Community discussions

MikroTik App
 
orangehead
just joined
Topic Author
Posts: 10
Joined: Wed May 10, 2023 12:01 pm

how to make lr8 a wifi client

Thu Feb 22, 2024 7:06 pm

Hi all,
Im a netwoking noob.
I have a few lr8 gateways around, they are all connected directly to LAN interfaces and they are all working great. Now i have the chance to deploy one on a new roof but there is no way to connect directly to a LAN port BUT they have a WiFi there that i can use. I searched around in the forum and on google and im overwhelmed from all the settings of router OS.
I noticed that there are always simple and advanced ways to achieve certain goals in router OS and im not sure what to search for. so my question is:
How can i connect the lr8 via WiFi to the network without messing everything up?
 
jaclaz
Long time Member
Long time Member
Posts: 609
Joined: Tue Oct 03, 2023 4:21 pm

Re: how to make lr8 a wifi client

Thu Feb 22, 2024 7:33 pm

It should not be harder than most other Mikrotiks (i.e. hard, but doable).

You will need to connect via ethernet to configure it AND you must be VERY careful to not lock yourself out.

Start here:
viewtopic.php?p=1036407
 
orangehead
just joined
Topic Author
Posts: 10
Joined: Wed May 10, 2023 12:01 pm

Re: how to make lr8 a wifi client

Thu Feb 22, 2024 9:00 pm

Hi Jaclaz,
thank you
i have some ideas:
-on quickset using CPE
-on configuration im already lost. the manual(https://wiki.mikrotik.com/wiki/Manual:Quickset) says that the difference is L2 or L3. i think L3 is what i want but i dont want that it acts as a router, its confusing
-on wireless network select: Address Acquisition -> automatic
- on local network: it wants an ip address, but i want a ip from the dhcp server, im not sure what to put in

will the quickset CPE mess with the LAN port and lock me out?
 
jaclaz
Long time Member
Long time Member
Posts: 609
Joined: Tue Oct 03, 2023 4:21 pm

Re: how to make lr8 a wifi client

Thu Feb 22, 2024 9:18 pm

In this page:
https://wiki.mikrotik.com/wiki/Manual:Quickset
there is a single occurrence of L2 (as part of L2TP/IPsec) and none of L3.
Maybe you are reading another page?

I am not following you on the rest.

The device is intended, if I get it right, never to be connected to via ethernet if not for management (i.e. there is no "local network" at all, only the wireless one), so you can add to ether1 a static IP (doesn't it already have the default 192.168.88.1?) and use a static IP on your PC as well.

The issue about being locked out is relative to possible firewall rules and to the interface belonging to either WAN or LAN and interfaces lists allowed for winbox, as mkx explained on that thread:
viewtopic.php?p=1036407#p1036678
 
orangehead
just joined
Topic Author
Posts: 10
Joined: Wed May 10, 2023 12:01 pm

Re: how to make lr8 a wifi client

Thu Feb 22, 2024 10:16 pm

it says:
What's is difference between Router and Bridge mode?
Bridge mode adds all interfaces to the bridge allowing to forward Layer2 packets (acts as a hub/switch).
In Router mode packets are forwarded in Layer3 by using IP addresses and IP routes (acts as a router).

on the manual https://help.mikrotik.com/docs/display/UM/wAP+LR8+kit it says:
-In the "QuickSet" menu set up the following: Choose your country, to apply country regulation settings;
-Set up your wireless network password in the left field;
-Set up your router password in the bottom field;

But they are doing this on a WASP AP, shown in the image below. I dont want a AP, i need the device to work as a wifi client.
And why should i enter my router password? i dont know what this is intended for.
Like i sayd before, im confused.


I always added a firewall rule for tcp on port 80 to ether1. So i have Poe and data all in one and deactivated wlan1 on interfaces for security. thats how my i set up the gateways normally.

I found a posts searching for precisely this feature but it is not solved.
viewtopic.php?t=187904

I don't know what to search for......
You do not have the required permissions to view the files attached to this post.
 
jaclaz
Long time Member
Long time Member
Posts: 609
Joined: Tue Oct 03, 2023 4:21 pm

Re: how to make lr8 a wifi client

Fri Feb 23, 2024 12:31 am

Yep, in networking different sources like to call the same thing in different ways, the good Mikrotik guys have progressed in this art bringing It to near perfection.
An AP (access point) is usually a bridge between a local wireless (LAN) and a local wired network (still LAN). (the devices connected via wifi are on the same network as the devices connected via ethernet cables) so essentially L2. You may think at It as a switch/hub that connects (bridges) wireless with wired.
A normal wired router is essentially an L3 device as it connects your local network (LAN) to *something else* like a different network or your ISP/internet (WAN), in practice usually a router has more than one port/interface on the LAN side, so It Is also a L2 device, for the interfaces that are into the bridge.
The other lr8's you have are already (if I get it right) "stations" or "routers" as they connect your local network (LAN) wired to ether1 to *something else* (the LoraWan) though there is not really-really any L2 or L3 as you have only one interface in use on the LAN side and the LoraWAN is not actually another network, it is not exactly routing it is UDP packet forwarding.
What you want now is (again if I get it right) the same but connecting the local network (LAN) via wireless to the wifi interface to *something else* (the LoraWan).
So, in theory, you can use the same configuration as those other devices but exchanging the ether1 with the wifi interface.
(but still keeping ether1 enabled as management port, outside any bridge).
Maybe if you post the configuration of one of your other working lr8 (removing/changing sensitive data) it will be easier to point you to the relevant settings.
It is well possibile that what you have now is the wifi interface and ether1 in a bridge and you just disabled the wifi one.
 
orangehead
just joined
Topic Author
Posts: 10
Joined: Wed May 10, 2023 12:01 pm

Re: how to make lr8 a wifi client

Fri Feb 23, 2024 11:31 am

Oh, the lr8 lets you connect via lan nearly out of the box. the only thing to do is add a firewall rule for ether1 to port 80, and voila, it works. the device gets a ip address and i can connect to webfig and it connects to the internet and to the lora-server.It is not found in the manual but you find a few resources online. But i dont know what are the settings in the background.
The other way is to connect over wifi but without internet access. the lr8 creates a open wifi network an you can connect and login to webfig.
But for changing configurations i normally login with winbox over lan.
it is not exactly routing it is UDP packet forwarding
I think so, if you want to make a comparison, its more like a bluetooth iot device that sends data to a bluetooth gateway that translates into internet protocols.
So i have to establish a UDP connection to my lorawan-network-server in a data center.
But the actual gateway is somewhere in a house on the countryside. In the house they have some unknown router with wifi functionality and i have to connect the lr8 in their home-network to get internet access.
So i need to connect to the lr8 via winbox over lan select the wifi ssid and put in the password so that it connects to the wifi.

The default of the lr8 is the opposite, you first connect over wifi, change the settings there and deploy the device over lan.



this is the actual config file from the device in question. it is connected via lan cable in my office
# feb/23/2024 06:42:52 by RouterOS 6.49.13
# software id = blabla
#
# model = RBwAPR-2nD
# serial number = blabla
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge ssid=MikroTik-0BF10E wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=wlan1 name=defconf
/lora servers
add address=eu.mikrotik.blabla down-port=1700 name=blabla \
    up-port=1700
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=wlan1 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=wlan1 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="ether1 tcp allow" dst-port=80 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/lora
set 0 antenna=uFL
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
jaclaz
Long time Member
Long time Member
Posts: 609
Joined: Tue Oct 03, 2023 4:21 pm

Re: how to make lr8 a wifi client  [SOLVED]

Fri Feb 23, 2024 2:05 pm

The "main" setting to be changed is:
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=outdoor mode=\
ap-bridge
ssid=MikroTik-0BF10E wireless-protocol=802.11
You want that to be "station".

Then, you need to have (probably) the dhcp client on interface wlan1 (or set a static IP address).

Then you should remove/disable the dhcp server (unless you want to keep it for ether1, in which case you have to set it to the "right" interface, ether1, not wlan1

And finally, you should configure the
/interface wireless security-profiles
to be able to connect to the wi-fi network.
 
orangehead
just joined
Topic Author
Posts: 10
Joined: Wed May 10, 2023 12:01 pm

Re: how to make lr8 a wifi client

Sun Feb 25, 2024 11:25 pm

Hi Jaclaz,
Awesome, i think it works.
ping 8.8.8.8 works
I did not executing the default script at the beginning!(everybody suggested it)It ends in a mess of configurations.
Connecting with winbox by eth1 mac address with LAN cable(USB dongle has problems,it disconnects every few seconds)
Go to Wireless
activate wlan1
security profiles->Mode->dynamic keys,Authentication_Types->WPA2 PSK, WPA2 Pre-shared Key->enter password of the WiFi you want connect to->OK
double-click on the wlan1 interface
Mode->station
click on the Scan button
Start
select network
connect
click OK
IP->DHCP Client, + , wlan1->OK
ping 8.8.8.8 works

i hope i forgot nothing

the only thing, connecting over WiFi to RouterOS does not work, not by winbox and not by Browser What do i miss?

Thank you
 
jaclaz
Long time Member
Long time Member
Posts: 609
Joined: Tue Oct 03, 2023 4:21 pm

Re: how to make lr8 a wifi client

Mon Feb 26, 2024 9:20 pm

The interface needs to be in the "right" interface list, relevant settings are:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
the above defines two "classes" of interfaces, essentially an "unsafe" one and a "safe" one.

/interface list member
add comment=defconf interface=wlan1 list=LAN
add comment=defconf interface=ether1 list=WAN
the above tells to which class an interface belongs, and finally these:

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
should be the services/servers involved in Winbox working.

Your settings seem correct, but there could be firewall filter rules that prevent anyway Winbox access from wlan1.

Post again your current configuration, maybe someone can spot the issue.
 
orangehead
just joined
Topic Author
Posts: 10
Joined: Wed May 10, 2023 12:01 pm

Re: how to make lr8 a wifi client

Tue Feb 27, 2024 8:41 am

Hi Jaclaz,
thank you for your patience and your tips!

How i said above, i resetted the lr8 without default script and the config file is now pretty short.
the firewall rule list is complete empty
# feb/27/2024 05:54:20 by RouterOS 6.49.13
# software id = blabla
#
# model = RBwAPR-2nD
# serial number = blabla
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no installation=\
    indoor ssid=blabla
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip dhcp-client
add disabled=no interface=wlan1
/lora
set 0 antenna=uFL disabled=no servers=loralama
/system clock
set time-zone-name=Europe/Rome
 
jaclaz
Long time Member
Long time Member
Posts: 609
Joined: Tue Oct 03, 2023 4:21 pm

Re: how to make lr8 a wifi client

Tue Feb 27, 2024 11:11 am

You are a minimalist, I like the approach :) .

I believe that the way you configured (should we say under-configured?) it - while working - needs the additions I listed in my previous post (or the equivalent) to have winbox connection, for a test you can copy and paste the three snippets above in terminal, one by one.
They should be "safe", in the worst case they will need some other explicit settings as "dependencies" and winbox will continue not connecting.

There are surely a number of "invisible" (default) settings that are not shown in a simple export, maybe you should make an "/export verbose":
https://help.mikrotik.com/docs/pages/vi ... eId=328160

Or you can inspect the settings with:
https://help.mikrotik.com/docs/display/ROS/MAC+server
/tool mac-server print
and
/tool mac-server mac-winbox print
 
orangehead
just joined
Topic Author
Posts: 10
Joined: Wed May 10, 2023 12:01 pm

Re: how to make lr8 a wifi client

Fri Mar 01, 2024 12:58 am

Hi,
You are a minimalist, I like the approach :) .
Step by step, i like to hear the gears working:)

the last days i played around with the settings and read a lot of configuration files.
When i enter the command:
/tool mac-server mac-winbox
set allowed-interface-list=LAN
and then reboot, im not able to login anymore over win-box with the mac address.... what makes sense, activating mac-winbox on LAN, deactivates it on WAN, what is grouped with the ether1 interface.
BUT the routeros management site is not reachable via IP, not from win-box and not from the browser.
The WiFi connection works because the UDP connection to my server is working!

I can reach two other lr8 in my network over IP (not found in neighbors but reachable), so it might not be a hardware issue somewhere in the network

In the configuration www is enabled and set on port 80.

What do i miss...

here is the export verbose
(without /tool mac-server mac-winbox
set allowed-interface-list=LAN)
# feb/29/2024 21:23:16 by RouterOS 6.49.13
# software id = QJ7C-BMP8
#
# model = RBwAPR-2nD
# serial number = HDG08KSREEP
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    48:A9:8A:0B:F1:0D mtu=1500 name=ether1 orig-mac-address=48:A9:8A:0B:F1:0D \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
add comment=defconf exclude="" include="" name=WAN
add comment=defconf exclude="" include="" name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet \
    default-route-distance=2 name=default use-peer-dns=yes
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=no \
    eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m \
    interim-update=0s management-protection=disabled mode=dynamic-keys \
    mschapv2-username="" name=default radius-called-format=mac:ssid \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity=MikroTik tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers=aes-ccm
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=none allow-sharedkey=\
    no ampdu-priorities=0 amsdu-limit=8192 amsdu-threshold=8192 antenna-gain=\
    2 area="" arp=enabled arp-timeout=auto band=2ghz-b/g/n basic-rates-a/g=\
    6Mbps basic-rates-b=1Mbps bridge-mode=enabled channel-width=20mhz \
    compression=no country=etsi default-ap-tx-limit=0 default-authentication=\
    yes default-client-tx-limit=0 default-forwarding=yes \
    disable-running-check=no disabled=no disconnect-timeout=3s distance=\
    dynamic frame-lifetime=0 frequency=2412 frequency-mode=regulatory-domain \
    frequency-offset=0 guard-interval=any hide-ssid=no ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-0,mc\
    s-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,m\
    cs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-2\
    3" hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=7 installation=any \
    interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 \
    mac-address=48:A9:8A:0B:F1:0E max-station-count=2007 mode=station mtu=\
    1500 multicast-buffering=enabled multicast-helper=default name=wlan1 \
    noise-floor-threshold=default nv2-cell-radius=30 nv2-downlink-ratio=50 \
    nv2-mode=dynamic-downlink nv2-noise-floor-offset=default nv2-qos=default \
    nv2-queue-count=2 nv2-security=disabled nv2-sync-secret="" \
    on-fail-retry-time=100ms preamble-mode=both radio-name=48A98A0BF10E \
    rate-selection=advanced rate-set=default rx-chains=0,1 scan-list=default \
    secondary-frequency="" security-profile=default skip-dfs-channels=\
    disabled ssid=hofnetz station-bridge-clone-mac=00:00:00:00:00:00 \
    station-roaming=disabled supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-chains=0,1 \
    tx-power-mode=default update-stats-interval=disabled vlan-id=1 vlan-mode=\
    no-tag wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 \
    wds-ignore-ssid=no wds-mode=disabled wireless-protocol=any wmm-support=\
    disabled wps-mode=push-button
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
    3200 framer-policy=none
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    flash/hotspot html-directory-override="" http-cookie-lifetime=3d \
    http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" \
    smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
    !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
    default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=\
    exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
    up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" \
    up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" \
    up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" \
    up-port=1700
add address=188.34.161.37 down-port=1700 name=loralama up-port=1700
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=default use-mpls=\
    default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default-encryption on-down="" on-up="" only-one=\
    default !outgoing-filter !parent-queue !queue-type !rate-limit \
    !remote-address !session-timeout use-compression=default use-encryption=\
    yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
    pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
    pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set wlan1 queue=wireless-default
/routing bgp instance
set default as=65530 client-to-client-reflection=yes !cluster-id \
    !confederation disabled=no ignore-as-path-len=no name=default out-filter=\
    "" redistribute-connected=no redistribute-ospf=no redistribute-other-bgp=\
    no redistribute-rip=no redistribute-static=no router-id=0.0.0.0 \
    routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never !domain-id \
    !domain-tag in-filter=ospf-in metric-bgp=auto metric-connected=20 \
    metric-default=1 metric-other-ospf=auto metric-rip=20 metric-static=20 \
    !mpls-te-area !mpls-te-router-id name=default out-filter=ospf-out \
    redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no \
    redistribute-rip=no redistribute-static=no router-id=0.0.0.0 \
    !routing-table !use-dn
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
    backbone type=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=\
    no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
    0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
    bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude" skin=\
    default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude" skin=\
    default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api,romon,tikapp,!dude" skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled \
    mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" \
    require-peer-certificate=no upgrade-policy=none
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=no interface=all
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=\
    1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
    udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic lldp-med-net-policy-vlan=disabled \
    protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes \
    arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    max-neighbor-entries=8192 route-cache=yes rp-filter=no secure-redirects=\
    yes send-redirects=yes tcp-syncookies=no
/interface detect-internet
set detect-interface-list=none internet-interface-list=none \
    lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set allow-fast-path=no authentication=pap,chap,mschap1,mschap2 \
    caller-id-type=ip-address default-profile=default-encryption enabled=no \
    keepalive-timeout=30 max-mru=1450 max-mtu=1450 max-sessions=unlimited \
    mrru=disabled one-session-per-host=no use-ipsec=no
/interface list member
add comment=defconf disabled=no interface=wlan1 list=LAN
add comment=defconf disabled=no interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5 cipher=blowfish128,aes128 default-profile=default enabled=\
    no keepalive-timeout=60 mac-address=FE:37:42:59:9F:30 max-mtu=1500 mode=\
    ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no force-aes=no keepalive-timeout=60 max-mru=1500 \
    max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any \
    verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" \
    caps-man-names="" certificate=none discovery-interfaces="" enabled=no \
    interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip cloud
set ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes default-route-distance=1 dhcp-options=\
    hostname,clientid disabled=no interface=wlan1 use-peer-dns=yes \
    use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s store-leases-disk=5m
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
    max-concurrent-queries=100 max-concurrent-tcp-sessions=20 \
    max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s \
    servers="" use-doh-server="" verify-doh-cert=no
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
    disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=\
    all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
    cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=::
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any
set api address="" disabled=no port=8728
set winbox address="" disabled=no port=8291
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/flash/pub \
    disabled=no max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=\
    200 port=1080 version=4
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no \
    host-key-size=2048 strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=16k enabled=no \
    inactive-flow-timeout=15s interfaces=all packet-sampling=no \
    sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
    dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
    ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=\
    yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes \
    out-interface=yes packets=yes protocol=yes src-address=yes \
    src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes \
    tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes \
    ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/lora
set 0 antenna=uFL antenna-gain=0dBi channel-plan=eu-868 disabled=no forward=\
    crc-valid,crc-error gateway-id=50303541575D4750 lbt-enabled=no \
    listen-time=5000us name=gateway-0 network=public rssi-threshold=-65dBm \
    servers=loralama !src-address
/lora channels
set 0 bandwidth=125_kHz disabled=no freq-off=-400000 radio=radio1
set 1 bandwidth=125_kHz disabled=no freq-off=-200000 radio=radio1
set 2 bandwidth=125_kHz disabled=no freq-off=0 radio=radio1
set 3 bandwidth=125_kHz disabled=no freq-off=-400000 radio=radio0
set 4 bandwidth=125_kHz disabled=no freq-off=-200000 radio=radio0
set 5 bandwidth=125_kHz disabled=no freq-off=0 radio=radio0
set 6 bandwidth=125_kHz disabled=no freq-off=200000 radio=radio0
set 7 bandwidth=125_kHz disabled=no freq-off=400000 radio=radio0
set 8 bandwidth=250_kHz disabled=no freq-off=-200000 radio=radio1 \
    spread-factor=SF7
set 9 bandwidth=125_kHz datarate=50000 disabled=no freq-off=300000 radio=\
    radio1
/lora radios
set 0 center-freq=867500000 disabled=no rssi-off=-162 tx-enabled=yes \
    tx-freq-max=870000000 tx-freq-min=863000000
set 1 center-freq=868500000 disabled=no rssi-off=-162 tx-enabled=no \
    tx-freq-max=0 tx-freq-min=0
/lora tx-lut
set 0 dac-gain=3 dig-gain=0 disabled=no mix-gain=11 pa-gain=0 rf-power=-6
set 1 dac-gain=3 dig-gain=0 disabled=no mix-gain=13 pa-gain=0 rf-power=-3
set 2 dac-gain=3 dig-gain=0 disabled=no mix-gain=9 pa-gain=1 rf-power=0
set 3 dac-gain=3 dig-gain=0 disabled=no mix-gain=10 pa-gain=1 rf-power=3
set 4 dac-gain=3 dig-gain=0 disabled=no mix-gain=12 pa-gain=1 rf-power=6
set 5 dac-gain=3 dig-gain=0 disabled=no mix-gain=10 pa-gain=2 rf-power=10
set 6 dac-gain=3 dig-gain=0 disabled=no mix-gain=11 pa-gain=2 rf-power=11
set 7 dac-gain=3 dig-gain=0 disabled=no mix-gain=11 pa-gain=2 rf-power=12
set 8 dac-gain=3 dig-gain=2 disabled=no mix-gain=12 pa-gain=2 rf-power=13
set 9 dac-gain=3 dig-gain=0 disabled=no mix-gain=13 pa-gain=2 rf-power=14
set 10 dac-gain=3 dig-gain=0 disabled=no mix-gain=15 pa-gain=2 rf-power=16
set 11 dac-gain=3 dig-gain=0 disabled=no mix-gain=10 pa-gain=3 rf-power=20
set 12 dac-gain=3 dig-gain=0 disabled=no mix-gain=12 pa-gain=3 rf-power=23
set 13 dac-gain=3 dig-gain=0 disabled=no mix-gain=13 pa-gain=3 rf-power=25
set 14 dac-gain=3 dig-gain=0 disabled=no mix-gain=15 pa-gain=3 rf-power=26
set 15 dac-gain=3 dig-gain=0 disabled=no mix-gain=15 pa-gain=3 rf-power=27
/mpls
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
    lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
    use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no \
    use-radius=no
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
    multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-community=public \
    trap-generators=temp-exception trap-target="" trap-version=1
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Rome
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=MikroTik
/system leds
set 0 disabled=no interface=wlan1 leds=user-led type=wireless-status
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0 server-dns-names=""
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
/system routerboard settings
set auto-upgrade=no boot-device=nand-if-fail-then-ethernet boot-protocol=\
    bootp force-backup-booter=no protected-routerboot=disabled \
    reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m \
    ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> port=25 start-tls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \
    filter-interface="" filter-ip-address="" filter-ip-protocol="" \
    filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" \
    filter-operator-between-entries=or filter-port="" filter-size="" \
    filter-stream=no memory-limit=100KiB memory-scroll=yes only-headers=no \
    streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=yes \
    stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no

 
jaclaz
Long time Member
Long time Member
Posts: 609
Joined: Tue Oct 03, 2023 4:21 pm

Re: how to make lr8 a wifi client

Fri Mar 01, 2024 2:20 am

Cannot say.
You can try setting (temporarily) the allowed interfaces to "all" both in Mac server and mac server Winbox.
Also could the !dynamic setting in
/ip neighbor discovery-settings
be involved?
 
orangehead
just joined
Topic Author
Posts: 10
Joined: Wed May 10, 2023 12:01 pm

Re: how to make lr8 a wifi client

Sat Mar 02, 2024 8:19 am

Thank you jaclaz!
You saved my ass.
I have to deploy the device today. It is reachable from winbox over mac and it is in a private network, i hope it is good enough.

and the !dynamic did he trick!(edit: for my other devices that are connected over ethernet, they are now visible in winbox neighbors)

Thank you for sharing your knowledge
Last edited by orangehead on Sat Mar 02, 2024 2:36 pm, edited 1 time in total.
 
jaclaz
Long time Member
Long time Member
Posts: 609
Joined: Tue Oct 03, 2023 4:21 pm

Re: how to make lr8 a wifi client

Sat Mar 02, 2024 11:57 am

Good. :)

How did you set the /ip neighbor discovery-settings ?


I guess that it should be:
set discover-interface-list=LAN

but it would be useful to other members searching for similar issues to have a confirmed working value.
 
orangehead
just joined
Topic Author
Posts: 10
Joined: Wed May 10, 2023 12:01 pm

Re: how to make lr8 a wifi client

Sat Mar 02, 2024 2:33 pm

I think i was not clear enough.
I played around with neighbor-discovery settings but it did not help for the "wifi station lr8", the one you helped me connecting..., there i am not able to connect over IP, but with mac address and ... it works.

But in the previous post i talked about the other two lr8's in my network and that winbox could not find them in my network.
I can reach two other lr8 in my network over IP (not found in neighbors but reachable)
On those i changed the setting from LAN to WAN (because i connected them to over the ether1 port and wlan1 is turned off), and winbox now shows them under neighbors, Fantastic!!
First check what the interface in question is a member of, with:
interface/list/member/print
then check the neighbor discovery settings
IP->Neighbors->Discovery settings->Discovery Interface List
you can choose WAN, LAN or all

I go to add some edits for the previous post
 
jaclaz
Long time Member
Long time Member
Posts: 609
Joined: Tue Oct 03, 2023 4:21 pm

Re: how to make lr8 a wifi client

Sat Mar 02, 2024 5:18 pm

So, for the "one" device there is still something missing.

I mean, if it works on the other two devices with WAN, it should work on this "reversed" one with LAN (for the sake of symmetry).

If you did add to that devices ALL the settings I listed in post #10 + the neighbour discovery one, I don't know what else may be still missing. :?

Who is online

Users browsing this forum: No registered users and 10 guests