slessard
just joined
Topic Author
Posts: 4
Joined: Thu Jan 24, 2019 5:00 am

Basic home setup but can't get it to work

Thu Jan 24, 2019 5:23 am

Hello everyone,

I'm having a basic home setup but can't have internet connection from the wifi. There must be something with the bridge.
I have a modem-router on which one of its LAN ports is connected to ether1 of my Mikrotik hAP ac2 (v6.42.5), and some computers on the LAN ports of the hAP, as well as a second router connected LAN to LAN to get some extra ports and wifi range.
The modem-router has DHCP server enabled and gave 192.168.2.150 to the DHCP client on ether1 of the hAP.
Local network IP address of the hAP is 192.168.2.5 (here I am not sure: can I have the WAN and LAN on the same subnet?)
hAP also has a DHCP server (not sure if it is bad, having two DHCP servers on the same subnet?)
Then I have a bridge with the ports :
- ether 1
- ether 2
- ether 3
- ether 4
- ether 5
- WLAN (2Ghz)
- WLAN (5Ghz)

On the computer connected to ether2, I can reach Internet but I can't if using the Wifi.
I have read many forum posts and it seems that I should not have ether1 on the bridge but if I don't have it, the LAN ports on the hAP cannot reach Internet.
I'm a bit lost... yesterday, I had my modem-router connected to ether2 instead of ether1 and everything was working ok but I believe it is not really the way it should be connected. I had problems forwarding ports from the outside to my LAN servers so I decided to try to do it the right way, having the Internet link connected to the WAN port instead of LAN... but it is not as simple as I thought...
Is there something special I should do with the Masquerade thing?
Should the WAN IP of ether1 be on a different subnet?
Should ether1 be on the same bridge as everyone?
Why is the wifi unable to reach internet when a physical port can?

I have also read that it is possible to configure the modem-router as a simple bridge and have the pppoe credentials in the Mikrotik router instead. How is that better?

Thanks for your help!
Simon
 
anav
Forum Guru
Posts: 21988
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic home setup but can't get it to work

Thu Jan 24, 2019 2:47 pm

Usual advice
Please post config
/export hide-sensitive file=mylatestconfig

Also add a diagram if possible but not necessary.
 
villageworker
newbie
Posts: 38
Joined: Fri Nov 11, 2011 9:54 pm

Re: Basic home setup but can't get it to work

Thu Jan 24, 2019 3:55 pm

Then I have a bridge with the ports :
- ether 1
- ether 2
- ether 3
- ether 4
- ether 5
- WLAN (2Ghz)
- WLAN (5Ghz)

Take ether 1 out of the bridge and then post config without sensitive information.
 
slessard
just joined
Topic Author
Posts: 4
Joined: Thu Jan 24, 2019 5:00 am

Re: Basic home setup but can't get it to work

Fri Jan 25, 2019 2:52 am

Thanks for your help!
Ok, I removed ether1 from the bridge and exported the config. I lost internet connection when I removed ether1 but I re-added it to the bridge in the meantime.
I will draw the diagram soon but please find my config here:
One thing I am not so sure about: I enabled DHCP on my modem-router and gave a static IP of 192.168.2.150 to ether1... I read that somewhere but... isn't that weird to have ether1 on the same subnet?

# jan/24/2019 06:28:51 by RouterOS 6.42.5
# software id = Q3W3-39HX
#
# model = RBD52G-5HacD2HnD
# serial number = 9E4J3993DKj38S
/interface bridge
add admin-mac=B8:69:F4:6A:19:57 auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
dynamic-keys name=Maison supplicant-identity=MikroTik_HAP
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
frequency=2437 mode=ap-bridge name=wlan1_2G security-profile=Maison ssid=\
"tHEwIFI" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
ap-bridge name=wlan2_5G security-profile=Maison ssid=MrWififi \
wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.2.20-192.168.2.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=DHCP
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1_2G
add bridge=bridge comment=defconf interface=wlan2_5G
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.5/24 comment=defconf interface=ether2 network=\
192.168.2.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.5 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface=bridge protocol=tcp \
to-addresses=192.168.2.44 to-ports=8123
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=bridge \
protocol=tcp to-addresses=192.168.2.44 to-ports=80
add action=dst-nat chain=dstnat dst-port=3218 in-interface=bridge protocol=\
tcp to-addresses=192.168.2.44 to-ports=3218
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MikroTik_HAP
/system ntp client
set enabled=yes primary-ntp=198.251.50.194
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
villageworker
newbie
Posts: 38
Joined: Fri Nov 11, 2011 9:54 pm

Re: Basic home setup but can't get it to work

Fri Jan 25, 2019 5:03 am

Try the following:

- Remove ether1 from bridge.

change
/ip address
add address=192.168.2.5/24 comment=defconf interface=ether2 network=\
192.168.2.0

to

/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
192.168.2.0

Report back on results
 
villageworker
newbie
Posts: 38
Joined: Fri Nov 11, 2011 9:54 pm

Re: Basic home setup but can't get it to work

Fri Jan 25, 2019 5:09 am

Having the same IP address range as your upstream provider, in this case your ISP modem/router, will most likely not work. I will let others comment about this.
 
anav
Forum Guru
Posts: 21988
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic home setup but can't get it to work

Fri Jan 25, 2019 5:31 am

I agree, I don't understand why the OP would do that??

/interface bridge
add admin-mac=B8:69:F4:6A:19:57 auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
dynamic-keys name=Maison supplicant-identity=MikroTik_HAP
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
frequency=2437 mode=ap-bridge name=wlan1_2G security-profile=Maison ssid=\
"tHEwIFI" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
ap-bridge name=wlan2_5G security-profile=Maison ssid=MrWififi \
wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.20-192.168.0.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=DHCP
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1_2G
add bridge=bridge comment=defconf interface=wlan2_5G
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related" connection-state=\
established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related" connection-state=\
established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN protocol=tcp \
to-addresses=192.168.2.44 to-ports=8123
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=WAN \
protocol=tcp to-addresses=192.168.2.44
add action=dst-nat chain=dstnat dst-port=3218 in-interface=WAN protocol=\
tcp to-addresses=192.168.2.44
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MikroTik_HAP
/system ntp client
set enabled=yes primary-ntp=198.251.50.194
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
slessard
just joined
Topic Author
Posts: 4
Joined: Thu Jan 24, 2019 5:00 am

Re: Basic home setup but can't get it to work

Fri Jan 25, 2019 6:06 am

Thanks both of you.
Villageworker, I tried the changes you proposed but as soon as I remove ether1 from the bridge, everyone loses internet access.
About the IP address range of the upstream provider being the same as the local network, I can change that. I thought I had to give an IP address to ether1 so I activated DHCP on the modem-router on IP range 192.168.2.150-160 and the hAP took 192.168.2.150 on ether1. I could change the IP range to something like 192.168.0.150-160 if needed. I gave it the same subnet (192.168.2.x) since the IP address of the modem-router is 192.168.2.1 and I believe that if I change the IP of the modem-router to a different subnet, I won't be able to access its web interface from 192.168.2.x anymore? Other than by connecting a cable to its port but that is not very convenient... am I right?

Anav: I see what you mean. I think you want me to change the entire subnetwork of the hAP to a different one than the modem-router, right? What if I change the subnet of the modem-router to 192.168.0.1 instead?
Well noted, the dst-nat input interface should be WAN, not bridge. The thing is that I don't have WAN in the list, I thought I could use ether1 instead (it is the WAN port, isn't it?) but I got an error : "in/out interface matcher not possible when interface (ether1) is slave - use master instead (bridge)"
Ok, I added an IP address to the bridge and removed the one for ether2.

thanks again!
Simon
 
villageworker
newbie
Posts: 38
Joined: Fri Nov 11, 2011 9:54 pm

Re: Basic home setup but can't get it to work

Fri Jan 25, 2019 6:42 am

As your modem/router is working I suggest not making any configuration changes on that device.

Your options are to follow what Anav has explained or do a complete reset of the HAP to factory configuration. Only after you have a working system add configuration changes you desire.

The answer to your other question re: access to your ISP modem/router the short answer is - put the modem/router in bridge mode. Suggest putting this task on your future todo list.

Let us know what you decide.
 
anav
Forum Guru
Posts: 21988
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic home setup but can't get it to work

Fri Jan 25, 2019 4:02 pm

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

You had noted ether1 was your wan.
so perhaps use in-interface-list=WAN lol.
But yes I am not sure if you have an IP address for your dhcp client setup (from the modem router).
It's a non-standard way of doing things which I don't fully understand. Normally the router adds an IP address for the client side
 
WeWiNet
Long time Member
Long time Member
Posts: 610
Joined: Thu Sep 27, 2018 4:11 pm

Re: Basic home setup but can't get it to work

Sat Jan 26, 2019 12:10 am

Why not reset and use Quick-set "Home AP". Will give you exactly what you want with
simple interface to setup IP, DHCP, Wifi etc. in 3 minutes you are all set.
 
anav
Forum Guru
Posts: 21988
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic home setup but can't get it to work

Sat Jan 26, 2019 12:34 am

But then how would I get paid by MT??
More importantly the OP would learn less.
However nothing wrong with starting from scratch, ie the default and building the rules slowly.
 
slessard
just joined
Topic Author
Posts: 4
Joined: Thu Jan 24, 2019 5:00 am

Re: Basic home setup but can't get it to work

Mon Jan 28, 2019 4:34 am

Got interesting results from resetting config to zero and starting over and, at the same time, changing the network address of the modem-router to something different from the HAP.
Now it is working without having to put ether1 in the bridge, which makes sense! And my Wifi is also accessing the internet!

The last thing is port forwarding. Since the HAP is behind the modem-router, I guess this is the problem? I set the NAT rule in the HAP but I believe that the modem-router in front of it has no idea that the packets have to be forwarded to the HAP.
Next thing I am going to try is to set the modem-router to bridge mode.

Thanks everyone for your great and generous help!
TBC....
Simon
 
anav
Forum Guru
Posts: 21988
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic home setup but can't get it to work

Mon Jan 28, 2019 2:40 pm

If you set up forwarding rules in the router modem (you have access), then simply forward the ports you need forwarded to the WANIP of the HAP.

The WANIP of the HAP is equal to the LANIP on the router/modem that is assigned to your HAP.
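
An added example, not part of any post in this thread: a small Python check that parses a RouterOS export and flags three of the mistakes discussed above (the WAN port left in the LAN bridge, where it sits outside the router's NAT and forward filtering; an IP address set on a bridge port instead of the bridge; a dst-nat rule matching the LAN bridge). The sample export is constructed from lines posted earlier in the thread, and the function names are hypothetical.

```python
import shlex

# Constructed excerpt modelled on the export posted in this thread, with ether1
# put back in the bridge as the original poster described.
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge protocol-mode=none
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.2.5/24 interface=ether2 network=\
    192.168.2.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface=bridge protocol=tcp \
    to-addresses=192.168.2.44 to-ports=8123
"""

def parse_export(text):
    """Return (menu, {key: value}) per add/set line, joining backslash continuations."""
    rows, menu, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            rows.append((menu, dict(pairs)))
    return rows

def audit(rows):
    """Flag the three bridge/WAN mistakes discussed in the thread (added checks)."""
    ports = {r["interface"] for m, r in rows
             if m == "/interface bridge port" and "interface" in r}
    bridges = {r["name"] for m, r in rows if m == "/interface bridge" and "name" in r}
    wan = {r["interface"] for m, r in rows
           if m == "/interface list member" and r.get("list") == "WAN"}
    findings = [f"{i}: in WAN list but also a bridge port" for i in sorted(wan & ports)]
    for m, r in rows:
        if m == "/ip address" and r.get("interface") in ports:
            findings.append(f"{r['interface']}: address {r['address']} set on a bridge port")
        if (m == "/ip firewall nat" and r.get("action") == "dst-nat"
                and r.get("in-interface") in bridges):
            findings.append(f"dst-nat port {r.get('dst-port')}: in-interface is LAN bridge")
    return findings

print("\n".join(audit(parse_export(SAMPLE_EXPORT))))
```

To check a real router, pass the text of the exported .rsc file to parse_export() in place of SAMPLE_EXPORT.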
