 
5ulo
just joined
Topic Author
Posts: 2
Joined: Sat Mar 10, 2018 4:07 pm

hap AC3 wifi wave2 setup

Sun Jan 23, 2022 1:09 pm

Hi y'all, please keep in mind I am still a newbie in Mikrotik. I've set up my previous one and forgot about it as the router was working perfectly. Recently I've switched from hap AC2 to AC3 as I wanted to try the Wave2 wifi, but I feel like I am stupid now as I am unable to make it work. In some cases I can connect to wifi but I can't obtain any IP. And sometimes I get a local IP but no internet. My idea is very simple - Dual home AP - one 2G wifi and one 5G wifi. Every device on the network (lan, wifi) should have an IP assigned from 10.1.1.10-10.1.1.254, nothing else for a start.
RouterOS 7.1.1 stable, wave2 from 7.1 stable package.

This is my output of /export compact
/interface bridge
add admin-mac=DC:2C:6E:00:A7:90 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=C4:6E:1F:66:FA:19
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 channel
add band=2ghz-n frequency=2300-7000 name=ch-2G width=20/40mhz
add band=5ghz-ac frequency=5180 name=ch-5G width=20/40/80mhz
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk encryption=gcmp-256 name=default wps=disable
/interface wifiwave2 configuration
add channel=ch-2G country=Slovakia name=cfg-2G security=default ssid="Net 2G"
add channel=ch-5G country=Slovakia name=cfg-5G security=default ssid="Net 5G"
/interface wifiwave2
set [ find default-name=wifi1 ] configuration=cfg-2G configuration.mode=ap disabled=no
set [ find default-name=wifi2 ] configuration=cfg-5G configuration.mode=ap disabled=no
/ip pool
add name=dhcp ranges=10.1.1.10-10.1.1.254
add name=dhcp_wifi1 ranges=10.1.1.10-10.1.1.254
add name=dhcp_wifi2 ranges=10.1.1.10-10.1.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_wifi1 interface=wifi1 name=dhcp1
add address-pool=dhcp_wifi2 interface=wifi2 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=*6
add bridge=bridge comment=defconf interface=*7
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.1.1.1/24 comment=defconf interface=bridge network=10.1.1.0
add address=10.1.1.1/24 interface=wifi1 network=10.1.1.0
add address=10.1.1.1/24 interface=wifi2 network=10.1.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf dns-server=10.1.1.1 gateway=10.1.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,8.8.8.8
/ip dns static
add address=10.1.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Bratislava
/system logging
add topics=wireless,debug
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 7671
Joined: Thu Mar 03, 2016 10:23 pm

Re: hap AC3 wifi wave2 setup

Sun Jan 23, 2022 3:01 pm

Remove any configuration from interfaces wifi1 and wifi2 (IP address, DHCP server etc.). Add interfaces wifi1 and wifi2 to bridge. Remove the unknown interfaces (marked as *6 and *7 in export) from bridge (they are likely remains from using legacy wireless driver).
BR,
Metod
 
rfc1149
Frequent Visitor
Posts: 75
Joined: Fri May 15, 2020 4:26 am
Location: England

Re: hap AC3 wifi wave2 setup

Sun Jan 23, 2022 6:06 pm

> /ip pool
> add name=dhcp ranges=10.1.1.10-10.1.1.254
> add name=dhcp_wifi1 ranges=10.1.1.10-10.1.1.254
> add name=dhcp_wifi2 ranges=10.1.1.10-10.1.1.254
> /ip dhcp-server
> add address-pool=dhcp interface=bridge name=defconf
> add address-pool=dhcp_wifi1 interface=wifi1 name=dhcp1
> add address-pool=dhcp_wifi2 interface=wifi2 name=dhcp2

Is there a reason for three address pools referencing the same network?
You only need one because you're specifying one network range.
DHCP will operate on the bridge interface so allocating different pools only makes sense if you want separate addresses for 2.4 vs 5.
There's no need to overdo it.
Running: ROS 7.1.5 / WinBox 3.35 (64bit)
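
The three problems named in the two replies above (stale `*N` bridge ports, address/DHCP config on interfaces outside the bridge, and duplicate pools) can be checked mechanically against an `/export compact`. This is an added example, not code from any poster or from MikroTik; the function names and finding labels are made up for illustration, and the sample input is trimmed from the first export in this thread.

```python
import ipaddress
import re
from itertools import combinations

# Sample input: lines trimmed from the first export posted in this thread.
BEFORE = '''\
/ip pool
add name=dhcp ranges=10.1.1.10-10.1.1.254
add name=dhcp_wifi1 ranges=10.1.1.10-10.1.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_wifi1 interface=wifi1 name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=*6
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.1.1.1/24 comment=defconf interface=bridge network=10.1.1.0
add address=10.1.1.1/24 interface=wifi1 network=10.1.1.0
'''

PARAM = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')  # key=value or key="quoted"

def parse_export(text):
    """Return {menu path: [parameter dict for each add/set line]}."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            path = line
        elif path and line.startswith(('add ', 'set ')):
            menus.setdefault(path, []).append(
                {k: v.strip('"') for k, v in PARAM.findall(line)})
    return menus

def pool_span(ranges):
    """'a-b' -> (int(a), int(b)); assumes one range per pool, as in the thread."""
    lo, _, hi = ranges.partition('-')
    return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))

def audit(text):
    m, findings = parse_export(text), []
    bport = m.get('/interface bridge port', [])
    ports = {p['interface'] for p in bport}
    bridges = {p['bridge'] for p in bport}
    listed = {p['interface'] for p in m.get('/interface list member', [])}
    # References like *6 point at interfaces that no longer exist.
    findings += [('stale-bridge-port', i) for i in sorted(ports)
                 if re.fullmatch(r'\*[0-9A-Fa-f]+', i)]
    for menu in ('/ip address', '/ip dhcp-server'):
        for entry in m.get(menu, []):
            iface = entry.get('interface')
            if iface in ports:  # L3 config belongs on the bridge, not its ports
                findings.append(('l3-on-bridge-port', f'{menu} on {iface}'))
            elif iface not in bridges and iface not in listed:
                # Neither bridged nor in any list: hit by in-interface-list=!LAN drops.
                findings.append(('unlisted-l3-interface', f'{menu} on {iface}'))
    pools = [(p['name'], pool_span(p['ranges'])) for p in m.get('/ip pool', [])]
    for (n1, (a1, b1)), (n2, (a2, b2)) in combinations(pools, 2):
        if a1 <= b2 and a2 <= b1:
            findings.append(('overlapping-pools', f'{n1},{n2}'))
    return findings
```

Pass `audit()` the full text of an export; an empty list means none of the three conditions were found.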
 
5ulo
just joined
Topic Author
Posts: 2
Joined: Sat Mar 10, 2018 4:07 pm

Re: hap AC3 wifi wave2 setup

Sun Jan 23, 2022 7:11 pm

@mkx thank you, that helped.. just a quick note. ROS v7.1 stable is missing the interfaces > port tab in the GUI. It is accessible through the terminal though.
Wifi speed is now at full speed!
Now just to find out why my latest phone won't connect.. but that's another story
Edit - just a quick note: Xiaomi Mi8 is unable to connect to wifi (wifi connected, saved, but nothing else) with WPA2/3 encryption GCMP/GCMP 256, but some other much older devices such as Xiaomi Mi4C, MBP2015 were connecting without any problem. So I've set encryption ciphers to CCMP/CCMP 256 and every device is now connecting flawlessly.

@rfc1149 extra pools for wifi were a 'fix' I saw in other topics and were made as an experiment because wifi didn't want to assign any IP address.. pools are gone now and everything works.

This is my current starting point setup:
/interface bridge
add admin-mac=DC:2C:6E:00:A7:90 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=C4:6E:1F:66:FA:19
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 channel
add band=2ghz-n frequency=2300-7000 name=ch-2G width=20/40mhz
add band=5ghz-ac frequency=5180 name=ch-5G width=20/40/80mhz
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk encryption=ccmp,gcmp,ccmp-256,gcmp-256 name=default wps=disable
/interface wifiwave2 configuration
add channel=ch-2G country=Slovakia name=cfg-2G security=default ssid="Net 2G"
add channel=ch-5G country=Slovakia name=cfg-5G security=default ssid="Net 5G"
/interface wifiwave2
set [ find default-name=wifi1 ] channel=ch-2G configuration=cfg-2G configuration.mode=ap disabled=no security=default
set [ find default-name=wifi2 ] channel=ch-5G configuration=cfg-5G configuration.mode=ap disabled=no security=default
/ip pool
add name=dhcp ranges=10.1.1.10-10.1.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.1.1.1/24 comment=defconf interface=bridge network=10.1.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf dns-server=10.1.1.1 gateway=10.1.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,8.8.8.8
/ip dns static
add address=10.1.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Bratislava
/system logging
add topics=wireless,debug
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 7671
Joined: Thu Mar 03, 2016 10:23 pm

Re: hap AC3 wifi wave2 setup

Sun Jan 23, 2022 10:20 pm

Now that the original problem is solved ...

@rfc1149, did you ever see your nick perform in real life? I haven't, but it would be interesting ...
BR,
Metod
 
rfc1149
Frequent Visitor
Posts: 75
Joined: Fri May 15, 2020 4:26 am
Location: England

Re: hap AC3 wifi wave2 setup

Sun Jan 23, 2022 10:23 pm

> @rfc1149 extra pools for wifi were a 'fix' I saw in other topics and were made as an experiment because wifi didn't want to assign any IP address.. pools are gone now and everything works.

Sweet! Glad you resolved your issue.
When I first started using Mikrotik, the whole idea of a bridge seemed weird and I didn't like it.
However once I learned that it was integral, I embraced it and haven't looked back since.
WAN ports can never be a bridge port because they cannot operate in slave mode.
Everything that would reasonably be expected to have connectivity to the local network should be a bridge port.
The correct answer is usually the simplest. Happy networking. :D
Running: ROS 7.1.5 / WinBox 3.35 (64bit)
 
rfc1149
Frequent Visitor
Posts: 75
Joined: Fri May 15, 2020 4:26 am
Location: England

Re: hap AC3 wifi wave2 setup

Sun Jan 23, 2022 10:28 pm

> Now that the original problem is solved ...
>
> @rfc1149, did you ever see your nick perform in real life? I haven't, but it would be interesting ...

Of course. 8)
https://www.wired.com/2009/09/in-africa ... -internet/
Running: ROS 7.1.5 / WinBox 3.35 (64bit)
 
rfc1149
Frequent Visitor
Posts: 75
Joined: Fri May 15, 2020 4:26 am
Location: England

Re: hap AC3 wifi wave2 setup

Sun Jan 23, 2022 10:36 pm

> Edit - just a quick note: Xiaomi Mi8 is unable to connect to wifi (wifi connected, saved, but nothing else) with WPA2/3 encryption GCMP/GCMP 256, but some other much older devices such as Xiaomi Mi4C, MBP2015 were connecting without any problem. So I've set encryption ciphers to CCMP/CCMP 256 and every device is now connecting flawlessly.

> /interface wifiwave2 channel
> add band=2ghz-n frequency=2300-7000 name=ch-2G width=20/40mhz

By selecting 802.11n only for 2.4GHz, you've limited the operation mode to 802.11n clients.
This prevents compatibility and some devices may behave weirdly when they see a network without basic support for 802.11g.
It goes back to OEM decisions for the chipset of the client device and sometimes parameter customisation decisions for the OS variant.
Too many to list but you get the idea, not all clients behave the same as each other as a result. Too many moving parts. :D

If you're using the same SSID for 2.4GHz and 5GHz then you can have AES CCMP and GCMP enabled for the security profile because WPA3 supports backwards compatibility.
It shouldn't be an issue but my previous statement about wireless client behaviour still stands.

I usually have 802.11 G+N at least for 2.4GHz and for 5GHz N+AC. YMMV. Test, test again. See what works.
Running: ROS 7.1.5 / WinBox 3.35 (64bit)
 
mkx
Forum Guru
Posts: 7671
Joined: Thu Mar 03, 2016 10:23 pm

Re: hap AC3 wifi wave2 setup

Sun Jan 23, 2022 10:41 pm

>> Now that the original problem is solved ...
>>
>> @rfc1149, did you ever see your nick perform in real life? I haven't, but it would be interesting ...
>
> Of course. 8)
> https://www.wired.com/2009/09/in-africa ... -internet/

Not really the case ... what the article describes falls in the category of "never underestimate the bandwidth of a station wagon" ...
BR,
Metod
 
rfc1149
Frequent Visitor
Posts: 75
Joined: Fri May 15, 2020 4:26 am
Location: England

Re: hap AC3 wifi wave2 setup

Sun Jan 23, 2022 10:46 pm

> Not really the case ... what the article describes falls in the category of "never underestimate the bandwidth of a station wagon" ...

Fair enough. I don't think we will ever realise the true potential of IPoAC. :(
Running: ROS 7.1.5 / WinBox 3.35 (64bit)
 
Sob
Forum Guru
Posts: 8178
Joined: Mon Apr 20, 2009 9:11 pm

Re: hap AC3 wifi wave2 setup

Sun Jan 23, 2022 11:33 pm

There's this: https://www.blug.linux.no/rfc1149/writeup/

But the throughput and latency were terrible, not something you'd want to use regularly. ;)
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
mkx
Forum Guru
Posts: 7671
Joined: Thu Mar 03, 2016 10:23 pm

Re: hap AC3 wifi wave2 setup

Mon Jan 24, 2022 9:28 pm

Yup, I knew there were a few rare events doing it in reality, I was wondering if anybody around here saw it in person.
BR,
Metod
 
Sob
Forum Guru
Posts: 8178
Joined: Mon Apr 20, 2009 9:11 pm

Re: hap AC3 wifi wave2 setup

Mon Jan 24, 2022 10:12 pm

I wouldn't expect a large overlap between networking and pigeon enthusiasts, that may be one problem. I for one have several routers, but zero pigeons or other birds. I do have a cat, so in theory, if you wouldn't insist on aerial transport, ... but good luck training cats to do what you want. :)
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
mkx
Forum Guru
Posts: 7671
Joined: Thu Mar 03, 2016 10:23 pm

Re: hap AC3 wifi wave2 setup

Mon Jan 24, 2022 10:31 pm

I guess you could deploy your cat as a raw firewall rule in IPoAC :lol:
BR,
Metod
 
rfc1149
Frequent Visitor
Posts: 75
Joined: Fri May 15, 2020 4:26 am
Location: England

Re: hap AC3 wifi wave2 setup

Tue Jan 25, 2022 9:14 pm

> I guess you could deploy your cat as a raw firewall rule in IPoAC :lol:

/ip/firewall/filter/add chain=input action=feed-cat comment=meow
Running: ROS 7.1.5 / WinBox 3.35 (64bit)
