effndc
newbie
Topic Author
Posts: 44
Joined: Wed Jan 11, 2017 1:25 am

Problems setting up simple AP with single ethernet port WAP ac

Sun Feb 05, 2017 1:50 am

I cannot figure out what I am doing wrong. I am taking two brand new WAP ac units (RBwAPG-5HacT2HnD-US) and just trying to configure them as a pure hard wired access point. I have tried to do this with CAPsMAN which never works either, so trying to configure it as a basic IP without CAPsMAN for now. I have a RB951G-2HnD configured this way and it works fine, however I can't get anything to work on the RBwAPG-5HacT2HnD-US. As soon as I try to create a bridge and add all of the interfaces to it I lose all access to the unit via MAC or IP. I find it shocking that there isn't a single "quickset" configuration on this unit to do just this, CAPsMAN mode is the closest but I haven't ever been able to get that to work either (post in Wireless Networking with no attention on the subject). I am currently using 6.39RC25, but I didn't have any luck on the released bits either.

Environment is pretty straightforward, I have a hEX RB750Gr3 as the edge/router/firewall. This is configured to provide NAT, DNS and DHCP to 3 VLANs (1, 10, 1003). I have tested with other access points to verify that those other VLANs work and devices can access the Internet via NAT. The intent is to have 3 SSIDs for each radio (trusted, IoT, and guest). The RB750Gr3 connects to a VLAN capable switch that also connects to the RBwAPG-5HacT2HnD-US. VLAN configuration and routing has been verified, if I go to the RBwAPG-5HacT2HnD-US and I configure a VLAN port against ether1 and assign it an IP address it is reachable from the other segments and the RB750Gr3 shows the corresponding MAC in the correct VLAN MAC tables.

When trying to configure the RBwAPG-5HacT2HnD-US as an actual access point (ap bridge mode) I can't ever get wireless clients to successfully talk to the rest of the network. It seems that the bridge functionality just doesn't even work on this device, no matter which starting configuration I start from (including reset with no defaults) I cannot get bridging to work. I would think that just creating a bridge and adding ether1 to it wouldn't "break" the device, but it does. If I add an administrative MAC to the bridge beforehand it still doesn't work, as soon as I set ether1 into the bridge I lose all access to the device either via ether1's MAC or the administrative MAC I allocated and have to do a configuration reset via the physical reset button.

I found the other two Mikrotik products straightforward to set up, but these two RBwAPG-5HacT2HnD are making me question the entire thing as they just don't seem to work even remotely the same as the products with switch chips and there seems to be zero guidance on how to configure any of the non-switch chip single ethernet port access points.

Does anyone have any solutions/guides to offer? At this point the configuration is null until I add the bridge and then add ether1 to the bridge, and that doesn't even work.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Problems setting up simple AP with single ethernet port WAP ac

Mon Feb 06, 2017 12:14 pm

Open a New Terminal on wAPs and 750Gr3 and post an /export of each.
 
erlinden
Forum Guru
Posts: 2627
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Problems setting up simple AP with single ethernet port WAP ac

Mon Feb 06, 2017 1:34 pm

I was working on this this weekend, what I did:

Reset without configuration
Configured wan1 & wan2 and enabled them
Added virtual wan3 (bound to wan1) & wan4 (bound to wan2) for my guest vlan
Put it all in one bridge.

Ran into some disconnects but in the end it all worked.

Do the clients receive an IP address?
 
effndc
newbie
Topic Author
Posts: 44
Joined: Wed Jan 11, 2017 1:25 am

Re: Problems setting up simple AP with single ethernet port WAP ac

Mon Feb 06, 2017 7:57 pm

Thanks for the responses.

Here is the 750gr3 configuration, I removed my static DHCP leases, firewall filters, netwatch configuration, and scripts for the ddns and maintaining the HE IPv6 tunnel and obfuscated a few other items.

# feb/06/2017 09:17:15 by RouterOS 6.39rc20
# software id = ABD4-FNNE
#
/interface ethernet
set [ find default-name=ether1 ] comment="To Carrier ONT" rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] comment="LAN to Office Desk" name=ether2-master rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] comment="LAN to upstairs AP" master-port=ether2-master rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] master-port=ether2-master rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] master-port=ether2-master rx-flow-control=auto tx-flow-control=auto
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=174.25.107.201 mtu=1480 name=sit1 remote-address=216.218.226.238
/ip neighbor discovery
set ether1 discover=no
set ether3 discover=no
set ether4 discover=no
set ether5 discover=no
/interface vlan
add comment=Primary interface=ether2-master name="vlan1 Primary" vlan-id=1
add comment="IoT Devices" interface=ether2-master name=vlan10-IoT vlan-id=10
add comment="CenturyLink WAN" interface=ether1 name="vlan201 WAN" vlan-id=201
add comment="AirPort Extreme Guest Network" interface=ether2-master name=vlan1003-Guest vlan-id=1003
/interface pppoe-client
add add-default-route=yes comment="Century Link" disabled=no interface="vlan201 WAN" name=pppoe-wan user=xxxxxxx@xxxxxx
/ip neighbor discovery
set pppoe-wan discover=no
set vlan10-IoT discover=no
set "vlan201 WAN" discover=no
set vlan1003-Guest discover=no
/interface list
add name=WAN
add name=LAN
add name=guestLAN
add name=IoT
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=primary-dhcp ranges=192.168.1.50-192.168.1.200
add name=Guest ranges=192.168.103.2-192.168.103.250
add name=IoT ranges=192.168.10.2-192.168.10.250
/ip dhcp-server
add add-arp=yes address-pool=primary-dhcp authoritative=yes disabled=no interface=ether2-master lease-time=2w name=lan-default
add add-arp=yes address-pool=Guest disabled=no interface=vlan1003-Guest lease-time=8h name="Guest Network"
add address-pool=IoT disabled=no interface=vlan10-IoT lease-time=1w name="IoT Network"
/ipv6 dhcp-server
add address-pool=2001:470:y:xxx::/64 comment="HE Routed" interface=ether2-master lease-time=2w name=ipv6
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no
/dude
set enabled=yes
/ip neighbor discovery settings
set default=no
/ip settings
set rp-filter=strict
/interface ethernet switch vlan
add independent-learning=yes ports=ether2-master,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether2-master,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=1003
add independent-learning=no ports=ether2-master,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=1
/interface list member
add interface="vlan201 WAN" list=WAN
add interface=pppoe-wan list=WAN
add interface=ether1 list=WAN
add interface=ether2-master list=LAN
add interface=sit1 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=vlan1003-Guest list=guestLAN
add interface=vlan10-IoT list=IoT
add interface="vlan1 Primary" list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2-master network=192.168.1.0
add address=192.168.10.1/24 comment="IoT Gateway" interface=vlan10-IoT network=192.168.10.0
add address=192.168.103.1/24 comment="Guest Gateway" interface=vlan1003-Guest network=192.168.103.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment="Primary Network" dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
add address=192.168.10.0/24 comment="Guest Network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1 netmask=24
add address=192.168.103.0/24 comment="IoT Network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.103.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=2001:470:20::2,74.82.42.42,2001:4860:4860::8888,8.8.8.8,205.171.3.25,205.171.3.65,208.67.220.220
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-wan
add action=dst-nat chain=dstnat comment=weathercat dst-port=49250,49251,49252,49253,49254 protocol=tcp to-addresses=192.168.1.5
add action=dst-nat chain=dstnat comment="Plex Server" dst-port=32400 protocol=tcp to-addresses=192.168.1.5
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,192.168.1.0/24
set api address=192.168.88.0/24,192.168.1.0/24
set winbox address=192.168.88.0/24,192.168.1.0/24
set api-ssl address=192.168.88.0/24,192.168.1.0/24
/ip ssh
set strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether2-master type=internal
add interface=pppoe-wan type=external
add interface="vlan1 Primary" type=internal
add disabled=yes interface=vlan1003-Guest type=internal
add disabled=yes interface=vlan10-IoT type=internal
add disabled=yes interface=sit1 type=external
/ipv6 address
add address=2001:470:a:c29::2 advertise=no interface=sit1
add address=2001:470:b:c27::1 interface=ether2-master
/ipv6 firewall filter
add action=drop chain=input comment="block AppleTV from IPv6 due Netflix being bastards" log-prefix="Netflix douchebags" src-mac-address=C8:69:CD:49:C0:1C
add action=drop chain=forward comment="block AppleTV from IPv6 due Netflix being bastards" log-prefix="Netflix douchebags" src-mac-address=C8:69:CD:49:C0:1C
add action=accept chain=input comment="Allow related&established" connection-state=established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmpv6
add action=drop chain=input in-interface=sit1 log-prefix="Input Drop v6"
add action=accept chain=input comment="Accept input from LAN" in-interface-list=LAN
add action=accept chain=forward comment="Forward related&established" connection-state=established,related
add action=accept chain=forward comment="Forward ICMP" protocol=icmpv6
add action=drop chain=forward comment="Drop all other client bound" in-interface-list=WAN log-prefix="Forward Drop v6"
/ipv6 nd
set [ find default=yes ] advertise-dns=yes interface=ether2-master managed-address-configuration=yes mtu=1480 other-configuration=yes ra-interval=1m-10m ra-lifetime=1h reachable-time=3m retransmit-interval=30s
/ipv6 route
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref !bgp-med !bgp-origin !bgp-prepend !check-gateway distance=1 dst-address=2000::/3 gateway=2001:470:a:c29::1 !route-tag
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=arxys-router
/system note
set note="Authorized access only.  Access to this device is monitored.  Unauthorized access is tracked and reported."
/system ntp client
set enabled=yes primary-ntp=216.229.0.179 secondary-ntp=216.228.192.69 server-dns-names=pool.ntp.org,time.nist.gov,utcnist.colorado.edu,nist-time-server.eoni.com,time-a.timefreq.bldrdoc.gov
/system package update
set channel=release-candidate
/system routerboard settings
# Warning: memory not running at default frequency
set memory-frequency=1200DDR

/tool bandwidth-server
set enabled=no
/tool mac-server
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
/tool mac-server ping
set enabled=no
Last edited by effndc on Tue Feb 07, 2017 12:15 am, edited 2 times in total.
 
effndc
newbie
Topic Author
Posts: 44
Joined: Wed Jan 11, 2017 1:25 am

Re: Problems setting up simple AP with single ethernet port WAP ac

Mon Feb 06, 2017 8:59 pm

Just to rule out the RC RouterOS as a problem I downgraded this back to the release build 6.38.1.

I am able to get my VLAN10 and VLAN1003 segments to work, but not the one that corresponds to the default LAN (VLAN1) segment. The clients that connect to what should be VLAN1 get this error from the 750Gr3 DHCP-server, either wlan interface primary2G or primary5G same results:

14:06:15 dhcp,warning lan-default offering lease 192.168.1.64 for 2C:33:61:8B:78:1D without success

Current configuration is 1 bridge per VLAN grouping the WLAN interfaces with the corresponding VLAN interfaces, while not using VLAN tagging on the wireless interface configuration:

# feb/06/2017 14:04:01 by RouterOS 6.38.1
# software id = ZBMC-HYJW
#
/interface bridge
add name=vlan1-bridge-primary
add name=vlan10-bridge-iot
add name=vlan1003-bridge-guest
/interface vlan
add interface=ether1 name=vlan1 vlan-id=1
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan1003 vlan-id=1003
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=test-profile supplicant-identity="" wpa2-pre-shared-key=1234567890
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge name=wlan1-primary2G security-profile=test-profile ssid=primary-2G
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-eeCe disabled=no frequency=auto mode=ap-bridge name=wlan2-primary-5G security-profile=test-profile ssid=primary-5g
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:76:E5:76 master-interface=wlan1-primary2G mode=ap-bridge multicast-buffering=disabled name=wlan3-guest-2G security-profile=test-profile ssid=guest-2G vlan-id=1003 wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:76:E5:77 master-interface=wlan1-primary2G mode=ap-bridge multicast-buffering=disabled name=wlan4-iot-2G security-profile=test-profile ssid=iot-2G vlan-id=10 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=vlan1-bridge-primary edge=yes interface=vlan1
add bridge=vlan10-bridge-iot edge=yes interface=vlan10
add bridge=vlan1003-bridge-guest edge=yes interface=vlan1003
add bridge=vlan1-bridge-primary interface=wlan1-primary2G
add bridge=vlan1003-bridge-guest interface=wlan3-guest-2G
add bridge=vlan10-bridge-iot interface=wlan4-iot-2G
add bridge=vlan1-bridge-primary interface=wlan2-primary-5G
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=vlan10-bridge-iot
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=vlan1003-bridge-guest
add default-route-distance=0 dhcp-options=hostname,clientid interface=vlan1-bridge-primary
/system clock
set time-zone-name=America/Los_Angeles
/system ntp client
set enabled=yes primary-ntp=216.229.0.179 secondary-ntp=216.228.192.69 server-dns-names=pool.ntp.org,time.nist.gov,utcnist.colorado.edu,nist-time-server.eoni.com,time-a.timefreq.bldrdoc.gov

To help validate that VLAN plumbing exists (native/default VLAN everywhere is vlan-id=1):

ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0 D 192.168.1.252/24   192.168.1.0     ether1
 1 D 192.168.10.10/24   192.168.10.0    vlan10-bridge-iot
 2 D 192.168.103.234/24 192.168.103.0   vlan1003-bridge-guest
Last edited by effndc on Tue Feb 07, 2017 12:11 am, edited 1 time in total.
 
effndc
newbie
Topic Author
Posts: 44
Joined: Wed Jan 11, 2017 1:25 am

Re: Problems setting up simple AP with single ethernet port WAP ac

Tue Feb 07, 2017 12:14 am

erlinden wrote:
> I was working on this this weekend, what I did:
>
> Reset without configuration
> Configured wan1 & wan2 and enabled them
> Added virtual wan3 (bound to wan1) & wan4 (bound to wan2) for my guest vlan
> Put it all in one bridge.
>
> Ran into some disconnects but in the end it all worked.
>
> Do the clients receive an IP address?

Thanks for the post, are you using VLANs to isolate the traffic or just using unique SSIDs for access control?
 
erlinden
Forum Guru
Posts: 2627
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Problems setting up simple AP with single ethernet port WAP ac

Tue Feb 07, 2017 10:03 am

effndc wrote:
> Thanks for the post, are you using VLANs to isolate the traffic or just using unique SSIDs for access control?

VLANs are used for traffic isolation. The Guest VLAN is only used for WiFi.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Problems setting up simple AP with single ethernet port WAP ac

Tue Feb 07, 2017 11:14 am

On the first export you were using "software vlans", and additionally hardware vlans (/interface ethernet switch vlan); you may use one or the other, but not both.

On the APs, put the right VLAN id on wireless, and set VLAN mode to use tag (802.1q); all packets coming from that SSID virtual interface will be tagged with the VLAN id. See http://forum.mikrotik.com/viewtopic.php ... 07#p531848

Then bridge wlan interfaces with ether1, that's all that's needed.

Additionally, I'd try with latest bugfix (6.37.4). I have seen ARP/DHCP issues with 6.38.
 
effndc
newbie
Topic Author
Posts: 44
Joined: Wed Jan 11, 2017 1:25 am

Re: Problems setting up simple AP with single ethernet port WAP ac

Wed Feb 08, 2017 12:47 am

Thanks for the pointers. I guess I must have done something off the first try, this time I went ahead and followed that guidance with a few more steps. I created the bridge, added an administrative MAC (copy of ether1) and set a DHCP client on the bridge. I was then able to add ether1 to the bridge without losing connectivity, perhaps I was missing the administrative MAC previously.

I now have the configuration working, it was just previously when I first tried this I kept losing access to administer the devices when I added ether1 to the bridge. I don't know if I have the patience to try to get this working in CAPsMAN, though I like the idea of it but my environment is going to be pretty static and I will just copy/paste the configs between them to keep them consistent.

I will share my config for others when I get some time to clean it up to use more neutral naming.
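A check for the layout advised above (every wlan bridged with ether1, each VLAN SSID set to use-tag, plus the admin MAC the topic author added), as an added example that is not part of any post in this thread. The Python below parses a RouterOS /export and reports interfaces that do not match that layout; `parse_export`, `audit_ap` and the `POSTED` sample (condensed from the AP export earlier in the thread) are names and data constructed for this example.

```python
import re
import shlex

def parse_export(text):
    """Parse a RouterOS /export into (menu, verb, params) tuples."""
    text = re.sub(r"\\\s*\n\s*", "", text)  # join "\" line continuations
    items, menu = [], ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        verb, *rest = shlex.split(line)
        items.append((menu, verb, dict(t.split("=", 1) for t in rest if "=" in t)))
    return items

def audit_ap(text, uplink="ether1"):
    """Findings against the layout advised in the thread: one bridge holding the
    uplink and every wlan, with each VLAN SSID tagging its own frames."""
    items = parse_export(text)
    ports = {p["interface"]: p["bridge"]
             for m, _, p in items if m == "/interface bridge port"}
    admin = {p["name"]: p.get("admin-mac")
             for m, v, p in items if m == "/interface bridge" and v == "add"}
    findings, trunk = [], ports.get(uplink)
    if trunk is None:
        findings.append(f"{uplink}: not a bridge port, single-bridge layout is not in place")
    elif not admin.get(trunk):
        findings.append(f"{trunk}: no admin-mac, bridge MAC is picked from its ports")
    for m, _, p in items:
        if m != "/interface wireless" or "name" not in p:
            continue
        # RouterOS defaults to vlan-mode=no-tag, so vlan-id alone tags nothing; in a
        # single bridge that SSID's clients then share the uplink's untagged VLAN.
        if "vlan-id" in p and p.get("vlan-mode") != "use-tag":
            findings.append(f"{p['name']}: vlan-id={p['vlan-id']} set but vlan-mode is not use-tag")
        if trunk is not None and ports.get(p["name"]) != trunk:
            findings.append(f"{p['name']}: not in the same bridge as {uplink}")
    return findings

# Constructed sample: condensed from the AP export posted earlier in the thread.
POSTED = r"""
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge name=wlan1-primary2G ssid=primary-2G
add master-interface=wlan1-primary2G name=wlan3-guest-2G ssid=guest-2G vlan-id=1003 \
    wds-default-cost=0 wps-mode=disabled
add master-interface=wlan1-primary2G name=wlan4-iot-2G ssid=iot-2G vlan-id=10 vlan-mode=use-tag
/interface bridge port
add bridge=vlan1-bridge-primary interface=vlan1
add bridge=vlan1-bridge-primary interface=wlan1-primary2G
add bridge=vlan1003-bridge-guest interface=wlan3-guest-2G
add bridge=vlan10-bridge-iot interface=wlan4-iot-2G
"""

if __name__ == "__main__":
    for finding in audit_ap(POSTED):
        print(finding)
```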
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Problems setting up simple AP with single ethernet port WAP ac

Wed Feb 08, 2017 1:24 pm

Are you connecting by IP? Wasn't aware of that...

You'd better connect by mac-winbox or RoMON.

RouterOS offers those incredibly flexible and time-saving features; try connecting by going to the neighbors tab on winbox, all routerboard devices in the same L2 segment as you will appear there: to connect by mac-winbox protocol, double click on the MAC address of the device to be managed; this way you're not dependent on L3 settings to manage the devices.

Even more powerful, enable RoMON on all the routers and connect by RoMON. See http://wiki.mikrotik.com/wiki/Manual:RoMON

This way you can work on L3 config without being kicked off the managed device; you may lose connectivity while carrying out some L2 configs (adding bridges, setting ether port masters etc.), just click reconnect afterwards and you'll be back into the device.
