go4030
Frequent Visitor
Topic Author
Posts: 57
Joined: Wed Oct 28, 2020 3:56 am

Can't Access aAP ac after setting it up.

Sat Apr 13, 2024 10:26 pm

I'm using a cAP ac with RouterOS 6.49.13.

I followed this excellent guide to make an Access Point with VLANs. It works great. viewtopic.php?f=13&t=143620

However, after configuring the device as an access point I can't get into the router anymore with Webfig or Winbox. I'm locked out. The computer that I'm using to access the cAP ac is 10.2.10.50 / VLAN 10. I suspect the issue has something to do with my computer not being in the correct IP range or VLAN to access the AP, but I can't figure it out.

Attached is my complete .rsc file. I'd really appreciate some help figuring this out.

I think these configs may be the issue but I'm not certain...
#######################################
# IP Addressing & Routing
#######################################

# LAN facing AP's Private IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.3/24 interface=BASE_VLAN

Thank you.
 
anav
Forum Guru
Posts: 19674
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't Access aAP ac after setting it up.

Sat Apr 13, 2024 10:36 pm

Recommend using ether2 to configure the device OFF Bridge.
Below is an example.

Change the ipv4 settings on your desktop or laptop to something like 192.168.36.5 gateway 192.168.36.1
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
# mandatory: the trusted VLAN must be identified in /interface vlan - do not put any other VLANs here!!
add interface=bridgegym name=homeVlan vlan-id=12
/interface list
add name=ADMIN
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce country=canada disabled=no frequency=5500 \
    mode=ap-bridge name=homeWLan security-profile=home_Security skip-dfs-channels=all ssid=NoPain-NoGain wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=canada disabled=no frequency=2437 mode=ap-bridge \
    name=mediaWlan rate-set=configured security-profile=media_Security skip-dfs-channels=all ssid=Media \
    supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=yy.yy.yy.yy  master-interface=mediaWlan multicast-buffering=\
    disabled name=HVAC_WLAN security-profile=Cerv_key ssid=machine wds-cost-range=0 wds-default-cost=0 wmm-support=\
    enabled wps-mode=disabled
/interface bridge port
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=12
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
# only the trusted VLAN, where the cAP ac gets its IP address, is tagged with the bridge
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=12
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=49
/interface list member
add interface=homeVlan list=ADMIN
add interface=emergaccess list=ADMIN
/ip address
add address=192.168.10.84/24 interface=homeVlan network=192.168.10.0  comment="IP of capac on trusted subnet"
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"
/ip dns
# Note: done so all DNS requests use the trusted subnet
set allow-remote-requests=yes servers=192.168.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
 
erlinden
Forum Guru
Posts: 2013
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Can't Access aAP ac after setting it up.

Sat Apr 13, 2024 10:39 pm

Have you tried through Winbox using the MAC address (which can hopefully be found in discovered)?
 
anav
Forum Guru
Posts: 19674
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't Access aAP ac after setting it up.

Sun Apr 14, 2024 3:15 pm

Also use safemode when implementing config changes. After about 15-20 seconds, without any issues undo safe mode, to keep the changes and then turn it back on.
 
go4030
Frequent Visitor
Topic Author
Posts: 57
Joined: Wed Oct 28, 2020 3:56 am

Re: Can't Access aAP ac after setting it up.

Sun Apr 14, 2024 11:27 pm

> Have you tried through Winbox using the MAC address (which can hopefully be found in discovered)?
Thanks. I did try this but it did not work.
 
go4030
Frequent Visitor
Topic Author
Posts: 57
Joined: Wed Oct 28, 2020 3:56 am

Re: Can't Access aAP ac after setting it up.

Sun Apr 14, 2024 11:48 pm

Anav, Thank you! This was very helpful. I got it working. Normal routing is on ether1. Admin access is on ether2 via 192.168.36.1 like you recommended.

I wasn't 100% certain about which parts of the example script "AccessPoint.rsc" at viewtopic.php?f=13&t=143620 to remove when I added your example script. Attached is my working script. If you see anything obvious I should remove/change/improve/make more robust I'd appreciate it.

Thank you again!
:-)
 
anav
Forum Guru
Posts: 19674
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't Access aAP ac after setting it up.

Mon Apr 15, 2024 12:06 am

Yes.

1. Major omission! Without this you will not be able to reach the AP for config purposes through normal networking ( winbox on base vlan etc.......)
/interface list member
add interface=BASE_VLAN list=ADMIN
add interface=emergaccess list=ADMIN


2. Minor omission
/ip dns
set allow-remote-requests=yes servers=192.168.0.1


3. Personal preference. I always manually write down the untagging on /interface bridge vlans so that they are displayed on an export of the config and to double check against Bridge ports. Also if someone else takes over the config, it will be clearer.......

/interface bridge vlan
add bridge=BR1 tagged=ether1 untagged=wlan1,wlan2 vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=wlan1_zz_20,wlan2_zz_20 vlan-ids=20
add bridge=BR1 tagged=ether1 untagged=wlan1_zz_30,wlan2_zz_30 vlan-ids=30
add bridge=BR1 tagged=ether1 untagged=wlan1_zz_40,wlan2_zz_40 vlan-ids=40
add bridge=BR1 tagged=ether1 untagged=wlan1_zz_50,wlan2_zz_50 vlan-ids=50
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
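
Added example, not part of any post in this thread: a small Python check that reads a RouterOS export and flags the management-access gaps discussed above (an addressed interface missing from the ADMIN list, the bridge not tagged for the VLAN its /interface vlan sits on, and mac-winbox pointing at a list that does not exist). The function names, the sample export and the rule that every addressed interface on an AP belongs in ADMIN are assumptions made for illustration; vlan-ids ranges such as 10-20 are not handled.

```python
import re

# Constructed export modelled on the thread, not the poster's attached file.
SAMPLE = """\
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/interface list
add name=ADMIN
/interface list member
add interface=emergaccess list=ADMIN
/interface bridge vlan
add bridge=BR1 tagged=ether1 vlan-ids=99
/ip address
add address=192.168.0.3/24 interface=BASE_VLAN
add address=192.168.36.1/24 interface=emergaccess
/tool mac-server mac-winbox
set allowed-interface-list=management
"""

def parse(export):
    """Return [(menu, {key: value})] for each add/set line of an export."""
    rows, menu = [], None
    # Join lines that the export wrapped with a trailing backslash.
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            rows.append((menu, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))))
    return rows

def lint(export, admin_list="ADMIN"):
    rows = parse(export)
    get = lambda menu: [kv for m, kv in rows if m == menu]
    # User-defined lists plus the lists RouterOS predefines.
    lists = {r["name"] for r in get("/interface list")} | {"all", "none", "dynamic", "static"}
    admins = {r["interface"] for r in get("/interface list member") if r.get("list") == admin_list}
    bvlans = get("/interface bridge vlan")
    # Assumption: on an AP every interface with an IP is a management interface.
    out = [f"{r['interface']} has an IP address but is not in {admin_list}"
           for r in get("/ip address") if r["interface"] not in admins]
    for v in get("/interface vlan"):  # the bridge itself must be tagged for its VLAN
        same = [b for b in bvlans if b["bridge"] == v["interface"]]
        if same and not any(v["vlan-id"] in b["vlan-ids"].split(",")
                            and v["interface"] in b.get("tagged", "").split(",") for b in same):
            out.append(f"{v['interface']} is not tagged for VLAN {v['vlan-id']}")
    for r in get("/tool mac-server mac-winbox"):  # list must actually exist
        if r.get("allowed-interface-list") not in lists:
            out.append(f"mac-winbox uses undefined list {r.get('allowed-interface-list')}")
    return out
```

Running `lint()` on an export before applying it to a remote AP reports each finding as a plain string; an empty list means none of the three checks fired.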
