I tried to enable VLAN-filtering, and have now lost webpage (WebFig?) access to my AP. I tried to follow the steps in https://wiki.mikrotik.com/wiki/Manual:I ... figuration to allow untagged (straight from my MacBook via ethernet cable) access, but that didn't seem to work.
I have two bridges, so I feel like that is the culprit, but I am unable to access the router's management page.
This is the last configuration before I enabled VLAN-filtering on bridge=cap_bridge.
What I would appreciate help with is, given I have a MacBook, how can I regain access to my router?
I can plug into eth5 and access WAN; when I plug into ports 2,3,4, I get assigned an IP (usually 192.168.88.254) but cannot ping 192.168.88.1 or 8.8.8.8.
# Two independent bridges are defined. This export was taken before VLAN
# filtering was switched on, so neither line carries a vlan-filtering setting.
/interface bridge
# "bridge": the default-config bridge with a pinned MAC (auto-mac=no). Elsewhere in
# this export it holds 192.168.88.1/24, the DHCP server and the only LAN list entry.
add admin-mac=2C:C8:1B:D1:C9:68 auto-mac=no comment=defconf name=bridge
# "cap_bridge": second bridge; ether1 and ether5 are attached to it under
# /interface bridge port, and the CAP client and a DHCP client reference it.
add name=cap_bridge
# Local radio settings. The export itself flags both radios as managed by CAPsMAN,
# so the SSIDs below (MikroTik-D1C96C / MikroTik-D1C96D) are the local values only;
# the wlan2 status comment shows a different SSID (sanctuary-5) actually in use.
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-D1C96C wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5765/20-Ceee/ac(28dBm), SSID: sanctuary-5, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-D1C96D wireless-protocol=802.11
# Interface lists used by the firewall, neighbor discovery and the MAC server.
# Membership is assigned later under /interface list member.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Only supplicant-identity is shown for the default profile; no authentication
# settings are visible in this export.
# NOTE(review): effective wireless security presumably comes from the CAPsMAN
# controller - confirm there, not from this file.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pool for 192.168.88.0/24; the server is bound to "bridge", so only clients
# reaching that bridge are served from this pool.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# Port-to-bridge assignment.
#   bridge:     ether2, ether3 (no pvid given), ether4 (pvid=30), wlan1, wlan2
#   cap_bridge: ether5 (pvid=10), ether1 (no pvid given)
# ether1 is also the WAN list member and has a DHCP client configured on it, but
# here it is a port of cap_bridge.
# NOTE(review): wlan1/wlan2 are ports of "bridge" while /interface wireless cap
# hands the same radios to CAPsMAN with bridge=cap_bridge - confirm which
# attachment is intended.
/interface bridge port
add bridge=bridge comment="Management Access Port on eth2" interface=ether2
add bridge=bridge comment="Management Access Port on eth3" interface=ether3
add bridge=bridge comment="Port 4 on iot vlan" interface=ether4 pvid=30
add bridge=cap_bridge comment="Port 5 on private vlan" interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=cap_bridge interface=ether1
# Neighbor discovery is limited to the LAN list (which contains only "bridge").
/ip neighbor discovery-settings
set discover-interface-list=LAN
# The VLAN table has a single static entry: VLAN 1 on "bridge", untagged on
# ether2 and ether3. There is no static entry for cap_bridge, and none for the
# PVIDs 10 and 30 used on ether5 and ether4; the bridge interface itself is not
# listed as a member of any VLAN.
# NOTE(review): with vlan-filtering enabled, a port whose PVID shares no VLAN
# with the bridge/CPU port or the uplink is likely isolated from them - confirm
# the resulting (including dynamic) VLAN table on the device before enabling it.
/interface bridge vlan
add bridge=bridge comment="vlan1 access port on eth2/eth3" untagged=ether2,ether3 vlan-ids=1
# Interface-list membership: LAN = bridge, WAN = ether1. cap_bridge is in neither
# list, although ether1 is configured as one of its ports under
# /interface bridge port.
# NOTE(review): on RouterOS, IP traffic through a bridge port is normally seen as
# arriving on the bridge, so rules keyed on the WAN list may not match traffic
# that actually enters or leaves via cap_bridge - confirm, and consider which
# interface should carry the WAN membership.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# CAP client: discovers its CAPsMAN controller over cap_bridge and hands both
# radios to it.
/interface wireless cap
#
set bridge=cap_bridge discovery-interfaces=cap_bridge enabled=yes interfaces=wlan1,wlan2
# Management address of the device; it lives on "bridge" only.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
# Two DHCP clients. The warning below is emitted by the export itself; ether1 is
# the entry sitting on a bridge port, so the client on cap_bridge is presumably
# the one that obtains the upstream lease - confirm.
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
add disabled=no interface=cap_bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# The router answers DNS queries from remote hosts. Nothing here restricts who may
# query; exposure is limited only by the input-chain rule that drops traffic not
# coming from the LAN list.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Default-config firewall. Rule order matters: rules are evaluated top to bottom.
# Input chain (traffic to the router itself): accept established/related/untracked,
# drop invalid, accept ICMP, accept loopback, then drop everything that does not
# arrive on a LAN-list interface. Because LAN contains only "bridge", WebFig and
# other management services are reachable solely through that bridge.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain (traffic through the router). There is no final catch-all drop;
# the only rule blocking new inbound connections is the last one, and it matches
# on in-interface-list=WAN.
# NOTE(review): WAN contains ether1, which is a port of cap_bridge. If upstream
# traffic is seen as arriving on cap_bridge, this drop rule would not match and
# new connections from upstream toward 192.168.88.0/24 would be forwarded -
# confirm, e.g. via the rule's packet counters.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Source NAT for traffic leaving via a WAN-list interface.
# NOTE(review): the same list-membership question applies - if traffic leaves via
# cap_bridge rather than ether1, this masquerade rule would not match, and LAN
# clients would reach upstream un-NATed (or not at all) - confirm.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system identity
set name="MikroTik hac2-2"
# MAC Telnet and MAC WinBox are accepted only on LAN-list interfaces, i.e. on
# "bridge" (ether2-ether4, wlan1, wlan2 per /interface bridge port). These are
# layer-2 management paths that do not depend on the 192.168.88.1 address, so
# they remain a way in from those ports when IP access to the router is broken.
# Keeping them limited to the LAN list prevents exposure on the uplink side.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN