
Struggling with HAP AX2 wifi config

Posted: Sun Dec 08, 2024 4:05 pm
by FarmerGiles
I've been using MikroTik hAP lite APs for a few years, no major issues once I got my head around it. However, I've been struggling with getting the hAP ax2 working with a similar configuration. I'm trying to use it as a simple AP bridge, however clients like my Samsung S23 try and fail to connect.

I'm old school so tend to use the terminal for configs, however I have tried using WebFig to generate configs to see if I am missing something and incorporate that into my config; it's the first time I have configured 5 or 2 GHz ax on MikroTik. Here's the config so far. It is based upon a working hAP lite config from a bridge perspective, and I have tried it in the same switch port to hopefully eliminate any issues; however, the hAP lite OS version is quite a bit behind, so many things may have changed in the interim. I have tried removing various filtering etc. to no effect.
# 2024-12-08 13:38:26 by RouterOS 7.16.2
# software id = GVPW-XG05
#
# model = C52iG-5HaxD2HaxD
# serial number = HGN09KRM1JH
/interface bridge
add name=bridge1 protocol-mode=none
/interface vlan
add interface=bridge1 name=mgmt-vlan vlan-id=48
/interface list
add name=BASE
/interface wifi channel
add band=2ghz-ax name=ch-2ghz
add band=5ghz-ax name=ch-5ghz
/interface wifi security
add authentication-types=wpa2-psk ft=yes ft-over-ds=yes name=wifi1-auth wps=disable
add authentication-types=wpa2-psk ft=yes ft-over-ds=yes name=wifi2-auth wps=disable
/interface wifi configuration
add channel.skip-dfs-channels=10min-cac .width=20/40/80mhz country="United Kingdom" mode=ap name=wifi1-conf security=wifi1-auth ssid=non-guest
add channel.skip-dfs-channels=10min-cac .width=20/40mhz country="United Kingdom" mode=ap name=wifi2-conf security=wifi2-auth ssid=guest
/interface wifi
set [ find default-name=wifi1 ] channel=ch-5ghz configuration=wifi1-conf disabled=no
set [ find default-name=wifi2 ] channel=ch-2ghz configuration=wifi2-conf disabled=no
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=8
add bridge=bridge1 interface=ether2 pvid=32
add bridge=bridge1 interface=ether3 pvid=16
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=24
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=32
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=16
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=48
add bridge=bridge1 tagged=ether1 untagged=wifi1 vlan-ids=8
add bridge=bridge1 tagged=ether1 untagged=wifi2 vlan-ids=24
/interface list member
add interface=mgmt-vlan list=BASE
/ip address
add address=192.168.48.9/24 interface=mgmt-vlan network=192.168.48.0
/ip dns
set servers=192.168.48.33
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add distance=1 gateway=192.168.48.1
/system clock
set time-zone-name=Europe/London
/system identity
set name=Barn-AP
/system logging
set 0 topics=wireless,debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=uk.pool.ntp.org
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Logging wireless,debug doesn't reveal much; I get messages like "C8:2A:DD:A5:73:55@wifi2 associated, signal strength -33" followed swiftly by "C8:2A:DD:A5:73:55@wifi2 disassociated, connection lost, signal strength -34".

The packet sniffer occasionally spots a DHCP request, but usually the client fails on authentication; only occasionally does it fail on "can't get IP address". The fact that the failure changes occasionally makes me think it is struggling a bit to connect, so maybe the wifi configuration is wrong. I have tried with minimal configs before adding DFS and width settings etc., all to no avail. I've checked and double-checked passphrases, and removed WPA3 so it's just WPA2.

I've been trying various things for a couple of days now, so I thought I would share my pain and see if anybody can spot the probably obvious error before I get the lighter fluid out :lol:

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 1:38 am
by mrbyte
Hello!!
I've had the same problem since v7.15; there are some threads complaining about this issue in the forum:
viewtopic.php?t=206955
viewtopic.php?t=196170
viewtopic.php?t=207411

I fixed it by downgrading the firmware to 7.14.3; I hope the upcoming 7.17 will solve it.

Best regards.

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 7:05 am
by gigabyte091
Well... If you are using your ax2 as an AP then you should try to enable VLAN filtering on your bridge.

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 10:19 am
by FarmerGiles
Well... If you are using your ax2 as an AP then you should try to enable VLAN filtering on your bridge.
Well... yes I did, however I removed it while trying to get the router to become an AP, once it starts doing its thing I will put that config back. VLAN filtering is not likely to be the issue with clients not being able to connect to the AP.

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 10:30 am
by holvoetn
Well... If you are using your ax2 as an AP then you should try to enable VLAN filtering on your bridge.
Well... yes I did, however I removed it while trying to get the router to become an AP, once it starts doing its thing I will put that config back. VLAN filtering is not likely to be the issue with clients not being able to connect to the AP.
Oh yes.
If they can not get a DHCP lease from the router due to wrong VLAN settings, how do you expect them to connect ??

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 1:44 pm
by FarmerGiles
I knew that was a bad idea; however, I did re-enable VLAN filtering on the bridge, lost management connectivity, and saw no change in wireless connectivity. :D Probably my mistake in the config somewhere, as I have been fiddling with it somewhat.

Before I did this I downgraded the OS and firmware to 7.14.3. I reset the box back to factory (again!) and connected via MAC using WinBox.

Now I can get to 192.168.88.1 via my phone wifi with the default config; that didn't work with the latest "stable" code.

The VLAN setup is one I use on all my other APs and I have no issues getting DHCP addresses. This is one of mine from a hAP lite running 6.x OS code. Yes, I will upgrade at some point!

As I said, the following works fine on the hAP lite; it looks like quite a few things have changed in the latest OS.
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge1 name=mgmt-vlan vlan-id=48
/interface list
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=<redacted>
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=guest-profile supplicant-identity="Office AP" wpa-pre-shared-key=<redacted> wpa2-pre-shared-key=<redacted>
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=dynamic-keys name=non-guest radius-mac-authentication=yes supplicant-identity="Office AP" wpa-pre-shared-key=<redacted> wpa2-pre-shared-key=<redacted>
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto mode=ap-bridge security-profile=non-guest ssid=non-guest
add disabled=no mac-address=C4:AD:34:DD:E8:69 master-interface=wlan1 name=wlan2 security-profile=guest-profile ssid=guest
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=8
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=24
add bridge=bridge1 interface=ether2 pvid=32
add bridge=bridge1 interface=ether3 pvid=16
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=wlan1 vlan-ids=8
add bridge=bridge1 tagged=ether1 untagged=wlan2 vlan-ids=24
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=32
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=16
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=48
/interface list member
add interface=mgmt-vlan list=BASE
/interface wireless access-list
add interface=wlan1 mac-address=04:D6:AA:AE:A8:94 vlan-mode=no-tag
add interface=wlan1 mac-address=50:76:AF:B4:2A:5D vlan-mode=no-tag
/ip address
add address=192.168.48.6/24 interface=mgmt-vlan network=192.168.48.0
/ip dns
set servers=192.168.40.32
/ip route
add distance=1 gateway=192.168.48.1
/system clock
set time-zone-name=Europe/London
/system identity
set name="Office-AP"
/system ntp client
set enabled=yes primary-ntp=192.168.1.1
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Now I know I can connect via wireless in the default setup, I'll give it another go. My central RB3011UiAS is my DHCP server for the above and works fine; I just need to get it working with the new box.

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 2:18 pm
by anav
So do you want to run the new device as a router or as an accesspoint/switch?

In either case to avoid vlan filtering hiccups, and to config from a safe spot, recommend you take ether5 off the bridge.

/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5

/ip address
add address=192.168.65.1/29 interface=OffBridge5 network=192.168.65.0

/interface list member
add interface=OffBridge5 list=LAN


Now plug in your laptop into ether5, change ipv4 settings to 192.168.65.2 and you should be in!!!

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 2:26 pm
by FarmerGiles

In either case to avoid vlan filtering hiccups, and to config from a safe spot, recommend you take ether5 off the bridge.

/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5

/ip address
add address=192.168.65.1/29 interface=OffBridge5 network=192.168.65.0

/interface list member
add interface=OffBridge5 list=LAN


Now plug in your laptop into ether5, change ipv4 settings to 192.168.65.2 and you should be in!!!
that's a good idea, I'll do that :D
So do you want to run the new device as a router or as an accesspoint/switch?
Access point/switch. All routing is done on my central router. I intend to use the hAP ax2 for both wired and wireless clients, as per the hAP lite config.

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 2:26 pm
by gigabyte091
So 3011 is the router so can you post that config here ? As @anav said, take one port off bridge for mgmt purposes.

Did you try to connect wired clients to other ports ?

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 2:47 pm
by FarmerGiles
Here's the config of the central internal router. This isn't my broadband router, not that it should matter; that is a different make etc.

I use Zyxel GS1900-24 switches with trunk interfaces to both the MikroTik 3011 and the APs; they work fine, are cheap and are passively cooled, so not noisy in the office. I haven't implemented different rules for the different VLANs yet, that's on my todo list, but effectively stuff like my IoT will be on a separate VLAN with very little access to other VLANs. I should be retired soon so will have time to tinker more.
[admin@office-router] > export 
# nov/30/2024 12:29:23 by RouterOS 6.47
# software id = 8SID-37DU
#
# model = RB3011UiAS
# serial number = B8970BB2D102
/interface bridge
add admin-mac=C4:AD:34:F2:D1:07 auto-mac=no comment=defconf name=bridge
add mtu=1504 name=external-bridge
add mtu=1504 name=internal-bridge
/interface vlan
add interface=internal-bridge name=common vlan-id=40
add interface=external-bridge name=guest-WLAN vlan-id=24
add interface=internal-bridge name=internal-WLAN vlan-id=8
add interface=internal-bridge name=internal-wired vlan-id=16
add interface=internal-bridge name=mgmt vlan-id=48
add interface=external-bridge name=wired-IoT vlan-id=32
/interface bonding
add mode=802.3ad name=external-bond slaves=ether6,ether7 transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=internal-bond slaves=ether2,ether3 transmit-hash-policy=layer-2-and-3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=internal-WAN-pool ranges=192.168.8.16-192.168.8.253
add name=internal-wired-pool ranges=192.168.16.128-192.168.16.253
add comment="for IoT and other external facing server" name=external-wired-pool ranges=192.168.32.128-192.168.32.253
add comment="guest WLAN pool" name=external-WLAN-pool ranges=192.168.24.64-192.168.24.253
add name=management-pool ranges=192.168.48.32-192.168.48.254
add name=common-pool ranges=192.168.40.32-192.168.40.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=internal-WAN-pool disabled=no interface=internal-WLAN lease-time=1h name=internal-WLAN
add address-pool=internal-wired-pool disabled=no interface=internal-wired lease-time=23h name=internal-wired
add address-pool=external-wired-pool disabled=no interface=wired-IoT lease-time=23h name=external-wired
add address-pool=external-WLAN-pool disabled=no interface=guest-WLAN lease-time=1h name="guest WLAN"
add address-pool=common-pool disabled=no interface=common name=common
add address-pool=management-pool disabled=no interface=mgmt lease-time=23h50m name=mgmt
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=ether8
add bridge=internal-bridge interface=internal-bond
add bridge=external-bridge interface=external-bond
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=internal-bridge tagged=internal-bond vlan-ids=8,16,40,48
add bridge=external-bridge tagged=external-bond vlan-ids=24,32
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=internal-LAN interface=internal-wired list=LAN
add interface=mgmt list=LAN
/ip address
add address=192.168.88.3/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.88.3/24 interface=ether5 network=192.168.88.0
add address=192.168.8.1/24 interface=internal-WLAN network=192.168.8.0
add address=192.168.16.1/24 interface=internal-wired network=192.168.16.0
add address=192.168.24.1/24 interface=guest-WLAN network=192.168.24.0
add address=192.168.32.1/24 interface=wired-IoT network=192.168.32.0
add address=192.168.40.1/24 interface=common network=192.168.40.0
add address=192.168.48.1/24 interface=mgmt network=192.168.48.0
/ip arp
add address=192.168.88.254 interface=bridge published=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.16.16 mac-address=00:08:9B:F7:F4:B3 server=internal-wired
add address=192.168.16.17 mac-address=D4:85:64:6A:73:CE server=internal-wired
add address=192.168.16.18 mac-address=BC:CF:4F:4B:5A:26 server=internal-wired
add address=192.168.16.19 mac-address=BC:99:11:BE:45:E4 server=internal-wired
add address=192.168.16.22 mac-address=B8:27:EB:47:5A:40 server=internal-wired
add address=192.168.16.23 mac-address=B8:27:EB:34:98:24 server=internal-wired
add address=192.168.16.24 mac-address=B8:27:EB:42:EC:B0 server=internal-wired
add address=192.168.16.25 mac-address=B8:27:EB:7A:44:E3 server=internal-wired
add address=192.168.16.26 mac-address=E8:EA:DA:00:38:E7 server=internal-wired
add address=192.168.16.27 mac-address=E8:EA:DA:00:0B:0E server=internal-wired
add address=192.168.16.28 mac-address=E8:EA:DA:00:0B:0D server=internal-wired
add address=192.168.32.16 mac-address=00:13:95:0E:D2:A6 server=external-wired
add address=192.168.40.32 mac-address=DC:A6:32:2E:46:95 server=common
add address=192.168.48.32 mac-address=C4:AD:34:A6:43:67 server=mgmt
add address=192.168.32.17 mac-address=00:12:17:DD:01:54 server=external-wired
add address=192.168.32.18 mac-address=98:DF:82:AD:CF:2F server=external-wired
add address=192.168.24.65 mac-address=B8:27:EB:83:9F:DD server="guest WLAN"
add address=192.168.16.133 client-id=1:0:15:99:21:9d:9a mac-address=00:15:99:21:9D:9A server=internal-wired
add address=192.168.16.131 client-id=1:dc:a6:32:76:8c:a1 mac-address=DC:A6:32:76:8C:A1 server=internal-wired
add address=192.168.16.169 mac-address=00:1E:8F:6C:D1:5D server=internal-wired
add address=192.168.48.33 mac-address=DC:A6:32:D6:7E:D2 server=mgmt
add address=192.168.16.40 mac-address=B8:27:EB:9F:AB:C1 server=internal-wired
add address=192.168.16.41 mac-address=B8:27:EB:97:98:FF server=internal-wired
add address=192.168.24.24 mac-address=DC:A6:32:02:EF:D0 server="guest WLAN"
add address=192.168.16.30 mac-address=B8:27:EB:05:53:3D server=internal-wired
add address=192.168.16.42 mac-address=E4:5F:01:72:1F:00 server=internal-wired
add address=192.168.48.10 mac-address=2C:C8:1B:FC:FA:5D server=mgmt
add address=192.168.16.43 mac-address=34:9F:7B:EB:B7:CF server=internal-wired
add address=192.168.16.29 mac-address=DC:A6:32:74:BF:84 server=internal-wired
add address=192.168.48.11 mac-address=DC:2C:6E:6A:2D:6D server=mgmt
add address=192.168.16.31 mac-address=D8:EC:E5:D3:75:8C server=internal-wired
add address=192.168.16.49 mac-address=E8:EA:DA:00:5F:9F server=internal-wired
add address=192.168.16.138 client-id=1:1c:69:7a:7:65:13 mac-address=1C:69:7A:07:65:13 server=internal-wired
add address=192.168.16.129 client-id=1:98:df:82:7:fe:8e mac-address=98:DF:82:07:FE:8E server=internal-wired
add address=192.168.16.20 mac-address=BC:CF:4F:CF:F4:34 server=internal-wired
/ip dhcp-server network
add address=192.168.8.0/24 dns-server=192.168.48.33 gateway=192.168.8.1 netmask=24 ntp-server=80.86.38.193
add address=192.168.16.0/24 dns-server=192.168.48.33 gateway=192.168.16.1 netmask=24 ntp-server=80.86.38.193
add address=192.168.24.0/24 dns-server=212.23.3.100,212.23.6.100 gateway=192.168.24.1 netmask=24 ntp-server=80.86.38.193
add address=192.168.32.0/24 dns-server=192.168.48.33 gateway=192.168.32.1 netmask=24 ntp-server=80.86.38.193
add address=192.168.40.0/24 dns-server=212.23.3.100,212.23.6.100 gateway=192.168.40.1 netmask=24 ntp-server=80.86.38.193
add address=192.168.48.0/24 dns-server=192.168.48.33 gateway=192.168.48.1 netmask=24 ntp-server=80.86.38.193
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward disabled=yes dst-address=192.168.1.10 dst-port=5900 protocol=udp src-address=0.0.0.0
add action=accept chain=input dst-address=0.0.0.0 dst-port=161 protocol=udp src-address=0.0.0.0
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.1.10 dst-port=5900 in-interface=ether1 protocol=tcp src-address=0.0.0.0 to-addresses=192.168.32.16 to-ports=5900
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.1.10 dst-port=5900 in-interface=ether1 protocol=udp src-address=0.0.0.0 to-addresses=192.168.32.16 to-ports=5900
/snmp
set contact="redacted" enabled=yes location="barn office" trap-target=192.168.48.33
/system clock
set time-zone-name=Europe/London
/system identity
set name=office-router
/system ntp client
set enabled=yes primary-ntp=192.168.1.1
/tool graphing interface
add interface=ether1
add interface=internal-bond
add interface=external-bond
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=guest-WLAN filter-ip-protocol=0 filter-mac-address=00:00:00:00:00:00/00:00:00:00:00:00 filter-port=ircu
[admin@office-router] > 

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 2:49 pm
by FarmerGiles

Did you try to connect wired clients to other ports ?
Not yet, I'm going to reinstall the original config before I was wrestling with the wifi and take a look. I'll let you know how it goes :D

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 3:09 pm
by gigabyte091
Is there any reason you have 3 bridges ? I think that could be the source of your problems.

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 3:23 pm
by FarmerGiles
Is there any reason you have 3 bridges ? I think that could be the source of your problems.
It is a long time since I configured the central router, and I did plagiarise quite a few configs from the forum, but I believe the general idea is so that you can control access between bridges. I'm sure there is probably a better way, there always is with networking. My background is Juniper/Cisco/Arista/FTOS (now Dell) with a bit of Cumulus/SONiC, but I am mainly a manager now so very rusty. I don't touch wifi in my day job. I am warming to the MikroTik CLI but I do find it hard going at times!
It is a long time since I configured the central router, and I did plagiarise quite a few configs from the forum, but I believe the general idea is so that you can control access between bridges. I'm sure there is probably a better way, there always is with networking. My background is Juniper/Cisco/Arista/FTOS(now Dell) with a bit of Cumulus/Sonic but I am mainly a manage now so very rusty. I don't touch wifi in my day job. I am warming to the Mikrotik CLI but I do find it hard going at times!

However, if the 3 bridges on the RB3011 are the problem with the hAP ax2, why do all the hAP lite APs work with the same VLAN setup? I plugged the ax2 into the same port as a hAP lite and the wireless didn't work, but I didn't test the wired, so I think that is my next step.

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 4:09 pm
by anav
Listen to the experts who understand the config process and how the parts interrelate (vice copying and pasting).

On each device use the off bridge process to conduct the vlan filtering configurations, saves one much grief.
Update each device to 7.16.2, if you do it manually you need to go to 7.12.1 first then 7.16.2

Then ensure the requirements are clearly stated for us to understand
a. identify all users/device, (internal, external, admin)
b. identify all the traffic required including vpns, port forwarding etc.
c. identify the management or trusted vlan.
d. a network diagram always helps.
Then the main router 3011? can be configured followed by the rest of the devices.

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 6:25 pm
by FarmerGiles
I reloaded the config line by line, adding the tip about a non-bridge interface and now it works :D

I had a warm feeling as soon as I applied vlan-filtering to the bridge and I still had management connectivity.

One thing I did notice is that when I applied ingress filtering to the bridge port, it didn't show up in the config, only if you print detail.

I must have made some small error, I will try and do a diff later but the config tends to move around a bit so maybe not that easy.

Here's the working config. I've got a few tweaks to do to NTP etc., however I'm pleased it's working on the wifi side; I will check the wired side later, work is getting in the way :lol:
# 2024-12-09 16:14:34 by RouterOS 7.14.3
# software id = GVPW-XG05
#
# model = C52iG-5HaxD2HaxD
# serial number = HGN09KRM1JH
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=non-guest disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=guest disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface vlan
add interface=bridge1 name=mgmt-vlan vlan-id=48
/interface list
add name=BASE
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=24
add bridge=bridge1 interface=ether3 pvid=16
add bridge=bridge1 interface=ether2 pvid=16
add bridge=bridge1 interface=ether4 pvid=16
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=8
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=48
add bridge=bridge1 tagged=ether1 untagged=wifi1 vlan-ids=8
add bridge=bridge1 tagged=ether1 untagged=wifi2 vlan-ids=24
/interface list member
add interface=mgmt-vlan list=BASE
/ip address
add address=192.168.48.9/24 interface=mgmt-vlan network=192.168.48.0
add address=192.168.65.1/29 interface=OffBridge5 network=192.168.65.0
/ip dns
set servers=192.168.48.33
/ip route
add distance=1 gateway=192.168.48.1
/system clock
set time-zone-name=Europe/London
/system identity
set name=Barn-AP
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
In terms of upgrading the other components and finishing off the filters between VLANs, I definitely want to do that still. I bought a spare second hand RB3011 so will use that, my kids will hate me if I screw up the house network for days. I have a network diagram and will start a new thread soon. Thanks for your help.

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 6:56 pm
by gigabyte091
Why one bridge instead of multiple ? Well how I understand it, and I'm not a network professional by any means, is that bridge is simply a network switch done in software and in ROS on most of the devices that is offloaded to the switch chip so with one bridge you have HW offload.

But with multiple bridges you are losing HW offload capability and you rely on the CPU to do the dirty work, and this is where you lose performance because your CPU has to handle all the data.

Also with multiple bridges you are creating multiple separate L2 domains(basically creating more and more switches) and then you use VLAN to create more networks. You can use one bridge and create vlans you need, they are isolated on L2 and with firewall rules you can isolate them on L3.

If I wrote something wrong someone will correct me.

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 7:12 pm
by holvoetn
Why one bridge instead of one ?

...

If I wrote something wrong someone will correct me.
First line is not correct :lol:

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 7:19 pm
by anav
Why two bridges instead of one ?

...

If I wrote something wrong someone will correct me.
First line is not correct :lol:
Looks good to me! ;-PP

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 7:28 pm
by FarmerGiles
Why one bridge instead of one ? Well how I understand it, and I'm not a network professional by any means, is that bridge is simply a network switch done in software and in ROS on most of the devices that is offloaded to the switch chip so with one bridge you have HW offload.

But with multiple bridges you are losing HW offload capability and you rely on the CPU to do the dirty work, and this is where you lose performance because your CPU has to handle all the data.

Also with multiple bridges you are creating multiple separate L2 domains (basically creating more and more switches) and then you use VLAN to create more networks. You can use one bridge and create the vlans you need, they are isolated on L2 and with firewall rules you can isolate them on L3.

If I wrote something wrong someone will correct me.
I don't disagree with any of your statements in theory, however CPU on the RB3011 is averaging about 2%, but that may be because we don't have a lot of traffic. Also the RB3011 has two switches.


Work/life/kids/dogs/retirement has got in the way since I first deployed the RB3011 and the various APs, so I have forgotten some of the rationale behind the design, but it was loosely based on a design from this forum. I used to have the typical home network with one big internal subnet. The plan was to split that out into several discrete networks so guest and IoT, i.e. untrusted networks, can be separated from trusted networks with filtering, but I haven't quite finished that yet. Retirement is looming so I will have more time.

Here's a high level diagram
high-level2.jpg
And a little more detail
high-level.jpg
Note there is no redundancy, one failure and it all falls in a heap, so the intention is add redundant components at some stage, hence why I bought a second hand RB3011 recently.

Rather than discuss this in a wifi thread, I'll post in a more suitable thread soon :)

Cheers
Andy

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 8:44 pm
by FarmerGiles
I finished off the AP config and tested the wired ports, all good now. Now I know they work I'll buy a couple more, as I had a couple of hAP lites die a while ago. One of them was in an outbuilding and ants had set up home in it, probably nice and warm in winter :D Not sure what happened to the other one, but that was in my wife's workshop so anything could have happened to it......
# 2024-12-09 18:39:18 by RouterOS 7.14.3
# software id = GVPW-XG05
#
# model = C52iG-5HaxD2HaxD
# serial number = HGN09KRM1JH
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=non-guest disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=guest disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface vlan
add interface=bridge1 name=mgmt-vlan vlan-id=48
/interface list
add name=BASE
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=24
add bridge=bridge1 interface=ether2 pvid=16
add bridge=bridge1 interface=ether4 pvid=16
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=8
add bridge=bridge1 interface=ether3 pvid=16
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=48
add bridge=bridge1 tagged=ether1 untagged=wifi1 vlan-ids=8
add bridge=bridge1 tagged=ether1 untagged=wifi2 vlan-ids=24
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3,ether4 vlan-ids=16
/interface list member
add interface=mgmt-vlan list=BASE
/ip address
add address=192.168.48.9/24 interface=mgmt-vlan network=192.168.48.0
add address=192.168.65.1/29 interface=OffBridge5 network=192.168.65.0
/ip dns
set servers=192.168.48.33
/ip route
add distance=1 gateway=192.168.48.1
/system clock
set time-zone-name=Europe/London
/system identity
set name=Barn-AP
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=uk.pool.ntp.org
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Re: Struggling with HAP AX2 wifi config

Posted: Mon Dec 09, 2024 9:44 pm
by anav
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=16
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=16
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=16
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=8
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=24


/tool mac-server
set allowed-interface-list=none
{ it's not secure, we don't use it. }
/tool mac-server mac-winbox
set allowed-interface-list=BASE


/interface list member
add interface=mgmt-vlan list=BASE
add interface=OffBridge5 list=BASE
{ otherwise cannot access the router for backup config etc.}

/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.48.1
{ to ensure all smart devices get the same timing from the main router and its NTP service,which probably hooks into uk pool etc. }


Note: ensure that on main router services on input chain are allowed for LAN users include dst-port=53,123 protocol=udp
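Two things went wrong in this thread before the AP worked: enabling vlan-filtering cut off management once, and the 4:14 pm export had ether2-4 on pvid=16 with no vlan-ids=16 entry, which only got added in the 6:39 pm export. The hardened port list in the reply above closes the remaining gap (explicit frame-types and ingress-filtering on every port). The script below is an added example, not code from the thread or from MikroTik: it parses the `/interface bridge port` and `/interface bridge vlan` sections of an `/export` and reports those three classes of mistake before vlan-filtering is switched on. It assumes single-line `add` entries, RouterOS 7 defaults for absent keys (pvid=1, and ingress-filtering=yes, which is why the 6:25 pm post saw it vanish from the export), and that a pvid with no static vlan entry naming a tagged port leaves that port's traffic with no trunk to leave on. The sample inputs are transcribed from the exports posted above.

```python
"""Consistency checks for the bridge VLAN part of a RouterOS 7 export.

Added example, not code from the thread: it parses the bridge port and bridge
vlan sections of an `/export` and reports what breaks once vlan-filtering=yes.
Assumes single-line `add` entries and RouterOS 7 defaults for absent keys
(pvid=1, ingress-filtering=yes)."""
import re


def _parse_args(line):
    """'bridge=bridge1 comment="a b" pvid=16' -> {'bridge': 'bridge1', ...}"""
    args = {}
    for m in re.finditer(r'([\w.-]+)=(?:"([^"]*)"|(\S+))', line):
        args[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return args


def _expand_ids(spec):
    """'8,16,40-42' -> [8, 16, 40, 41, 42]"""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_export(text):
    """Return (ports, vlans): one arg dict per 'add' line in the two bridge sections."""
    sections = {"/interface bridge port": [], "/interface bridge vlan": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = sections.get(line)  # None for every other section
        elif line.startswith("add ") and current is not None:
            current.append(_parse_args(line[4:]))
    return sections["/interface bridge port"], sections["/interface bridge vlan"]


def check_bridge_vlans(text, mgmt_vlan=None):
    """Return 'error: ...' / 'warn: ...' strings; an empty list means clean."""
    ports, vlans = parse_export(text)
    findings = []
    port_names = {p["interface"] for p in ports}
    bridges = {p["bridge"] for p in ports}
    members = {}  # vid -> {"tagged": set of names, "untagged": set of names}
    for v in vlans:
        for vid in _expand_ids(v["vlan-ids"]):
            entry = members.setdefault(vid, {"tagged": set(), "untagged": set()})
            for role in ("tagged", "untagged"):
                entry[role].update(x for x in v.get(role, "").split(",") if x)

    # 1. Members must be bridge ports or the bridge itself (catches a stale
    #    'wlan1' copied from an older config after the radios became 'wifi1').
    for vid, entry in members.items():
        for role in ("tagged", "untagged"):
            for name in sorted(entry[role] - port_names - bridges):
                findings.append(f"error: vlan {vid}: {role} member '{name}' is not a bridge port")

    # 2. An access port's pvid needs a static entry that lists it untagged and
    #    sends the VLAN out on at least one tagged (trunk) port.
    for p in ports:
        name, pvid = p["interface"], int(p.get("pvid", "1"))
        if p.get("frame-types") == "admit-only-vlan-tagged":
            continue  # untagged frames are dropped here, so pvid is irrelevant
        entry = members.get(pvid)
        if entry is None or name not in entry["untagged"]:
            findings.append(f"error: {name}: pvid {pvid} has no static vlan entry listing it untagged")
        elif not entry["tagged"]:
            findings.append(f"error: {name}: vlan {pvid} has no tagged port, traffic stays local")

    # 3. The bridge interface itself must be in the management VLAN, or the
    #    /interface vlan riding on it goes dark the moment filtering is enabled.
    if mgmt_vlan is not None:
        entry = members.get(mgmt_vlan, {"tagged": set(), "untagged": set()})
        if not bridges & (entry["tagged"] | entry["untagged"]):
            findings.append(f"error: vlan {mgmt_vlan}: bridge is not a member, management is lost with vlan-filtering=yes")

    # 4. Hardening: admit only the frame kinds a port should carry and keep
    #    ingress filtering on, so a client cannot reach another VLAN by tagging.
    for p in ports:
        name = p["interface"]
        if "frame-types" not in p:
            findings.append(f"warn: {name}: frame-types unset, port admits both tagged and untagged frames")
        if p.get("ingress-filtering", "yes") == "no":
            findings.append(f"warn: {name}: ingress-filtering=no, frames for VLANs it is not in are accepted")
    return findings


# Constructed input: the port and vlan tables of the first 7.14.3 export above,
# where ether2-4 got pvid=16 but no vlan 16 entry had been created yet.
INTERIM = """\
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=24
add bridge=bridge1 interface=ether3 pvid=16
add bridge=bridge1 interface=ether2 pvid=16
add bridge=bridge1 interface=ether4 pvid=16
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=8
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=48
add bridge=bridge1 tagged=ether1 untagged=wifi1 vlan-ids=8
add bridge=bridge1 tagged=ether1 untagged=wifi2 vlan-ids=24
"""
# The same bridge with the final export's vlan 16 entry and the hardened
# ether2-4 lines from the reply above (ingress-filtering=yes, explicit frame-types).
HARDENED = INTERIM.replace(
    "add bridge=bridge1 interface=ether",
    "add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether",
) + "add bridge=bridge1 tagged=ether1 untagged=ether2,ether3,ether4 vlan-ids=16\n"

if __name__ == "__main__":
    for label, cfg in (("interim", INTERIM), ("hardened", HARDENED)):
        print(label, check_bridge_vlans(cfg, mgmt_vlan=48) or ["clean"])
```

Run against the interim export it reports three errors (ether2, ether3 and ether4 on pvid 16 with no vlan 16 entry) and three warnings (no frame-types on those ports); the hardened version comes back clean. Running it on a saved `/export` before typing `/interface bridge set bridge1 vlan-filtering=yes` is cheaper than reconnecting over the off-bridge port, and the management check is the one that saves the trip.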

Re: Struggling with HAP AX2 wifi config

Posted: Tue Dec 10, 2024 12:07 pm
by gigabyte091


First line is not correct :lol:
Looks good to me! ;-PP
I corrected the mistake, it's hard to write on the phone :lol: