RedBearAK
just joined
Topic Author
Posts: 5
Joined: Mon May 23, 2022 3:57 am

Bridged hAP-AC2, can only connect via MAC

Mon May 23, 2022 4:48 am

Just set up a new hAP AC2, upgraded it to ROS 7.2.3, factory reset, changed from router to bridge mode with Quick Set settings, set a password for admin and WiFi, and rebooted.

Works fine as a bridge, as it's supposed to. But now I can only connect to the hAP with WinBox via MAC address, and that only works when the device I'm connecting from is directly on the WiFi network being broadcast by the hAP. If I connect to the network via another access point, I can no longer connect via MAC.

The hAP is connected via cable from ether1 to a router that's been the main router for the rest of the network for years, running DD-WRT. The hAP seems to pick up an IP address from the router, with proper netmask, and responds to pings on that IP address. But neither WinBox nor web browsers (for WebFig) can get a response from the hAP on that IP address, whether I'm connected directly to the hAP WiFi or to another AP.

Another strange thing is that sometimes the hAP has seemed to be handing out its own IP addresses (192.168.88.nnn) to a few devices, as if the default DHCP server is still active. But I didn't even connect it physically to the rest of the network until after switching it to bridged mode and rebooting it, which I assumed would completely disable any built-in DHCP server.

It seems to always respond to pings of its IP address, but half the time I log in with WinBox the spot in the Quick Set UI where the IP address should be shown is blank.

I just wanted it to be a simple passive access point to provide an additional WiFi network. Bridge mode, DHCP off. I tried to set "Address Source" in Quick Set to "Ethernet", but it keeps wanting to go back to "Any" for some reason. I've also set the ether1 interface from "WAN" to "LAN", because I don't want it doing anything but bridging LAN to WiFi.

In short, there is just a lot of really odd behavior that I haven't encountered in most of the network devices I've worked with over the past 20 years, which includes routers with Tomato and DD-WRT firmwares, as well as stock Linksys, TP-Link and D-Link firmwares. RouterOS is definitely... different.

Could the inability to connect by IP have something to do with the firewall? I reset the device to defaults after the upgrade to 7.2.3 and never touched very much besides the Quick Set UI for the most part, just to change it from router to bridge and set the passwords.

Other than the firewall, what else could possibly be making it impossible to connect to WinBox/WebFig via the ping-able IP address?
 
RedBearAK
just joined
Topic Author
Posts: 5
Joined: Mon May 23, 2022 3:57 am

Re: Bridged hAP-AC2, can only connect via MAC

Mon May 23, 2022 6:00 am

Disabled a firewall rule that was dropping all packets "not coming from LAN". Now I can at least connect via WiFi. But that doesn't really explain why it wouldn't respond when the device I'm connecting from was connected to another A/P, in which case the attempt to connect should have come through the LAN interface.

Or at least it should have been the LAN interface after I changed ether1 from "WAN" to "LAN", right? Wonder if this problem would go away if I connected the cable to one of the other Ethernet ports instead of ether1.

After rebooting the device it didn't seem to want to get back on the LAN, but swapping from ether1 to ether5 seems to have fixed that.

But, re-enabling the firewall rule to drop all packets on input "not coming from LAN" once again results in being unable to connect via IP address, even if I'm not connected to the WiFi of the hAP. I'm pretty confused about why that rule is even there, and why it causes such an issue if I'm connected to a different A/P. The A/Ps are not using the same SSID, so there should be no WiFi traffic between them.

I think I was able to cure the DHCP issue with "/ip dhcp-server disable", but I feel like that should never have been necessary. That was pretty strange.
 
mkx
Forum Guru
Posts: 11442
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridged hAP-AC2, can only connect via MAC

Mon May 23, 2022 12:33 pm

Default firewall heavily relies on proper interface membership: /interface list and beyond. If you change setup (default has ether1 separate as WAN, the rest of interfaces are members of same bridge for LAN), you have to adjust interface membership as well.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridged hAP-AC2, can only connect via MAC

Mon May 23, 2022 2:19 pm

Makes perfect sense; the router is doing what you have programmed it to do, which means that you don't yet understand how to configure the MikroTik.
It will come in time.
Suggest you post your config for review.
/export hide-sensitive file=anynameyouwish
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Bridged hAP-AC2, can only connect via MAC

Mon May 23, 2022 2:44 pm

Quickset Bridge Mode is broken. It removes Bridge from interface-list=LAN and adds each of the individual Interfaces to this list. That is an incorrect configuration because the individual Interfaces are slaved to the Bridge in Bridge Mode.

I have reported this behavior to support to no avail.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridged hAP-AC2, can only connect via MAC

Mon May 23, 2022 3:12 pm

Regardless, use of quickset is not recommended and one still needs to learn what the config is doing or not doing.
 
hecatae
Member Candidate
Posts: 244
Joined: Thu May 21, 2020 2:34 pm

Re: Bridged hAP-AC2, can only connect via MAC

Mon May 23, 2022 8:21 pm

> Quickset Bridge Mode is broken. It removes Bridge from interface-list=LAN and adds each of the individual Interfaces to this list. That is an incorrect configuration because the individual Interfaces are slaved to the Bridge in Bridge Mode.
>
> I have reported this behavior to support to no avail.

On what hardware? It works on my rb941 using 7.2.3.
 
RedBearAK
just joined
Topic Author
Posts: 5
Joined: Mon May 23, 2022 3:57 am

Re: Bridged hAP-AC2, can only connect via MAC

Tue May 24, 2022 1:56 am

I think that the primary issue is that the "Home AP Dual" mode, which is what a device like this should have defaulted to as a Quick Set, doesn't provide the user a clear way to put the hAP into a "bridge" mode and disable all routing functions. The Quick Set mode it defaulted to is "WISP AP", which did show a "Bridge" option right next to a "Router" option, and it keeps reverting to showing that configuration even if I close the window and previously had the Quick Set window set to "Home AP Dual". (Probably because of the things I've changed manually, as described below.)

The "WISP AP" is (I'm guessing) a mode intended for when the device is meant to provide wireless internet (ISP) access to clients, which is why the firewall rules disable accessing the device config over WiFi by IP. Makes sense in that context, but this is just for use at home on a private network. The "Home AP Dual" mode has simpler firewall rules but really wants to be a router. It demands to have both a public IP and a "local" IP address, which is confusing in the context of a device that you want to just be a simple bridge/switch rather than a "router" of any kind.

Anyway, I believe that I have figured out how to not only set ether1 to be LAN instead of WAN, but also make sure that port is active on the bridge interface, in which case it finally seems to act like a passive access point bridge/switch no matter which Ethernet port the cable to the router/switch/rest of the network is connected to.

I found a page that kind of explains how to do this, but I already did it all, except for completely deleting the defined DHCP server and client (server is just disabled), and deleting Routing>BFD. Which would leave me unable to connect except by MAC again.

ucp.php?mode=activate&u=201589&k=yxpeh9 ... 4e0fg6rcod

Mikrotik has little excuse for not making such a commonly desired function (i.e., using a WiFi device as just a "dumb" non-routing home AP) easier to configure. It should be possible with a single click changing "Router" to "Bridge", similar to the way it's presented in the "WISP AP" Quick Set mode. On many routers that's pretty much how it works. Well, home routers anyway. But obviously Mikrotik devices are not very strongly oriented toward the typical home user. They must be more worried about home users accidentally disabling the routing functions. But making a "Home Dual AP Router" and a separate "Home Dual AP Bridge" mode would not be something the Mikrotik engineers should have any trouble creating.

I know about CAPsMAN but haven't gotten to the stage where I'm comfortable actually replacing the main gateway/router with another Mikrotik device which could then manage the hAP in CAP mode. I have to assume that would make parts of this kind of setup a bit easier, with the managed APs automatically deferring the routing functions to the CAPsMAN gateway router device.
 
RedBearAK
just joined
Topic Author
Posts: 5
Joined: Mon May 23, 2022 3:57 am

Re: Bridged hAP-AC2, can only connect via MAC

Tue May 24, 2022 8:17 am

Config exported for review:

/interface bridge
add admin-mac=DC:2C:6E:EA:nn:nn auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX \
    country="united states3" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=RBNS-hAP-AC2 wireless-protocol=\
    802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=RBNS-hAP-AC2 wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
add interface=bridge list=LAN
add interface=ether1 list=LAN
/ip dhcp-client
add disabled=yes interface=bridge
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    0.0.0.0 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.19.19.2 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Anchorage
/system identity
set name=hAP-AC2
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Anything else here going to cause a problem as a simple access point?
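An added example, not code from this thread or from MikroTik, to check an exported config for the interface-list mistake mkx and 2frogs describe: a small Python lint that parses an export (joining backslash-continued lines), flags a bridge that is missing from the LAN list while its slave ports are listed individually, and flags an enabled input drop on !LAN that would then block WinBox/WebFig on the bridge IP. The sample export is constructed, not taken from the thread.

```python
import re
import shlex

# Constructed sample export (not from the thread) with the defect 2frogs describes:
# the bridge is missing from the LAN list, its slave ports are listed one by one,
# and the default input drop rule is still enabled.
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=DC:2C:6E:EA:00:00 auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add interface=ether2 list=LAN
add interface=wlan1 list=LAN
/ip firewall filter
add action=drop chain=input comment=\\
    "defconf: drop all not coming from LAN" in-interface-list=!LAN
"""


def parse_export(text):
    """Return (section, {key: value}) pairs for every add/set line of an export."""
    # RouterOS wraps long lines with a trailing backslash and indents the rest.
    joined = re.sub(r"\\\n\s*", "", text)
    section, entries = None, []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        words = shlex.split(line)  # honours quoted values such as comment="..."
        kv = {"_cmd": words[0]}
        kv.update(w.split("=", 1) for w in words[1:] if "=" in w)
        entries.append((section, kv))
    return entries


def check_lan_list(entries, list_name="LAN"):
    """Flag interface-list mistakes that break management on a bridged AP."""
    bridges = {e["name"] for s, e in entries if s == "/interface bridge" and "name" in e}
    slaves = {e["interface"]: e["bridge"] for s, e in entries
              if s == "/interface bridge port" and "interface" in e}
    members = {e["interface"] for s, e in entries
               if s == "/interface list member" and e.get("list") == list_name}
    findings = [f"bridge '{b}' is not a member of list {list_name}"
                for b in sorted(bridges - members)]
    # Routed traffic from a slave port arrives with in-interface=bridge, so listing
    # the port on its own does not satisfy in-interface-list rules.
    for port in sorted(slaves.keys() & members):
        findings.append(f"'{port}' is a slave of '{slaves[port]}' but listed in {list_name} on its own")
    for s, e in entries:
        if (s == "/ip firewall filter" and e.get("chain") == "input" and e.get("action") == "drop"
                and e.get("disabled") != "yes" and e.get("in-interface-list") == "!" + list_name
                and bridges - members):
            findings.append(f"enabled input drop on !{list_name} blocks WinBox/WebFig on the bridge IP")
    return findings
```

Run `check_lan_list(parse_export(open("export.rsc").read()))` on a real `/export` file; an empty list means the bridge is in LAN and no slave port is listed on its own.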
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridged hAP-AC2, can only connect via MAC

Tue May 24, 2022 2:10 pm

Yes, you have not set it up correctly to be a simple switch access point.
viewtopic.php?t=182276

There is no WAN, no LAN, no pool etc...........
Minimize and simplify.........
Something like this except you only have one flat subnet....... not vlans...
/interface bridge
add ingress-filtering=no name=bridge
/interface list
add name=management
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX \
    country="united states3" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=RBNS-hAP-AC2 wireless-protocol=\
    802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=RBNS-hAP-AC2 wireless-protocol=802.11 wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=management
/interface list member
add interface=bridge list=management
/ip address
add address=192.168.88.??/24 interface=bridge network=192.168.88.00
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set winbox address=as-required
set api-ssl disabled=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
 
RedBearAK
just joined
Topic Author
Posts: 5
Joined: Mon May 23, 2022 3:57 am

Re: Bridged hAP-AC2, can only connect via MAC

Wed May 25, 2022 12:36 pm

If there were vlans they must have been created by the Quick Set options. I know very little about that.

I used this post to make a cleaner config after doing a no-defaults reset:
viewtopic.php?p=905562#p905562

Seems a lot shorter:
/interface bridge
add name=bridge1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
    dynamic-keys name=secure supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX \
    country="united states3" disabled=no frequency=auto installation=indoor \
    mode=ap-bridge security-profile=secure ssid=RBNS-hAP-AC2 \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-XXXX disabled=no frequency=auto installation=indoor mode=\
    ap-bridge security-profile=secure ssid=RBNS-hAP-AC2 wireless-protocol=\
    802.11 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge1 interface=all
/ip dhcp-client
add interface=bridge1
/system clock
set time-zone-name=America/Anchorage
/system identity
set name=Mikrotik.AP

The Wi-Fi channel setups ended up backwards for some reason. I had to fix that but otherwise it seemed to work OK.

But now I'm wondering if there is a good guide to setting the Wi-Fi options to maximize the speed of the connection, especially for the 5GHz band.
