12:16 pm
by bpwl

BTW I believe no one answered me when I was asking if it is safe that my hap-lite has no firewall rules at all or if I should rather place the default set there (not sure how I would do it tho :D).

Best regards
You are just bridging in the hAP Lite. Firewall rules are not needed at all, and if they are entered then they will not be used (unless you force the bridge to use the Firewall). Remember everything is LAN in the hAP Lite!

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 12:23 pm
by RandomKappaUsr
I don't know, I am still not sure about how you have set up DNS.

What is the point of the static setting (it's from the default config and you could delete it).
More importantly, how is the user supposed to get to 1.1.1.1 or 1.0.0.1?
Clearly you have stopped the users from using the router's DNS services as port 53 is blocked.
So I think the intent is for the router to use the dynamic DNS servers you put into the config.

The hAP ac2 DNS server will forward the requests to the entered DNS servers


Klembord-3.jpg

There are no dynamic DNS servers in the list, because of this setting

Klembord-2.jpg

"Use peer DNS" will take the DNS server list presented in the DHCP lease of the ISP, in addition to the static DNS servers entered.
Here you do not use the DNS servers presented by your ISP, but your static Cloudflare DNS servers.
Requesting DNS to 192.168.88.1 for the clients is good practice, as you cache most of the answers, speeding up response time and reducing traffic, and are able to overrule some answers and to add some local ones. The user is not supposed to be allowed to go to another DNS server on the internet. Very useful when DNS filtering is used (https://www.cloudflare.com/learning/acc ... filtering/). However, now comes the DoH method bypassing our control.
So in other words, my current settings are OK?
I also tried Cloudflare's DoH, but opening websites took noticeably longer.

You are my savior! :D

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 12:23 pm
by RandomKappaUsr

BTW I believe no one answered me when I was asking if it is safe that my hap-lite has no firewall rules at all or if I should rather place the default set there (not sure how I would do it tho :D).

Best regards
You are just bridging in the hAP Lite. Firewall rules are not needed at all, and if they are entered then they will not be used (unless you force the bridge to use the Firewall). Remember everything is LAN in the hAP Lite!
Perfect, that is what I thought and therefore I loaded empty "preset" while setting up hap-lite! Thanks for confirming

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 12:28 pm
by bpwl

Oh, thanks! :-)

Here you go... the whole cycle looks like this (left two last line from the old cycle as a proof)
This looks like a perfect DHCP lease handshake.
One can even verify the DNS/Domain Servers list offered to the DHCP client.
I think the client Xiaomi sends a lease renew every 50 seconds.

Klembord-2.jpg

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 12:32 pm
by RandomKappaUsr

Oh, thanks! :-)

Here you go... the whole cycle looks like this (left two last line from the old cycle as a proof)
This looks like a perfect DHCP lease handshake. I think the client Xiaomi sends a lease renew every 50 seconds.
Klembord-2.jpg
Well, that is annoying but at least you have confirmed to me it is OK.

Can it have something to do with the fact that the Xiaomi can also be accessed outside my WiFi and therefore the lease time is set to a low value? Meaning I can turn on the vacuum cleaner while being far from WiFi...

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 12:41 pm
by bpwl


Well, that is annoying but at least you have confirmed to me it is OK.

Can it have something to do with the fact that the Xiaomi can also be accessed outside my WiFi and therefore the lease time is set to a low value? Meaning I can turn on the vacuum cleaner while being far from WiFi...
Some manufacturers just set this some way. Even MKT has a short lease timeout by default. Just avoiding hypothetical problems, and not concerned about the overhead it creates.
You can try to eliminate that logging (topics "info" and prefix "!dhcp", or topics "info,!dhcp".... never tried that one)
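As an added example (not from the thread or either device's .rsc), here are the two logging changes discussed in this post written out for the RouterOS terminal: DHCP logging switched on while a lease problem is being chased, then removed and filtered back out of the default log. It assumes the default memory logging rule (topics=info, action=memory) is still present, as it is on a fresh default configuration; if that rule has been changed, match it by its own comment instead.

```routeros
# Troubleshooting: log the whole DHCP conversation (discover/offer/request/ack,
# renewals, NAKs) into the memory log so it appears under /log print.
/system logging add topics=dhcp action=memory comment="dhcp troubleshooting"

# Watch it live while a client roams between the two access points.
/log print follow where topics~"dhcp"

# Once the lease handshake is confirmed good, remove the extra rule again...
/system logging remove [find comment="dhcp troubleshooting"]

# ...and, if the frequent renewals still clutter the log, exclude the dhcp
# topic from the default "info" rule with the "!" negation (assumption: the
# default rule is the one matched by topics=info).
/system logging set [find topics=info] topics=info,!dhcp
```

Keeping the troubleshooting rule as a separate entry with its own comment makes it easy to remove cleanly afterwards, instead of editing the default rule twice.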

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 1:34 pm
by RandomKappaUsr


Well, that is annoying but at least you have confirmed to me it is OK.

Can it have something to do with the fact that the Xiaomi can also be accessed outside my WiFi and therefore the lease time is set to a low value? Meaning I can turn on the vacuum cleaner while being far from WiFi...
Some manufacturers just set this some way. Even MKT has a short lease timeout by default. Just avoiding hypothetical problems, and not concerned about the overhead it creates.
You can try to eliminate that logging (topics "info" and prefix "!dhcp", or topics "info,!dhcp".... never tried that one)

Thanks, will try it! :-)

As a last thing, could you please look at my answer from Sun Oct 18, 2020 11:23 am? Anav's answer confused me and I would like to double check whether my current settings are OK.

As I wrote, I have the following records in my ipconfig
Untitled.png

Is the goal just to have router's ip there, i.e. 192.168.88.1 ? If so, how do I achieve this?

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 1:57 pm
by bpwl

Is the goal just to have router's ip there, i.e. 192.168.88.1 ? If so, how do I achieve this?
Well if the client is going to 1.1.1.1 or 1.0.0.1 then it has the same filtering as 192.168.88.1. I don't know how to prevent the client from doing this. It does this when 192.168.88.1 has no answer. (That is every time a device starts, because they generate random impossible DNS requests to test the DNS responses. But is also quite common behavior. Don't know if this is coming from the DNS list sent to the client or the DNS server forwarding table.)

Instead of blocking DNS requests to internet, the other alternative is to redirect it to the local DNS. It's a bit more user friendly, for a guest who has set 8.8.8.8 as DNS server, and would not be able to get DNS responses when blocked. With redirect the guest will not use 8.8.8.8 but get a DNS-filtered response from 192.168.88.1

To answer the question ... maybe setting DNS in the DHCP network entry will do what you want
Klembord-2.jpg
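As an added example (not from the thread or the posted primary_hAP-ac2.rsc), here is the "redirect instead of block" design bpwl describes, written out as RouterOS CLI for the hAP ac2. It assumes the default configuration's interface lists LAN and WAN, ether1 as the ISP-facing port, the 192.168.88.0/24 subnet from the thread, and the default firewall rule commented "defconf: drop all not coming from LAN" (used as the place-before anchor so the new rules land above the final drop); adjust those names if the box differs.

```routeros
# 1. The router's own resolver: static upstreams, answering queries from the LAN.
#    use-peer-dns=no stops the ISP lease from adding competing "dynamic servers".
/ip dns set servers=1.1.1.1,1.0.0.1 allow-remote-requests=yes
/ip dhcp-client set [find interface=ether1] use-peer-dns=no

# 2. Hand the router itself to clients as their DNS server (DHCP option 6).
#    This is the "DNS Servers" field of the DHCP network entry from the screenshot.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1

# 3. Input chain: the LAN may query the router's resolver, the WAN side never may.
#    allow-remote-requests=yes without the WAN drop would expose an open resolver.
/ip firewall filter add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept \
    comment="LAN DNS to router" place-before=[find comment="defconf: drop all not coming from LAN"]
/ip firewall filter add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept \
    comment="LAN DNS to router (TCP)" place-before=[find comment="defconf: drop all not coming from LAN"]
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="no DNS from WAN" place-before=[find comment="defconf: drop all not coming from LAN"]

# 4. Instead of dropping hard-coded 8.8.8.8-style queries, pull them back to the router.
#    dstnat runs before routing, so the guest still "talks to 8.8.8.8" but receives the
#    filtered answer from 192.168.88.1. The router's own forwarded queries leave through
#    the output chain and are not touched by this rule.
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 \
    comment="redirect LAN DNS to router"
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 \
    comment="redirect LAN DNS to router (TCP)"

# Check: "servers" should list the two static entries and "dynamic-servers" should be
# empty; the network entry should show dns-server=192.168.88.1.
/ip dns print
/ip dhcp-server network print
```

The redirect only covers classic port 53 DNS. As the thread already notes, DoH (TCP 443) and DoT (TCP 853) clients bypass the local forwarder entirely, so the redirect is a convenience for misconfigured guests, not a guarantee that every name lookup passes the filter.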

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 2:57 pm
by RandomKappaUsr

Is the goal just to have router's ip there, i.e. 192.168.88.1 ? If so, how do I achieve this?
Well if the client is going to 1.1.1.1 or 1.0.0.1 then it has the same filtering as 192.168.88.1. I don't know how to prevent the client from doing this. It does this when 192.168.88.1 has no answer. (That is every time a device starts, because they generate random impossible DNS requests to test the DNS responses. But is also quite common behavior. Don't know if this is coming from the DNS list sent to the client or the DNS server forwarding table.)

Instead of blocking DNS requests to internet, the other alternative is to redirect it to the local DNS. It's a bit more user friendly, for a guest who has set 8.8.8.8 as DNS server, and would not be able to get DNS responses when blocked. With redirect the guest will not use 8.8.8.8 but get a DNS-filtered response from 192.168.88.1

To answer the question ... maybe setting DNS in the DHCP network entry will do what you want

Klembord-2.jpg

So I have set it the following way...
Not feeling any difference while browsing the internet... but if you say it is better then I will keep it like this :-) ... but it feels weird having the exact same DNS details in two places :-D
Untitled.png

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 3:42 pm
by bpwl
but it feels weird having the exact same DNS details in two places :-D
The first setting is for the DNS server. The second is for the clients.
DNS server forward setting is the default sent to the client when "DHCP setup" is used to add a DHCP server while creating the "Network" part, but can be changed.

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 4:36 pm
by RandomKappaUsr
but it feels weird having the exact same DNS details in two places :-D
The first setting is for the DNS server. The second is for the clients.
DNS server forward setting is the default sent to the client when "DHCP setup" is used to add a DHCP server while creating the "Network" part, but can be changed.
OK, hopefully this is all I needed to set :-)

If you have some more "general settings" advice, I would be grateful. Otherwise, thank you once more for your time and have a nice day!

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 5:26 pm
by anav
Wait, say it isn't so...............are you guys now talking about DNS entries ??? ;-))) bpwl you're fired or maybe just me LOL..........

I find DNS usage on MT hard to understand but what I get from this is:

a. You can use the router's DNS service and associated cache to handle DNS; in this case one enters a dhcp-server-network DNS entry of the subnet gateway and allows users to access port 53 on the INPUT CHAIN.
b. You can back this up with dynamic servers on the DNS entry page.

So the router will use its cache and connectivity to return DNS queries from users. If it cannot find DNS results, it will fall back on the dynamic DNS servers you supplied on the DNS page to attempt to return DNS queries.

If you are following me so far,,,,,,,,,,, the reason you were not getting any DNS is because YOU HAD NO entries for the DNS on the dhcp-server-network and therefore there was no link between the users and the router's DNS services OR the dynamic servers you had put in. I agree from your firewall rules you were not blocking users' requests (I misread it the first time).

Solution to the incorrect config.
A. either put in the subnet gateway for the DNS entry (and the router will be able to supply DNS services and if not available will use the dynamic servers set by the admin) OR
B. put in the 1.1.1.1 etc. directly for the subnet.

I had an issue where DNS was screwed up because the device accessing DNS put out a domain name that was not following the standard and, since I was using the router DNS services, it corrected the name to standard and returned DNS; the device, not recognizing the new domain name, rejected the returns as not valid. When I put in 1.1.1.1 directly on the vlan subnet, the device worked as the DNS site simply copied the domain name for the return traffic (didn't try and be too smart) and it all worked.

I like the idea of the subnet gateway for each entry of dhcp-server-network and simply listing all the external DNS servers you wish to include. That way you only make one list once.
1.1.1.1, then 1.0.0.1, then 8.8.8.8 etc............

There are so many ways to do this, for example
you could put 1.1.1.1 and 1.0.0.1 in for each dhcp-server network DNS entry and then as last entry put in the subnet gateway
Back in dynamic DNS servers you could put in 8.8.8.8 for example.
If the user was unable to get DNS from the two static entries, the router via the last subnet gateway entry on the list would then try to provide DNS services from its cache etc, and if still not found would then go the dynamic ones entered under DNS general.
At least that was my impression.

Use peer DNS, basically instructs the router to pass all dns requests to/via the ISP is my understanding.

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 5:49 pm
by RandomKappaUsr
Wait, say it isn't so...............are you guys now talking about DNS entries ??? ;-))) bpwl you're fired LOL..........

I find DNS usage on MT hard to understand but what I get from this is:

a. You can use the router's DNS service and associated cache to handle DNS; in this case one enters a dhcp-server-network DNS entry of the subnet gateway and allows users to access port 53 on the INPUT CHAIN.
b. You can back this up with dynamic servers on the DNS entry page.

So the router will use its cache and connectivity to return DNS queries from users. If it cannot find DNS results, it will fall back on the dynamic DNS servers you supplied on the DNS page to attempt to return DNS queries.

If you are following me so far,,,,,,,,,,, the reason you were not getting any DNS is because YOU HAD NO entries for the DNS on the dhcp-server-network and therefore there was no link between the users and the router's DNS services OR the dynamic servers you had put in. I agree from your firewall rules you were not blocking users' requests (I misread it the first time).

Solution to the incorrect config.
A. either put in the subnet gateway for the DNS entry (and the router will be able to supply DNS services and if not available will use the dynamic servers set by the admin) OR
B. put in the 1.1.1.1 etc. directly for the subnet.

I had an issue where DNS was screwed up because the device accessing DNS put out a domain name that was not following the standard and, since I was using the router DNS services, it corrected the name to standard and returned DNS; the device, not recognizing the new domain name, rejected the returns as not valid. When I put in 1.1.1.1 directly on the vlan subnet, the device worked as the DNS site simply copied the domain name for the return traffic (didn't try and be too smart) and it all worked.

I like the idea of the subnet gateway for each entry of dhcp-server-network and simply listing all the external DNS servers you wish to include. That way you only make one list once.
1.1.1.1, then 1.0.0.1, then 8.8.8.8 etc............

There are so many ways to do this, for example
you could put 1.1.1.1 and 1.0.0.1 in for each dhcp-server network DNS entry and then as last entry put in the subnet gateway
Back in dynamic DNS servers you could put in 8.8.8.8 for example.
If the user was unable to get DNS from the two static entries, the router via the last subnet gateway entry on the list would then try to provide DNS services from its cache etc, and if still not found would then go the dynamic ones entered under DNS general.
At least that was my impression.

Use peer DNS, basically instructs the router to pass all dns requests to/via the ISP is my understanding.

Hello, from this post I get the impression that something was not working on my side.

I only had the issue with DNS on my "dumb switch" hap-lite where it was not able to download upgrade packages and get time from the internet.

This has been resolved by Sob's advice (adding the following changes)
/ip dns
set servers=192.168.88.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1
Since then I can download packages on hap-lite and have no issue at all browsing the internet (resolving DNS) from all my devices, i.e. wireless, wired to both hap-ac2 and hap-lite.

So I am not sure why would I have to change something now?
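As an added example (not from the thread or the posted secondary_hAP-lite.rsc), here is the management side of a bridged "dumb AP" as it follows from Sob's two commands quoted above together with bpwl's point (Sun Oct 18, 2020 12:16 pm) that client traffic on the hAP lite is bridged and never sees the IP firewall. RouterOS 6 syntax, which the devices in this October 2020 thread run. The management address 192.168.88.2, the bridge name bridge and the NTP pool name are assumptions; 192.168.88.1 is the hAP ac2 from the thread.

```routeros
# One management address on the bridge: every port and the WLAN are bridge members,
# so for client traffic the hAP lite behaves as a switch (assumed address).
/ip address add address=192.168.88.2/24 interface=bridge comment="hAP lite management"

# The AP's own traffic (package downloads, NTP, DNS) needs a way out: a default
# route to the hAP ac2, and the hAP ac2's forwarder as resolver. The AP does not
# answer DNS for anyone else.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.88.1
/ip dns set servers=192.168.88.1 allow-remote-requests=no

# Clock sync, so log timestamps and certificate validity checks are correct
# (assumed pool name).
/system ntp client set enabled=yes server-dns-names=pool.ntp.org

# Client frames are bridged, not routed: the IP firewall only sees them if forced.
# Leave that off; there is nothing to filter on a pure LAN-to-LAN bridge.
/interface bridge settings set use-ip-firewall=no

# What still deserves fencing is the AP's own management plane: keep only the
# services you use and restrict them to the LAN subnet.
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# Checks: package updates reachable and clock set
/system package update check-for-updates
/system clock print
```

Restricting /ip service by address is what protects the AP once it has an address and a default route: without it, any host that can reach 192.168.88.2 can also reach its login prompt, and the bridge-level "no firewall needed" argument does not cover that.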

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 5:52 pm
by anav
If it's working, fine, then ignore anything I said LOL.

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 5:55 pm
by RandomKappaUsr
If it's working, fine, then ignore anything I said LOL.

I did not mean to mislead you in any way that my setup is still not functioning. I believe I replied to that comment that it has been resolved :-D ...

I was just trying to find out what is better, if just to set my preferred DNS servers in IP->DNS or also set them in DHCP server as depicted in my post Sun Oct 18, 2020 1:57 pm...

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 6:13 pm
by anav
Hi,
It's up to you, my only comment is make sure you put an entry in the dhcp-server network of either the subnet gateway vice blank (my usual preference) or the 1.1.1.1 servers directly.

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 6:39 pm
by RandomKappaUsr
Hi,
It's up to you, my only comment is make sure you put an entry in the dhcp-server network of either the subnet gateway vice blank (my usual preference) or the 1.1.1.1 servers directly.

Hello,

do you mean like on the screenshot I posted Sun Oct 18, 2020 1:57 pm?

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 6:42 pm
by bpwl
Wait, say it isn't so...............are you guys now talking about DNS entries ??? ;-))) bpwl you're fired LOL..........

I find DNS usage on MT hard to understand but what I get from this is:


Use peer DNS, basically instructs the router to pass all dns requests to/via the ISP is my understanding.
Was not hired anyway ... LOL

OP prefers to handle all DNS requests through the 192.168.88.1 MKT DNS server as much as possible. That DNS server/forwarder uses its cache or the alternative servers if not in the cache. (Static entries could be added to the cache, but that's not the case or need here.)

DNS info in the DHCP network was added already around 11:10AM by OP, as can be seen in the DHCP logging.

We say the same (almost) however some wording is confusing.
Dynamic servers are the ones added by the DHCP lease of the ISP. The entry for dynamic servers is read-only. The method to add dynamic servers is by selecting "Use peer DNS" in DHCP-client.
The servers in the DNS server definition are the alternative name servers for this "forwarding server" in DNS language.

DNS failover by the client is not very dynamic. If a DNS-server answers something it will use only that server.

The DNS server in Mikrotik is just a very basic "DNS forwarder" implementation. Not much of its working is revealed. Are there root-DNS-server entries? What with domain filters for forwarding selection, And what with other DNS records: PTR etc ? Secondary DNS possibilities (zone transfer)? etc etc etc ... Not that a router needs to be a full blown DNS server. Other brand gateways are real black boxes compared to Mikrotik.

From the wiki:
 "When both static and dynamic servers are set, static server entries are more preferred, however it does not indicate that static server will always be used (for example, previously query was received from dynamic server, but static was added later, then dynamic entry will be preferred)."

Read-only Properties

Property                          Description
cache-used (integer)              Shows the currently used cache size in KiB
dynamic-server (IPv4/IPv6 list)   List of dynamically added DNS servers from different services, for example, DHCP.

Re: Beginner questions (mostly regarding wiring two Mikrotik hAPs together)

Posted: Sun Oct 18, 2020 8:27 pm
by anav
Wow, I have a completely different understanding. Seeing as you have more gray than me (even though I am only slightly younger), I acquiesce to your experience and knowledge.
Especially now that I realize my use of the word dynamic was wrong............. I see now that they are specifically the ISP servers and not editable.