milegrin
just joined
Topic Author
Posts: 9
Joined: Wed Dec 06, 2023 11:09 pm
Location: South Africa

CAP AC: Stripping MAC Addresses impacting DHCP

Fri Dec 29, 2023 9:53 pm

Greetings

First off, I am not a RouterOS guru. I can do the basics & help myself for the most part but am no guru on RouterOS.

The CAP AC WiFi AP I recently installed is ignoring the DNS settings assigned by my network DHCP server configuration. Tried turning off "allow-remote-requests", adding a DHCP-Relay entry and a few other things but cannot get the CAP to allow the clients to get their DNS config from DHCP.

I am not sure if it is the CAP AC forcing the use of the DNS IP's that are configured on it (/ip dns print -> servers) or if it is stripping the MAC Addresses from the DHCP request. Running tcpdump on my DHCP server, I do not see any of the DHCP requests that come via the CAP AC using the expected MAC address so I suspect that the CAP AC is in fact stripping the MAC Addresses so the DHCP server is assigning the "default" config. I have no idea how to fix this and have not been able to find a solution.

Any assistance getting the CAP AC to honour the network DHCP server config will be greatly appreciated
[admin@ap1.home] > /ip dns print 
                      servers: 10.1.1.1,208.67.222.123,208.67.220.123
              dynamic-servers: 
               use-doh-server: 
              verify-doh-cert: no
        allow-remote-requests: no
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1d
                   cache-used: 27KiB
[admin@ap1.home] > /ip dhcp-relay print
Flags: X - disabled, I - invalid 
 #   NAME                                 INTERFACE                                DHCP-SERVER     LOCAL-ADDRESS  
 0   dhcp-relay                           bridge                                   10.1.1.250      0.0.0.0        
[admin@ap1.home] >
My local network setup is pretty simple:
  • Single network IP range managed by a RaspberryPi (DHCP, DNS, etc)
  • Old PC as a file server & router backups etc
  • HAP AC2 (RBD52G-5HacD2HnD) running RouterOS v6.48.6 (long-term) as my boundary router & firewall to the Fibre internet. Does the Internet NAT & port forwarding.
  • CAP AC (RBcAPGi-5acD2nD) running RouterOS v6.49.10 (long-term) acting as an AP to extend the WiFi coverage (currently standalone as this is the only way I could get it working and I still need to figure out CAPSMAN).
  • RB433 running RouterOS v6.49.10 (long-term) that I use to learn and test stuff before I break primary devices. I know it is old, it is left over from a defunct community WiFi MAN killed now that we have Fibre readily available.
My DHCP assigns 3 different sets of DNS & predefined client IP's based on MAC Addresses:
  • for the family, I use the OpenDNS Family Shield DNS IP's & local DNS server for LAN devices (EG Printer & file server etc)
  • for the normal DHCP clients, I use the default of OpenDNS Family Shield DNS IP's
  • for work, I use OpenDNS Family Shield DNS IP's, local DNS & company DNS IP's (VPN issue fix ... crude I know but it works)
  • Laptops & phones have hardcoded IP's via DHCP which I use for QOS rules on the HAP AC2
Regards
Michael
Last edited by milegrin on Tue Jan 02, 2024 4:38 pm, edited 1 time in total.
 
erlinden
Forum Guru
Posts: 2782
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAP AC: DHCP assigned DNS

Fri Dec 29, 2023 10:16 pm

Could it be that the cAP ac is configured as a router and not as an access point?
An export of it would be very helpful:
/export file=anynameyoulike
Remove serial and any other private info, and place the information between code tags by use of the </>-button
 
milegrin
just joined
Topic Author
Posts: 9
Joined: Wed Dec 06, 2023 11:09 pm
Location: South Africa

Re: CAP AC: DHCP assigned DNS

Sat Dec 30, 2023 11:48 am

Greetings

Thank you. Config export as requested
# dec/30/2023 00:10:02 by RouterOS 6.49.10
# software id = MDEQ-9G98
#
# model = RBcAPGi-5acD2nD
# serial number = xxxxxxxxxxxxxx
/interface bridge
add admin-mac=18:FD:74:19:A7:XX auto-mac=no name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="south africa" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=PhoenixWiFiSSID2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="south africa" disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=PhoenixWiFiSSID5 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    "Pr35h4rEdKey" wpa2-pre-shared-key="Pr35h4rEdKey"
/ip pool
add name=dhcp_pool10.1.1 ranges=10.1.1.200-10.1.1.230
/ip dhcp-server
add address-pool=dhcp_pool10.1.1 interface=bridge lease-time=4h name=\
    dhcp-10.1.1 relay=10.1.1.250
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.1.1.252/24 interface=ether1 network=10.1.1.0
/ip dhcp-relay
add add-relay-info=yes dhcp-server=10.1.1.250 disabled=no interface=bridge \
    name=dhcp-relay relay-info-remote-id=""
/ip dhcp-server network
add address=10.1.1.0/24 gateway=10.1.1.254
/ip dns
set cache-max-ttl=1d servers=10.1.1.250,208.67.222.123,208.67.220.123
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping distance=1 gateway=10.1.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
/ip ssh
set always-allow-password-login=yes forwarding-enabled=remote
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system clock manual
set time-zone=+02:00
/system identity
set name=ap1.home
/system note
set note="!! Griffin Family  -  Authorised Access Only !!\
    \n!! Contact : Michael <michael@home.za> !!\
    \n!!           +27 83 123 4567                 !!"
/system ntp client
set enabled=yes primary-ntp=159.138.166.199 secondary-ntp=102.64.113.152 \
    server-dns-names=0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org
/system package update
set channel=long-term
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool graphing interface
add interface=bridge
add interface=ether1
add interface=ether2
add interface=wlan1
add interface=wlan2
add allow-address=10.1.1.0/24
/tool graphing queue
add allow-address=10.1.1.0/24
/tool graphing resource
add allow-address=10.1.1.0/24
I have a verbose export as well if you would prefer.

This standalone WiFi AP is the only config I could get working. I am busy reading the CAPsMan docs & desperately wish there was an Idiots Guide to CAPsMan for a simple SME / Home / Home Office setup, so would relish any recommendations, especially integration into the existing WiFi Network.

Regards
Michael
 
erlinden
Forum Guru
Posts: 2782
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAP AC: DHCP assigned DNS

Sat Dec 30, 2023 12:30 pm

Your cAP ac is indeed configured as a router (instead of a home ap).
I think the easiest way to get you to the preferred solution is to:
  1. Reset to defaults
  2. From Quickset select homeap dual
  3. Select WPA2 and preferred pre shared key
For reference:
https://wiki.mikrotik.com/wiki/Manual:Reset
https://wiki.mikrotik.com/wiki/Manual:Quickset
 
anav
Forum Guru
Posts: 22436
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CAP AC: DHCP assigned DNS

Sat Dec 30, 2023 3:30 pm

This is how I set up my capac (as an AP/switch) (sorry, no capsman).
viewtopic.php?t=182276
 
milegrin
just joined
Topic Author
Posts: 9
Joined: Wed Dec 06, 2023 11:09 pm
Location: South Africa

Re: CAP AC: DHCP assigned DNS

Sat Dec 30, 2023 10:35 pm

Greetings

Thank you. The CAPAC is actively being used so I am testing on my RB433.

I reset the RB433 and selected "Home AP" as "Home AP Dual" is not available. Again tried a number of options but no luck. The device is working and I can connect to it and it sees the network but I am unable to connect the WiFi at all. WiFi authentication appears to succeed but it is not able to obtain an IP and traceroute on the DHCP server shows no connection attempts.
# dec/30/2023 22:18:38 by RouterOS 6.49.10
# software id = IMML-TGJ1
#
# model = 433
# serial number = 213B01AAXXXX
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=10 country="south africa" \
    disabled=no frequency-mode=manual-txpower mode=ap-bridge ssid=\
    WiFiRB433 wireless-protocol=802.11 wps-mode=disabled
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=zaQ12Wsx \
    wpa2-pre-shared-key=zaQ12Wsx
/interface list member
add interface=ether1 list=WAN
add interface=ether1 list=LAN
/ip address
add address=10.1.1.249/24 interface=ether1 network=10.1.1.0
/ip dhcp-relay
add dhcp-server=10.1.1.250 disabled=no interface=ether1 name=dhcp_relay1
/ip dns
set servers=10.1.1.250,208.67.222.123,208.67.220.123
/ip route
add distance=1 gateway=10.1.1.254
/system clock
set time-zone-name=Africa/Johannesburg
/system gps
set set-system-time=yes
/system identity
set name=rb433b
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge1 disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
/system routerboard settings
set auto-upgrade=yes
/tool user-manager database
set db-path=user-manager
Any advice would be appreciated

Michael
 
anav
Forum Guru
Posts: 22436
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CAP AC: DHCP assigned DNS

Sat Dec 30, 2023 11:45 pm

Ahh okay, so you're not using VLANs........... and only want to send one flat subnet to the CAPAC ??

/interface bridge
add ingress-filtering=no name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface list
add name=management
/interface wireless
# AS REQUIRED, assuming names wifi1 and wifi2 (2.4 and 5 GHz)
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=management
/interface list member
add interface=bridge list=management
add interface=emergaccess list=management
/ip address
add address=10.1.1.249/24 interface=bridge comment="IP address of capac on subnet"
add address=192.168.55.1/24 interface=emergaccess network=192.168.55.0 comment="ether2 access off bridge"
/ip dns
# Note: Done so all dns requests use subnet
set allow-remote-requests=yes servers=10.1.1.254
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.1.1.254 comment="ensures route avail through subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.1.1.254

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
 
milegrin
just joined
Topic Author
Posts: 9
Joined: Wed Dec 06, 2023 11:09 pm
Location: South Africa

Re: CAP AC: DHCP assigned DNS

Mon Jan 01, 2024 11:03 pm

Greetings

I sourced a refurbished cAP ac and spent the last day resetting & reconfiguring it; major mission!

I have configured the router as you suggested and while it works, the outcome is the same in that it is stripping MAC Addresses from the DHCP requests resulting in the incorrect DHCP configuration being applied.
# jan/01/2024 22:08:53 by RouterOS 6.49.10
# software id = VIZX-79YQ
#
# model = RBcAPGi-5acD2nD
# serial number = 
/interface ethernet
set [ find default-name=ether2 ] name=eth2emergaccess
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] country="south africa" disabled=no mode=\
    ap-bridge ssid=Phoenix241 wireless-protocol=802.11
set [ find default-name=wlan2 ] country="south africa" disabled=no mode=\
    ap-bridge ssid=Phoenix241 wireless-protocol=802.11
/interface list
add name=management1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=zaQ!@Wsx \
    wpa2-pre-shared-key=zaQ!@Wsx
/snmp community
set [ find default=yes ] addresses=10.1.1.0/24 disabled=yes
add addresses=10.1.1.0/24 name=grafted security=private
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=management1
/interface list member
add interface=bridge1 list=management1
add interface=eth2emergaccess list=management1
/ip address
add address=192.168.88.1/24 interface=eth2emergaccess network=192.168.88.0 \
    comment="ether2 emergency access off bridge"
add address=10.1.1.240/24 interface=bridge1 network=10.1.1.0 \
    comment="IP address of cAPac on subnet"
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d \
    servers=10.1.1.250,208.67.222.123,208.67.220.123
/ip route
add comment="ensures route avail through subnet gateway" distance=1 gateway=\
    10.1.1.254
/ip service
set ftp disabled=yes
/ip smb
set comment=ap5 domain=HOME
/ip smb users
add name=grafted password=zaQ!@Wsx read-only=no
/snmp
set contact="M G" enabled=yes location=Home trap-community=grafted \
    trap-generators=interfaces,temp-exception trap-version=3
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=ap5240
/system ntp client
set enabled=yes
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management1
My network is simple, a single IP C-Class with no vlan tagging. The network DNS, NameD & DHCP services are provided by a Raspberry Pi. I would love to use the RouterOS for NameD & DHCP but it does not allow the level of customisation I need. The internet gateway is a hAP ac2 and the WiFi access was upgraded from TP Link & Netgear AP's to use cAP ac's (ultimate goal is to get cAPsMan working but baby steps). The DHCP worked 100% with the generic AP's.

I appreciate any assistance you can provide.

Regards
Michael
 
anav
Forum Guru
Posts: 22436
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CAP AC: DHCP assigned DNS

Tue Jan 02, 2024 12:47 am

Do not understand about DHCP requests...........
The Cap is not acting as a router solely as an AP switch and has no Firewall rules, no DHCP functionality...... or anything......

Since you use pi for DNS, assuming that you direct your users to PI already so why did you deviate on the setup provided?
Assuming pi server is .250??
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d \
servers=10.1.1.250,208.67.222.123,208.67.220.123


it should be as presumably you direct all 10.1.1.0/24 subnet ( all users to PI somewhere else......... ) on the MAIN router and devices etc. and therein lies the problem.
The capac is sending everything over the subnet gateway. How are you directing all subnet users to your PI on the MAIN router, whatever you are doing there should work for all CAPAC attached wifi devices.......

Ensure you do this and see the results.
/ip dns
set allow-remote-requests=yes servers=10.1.1.254
 
milegrin
just joined
Topic Author
Posts: 9
Joined: Wed Dec 06, 2023 11:09 pm
Location: South Africa

Re: CAP AC: Stripping MAC Addresses impacting DHCP

Thu Jan 04, 2024 10:22 am

Greetings

Thank you for all your assistance. I am not sure why I needed to point the DNS to the gateway (hAP ac2) which other than being the gateway to the internet, does not provide services to the local network. I tried reading up on the RouterOS DNS options and still not sure (hence the delayed response - I wanted to understand not just blindly do)

Changing the cAPac "/ip dns" to a single IP pointing to the gateway did not resolve the issue unfortunately.

When connecting via the cAPac, it obfuscates/changes the MAC address provided in the DHCP request resulting in the incorrect DHCP options being provided.

Connecting via the cAP ac, the Raspberry Pi (DHCP Server) arp table shows the following, which is not the actual laptop MAC address nor any MAC I can find on the cAPac:
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.1.148               ether   1e:3e:f8:32:12:5e   C                     eth0

Connecting via the Netgear AP, arp table shows the following which is the actual laptop WiFi MAC Address and therefore the correct DHCP options are obtained:
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.1.13                ether   0c:02:bd:9e:d9:be   C                     eth0

This is the export from the cAPac
# jan/04/2024 09:22:08 by RouterOS 6.49.10
# software id = VIZX-79YQ
#
# model = RBcAPGi-5acD2nD
/interface ethernet
set [ find default-name=ether2 ] name=eth2emergaccess
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] country="south africa" disabled=no mode=\
    ap-bridge ssid=Phoenix5 wireless-protocol=802.11
set [ find default-name=wlan2 ] country="south africa" disabled=no mode=\
    ap-bridge ssid=Phoenix5 wireless-protocol=802.11
/interface list
add name=management1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa2-pre-shared-key="zse4%THN"
/snmp community
set [ find default=yes ] addresses=10.1.1.0/24 disabled=yes
add addresses=10.1.1.0/24 name=grafted security=private
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=management1
/interface list member
add interface=bridge1 list=management1
add interface=eth2emergaccess list=management1
/ip address
add address=192.168.88.1/24 comment="ether2 emergency access off bridge" \
    interface=eth2emergaccess network=192.168.88.0
add address=10.1.1.240/24 comment="IP address of cAPac on subnet" \
    interface=bridge1 network=10.1.1.0
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=10.1.1.254
/ip route
add comment="ensures route avail through subnet gateway" distance=1 gateway=10.1.1.254
/ip service
set ftp disabled=yes
/ip smb
set comment=ap240 domain=HOME
/ip smb users
add name=grafted password=zse4%THN read-only=no
/snmp
set contact="Michael" enabled=yes location=Home trap-community=grafted \
    trap-generators=interfaces,temp-exception trap-version=3
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=ap5240
/system ntp client
set enabled=yes primary-ntp=10.1.1.254 secondary-ntp=159.138.166.199 \
    server-dns-names=0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management1

To be honest, I am unable to find any solution nor understand why RouterOS is changing the MAC Addresses. Right now, this is a bit of a deal breaker.

I truly appreciate any advice & insight you can provide.
Last edited by milegrin on Fri Jan 05, 2024 9:23 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 13304
Joined: Thu Mar 03, 2016 10:23 pm

Re: CAP AC: Stripping MAC Addresses impacting DHCP

Thu Jan 04, 2024 11:40 am

Connecting via the cAP ac, arp table shows the following which is not actual laptop MAC address nor any MAC I can find on the cAPac:
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.1.148               ether   1e:3e:f8:32:12:5e   C                     eth0

The MAC address shown is a "locally administered MAC address".

But a question: are you sure it's not your wireless device doing it? All recent iOS and Android devices (including Samsung) by default use "anonymized" MAC addresses when connecting to yet-unknown wireless networks and one has to toggle to use device MAC address (that setting is per SSID).
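
The locally administered bit mentioned above can be checked directly against the `arp` output shown in this thread. The following is an added example, not part of any post: it parses Linux `arp -n` style output and flags entries whose MAC is locally administered and has no DHCP reservation. The reservation table and the name `laptop` are assumptions for illustration.

```python
import re

# Colon-separated 48-bit MAC, as printed by Linux `arp -n`.
MAC_RE = re.compile(r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}")

# The two ARP entries quoted in the thread, with the header line.
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.1.148               ether   1e:3e:f8:32:12:5e   C                     eth0
10.1.1.13                ether   0c:02:bd:9e:d9:be   C                     eth0
"""

# Constructed reservation table (MAC -> host name); "laptop" is a
# hypothetical name for the device whose burned-in MAC the thread shows.
RESERVATIONS = {"0c:02:bd:9e:d9:be": "laptop"}


def mac_flags(mac):
    """Decode the two flag bits carried in the first octet of a MAC."""
    first_octet = int(mac.split(":")[0], 16)
    return {
        # U/L bit (0x02): set means the address was assigned locally
        # (by software), not taken from a vendor's OUI block.
        "locally_administered": bool(first_octet & 0x02),
        # I/G bit (0x01): set means group (multicast) address.
        "multicast": bool(first_octet & 0x01),
    }


def parse_arp_table(text):
    """Return [(ip, mac)] from `arp -n` output, skipping the header
    and entries without a resolved MAC (e.g. "(incomplete)")."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Address":
            continue
        if MAC_RE.fullmatch(fields[2]):
            entries.append((fields[0], fields[2].lower()))
    return entries


def audit(arp_text, reservations):
    """Classify each ARP entry against MAC-keyed DHCP reservations.

    reserved   - MAC matches a reservation, host gets its own options
    randomized - locally administered unicast MAC with no reservation;
                 typically a client using a private/random Wi-Fi MAC,
                 so it falls through to the default DHCP options
    unknown    - vendor-assigned MAC that simply has no reservation
    """
    known = {m.lower() for m in reservations}
    result = []
    for ip, mac in parse_arp_table(arp_text):
        flags = mac_flags(mac)
        if mac in known:
            verdict = "reserved"
        elif flags["locally_administered"] and not flags["multicast"]:
            verdict = "randomized"
        else:
            verdict = "unknown"
        result.append((ip, mac, verdict))
    return result


if __name__ == "__main__":
    for ip, mac, verdict in audit(SAMPLE_ARP, RESERVATIONS):
        print(f"{ip:<12} {mac}  {verdict}")
```
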
 
un9edsda
Frequent Visitor
Posts: 83
Joined: Sun Mar 15, 2020 11:11 pm

Re: CAP AC: Stripping MAC Addresses impacting DHCP

Thu Jan 04, 2024 10:21 pm

This is the export from the cAPac
# jan/04/2024 09:22:08 by RouterOS 6.49.10
# software id = VIZX-79YQ
#
# model = RBcAPGi-5acD2nD
/interface ethernet
set [ find default-name=ether2 ] name=eth2emergaccess
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] country="south africa" disabled=no mode=\
    ap-bridge ssid=Phoenix5 wireless-protocol=802.11
set [ find default-name=wlan2 ] country="south africa" disabled=no mode=\
    ap-bridge ssid=Phoenix5 wireless-protocol=802.11
# ...
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
# ...
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=ap5240
# ...

To be honest, I am unable to find any solution nor understand why RouterOS is changing the MAC Addresses. Right now, this is a bit of a deal breaker.

From your configuration export it looks like your cAP ac (wave2 device) is still on the v6 line of RouterOS. With v7.13 it got a nice software refresh. Therefore the first thing to do is to Netinstall (there is a MikroTik YouTube video about it) the current stable RouterOS v7 version on your device. It is ARM-based equipment, therefore you'll need the routeros-7.13-arm.npk and the wifi-qcom-ac-7.13-arm.npk packages from the extra packages (this one is to be uploaded via WinBox after the Netinstall). There are some hoops to jump through, though, during the process:
  1. After downloading the required files (routeros-7.13-arm.npk ; all_packages-arm-7.13.zip ; netinstall64-7.13.zip or netinstall-7.13.tar.gz) connect your computer to a simple (not smart/managed aka dumb) switch, and the Eth1 port of the cAP ac to the same switch.
  2. Make a photo of the label (containing its MAC address among other things) on the cAP ac as it may come in handy down the road.
  3. After the successful Netinstall, if the cAP ac is powered with PoE then connect a second patch cable to its Eth2 port, otherwise remove the patch cable from Eth1 port of the cAP ac and connect it to its Eth2 port.
  4. Log in to the cAP ac with WinBox. After that in the right side panel select System / RouterBOARD and click on the Upgrade button, then on the OK one.
  5. In the right side panel select System / Reboot and click on the Yes button, then wait for the reboot of the cAP ac.
  6. Log in to the cAP ac with WinBox. After that in the right side panel select Files, then click on the Upload button and find the wifi-qcom-ac-7.13-arm.npk file which you have extracted from the all_packages-arm-7.13.zip file and upload it.
  7. In the right side panel select System / Reboot and click on the Yes button, then wait for the reboot of the cAP ac.
  8. Log in to the cAP ac with WinBox. After that in the right side panel select System / Packages and make sure that you have two packages in the Package List namely: routeros and wifi-qcom-ac.
  9. In the right side panel select System / Reset Configuration and tick the CAPS Mode and Do Not Backup checkboxes and make sure that the other two are not checked. Then click on the Reset Configuration button.
  10. After the cAP ac has restarted, log in to the cAP ac with WinBox. Click OK to apply the default configuration and change the admin user's password.
  11. You may log out from the cAP ac, then disconnect it and also your computer from the simple switch. Connect your computer to the switch port it was connected to previously and connect the Eth1 port of the cAP ac to the switch/router port where you intend to use it in the long run.
  12. Check in your DHCP server what address it has assigned to the cAP ac.
  13. Read through the new WiFi part of the documentation to have an overview of the basics of the configuration options.
  14. You may apply the below quick fix configuration before dwelling deeper (like upgrading both the HAP AC2 and RB433 with the above described method of Netinstall to v7.13 in order to make central management of WiFi and roaming possible with the new CAPsMAN which can be found under the WiFi in the right side panel and /interface/wifi in the terminal).

The quick fix (temporary) configuration:
/interface wifi channel
add band=5ghz-a comment="EU/EEA ETSI RLAN 1 sub-band 1 - max. EIRP: 23 dBm (20\
    0 mW) - channel width 20 MHz - 802.11a - channel #36" disabled=no \
    frequency=5180 name=wifi-channel-eu-5g-a-020-036 width=20mhz
add band=5ghz-a comment="EU/EEA ETSI RLAN 1 sub-band 1 - max. EIRP: 23 dBm (20\
    0 mW) - channel width 20 MHz - 802.11a - channel #40" disabled=no \
    frequency=5200 name=wifi-channel-eu-5g-a-020-040 width=20mhz
add band=5ghz-a comment="EU/EEA ETSI RLAN 1 sub-band 1 - max. EIRP: 23 dBm (20\
    0 mW) - channel width 20 MHz - 802.11a - channel #44" disabled=no \
    frequency=5220 name=wifi-channel-eu-5g-a-020-044 width=20mhz
add band=5ghz-a comment="EU/EEA ETSI RLAN 1 sub-band 1 - max. EIRP: 23 dBm (20\
    0 mW) - channel width 20 MHz - 802.11a - channel #48" disabled=no \
    frequency=5240 name=wifi-channel-eu-5g-a-020-048 width=20mhz
add band=2ghz-g comment="EU/EEA ETSI 2.4 GHz DSSS - max. EIRP: 20 dBm (100 mW)\
    \_- channel width 20 MHz - 802.11g - channel #1" disabled=no frequency=\
    2412 name=wifi-channel-eu-2.4g-g-20-01 width=20mhz
add band=2ghz-g comment="EU/EEA ETSI 2.4 GHz DSSS - max. EIRP: 20 dBm (100 mW)\
    \_- channel width 20 MHz - 802.11g - channel #7" disabled=no frequency=\
    2442 name=wifi-channel-eu-2.4g-g-20-07 width=20mhz
add band=2ghz-g comment="EU/EEA ETSI 2.4 GHz DSSS - max. EIRP: 20 dBm (100 mW)\
    \_- channel width 20 MHz - 802.11g - channel #13" disabled=no frequency=\
    2472 name=wifi-channel-eu-2.4g-g-20-13 width=20mhz
add band=2ghz-n comment="EU/EEA ETSI 2.4 GHz DSSS - max. EIRP: 20 dBm (100 mW)\
    \_- channel width 20 MHz - 802.11n - channel #1" disabled=no frequency=\
    2412 name=wifi-channel-eu-2.4g-n-20-01 width=20mhz
add band=2ghz-n comment="EU/EEA ETSI 2.4 GHz DSSS - max. EIRP: 20 dBm (100 mW)\
    \_- channel width 20 MHz - 802.11n - channel #7" disabled=no frequency=\
    2442 name=wifi-channel-eu-2.4g-n-20-07 width=20mhz
add band=2ghz-n comment="EU/EEA ETSI 2.4 GHz DSSS - max. EIRP: 20 dBm (100 mW)\
    \_- channel width 20 MHz - 802.11n - channel #13" disabled=no frequency=\
    2472 name=wifi-channel-eu-2.4g-n-20-13 width=20mhz
add band=5ghz-n comment="EU/EEA ETSI RLAN 1 sub-band 1 - max. EIRP: 23 dBm (20\
    0 mW) - channel width 40 MHz - 802.11n - channel #38" disabled=no \
    frequency=5180 name=wifi-channel-eu-5g-n-040-038 width=20/40mhz
add band=5ghz-n comment="EU/EEA ETSI RLAN 1 sub-band 1 - max. EIRP: 23 dBm (20\
    0 mW) - channel width 40 MHz - 802.11n - channel #46" disabled=no \
    frequency=5220 name=wifi-channel-eu-5g-n-040-046 width=20/40mhz
add band=5ghz-n comment="EU/EEA ETSI RLAN 1 sub-band 2 - max. EIRP: 23 dBm (20\
    0 mW) - channel width 40 MHz - 802.11n - channel #54" disabled=no \
    frequency=5260 name=wifi-channel-eu-5g-n-040-054 skip-dfs-channels=\
    disabled width=20/40mhz
add band=5ghz-n comment="EU/EEA ETSI RLAN 1 sub-band 2 - max. EIRP: 23 dBm (20\
    0 mW) - channel width 40 MHz - 802.11n - channel #62" disabled=no \
    frequency=5300 name=wifi-channel-eu-5g-n-040-062 skip-dfs-channels=\
    disabled width=20/40mhz
add band=5ghz-n comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW)\
    \_- channel width 40 MHz - 802.11n - channel #102" disabled=no frequency=\
    5500 name=wifi-channel-eu-5g-n-040-102 skip-dfs-channels=disabled width=\
    20/40mhz
add band=5ghz-n comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW)\
    \_- channel width 40 MHz - 802.11n - channel #110" disabled=no frequency=\
    5540 name=wifi-channel-eu-5g-n-040-110 skip-dfs-channels=disabled width=\
    20/40mhz
add band=5ghz-n comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW)\
    \_- channel width 40 MHz - 802.11n - channel #118" disabled=no frequency=\
    5580 name=wifi-channel-eu-5g-n-040-118 skip-dfs-channels=disabled width=\
    20/40mhz
add band=5ghz-n comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW)\
    \_- channel width 40 MHz - 802.11n - channel #126" disabled=no frequency=\
    5620 name=wifi-channel-eu-5g-n-040-126 skip-dfs-channels=disabled width=\
    20/40mhz
add band=5ghz-n comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW)\
    \_- channel width 40 MHz - 802.11n - channel #134" disabled=no frequency=\
    5660 name=wifi-channel-eu-5g-n-040-134 skip-dfs-channels=disabled width=\
    20/40mhz
add band=5ghz-n comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW)\
    \_- channel width 40 MHz - 802.11n - channel #144" disabled=no frequency=\
    5700 name=wifi-channel-eu-5g-n-040-142 skip-dfs-channels=disabled width=\
    20/40mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 1 sub-band 1 - max. EIRP: 23 dBm (2\
    00 mW) - channel width 40 MHz - 802.11ac - channel #38" disabled=no \
    frequency=5180 name=wifi-channel-eu-5g-ac-040-038 width=20/40mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 1 sub-band 1 - max. EIRP: 23 dBm (2\
    00 mW) - channel width 40 MHz - 802.11ac - channel #46" disabled=no \
    frequency=5220 name=wifi-channel-eu-5g-ac-040-046 width=20/40mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 1 sub-band 2 - max. EIRP: 23 dBm (2\
    00 mW) - channel width 40 MHz - 802.11ac - channel #54" disabled=no \
    frequency=5260 name=wifi-channel-eu-5g-ac-040-054 skip-dfs-channels=\
    disabled width=20/40mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 1 sub-band 2 - max. EIRP: 23 dBm (2\
    00 mW) - channel width 40 MHz - 802.11ac - channel #62" disabled=no \
    frequency=5300 name=wifi-channel-eu-5g-ac-040-062 skip-dfs-channels=\
    disabled width=20/40mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW\
    ) - channel width 40 MHz - 802.11ac - channel #102" disabled=no \
    frequency=5500 name=wifi-channel-eu-5g-ac-040-102 skip-dfs-channels=\
    disabled width=20/40mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW\
    ) - channel width 40 MHz - 802.11ac - channel #110" disabled=no \
    frequency=5540 name=wifi-channel-eu-5g-ac-040-110 skip-dfs-channels=\
    disabled width=20/40mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW\
    ) - channel width 40 MHz - 802.11ac - channel #118" disabled=no \
    frequency=5580 name=wifi-channel-eu-5g-ac-040-118 skip-dfs-channels=\
    disabled width=20/40mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW\
    ) - channel width 40 MHz - 802.11ac - channel #126" disabled=no \
    frequency=5620 name=wifi-channel-eu-5g-ac-040-126 skip-dfs-channels=\
    disabled width=20/40mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW\
    ) - channel width 40 MHz - 802.11ac - channel #134" disabled=no \
    frequency=5660 name=wifi-channel-eu-5g-ac-040-134 skip-dfs-channels=\
    disabled width=20/40mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW\
    ) - channel width 40 MHz - 802.11ac - channel #144" disabled=no \
    frequency=5700 name=wifi-channel-eu-5g-ac-040-142 skip-dfs-channels=\
    disabled width=20/40mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 1 sub-band 1 - max. EIRP: 23 dBm (2\
    00 mW) - channel width 80 MHz - 802.11ac - channel #42" disabled=no \
    frequency=5180 name=wifi-channel-eu-5g-ac-080-042 width=20/40/80mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 1 sub-band 2 - max. EIRP: 23 dBm (2\
    00 mW) - channel width 80 MHz - 802.11ac - channel #58" disabled=no \
    frequency=5260 name=wifi-channel-eu-5g-ac-080-058 skip-dfs-channels=\
    disabled width=20/40/80mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW\
    ) - channel width 80 MHz - 802.11ac - channel #106" disabled=no \
    frequency=5500 name=wifi-channel-eu-5g-ac-080-106 skip-dfs-channels=\
    disabled width=20/40/80mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW\
    ) - channel width 80 MHz - 802.11ac - channel #122" disabled=no \
    frequency=5580 name=wifi-channel-eu-5g-ac-080-122 skip-dfs-channels=\
    disabled width=20/40/80mhz
add band=5ghz-ac comment="EU/EEA ETSI RLAN 2 band - max. EIRP: 30 dBm (1000 mW\
    ) - channel width 80 MHz - 802.11ac - channel #138" disabled=no \
    frequency=5660 name=wifi-channel-eu-5g-ac-080-138 skip-dfs-channels=\
    disabled width=20/40/80mhz
/interface wifi datapath
add bridge=bridge bridge-cost=50000 comment=\
    defconf disabled=no name=capdp
/interface wifi security
add authentication-types=wpa2-psk,wpa-psk comment="WPA2-PSK\
    secret keys, Management Frame protection allowed" \
    disable-pmkid=no disabled=no ft=no management-protection=allowed name=\
    wifi-security-PhoenixWiFi-wpa2-psk-mpa passphrase=Pr35h4rEdKey \
    sae-anti-clogging-threshold=5 sae-max-failure-rate=40 sae-pwe=both wps=\
    disable
add authentication-types=wpa2-psk,wpa-psk comment="WPA2-PSK\
    secret keys, Management Frame protection disabled" \
    disable-pmkid=no disabled=no ft=no management-protection=disabled name=\
    wifi-security-PhoenixWiFi-wpa2-psk-mpd passphrase=Pr35h4rEdKey \
    sae-anti-clogging-threshold=5 sae-max-failure-rate=40 sae-pwe=both wps=\
    disable
/interface wifi configuration
add chains=0,1 comment="PhoenixWiFi 2.4 GHz" country=\
    "South Africa" disabled=no dtim-period=3 hide-ssid=no manager=capsman-or-local \
    mode=ap multicast-enhance=disabled name=\
    wifi-configuration-PhoenixWiFi-2.4g qos-classifier=\
    priority security=wifi-security-PhoenixWiFi-wpa2-psk-mpa ssid=\
    PhoenixWiFi tx-chains=0,1 tx-power=20
add chains=0,1 comment="PhoenixWiFi 5 GHz" country=\
    "South Africa" disabled=no dtim-period=3 hide-ssid=no manager=capsman-or-local \
    mode=ap multicast-enhance=disabled name=\
    wifi-configuration-PhoenixWiFi-5.0g qos-classifier=\
    priority security=wifi-security-PhoenixWiFi-wpa2-psk-mpa ssid=\
    PhoenixWiFi tx-chains=0,1 tx-power=30
/interface wifi
# no connection to CAPsMAN, managed locally
set [ find default-name=wifi1 ] channel=\
    wifi-channel-eu-5g-ac-080-106 comment="PhoenixWiFi 5 GHz" \
    configuration=wifi-configuration-PhoenixWiFi-5.0g \
    configuration.manager=capsman-or-local .mode=ap datapath=capdp disabled=\
    no
# no connection to CAPsMAN, managed locally
set [ find default-name=wifi2 ] channel=\
    wifi-channel-eu-2.4g-g-20-01 comment=\
    "PhoenixWiFi 2.4 GHz" configuration=\
    wifi-configuration-PhoenixWiFi-2.4g configuration.manager=\
    capsman-or-local .mode=ap datapath=capdp disabled=no
/ipv6 dhcp-client option
add code=12 name=hostname value="\$(HOSTNAME)"
/interface bridge port
set 0 bridge=bridge comment="ETH1 (PoE in)" \
    interface=ether1 internal-path-cost=10000 path-cost=10000 trusted=yes
set 1 bridge=bridge comment="ETH2 (PoE out)" \
    interface=ether2 internal-path-cost=10000 path-cost=10000
/ipv6 settings
set accept-router-advertisements=yes
/interface wifi cap
set discovery-interfaces=bridge slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=vh_-_bp22bna4_-_capax-01_-_bridge_1-w2
/ipv6 dhcp-client
add interface=bridge request=prefix use-interface-duid=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=ap1.home
/system leds settings
set all-leds-off=immediate
/system note
set note="!! Griffin Family  -  Authorised Access Only !!\
    \n!! Contact : Michael <michael@home.za> !!\
    \n!!           +27 83 123 4567                 !!"
set show-at-login=yes
 
milegrin

Re: CAP AC: Stripping MAC Addresses impacting DHCP

Fri Jan 05, 2024 9:37 pm

Thank you. Selecting "Phone Mac" for the specific SSID fixed it for the phone. Resetting my laptop wifi (delete everything & recreate) seems to have fixed it as well; thank you greatly for everyone's assistance.

As for running RouterOS7, I tried that on my refurbed cAPac and ended up jumping through major hoops to revert back to V6 as it was just too different, I could not get the WiFi working and really wanted to fix the first "issue" before creating a whole new one. Now that the problem has been resolved, I will follow the guidance and give V7 a try again :)

Connecting via the cAP ac, the arp table shows the following, which is not the actual laptop MAC address nor any MAC I can find on the cAPac:
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.1.148               ether   1e:3e:f8:32:12:5e   C                     eth0

The MAC address shown is a "locally administered MAC address".

But a question: are you sure it's not your wireless device doing it? All recent iOS and Android devices (including Samsung) by default use "anonymized" MAC addresses when connecting to yet-unknown wireless networks, and one has to toggle to use the device MAC address (that setting is per SSID).
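
The "locally administered" observation above can be checked mechanically from the first octet of the address. The sketch below is an added example, not part of any post in this thread: it parses `arp`-style output and flags entries whose U/L bit is set. The function names and the two extra ARP rows are constructed for illustration; only the 10.1.1.148 row comes from the thread.

```python
import re

# Constructed sample: the first entry is the ARP line quoted in the thread;
# the other two rows are made up for contrast.
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.1.148               ether   1e:3e:f8:32:12:5e   C                     eth0
10.1.1.20                ether   48:a9:8a:00:11:22   C                     eth0
10.1.1.31                        (incomplete)                              eth0
"""

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def classify_mac(mac):
    """Return 'multicast', 'local' or 'universal' from the first octet's flag bits."""
    first = int(re.split(r"[:-]", mac)[0], 16)
    if first & 0x01:   # I/G bit set: group (multicast/broadcast) address
        return "multicast"
    if first & 0x02:   # U/L bit set: locally administered, not vendor-assigned
        return "local"
    return "universal"


def scan_arp(text):
    """Return a list of (ip, mac, kind) for every resolved ARP entry."""
    results = []
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue   # header row or (incomplete) entry
        ip = line.split()[0]
        results.append((ip, m.group(1).lower(), classify_mac(m.group(1))))
    return results


if __name__ == "__main__":
    for ip, mac, kind in scan_arp(SAMPLE_ARP):
        note = ""
        if kind == "local":
            note = "likely a randomized/private MAC; a MAC-keyed DHCP entry will not match"
        print(f"{ip:<15} {mac}  {kind:<10} {note}")
```

Run against the DHCP server's ARP table or lease list, this shows which clients will miss MAC-keyed static leases or per-host DHCP options until the device is switched to its hardware MAC for that SSID.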