hAP ac^2 WiFi AP after hEX S router

elpeter · Wed Jan 01, 2020 10:25 pm

Hello everyone,

I've been struggling quite a lot rying to configure my hAP ac^2 as a WiFi AP after my hEX S router. I've done everything what I think it's correct but it doesn't work at all

and I'm getting crazy...

This is my schema:

Well Asus WiFi AP is working as expected, WAN IP from hEX and DHCP relay to it.
Same thing for hAP is not working. From Winbox I can ping 8.8.8.8 and traceroute any device either on WIFI (192.168.5.X) and on LAN (192.168.0.X)

But any device that I connect to hAP via WiFi does have an IP from hEX's DHCP Relay but has no Internet connection nor view any device in WiFi or LAN networks.

Here you go my hAP config.

What am I doing wrong???

/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
    ssid=24WIFI wireless-protocol=802.11
set [ find default-name=wlan2 ] country=spain disabled=no mode=ap-bridge \
    ssid=5WIFI wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    PASS wpa2-pre-shared-key=PASS
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.5.2 interface=bridge network=192.168.5.2
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.16.1 disabled=no interface=bridge name=\
    "Mikrotik hEX S"
/ip dns
set servers=192.168.0.50,192.168.0.52
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
/ip route
add distance=1 dst-address=192.168.5.0/24 gateway=192.168.16.1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external

Thanks so much in advance.

jimbobst · Thu Jan 02, 2020 1:11 am

Happy New Year.

My word, people do have some interesting network setups.

A couple of things I can see:

1.
/ip address
add address=192.168.5.2 interface=bridge network=192.168.5.2

the ip should be 192.168.5.2/24 and network portion should be 192.168.5.0 here I would think assuming a /24

2
/ip route
add distance=1 dst-address=192.168.5.0/24 gateway=192.168.16.1

This route looks incorrect as that is your local network. If you want the wlan devices to get to the lan devices you would need to put 192168.0.0//24 here instead.

3. Also, are the wlan clients getting the bridge IP 192.168.5.2 as their gateway from the DHCP server on the Hex?

Also, do you need the firewalling/NAT? Might be easier to put them all in a bridge. I gather the hex is doing the firewalling also?

Zacharias · Thu Jan 02, 2020 1:18 am

The previous post plus:
I see no IP in your eth1 interface. Also where is your default gateway route 0.0.0.0/0 ?

elpeter · Thu Jan 02, 2020 1:17 pm

Happy new year!! and thank you both for reply

I'll reply inline:

Happy New Year.

My word, people do have some interesting network setups.

A couple of things I can see:

1.
/ip address
add address=192.168.5.2 interface=bridge network=192.168.5.2

the ip should be 192.168.5.2/24 and network portion should be 192.168.5.0 here I would think assuming a /24

The weird thing is that if I set that IP as you say a route is set dynamically which prevents reaching subnet 5 from the router when I do a traceroute.

2
/ip route
add distance=1 dst-address=192.168.5.0/24 gateway=192.168.16.1

This route looks incorrect as that is your local network. If you want the wlan devices to get to the lan devices you would need to put 192168.0.0//24 here instead.

I added that route to be able to reach subnet 5, otherwise with what I mentioned above the dynamic route is through the bridge and as the wan is not in the bridge there's no way to reach subnet 5

3. Also, are the wlan clients getting the bridge IP 192.168.5.2 as their gateway from the DHCP server on the Hex?

Problem is that I have two AP, the Asus one un 5.1 and the hAP on the 5.2 so I set both IPs as gateways, Is that correct? or I'm doing something stupid... Find bellow what a client of hAP wifi gets.

Also, do you need the firewalling/NAT? Might be easier to put them all in a bridge. I gather the hex is doing the firewalling also?

I just copied FW rules from a guy who set an hAP (can´t find the post now) but I deleted them. Only left the masquerade for WAN, which I think is mandatory for internet to work.

The previous post plus:
I see no IP in your eth1 interface. Also where is your default gateway route 0.0.0.0/0 ?

That's given by a static lease from the hEX, I've set a subnet for that, 192.168.16.X in which .1 is the hEX and .2 is the hAP so that ads the dynamic route 0.0.0.0/0 through 192.168.16.1 via eth1

Bear in mind that everything "works" from the hAP, I can reach Internet and subnets from Tools/ping and Tools/Traceroute but not from hAP WiFi clients

So far, now configuration looks like this:

/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
    ssid=24WIFI wireless-protocol=802.11
set [ find default-name=wlan2 ] country=spain disabled=no mode=ap-bridge \
    ssid=5WIFI wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    PASS wpa2-pre-shared-key=PASS
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.5.2/24 interface=ether2 network=192.168.5.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.16.1 disabled=no interface=bridge name=\
    "Mikrotik hEX S"
/ip dns
set servers=192.168.0.50,192.168.0.52
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external

Cannot reach subnet 5.X from hAP now

Thanks!

jimbobst · Thu Jan 02, 2020 1:45 pm

Oh, so the ASUS has clients on 192.168.5.0 network also - that's not apparent form your diagram where they seem to be using 192.168.0.x? That's your issue - trying to route to the same network in a different segment is not going to work properly - you need to rethink what you are trying to do and reconfigure accordingly..

1. The hAP will need another unique network for its clients, say 192.168.6.0.
or.
2. You do away with the "WAN" firewalled/natted interface on the HaP and connect it directly to the 192.168.5.x network (via hap eth2 or reconfigure eth1 to be part of the bridge, disable nat and firewall rules)

I'm assuming the hex is doing firewalling/nat for all the other clients and networks anyway? No need for double nat/firewall unless you have a specific need that you've not described

elpeter · Thu Jan 02, 2020 3:50 pm

Oh, so the ASUS has clients on 192.168.5.0 network also - that's not apparent form your diagram where they seem to be using 192.168.0.x? That's your issue - trying to route to the same network in a different segment is not going to work properly - you need to rethink what you are trying to do and reconfigure accordingly..

1. The hAP will need another unique network for its clients, say 192.168.6.0.
or.
2. You do away with the "WAN" firewalled/natted interface on the HaP and connect it directly to the 192.168.5.x network (via hap eth2 or reconfigure eth1 to be part of the bridge, disable nat and firewall rules)

I'm assuming the hex is doing firewalling/nat for all the other clients and networks anyway? No need for double nat/firewall unless you have a specific need that you've not described

Oh sorry it was a typo, here's the schema:

So what I want is not feasible then, it has to have a separate subnet for the hAP and just create another dhcp for that with same config as in the Asus but pointing to the 6.X instead.

I don't need NAT/FW there but I don't know how to make it work so I tried with that NAT rule and that's the only way it worked. Now I have the following setup and it's finally working:

/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no mode=ap-bridge \
    ssid=24WIFI wireless-protocol=802.11
set [ find default-name=wlan2 ] country=spain disabled=no mode=ap-bridge \
    ssid=5WIFI wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    PASS wpa2-pre-shared-key=PASS
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.6.1/24 interface=bridge network=192.168.6.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.16.1 disabled=no interface=bridge name=\
    "Mikrotik hEX S"
/ip dns
set servers=192.168.0.50,192.168.0.52
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external

Although it's not what I wanted it's at least working now.

To sum up, having two AP running on the same subnet is not possible unless you connect a LAN cable from AsusAP LAN to hAP eth2 right?

Thanks!

jimbobst · Thu Jan 02, 2020 8:01 pm

"Although it's not what I wanted it's at least working now.

To sum up, having two AP running on the same subnet is not possible unless you connect a LAN cable from AsusAP LAN to hAP eth2 right?"

What is it you want?

According to your diagram everything plugs in to the hex, no? In which case there is no reason the two APs can't be on the same subnet, you just need to reconfigure the hex.
That's a little too obvious so I guess there is some other information you've not shared...?

elpeter · Mon Jan 06, 2020 9:59 am

Thanks jimbobst. Applogies but been busy these days.

Reply inline:

"Although it's not what I wanted it's at least working now.

To sum up, having two AP running on the same subnet is not possible unless you connect a LAN cable from AsusAP LAN to hAP eth2 right?"

What is it you want?
I wanted to have both AP running on the same subnet 5.X

According to your diagram everything plugs in to the hex, no? In which case there is no reason the two APs can't be on the same subnet, you just need to reconfigure the hex.
That's a little too obvious so I guess there is some other information you've not shared...?
My issue might be precisely that, that I don't know what else to do in my hEX to make that work. Right now I have a point to point subnet with each AP 15.0/30 for the Asus and 16.0/30 for the hAP

Another question, that just came up to mi mind... If I want to use any of the other ethX of the hAP as if they were in a switch let's say as if they were plugged in in the hEX... is that something feasible?

Thanks so much you all for your time and patience!! truly appreciate it

hAP ac^2 WiFi AP after hEX S router

hAP ac^2 WiFi AP after hEX S router

Re: hAP ac^2 WiFi AP after hEX S router

Re: hAP ac^2 WiFi AP after hEX S router

Re: hAP ac^2 WiFi AP after hEX S router

Re: hAP ac^2 WiFi AP after hEX S router

Re: hAP ac^2 WiFi AP after hEX S router

Re: hAP ac^2 WiFi AP after hEX S router

Re: hAP ac^2 WiFi AP after hEX S router

Who is online