paradoxutopia
just joined
Topic Author
Posts: 2
Joined: Wed Oct 13, 2021 6:42 am

Lost management access to AP, how to regain access?

Fri Oct 15, 2021 5:52 am

I have a hAP ac2 configured as a CAP.

I tried to enable VLAN-filtering, and have now lost webpage (WebFig?) access to my AP. I tried to follow the steps in https://wiki.mikrotik.com/wiki/Manual:I ... figuration to allow untagged (straight from my MacBook via ethernet cable) access, but that didn't seem to work.

I have two bridges, so I feel like that is the culprit, but I am unable to access the router's management page.

This is the last configuration, before I enabled vlan-filtering on bridge=cap_bridge.

What I would appreciate help with is, given I have a MacBook, how can I regain access to my router?

I can plug into eth5 and access WAN; when I plug into ports 2,3,4, I get assigned an IP (usually 192.168.88.254) but cannot ping 192.168.88.1 or 8.8.8.8.
/interface bridge
add admin-mac=2C:C8:1B:D1:C9:68 auto-mac=no comment=defconf name=bridge
add name=cap_bridge
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-D1C96C wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5765/20-Ceee/ac(28dBm), SSID: sanctuary-5, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-D1C96D wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment="Management Access Port on eth2" interface=ether2
add bridge=bridge comment="Management Access Port on eth3" interface=ether3
add bridge=bridge comment="Port 4 on iot vlan" interface=ether4 pvid=30
add bridge=cap_bridge comment="Port 5 on private vlan" interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=cap_bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment="vlan1 access port on eth2/eth3" untagged=ether2,ether3 vlan-ids=1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
# 
set bridge=cap_bridge discovery-interfaces=cap_bridge enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
add disabled=no interface=cap_bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system identity
set name="MikroTik hac2-2"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Lost management access to AP, how to regain access?

Fri Oct 15, 2021 4:21 pm

Yup!
(1) Read and use this as a setup model, examples for your scenario are there.
viewtopic.php?t=143620
The article however doesn't use capsman, neither do I, it's not worth it IMHO unless you have over 3 cap type devices.

(2) One bridge for sure.

(3) What I do is take an unused etherport on the hapac, let's say ether5
interface name=ether5-emergaccess

Remove it from the bridge!
give it an IP address of 192.168.5.2

Add it to the LAN interface members list
Add it to a management interface if you have one.

In this regard you will be able to plug your laptop into ether5, with an IP address of 192.168.5.3 or .5 etc., and gain access to your router, bypassing any hiccups that occur on the vlan and bridge setup.
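
The emergency-access port from step (3), turned into a pre-change check; this is an added example, not code from the thread. It parses a RouterOS export (assumed one item per line, no line continuations) and lists interfaces that hold an IP address, belong to the LAN list, and are not part of any bridge, so an empty result means management depends entirely on the bridge configuration. The function names, the /24 mask and the abridged sample exports are assumptions.

```python
import re
from collections import defaultdict

def parse_export(text):
    """Group the add/set lines of a RouterOS export under their menu path."""
    menus, path = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
        elif path and line.split()[0] in ("add", "set"):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)  # values may be quoted
            menus[path].append({k: v.strip('"') for k, v in pairs})
    return menus

def standalone_mgmt_interfaces(text, mgmt_list="LAN"):
    """Interfaces with an IP that are in mgmt_list and are neither a bridge nor a bridge port."""
    m = parse_export(text)
    bridges = {b.get("name") for b in m["/interface bridge"]}
    ports = {p.get("interface") for p in m["/interface bridge port"]}
    trusted = {x.get("interface") for x in m["/interface list member"]
               if x.get("list") == mgmt_list}
    return sorted(a["interface"] for a in m["/ip address"]
                  if a.get("interface") in trusted - bridges - ports - {None})

# Constructed sample: abridged from the export posted in this thread.
PORT5 = 'add bridge=cap_bridge comment="Port 5 on private vlan" interface=ether5 pvid=10\n'
BEFORE = (
    "/interface bridge\n"
    "add admin-mac=2C:C8:1B:D1:C9:68 auto-mac=no comment=defconf name=bridge\n"
    "add name=cap_bridge\n"
    "/interface bridge port\n"
    'add bridge=bridge comment="Management Access Port on eth2" interface=ether2\n'
    + PORT5 +
    "/interface list member\n"
    "add comment=defconf interface=bridge list=LAN\n"
    "/ip address\n"
    "add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0\n"
)
# Constructed: the same export after the suggested change (the /24 mask is an assumption).
AFTER = BEFORE.replace(PORT5, "") + (
    "/interface list member\n"
    "add interface=ether5-emergaccess list=LAN\n"
    "/ip address\n"
    "add address=192.168.5.2/24 interface=ether5-emergaccess\n"
)

if __name__ == "__main__":
    print("before:", standalone_mgmt_interfaces(BEFORE))
    print("after: ", standalone_mgmt_interfaces(AFTER))
```

Running the check against an export before enabling vlan-filtering shows whether a fallback port exists that the bridge change cannot cut off.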
 
paradoxutopia
just joined
Topic Author
Posts: 2
Joined: Wed Oct 13, 2021 6:42 am

Re: Lost management access to AP, how to regain access?

Fri Oct 15, 2021 5:43 pm

Awesome Anav! I will do that going forward. I feel like the part I missed was adding the eth5 to the LAN interface members list? For me, I wanted eth2/3 to be like the management port, so that's on a separate bridge from where the vlan-filtering is enabled, so it seems like if I had added eth2/3 to the LAN interface members list, and assigned an IP to those ports, it would work?

I will definitely just have one bridge going forward, but trying to understand where else I went wrong.

Yea, I haven't found Capsman to be super useful, but wanted to try it out since I'm new to MikroTik and it seems like a fancy feature. But also doesn't make sense if/when I want APs that are not MikroTik branded.

Could you assist me in getting back into the router? I have not tried resetting yet, because all the times I've held the reset button for the various combinations outlined in https://wiki.mikrotik.com/wiki/Manual:Reset (for a separate hap ac2 unit) failed.
