Before ROS v7.13 I used the setup of one CRS326-24G-2S+ as the CAPsMAN controller and several AP’s (cAP-AC) which were CAP’s. I had configured the CAPsMAN with several datapaths using vlans and local-forwarding traffic to the CRS where I applied the firewall rules for the vlans. Here’s a short overview about the datapath configuration on the CRS:
The cAPs themselves were configured like this (vlan filtering on bridge disabled, cAPs were behind a trunk port that forwarded all the vlans 40,41,42,50 to the cAPs)
/interface wireless cap
set bridge=bridge1 certificate=request discovery-interfaces=vlanMGM enabled=yes interfaces=wlan2,wlan1 lock-to-caps-man=yes
Everything worked like a charm. Today I tried to migrate to the new wifiwave2 implementation after upgrading to ROS v7.13.
On the cAP’s i replaced the wireless package with the wifi-qcom-ac package. Unfortunately I later found out, that the documentation states that vlan assignment is currently not possible with the ac drivers:
802.11ac chipsets do not support this type of VLAN tagging , but they can be configured as VLAN access ports in bridge settings.
Like it was mentioned in this documentation entry I’ve enabled vlan filtering on the bridge on the cAP and assigned wifi1 the corresponding vlan access port and removed the vlan id in the datapath configuration on the CAPsMAN. This setup worked very well but only with one master configuration. After enabling some secondary slave configurations in the CAPsMAN there were several slave wifi interfaces created in dynamic mode on the cAP. I was unable to assign those dynamic interfaces a fixed vlan, because after a reprovision of the cAP their names changed (numbers were increased).
So my questions here:
Will the vlan assignment for wifi interfaces in the wifi-qcom-ac be supported at some time?
If not, is there any workaround in this scenario I can apply? The mentioned approach with the vlan filtering on the bridge only works for the master configuration. So unfortunately I can use only one wifi with one vlan
In CAP settings you can select that slaves are created as static interfaces:
slaves-static ()
Creates Static Virtual Interfaces, allows the possibility to assign IP configuration to those interfaces. MAC address is used to remember each static-interface when applying the configuration from the CAPsMAN.
Oh thank you man! I have completely overseen this option! At least this is exactly what i need!
Then there’s just my open question whether there will be support for vlans via datapath later? Can maybe s.o. from Mikrotik staff answer this?
And what does the “slaves-datapath” option exactly do? In the online documentation I can’t find anything about this
The following configuration is working now on the cAP’s:
/interface wifi cap
set certificate=CAP-18FD74894484 discovery-interfaces=vlanMGM enabled=yes lock-to-caps-man=yes slaves-static=yes
# The wifi interfaces were renamed manually after creation by CAPsMAN to match their functionality
/interface bridge
add ingress-filtering=no name=brLAN port-cost-mode=short protocol-mode=none pvid=30 vlan-filtering=yes
/interface bridge port
add bridge=brLAN ingress-filtering=no interface=ether1 internal-path-cost=10 multicast-router=disabled path-cost=10 pvid=30
add bridge=brLAN frame-types=admit-only-untagged-and-priority-tagged interface=wifiWIRELESS pvid=40
add bridge=brLAN frame-types=admit-only-untagged-and-priority-tagged interface=wifiSMARTHOME pvid=41
add bridge=brLAN frame-types=admit-only-untagged-and-priority-tagged interface=wifiFON pvid=42
/interface bridge vlan
add bridge=brLAN tagged=brLAN,ether1 vlan-ids=20
add bridge=brLAN tagged=brLAN,ether1 vlan-ids=30
add bridge=brLAN tagged=brLAN,ether1 untagged=wifiWIRELESS vlan-ids=40
add bridge=brLAN tagged=brLAN,ether1 untagged=wifiSMARTHOME vlan-ids=41
add bridge=brLAN tagged=brLAN,ether1 untagged=wifiFON vlan-ids=42
The question above is also my interest.
Is it possible to support VLAN at CAPsManager or will it stay like it is and it is necessary to manage the VLAN at CAP manually?
I partially agree but NOT providing qcom-ac package and throwing away a still perfect usable device is a lot more stupid, waste of time and resources.
And let’s be honest, on all those centrally managed systems, how often does config get changed ?
Not a lot for 99% of them. Pretty static.
So do the effort once and enjoy wave2. Or wait. Or replace all your gear to AX.
Your choice.
Give it some time. It may happen.
At the start with wifiwave2 on AX devices use of VLAN was not that easy either.
It got fixed eventually.
I partially agree but NOT providing qcom-ac package and throwing away a still perfect usable device is a lot more stupid, waste of time and resources.
because I was really glad to have 802.11r and WPA3 encryption on my cAP-ACs. I’ve been waiting so long for to have the wave2 drivers in the stable releases integrated. For my side its totally okay to have to configure it manually on the devices, but I still hope the mikrotik developers get those functionality done.
Firstly, hats off to MikroTik for allowing using the Qualcom 802.11ac ath10k WiFi driver (wifi-qcom-ac); it has a lot of latency and fairness benefits on top of Wave 2 support. I have been hoping for this for a long time . This kind of user support and freedom is what makes MikroTik special!
+1. The real icing on the cake would be wifi-qcom-ac VLAN ID support from the new CAPsMAN; it would be great if MikroTik could chime in if it cannot happen due to hardware limitations, or if it is on the radar…
I also suggest this is a SW limitation. If it worked with the old customized driver, we might only give the developers enough time to implement the support for the new wave2 driver.
Slaves-datapath is necessary if you want your slave interfaces automatically attached to a different bridge than the master interface. If it’s unset, slaves will inherit datapath bridge from the master interface.
