Hi everyone,
I have a connection problem between my Mikrotik router and a Vodafone router that I want to use as AP.
Basic info:
Mikrotik: CCR2004
Vodafone: H500-S
RouterOS: 7.4.1

This is what I did:

Because I'm using a SFP-RJ45 module, I disabled auto negotiation and limited the rate to 1Gbps
I made a bridge between interfaces, including the interface I'm using to connect the AP
In the firewall, I activated NAT/masquerade

All devices in my network (Directedly connected to the MTK or thought a switch) are working fine and had access to internet.
The only device not working is this AP: I can't ping from and the two devices! The AP can't get an IP from the DHCP of the MTK...

[Update]
When I connect the AP with the switch (Connected to the MTK), the AP can get IP address and DNS, and internet (ping 8.8.8..
But I remarqued that when I'm connected with PC to AP's wifi, I can't reach internet, and the problem of ping between the AP and the MTK still no resolved.


I'm new in Mikrotik devices, and I believe I'm missing a basic thing.

Thank you in advance.

Probably but how can I best investigate the issues....... Crystal ball, tarot cards, speculating........
OR
post network diagram
and
/export config (minus public WANIP info)

Hi,
Thanks for your reply.
Attached the diagram.
Next, the config:

***********************************
# aug/26/2022 09:57:17 by RouterOS 7.4.1
# software id = 1FG4-CGSK
#
# model = CCR2004-1G-12S+2XS
# serial number = D4F00C20652D
/interface bridge
add name=LAN1-INFO_Bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Management Port" name=\
"Ethernet1-Mgmt Port"
set [ find default-name=sfp-sfpplus1 ] name="SFP+01->Dell T430 DAC1"
set [ find default-name=sfp-sfpplus2 ] name="SFP+02->Dell T430 DAC2"
set [ find default-name=sfp-sfpplus3 ] name="SFP+03->INFO2 (Local C)"
set [ find default-name=sfp-sfpplus4 ] name="SFP+04->INFO3 (LocalC)"
set [ find default-name=sfp-sfpplus5 ] name="SFP+05->INFO1 (Local D)"
set [ find default-name=sfp-sfpplus6 ] name="SFP+06->Dell R820 DAC1"
set [ find default-name=sfp-sfpplus7 ] name="SFP+07->Dell R820 DAC2"
set [ find default-name=sfp-sfpplus8 ] name="SFP+08->HP DL 360 DAC1"
set [ find default-name=sfp-sfpplus9 ] name=SFP+09
set [ find default-name=sfp-sfpplus10 ] name=SFP+10
set [ find default-name=sfp-sfpplus11 ] auto-negotiation=no comment=\
"AP1_Local D" name=SFP+11->AP1
set [ find default-name=sfp-sfpplus12 ] auto-negotiation=no comment=\
"To IAM Modem 192.168.2.1" name="SFP+12-> IAM Modem"
set [ find default-name=sfp28-1 ] name=SFP28-01
set [ find default-name=sfp28-2 ] name=SFP28-02
/interface list
add name=WAN
add name=LAN1-INFO
add name=LAN2-CAM
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.8.100-192.168.8.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN1-INFO_Bridge lease-time=11m name=\
dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=LAN1-INFO_Bridge interface="SFP+01->Dell T430 DAC1"
add bridge=LAN1-INFO_Bridge interface="SFP+02->Dell T430 DAC2"
add bridge=LAN1-INFO_Bridge interface="SFP+05->INFO1 (Local D)"
add bridge=LAN1-INFO_Bridge interface="SFP+03->INFO2 (Local C)"
add bridge=LAN1-INFO_Bridge interface="SFP+04->INFO3 (LocalC)"
add bridge=LAN1-INFO_Bridge interface="SFP+06->Dell R820 DAC1"
add bridge=LAN1-INFO_Bridge interface="SFP+07->Dell R820 DAC2"
add bridge=LAN1-INFO_Bridge interface="SFP+08->HP DL 360 DAC1"
add bridge=LAN1-INFO_Bridge interface="SFP+12-> IAM Modem"
add bridge=LAN1-INFO_Bridge interface=SFP+11->AP1
/ip address
add address=192.168.3.1/24 comment=defconf interface="Ethernet1-Mgmt Port" \
network=192.168.3.0
add address=192.168.2.2/24 comment="Connect to IAM Modem: 192.168.2.1" \
interface="SFP+12-> IAM Modem" network=192.168.2.0
add address=192.168.8.1/24 interface=LAN1-INFO_Bridge network=192.168.8.0
/ip dhcp-server network
add address=192.168.8.0/24 dns-server=192.168.8.5,8.8.8.8 gateway=192.168.8.1
/ip dns
set servers=192.168.8.5,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/system clock
set time-zone-name=Africa/Casablanca
/system identity
set name=DSTM-MTK
/system ntp client
set mode=broadcast
/system ntp client servers
add address=id.pool.ntp.org
***********************************
Thank you in advance

Why is WAN port on LAN bridge??
add bridge=LAN1-INFO_Bridge interface="SFP+12-> IAM Modem"

From what you included in your config (only a partial it seems), thats all I see.

Hi,
Thanks for replying.
I did the modification by removing WAN port from LAN bridge.
But this didn't resolve the AP problem: The MTK sill not "seeing" the AP directly connected to the MTK.
When I plug the AP in a no Mikrotik router I can ping between the two devices, and the AP gets internet in addition!
Once replaced under MTK, it doesn't work.
I suspect a firewall blocking rule in the MTK.
Any idea?
Thanks.

I already told you.
Please post FULL Config of both MT and AP. ( one that shows the firewall rules not part of the config )

/ip firewall nat
add action=masquerade chain=srcnat missing out-interface-list=WAN

since its a fixed IP better is
/ip firewall nat
add action=src-nat chain-srcnat to-addresses=192.168.2.2 out-interface="SFP+12-> IAM Modem"

Hi,

next the config:


# aug/31/2022 12:06:11 by RouterOS 7.4.1
# software id = 1FG4-CGSK
#
# model = CCR2004-1G-12S+2XS
# serial number = D4F00C20652D
/interface bridge
add name=LAN1-INFO_Bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Management Port" name=Ether1
set [ find default-name=sfp-sfpplus1 ] comment="->Dell T430 DAC1" name=SFP+01
set [ find default-name=sfp-sfpplus2 ] comment="->Dell T430 DAC2" name=SFP+02
set [ find default-name=sfp-sfpplus3 ] comment="->INFO2 (Local C)" name=SFP+03
set [ find default-name=sfp-sfpplus4 ] comment="->INFO3 (LocalC)" name=SFP+04
set [ find default-name=sfp-sfpplus5 ] comment="->INFO1 (Local D)" name=SFP+05
set [ find default-name=sfp-sfpplus6 ] comment="->Dell R820 DAC1" name=SFP+06
set [ find default-name=sfp-sfpplus7 ] comment="->HP DL360e DAC1" name=SFP+08
set [ find default-name=sfp-sfpplus9 ] name=SFP+09
set [ find default-name=sfp-sfpplus10 ] name=SFP+10
set [ find default-name=sfp-sfpplus11 ] auto-negotiation=no comment="AP1_Local D" name=SFP+11
set [ find default-name=sfp-sfpplus12 ] auto-negotiation=no comment="IAM Modem 192.168.2.1" name=SFP+12
set [ find default-name=sfp28-1 ] name=SFP28-01
set [ find default-name=sfp28-2 ] name=SFP28-02
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.8.100-192.168.8.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN1-INFO_Bridge lease-time=11m name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=LAN1-INFO_Bridge interface=SFP+01
add bridge=LAN1-INFO_Bridge interface=SFP+02
add bridge=LAN1-INFO_Bridge interface=SFP+03
add bridge=LAN1-INFO_Bridge interface=SFP+04
add bridge=LAN1-INFO_Bridge interface=SFP+05
add bridge=LAN1-INFO_Bridge interface=SFP+06
add bridge=LAN1-INFO_Bridge interface=SFP+08
add bridge=LAN1-INFO_Bridge interface=SFP+09
add bridge=LAN1-INFO_Bridge interface=SFP+10
add bridge=LAN1-INFO_Bridge interface=SFP+11
/interface list member
add interface=LAN1-INFO_Bridge list=LAN
add interface=SFP+12 list=WAN
/ip address
add address=192.168.8.1/24 interface=LAN1-INFO_Bridge network=192.168.8.0
add address=192.168.2.2/24 interface=SFP+12 network=192.168.2.0
/ip dhcp-server network
add address=192.168.8.0/24 dns-server=192.168.8.5,8.8.8.8 gateway=192.168.8.1
/ip dns
set servers=192.168.8.5,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=SFP+12
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Africa/Casablanca
/system gps
set set-system-time=yes
/system identity
set name=DSTM-MTK
/system ntp client
set mode=broadcast
/system ntp client servers
add address=id.pool.ntp.org

Okay I will assume you have no firewall rules and thus please install the following.......

Hi,
Thanks for replying.
I add rules you sent, but the AP still not getting connection from the MT.
What is strange, is that when I take the AP and I plug it the the Cisco switch, all works fine! Once plugged directly to MT, it doesn't work: no ping, no internet.
The config:

/interface bridge
add name=LAN1-INFO_Bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Management Port" name=Ether1
set [ find default-name=sfp-sfpplus1 ] comment="->Dell T430 DAC1" name=SFP+01
set [ find default-name=sfp-sfpplus2 ] comment="->Dell T430 DAC2" name=SFP+02
set [ find default-name=sfp-sfpplus3 ] comment="->INFO2 (Local C)" name=\
SFP+03
set [ find default-name=sfp-sfpplus4 ] comment="->INFO3 (LocalC)" name=SFP+04
set [ find default-name=sfp-sfpplus5 ] comment="->INFO1 (Local D)" name=\
SFP+05
set [ find default-name=sfp-sfpplus6 ] comment="->Dell R820 DAC1" name=SFP+06
set [ find default-name=sfp-sfpplus7 ] comment="->HP DL360e DAC1" name=SFP+08
set [ find default-name=sfp-sfpplus9 ] name=SFP+09
set [ find default-name=sfp-sfpplus10 ] name=SFP+10
set [ find default-name=sfp-sfpplus11 ] auto-negotiation=no comment=\
"AP1_Local D" name=SFP+11
set [ find default-name=sfp-sfpplus12 ] auto-negotiation=no comment=\
"IAM Modem 192.168.2.1" name=SFP+12
set [ find default-name=sfp28-1 ] name=SFP28-01
set [ find default-name=sfp28-2 ] name=SFP28-02
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.8.100-192.168.8.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN1-INFO_Bridge lease-time=11m name=\
dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=LAN1-INFO_Bridge interface=SFP+01
add bridge=LAN1-INFO_Bridge interface=SFP+02
add bridge=LAN1-INFO_Bridge interface=SFP+03
add bridge=LAN1-INFO_Bridge interface=SFP+04
add bridge=LAN1-INFO_Bridge interface=SFP+05
add bridge=LAN1-INFO_Bridge interface=SFP+06
add bridge=LAN1-INFO_Bridge interface=SFP+08
add bridge=LAN1-INFO_Bridge interface=SFP+09
add bridge=LAN1-INFO_Bridge interface=SFP+10
add bridge=LAN1-INFO_Bridge interface=SFP+11
/interface list member
add interface=LAN1-INFO_Bridge list=LAN
add interface=SFP+12 list=WAN
/ip address
add address=192.168.8.1/24 interface=LAN1-INFO_Bridge network=192.168.8.0
add address=192.168.2.2/24 interface=SFP+12 network=192.168.2.0
/ip dhcp-server network
add address=192.168.8.0/24 dns-server=192.168.8.5,8.8.8.8 gateway=192.168.8.1
/ip dns
set servers=192.168.8.5,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface=SFP+12
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10
/system clock
set time-zone-name=Africa/Casablanca
/system gps
set set-system-time=yes
/system identity
set name=DSTM-MTK
/system ntp client
set mode=broadcast
/system ntp client servers
add address=id.pool.ntp.org



Many thanks

Did you set the IP address manually in the MT.
Go to DHCP leases add the ip address and the mac address of the AP. not much else I can think of.

Hi Anav,
I added the mac of 2 APs, and things seem working for now.
I'm thankful for your patience and help.
PS: the two addresses I added are in "waiting" statut, I don't know if does matter ....

Can I ask you briefly (Cause I should open one other topic for this): As you saw in the diagram in my first post, my MT is behind an ISP modem. It have a public IP. witch way should I explore to do a remote access to my LAN (example my MT) from the WAN (Forwarding ports, VPN, cloud....). I'm looking for security first.

Thanks a lot.

Ensure you update to version 7.5 latest stable firmware and use Wireguard.
viewtopic.php?t=182340


From where and what devices do you plan on accessing the router for config purposes or its subnets to access data ???

Hi,
For update, I'm planning to do it this weekend cause I can't during production time...
For remote access, I want to access the MT from PC for config trough Winbox, may be accessing also some PCs in my LAN ...
Thank you.

Assuming you dont have an MT router at home so a windows client on the pC should work.
As well if you have an IOS device it will work with wireguard client.
I use my iphone with wireguard client and then use the mikrotik app to config the router