mAP lite - Setup with static IP-Address (different than default)

Buechi · Fri Apr 12, 2024 6:32 pm

Dear Community,

I'm working as embedded software developer and have only limited knowledge of ICT network technology. So thank you in advance for your patience

.

What's my intention?
I have an embedded device with an Ethernet interface (no WLAN). On this device, a webserver is running, which is accessible only via a static IP (10.100.30.130). I would like to configure a 'mAP lite' to connect to my embedded device from a mobile device (i.e. smartphone/tablet) via WLAN:

EMBEDDED DEVICE *) <====ETH-Cable====> mAP lite <====WLAN====> MOBILE DEVICE (i.e. Tablet / Smartphone)

*) Webserver with static IP 10.100.30.130

What's the problem?
I did such a configuration some time ago, with another AP. It was not a big issue then to setup this other AP, but due to the very tiny form factor of mAP lite, it would be great, if I could use this one.
Unfortunately I'm really struggling with the Setup to get it work. The main issue is, that I tried to change the IP-Adress of the mAP lite to 10.100.30.100. After rebooting the mAP with the new address, I can't access the Setup-Menu anymore (not with 10.100.30.100 and also not with it's default 192.168.88.1). After resetting the mAP via the Button on the device, it's accessible again via the default IP-Address.

Could someone please give me some ideas, how I can avid the a.m. issue and how to setup the required configuration properly in the mAP lite Setup-Dialogue.

Best thanks in advance for your kind support.

BR
Daniel

jaclaz · Fri Apr 12, 2024 9:16 pm

The map lite has only a single ethernet port, you shouldn't (until you have become more expert with RouterOS) change its IP address (192.168.88.1), you can add a second address to that same port.
The device should then be remain accessible through the default IP.

In any case you could (should) use Winbox for configuration of a Mikrotik device, and Winbox has two ways to access a Mikrotik device, the "normal" one though its IP but also one through its MAC, so you normally can access it even if no IP is configured for the connected port (but not in all cases).

This said, only changing the IP address shouldn't by itself prevent connection, it is possible that there is some firewall rule or some other setting in your current configuration that is "tied" to the default 192.168.88.1 address and does not allow a different IP connection

It is possible that you have *something* that classifies your ethernet port as WAN when you modify it, and WAN is not allowed by default on Mikrotik to access the router/AP, see also this:
viewtopic.php?t=179511

You should post your configuration, according to this post:
viewtopic.php?t=203686#p1051720
so that it is possible to point you to the culprit configuration line, cannot say the map lite, but most Mikrotik have:

/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

but there could be many other possible reasons.

Buechi · Wed Apr 24, 2024 2:58 pm

Dear jaclaz,
Best thanks for your kind feedback so far. I tried once again to setup the device with WinBox and under consideration of your remarks. Unfortunetaly still without success. So as recommendend by you, I will post my current configuration:

# jan/02/1970 00:12:16 by RouterOS 6.49.8
# software id = xyz
#
# model = RBmAPL-2nD
# serial number = xyz
/interface bridge
add admin-mac= xyz auto-mac=no comment=defconf name=bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-80243B wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.100.30.129/24 interface=ether1 network=10.100.30.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
add disabled=no interface=bridge1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I hope you or someone else could find the point, where I'm struggling. Best thanks in advance for your help.

BR

Daniel

jaclaz · Wed Apr 24, 2024 6:39 pm

At first sight, it seems to me like you have now a "mixed mode" configuration, it is not at all clear to me if you are attempting to use the device as a router or as a switch.

It is very likely that you lost connection with the device for a different reason, see the post #5 by bpwl here:
viewtopic.php?t=183336

Definitely you need to use Winbox for accessing/configuring it.

See also this thread:
viewtopic.php?t=179511

Depending on the configuration you have, you might need to access it from a PC connected to ether1 or via the WiFi connection, see:
viewtopic.php?t=182419

Let's see if I can list the requirements/fixed points.
1) The embedded device has IP 10.100.30.130, fixed, I presume /24.
2) The map lite ethernet port (ether1) is connected to the embedded device and should have an IP 10.100.30.100(/24), this might be a standalone port or a bridge one, see below.
3) The mobile device (tablet smartphone) should connect via Wi-FI, hence I presume it needs to get an IP from the map lite dhcp server.
Should this address be in the same network as the embedded device (i.e. 10.100.30.0/24) or a different one (as an example 192.168.1.0/24)?
If the first the map lite would be essentially a switch joining wired and wireless devices belonging to a same network (hence the use of the bridge) if the second it will be essentially a router, routing wireless to wired and viceversa.

Further points of note, in random order:
4) The firewall, in your configuration you don't need any firewall rule in /ip firewall filter, you can disable them all
5) The firewall, if you are using the bridge you don't need any /ip firewall nat, if you are routing you need the masquerade rule to nat the LAN to WAN
6) RoS 6.49.8 is a very old release, it should have no issues, but updating it to a 7.xx version might be a good idea (or maybe not)
7) Using a "router" approach should be overall easier than the "switch" one with the bridge, though both are possible

Buechi · Tue May 07, 2024 12:44 pm

Dear jaclaz,
Thank you very much for your kind reply and questions. Please find my answers to them here:

1) The embedded device has IP 10.100.30.130, fixed, I presume /24.

Yes, correct.

2) The map lite ethernet port (ether1) is connected to the embedded device and should have an IP 10.100.30.100(/24), this might be a standalone port or a bridge one, see below.

Yes, correct.

3) The mobile device (tablet smartphone) should connect via Wi-FI, hence I presume it needs to get an IP from the map lite dhcp server.

Yes, correct.

Should this address be in the same network as the embedded device (i.e. 10.100.30.0/24) or a different one (as an example 192.168.1.0/24)?

It is preferred to use the second approach, so that (on the mobile device) it is just necessary to search and connect to the WLAN-Network, provided by the map lite. Afterwards it should be possible to type the IP-Address '10.100.30.130:8080' to the address field of the Browser to establish the connection to this particular IP-Address through WLAN and the (fixed-ip-)Ethernet-Port of the map lite.

4) The firewall, in your configuration you don't need any firewall rule in /ip firewall filter, you can disable them all

Ok.

5) The firewall, if you are using the bridge you don't need any /ip firewall nat, if you are routing you need the masquerade rule to nat the LAN to WAN

Ok.

6) RoS 6.49.8 is a very old release, it should have no issues, but updating it to a 7.xx version might be a good idea (or maybe not)

Ok.

7) Using a "router" approach should be overall easier than the "switch" one with the bridge, though both are possible

Ok.

If you could give me some idea, how to do the configuration of the ap lite according to the a.m. setup the easiest way, this would be great. My best thanks in advance for your kind support.

BR
Daniel

jaclaz · Tue May 07, 2024 3:12 pm

What I would try doing (I believe you have to connect via the wi-fi to access the map lite "as is" via Winbox at address 192.168.88.1 or using MAC)
1) change:
/tool mac-server mac-winbox
set allowed-interface-list=LAN
to
/tool mac-server mac-winbox
set allowed-interface-list=all
this should allow winbox connection on both the ethernet and the wireless interface.

2) I am perplexed by this:
/interface bridge port
add bridge=bridge comment=defconf interface=pwr-line1
the pwr-line1 shouldn't be on a map lite defconf?

3) in any case, remove the ether1 port from bridge1

4) add the wanted address to ether1
/ip address
add address=10.100.30.100/24 comment=testconf interface=ether1 network=10.100.30.0
edit the existing 10.100.30.129 or leave it as is and use that in the following instead of 10.100.30.100

5) since the ether1 is now standalone and has a static IP address, disable these:
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
add disabled=no interface=bridge1

6) go through all the /ip firewall filter rules and disable them all

7) make sure that you have:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

At this point (unless I am mistaken or forgot something), you should be able to connect via Winbox to the map lite through the ether1 both via IP at 10.100.30.100 (your PC needs to be set temporarily to a static IP address in the 10.100.30.0/24 range) and via MAC.

Check which "dynamic" routes you have now with:
/ip route print

There should be a route to 10.100.30.0/24 with either gateway=ether1 or gateway=10.100.30.100 and one to 192.168.88.0 with either gateway=192.168.88.1 or gateway=bridge.

So, now if you disconnect the PC from ether1, connect your embedded device to ether1 and connect the PC to the wi-fi, you should be able to ping and access the embedded device at 10.100.30.130.

If all the above works, then we can talk of bettering/refiining the configuration.

Don't take the points above as "the ultimate complete guide to map lite configuration", there may be missing steps or *something else*, at the most they can be considered a "good faith attempt to point in the right direction"

Buechi · Wed May 08, 2024 9:00 am

Hi jaclaz,

Perfect. Now it works as it should

. Many, many thanks for your great support and patience so far. Please let me know, if I should try or change something at this point.

BR & many thanks again

Daniel

Buechi · Wed May 08, 2024 9:06 am

...by the way: Please find the current configuration here:

/interface bridge
add admin-mac=78:9A:18:80:24:3A auto-mac=no comment=defconf name=bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-80243B wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.100.30.100/24 interface=ether1 network=10.100.30.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN

jaclaz · Wed May 08, 2024 11:46 am

For the use you have (only accessing through Wi-FI a single device connected to ether1 with a fixed IP address) it seems to me fine.

You don't need any firewall filter rule, up to you if keeping them, but disabled, or downright remove them (this is only a matter of preference, if you prefer a "cleaner" simple configuration, delete them, otherwise, if you think you will want to change something later you can keep them disabled.

It remains the "mistery" (to me) of the:
add bridge=bridge comment=defconf interface=pwr-line1
I would first thy disabling and then remove it.

Since now ether1 has a fixed IP you can disable or remove the
/ip dhcp-client
add comment=defconf interface=ether1

You should have (maybe you missed it in copy/paste of your config) :
/tool mac-server mac-winbox
set allowed-interface-list=all
You can leave it as above (allowing Winbox access from both ether1 and wlan1) or now set it to either:
set allowed-interface-list=WAN <- this is what I would normally do in such a setup, allow Winbox access to WAN interfaces only, i.e. to ether1, this means that you will have to detach the target device and connect the PC via ethernet, I believe it is more reliable, in case something should go wrong than the alternative
or
set allowed-interface-list=LAN <- this means that Winbox access will be possible only through the bridge/wlan1, i.e. via Wi-FI, it is surely more convenient as you don't have to change connection/IP of your computer or fiddle with cables, but it could be less reliable than the cable

Personally I would set it to "all", so that you have both ways of connecting in case of need, given the peculiar use of the device I don't think there is any security risk in practice.

That's it, if it works, it works, there may be further things that you can do to simplify the setup (like removing the bridge1 and make also wlan1 "self-standing") but there is no real reason to do so that I know, and - maybe possible - changes to improve the data rate transfer are not needed, you should have already more throughput than what you need.

mAP lite - Setup with static IP-Address (different than default)

mAP lite - Setup with static IP-Address (different than default)

Re: mAP lite - Setup with static IP-Address (different than default)

Re: mAP lite - Setup with static IP-Address (different than default)

Re: mAP lite - Setup with static IP-Address (different than default)

Re: mAP lite - Setup with static IP-Address (different than default)

Re: mAP lite - Setup with static IP-Address (different than default)

Re: mAP lite - Setup with static IP-Address (different than default)

Re: mAP lite - Setup with static IP-Address (different than default)

Re: mAP lite - Setup with static IP-Address (different than default)

Who is online