 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Double-check my first hAP ac2 configuration

Tue Mar 09, 2021 6:40 pm

I recently purchased a hAP ac2 and this is the first time I play with such a product. It would be great if someone could take a look at my configuration and tell me if I made any obvious mistakes or if you would have done anything differently.
[admin@MikroTik] > /export hide-sensitive 
# mar/09/2021 17:23:56 by RouterOS 6.48.1
# software id = AQPZ-DUUH
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = XXXXXXXXXXXX
#
# Review summary: first attempt at using the hAP ac2 as a VLAN-aware switch/AP.
# ether1 is the uplink, ether2-ether5 and both radios are untagged access ports.
# An export without "verbose" lists only non-default settings, so anything
# absent below is presumably still at its RouterOS default.
/interface bridge
# VLAN filtering and ingress filtering are both enabled on the bridge itself.
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface wireless
# Both radios: WPS disabled, default-forwarding=no. Neither line sets
# security-profile=, so both presumably use the default profile defined below.
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-onlyn country=germany default-forwarding=no distance=indoors guard-interval=long installation=indoor mode=ap-bridge skip-dfs-channels=all ssid=WLAN-XXXXXX \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-onlyac channel-width=20/40/80mhz-XXXX country=germany default-forwarding=no distance=indoors guard-interval=long installation=indoor mode=ap-bridge skip-dfs-channels=\
    all ssid=WLAN-XXXXXX wireless-protocol=802.11 wps-mode=disabled
/interface vlan
# NOTE(review): these VLAN interfaces sit on the physical port ether1 and are
# added as bridge ports further down. The thread later identifies this layout
# as the "VLAN in a bridge with a physical interface" case that MikroTik's help
# describes as problematic; the updated export at the end of the thread drops it.
add interface=ether1 name=vlan2 vlan-id=32
add interface=ether1 name=vlan3 vlan-id=33
add interface=ether1 name=vlan4 vlan-id=36
add interface=ether1 name=vlan5 vlan-id=39
/interface list
# NOTE(review): WAN and LAN lists are defined, but this export contains no
# /ip firewall section that references them.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# WPA2-PSK only on both profiles; the keys are omitted by hide-sensitive.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
# NOTE(review): no wireless interface in this export references "intranet".
add authentication-types=wpa2-psk mode=dynamic-keys name=intranet supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# NOTE(review): bound to wlan1, which is also a bridge port below. The topic
# author later calls this a leftover from a backup management path; there is
# no disabled=no here, so the server is presumably not running - confirm.
add address-pool=dhcp interface=wlan1 name=management
/interface bridge port
# Every port accepts only untagged/priority-tagged frames and classifies them
# into the VLAN given by pvid; ether5 and both radios share VLAN 39.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=32
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=33
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=36
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan2 pvid=32
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan3 pvid=33
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan4 pvid=36
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan5 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=39
/ip neighbor discovery-settings
# Neighbor discovery is switched off on all interfaces, so the device does not
# advertise itself to adjacent hosts.
set discover-interface-list=none
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
# The device holds a static address on bridge1 and, via the DHCP client below,
# presumably a second one on ether1.
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=192.168.88.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip service
# telnet, ftp, api, winbox and api-ssl are disabled.
# NOTE(review): www (plain-HTTP WebFig) and ssh are not listed, so they
# presumably remain enabled at their defaults, without an address= restriction.
# With no firewall input rules in this export, any host that can reach one of
# the device's addresses can reach those services. Consider disabling www, or
# restricting the remaining services with address= to the management subnet.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
# Restricts SSH to the stronger cipher/key-exchange set.
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system leds settings
set all-leds-off=immediate
/system ntp client
set enabled=yes primary-ntp=192.168.30.1
/tool bandwidth-server
# Layer-2 management and test helpers are all turned off: bandwidth test
# server, MAC telnet, MAC WinBox and MAC ping.
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
erlinden
Forum Guru
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Double-check my first hAP ac2 configuration

Tue Mar 09, 2021 6:52 pm

/interface vlan
add interface=ether1 name=vlan2 vlan-id=32
add interface=ether1 name=vlan3 vlan-id=33
add interface=ether1 name=vlan4 vlan-id=36
add interface=ether1 name=vlan5 vlan-id=39
Instead of using ether1 I would expect to see the bridge.
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=32
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=33
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=36
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan2 pvid=32
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan3 pvid=33
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan4 pvid=36
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan5 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=39
Why are there vlan interfaces here?

Perhaps you can give some information on the purpose for using VLAN's?
 
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Double-check my first hAP ac2 configuration

Tue Mar 09, 2021 9:26 pm

The configuration you have does nothing.
Suggest you read this reference and give it another shot............
viewtopic.php?f=13&t=143620
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hAP ac2 configuration

Wed Mar 10, 2021 3:30 pm

Instead of using ether1 I would expect to see the bridge.
I use ether1 as hybrid port, which is connected to my firewall.
Why are there vlan interfaces here?
It does not work without them.
Perhaps you can give some information on the purpose for using VLAN's?
ether2, ether3, ether4 and ether5 are supposed to be access ports with separate vlan ids and ether5 is supposed to be on the same vlan as the two wifi interfaces.
The configuration you have does nothing.
My configuration seems to be doing exactly what I want, at least as far as I can tell. I've read the entire thread you linked, but this configuration is the best I could come up with.
 
erlinden
Forum Guru
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Double-check my first hAP ac2 configuration

Wed Mar 10, 2021 3:54 pm

So you are trying to configure it as switch with 1 trunk port (eth1) and only accessports, correct?
Because it makes no sense to use NAT...

I think this would be sufficient (haven't tested it) to reset without default configuration and then add:
# Proposed replacement, to be applied after a reset without default
# configuration: a single VLAN-filtering bridge with ether1 as the uplink and
# the remaining ports as untagged access ports. The poster marks it as untested.
# NOTE(review): vlan-filtering=yes is set when the bridge is created; the
# poster warns that applying this may cut the current management session.
# NOTE(review): admin-mac is a masked placeholder (only five octets shown);
# substitute the device's real MAC address.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX auto-mac=no name=bridge1 protocol-mode=none vlan-filtering=yes

/interface bridge port
# ether1 accepts only tagged frames here, i.e. it is a pure trunk.
# NOTE(review): the topic author describes ether1 as a hybrid port that also
# carries untagged management traffic; that traffic would be dropped by
# admit-only-vlan-tagged.
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
# Access ports: untagged frames only, classified into the VLAN given by pvid.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=32
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=33
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=36
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=39
# NOTE(review): the topic author's export names the radios wlan1 and wlan2;
# wlan0 probably does not exist on that device - confirm before applying.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan0 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=39

/interface bridge vlan
# ether1 carries all four VLANs tagged. bridge1 itself is a tagged member of
# VLAN 32 only, which makes the router's own CPU port part of that VLAN; the
# other VLANs are switched between ports without the CPU as a member.
# NOTE(review): reaching the device on VLAN 32 would presumably also need a
# VLAN interface on bridge1 carrying an IP address - not shown here.
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=32
add bridge=bridge1 tagged=ether1 vlan-ids=33
add bridge=bridge1 tagged=ether1 vlan-ids=36
add bridge=bridge1 tagged=ether1 vlan-ids=39
Be aware that you might be disconnected...
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hAP ac2 configuration

Wed Mar 10, 2021 6:04 pm

So you are trying to configure it as switch with 1 trunk port (eth1) and only accessports, correct?
Correct, but eth1 is supposed to be a hybrid port. I want the hAP ac2 to be part of the 192.168.30.1/24 subnet.
Because it makes no sense to use NAT...
The dhcp-server stuff in my config is a leftover from my backup management access through wlan1, because I'm not using Winbox.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=32
I don't understand that part.
 
erlinden
Forum Guru
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Double-check my first hAP ac2 configuration

Wed Mar 10, 2021 6:15 pm

I don't understand that part.
Have a look at the link that anav posted; there you will find all the info you need.
 
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Double-check my first hAP ac2 configuration

Wed Mar 10, 2021 8:00 pm

While reading the link, also provide a network diagram, as it should help figure out what you are trying to accomplish.
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hAP ac2 configuration

Thu Mar 11, 2021 12:26 pm

Have a look at the link that anav posted; there you will find all the info you need.
I'll try my luck once more and report back.
also provide a network diagram as it should help figure out what you are trying to accomplish.
I simply want the hAP ac2 to act as a managed switch with the management interface only accessible via untagged traffic on eth1.
 
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Double-check my first hAP ac2 configuration

Thu Mar 11, 2021 5:43 pm

I am using my hex as a managed switch.

My management vlan is 11
I have a bridge and on the bridge vlan filtering is selected and pvid=1 the default.

ether1 - trunk port , all vlans running on this trunk
ether2 - pvid44 - access port on specific vlan (DIRECT link to secondary ISP)
ether3 - trunk port running vlan11, and two other vlans for testing and config purposes(simulating hooking up managed devices anywhere on my network)
ether4 pvid11 access port to access point in the room
ether5 pvid11 access port to pc

The ip address of the switch is on the management vlan11.
If it was a hapac, the only difference would be
adding WLANS to the bridge as ports and associated pvids.
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hAP ac2 configuration

Fri Mar 12, 2021 12:15 am

Where exactly is the issue with my current configuration? Is it plain wrong or just not elegant? As I said earlier, it does seem to do exactly what I want.
 
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Double-check my first hAP ac2 configuration

Fri Mar 12, 2021 12:29 am

If it works, then great! probably thought it was a router not a switch at the start, my bad.
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hAP ac2 configuration

Fri Mar 12, 2021 10:21 am

I am by no means an expert, so it may well be that I simply don't recognize a mistake. That's why I came here.

PS: I did give the "all interfaces on a single bridge" approach another try, but failed miserably.
 
erlinden
Forum Guru
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Double-check my first hAP ac2 configuration

Fri Mar 12, 2021 11:27 am

Can you please have a look at this configuration: download/file.php?id=45586 (it is referred to in this topic: viewtopic.php?f=13&t=143620#p706997)
This is an example of a switch with trunk port, access ports and hybrid ports.

Tip: set vlan filtering ON on the bridge in the last step of configuring the device.
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hAP ac2 configuration

Tue Mar 16, 2021 12:41 pm

I found the relevant help section that describes exactly why my current configuration is problematic: https://help.mikrotik.com/docs/display/ ... linterface
 
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Double-check my first hAP ac2 configuration

Tue Mar 16, 2021 4:35 pm

Which problem specifically page number para #?
The correct configuration of vlans was addressed in the link provided initially??
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hAP ac2 configuration

Wed Mar 17, 2021 9:47 am

Yes, but I also wanted to know what kind of problems might arise with my current configuration.
Which problem specifically page number para #?
Take a look at the "VLAN in a bridge with a physical interface" section (the link in my above post should point right at it).
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hAP ac2 configuration

Thu Mar 25, 2021 5:23 pm

I have updated my configuration - thanks to all who helped me:
[admin@MikroTik] > /export hide-sensitive 
# mar/25/2021 16:18:09 by RouterOS 6.48.1
# software id = AQPZ-DUUH
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = XXXXXXXXXXXX
#
# Review summary: revised configuration. All ports are members of one
# VLAN-filtering bridge, ether1 is a hybrid uplink, and the VLAN interfaces on
# ether1 from the first export are gone. An export without "verbose" lists only
# non-default settings, so anything absent is presumably at its default.
/interface bridge
# protocol-mode=none turns off spanning tree on the bridge, so a loop between
# access ports would not be blocked by STP.
add ingress-filtering=yes name=bridge1 protocol-mode=none vlan-filtering=yes
/interface wireless
# Both radios: WPS disabled, default-forwarding=no. Neither sets
# security-profile=, so both presumably use the default profile below.
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-onlyn country=germany \
    default-forwarding=no distance=indoors guard-interval=long installation=indoor mode=ap-bridge skip-dfs-channels=all \
    ssid=WLAN-XXXXXX wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-onlyac channel-width=20/40/80mhz-XXXX \
    country=germany default-forwarding=no distance=indoors guard-interval=long installation=indoor mode=ap-bridge \
    skip-dfs-channels=all ssid=WLAN-XXXXXX wireless-protocol=802.11 wps-mode=disabled
/interface wireless security-profiles
# WPA2-PSK only on both profiles; the keys are omitted by hide-sensitive.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=intranet supplicant-identity=MikroTik
/interface wireless
# wlan3 is a virtual AP on top of wlan1 with its own SSID and the "intranet"
# profile; it is placed in VLAN 76 below, separate from wlan1/wlan2 (VLAN 79).
add mac-address=CE:2D:E0:E5:2E:FB master-interface=wlan1 name=wlan3 security-profile=intranet ssid=xxxxxxxxxxxxxxxx \
    wds-default-bridge=bridge1 wps-mode=disabled
/interface bridge port
# ether1 has no frame-types or pvid, so it presumably admits both tagged and
# untagged frames and puts untagged ones into the default VLAN (hybrid port).
add bridge=bridge1 ingress-filtering=yes interface=ether1
# Access ports: untagged frames only, classified into the VLAN given by pvid.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=72
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=73
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=76
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=79
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=79
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=79
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan3 pvid=76
/ip neighbor discovery-settings
# Neighbor discovery is switched off on all interfaces.
set discover-interface-list=none
/interface bridge vlan
# ether1 carries VLANs 72, 73, 76 and 79 tagged. bridge1 is not a member of any
# of them, so the router's own CPU port is presumably reachable only through
# untagged traffic on ether1, which is the goal the author states in the thread.
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=72
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=73
add bridge=bridge1 tagged=ether1 untagged=ether4,wlan3 vlan-ids=76
add bridge=bridge1 tagged=ether1 untagged=ether5,wlan1,wlan2 vlan-ids=79
/ip dhcp-client
# The management address is obtained by DHCP on the bridge interface.
add disabled=no interface=bridge1
/ip service
# telnet, ftp, api, winbox and api-ssl are disabled.
# NOTE(review): www (plain-HTTP WebFig) and ssh are not listed, so they
# presumably remain enabled at their defaults, without an address= restriction,
# and this export has no firewall input rules. Consider disabling www, or
# restricting the remaining services with address= to the management subnet.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
# Restricts SSH to the stronger cipher/key-exchange set.
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system leds settings
set all-leds-off=immediate
/system ntp client
set enabled=yes primary-ntp=192.168.70.1
/tool bandwidth-server
# Layer-2 management and test helpers are all turned off: bandwidth test
# server, MAC telnet, MAC WinBox and MAC ping.
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hAP ac2 configuration

Fri Mar 26, 2021 5:32 pm

Does vlan-mode=secure make any difference with the above bridge vlan configuration?
