Simple AP setup for home

Świętopełek · Fri Dec 23, 2022 3:20 pm

Hi,

Would anyone be so kind as to help with this simple setup for mAP lite please?
It is a tiny access point, that has only two interfaces: 1 wifi and 1 ethernet port.

It will be constantly connected to my home network wifi.
I'd like it to pass any traffic from wifi / LAN, to any device that will be connected through the ethernet port.
Basically, I would like it to work similarly to unmanaged switch connected to LAN.

network architecture.png

# dec/23/2022 13:54:33 by RouterOS 7.6
# software id = K6BA-06RU
#
# model = RBmAPL-2nD
# serial number = NNNNNNNNNNNN
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface bridge
add admin-mac=NN:NN:NN:NN:NN:NN auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=NNNNNNNNNNNN disabled=no distance=indoors frequency=auto installation=\
    indoor ssid=NNNNNNNNNNNN wireless-protocol=nv2-nstreme-802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.88.3-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge ingress-filtering=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=wlan1 list=LAN
add interface=ether1 list=LAN
add interface=bridge list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip dhcp-client
add interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=NNNNNNNNNNNN
/system ntp client
set enabled=yes
/system ntp client servers
add address=europe.pool.ntp.org
/system scheduler
add interval=1w name=auto-upgrade on-event="/system package update\r\
    \ncheck-for-updates once\r\
    \n:delay 3s;\r\
    \n:if ( [get status] = \"New version is available\") do={ install }" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/25/2022 start-time=03:30:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Just to be specific:

Although it's currently getting IP from DHCP I'm unable to connect to it via Winbox using IP address. Only MAC connection works. How to fix that?
NTP Client is unable to connect. Ping 8.8.8.8 is not working. How to fix that?
How to configure it so it will work just like a LAN switch for device connected via ether1 port? My gateway is 192.168.0.1.
For the setup displayed above, do I need Firewall at all? Can I remove ALL rules?

mkx · Fri Dec 23, 2022 3:38 pm

You can start off by removing complete firewall section on mAP.
Also remove/disable DHCP server, PC4 should obtain IP address from main DHCP server. Set wireless mode to "station-bridge". If possible, get rid of wpa-psk and tkip settings (keep wpa2-psk and aes-ccm).
Also unset the limitation to access router via MAC only from LAN, everything is LAN in your case.

Do yourself a favour and don't install new ROS version from scheduler ... some come out as very bad and if you insist, be prepared to netinstall your device ocassionally.

Świętopełek · Fri Dec 23, 2022 4:11 pm

Thank you! I have applied all the rules and recommendations above, apart from:
"unset the limitation to access router via MAC only from LAN" - I was not sure where to configure it.

Unfortunately after setting wireless mode to "station bridge" I lost access to it - it's no longer visible for WinBox.
I will try connecting via ethernet.

mkx · Fri Dec 23, 2022 4:30 pm

Thank you! I have applied all the rules and recommendations above, apart from:
"unset the limitation to access router via MAC only from LAN" - I was not sure where to configure it.

I was referring to this part:

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

.

Unfortunately after setting wireless mode to "station bridge" I lost access to it - it's no longer visible for WinBox.
I will try connecting via ethernet.

Right. I overlooked that you were still using mAP as AP. You need to configure SSID and PSK that matches main AP's settings. That would allow mAP to connect (wirelessly) with AP and the rest of network.

Use winbox, connect to ether port and click MAC address ... this makes working IP setup on mAP unnecessary.

Fri Dec 23, 2022 4:36 pm

Do yourself a favour and don't install new ROS version from scheduler ... some come out as very bad and if you insist, be prepared to netinstall your device ocassionally.

Stable versions of ROS7 work just fine on our little friend

rextended · Fri Dec 23, 2022 4:43 pm

Paste this on terminal directly, without { at start and } at end:

remove frills for sw+ap only code

/ip neighbor discovery-settings
set discover-interface-list=static
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/ip firewall filter
remove [find where dynamic=no]
/ip firewall nat
remove [find where dynamic=no]
/ip pool
remove [find]
/ip dhcp-server
remove [find]
/ip dhcp-server network
remove [find]
/ip address
remove [find where disabled=yes]
/ip dns static
remove [find]
/ip dns
set allow-remote-requests=no
/interface list member
remove [find]
/interface list
remove [find where builtin=no]
/interface bridge
set bridge comment="" auto-mac=no admin-mac=[/int ethernet get ether1 mac-address] protocol-mode=none
{
/interface bridge port
remove [find]
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
}
/ip cloud
set update-time=no
/system package update
set channel=stable
/ip service
set api disabled=yes
set api-ssl disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
/system clock
set time-zone-autodetect=no

And after that, /export again the config here.

About your script for "auto-upgrade" immediately to just released firmware, you probably can't do bigger shit...

Świętopełek · Fri Dec 23, 2022 5:04 pm

OK, we have this now:

# dec/23/2022 16:01:57 by RouterOS 7.6
# software id = K6BA-06RU
#
# model = RBmAPL-2nD
# serial number = NNNNNNNNNNNNNN
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface bridge
add admin-mac=NN:NN:NN:NN:NN:NN auto-mac=no name=bridge protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=NNNNNNNNNNNNNN disabled=no distance=indoors installation=indoor mode=\
    station-bridge ssid=NNNNNNNNNNNNNN wireless-protocol=nv2-nstreme-802.11
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5
/ip cloud
set update-time=no
/ip dhcp-client
add interface=bridge
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Warsaw
/system identity
set name=NNNNNNNNNNNNNN
/system ntp client
set enabled=yes
/system ntp client servers
add address=europe.pool.ntp.org

rextended · Fri Dec 23, 2022 5:09 pm

Again, like before:

/interface lte apn
set [ find default=yes ] ip-type=auto use-network-apn=yes
/ip settings
set max-neighbor-entries=16384
/ipv6 settings
set max-neighbor-entries=16384
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512

After that, must be fixed this:
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n wireless-protocol=nv2-nstreme-802.11

Is better disable old "B" selecting 2ghz-g/n and the wireless protocol must be 802.11 only.

Final considerations:
Now is all OK, but I do not know if the hAPax2 work on ap-bridge mode because wifiwave2 do not support 4MAC mode.

mkx · Fri Dec 23, 2022 5:15 pm

Wireless protocol in any of station modes can be set to all 3 as it is now ... actual mode will be mandated by AP anyway.

I'd change another thing:

/interface wireless
set [ find default-name=wlan1 ] installation=any

The above setting affects the list of allowed frequencies. Again let AP to lead the way.

rextended · Fri Dec 23, 2022 5:17 pm

(wifiwave2 is not only 802.11???)

installation=any

Nice catch!

mkx · Fri Dec 23, 2022 5:17 pm

Ah, indeed @rextended is right about 4-address mode with wifiwave2 driver. OP might have to revert to "station-pseudobridge" wireless mode instead. That comes with its share of problems though. Not running DHCP client on mAP will make it slightly better (you can always use MAC connection to do the management).

Świętopełek · Fri Dec 23, 2022 5:20 pm

OK I have applied all of the above:

# dec/23/2022 16:17:34 by RouterOS 7.6
# software id = K6BA-06RU
#
# model = RBmAPL-2nD
# serial number = NNNNNNNNNN
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface bridge
add admin-mac=18:NN:NN:NN:NN:NN auto-mac=no name=bridge protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=NNNNNNNNNN disabled=no distance=indoors mode=station-bridge ssid=\
    NNNNNNNNNN wireless-protocol=nv2-nstreme-802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
/ip settings
set max-neighbor-entries=16384
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/ip cloud
set update-time=no
/ip dhcp-client
add interface=bridge
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Warsaw
/system identity
set name=NNNNNNNNNN
/system ntp client
set enabled=yes
/system ntp client servers
add address=europe.pool.ntp.org

So what should we do with that "station bridge" setting?
The main router works in "ap" mode.

rextended · Fri Dec 23, 2022 5:25 pm

Sorry, paste this, your device have less memory than ac2:

/ip settings
set max-neighbor-entries=4096
/ipv6 settings
set max-neighbor-entries=4096

Formerly all is set as expected, except "B" mode and "802.11" only wroted before.

Now the problem is try what wifi mode work with wifiwave2 driver.
Try station-bridge and station-pseudobridge, if fail on both...

Fri Dec 23, 2022 5:26 pm

Wireless itf used for connecting to other AP should be in station.
If any virtual interface is going to be defined on that same mAP Lite (for whatever reason), it should be in bridge.

That's how it works on my device connected to a hAP AC3 with wiwifave2.

But ... AC2 ? That doesn't run wifiwave2.
You mean AX2 ?

rextended · Fri Dec 23, 2022 5:29 pm

I don't have any ax2 device to do some test,
but probably creating an EoIP tunnel between lite wlan1 in station mode and inside the ax2 in ap mode, can it pass the traffic like an ethernet cable?

But ... AC2 ? That doesn't run wifiwave2.
You mean AX2 ?

No mind, the instructions are for the hAP lite which has less memory than my ac2.

Fri Dec 23, 2022 5:37 pm

Once you changed AP mode to station, connect your PC using ethernet to mAP Lite.
Scan the wireless SSIDs and connect to the one you want.

Ah wait ... mine is set with a DHCP server (road warrior device, sets up VPN as well to home).
station-bridge it is then.

Świętopełek · Fri Dec 23, 2022 6:02 pm

# dec/23/2022 16:58:23 by RouterOS 7.6
# software id = K6BA-06RU
#
# model = RBmAPL-2nD
# serial number = NNNNNNNNNNN
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface bridge
add admin-mac=NN:NN:NN:NN:NN:NN auto-mac=no name=bridge protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
    country=NNNNNNNNNNN disabled=no distance=indoors mode=station-bridge ssid=\
    NNNNNNNNNNN wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
/ip settings
set max-neighbor-entries=4096
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=4096
/ip cloud
set update-time=no
/ip dhcp-client
add interface=bridge
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Warsaw
/system identity
set name=NNNNNNNNNNN
/system ntp client
set enabled=yes
/system ntp client servers
add address=europe.pool.ntp.org

Main home router (HAP ax^2) is using AP mode:

main_router.png

When I unplugged the ethernet cable from mAP lite, mAP lite is not visible from Winbox anymore.

Fri Dec 23, 2022 6:16 pm

AX2 needs to be in AP mode (my AC3 running WW2 is also in AP)
mAP Lite needs to be in station-bridge mode. Then scan for network on wireless interface of mAP, select SSID of ax2 and connect.
Make sure your security settings are ok on map and specified for that wireless interface.

Świętopełek · Fri Dec 23, 2022 6:31 pm

It won't connect with station bridge setting:

happy.png

sad.png

mkx · Fri Dec 23, 2022 6:32 pm

How about station-pseudobridge mode?

Świętopełek · Fri Dec 23, 2022 6:35 pm

station pseudobridge -- it will connect.
But when I switch the Band from 2GHz-B/G/N to 2GHz-G/N then it stops working and it's not able to connect

Świętopełek · Fri Dec 23, 2022 6:41 pm

Maybe station bridge needs some special settings on both ends in order to work?

station-bridge.png

Fri Dec 23, 2022 6:42 pm

Strange why it doesn't want to use station bridge for you ??
Here is mine

2022-12-23_17-40-30.jpg

rextended · Fri Dec 23, 2022 6:53 pm

Again: wifiwave2 do NOT support any mode than "station", do not have 4MAC features.

Fri Dec 23, 2022 6:56 pm

My dear Italian cat ... have you seen my screenshot ?
That's a map lite using station bridge connected to a ww2 ac3.
I clarified that part.

Bridge on that device nicely got a DHCP lease corresponding to the VLAN settings of the SSID I connected it to.

Świętopełek · Fri Dec 23, 2022 7:06 pm

But ax^2 is a wifi6 device.
Documentation for WifiWave2 says the following:

Lost features
The following notable features of the bundled wireless package do not yet have equivalents in the wifiwave2 package

Station-bridging or other 4-address modes
Nstreme and Nv2 wireless protocols

https://help.mikrotik.com/docs/display/ ... stfeatures

rextended · Fri Dec 23, 2022 7:29 pm

That's a map lite using station bridge connected to a ww2 ac3.
I clarified that part.

Yes, ac3, not ax2... I understand, but I do not have any ax2 device (as already wroted) and I can read only the online help.
And the help and the mikrotik staff on other topics on this forum say that station-bridge is unsupported...

Different chip = different drivers...

Świętopełek · Fri Dec 23, 2022 7:43 pm

Most importantly, what should be the setup then?

rextended · Fri Dec 23, 2022 8:09 pm

Post #15

viewtopic.php?t=191915#p973859

ON AX
add IP address 100.64.1.1/30 to the bridge where are the wlans on ax2,
create one eoip-tunnel with MTU 1500, local address 100.64.1.1, remote address 100.64.1.2, tunnel id 1112 and deselect "clamp tcp mss"
add the eoip-tunnel as bridge port inside the bridge where are the wlans

ON lite
remove the wlan1 on the lite from the bridge
set the wlan1 as mode "station" only
add IP address 100.64.1.2/30 to wlan1 inside lite
create one eoip-tunnel with MTU 1500, local address 100.64.1.2, remote address 100.64.1.1, tunnel id 1112 and deselect "clamp tcp mss"
(the eoip have reversed IPs but same tunnel ID)
put the eoip-tunnel inside the bridge where is only the ether1

Cross finger (do not move dhcp client)...

anav · Fri Dec 23, 2022 9:10 pm

I hope op is configuring maplite from etherport until the wifi is sorted!!

Świętopełek · Sat Dec 24, 2022 12:34 am

I performed reset to default settings and configured like below. I think everything works now:

# dec/23/2022 23:24:00 by RouterOS 7.6
# software id = K6BA-06RU
#
# model = RBmAPL-2nD
# serial number = NNNNNNNNNNNNNNN
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface bridge
add admin-mac=NN:NN:NN:NN:NN:NN auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=NNNNNNNNNNNNNNN disabled=no distance=indoors frequency=auto installation=\
    indoor mode=station-pseudobridge ssid=NNNNNNNNNNNNNNN wireless-protocol=\
    nv2-nstreme-802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge filter
add action=drop chain=input dst-port=68 in-interface=!wlan1 ip-protocol=udp \
    mac-protocol=ip
/interface bridge port
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=wlan1 list=LAN
add interface=ether1 list=LAN
/ip dhcp-client
add interface=bridge
/ip dns
set allow-remote-requests=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=NNNNNNNNNNNNNNN
/system ntp client
set enabled=yes
/system ntp client servers
add address=europe.pool.ntp.org