carcuevas
just joined
Topic Author
Posts: 10
Joined: Sun Jan 07, 2024 11:37 pm

Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 [SOLVED]

Wed Mar 20, 2024 10:56 pm

Hello guys,
I am now in a very interesting situation: for the past few days I have been trying to make CAPsMAN work on an RB5009. I have installed the `wifi-qcom` package on the RB5009, and after much testing I could partially make CAPsMAN work. The setup I have is the following:

RB5009 uses Ether1 and Ether2 in bonding (and bridged) to one Switch (which works but it's not in the scope of this problem I guess).
RB5009 uses Ether7 to connect to the CAP 5HaxD2HaxD ether1.

I use various VLANs:
vlan_id=99 for Management
vlan_id=10 for employees
vlan_id=80 for guests
vlan_id=90 configured but not in use yet.


Also I assume that `wifi-qcom` works differently from `wifi-qcom-ac` on rOS v7.14.1, meaning that I do NOT need to specify the VLANs on the CAPs, so it is enough to do it in CAPsMAN as usual...

But I have 2 weird problems:

1- Even though I configured the IP on the bridge of the CAP (also the route), I cannot ping the CAPsMAN, nor can I ping 1.1.1.1 for example from the CAP. But somehow the CAP can connect to the CAPsMAN and create the WIFI ... :shock: :shock: I guess CAPsMAN works at a lower layer, but I guess this is not right in my installation.

2- I can make the CAP work with a primary SSID, but I tried to specify the `ih-guest` SSID as a slave; it is created, but when joining that WIFI I am not receiving any IP address from the DHCP server.

I have been stuck with this for days, and I am not sure what I am doing wrong.... So I wanted to ask if one of you could please check my configs; I don't see where the problem can be ....


For the CAPsMAN:
# model = RB5009UPr+S+
# serial number = XXXXXXXXXXXX
/interface bridge
add name=bridge1 pvid=99 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Bonding to switch1 Switch Port1" \
    poe-out=off
set [ find default-name=ether2 ] comment="Bonding to switch1 Switch Port2" \
    poe-out=off
set [ find default-name=ether5 ] comment="ADMIN ETH" name=ether5-access
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\
    "ISP WAN" name=sfp speed=1G-baseT-full
/interface wifi
add name=cap-wifi1 radio-mac=AA:BB:CC:DD:EE:30
/interface vlan
add comment="Guests VLAN80 for WIFI" interface=bridge1 name=guests vlan-id=80
add comment="employees vlan" interface=bridge1 name=vlan10 vlan-id=10
add comment="sysadmins vlan" interface=bridge1 name=vlan90 vlan-id=90
add comment="Admin Vlan" interface=bridge1 name=vlan99 vlan-id=99
/interface bonding
add comment="Bonding Trunk for Switch" mode=802.3ad name=bonding_to_switch \
    slaves=ether1,ether2
/interface list
add comment="all Vlans" name=VLAN
add comment="The WAN" name=WAN
add comment="Where the admin VLAN is trunk" name=BASE
add comment="The Interface list needed for ADMINS" name=ADMIN
/interface wifi channel
add band=5ghz-ax disabled=no frequency=\
    5230-5250,5210-5230,5190-5210,5170-5190 name=5GHz_US_bands width=20/40mhz
/interface wifi datapath
add bridge=bridge1 comment="Employees VLAN WIFI" disabled=no name=\
    employees_wifi_datapath vlan-id=10
add bridge=bridge1 comment="Employees VLAN WIFI" disabled=no name=\
    guests_datapath vlan-id=80
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment=\
    "Security Profile for Employees wifi" disabled=no name=\
    employees_wifi_security_profile wps=disable
add authentication-types=wpa2-psk,wpa3-psk comment=\
    "Security Profile for Employees wifi" disabled=no name=\
    guests_wifi_security_profile wps=disable
/interface wifi configuration
add channel=5GHz_US_bands comment="Employees WIFI 5GHz" country=\
    "United States" datapath=employees_wifi_datapath disabled=no name=\
    5g_employees security=employees_wifi_security_profile ssid=ihconau2
add channel=5GHz_US_bands comment="Employees WIFI 5GHz" country=\
    "United States" datapath=guests_datapath disabled=no name=5g_guests \
    security=employees_wifi_security_profile ssid=ih-guests
/ip pool
add comment="employees vlan10" name=vlan10 ranges=\
    192.168.10.10-192.168.10.254
add comment="sysadmin vlan90" name=vlan90 ranges=192.168.90.10-192.168.90.254
add comment="ip pool for ether5" name=ether5 ranges=10.0.0.10-10.0.0.20
add comment="ip pool for admin vlan99" name=vlan99 ranges=\
    10.0.99.2-10.0.99.254
add comment="Guests vlan80" name=vlan80 ranges=10.0.80.10-10.0.80.254
/ip dhcp-server
add address-pool=vlan10 comment="For employees vlan10" interface=vlan10 \
    lease-time=10m name=vlan10
add address-pool=vlan90 comment="For sysadmins vlan90" interface=vlan90 \
    lease-time=10m name=vlan90
add address-pool=ether5 comment="DHCP for eth5 access" interface=\
    ether5-access lease-time=5d name=ether5
add address-pool=vlan99 comment="For admin vlan99" disabled=yes interface=\
    vlan99 lease-time=10m name=vlan99
add address-pool=vlan80 comment="For guests vlan80" interface=guests \
    lease-time=10m name=vlan80
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7 pvid=99
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=bonding_to_switch pvid=99
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 comment="Base VLAN99" tagged=bonding_to_switch,bridge1 \
    untagged=ether6,ether8,ether7 vlan-ids=99
add bridge=bridge1 comment="Employees VLAN10" tagged=\
    ether6,ether7,ether8,bonding_to_switch,bridge1 vlan-ids=10
add bridge=bridge1 comment="Sysadmins VLAN90" tagged=\
    ether6,ether7,ether8,bonding_to_switch,bridge1 vlan-ids=90
add bridge=bridge1 comment="Guests VLAN80" tagged=\
    bridge1,bonding_to_switch,ether7 vlan-ids=80
/interface list member
add comment=VLAN10 interface=vlan10 list=VLAN
add comment=VLAN90 interface=vlan90 list=VLAN
add comment=VLAN99 interface=vlan99 list=VLAN
add comment="BASE just vlan99" interface=vlan99 list=BASE
add comment="admin vlan99" interface=vlan99 list=ADMIN
add comment="Sysadmin from vlan90" interface=vlan90 list=ADMIN
add interface=sfp list=WAN
/interface wifi access-list
add action=reject comment="Reject anonymous MACs for WIFIs" disabled=yes \
    mac-address=02:00:00:00:00:00 mac-address-mask=02:00:00:00:00:00
/interface wifi cap
set enabled=yes slaves-static=yes
/interface wifi capsman
set enabled=yes interfaces=BASE package-path="" require-peer-certificate=no \
    upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment="Employees 5Ghz provisioning" \
    disabled=no master-configuration=5g_employees slave-configurations=\
    5g_guests supported-bands=5ghz-ax
/ip address
add address=10.0.99.1/24 comment="admin vlan99 Ip addresses" interface=vlan99 \
    network=10.0.99.0
add address=192.168.10.1/24 comment="employees vlan_10 Ip addresses" \
    interface=vlan10 network=192.168.10.0
add address=192.168.90.0/24 comment="sysadmins vlan90 Ip addresses" \
    interface=vlan90 network=192.168.90.0
add address=10.0.0.1/24 comment="Admin IP for eth5" interface=ether5-access \
    network=10.0.0.0
add address=aaa.bbb.ccc.234/29 comment="Main IP for ISP Router" \
    interface=sfp network=aaa.bbb.ccc.232
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1,8.8.4.4 gateway=10.0.0.1
add address=10.0.80.0/24 comment="Guests vlan80 network" dns-server=\
    1.1.1.1,8.8.4.4 gateway=10.0.80.1
add address=10.0.99.0/24 comment="Admin vlan90 network" dns-server=\
    1.1.1.1,8.8.4.4 gateway=10.0.99.1
add address=192.168.10.0/24 comment="employees vlan10 network" dns-server=\
    192.168.10.1 gateway=192.168.10.1
add address=192.168.90.0/24 comment="Syadmins vlan99 network" dns-server=\
    192.168.90.1 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4
/ip firewall filter
add action=drop chain=input comment="DROP DNS tcp port 53 from WAN" dst-port=\
    53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="DROP DNS udp port 53 from WAN" dst-port=\
    53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=accept chain=input comment=\
    "Allow ICMP to WAN From Wan for monitoring" in-interface-list=WAN \
    protocol=icmp src-address-list=Wan_monitoring
add action=drop chain=input comment="drop ICMP to WAN" in-interface-list=WAN \
    protocol=icmp
add action=accept chain=input comment="Accept Loopback for CAPSMAN" \
    dst-address=127.0.0.1
add action=accept chain=input comment="Allow everything from VLANs" \
    in-interface-list=VLAN
add action=accept chain=input comment="Allow Admin VLAN full access" \
    in-interface-list=BASE
add action=drop chain=input comment="DROP REST OF INPUT" in-interface-list=\
    WAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "Drop everything Forward from VLANs- TO ACTIVE WHEN TESTED" \
    in-interface-list=VLAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade WAN" \
    out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip route
add comment="Main Wan Gateway" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=aaa.bbb.ccc.233 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/24,10.0.69.0/24,10.0.99.0/24,192.168.90.0/24
set api disabled=yes
set winbox address=\
    10.0.0.0/24,10.0.69.0/24,10.0.99.0/24,192.168.90.0/24,192.168.10.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=America/Chicago
/system identity
set name=router01
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
add address=europe.pool.ntp.org
/tool romon
set enabled=yes


For the CAP:
# model = cAPGi-5HaxD2HaxD
# serial number = XXXXXXXXXXX
/interface bridge
add name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: ihconau2, channel: 5220/ax/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
    disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1 pvid=99
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip address
add address=10.0.99.101 interface=bridgeLocal network=10.0.99.0
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.99.1
/system note
set show-at-login=no

Many many thanks in advance !! :)
Last edited by carcuevas on Wed Mar 27, 2024 8:37 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 :

Thu Mar 21, 2024 8:33 am

Start reading help page with example.
And since you did not specify the version ... as of 7.13 it's not needed to have wifi-qcom installed on the capsman controller.

https://help.mikrotik.com/docs/display/ ... ionexample:


PS side question: why capsman with only 1 cAP AX ? Doesn't make sense.
 
carcuevas
just joined
Topic Author
Posts: 10
Joined: Sun Jan 07, 2024 11:37 pm

Re: Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 :

Thu Mar 21, 2024 7:27 pm

Well, the idea is to use between 4 and 6 CAPs, but I wanted to make one work first and then add the rest of them..

I actually read this document, and it was not that clear to me (maybe because I am not a native speaker), or I did not immediately get that if the CAPsMAN server does not have the radios there is no need to install wifi-qcom; somehow I overlooked this...

Also, the configuration from there is, I think, a bit different: there is no use of a management VLAN (in my case vlan_id:99), but now I am wondering if it's really needed to have a management VLAN (this is what I saw in some of the documentation as best practice some time ago, so I always followed it)... but maybe this is why it's behaving like this...

PS: I read that the management VLAN is still recommended as best practice for security reasons.... Wondering if maybe I need to enable VLAN filtering on the CAP bridge... :?
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 :

Thu Mar 21, 2024 8:55 pm

Complicated ...

If you want to use a management VLAN (which indeed is recommended, make no mistake there), you should enable VLAN filtering on the cap to make it airtight.
But the current implementation of wave2 capsman does not support dynamic VLAN setup via datapath on a VLAN-enabled bridge; it can only work if VLAN filtering is NOT enabled.
So you need to go all the way with VLANs then: set up all ports etc. manually for VLAN, AND you can only use create-enabled interfaces to be sure the same interface will end up on the same VLAN, and not use datapath to steer that VLAN assignment. It will be done on the cap via the bridge.
That's how I understood it should be done in the current situation.

I'm sure it's a SW limitation somewhere (the device can use VLANs without any problem), but it seems to require quite some time before they can get it ironed out in the capsman context.

The linked reference should work perfectly, only no dedicated management VLAN.
 
carcuevas
just joined
Topic Author
Posts: 10
Joined: Sun Jan 07, 2024 11:37 pm

Re: Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 :

Thu Mar 21, 2024 9:41 pm

Uhmm, this is what I expected, but I even tried that approach and failed miserably... but later I thought that this problem of needing to define the VLANs in the CAPs was just for wifi-qcom-ac, not for wifi-qcom... at least that is what I understood from the documentation, and the truth is that I get nearer to a working solution with the configs I attached to this post... It's just that I am not able to reach the CAPsMAN via IP, and I cannot make DHCP work for the slave wifis...

PS: I tried enabling VLAN filtering on the bridge of the CAP and it didn't help much; actually it made it worse, since the main WIFI was not able to assign an IP either...
PS2: According to this post, it should not be necessary to add the VLANs manually on the CAP: viewtopic.php?t=202377
 
carcuevas
just joined
Topic Author
Posts: 10
Joined: Sun Jan 07, 2024 11:37 pm

Re: Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 :

Mon Mar 25, 2024 7:46 pm

OK, I have tried once more to define the VLANs and so on in the CAPs, as follows:
/interface bridge
add name=bridge1 priority=0x2000 protocol-mode=mstp region-name=us region-revision=1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Trunk l2mtu=1560
/interface wifi
# no connection to CAPsMAN
add configuration.manager=capsman .mode=ap disabled=no 
add configuration.mode=ap disabled=no master-interface=wifi1 name=wifi1slave1
# no connection to CAPsMAN
add configuration.manager=capsman .mode=ap disabled=no
add configuration.mode=ap disabled=no master-interface=wifi2 name=wifi2slave1
/interface vlan
add interface=bridge1 name=mgmt99 vlan-id=99
/interface bridge port
add bridge=bridge1 edge=no interface=ether1
add bridge=bridge1 edge=yes interface=wifi1 pvid=10
add bridge=bridge1 edge=yes interface=wifi1slave1 pvid=80
add bridge=bridge1 edge=yes interface=wifi2 pvid=10
add bridge=bridge1 edge=yes interface=wifi2slave1 pvid=80
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=80
/interface wifi cap
set caps-man-addresses=10.0.99.1 enabled=yes slaves-static=yes
/ip address
add address=10.0.99.101 interface=mgmt99 network=10.0.99.0
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.99.1
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/tool romon
set enabled=yes

No luck at all; like this, not only can I not ping for example the CAPsMAN on 10.0.99.1, but also the CAPs are not starting the SSIDs, since they cannot connect at all to the CAPsMAN ...
 /interface/wifi> print 
Flags: M - MASTER; B - BOUND; I - INACTIVE
Columns: NAME, MASTER-INTERFACE, CONFIGURATION.MODE
#     NAME         MASTER-INTERFACE  CONFIGURATION.MODE
;;; no connection to CAPsMAN
0 MBI wifi1                          ap                
1   I wifi1slave1  wifi1             ap                
;;; no connection to CAPsMAN
2 MBI wifi2                          ap                
3   I wifi2slave1  wifi2             ap 
 /ping 10.0.99.1  
  SEQ HOST                                     SIZE TTL TIME       STATUS                                          
    0                                                              no route to host                                
    1                                                              no route to host                                
    sent=2 received=0 packet-loss=100% 


So I am still very stuck with this... not sure what to do now... I do not want to remove the management VLAN since this will be in production.
 
carcuevas
just joined
Topic Author
Posts: 10
Joined: Sun Jan 07, 2024 11:37 pm

Re: Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 :

Tue Mar 26, 2024 12:58 am

With the following config on the CAP, I am nearly there: I can ping the CAPsMAN server, the main WIFI from the CAPsMAN is working, and the DHCP server is also working for the slave WIFI, but for some reason there is no internet on the guests SSID, using vlan80...

The CAP config
/interface bridge
add ingress-filtering=no name=bridge1 port-cost-mode=short priority=0x2000 pvid=99 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Trunk l2mtu=1560
/interface vlan
add comment="Managment VLAN99" interface=bridge1 name=MGMT vlan-id=99
/interface wifi datapath
add bridge=bridge1 disabled=no name=vlan10_employees vlan-id=10
add bridge=bridge1 disabled=no name=vlan80_guests vlan-id=80
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: ihconau2, channel: 5220/ax/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=vlan10_employees disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=vlan10_employees disabled=no
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10 pvid=99
/interface bridge vlan
add bridge=bridge1 comment="For mgmt vlan99" tagged=bridge1 vlan-ids=99
add bridge=bridge1 comment="For employees vlan10" tagged=bridge1,ether1 vlan-ids=10
add bridge=bridge1 comment="For Guests vlan80" tagged=bridge1,ether1 vlan-ids=80
/interface wifi cap
set caps-man-addresses=10.0.99.1 enabled=yes slaves-datapath=vlan80_guests slaves-static=no
/ip address
add address=10.0.99.101/24 comment="admin vlan ip" interface=MGMT network=10.0.99.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.99.1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=au1-core-ap02
/system note
set show-at-login=no
/tool romon
set enabled=yes

The CAPsMAN server config
/interface wifi
# SSID not set
add configuration.mode=ap disabled=no name=cap-wifi1 
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5230-5250,5210-5230,5190-5210,5170-5190 \
    name=5GHz_US_bands width=20/40mhz
add band=2ghz-ax disabled=no frequency=2412,2432,2422,2442 name=\
    2GHZ_AX_US_BANDS secondary-frequency=2417,2427,2437 skip-dfs-channels=all \
    width=20mhz
/interface wifi datapath
add bridge=bridge1 comment="Employees VLAN WIFI" disabled=no name=\
    employees_wifi_datapath vlan-id=10
add bridge=bridge1 comment="GUESTS VLAN80 WIFI" disabled=no name=\
    guests_wifi_datapath vlan-id=80
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment=\
    "Security Profile for Employees wifi" disabled=no name=\
    employees_wifi_security_profile wps=disable
add authentication-types=wpa2-psk,wpa3-psk comment=\
    "Security Profile for Employees wifi" disabled=no name=\
    guests_wifi_security_profile wps=disable
/interface wifi configuration
add channel=5GHz_US_bands comment="Employees WIFI 5GHz" country=\
    "United States" datapath=employees_wifi_datapath disabled=no name=\
    5g_employees security=employees_wifi_security_profile ssid=ihconau2
add channel=5GHz_US_bands comment="GUESTS WIFI 5GHz" country="United States" \
    datapath=guests_wifi_datapath disabled=no name=5g_guests security=\
    guests_wifi_security_profile ssid=ih-guests
add channel=2GHZ_AX_US_BANDS comment="Employees WIFI 2.4GHz" country=\
    "United States" datapath=employees_wifi_datapath disabled=no name=\
    2g_employees security=employees_wifi_security_profile ssid=ihconau2
add channel=2GHZ_AX_US_BANDS comment="GUESTS WIFI 5GHz" country=\
    "United States" datapath=guests_wifi_datapath disabled=no name=2g_guests \
    security=guests_wifi_security_profile ssid=ih-guests
/interface wifi access-list
add action=reject comment="Reject anonymous MACs for WIFIs" disabled=yes \
    mac-address=02:00:00:00:00:00 mac-address-mask=02:00:00:00:00:00
/interface wifi cap
set enabled=yes slaves-static=yes
/interface wifi capsman
set enabled=yes interfaces=BASE package-path="" require-peer-certificate=no \
    upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment="Employees 5Ghz provisioning" \
    disabled=no master-configuration=5g_employees slave-configurations=\
    5g_guests supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="Employees 2.4Ghz provisioning" \
    disabled=no master-configuration=2g_employees slave-configurations=\
    2g_guests supported-bands=2ghz-ax



edit: A couple of corrections... I am nearly there, but I don't know why I still cannot get to the internet from the guest network with this config...
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 :

Tue Mar 26, 2024 6:11 am

Obviously your problem is in the vlan part, which you did not show.

Full config for both please.
 
carcuevas
just joined
Topic Author
Posts: 10
Joined: Sun Jan 07, 2024 11:37 pm

Re: Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 :

Tue Mar 26, 2024 5:52 pm

thanks,

The VLANs involved are:

vlan_id=99 for Management (10.0.99.0/24)
vlan_id=10 for employees (192.168.10.0/24)
vlan_id=80 for guests (10.0.80.0/24)

And the full configs are:




For CAPsMAN server
# 2024-03-26 10:37:28 by RouterOS 7.14.1
# software id = E10X-RDVX
#
# model = RB5009UPr+S+

/interface bridge
add name=bridge1 pvid=99 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Bonding to au1-usw-01 Switch Port1" \
    poe-out=off
set [ find default-name=ether2 ] comment="Bonding to au1-usw-01 Switch Port2" \
    poe-out=off
set [ find default-name=ether5 ] comment="ADMIN ETH" name=ether5-access
set [ find default-name=ether8 ] comment="Temporarily for swtich in VLAN10"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\
    "ISP WAN" name=sfp speed=1G-baseT-full
/interface wifi
# SSID not set
add configuration.mode=ap disabled=no name=cap-wifi1 radio-mac=\
    AA:BB:CC:DD:EE:FF
/interface vlan
add comment="Guests VLAN80 for WIFI" interface=bridge1 name=guests_v80 \
    vlan-id=80
add comment="employees vlan" interface=bridge1 name=vlan10 vlan-id=10
add comment="sysadmins vlan" interface=bridge1 name=vlan90 vlan-id=90
add comment="Admin Vlan" interface=bridge1 name=vlan99 vlan-id=99
/interface bonding
add comment="Bonding Trunk for Switch" mode=802.3ad name=bonding_to_switch \
    slaves=ether1,ether2
/interface list
add comment="all Vlans" name=VLAN
add comment="The WAN" name=WAN
add comment="Where the admin VLAN is trunk" name=BASE
add comment="The Interface list needed for ADMINS" name=ADMIN
/interface wifi channel
add band=5ghz-ax disabled=no frequency=\
    5230-5250,5210-5230,5190-5210,5170-5190 name=5GHz_US_bands width=20/40mhz
add band=2ghz-ax disabled=no frequency=2412,2432,2422,2442 name=\
    2GHZ_AX_US_BANDS secondary-frequency=2417,2427,2437 skip-dfs-channels=all \
    width=20mhz
/interface wifi datapath
add bridge=bridge1 comment="Employees VLAN WIFI" disabled=no name=\
    employees_wifi_datapath vlan-id=10
add bridge=bridge1 comment="GUESTS VLAN80 WIFI" disabled=no name=\
    guests_wifi_datapath vlan-id=80
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment=\
    "Security Profile for Employees wifi" disabled=no name=\
    employees_wifi_security_profile wps=disable
add authentication-types=wpa2-psk,wpa3-psk comment=\
    "Security Profile for Employees wifi" disabled=no name=\
    guests_wifi_security_profile wps=disable
/interface wifi configuration
add channel=5GHz_US_bands comment="Employees WIFI 5GHz" country=\
    "United States" datapath=employees_wifi_datapath disabled=no name=\
    5g_employees security=employees_wifi_security_profile ssid=ihconau2
add channel=5GHz_US_bands comment="GUESTS WIFI 5GHz" country="United States" \
    datapath=guests_wifi_datapath disabled=no name=5g_guests security=\
    guests_wifi_security_profile ssid=ih-guests
add channel=2GHZ_AX_US_BANDS comment="Employees WIFI 2.4GHz" country=\
    "United States" datapath=employees_wifi_datapath disabled=no name=\
    2g_employees security=employees_wifi_security_profile ssid=ihconau2
add channel=2GHZ_AX_US_BANDS comment="GUESTS WIFI 5GHz" country=\
    "United States" datapath=guests_wifi_datapath disabled=no name=2g_guests \
    security=guests_wifi_security_profile ssid=ih-guests
/ip pool
add comment="employees vlan10" name=vlan10 ranges=\
    192.168.10.10-192.168.10.254
add comment="sysadmin vlan90" name=vlan90 ranges=192.168.90.10-192.168.90.254
add comment="ip pool for ether5" name=ether5 ranges=10.0.0.10-10.0.0.20
add comment="ip pool for admin vlan99" name=vlan99 ranges=\
    10.0.99.2-10.0.99.254
add comment="Guests vlan80" name=vlan80 ranges=10.0.80.10-10.0.80.254
/ip dhcp-server
add address-pool=vlan10 comment="For employees vlan10" interface=vlan10 \
    lease-time=10m name=vlan10
add address-pool=vlan90 comment="For sysadmins vlan90" interface=vlan90 \
    lease-time=10m name=vlan90
add address-pool=ether5 comment="DHCP for eth5 access" interface=\
    ether5-access lease-time=5d name=ether5
add address-pool=vlan99 comment="For admin vlan99" interface=vlan99 \
    lease-time=10m name=vlan99
add address-pool=vlan80 comment="For GUESTS vlan80" interface=guests_v80 \
    lease-time=10m name=guests_vlan80
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge1 interface=ether6
add bridge=bridge1 ingress-filtering=no interface=ether7 pvid=99
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=bonding_to_switch pvid=99
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 comment="Base VLAN99" tagged=bonding_to_switch,bridge1 \
    untagged=ether6,ether8,ether7 vlan-ids=99
add bridge=bridge1 comment="Employees VLAN10" tagged=\
    ether6,ether7,ether8,bonding_to_switch,bridge1 vlan-ids=10
add bridge=bridge1 comment="Sysadmins VLAN90" tagged=\
    ether6,ether7,ether8,bonding_to_switch,bridge1 vlan-ids=90
add bridge=bridge1 comment="Guests VLAN80" tagged=\
    bridge1,bonding_to_switch,ether7 vlan-ids=80
/interface list member
add comment=VLAN10 interface=vlan10 list=VLAN
add comment=VLAN90 interface=vlan90 list=VLAN
add comment=VLAN99 interface=vlan99 list=VLAN
add comment="BASE just vlan99" interface=vlan99 list=BASE
add comment="admin vlan99" interface=vlan99 list=ADMIN
add comment="Sysadmin from vlan90" interface=vlan90 list=ADMIN
add interface=sfp list=WAN
/interface wifi access-list
add action=reject comment="Reject anonymous MACs for WIFIs" disabled=yes \
    mac-address=02:00:00:00:00:00 mac-address-mask=02:00:00:00:00:00
/interface wifi cap
set enabled=yes slaves-static=yes
/interface wifi capsman
set enabled=yes interfaces=BASE package-path="" require-peer-certificate=no \
    upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment="Employees 5Ghz provisioning" \
    disabled=no master-configuration=5g_employees slave-configurations=\
    5g_guests supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="Employees 2.4Ghz provisioning" \
    disabled=no master-configuration=2g_employees slave-configurations=\
    2g_guests supported-bands=2ghz-ax
/ip address
add address=10.0.99.1/24 comment="admin vlan99 Ip addresses" interface=vlan99 \
    network=10.0.99.0
add address=192.168.10.1/24 comment="employees vlan_10 Ip addresses" \
    interface=vlan10 network=192.168.10.0
add address=192.168.90.0/24 comment="sysadmins vlan90 Ip addresses" \
    interface=vlan90 network=192.168.90.0
add address=10.0.0.1/24 comment="Admin IP for eth5" interface=ether5-access \
    network=10.0.0.0
add address=xxx.yyy.zzz.tt4/29 comment="Main IP for router  for ISP" \
    interface=sfp network=xxx.yyy.zzz.tt2
add address=192.168.80.0/24 comment="sysadmins vlan80 Ip addresses" \
    interface=guests_v80 network=192.168.80.0
/ip dhcp-server lease
add address=192.168.10.100 client-id=1:b4:22:0:66:43:a7 comment=Printer \
    mac-address=B4:22:00:66:43:A7 server=vlan10
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1,8.8.4.4 gateway=10.0.0.1
add address=10.0.80.0/24 comment="Guests vlan80 network" dns-server=\
    1.1.1.1,8.8.4.4 gateway=10.0.80.1
add address=10.0.99.0/24 comment="Admin vlan90 network" dns-server=\
    1.1.1.1,8.8.4.4 gateway=10.0.99.1
add address=192.168.10.0/24 comment="employees vlan10 network" dns-server=\
    192.168.10.1 gateway=192.168.10.1
add address=192.168.90.0/24 comment="Syadmins vlan99 network" dns-server=\
    192.168.90.1 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4
/ip firewall filter
add action=drop chain=input comment="DROP DNS tcp port 53 from WAN" dst-port=\
    53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="DROP DNS udp port 53 from WAN" dst-port=\
    53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=drop chain=input comment="drop ICMP to WAN" in-interface-list=WAN \
    protocol=icmp
add action=accept chain=input comment="Accept Loopback for CAPSMAN" \
    dst-address=127.0.0.1
add action=accept chain=input comment="Allow everything from VLANs" \
    in-interface-list=VLAN
add action=accept chain=input comment="Allow Admin VLAN full access" \
    in-interface-list=BASE
add action=drop chain=input comment="DROP REST OF INPUT" in-interface-list=\
    WAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "Drop everything Forward from VLANs- TO ACTIVE WHEN TESTED" \
    in-interface-list=VLAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade ISP WAN" \
    out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip route
add comment="Main isp Gateway" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=xxx.yyy.zzz.tt3 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/24,10.0.69.0/24,10.0.99.0/24,192.168.90.0/24
set api disabled=yes
set winbox address=\
    10.0.0.0/24,10.0.69.0/24,10.0.99.0/24,192.168.90.0/24,192.168.10.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=America/Chicago
/system identity
set name=au1-core-rt01
/system logging
add disabled=yes topics=debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
add address=europe.pool.ntp.org
add address=asia.pool.ntp.org
/tool romon
set enabled=yes


For CAP

/interface bridge
add ingress-filtering=no name=bridge1 port-cost-mode=short priority=0x2000 pvid=99 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Trunk l2mtu=1560
/interface vlan
add comment="Managment VLAN99" interface=bridge1 name=MGMT vlan-id=99
/interface wifi datapath
add bridge=bridge1 disabled=no name=vlan10_employees vlan-id=10
add bridge=bridge1 disabled=no name=vlan80_guests vlan-id=80
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: ihconau2, channel: 5220/ax/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=vlan10_employees disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=vlan10_employees disabled=no
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10 pvid=99
/interface bridge vlan
add bridge=bridge1 comment="For mgmt vlan99" tagged=bridge1 vlan-ids=99
add bridge=bridge1 comment="For employees vlan10" tagged=bridge1,ether1 vlan-ids=10
add bridge=bridge1 comment="For Guests vlan80" tagged=bridge1,ether1 vlan-ids=80
/interface wifi cap
set caps-man-addresses=10.0.99.1 enabled=yes slaves-datapath=vlan80_guests slaves-static=no
/ip address
add address=10.0.99.101/24 comment="admin vlan ip" interface=MGMT network=10.0.99.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.99.1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=au1-core-ap02
/system note
set show-at-login=no
/tool romon
set enabled=yes


Thanks again for having a look :)
 
carcuevas
just joined
Topic Author
Posts: 10
Joined: Sun Jan 07, 2024 11:37 pm

Re: Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 [SOLVED]

Wed Mar 27, 2024 8:34 pm

Hi,

Finally I made it work. I guess because I did many, many changes lately I had a few errors in the VLAN80, so it was not working indeed... but now I got it working, so for somebody struggling when using CAPsMAN on 7.14.1, hopefully this can help...:

At least for me it was a key thing to have the datapath configuration on the CAPs, otherwise it was not working... Also this is just for wifi-qcom; I guess it will NOT work for wifi-qcom-ac.

Vlans involved are

vlan_id=99 for Management (10.0.99.0/24)
vlan_id=10 for employees (192.168.10.0/24)
vlan_id=80 for guests (10.0.80.0/24)

And the full configs are:

For CAPsMAN server
# 2024-03-26 10:37:28 by RouterOS 7.14.1
# software id = E10X-RDVX
#
# model = RB5009UPr+S+

/interface bridge
add name=bridge1 pvid=99 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Bonding to au1-usw-01 Switch Port1" \
    poe-out=off
set [ find default-name=ether2 ] comment="Bonding to au1-usw-01 Switch Port2" \
    poe-out=off
set [ find default-name=ether5 ] comment="ADMIN ETH" name=ether5-access
set [ find default-name=ether8 ] comment="Temporarily for swtich in VLAN10"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\
    "ISP WAN" name=sfp speed=1G-baseT-full
/interface wifi
# SSID not set
add configuration.mode=ap disabled=no name=cap-wifi1 radio-mac=\
    AA:BB:CC:DD:EE:FF
/interface vlan
add comment="Guests VLAN80 for WIFI" interface=bridge1 name=guests_v80 \
    vlan-id=80
add comment="employees vlan" interface=bridge1 name=vlan10 vlan-id=10
add comment="sysadmins vlan" interface=bridge1 name=vlan90 vlan-id=90
add comment="Admin Vlan" interface=bridge1 name=vlan99 vlan-id=99
/interface bonding
add comment="Bonding Trunk for Switch" mode=802.3ad name=bonding_to_switch \
    slaves=ether1,ether2
/interface list
add comment="all Vlans" name=VLAN
add comment="The WAN" name=WAN
add comment="Where the admin VLAN is trunk" name=BASE
add comment="The Interface list needed for ADMINS" name=ADMIN
/interface wifi channel
add band=5ghz-ax disabled=no frequency=\
    5230-5250,5210-5230,5190-5210,5170-5190 name=5GHz_US_bands width=20/40mhz
add band=2ghz-ax disabled=no frequency=2412,2432,2422,2442 name=\
    2GHZ_AX_US_BANDS secondary-frequency=2417,2427,2437 skip-dfs-channels=all \
    width=20mhz
/interface wifi datapath
add bridge=bridge1 comment="Employees VLAN WIFI" disabled=no name=\
    employees_wifi_datapath vlan-id=10
add bridge=bridge1 comment="GUESTS VLAN80 WIFI" disabled=no name=\
    guests_wifi_datapath vlan-id=80
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment=\
    "Security Profile for Employees wifi" disabled=no name=\
    employees_wifi_security_profile wps=disable
add authentication-types=wpa2-psk,wpa3-psk comment=\
    "Security Profile for Employees wifi" disabled=no name=\
    guests_wifi_security_profile wps=disable
/interface wifi configuration
add channel=5GHz_US_bands comment="Employees WIFI 5GHz" country=\
    "United States" datapath=employees_wifi_datapath disabled=no name=\
    5g_employees security=employees_wifi_security_profile ssid=ihconau2
add channel=5GHz_US_bands comment="GUESTS WIFI 5GHz" country="United States" \
    datapath=guests_wifi_datapath disabled=no name=5g_guests security=\
    guests_wifi_security_profile ssid=ih-guests
add channel=2GHZ_AX_US_BANDS comment="Employees WIFI 2.4GHz" country=\
    "United States" datapath=employees_wifi_datapath disabled=no name=\
    2g_employees security=employees_wifi_security_profile ssid=ihconau2
add channel=2GHZ_AX_US_BANDS comment="GUESTS WIFI 5GHz" country=\
    "United States" datapath=guests_wifi_datapath disabled=no name=2g_guests \
    security=guests_wifi_security_profile ssid=ih-guests
/ip pool
add comment="employees vlan10" name=vlan10 ranges=\
    192.168.10.10-192.168.10.254
add comment="sysadmin vlan90" name=vlan90 ranges=192.168.90.10-192.168.90.254
add comment="ip pool for ether5" name=ether5 ranges=10.0.0.10-10.0.0.20
add comment="ip pool for admin vlan99" name=vlan99 ranges=\
    10.0.99.2-10.0.99.254
add comment="Guests vlan80" name=vlan80 ranges=10.0.80.10-10.0.80.254
/ip dhcp-server
add address-pool=vlan10 comment="For employees vlan10" interface=vlan10 \
    lease-time=10m name=vlan10
add address-pool=vlan90 comment="For sysadmins vlan90" interface=vlan90 \
    lease-time=10m name=vlan90
add address-pool=ether5 comment="DHCP for eth5 access" interface=\
    ether5-access lease-time=5d name=ether5
add address-pool=vlan99 comment="For admin vlan99" interface=vlan99 \
    lease-time=10m name=vlan99
add address-pool=vlan80 comment="For GUESTS vlan80" interface=guests_v80 \
    lease-time=10m name=guests_vlan80
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge1 interface=ether6
add bridge=bridge1 ingress-filtering=no interface=ether7 pvid=99
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=bonding_to_switch pvid=99
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 comment="Base VLAN99" tagged=bonding_to_switch,bridge1 \
    untagged=ether6,ether8,ether7 vlan-ids=99
add bridge=bridge1 comment="Employees VLAN10" tagged=\
    ether6,ether7,ether8,bonding_to_switch,bridge1 vlan-ids=10
add bridge=bridge1 comment="Sysadmins VLAN90" tagged=\
    ether6,ether7,ether8,bonding_to_switch,bridge1 vlan-ids=90
add bridge=bridge1 comment="Guests VLAN80" tagged=\
    bridge1,bonding_to_switch,ether7 vlan-ids=80
/interface list member
add comment=VLAN10 interface=vlan10 list=VLAN
add comment=VLAN90 interface=vlan90 list=VLAN
add comment=VLAN99 interface=vlan99 list=VLAN
add comment="BASE just vlan99" interface=vlan99 list=BASE
add comment="admin vlan99" interface=vlan99 list=ADMIN
add comment="Sysadmin from vlan90" interface=vlan90 list=ADMIN
add interface=sfp list=WAN
/interface wifi access-list
add action=reject comment="Reject anonymous MACs for WIFIs" disabled=yes \
    mac-address=02:00:00:00:00:00 mac-address-mask=02:00:00:00:00:00
/interface wifi cap
set enabled=yes slaves-static=yes
/interface wifi capsman
set enabled=yes interfaces=BASE package-path="" require-peer-certificate=no \
    upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment="Employees 5Ghz provisioning" \
    disabled=no master-configuration=5g_employees slave-configurations=\
    5g_guests supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="Employees 2.4Ghz provisioning" \
    disabled=no master-configuration=2g_employees slave-configurations=\
    2g_guests supported-bands=2ghz-ax
/ip address
add address=10.0.99.1/24 comment="admin vlan99 Ip addresses" interface=vlan99 \
    network=10.0.99.0
add address=192.168.10.1/24 comment="employees vlan_10 Ip addresses" \
    interface=vlan10 network=192.168.10.0
add address=192.168.90.0/24 comment="sysadmins vlan90 Ip addresses" \
    interface=vlan90 network=192.168.90.0
add address=10.0.0.1/24 comment="Admin IP for eth5" interface=ether5-access \
    network=10.0.0.0
add address=xxx.yyy.zzz.tt4/29 comment="Main IP for router  for ISP" \
    interface=sfp network=xxx.yyy.zzz.tt2
add address=10.0.80.1/24 comment="sysadmins vlan80 Ip addresses" \
    interface=guests_v80 network=10.0.80.0
/ip dhcp-server lease
add address=192.168.10.100 client-id=1:b4:22:0:66:43:a7 comment=Printer \
    mac-address=B4:22:00:66:43:A7 server=vlan10
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1,8.8.4.4 gateway=10.0.0.1
add address=10.0.80.0/24 comment="Guests vlan80 network" dns-server=\
    1.1.1.1,8.8.4.4 gateway=10.0.80.1
add address=10.0.99.0/24 comment="Admin vlan90 network" dns-server=\
    1.1.1.1,8.8.4.4 gateway=10.0.99.1
add address=192.168.10.0/24 comment="employees vlan10 network" dns-server=\
    192.168.10.1 gateway=192.168.10.1
add address=192.168.90.0/24 comment="Syadmins vlan99 network" dns-server=\
    192.168.90.1 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4
/ip firewall filter
add action=drop chain=input comment="DROP DNS tcp port 53 from WAN" dst-port=\
    53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="DROP DNS udp port 53 from WAN" dst-port=\
    53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=drop chain=input comment="drop ICMP to WAN" in-interface-list=WAN \
    protocol=icmp
add action=accept chain=input comment="Accept Loopback for CAPSMAN" \
    dst-address=127.0.0.1
add action=accept chain=input comment="Allow everything from VLANs" \
    in-interface-list=VLAN
add action=accept chain=input comment="Allow Admin VLAN full access" \
    in-interface-list=BASE
add action=drop chain=input comment="DROP REST OF INPUT" in-interface-list=\
    WAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "Drop everything Forward from VLANs- TO ACTIVE WHEN TESTED" \
    in-interface-list=VLAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade ISP WAN" \
    out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip route
add comment="Main isp Gateway" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=xxx.yyy.zzz.tt3 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/24,10.0.69.0/24,10.0.99.0/24,192.168.90.0/24
set api disabled=yes
set winbox address=\
    10.0.0.0/24,10.0.69.0/24,10.0.99.0/24,192.168.90.0/24,192.168.10.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=America/Chicago
/system identity
set name=au1-core-rt01
/system logging
add disabled=yes topics=debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
add address=europe.pool.ntp.org
add address=asia.pool.ntp.org
/tool romon
set enabled=yes


For CAP

/interface bridge
add ingress-filtering=no name=bridge1 port-cost-mode=short priority=0x2000 pvid=99 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Trunk l2mtu=1560
/interface vlan
add comment="Managment VLAN99" interface=bridge1 name=MGMT vlan-id=99
/interface wifi datapath
add bridge=bridge1 disabled=no name=vlan10_employees vlan-id=10
add bridge=bridge1 disabled=no name=vlan80_guests vlan-id=80
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: ihconau2, channel: 5220/ax/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=vlan10_employees disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=vlan10_employees disabled=no
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10 pvid=99
/interface bridge vlan
add bridge=bridge1 comment="For mgmt vlan99" tagged=bridge1 vlan-ids=99
add bridge=bridge1 comment="For employees vlan10" tagged=bridge1,ether1 vlan-ids=10
add bridge=bridge1 comment="For Guests vlan80" tagged=bridge1,ether1 vlan-ids=80
/interface wifi cap
set caps-man-addresses=10.0.99.1 enabled=yes slaves-datapath=vlan80_guests slaves-static=no
/ip address
add address=10.0.99.101/24 comment="admin vlan ip" interface=MGMT network=10.0.99.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.99.1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=au1-core-ap02
/system note
set show-at-login=no
/tool romon
set enabled=yes


Thanks for the help :)

Edit: Corrected some typos
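As an added example (not from the original post, nor MikroTik's own tooling), here is a small Python checker for exactly the kind of VLAN80 mismatch the poster ran into: it parses the `/ip address` and `/ip dhcp-server network` sections of a RouterOS export and flags a DHCP network whose gateway is not an address the router itself holds, and an interface address whose host part is the subnet's network address. The export text below is constructed to mirror the first post's guests_v80 entries; the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample in RouterOS export syntax (not the poster's full export).
# It reproduces the VLAN80 mismatch from the first post: the interface holds
# 192.168.80.0/24 while the DHCP network hands out 10.0.80.0/24 via 10.0.80.1.
SAMPLE_EXPORT = """\
/ip address
add address=10.0.99.1/24 comment="admin vlan99 Ip addresses" interface=vlan99 \\
    network=10.0.99.0
add address=192.168.80.0/24 comment="guests vlan80" interface=guests_v80 \\
    network=192.168.80.0
/ip dhcp-server network
add address=10.0.80.0/24 comment="Guests vlan80 network" dns-server=\\
    1.1.1.1,8.8.4.4 gateway=10.0.80.1
add address=10.0.99.0/24 comment="Admin vlan99 network" gateway=10.0.99.1
"""


def parse_export(text):
    """Map each '/section' to the list of its 'add' entries as key/value dicts.
    Backslash-continued lines are joined first, as RouterOS exports use them."""
    joined = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections


def check_dhcp_networks(text):
    """Return findings for two classic mistakes: an /ip address whose host part
    is the subnet's network address, and a /ip dhcp-server network whose
    gateway is outside the subnet or not held by the router at all."""
    cfg = parse_export(text)
    findings, held = [], []
    for entry in cfg.get("/ip address", []):
        iface = ipaddress.ip_interface(entry["address"])
        held.append(iface.ip)
        if iface.ip == iface.network.network_address:
            findings.append(f"{entry['interface']}: {entry['address']} is the "
                            "network address, not a usable host address")
    for entry in cfg.get("/ip dhcp-server network", []):
        net = ipaddress.ip_network(entry["address"])
        gateway = ipaddress.ip_address(entry["gateway"])
        if gateway not in net:
            findings.append(f"dhcp network {net}: gateway {gateway} is outside it")
        elif gateway not in held:
            findings.append(f"dhcp network {net}: gateway {gateway} is not "
                            "configured on any interface of this router")
    return findings


if __name__ == "__main__":
    for finding in check_dhcp_networks(SAMPLE_EXPORT):
        print(finding)
```

Run it against `/export` output taken from the CAPsMAN router; an empty result means every DHCP network has a matching interface address, which is what the corrected config above achieves with 10.0.80.1/24 on guests_v80.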
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 [SOLVED]

Wed Mar 27, 2024 8:38 pm

You figured it mostly out on your own, so congratulations on that! :lol:
 
carcuevas
just joined
Topic Author
Posts: 10
Joined: Sun Jan 07, 2024 11:37 pm

Re: Problems with Capsman on RB5009 and CAP 5HaxD2HaxD using rOS 7.14.1 [SOLVED]

Wed Mar 27, 2024 11:18 pm

Well, sometimes it's enough to ask, and a couple of words from somebody else help to go in the right direction :)
