floevans
just joined
Topic Author
Posts: 4
Joined: Wed Sep 04, 2024 2:04 am

Help setting up cap AX  [SOLVED]

Wed Sep 04, 2024 2:10 am

So not sure what I am doing wrong here... no internet when connected to AP

router config:
# 2024-09-03 17:56:05 by RouterOS 7.12.1
# software id = WXP2-9C15
#
# model = RB5009UPr+S+
# serial number = opps!
/interface bridge
add admin-mac=78:9A:18:D3:29:D5 auto-mac=no comment=defconf name=bridge
/disk
set usb1 type=hardware
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

AP config:

# 1970-01-02 02:15:38 by RouterOS 7.12.2
# software id = BIPU-WZFW
#
# model = cAPGi-5HaxD2HaxD
# serial number = ack!
/interface bridge
add admin-mac=D4:01:C3:67:87:04 auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country="United States" .mode=ap .ssid=DXN_NET2 disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country="United States" .mode=ap .ssid=DXN_NET2 disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.2/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.2 gateway=192.168.88.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by floevans on Wed Sep 04, 2024 7:16 pm, edited 1 time in total.
 
gigabyte091
Forum Guru
Posts: 1393
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Help setting up cap AX

Wed Sep 04, 2024 5:32 am

If you are going to use cAP ax as simple AP then this more or less default configuration will not work.

You need to reset cAP ax configuration but check to keep users and check no default configuration. Then create new bridge, add all interfaces to that bridge (so ether1 and 2, wifi1 and 2), create dhcp client on bridge interface, add passwords and SSIDs and when you connect cAP ax to your router it should work then.
 
infabo
Forum Guru
Posts: 1195
Joined: Thu Nov 12, 2020 12:07 pm

Re: Help setting up cap AX

Wed Sep 04, 2024 11:19 am

I wanted to suggest to just remove all the useless and conflicting config. But it is way too much and error prone as well (if you miss something).

As gigabyte already suggested, it is straightforward and clean.

Mikrotik, if you are reading, I have a suggestion: add a quick-set profile for "AP only" (or "AP behind router/firewall" or "AP behind ISP router" - I guess you understand what I mean) mode. A device like CAP AX does not act as a "Home AP" typically. It needs no firewall nor any dhcp server. All it needs to do is: a running DHCP-client on all interfaces. Possibility to configure wifi1/wifi2 on quickset. That's it.
 
anav
Forum Guru
Posts: 20818
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help setting up cap AX

Wed Sep 04, 2024 2:25 pm

Remove your serial number from your post above!
Is an AP so all router crap for the most part is removed.
Ether 2 on the capax will be used as a SAFE off bridge port to configure or access the AP. ******
Remove client from AP, you have set correctly the AP to get a static set IP of 192.168.88.2 outside the dhcp pool.

# model = cAPGi-5HaxD2HaxD
/interface bridge
add admin-mac=D4:01:C3:67:87:04 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=OffBridge2
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country="United States" .mode=ap .ssid=DXN_NET2 disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country="United States" .mode=ap .ssid=DXN_NET2 disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=MANAGE

/interface bridge port
add bridge=bridge interface=ether1 comment="port to Router"
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface list member
add interface=bridge list=MANAGE
add interface=OffBridge2 list=MANAGE
/ip address
add address=192.168.88.2/24 interface=bridge comment="Static Address of AP outside the IP pool of 5009"
add address=192.168.55.1/30 interface=OffBridge2 network=192.168.55.0
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE


Done!!

Once configured the offbridge port, simply plug your laptop into ether2 and change your laptop ipv4 settings to 192.168.55.2 and you should have full access.
 
gigabyte091
Forum Guru
Posts: 1393
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Help setting up cap AX

Wed Sep 04, 2024 4:10 pm

For better results, maybe disable WPA3, leave WPA2. I have much better experience with WPA2 on ax lineup.
 
holvoetn
Forum Guru
Posts: 6049
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Help setting up cap AX

Wed Sep 04, 2024 4:17 pm

> For better results, maybe disable WPA3, leave WPA2. I have much better experience with WPA2 on ax lineup.

For now, definitely better to skip WPA3, yes.
 
floevans
just joined
Topic Author
Posts: 4
Joined: Wed Sep 04, 2024 2:04 am

Re: Help setting up cap AX

Wed Sep 04, 2024 7:08 pm

ok it is working! Yes I reset them both to default trying to get it to work.

[admin@MikroTik] > export
# 1970-01-02 00:12:53 by RouterOS 7.12.2
# software id = BIPU-WZFW
#
# model = cAPGi-5HaxD2HaxD
# serial number = ha!
/interface bridge
add name=bridge1
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .width=20/40/80mhz configuration.chains=0,1 .country="United States" .mode=ap .ssid=DXN_NET2 .tx-chains=0,1 disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk .encryption=""
set [ find default-name=wifi2 ] channel.band=2ghz-ax .width=20/40mhz configuration.chains=0,1 .country="United States" .mode=ap .ssid=DXN_NET2 .tx-chains=0,1 disabled=no
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
/interface list member
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.2/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add interface=bridge1
/system note
set show-at-login=no


Do I have to separate the wifi names? It is only connecting on wifi2, the 2.4 GHz channel.
Last edited by floevans on Wed Sep 04, 2024 7:19 pm, edited 1 time in total.
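
Added example (not part of the original post, and not MikroTik code): a small Python check over the export above that expands the dotted shorthand (`.width` after `channel.band`) and reports which wifi interfaces carry `security.authentication-types`. In this export wifi2 has none, which RouterOS treats as an open network; the check assumes inline settings only, and because a plain export hides passphrases it cannot confirm that one is set.

```python
import re

# Copied from the working export posted above (only the lines the audit reads).
SAMPLE_EXPORT = r'''/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .width=20/40/80mhz configuration.chains=0,1 .country="United States" .mode=ap .ssid=DXN_NET2 .tx-chains=0,1 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=""
set [ find default-name=wifi2 ] channel.band=2ghz-ax .width=20/40mhz configuration.chains=0,1 .country="United States" .mode=ap .ssid=DXN_NET2 .tx-chains=0,1 disabled=no
/interface list
add name=WAN
'''

WIFI_MENUS = ("/interface wifiwave2", "/interface wifi")  # 7.12 name, and the name from 7.13 on
TOKEN = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')
FIND = re.compile(r'\[\s*find\s+default-name=(\S+)\s*\]')


def join_continuations(text):
    """Merge export lines that end in a backslash with the line that follows."""
    out, buf = [], None
    for raw in text.splitlines():
        piece = raw if buf is None else raw.lstrip()
        if piece.rstrip().endswith("\\"):
            buf = (buf or "") + piece.rstrip()[:-1]
        else:
            out.append((buf or "") + piece)
            buf = None
    return out


def expand_props(args):
    """Expand the export shorthand: '.width' after 'channel.band' means 'channel.width'."""
    props, prefix = {}, ""
    for key, val in TOKEN.findall(args):
        if key.startswith("."):
            key = prefix + key
        else:
            prefix = key.rsplit(".", 1)[0] if "." in key else ""
        props[key] = val.strip('"')
    return props


def audit_wifi(export_text):
    """Return {interface: {'ssid', 'auth', 'open'}} for every wifi 'set' line."""
    report, menu = {}, ""
    for line in map(str.strip, join_continuations(export_text)):
        if line.startswith("/"):
            menu = line
            continue
        m = FIND.search(line)
        if menu not in WIFI_MENUS or not line.startswith("set ") or not m:
            continue
        props = expand_props(line[m.end():])
        auth = [a for a in props.get("security.authentication-types", "").split(",") if a]
        # Assumption: a referenced profile may hold the settings; only inline ones are read.
        profiled = "security" in props or "configuration" in props
        report[m.group(1)] = {"ssid": props.get("configuration.ssid"), "auth": auth,
                              "open": not auth and not profiled}
    return report


if __name__ == "__main__":
    for name, r in audit_wifi(SAMPLE_EXPORT).items():
        print(name, r["ssid"], "OPEN" if r["open"] else ",".join(r["auth"]))
```
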
 
infabo
Forum Guru
Posts: 1195
Joined: Thu Nov 12, 2020 12:07 pm

Re: Help setting up cap AX

Wed Sep 04, 2024 7:17 pm

I guess you messed up your wifi config. What is it about .encryption=""?
 
floevans
just joined
Topic Author
Posts: 4
Joined: Wed Sep 04, 2024 2:04 am

Re: Help setting up cap AX

Wed Sep 04, 2024 7:34 pm

> I guess you messed up your wifi config. What is it about .encryption=""?

umm I'm not sure. I got it working with a clean slate but then quickly realized it had no wifi password so I added one. I might have ticked some random box. The web config for these is not great. Trying to clean it up a bit now.
 
gigabyte091
Forum Guru
Posts: 1393
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Help setting up cap AX

Wed Sep 04, 2024 8:45 pm

Is there any reason why you don't use winbox ? Honestly I opened webfig maybe once.

Use WPA2 instead of WPA3 for now, trust me... WPA3, for now, on Mikrotik will probably give you a lot of headaches.

You don't have to separate SSIDs unless you explicitly want to control where your devices connect.
 
infabo
Forum Guru
Posts: 1195
Joined: Thu Nov 12, 2020 12:07 pm

Re: Help setting up cap AX

Wed Sep 04, 2024 8:48 pm

Winbox is no different to Webfig. Similar UI.
 
holvoetn
Forum Guru
Posts: 6049
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Help setting up cap AX

Wed Sep 04, 2024 8:56 pm

No it is not.
Big difference in usability.
 
floevans
just joined
Topic Author
Posts: 4
Joined: Wed Sep 04, 2024 2:04 am

Re: Help setting up cap AX

Wed Sep 04, 2024 9:20 pm

> Is there any reason why you don't use winbox ? Honestly I opened webfig maybe once.
>
> Use WPA2 instead of WPA3 for now, trust me... WPA3, for now, on Mikrotik will probably give you a lot of headaches.
>
> You don't have to separate SSIDs unless you explicitly want to control where your devices connect.

I was trying to set it up with my MacBook. Obviously not ideal. I didn't have any problems setting up the rb5009 with the web interface. I then tried setting up winbox on my linux laptop but it still wasn't native and a little jank. I did end up using a windows machine direct connected. They should really make it clear this is how to set it up. I didn't realize how "live" the interface was, clicking a couple of random buttons will totally jack up your config file. My plan was to ease into RouterOS but now I get it a bit more. I still don't understand why it would default to router mode on reset. I'm assuming there are ways to save and backup your good config if I want to test more stuff out?
 
holvoetn
Forum Guru
Posts: 6049
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Help setting up cap AX

Wed Sep 04, 2024 9:24 pm

> I'm assuming there are ways to save and backup your good config if I want to test more stuff out?

Yes.

Binary backup (but can't really be transferred to other device). Simply restore and everything is back as it was.
or
export with show-sensitive on (not 100% complete export but most should be there and can be used as basis for transfer to other devices, even devices of completely different architecture).
This gives you a text export of the complete config.
Especially as a beginner, can be very interesting to read. You will better understand what is done and where.
 
anav
Forum Guru
Posts: 20818
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help setting up cap AX

Thu Sep 05, 2024 12:03 am

The good news is that soon there will be a usable Mac and Linux version of winbox. Right now it's a beta, not ready for beginners IMHO, heck I am not using it either.
Infabo, put yourself in the shoes of a newbie regarding usability and you will come to a different conclusion. By that I mean, don't assume a MT owner is conversant with IT, networking or UIs of any sort (other than android/iphone etc.).
