Community discussions

MikroTik App
 
cat123
just joined
Topic Author
Posts: 2
Joined: Sat Jul 20, 2024 10:11 pm

AP configuration

Sat Jul 20, 2024 10:25 pm

Hello,

I’ ve bought a Mikrotik cAP ax and connected it via ethernet cable to hAP Lite RB941-2ND. I want to use it as an access point in order to extend WiFi in my house. It emits WiFi signal however connected devices show: no internet connection. How should I configure it to gain internet access?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1387
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: AP configuration

Sun Jul 21, 2024 6:36 am

Hello, can you export your configuration ? Does your devices get IP address via DHCP ?
 
cat123
just joined
Topic Author
Posts: 2
Joined: Sat Jul 20, 2024 10:11 pm

Re: AP configuration

Sun Jul 21, 2024 2:46 pm

Unfortunately I don't know how to answer your question, but here is my configuration:

/interface bridge
add admin-mac=[...] auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=[...]
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Poland .mode=ap .ssid=MikroTik-501812 disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Poland .mode=ap .ssid=MikroTik-501813 disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=[...]
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
jaclaz
Forum Guru
Forum Guru
Posts: 1432
Joined: Tue Oct 03, 2023 4:21 pm

Re: AP configuration

Sun Jul 21, 2024 3:05 pm

Right now you have a "LAN" side with ether2 and wifi1 and wifi2 in a bridge, and a "WAN" side configured as pppoe connection on ether1.

What is the configuration of the hAP Lite RB941-2ND?

Which ports are you using to connect the two devices (like ether1 on the Cap Ax and ether 3 on the hAP lite)?

What is your ISP connection? (I presume a xDSL or similar trough a ISP modem/router connected to the hap Lite, but it is not clear form the information you provided)

Please when posting a configuration, enclose it in the "code" tags, see here:
viewtopic.php?t=203686#p1051720
as it will be much more readable.
 
infabo
Forum Guru
Forum Guru
Posts: 1177
Joined: Thu Nov 12, 2020 12:07 pm

Re: AP configuration

Sun Jul 21, 2024 4:15 pm

Well, it is a shame that Mikrotik does not have a quickset profile for this very common scenario: dumb AP. It is the most common - especially for a CAP ax.
I would reset configuration again and tick the "no default configuration" checkbox. After first boot up this device can be configured manually by using Winbox. Just needs to configure wifi1/wifi2, add a bridge, add all ports to it. connect lan cable on eth1 to your HAP and enable dhcp client on eth1 and you are done.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20818
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: AP configuration

Sun Jul 21, 2024 6:37 pm

easy peasy......
For a one flat subnet 192.168.1.0/24 and 192.168.1.10 assigned to capax, looks like.
....................................................
/interface bridge
add name=bridge vlan-filtering=no

/interface ethernet
set [ find default-name=ether1 ] name=eth1-router   comment="connection to main router"
set [ find default-name=ether2 ]  name=emergaccess comment="local access off bridge"

/interface wifi
settings as required

/interface list
add name=MANAGE

/interface bridge port
add bridge=bridge interface=eth1-router
add bridge=bridge interface=wifi1-2Ghz-name
add bridge=bridge interface=wifi2-5GHz-name
add wlans as required....

/ip neighbor discovery-settings
set discover-interface-list=MANAGE

/interface list member
add interface=bridge list=MANAGE
add interface=emergaccess list=MANAGE

/ip address
add address=192.168.1.10/24 interface=bridge network=192.168.1.0
add address=192.168.55.1/30 interface=emergaccess network=192.168.55.0

/ip dns
set servers=192.168.1.1

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
If your talking with vlans, and no capsman (with capsman no clue)
Trusted vlan, where capax gets its IP address from is 192.168.10.0/24
Only trusted vlan is identified and needs bridge tagged.
.............................
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes

/interface ethernet
set [ find default-name=ether2 ] name=emergaccess

/interface vlan
add interface=bridgegym name=homeVlan vlan-id=12  { mandatory, management vlan must be identified in /interface vlan - do not put any other vlans here!! }

/interface list
add name=management

/interface wireless     { as required }

/interface bridge port
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-vlan-tagged  interface=ether1 comment="from router"
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=12
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40

/ip neighbor discovery-settings
set discover-interface-list=management

/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym  untagged=homeWLan vlan-ids=12
add bridge=bridgegym tagged=ether1  untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1  untagged=HVAC_WLAN vlan-ids=49

/interface list member
add interface=homeVlan list=management
add interface=emergaccess list=management

/ip address
add address=192.168.10.84/24 interface=homeVlan network=192.168.10.0  comment="IP of capax on trusted subnet"
add address=192.168.36.1/30 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"

/ip dns
set allow-remote-requests=yes servers=192.168.10.1  { Note: Done so all dns requests use trusted subnet } 

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"

/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1387
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: AP configuration

Mon Jul 22, 2024 6:13 am

That should be default configuration on AP... Then it would be pretty much plug and play...

Who is online

Users browsing this forum: Amazon [Bot], LoPollo and 26 guests