Mikrotik "cap ac" as AP - need some advice

Hi,
I have just flashed my Mikrotik "cap ac" with OpenWRT 22.03 and need some advice on how to configure it.

What I want to achieve:
My primary router will act as router and firewall; it does not have any wifi support, just a LAN1 output cable in my home (also running wrt).
My "cap ac" will be an AP, having a private-wifi and an additional guest-wifi. LAN-output cabling on the same subnet as LAN1 (it only has two ports).
Basically like this setup but with an additional guest-wifi.

Should I just bridge input and output and add a guest-zone with a DHCP-server? But then it will need the primary gateway; how do I then isolate the guest-zone from the primary router?

Any ideas much appreciated!
/T

Follow this guide:


Thanks pavelgl!

So my first try was to follow that guide, but I had connection problems with the guest-wifi.
Maybe you were just referring to the isolation part of the guide and I should have gone: guest -> wan instead? Let me know.

But this should work I guess.
Anyhow, here is my config for my first attempt as mentioned above:

# dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# Discard upstream answers that point at private ranges (DNS-rebinding defence)
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# Answer DNS only for directly attached subnets (lan and guest), not for arbitrary sources
	option localservice '1'
	option ednspacket_max '1232'

# First attempt: the AP hands out leases on its own lan subnet (192.168.2.0/24 in the
# network section below), i.e. it behaves as a second router behind the main one,
# not as a plain AP on the main LAN.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# No DHCP service on the upstream-facing wan interface
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Guest clients get IPv4 leases from the AP itself (192.168.11.0/24 below);
# no dhcpv6/ra options are set for this interface.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'


# firewall

# Zone-less traffic: accept input/output, reject forwarding unless a zone or
# forwarding section below allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted side. masq here NATs everything that leaves through lan interfaces,
# so traffic forwarded from guest into lan appears to come from the AP itself.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

# Upstream side of the first attempt (eth0.2, DHCP from the main router): stock
# OpenWrt defaults, nothing from wan reaches the AP except the rules below.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'

# Only lan is forwarded to wan; there is no guest -> wan forwarding in this attempt.
config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest clients may not talk to the AP itself (input REJECT) except for the
# explicit DHCP/DNS allow below, and nothing is forwarded by default.
config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option input 'REJECT'

# No 'dest' option, so this is an input rule: guest clients may reach the AP's
# own DNS (53) and DHCP (67/68) service over tcp and udp.
config rule
	option src 'guest'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option name 'Guest DHCP and DNS'
	option dest_port '53 67 68'

# Drops every forwarded packet from guest to the whole lan zone.
config rule
	option name 'Guest - Block'
	option src 'guest'
	option dest 'lan'
	option target 'DROP'

# NOTE(review): with the rule above dropping all guest -> lan traffic and no
# guest -> wan forwarding section, guest clients have no path out of the AP at
# all in this attempt; that is consistent with the "connection problem with
# guest-wifi" reported above.
config forwarding
	option src 'guest'
	option dest 'lan'


# network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3e:c6d6:55da::/48'

# br-lan carries only VLAN 1 (switch port 4 plus the tagged CPU port, see switch_vlan below)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr '08:55:31:ac:8b:fd'

# First attempt: the AP has its own subnet (192.168.2.0/24), separate from the main LAN
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config device
	option name 'eth0.2'
	option macaddr '08:55:31:ac:8b:fc'

# VLAN 2 (switch port 5) is used as an upstream wan port, getting its address
# from the main router -- i.e. the AP routes and NATs instead of just bridging.
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

# No 'device' option: the only thing attached to this interface is the wifi-iface
# with network 'guest' in the wireless section, so guest traffic never touches a switch port.
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'

# wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option band '2g'
	option htmode 'HT40'
	option channel '5'
	option cell_density '0'
	option country 'SE'

# Private SSID on 2.4 GHz, bridged into lan with WPA2-PSK
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'openwrt'
	option encryption 'psk2'
	# NOTE(review): presumably a placeholder for the post -- confirm the real PSK is not this value
	option key 'passwd'

# 5 GHz radio is disabled, so the open SSID below is currently not broadcast
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

# NOTE(review): stock unencrypted default SSID attached to the trusted lan network.
# It is inert only while radio1 stays disabled; set an encryption (or remove this
# section) before ever enabling radio1, otherwise anyone in range joins lan.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

# Guest SSID on 2.4 GHz, attached to the separate guest interface/zone.
# NOTE(review): no 'isolate' option, so guest clients can still reach each other
# over the air; 'option isolate '1'' confines them to talking to the AP only.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest'
	option network 'guest'
	option encryption 'psk2'
	option key 'passwd'



Please have a look, much appreciated!

If I understand correctly, the "cap ac" is connected to the main router via the lan interface and its wan interface is not used.
Looking at the IP configuration of the lan interface, I think I may be wrong.
Please clarify this first.


Correct, the idea (if possible) is not to use the WAN interface (only using the port). However, in the first attempt I just copied the tutorial where the WAN was used.

To clarify, I have not tried guest-wifi without WAN yet. Not sure how to do this either...

Thanks!

You need to delete the device eth0.2, the wan interfaces and vlan 2.
Then add the second port to the default vlan 1.

# Remove the wan side: the third 'device' section (index 2, counting from 0) is
# eth0.2 in the posted config, then the wan/wan6 interfaces, then the second
# 'switch_vlan' section (vlan 2, switch port 5).
uci delete network.@device[2]
uci delete network.wan
uci delete network.wan6
uci delete network.@switch_vlan[1]
# Put both switch ports (4 and 5) into vlan 1 together with the tagged CPU port,
# so the second port becomes a plain lan port bridged with the first.
uci set network.@switch_vlan[0].ports='4 5 0t'

Assuming the LAN IP address of the main router is 192.168.1.1 and 192.168.1.2 is free, change the IP configuration of the lan interface of the AP as follows:

# Give the AP a static address on the main router's subnet and point its default
# route and resolver at the main router (adjust 192.168.1.x to your actual LAN).
uci set network.lan.ipaddr='192.168.1.2'
uci set network.lan.netmask='255.255.255.0'
uci set network.lan.gateway='192.168.1.1'
uci set network.lan.dns='192.168.1.1'

Run uci show network and verify that the configuration looks like this:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3e:c6d6:55da::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config device
        option name 'eth0.1'
        option macaddr '08:55:31:ac:8b:fd'

# The AP now lives on the main LAN: static address on 192.168.1.0/24, default
# route and DNS via the main router at 192.168.1.1.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# Both switch ports are untagged members of vlan 1 (no wan vlan any more)
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 5 0t'

# Guest stays a separate routed subnet on the AP; only the guest SSID attaches to it
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'

Disable the DHCP service for the lan interface:

# The main router already serves DHCP on 192.168.1.0/24; a second server on the
# same segment would hand out conflicting leases.
uci set dhcp.lan.ignore='1'

Rewrite this rule using the dest_ip option (the private IP subnet of the main router):

# Locate the existing 'Guest - Block' rule by name in 'uci show' output and strip
# the line down to its section reference, e.g. (constructed example)
# firewall.@rule[9].name='Guest - Block'  ->  rule[9]
# NOTE(review): if the name does not match exactly, rulenum is empty and the
# delete below is run against 'firewall.@' and fails; check the rule name first.
rulenum=$(uci show firewall | grep 'Guest - Block' | sed 's/.*\@//;s/\.name.*//')
uci delete firewall.@"$rulenum"
# Re-create the rule as a forward rule (dest='lan') that only rejects guest
# traffic addressed to the main LAN subnet, so guest clients can still be
# forwarded through the lan zone to the main router and on to the internet.
# REJECT instead of DROP so guest clients get an immediate error rather than a timeout.
uci add firewall rule
uci set firewall.@rule[-1]=rule
uci set firewall.@rule[-1].src='guest'
uci set firewall.@rule[-1].name='Guest - Block'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].dest_ip='192.168.1.0/24'
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].proto='all'

Restart the affected services without committing the changes:

# Apply the uncommitted uci changes at runtime only; a power cycle reverts to the
# last committed config if the new addressing locks you out.
/etc/init.d/network restart; /etc/init.d/dnsmasq restart; /etc/init.d/firewall restart

You will lose access to the device.

Update your computer's IP configuration and try to connect to the new device's IP address.

If everything is fine, commit the changes (uci commit changes).
If you can't access the device, turn the power off/on and the previous settings will be restored.


I think we are getting there :slight_smile:

I had some problems with uci commit changes and had to do
uci commit
reload_config

I also struggled with the guest DNS and masquerade settings, I hope I've got it right(?).
Please have a look at the config below.

# dhcp

# DHCP on lan is disabled (ignore '1'): the main router is the only DHCP server
# on 192.168.1.0/24. The remaining dhcpv4/dhcpv6/ra lines are left over from the
# first attempt -- verify no router advertisements are still sent on lan if IPv6 matters.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

# Left over: the 'wan' interface no longer exists in the network config, so this section is inert
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# The AP remains the DHCP server for the guest subnet
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'


# firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# masq on lan: guest traffic forwarded towards the main router is NATed to the
# AP's lan address, so the main router needs no route back to 192.168.11.0/24.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'ACCEPT'

# Forward rule: rejects guest -> main LAN subnet; everything else forwarded
# guest -> lan (i.e. the internet via the main router) is still allowed below.
# Rules are evaluated in order, so this one wins over the DNS/DHCP rule after it.
config rule
	option src 'guest'
	option name 'Guest - Block'
	option target 'REJECT'
	option dest 'lan'
	list proto 'all'
	list dest_ip '192.168.1.0/24'

# NOTE(review): this is a forward rule towards the main router (dest 'lan',
# dest_ip 192.168.1.1), but 192.168.1.1 is inside the range the rule above
# already rejects, so it never matches. It also does not cover the DNS/DHCP
# service the AP itself provides to guests, which needs an input rule (no 'dest').
config rule
	option name 'Guest - DNS and DHCP'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.1'

# NOTE(review): input ACCEPT means every service running on the AP (management
# included) is reachable from guest clients; REJECT here plus an explicit
# udp 53/67 allow is the usual shape for a guest zone.
config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

# Hosts on the main LAN may initiate connections to guest clients
config forwarding
	option src 'lan'
	option dest 'guest'


# network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde6:9918:2577::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr '08:55:31:ac:8b:fd'

# AP address on the main LAN; default route via the main router. No dns option
# here yet, so the AP's own resolver has no upstream on this interface.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 5 0t'

# NOTE(review): 192.168.1.1 is not on-link from 192.168.11.0/24, so a gateway on
# this interface is meaningless (the default route already lives on lan). The
# upstream resolvers below are reachable via lan, not via this interface, and
# belong there instead.
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

Edit the traffic rule to look like the one below and set the default input policy for the guest zone to REJECT or DROP.

# Input rule (no 'dest'): lets guest clients reach the AP's own DNS (udp/53) and
# DHCP server (udp/67). Client-side port 68 and tcp are not needed for this
# direction, so they are dropped from the earlier version of the rule.
config rule
	option name 'Guest - DNS and DHCP'
	option dest_port '53 67'
	option target 'ACCEPT'
	option src 'guest'
	list proto 'udp'

The gateway option here is wrong, so remove it.
Move the DNS servers to the lan interface where they are directly reachable from.

The rest looks correct.


Thanks pavelgl!
It works fine now, I hope I've got it now :sweat_smile:
See below:

# dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# Discard upstream answers that point at private ranges (DNS-rebinding defence)
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# Answer DNS only for directly attached subnets (lan and guest); the guest
	# subnet is attached, so guest clients can use the AP as resolver.
	option localservice '1'
	option ednspacket_max '1232'

# DHCP on lan is disabled: the main router is the only DHCP server on
# 192.168.1.0/24. The dhcpv4/dhcpv6/ra lines are leftovers from the first
# attempt -- verify no router advertisements are still sent on lan if IPv6 matters.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

# Left over: no 'wan' interface exists in the network config any more, so this section is inert
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# The AP is the DHCP server for guests (192.168.11.0/24); clients are handed the
# AP as gateway and resolver, so guest DNS goes through the AP's dnsmasq.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'


# firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted zone. input ACCEPT: any host on the main LAN may reach the AP's
# management services -- fine for a trusted LAN. masq NATs guest traffic that
# leaves through br-lan to 192.168.1.2, so the main router needs no route to
# 192.168.11.0/24 and only ever sees the AP as the source.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

# Forward rule, evaluated before the guest -> lan forwarding below: guest clients
# may not reach anything on the main LAN subnet (including the main router's
# own services), but are still forwarded to the internet through it.
# dest_ip is IPv4, so this rule is IPv4-only; guest has no ip6assign in the
# network config, so guests should have no routed IPv6 anyway -- verify.
# NOTE(review): only 192.168.1.0/24 is covered; any other subnet the main router
# routes to (other LANs, VPN ranges, if any) stays reachable from guests.
config rule
	option src 'guest'
	option name 'Guest - Block'
	option target 'REJECT'
	option dest 'lan'
	list proto 'all'
	list dest_ip '192.168.1.0/24'

# Input rule (no 'dest'): the only services on the AP guest clients may use are
# its own DNS (udp/53) and DHCP (udp/67); everything else hits the zone's input REJECT.
config rule
	option name 'Guest - DNS and DHCP'
        option dest_port '53 67'
	option target 'ACCEPT'
	option src 'guest'
	list proto 'udp'

# Guest zone: AP management is unreachable from guests (input REJECT), and
# forwarding is only what the forwarding sections below allow.
config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option input 'REJECT'

# guest -> lan: needed for internet access via the main router; the
# 'Guest - Block' rule above carves the main LAN subnet out of it.
config forwarding
	option src 'guest'
	option dest 'lan'

# lan -> guest: hosts on the trusted LAN may initiate connections to guest
# clients (guest clients cannot initiate the reverse).
config forwarding
	option src 'lan'
	option dest 'guest'


# network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde6:9918:2577::/48'

# Both switch ports end up in br-lan via eth0.1 (vlan 1 = ports 4 and 5 below)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr '08:55:31:ac:8b:fd'

# AP address on the main LAN, default route via the main router, and the
# upstream resolvers the AP's dnsmasq forwards to (reachable through lan, which
# is why they live here and not on the guest interface).
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 5 0t'

# Separate routed guest subnet on the AP; no 'device', so only the guest SSID
# attaches to it (presumably still via the wifi-iface with network 'guest'
# shown earlier -- the wireless config is not repeated in this post). No
# gateway/dns here: guests are routed and resolved through the AP itself.
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'


Respectfully, this cannot possibly work.
The cap ac is powered through its wan port (eth0.2).
So how can you connect it to your router over the lan port?

I'm in the same boat as you: I'm struggling to get my cap ac to act as a "dumb AP" broadcasting multiple SSIDs, but I power it over a PoE switch on the wan port.
I'm missing something essential here.
Thanks for any input.

Hi,

My PoE is still connected to ETH1. My only explanation is that the WAN port (or ETH1 on the device) is still physically connected to the PoE.

