Hello.

I have some troubles with connection to wAP ac through WinBox or WebFig.

My setup:

wAP ac connected to switch CRS354, that connected to router CCR1009, that connected to WAN. PC connected to switch.

Both router and switch reset before any configuration:


Router LAN configuration:


DHCP server setted up on router for 192.168.1.0/24.

Switch configuration:

No DHCP server or client is configured on switch.

On switch in interfaces list, I see some traffic on interface where wAP ac connected.

In router, with "/ip dhcp-server lease print", I see wAP ac IP (probably, WAN IP in context of AP, not its own LAN IP) and MAC.

But, default wAP ac LAN IP is "192.168.88.1", so it is unreachable in my setup in "192.168.1.0/24" LAN.

I can connect to the wAP ac with Wi-Fi and access WebFig on "192.168.88.1". In this way, I think, it is possible to configure wAP ac for "192.168.1.0/24" network and then, probably, it will be reachable in LAN. But this is huge work, because I have a few dozens of this AP`s and doing all this work manually is annoying.

Maybe, it is possible to configure something in router or\and swtich that allows to reach this wAP ac throug LAN without any configuration through Wi-Fi?

Thanks.

Ensure you have a trusted LAN.
All smart devices should get a LANIP on this subnet.
Then you are well on your way to ensuring access.

Read for setup ideas.
viewtopic.php?t=143620

You can configure CAPsMAN on your router and set each wAP in CAPsMAN mode using the reset button.

https://wiki.mikrotik.com/wiki/Manual:Reset

Or use NetInstall to install a new default configuration.

https://wiki.mikrotik.com/wiki/Manual:Netinstall

Otherwise, you will have to connect to the wifi of each to configure using winbox or webfig. This is due to the default configuration on the wAP.

You can configure CAPsMAN on your router and set each wAP in CAPsMAN mode using the reset button.

https://wiki.mikrotik.com/wiki/Manual:Reset

Or use NetInstall to install a new default configuration.

https://wiki.mikrotik.com/wiki/Manual:Netinstall

Otherwise, you will have to connect to the wifi of each to configure using winbox or webfig. This is due to the default configuration on the wAP.

I configure CAPsMAN on my router (https://wiki.mikrotik.com/wiki/Manual:S ... sMAN_setup), then connect directly to one of wAP ac through Wi-Fi, in "quick set" change mode to "CAP", check automatic IP address detection from "any" source, and... Nothing. CAPsMAN does not see any cap's. Documentation says that CAP is not requre configuration and defaul CAP-mode is enought.

I can see AP device in DHCP leases with lan IP, like in my first post.

WinBox cant connect to AP, using IP or MAC, and dont see AP as neighbors (L2 issues because of "pc->router->switch->ap" chain?)

Any ideas? Maybe need to add some firewall rules on switch, to which AP is connected?

SOLVED.

Main issue is a default firevall rule on wAP AC "Drop all not coming from LAN" rule (#5 in list "IP -> Firewall -> Filter Rules").

My solution:

1. Connect to AP with Wi-Fi.
2. Go to "192.168.88.1", enter WebFig.
3. Go to "IP -> Firewall -> Filter Rules", find rule "Drop all not coming from LAN" and disable it.

After this, WinBox can connect to AP by IP, WebFig is also reached from PC by AP LAN IP.

And final steps specific for CAPsMAN:

4. Update AP RouterOS with "System -> Packages -> Check for Updates". AP go to reboot.
5. After AP update and reboot, reset AP completely to CAPsMAN mode with "System -> Reset Configuration -> CAPS mode". AP go to reboot. After resetting and rebooting, AP will occur in router CAPsMAN GUI interface.

DO NOT just connect to AP with Wi-Fi and set "CAP" mode in WebFig interface. Looks like this do not reset some firewall rules or so, and AP goes to unusable state: connect to AP with Wi-Fi is no more awailable, CAPsMAN also dont see it, WinBox and WebFig cant connect. In this case, manual resetting is a solution (https://help.mikrotik.com/docs/display/ ... andjumpers)

VLAN is to difficult for me now, but, I think, it is most correct solution and can work with above firevall LAN rule.