Hi everyone, I'm writing to try to solve a problem with my access point. From my PC I can reach the cAP ac configuration via IP only if I connect downstream of the device, as shown in the following diagram:

  1. Given that the switches are cheap unmanaged ones with no particular configuration, could I run into problems keeping the network structured this way?
  2. I'm new to the networking world, so I may have got something wrong in the cAP ac configuration; any advice on what to check?


I'm on the Open Fiber network, and the hAP ac2 points its DNS at the IP of an RPi4 acting as DNS server (Pi-hole); I don't know whether that changes anything.

Do an export hide-sensitive of the cAP ac config and post it


    edofullo

    export

    # dec/27/2022 21:14:00 by RouterOS 6.49.7
    # software id = HHVU-7R5F
    #
    # model = RBcAPGi-5acD2nD
    # serial number = xxxxxxxxxx
    /interface bridge
    add admin-mac=2C:C8:1B:1A:65:6F auto-mac=no comment=defconf name=bridge
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] supplicant-identity=MikroTik
    add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=polve supplicant-identity=""
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=2452 installation=indoor \
        mode=ap-bridge name=WIFI2.4 security-profile=polve ssid=BlackNet station-roaming=enabled wireless-protocol=802.11
    set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=5220 installation=\
        indoor mode=ap-bridge name=WIFI5 security-profile=polve ssid=BlackNet station-roaming=enabled wireless-protocol=802.11
    /ip pool
    add name=dhcp ranges=192.168.88.10-192.168.88.254
    /user group
    set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
    /interface bridge port
    add bridge=bridge comment=defconf interface=ether2
    add bridge=bridge comment=defconf interface=WIFI2.4
    add bridge=bridge comment=defconf interface=WIFI5
    add bridge=bridge interface=ether1
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /interface list member
    add comment=defconf interface=ether1 list=WAN
    add interface=ether2 list=LAN
    add interface=WIFI5 list=LAN
    add interface=WIFI2.4 list=LAN
    /ip address
    add address=192.168.0.9/24 comment=defconf disabled=yes interface=ether2 network=192.168.0.0
    /ip dhcp-client
    add disabled=no interface=bridge
    /ip dhcp-server network
    add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24
    /ip dns
    set allow-remote-requests=yes servers=192.168.0.5
    /ip dns static
    add address=192.168.0.9 comment=defconf name=router.lan
    /ip firewall filter
    add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
    add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
        in-interface-list=WAN
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
    /ip route
    add disabled=yes distance=1 gateway=192.168.0.4
    /ip service
    set winbox address=192.168.0.191/32
    /system clock
    set time-zone-name=Europe/Rome
    /system routerboard mode-button
    set enabled=yes on-event=dark-mode
    /system script
    add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=\
        ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
        \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
        \n     /system leds settings set all-leds-off=immediate \r\
        \n   } else={\r\
        \n     /system leds settings set all-leds-off=never \r\
        \n   }\r\
        \n "
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN
      14 days later

      Any ideas?

      Sorry, I forgot.

      polve93
      /ip address
      add address=192.168.0.9/24 comment=defconf disabled=yes interface=ether2 network=192.168.0.0

      Try assigning this IP to the bridge rather than to ether2; the rest looks fine to me

      Ah, and remove the DHCP server


        edofullo
        I changed the configuration but still nothing; I should point out, though, that from the PC I can connect with WinBox only via MAC address, not via IP address.

        /interface bridge
        add admin-mac=2C:C8:1B:1A:65:6F auto-mac=no comment=defconf name=bridge
        /interface list
        add comment=defconf name=WAN
        add comment=defconf name=LAN
        /interface wireless security-profiles
        set [ find default=yes ] supplicant-identity=MikroTik
        add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=polve supplicant-identity=""
        /interface wireless
        set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=2452 installation=indoor \
            mode=ap-bridge name=WIFI2.4 security-profile=polve ssid=BlackNet station-roaming=enabled wireless-protocol=802.11
        set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=5220 installation=\
            indoor mode=ap-bridge name=WIFI5 security-profile=polve ssid=BlackNet station-roaming=enabled wireless-protocol=802.11
        /ip pool
        add name=dhcp ranges=192.168.88.10-192.168.88.254
        /user group
        set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
        /interface bridge port
        add bridge=bridge comment=defconf interface=ether2
        add bridge=bridge comment=defconf interface=WIFI2.4
        add bridge=bridge comment=defconf interface=WIFI5
        add bridge=bridge interface=ether1
        /ip neighbor discovery-settings
        set discover-interface-list=LAN
        /interface list member
        add comment=defconf interface=ether1 list=WAN
        add interface=ether2 list=LAN
        add interface=WIFI5 list=LAN
        add interface=WIFI2.4 list=LAN
        /ip address
        add address=192.168.0.9/24 comment=defconf interface=bridge network=192.168.0.0
        /ip dhcp-client
        add interface=bridge
        /ip dns
        set allow-remote-requests=yes servers=192.168.0.5
        /ip dns static
        add address=192.168.0.9 comment=defconf name=router.lan
        /ip firewall filter
        add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
        add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
        add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
        add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
        add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
        add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
        add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
        add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
        add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
        add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
        add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
            in-interface-list=WAN
        /ip firewall nat
        add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
        /ip route
        add distance=1 gateway=192.168.0.1
        /ip service
        set winbox address=192.168.0.191/32
        /system clock
        set time-zone-name=Europe/Rome
        /system routerboard mode-button
        set enabled=yes on-event=dark-mode
        /system script
        add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=\
            ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
            \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
            \n     /system leds settings set all-leds-off=immediate \r\
            \n   } else={\r\
            \n     /system leds settings set all-leds-off=never \r\
            \n   }\r\
            \n "
        /tool mac-server
        set allowed-interface-list=LAN
        /tool mac-server mac-winbox
        set allowed-interface-list=LAN
        

          I may be wrong because it's hard to read from my phone, but I only see eth1 and eth2 assigned to the bridge (besides the Wi-Fi interfaces).
          Is the PC connected to one of those ports?

          • [deleted]

          polve93

          add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

          The bridge and ether1 are not in the LAN interface list, so the connection attempts are being dropped by the firewall.

          Remove ether1 from the WAN list and add the bridge to the LAN list. 😉
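An added checker (example code, not from the thread or from MikroTik) that scans an export for the mistake diagnosed above: it parses the /interface list member, /ip address, /ip dhcp-client and /ip firewall filter sections and reports any interface that holds a management IP but is missing from the list named by an input-chain in-interface-list=!... drop rule. The sample export is constructed from the thread's second config, trimmed to the relevant sections.

```python
"""Check a RouterOS export for this thread's pitfall: a management interface missing from the list that the input drop rule requires."""
import shlex
# Constructed sample modelled on the second export in the thread, not a verbatim copy of it.
BROKEN_EXPORT = """\
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.0.9/24 comment=defconf interface=bridge network=192.168.0.0
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
"""

def parse_export(text):
    """Return {section: [(verb, {key: value}), ...]}; joins backslash line continuations."""
    sections, section, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # continuation line: keep accumulating
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):  # menu path such as /ip firewall filter
            section = line
        else:
            tokens = shlex.split(line)  # handles quoted comments containing spaces
            kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            sections.setdefault(section, []).append((tokens[0], kv))
    return sections

def audit_input_chain(text):
    """List management interfaces that an input-chain in-interface-list=!X drop rule blocks."""
    cfg = parse_export(text)
    members = {}
    for _, kv in cfg.get("/interface list member", []):
        members.setdefault(kv.get("list"), set()).add(kv.get("interface"))
    mgmt = {kv["interface"] for sec in ("/ip address", "/ip dhcp-client")
            for _, kv in cfg.get(sec, []) if "interface" in kv and kv.get("disabled") != "yes"}
    findings = []
    for _, kv in cfg.get("/ip firewall filter", []):
        lst = kv.get("in-interface-list", "")
        if kv.get("chain") == "input" and kv.get("action") == "drop" and lst.startswith("!"):
            for iface in sorted(mgmt - members.get(lst[1:], set())):
                findings.append(f"{iface} has a management IP but is not in {lst[1:]} ({kv.get('comment', '')})")
    return findings
FIXED_EXPORT = BROKEN_EXPORT.replace(  # the thread's fix: bridge joins LAN, ether1 leaves WAN
    "add comment=defconf interface=ether1 list=WAN\n", "add interface=bridge list=LAN\n")
```

Running audit_input_chain on the real export hide-sensitive output works the same way, since the parser joins the backslash-continued lines the export emits.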

            [deleted]

            Now everything works, thanks a lot
