I'm trying to add a guest VLAN to a legacy config and I'm encountering issues when I use a VLAN on the master interface.
The legacy setup uses a CCR cloud series router (RouterOS 6.44.6) to connect to the ISP over fibre, with untagged hosts and tagged VLANs, and an hAP ax2 (RouterOS 7.12.1) with more untagged hosts and tagged VLANs. The CCR and HAP are bridged together. The CCR does all the DHCP and routing.
Then I purchased an Audience and reinstalled it with RouterOS 7.12.1 so it could get its WiFi config from the HAP using capsman and both routers would be using the same wifiwave2. Everything works OK with my WiFi clients untagged.
Next I tried to configure another VLAN for guest WiFi, but inevitably encountered the issue that you can't have a VLAN-tagged slave wifi on an untagged master wifi because the slave interface can't join the bridge. (PS: I tried tagged master and untagged slave, same issue.)
Here is that setup:
[admin@HAP] > /interface/wifiwave2/configuration/print detail
Flags: X - disabled
0 name="5ghz" ssid="privateSSID=5G" country=Switzerland security=sec1
1 name="2ghz" ssid="privateSSID" country=Switzerland security=sec1
2 name="5ghz-backend" mode=station-bridge ssid="privateSSID-5G" country=Switzerland security=sec1
channel.band=5ghz-ac
3 name="2ghz-backend" mode=station-bridge ssid="privateSSID" country=Switzerland security=sec1
channel.band=2ghz-n
4 name="5ghz-guest" ssid="guestSSID-5G" country=Switzerland security=sec2
datapath.vlan-id=200
5 name="2ghz-guest" ssid="guestSSID" country=Switzerland security=sec2
datapath.vlan-id=200
[admin@HAP] > /interface/wifiwave2/provisioning/print detail
Flags: X - disabled
0 supported-bands=5ghz-ax action=create-enabled master-configuration=5ghz slave-configurations=5ghz-guest
1 supported-bands=2ghz-ax action=create-enabled master-configuration=2ghz slave-configurations=2ghz-guest
2 radio-mac=XXXXXXX supported-bands=5ghz-ac action=create-dynamic-enabled master-configuration=5ghz-backend
3 supported-bands=2ghz-n action=create-dynamic-enabled master-configuration=2ghz slave-configurations=2ghz-guest
4 supported-bands=5ghz-ac action=create-dynamic-enabled master-configuration=5ghz slave-configurations=5ghz-guest
[admin@HAP] > /interface/wifiwave2/print detail
Flags: M - master; D - dynamic; B - bound; X - disabled, I - inactive, R - running
0 M B default-name="wifi2" name="ax2-2ghz" l2mtu=1560 mac-address=XXXXXXX arp-timeout=auto radio-mac=XXXXX configuration=2ghz
1 B name="ax2-2ghz-guest" l2mtu=1560 mac-address=XXXXXX arp-timeout=auto master-interface=ax2-2ghz configuration=2ghz-guest
2 M BR default-name="wifi1" name="ax2-5ghz" l2mtu=1560 mac-address=XXXXXX arp-timeout=auto radio-mac=XXXXXX configuration=5ghz
3 BR name="ax2-5ghz-guest" l2mtu=1560 mac-address=XXXXXX arp-timeout=auto master-interface=ax2-5ghz configuration=5ghz-guest
4 MDB name="cap-wifi1" mac-address=XXXXXX arp-timeout=auto radio-mac=XXXXXX configuration=2ghz
5 DB ;;; vlan-id configured, but interface does not support assigning vlans
name="cap-wifi2" mac-address=XXXXXX arp-timeout=auto master-interface=cap-wifi1 configuration=2ghz-guest
6 MDB name="cap-wifi3" mac-address=XXXXX arp-timeout=auto radio-mac=XXXXXX configuration=5ghz
7 DB ;;; vlan-id configured, but interface does not support assigning vlans
name="cap-wifi4" mac-address=1A:FD:74:FA:4D:D4 arp-timeout=auto master-interface=cap-wifi3 configuration=5ghz-guest
[admin@HAP] > /interface/bridge/port/print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
...
3 ;;; defconf
interface=ether5 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes
auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
4 ;;; defconf
interface=ax2-5ghz bridge=bridge priority=0x20 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none
auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
5 I ;;; defconf
interface=ax2-2ghz bridge=bridge priority=0x30 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none
auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
7 I interface=ax2-2ghz-guest bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none
auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
8 I interface=ax2-5ghz-guest bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none
auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes
unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
[admin@HAP] > /interface/wifiwave2/cap/print
as-value file interval without-paging
[admin@WifiMikroTik] > /interface/wifiwave2/cap/print
enabled: yes
caps-man-addresses: 127.0.0.1
[admin@HAP] > /interface/wifiwave2/capsman/
remote-cap edit export get print set
[admin@HAP] > /interface/wifiwave2/capsman/print
enabled: yes
interfaces: bridge
ca-certificate: auto
require-peer-certificate: no
upgrade-policy: suggest-same-version
generated-ca-certificate: CAPsMAN-CA-XXXXXX
generated-certificate: CAPsMAN-XXXXXX
[admin@HAP] > /interface/wifiwave2/capsman/remote-cap/print detail
0 address="" identity="Audience-1" board-name="RBD25G-5HPacQD2HPnD" serial="XXXXX" version="7.12.1" base-mac=XXXX common-name="" state="Ok"
[admin@Audience-1] > /interface/wifiwave2/cap print
enabled: yes
discovery-interfaces: bridge
certificate: none
caps-man-addresses: XXXX,YYYY
lock-to-caps-man: no
[admin@Audience-1] > /interface/wifiwave2/capsman/print
enabled: no
generated-ca-certificate: CAPsMAN-CA-XXXXX
generated-certificate: CAPsMAN-XXXXX
/interface/wifiwave2/configuration/set datapath.vlan-id=100 numbers=0,1
and now capsman doesn't work, yet I can see that the Audience has connected from its MAC address in the registration table:
[admin@HAP] > /interface/wifiwave2/print detail
Flags: M - master; D - dynamic; B - bound; X - disabled, I - inactive, R - running
0 M B default-name="wifi2" name="ax2-2ghz" l2mtu=1560 mac-address=XXXXX arp-timeout=auto radio-mac=XXXXXX configuration=2ghz
1 B name="ax2-2ghz-guest" l2mtu=1560 mac-address=XXXXXXX arp-timeout=auto master-interface=ax2-2ghz configuration=2ghz-guest
2 M BR default-name="wifi1" name="ax2-5ghz" l2mtu=1560 mac-address=XXXXXX arp-timeout=auto radio-mac=XXXXXXX configuration=5ghz
3 B name="ax2-5ghz-guest" l2mtu=1560 mac-address=XXXXXX arp-timeout=auto master-interface=ax2-5ghz configuration=5ghz-guest
[admin@HAP] > /interface/wifiwave2/registration-table/print
Flags: A - AUTHORIZED
Columns: INTERFACE, SSID, MAC-ADDRESS, UPTIME, SIGNAL
# INTERFACE SSID MAC-ADDRESS UPTIME SIGNAL
0 A ax2-5ghz KensWifiLAN2_5G XXXXXXX 1m29s -58
[admin@HAP] > /interface/wifiwave2/capsman/remote-cap/print detail
[admin@HAP] >
I also cannot ping the Audience on either of its IP addresses.
What needs to be changed to get capsman to work?