lpalochka
just joined
Topic Author
Posts: 4
Joined: Wed Mar 09, 2016 1:03 pm

CAPsMAN, VLAN bridge and bidirectional broadcast (SOLVED)

Wed Mar 09, 2016 2:14 pm

Sorry for making a new topic. I've tried to use search, however I haven't found a solution for this. I'm trying to configure a Mikrotik 2011UiAS-2HnD as an AP with dynamic VLAN assignment, and everything looks fine and clear except DHCP:
[admin@802.1_test] /interface wireless cap> /export compact                                  
# mar/09/2016 12:03:02 by RouterOS 6.34.2
# software id = KTBV-5JEH
#
/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] l2mtu=4074 mtu=4000
set [ find default-name=ether2 ] l2mtu=4074 mtu=2000
set [ find default-name=ether3 ] l2mtu=4074
set [ find default-name=ether4 ] l2mtu=4074
set [ find default-name=ether5 ] l2mtu=4074
/interface wireless
# managed by CAPsMAN
# channel: 2427/20-Ce/gn(30dBm), SSID: 8021_Test, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b disabled=no ssid=MikroTik
/caps-man interface
add arp=enabled configuration.mode=ap configuration.ssid=8021_Test datapath.bridge=bridge1 \
    datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-mode=use-tag disabled=no l2mtu=1600 \
    mac-address=4C:5E:0C:E9:0E:29 master-interface=none mtu=2290 name=cap1 radio-mac=4C:5E:0C:E9:0E:29 \
    security.authentication-types=wpa-eap,wpa2-eap security.eap-methods=passthrough security.eap-radius-accounting=yes \
    security.encryption=aes-ccm,tkip
/interface vlan
add interface=bridge1 name=v40_br vlan-id=40
add comment=management interface=ether1 name=v69 vlan-id=69
/ip neighbor discovery
set v897 comment=management
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-eap mode=dynamic-keys radius-eap-accounting=yes radius-mac-mode=\
    as-username-and-password supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/caps-man aaa
set mac-mode=as-username-and-password
/caps-man access-list
add action=query-radius client-to-client-forwarding=yes disabled=no mac-address=00:00:00:00:00:00 radius-accounting=yes \
    ssid-regexp="" vlan-mode=no-tag
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=cap1
add bridge=bridge1 interface=ether1
/interface wireless access-list
add authentication=no disabled=yes vlan-mode=no-tag
/interface wireless cap
set bridge=bridge1 discovery-interfaces=bridge1 enabled=yes interfaces=wlan1
/ip address
add address=10.0.0.253/24 interface=v69 network=10.0.0.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns
set servers=10.0.0.3
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add distance=1 gateway=10.0.0.1
/lcd
set time-interval=daily
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
/radius
add address=10.0.0.3 secret=secret service=wireless
/system clock
set time-zone-autodetect=no
/system identity
set name=802.1_test
/user aaa
set use-radius=yes
The client can connect to the AP, the AP asks RADIUS about the VLAN tag, but when the client tries to obtain an IP address it can't, even though I can see an offer as a reply from the DHCP server:
 14:48:48.327694  In PFE proto 2 (ipv4): (tos 0x0, ttl 128, id 321, offset 0, flags [none], proto: UDP (17), length: 328) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:24:d6:21:6d:e4, length 300, xid 0x3d11c7e7, secs 1024, Flags [none]
	  Client-Ethernet-Address 00:24:d6:21:6d:e4
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether 00:24:d6:21:6d:e4
	    Hostname Option 12, length 4: "dell"
	    Vendor-Class Option 60, length 8: "MSFT 5.0"
	    Parameter-Request Option 55, length 12: 
	      Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
	      Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
	      Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
14:48:48.328592 Out 64:87:88:3a:38:07 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 40, p 6, ethertype IPv4, (tos 0x0, ttl   1, id 16330, offset 0, flags [none], proto: UDP (17), length: 328) 192.168.40.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x3d11c7e7, Flags [none]
	  Your-IP 192.168.40.107
	  Client-Ethernet-Address 00:24:d6:21:6d:e4
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Offer
	    Server-ID Option 54, length 4: 192.168.40.1
	    Lease-Time Option 51, length 4: 120
	    Subnet-Mask Option 1, length 4: 255.255.255.0
	    Default-Gateway Option 3, length 4: 192.168.40.1
	    Domain-Name-Server Option 6, length 12: x.x.x.x
	    Domain-Name Option 15, length 15: "bla-bla"
If I configure a static IP it starts to work as I expect. Could you give me a piece of advice on where I made a mistake, or just how to allow bidirectional flow of broadcast packets?
Last edited by lpalochka on Fri Mar 11, 2016 1:20 pm, edited 1 time in total.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: CAPsMAN, VLAN bridge and bidirectional broadcast

Wed Mar 09, 2016 10:40 pm

The only thing I see is that you "hung" the VLAN management interface directly off ether1, whereas ether1 is already added to bridge1; additionally I see the dhcp-client is bound to ether1.

Both the VLAN interface and the dhcp-client should be tied to bridge1.

Where's the DHCP server? where did you get the packet capture, on the 2011? On which interface?
 
lpalochka
just joined
Topic Author
Posts: 4
Joined: Wed Mar 09, 2016 1:03 pm

Re: CAPsMAN, VLAN bridge and bidirectional broadcast

Wed Mar 09, 2016 11:14 pm

Hi,

Thanks for the reply. The diagram is simple: "dhcp-server" -- (trunk) switch (trunk) -- 2011. I captured packets on the DHCP server side and it's in VLAN 40. The management interface is used only to connect the 2011 and the RADIUS server; that's why I added it only to ether1 instead of bridge1. The DHCP clients are only wireless (cap interface).
 
lpalochka
just joined
Topic Author
Posts: 4
Joined: Wed Mar 09, 2016 1:03 pm

Re: CAPsMAN, VLAN bridge and bidirectional broadcast

Fri Mar 11, 2016 3:53 am

I don't know; however, in case it might help, I've put some packets that were sniffed:

1) with static IP configured on client side, when client starts to ping gateway (broadcasts are seen on the server side):

a) Mikrotik:
[admin@802.1_test] /tool sniffer> packet print detail 
 0 time=54.79 num=1 direction=rx src-mac=68:A3:C4:F4:A6:12 dst-mac=FF:FF:FF:FF:FF:FF vlan=40 interface=wlan1 protocol=arp size=46 
   cpu=0 fp=no 

 1 time=54.792 num=2 direction=tx src-mac=64:87:88:3A:38:07 dst-mac=68:A3:C4:F4:A6:12 vlan=40 interface=wlan1 protocol=arp size=60 
   cpu=0 fp=no 

 2 time=54.793 num=3 direction=rx src-mac=68:A3:C4:F4:A6:12 dst-mac=64:87:88:3A:38:07 vlan=40 interface=wlan1 
   src-address=192.168.40.20 dst-address=192.168.40.1 protocol=ip ip-protocol=icmp size=102 cpu=0 fp=no ip-packet-size=84 
   ip-header-size=20 dscp=0 identification=18768 fragment-offset=0 ttl=64 

 3 time=54.813 num=4 direction=tx src-mac=64:87:88:3A:38:07 dst-mac=68:A3:C4:F4:A6:12 vlan=40 interface=wlan1 
   src-address=192.168.40.1 dst-address=192.168.40.20 protocol=ip ip-protocol=icmp size=102 cpu=0 fp=no ip-packet-size=84 
   ip-header-size=20 dscp=0 identification=18768 fragment-offset=0 ttl=64 
b) gateway (dhcp-server):
04:22:39.613176  In 68:a3:c4:f4:a6:12 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 40, p 0, ethertype ARP, arp who-has 192.168.40.1 tell 192.168.40.20
04:22:39.613211 Out 64:87:88:3a:38:07 > 68:a3:c4:f4:a6:12, ethertype 802.1Q (0x8100), length 46: vlan 40, p 0, ethertype ARP, arp reply 192.168.40.1 is-at 64:87:88:3a:38:07
c) client
04:22:39.614706 68:a3:c4:f4:a6:12 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.40.1 tell 192.168.40.20, length 28
04:22:39.617224 64:87:88:3a:38:07 > 68:a3:c4:f4:a6:12, ethertype ARP (0x0806), length 56: Ethernet (len 6), IPv4 (len 4), Reply 192.168.40.1 is-at 64:87:88:3a:38:07, length 42
04:22:39.617245 68:a3:c4:f4:a6:12 > 64:87:88:3a:38:07, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 18894, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.40.20 > 192.168.40.1: ICMP echo request, id 27231, seq 0, length 64
04:22:39.619049 64:87:88:3a:38:07 > 68:a3:c4:f4:a6:12, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 18894, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.40.1 > 192.168.40.20: ICMP echo reply, id 27231, seq 0, length 64
2) with static IP configured on client side, when gateway starts to ping client and there are no arp records on each side:

a) gateway
04:29:09.783651 Out 64:87:88:3a:38:07 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 40, p 0, ethertype ARP, arp who-has 192.168.40.20 tell 192.168.40.1
04:29:10.583067 Out 64:87:88:3a:38:07 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 40, p 0, ethertype ARP, arp who-has 192.168.40.20 tell 192.168.40.1
04:29:11.183048 Out 64:87:88:3a:38:07 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 40, p 0, ethertype ARP, arp who-has 192.168.40.20 tell 192.168.40.1
04:29:11.983058 Out 64:87:88:3a:38:07 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 40, p 0, ethertype ARP, arp who-has 192.168.40.20 tell 192.168.40.1
...
b) Mikrotik with command (can see broadcasts):

[admin@802.1_test] /tool sniffer> /tool sniffer start interface=wlan1 mac-address=64:87:88:3A:38:07,FF:FF:FF:FF:FF:FF
[admin@802.1_test] /tool sniffer> packet print detail 
 0 time=0.052 num=1 direction=tx src-mac=64:87:88:3A:38:07 dst-mac=FF:FF:FF:FF:FF:FF vlan=40 interface=wlan1 protocol=arp size=60 
   cpu=0 fp=no 

 1 time=0.951 num=2 direction=tx src-mac=64:87:88:3A:38:07 dst-mac=FF:FF:FF:FF:FF:FF vlan=40 interface=wlan1 protocol=arp size=60 
   cpu=0 fp=no 

 2 time=1.752 num=3 direction=tx src-mac=64:87:88:3A:38:07 dst-mac=FF:FF:FF:FF:FF:FF vlan=40 interface=wlan1 protocol=arp size=60 
   cpu=0 fp=no 

 3 time=2.452 num=4 direction=tx src-mac=64:87:88:3A:38:07 dst-mac=FF:FF:FF:FF:FF:FF vlan=40 interface=wlan1 protocol=arp size=60 
   cpu=0 fp=no 
c) client (can't see any broadcast, even though they should be sent by Mikrotik):
[root@bsd /usr/home/root_test]# tcpdump -nevvvvi wlan0 
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
04:30:23.171062 4c:5e:0c:e9:0e:29 > 68:a3:c4:f4:a6:12, ethertype EAPOL (0x888e), length 145: EAPOL key (3) v1, len 127
04:30:23.171202 68:a3:c4:f4:a6:12 > 4c:5e:0c:e9:0e:29, ethertype EAPOL (0x888e), length 113: EAPOL key (3) v1, len 95
04:30:43.189929 4c:5e:0c:e9:0e:29 > 68:a3:c4:f4:a6:12, ethertype IPv4 (0x0800), length 14: IP0 [|ip]
04:31:03.456878 4c:5e:0c:e9:0e:29 > 68:a3:c4:f4:a6:12, ethertype IPv4 (0x0800), length 14: IP0 [|ip]
04:31:23.460539 4c:5e:0c:e9:0e:29 > 68:a3:c4:f4:a6:12, ethertype IPv4 (0x0800), length 14: IP0 [|ip]
 
uldis
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: CAPsMAN, VLAN bridge and bidirectional broadcast

Fri Mar 11, 2016 10:43 am

Try setting the multicast-helper for the cap interface to full.
 
lpalochka
just joined
Topic Author
Posts: 4
Joined: Wed Mar 09, 2016 1:03 pm

Re: CAPsMAN, VLAN bridge and bidirectional broadcast

Fri Mar 11, 2016 1:18 pm

Thank you so much. I still can't understand why this option influences broadcast, however it solved the issue. Btw, if anyone could explain why I should set multicast-helper to full, I'd be very grateful.
 
uldis
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: CAPsMAN, VLAN bridge and bidirectional broadcast (SOLVED)

Fri Mar 11, 2016 6:18 pm

The per-interface VLAN tag can be overridden on a per-client basis by means of access-list and RADIUS attributes (for both regular wireless and the wireless controller).

This way traffic can be separated between wireless clients even on the same interface, but must be used with care - only "interface VLAN" broadcast/multicast traffic will be sent out. If working broadcast/multicast is necessary for other (overridden) VLANs as well, multicast-helper can be used for now (this changes every multicast packet to unicast and then it is only sent to clients with matching VLAN ids).
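The behaviour described in the reply above, as an added example that is not part of the thread and not RouterOS code: a small Python model of an AP's downstream forwarding when clients carry a RADIUS-assigned VLAN that differs from the interface VLAN, with multicast-helper disabled and with it set to full. The MAC addresses and VLAN 40 are taken from the captures in the thread; the assumption that the cap interface has no VLAN of its own, and the forwarding rules themselves, are a simplification for illustration.

```python
"""
Added example (not from the thread, not RouterOS code): model of downstream
forwarding on an AP whose clients have per-client VLANs (access-list /
RADIUS) that override the interface VLAN, with and without
multicast-helper=full.

Assumptions: the 802.1Q tag is stripped before a frame goes over the air
(the client-side capture in the thread shows untagged ARP on wlan0), the
cap interface has no VLAN of its own, and MACs are those from the thread.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """True for multicast and broadcast (I/G bit of the first octet set)."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int]   # 802.1Q tag as seen on the wired side; None = untagged
    payload: str


@dataclass
class Client:
    mac: str
    vlan: Optional[int]   # VLAN pushed by access-list/RADIUS; None = interface VLAN


@dataclass
class AccessPoint:
    interface_vlan: Optional[int]
    multicast_helper: str                       # "disabled" or "full"
    clients: List[Client] = field(default_factory=list)

    def client_vlan(self, c: Client) -> Optional[int]:
        return c.vlan if c.vlan is not None else self.interface_vlan

    def forward_downstream(self, frame: Frame) -> List[Tuple[str, Frame]]:
        """Return (receiver MAC, frame as sent over the air) pairs."""
        def untagged(dst: str) -> Frame:
            return Frame(frame.src, dst, None, frame.payload)

        if not is_group(frame.dst):
            # Unicast: deliver only to the client owning dst, and only if the
            # tag on the wire matches that client's VLAN. This is why the
            # ARP reply and ICMP echo in the thread worked with a static IP.
            return [(c.mac, untagged(frame.dst)) for c in self.clients
                    if c.mac == frame.dst and self.client_vlan(c) == frame.vlan]
        if self.multicast_helper == "full":
            # Helper: one unicast copy per client whose VLAN matches the tag.
            return [(c.mac, untagged(c.mac)) for c in self.clients
                    if self.client_vlan(c) == frame.vlan]
        # Helper disabled: a single over-the-air group frame, which can only
        # carry the interface VLAN. Group frames of overridden VLANs are lost.
        if frame.vlan != self.interface_vlan:
            return []
        return [(c.mac, untagged(frame.dst)) for c in self.clients
                if self.client_vlan(c) == frame.vlan]


# Constructed scenario with the thread's addresses: gateway/DHCP server on
# VLAN 40, two clients placed into VLAN 40 by RADIUS.
GATEWAY = "64:87:88:3a:38:07"
DELL = "00:24:d6:21:6d:e4"
BSD = "68:a3:c4:f4:a6:12"

DHCP_OFFER = Frame(GATEWAY, BROADCAST, 40, "DHCP Offer xid 0x3d11c7e7")
ARP_REQUEST = Frame(GATEWAY, BROADCAST, 40, "arp who-has 192.168.40.20")
ARP_REPLY = Frame(GATEWAY, BSD, 40, "arp reply 192.168.40.1")


def build_ap(multicast_helper: str) -> AccessPoint:
    return AccessPoint(interface_vlan=None, multicast_helper=multicast_helper,
                       clients=[Client(DELL, 40), Client(BSD, 40)])


def receivers(multicast_helper: str, frame: Frame) -> List[str]:
    """Client MACs that actually get `frame` under the given helper setting."""
    return [mac for mac, _ in build_ap(multicast_helper).forward_downstream(frame)]


if __name__ == "__main__":
    for name, f in (("DHCP offer", DHCP_OFFER), ("ARP request", ARP_REQUEST),
                    ("ARP reply", ARP_REPLY)):
        for mode in ("disabled", "full"):
            print(f"{name:12s} helper={mode:8s} -> {receivers(mode, f)}")
```

Running it reproduces the thread's symptoms: with the helper disabled, the unicast ARP reply reaches the BSD client but the broadcast DHCP offer and the gateway's ARP request reach nobody, because the only group frame the AP can transmit is the interface VLAN's; with multicast-helper=full each group frame is rewritten to one unicast frame per client whose VLAN matches the tag, so both clients receive the offer.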
