I'm seeking advice regarding the configuration of Capsman on version 7.14. I've been following the guide at https://help.mikrotik.com/docs/display/ ... ionexample, but I encounter an error with ac devices stating "client was disconnected because could not assign vlan".
Basic information:
- 2x AX cAPGi-5HaxD2HaxD devices (cap)
- 1x AC RBD23UGS-5HPacD2HnD device (cap)
- 1x RB5009UPr+S+ device (capsman)
- The error "client was disconnected because could not assign vlan" doesn't appear immediately but after a while when switching between devices.
- It only appears on the guest network (Vlan20).
- It only shows on the interface of the RBD23UGS-5HPacD2HnD device (cap).
- If I create a separate SSID for the RBD23UGS-5HPacD2HnD (cap) device and connect to it, then the error does not appear.
Capsman:
# 2024-03-14 08:35:19 by RouterOS 7.14
# software id = Q3U8-3MIZ
#
# model = RB5009UPr+S+
# Export of the CAPsMAN controller / main router.
# NOTE(review): this public export carries the software id and, further down, the WAN
# address and the WAN management rules; consider redacting such values before sharing.
/interface bridge
# One VLAN-aware bridge: untagged traffic is the private LAN (192.168.1.1/24 sits on
# bridge1 itself), VLAN 20 carries the guest network.
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - Synology"
set [ find default-name=ether2 ] name="ether2 - ChotNet"
set [ find default-name=ether3 ] name="ether3 - Mikrotik - LTE"
set [ find default-name=ether4 ] name="ether4 - Mikrotik - Prizemi" poe-lldp-enabled=yes
set [ find default-name=ether5 ] name="ether5 - Mikrotik - Podkrovi" poe-lldp-enabled=yes
set [ find default-name=ether6 ] name="ether6 - Mikrotik - Venek" poe-lldp-enabled=yes poe-out=forced-on poe-priority=1
set [ find default-name=ether7 ] name="ether7 - Mikrotik - Technicka"
set [ find default-name=ether8 ] name="ether8 - Synology - Kamera"
set [ find default-name=sfp-sfpplus1 ] name="sfp - switch"
/interface vlan
# Layer-3 interface for the guest VLAN; it gets 192.168.2.1/24 and the guest DHCP server.
add interface=bridge1 name="VLAN20 - guest" vlan-id=20
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add disabled=no name=channel1 skip-dfs-channels=all
/interface wifi datapath
# datapath-private: untagged on bridge1.
# datapath-public: tags clients into VLAN 20 and isolates them from each other.
# DP_AC: used by both AC-* configurations below. It sets neither vlan-id nor
# client-isolation, so on the AC CAP the guest VLAN comes only from the CAP's own
# bridge-port pvid, and this datapath does not isolate guest clients from each other.
# NOTE(review): confirm whether client isolation can and should be applied to the AC guest SSID.
add bridge=bridge1 disabled=no name=datapath-private
add bridge=bridge1 client-isolation=yes disabled=no name=datapath-public vlan-id=20
add bridge=bridge1 disabled=no name=DP_AC
/interface wifi security
# "Camrak" (private SSID) accepts legacy WPA alongside WPA2; "Camrak-guest" is WPA3-PSK only.
# NOTE(review): the private network currently allows a weaker mode than the guest one;
# drop wpa-psk unless a client still needs it.
# Both profiles enable 802.11r fast transition (ft=yes, ft-over-ds=yes).
# NOTE(review): the reported "could not assign vlan" disconnects appear only after roaming
# onto the AC CAP. Possibly a guest client roaming from an AX AP (VLAN 20 assigned by
# datapath-public) arrives with a VLAN assignment the AC interface cannot apply; to be
# confirmed, e.g. by testing the guest profile with ft disabled.
add authentication-types=wpa-psk,wpa2-psk disabled=no ft=yes ft-over-ds=yes group-key-update=5m name=Camrak
add authentication-types=wpa3-psk disabled=no ft=yes ft-over-ds=yes group-key-update=5m name=Camrak-guest
/interface wifi configuration
# Two profiles per SSID: the "Camrak - *" pair uses the VLAN-aware datapaths, the AC-* pair
# uses DP_AC. The provisioning rules later in the export assign them by supported band.
add channel=channel1 country=Czech datapath=datapath-private disabled=no mode=ap name="Camrak - private" security=Camrak ssid=Camrak
add channel=channel1 country=Czech datapath=datapath-public disabled=no mode=ap name="Camrak - guest" security=Camrak-guest ssid=Camrak-guest
add channel=channel1 country=Czech datapath=DP_AC disabled=no mode=ap name=AC-private security=Camrak ssid=Camrak
add channel=channel1 country=Czech datapath=DP_AC disabled=no mode=ap name=AC-guest security=Camrak-guest ssid=Camrak-guest
/ip pool
add name=dhcp-public ranges=192.168.2.2-192.168.2.254
add name=dhcp-private ranges=192.168.1.130-192.168.1.199
/ip dhcp-server
# Private leases are served on the untagged bridge, guest leases on the VLAN 20 interface.
add address-pool=dhcp-private interface=bridge1 lease-time=8h30m name=dhcp-private
add address-pool=dhcp-public interface="VLAN20 - guest" lease-time=1w name=dhcp-public
/ip smb users
set [ find default=yes ] disabled=yes
/routing table
add disabled=no fib name=to_ChotNet
add disabled=no fib name=to_LTE
/interface bridge port
# No pvid, frame-types or ingress-filtering values appear on these ports in the export,
# so they are presumably all untagged members of the private LAN with default settings.
add bridge=bridge1 interface="ether4 - Mikrotik - Prizemi"
add bridge=bridge1 interface="sfp - switch"
add bridge=bridge1 interface="ether1 - Synology"
add bridge=bridge1 interface="ether5 - Mikrotik - Podkrovi"
add bridge=bridge1 interface="ether6 - Mikrotik - Venek"
add bridge=bridge1 interface="ether7 - Mikrotik - Technicka"
add bridge=bridge1 interface="ether8 - Synology - Kamera"
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbor discovery runs on every interface, the WAN ports included.
# NOTE(review): limiting discover-interface-list to LAN avoids announcing the router
# towards the ISP side.
set discover-interface-list=all
/interface bridge vlan
# VLAN 20 is tagged on the three CAP uplinks and on the bridge itself (needed for the
# "VLAN20 - guest" interface). ether7, ether8, ether1 and the SFP port are not members.
add bridge=bridge1 tagged="ether4 - Mikrotik - Prizemi,ether5 - Mikrotik - Podkrovi,ether6 - Mikrotik - Venek,bridge1" vlan-ids=20
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
# "VLAN20 - guest" is a member of neither WAN nor LAN; any firewall rule written against
# these lists therefore does not match guest traffic (see the IPv4 input chain).
# NOTE(review): "VLAN2 - private" is referenced below but no such interface is defined in
# this export; presumably a stale entry.
add interface="ether2 - ChotNet" list=WAN
add interface="ether4 - Mikrotik - Prizemi" list=LAN
add interface="ether5 - Mikrotik - Podkrovi" list=LAN
add interface="ether6 - Mikrotik - Venek" list=LAN
add interface="ether7 - Mikrotik - Technicka" list=LAN
add interface="ether8 - Synology - Kamera" list=LAN
add interface="sfp - switch" list=LAN
add interface="ether3 - Mikrotik - LTE" list=WAN
add interface="ether1 - Synology" list=LAN
add interface="VLAN2 - private" list=LAN
add interface=bridge1 list=LAN
/interface wifi capsman
# The manager listens on all interfaces and does not require a CAP certificate.
# NOTE(review): restrict interfaces= to the LAN side and consider certificates, so that
# only known CAPs can register and receive the SSID configuration.
set enabled=yes interfaces=all package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
# AX radios (2ghz-ax / 5ghz-ax) get the "Camrak - *" profiles; the AC CAP's radios
# (2ghz-n / 5ghz-ac) get the AC-* profiles that use DP_AC.
add action=create-dynamic-enabled disabled=no master-configuration="Camrak - private" name-format="2,4 GHz -%I" slave-configurations="Camrak - guest" supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration="Camrak - private" name-format="5 GHz - %I" slave-configurations="Camrak - guest" supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=AC-private name-format="2,4 GHz -%I" slave-configurations=AC-guest supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=AC-private name-format="5 GHz - %I" slave-configurations=AC-guest supported-bands=5ghz-ac
/ip address
add address=85.163.60.43/29 interface="ether2 - ChotNet" network=85.163.60.40
add address=192.168.188.5/24 interface="ether3 - Mikrotik - LTE" network=192.168.188.0
add address=192.168.2.1/24 interface="VLAN20 - guest" network=192.168.2.0
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip dhcp-server network
# The caps-manager option is handed out on the private subnet only.
add address=192.168.1.0/24 caps-manager=192.168.1.1 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 netmask=24
/ip dns
# The router answers DNS for any client that its input chain lets through.
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4
/ip dns static
# NOTE(review): 192.168.88.1 is not an address configured in this export; presumably a
# defconf leftover.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# IPv4 filter. Rules are evaluated top to bottom per chain.
# NOTE(review): the only general drop in the input chain matches in-interface-list=WAN.
# "VLAN20 - guest" is not in WAN (nor in LAN), so nothing here stops guest clients from
# reaching the router's own services. The last input rule's comment says "not coming from
# LAN", but the rule does not match that; in-interface-list=!LAN plus explicit accepts for
# guest DHCP/DNS would do what the comment describes.
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
# ICMP from the WAN is rate-limited, the excess is dropped.
add action=accept chain=input in-interface-list=WAN limit=10,5:packet protocol=icmp
add action=drop chain=input in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# A TCP packet to port 11111 from the WAN lists its source in "knock" for one minute;
# listed sources may then open SSH (22) and Winbox (8291) from the WAN.
# NOTE(review): a single-port knock is also satisfied by unrelated traffic that happens to
# touch that port, so it is a thin control; management over a VPN, or a fixed
# src-address allow-list, is the stronger option.
add action=add-src-to-address-list address-list=knock address-list-timeout=1m chain=input comment="port knock" dst-port=11111 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=22,8291 in-interface-list=WAN protocol=tcp src-address-list=knock
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=input connection-state=invalid
# Blocks guest (192.168.2.0/24) traffic towards the private subnet only.
# NOTE(review): other local networks, e.g. 192.168.188.0/24 behind the LTE port, are not
# covered by this rule, and the forward chain has no other rule matching guest sources.
add action=drop chain=forward comment="ochrana ze site hostu" dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
# Two default routes: ChotNet (distance 5) is preferred over LTE (distance 10). The /32
# route pins the 8.8.4.4 probe target to the ChotNet gateway; the netwatch entry later in
# the export swaps the distances when that probe fails.
add comment="ChotNet - default route" disabled=no distance=5 dst-address=0.0.0.0/0 gateway=85.163.60.41 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="LTE - default route" disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.188.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=85.163.60.41 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
# telnet, ftp, api and api-ssl are disabled; www is moved to port 81 but remains plain HTTP.
# ssh and winbox are not listed, so presumably they run with default settings.
# NOTE(review): no address= restriction is shown on any service; together with the input
# chain above this leaves management reachable from the guest VLAN. Restrict the services
# to the private subnet and disable www if it is not used.
set telnet disabled=yes
set ftp disabled=yes
set www port=81
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip upnp
# NOTE(review): UPnP allows internal hosts to request inbound port mappings; no
# /ip upnp interfaces entries appear in this export. Disable it unless it is required.
set enabled=yes
/ipv6 firewall address-list
# Source/destination prefixes that should never appear in forwarded traffic; used by the
# two bad_ipv6 drop rules in the forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# All rules carry defconf comments. Unlike the IPv4 input chain, both IPv6 chains end with
# in-interface-list=!LAN, so traffic from interfaces outside the LAN list (the guest VLAN
# included) is dropped unless an earlier rule accepts it.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# NOTE(review): the IKE/AH/ESP accepts below apply to every interface; remove them if the
# router does not terminate IPsec over IPv6.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
# NOTE(review): "protocol= ipsec-esp" below contains a stray space, presumably a
# copy/paste artifact of the forum post.
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol= ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
# Disabled policy rule that would send one private host through the to_LTE table.
add action=lookup disabled=yes src-address=192.168.1.24/32 table=to_LTE
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="MikroTik - router"
/system logging
# Both extra logging rules are disabled.
# NOTE(review): enabling them while reproducing the roam should show what precedes the
# "could not assign vlan" disconnect.
add disabled=yes topics=wireless
add disabled=yes topics=caps
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
# Layer-2 management (MAC telnet / MAC Winbox) is limited to the LAN interface list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
# WAN failover: 8.8.4.4 is probed every 7 s. When it stops answering, the down-script
# raises every route with distance 5 to 15, so the LTE default route (distance 10) wins;
# the up-script sets distance-15 routes back to 5. The [find distance=...] selectors match
# any route with that distance, not only the ChotNet default route.
add disabled=no down-script="ip route\r\
\nset [find distance=5] distance=15" host=8.8.4.4 http-codes="" interval=\
7s start-delay=2m test-script="" timeout=2s type=simple up-script=\
"ip route\r\
\nset [find distance=15] distance=5"
/tool romon
# NOTE(review): RoMON is enabled and no secrets or port restrictions are visible in this
# export; confirm a RoMON secret is set and that RoMON is limited to trusted interfaces.
set enabled=yes
AC CAP:
# 2024-03-14 09:03:54 by RouterOS 7.14
# software id = YTD7-NWJP
#
# model = RBD23UGS-5HPacD2HnD
# Export of the AC-generation CAP on which the guest-VLAN disconnects are reported.
/interface bridge
# VLAN filtering is done locally on the CAP: the CAPsMAN datapath used for this device
# (DP_AC) carries no vlan-id, so the guest VLAN is applied by the bridge ports below.
add name=bridgeLocal vlan-filtering=yes
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Camrak, channel: 2467/n/eC
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Camrak, channel: 5220/ac/eeCe
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Camrak-guest
add disabled=no mac-address=1A:FD:74:28:A5:D8 master-interface=wifi1 name=wifi21
# managed by CAPsMAN
# mode: AP, SSID: Camrak-guest
add disabled=no mac-address=1A:FD:74:28:A5:D9 master-interface=wifi2 name=wifi22
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
# The master radios (private SSID) join untagged; the guest slaves wifi21/wifi22 are
# access ports of VLAN 20 via pvid.
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal interface=wifi1
add bridge=bridgeLocal interface=wifi21 pvid=20
add bridge=bridgeLocal interface=wifi2
add bridge=bridgeLocal interface=wifi22 pvid=20
add bridge=bridgeLocal interface=sfp1
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# VLAN 20 leaves tagged on the ether1 uplink and untagged on the guest slaves.
# NOTE(review): bridgeLocal is also a tagged member although no VLAN 20 interface is
# defined on this CAP; removing it would keep the CAP's own CPU port out of the guest VLAN.
add bridge=bridgeLocal tagged=ether1,bridgeLocal untagged=wifi21,wifi22 vlan-ids=20
/interface list member
# NOTE(review): ether1 is in both LAN and WAN. No /ip firewall filter rules or /ip service
# restrictions appear in this export, so the CAP's management services are presumably
# reachable from anything on the untagged (private) network.
add interface=ether1 list=LAN
add interface=ether1 list=WAN
/interface ovpn-server server
# NOTE(review): whether the OpenVPN server is enabled is not visible here; if it is ever
# used, remove md5 (and preferably sha1) from the accepted auth algorithms.
set auth=sha1,md5
/interface wifi cap
# The CAP discovers managers on bridgeLocal, is not locked to a particular CAPsMAN and
# shows no certificate setting, so it would presumably accept any manager answering on
# that segment.
# NOTE(review): consider lock-to-caps-man=yes with certificates.
# slaves-static=yes presumably keeps wifi21/wifi22 as static entries so the bridge-port
# pvid settings above can refer to them.
set discovery-interfaces=bridgeLocal enabled=yes lock-to-caps-man=no slaves-static=yes
/ip dhcp-client
# Management address is obtained untagged, i.e. from the private LAN.
add interface=bridgeLocal
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip upnp
# NOTE(review): UPnP has no apparent purpose on a bridged access point; disable it.
set enabled=yes
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="MikroTik - venek"
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool romon
# NOTE(review): RoMON is enabled and no secrets are visible in this export; confirm a
# secret is configured.
set enabled=yes
Could someone please guide me on what I'm doing wrong? Thanks a lot for the help.