breskmic
just joined
Topic Author
Posts: 8
Joined: Sat May 04, 2024 11:25 pm
Location: Czech Republic

AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Sun May 05, 2024 12:29 am

Hello guys, I have a somewhat unusual configuration of my MikroTik APs, but it works well except for Guest Wi-Fi via CAPsMAN. Please let me describe my issue.

AP01 is Mikrotik RB962UiGS-5HacT2HnT with OS v7.14.3 and serving as CAPsMAN Manager.
AP02 is Mikrotik RB951G-2HnD with OS v7.14.3 and serving as Remote CAP.

Both APs are interconnected via a Cisco Catalyst switch, and the interconnecting WAN interfaces are configured as trunks with the following VLANs allowed:
VLAN 1100: Management
VLAN 1200: LAN
VLAN 1300: Wi-Fi
VLAN 1400: Wi-Fi_Guest

In VLAN 1100 a VLAN interface is created on both APs for management traffic, used for CAPsMAN, etc.
All physical LAN interfaces on both APs are assigned to VLAN 1200.
The physical WLAN1 on both APs is assigned to VLAN 1300.
The virtual WLAN_Guest on both APs is assigned to VLAN 1400.

Both APs are working in L2 mode only; all L3 and FW/NAT functions are disabled.
L3, including DHCP for all client VLANs, and the FW/NAT services are provided by a Juniper SRX firewall, which is connected to the same Cisco Catalyst switch as both APs.

I know that it is a bit of a wild setup, but everything works fine, except Guest Wi-Fi on AP02.

When I try to connect to Guest Wi-Fi on AP02, authentication passes correctly, but then my mobile phone tells me that this connection has no Internet access and disconnects me automatically. Unfortunately there is nothing useful in the logs on either AP, and Guest Wi-Fi on AP01 is working correctly.

Please see my APs configurations below. Any idea what could be wrong?

AP01
# model = RB962UiGS-5HacT2HnT
/interface bridge
add admin-mac=<REMOVED> auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="czech republic" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=WIFI wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="czech republic" disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=WIFI_5G \
    wireless-protocol=802.11 wps-mode=disabled
/interface bonding
add comment="Uplink to SW01" mode=802.3ad name=Po1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-2-and-3
/interface vlan
add interface=Po1 name=V1100_MGMT vlan-id=1100
/caps-man security
add authentication-types=wpa2-psk comment="WiFi_Guest Security" encryption=\
    aes-ccm group-encryption=aes-ccm name=security_guest passphrase=\
    <REMOVED>
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security1 passphrase=<REMOVED>
/caps-man configuration
add country="czech republic" datapath.bridge=bridge .local-forwarding=yes \
    .vlan-id=1300 .vlan-mode=no-tag name=WIFI security=security1 \
    security.group-key-update=5m ssid=WIFI
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/caps-man configuration
add comment=Guest country="czech republic" datapath.bridge=bridge \
    .interface-list=dynamic .local-forwarding=yes .vlan-id=1400 .vlan-mode=\
    no-tag mode=ap name=WIFI_Guest security=security_guest \
    security.group-key-update=5m ssid=WIFI_Guest
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=\
    <REMOVED> wpa2-pre-shared-key=\
    <REMOVED>
add authentication-types=wpa2-psk comment="Guest Wi-Fi networks password." \
    mode=dynamic-keys name=Guest_PWD supplicant-identity=MikroTik \
    wpa-pre-shared-key=<REMOVED> wpa2-pre-shared-key=<REMOVED>
/interface wireless
add comment=Guest disabled=no mac-address=<REMOVED> master-interface=\
    wlan1 name=wlan_guest security-profile=Guest_PWD ssid=WIFI_Guest \
    vlan-id=1400 wps-mode=disabled
add comment=Guest disabled=no mac-address=<REMOVED> master-interface=\
    wlan2 name=wlan_guest_5g security-profile=Guest_PWD ssid=WIFI_5G_Guest \
    vlan-id=1400
/interface wireless manual-tx-power-table
set wlan_guest comment=Guest
set wlan_guest_5g comment=Guest
/interface wireless nstreme
set *A comment=Guest
set *E comment=Guest
/ip smb users
set [ find default=yes ] disabled=yes
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add comment=Management disabled=no interface=V1100_MGMT
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=WIFI \
    slave-configurations=WIFI_Guest
/interface bridge filter
add action=drop chain=forward disabled=yes in-interface=wlan_guest_5g
add action=drop chain=forward disabled=yes out-interface=wlan_guest_5g
add action=drop chain=forward disabled=yes in-interface=wlan_guest
add action=drop chain=forward disabled=yes out-interface=wlan_guest
/interface bridge port
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=1200
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 \
    internal-path-cost=10 path-cost=10 pvid=1200
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 \
    internal-path-cost=10 path-cost=10 pvid=1200
add bridge=bridge comment=defconf interface=sfp1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan1 \
    internal-path-cost=10 path-cost=10 pvid=1300
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan2 \
    internal-path-cost=10 path-cost=10 pvid=1300
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan_guest_5g internal-path-cost=10 path-cost=10 pvid=1400
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=\
    Po1 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan_guest internal-path-cost=10 path-cost=10 pvid=1400
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=MGMT tagged=bridge,Po1 untagged=\
    V1100_MGMT vlan-ids=1100
add bridge=bridge comment=LAN1 tagged=bridge,Po1 untagged=\
    ether3,ether4,ether5 vlan-ids=1200
add bridge=bridge comment=WIFI1 tagged=bridge,Po1 untagged=\
    wlan1,wlan2 vlan-ids=1300
add bridge=bridge comment=WIFI2_GUEST tagged=bridge,Po1 untagged=\
    wlan_guest_5g,wlan_guest vlan-ids=1400
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Po1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=<REMOVED> comment=Management interface=V1100_MGMT \
    network=<REMOVED>
/ip dhcp-client
add comment=Gateway disabled=yes interface=Po1
/ip dns
set allow-remote-requests=yes servers=<REMOVED>
/ip dns static
add address=<REMOVED> comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=<REMOVED> routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=AP01
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=<REMOVED>
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
AP02
# model = RB951G-2HnD
/interface bridge
add admin-mac=<REMOVED> auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2462/20-eC/gn(17dBm), SSID: WIFI, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="czech republic" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11 wps-mode=disabled
/interface vlan
add interface=ether1 name=V1100_MGMT \
    vlan-id=1100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk comment="Guest Wi-Fi networks password." \
    mode=dynamic-keys name=Guest_PWD supplicant-identity=MikroTik \
    wpa2-pre-shared-key=<REMOVED>
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 \
    internal-path-cost=10 path-cost=10 pvid=1200
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=1200
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 \
    internal-path-cost=10 path-cost=10 pvid=1200
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 \
    internal-path-cost=10 path-cost=10 pvid=1200
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan1 \
    internal-path-cost=10 path-cost=10 pvid=1300
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=\
    ether1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN protocol=lldp
/interface bridge vlan
add bridge=bridge comment=LAN1 tagged=bridge,ether1 untagged=\
    ether2,ether3,ether4,ether5 vlan-ids=1200
add bridge=bridge comment=WIFI1 tagged=bridge,ether1 untagged=\
    wlan1 vlan-ids=1300
add bridge=bridge comment=WIFI2_GUEST tagged=bridge,ether1 \
    untagged=wlan2 vlan-ids=1400
add bridge=bridge comment=MGMT tagged=bridge,ether1 untagged=\
    V1100_MGMT vlan-ids=1100
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireless cap
# 
set bridge=bridge discovery-interfaces=V1100_MGMT enabled=yes \
    interfaces=wlan1
/ip address
add address=<REMOVED> comment=Management interface=V1100_MGMT \
    network=<REMOVED>
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dns
set allow-remote-requests=yes servers=<REMOVED>
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=AP02
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=<REMOVED>
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
breskmic
just joined
Topic Author
Posts: 8
Joined: Sat May 04, 2024 11:25 pm
Location: Czech Republic

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Fri May 10, 2024 3:02 pm

Nobody can find anything wrong? So maybe this could be a bug?
 
Tuxmaster
just joined
Posts: 8
Joined: Sun Dec 03, 2023 11:27 am

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Sun May 12, 2024 11:46 am

Hi breskmic,
I wouldn't use a phone for testing, but rather a Linux laptop, where you can get closer to the WLAN + IP stack more easily. You can then take a look at the command line to see what packets are going where and, if necessary, use Wireshark to see exactly what is ‘flying’ through the air.
 
breskmic
just joined
Topic Author
Posts: 8
Joined: Sat May 04, 2024 11:25 pm
Location: Czech Republic

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Sun May 12, 2024 7:33 pm

Hi Tuxmaster,
Yes, I can try it. I was only hoping that somebody would find an obvious error in my config, because I am not a MikroTik guru, so there could be something wrong that I can't see.
 
jaclaz
Forum Veteran
Posts: 815
Joined: Tue Oct 03, 2023 4:21 pm

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Sun May 12, 2024 7:56 pm

No idea if it is "wrong", but you have some differences between the two configurations regarding the wlans:
on the AP01:
add bridge=bridge comment=WIFI1 tagged=bridge,Po1 untagged=\
wlan1,wlan2 vlan-ids=1300
add bridge=bridge comment=WIFI2_GUEST tagged=bridge,Po1 untagged=\
wlan_guest_5g,wlan_guest vlan-ids=1400
on the AP02:
add bridge=bridge comment=WIFI1 tagged=bridge,ether1 untagged=\
wlan1 vlan-ids=1300
add bridge=bridge comment=WIFI2_GUEST tagged=bridge,ether1 \
untagged=wlan2 vlan-ids=1400
 
breskmic
just joined
Topic Author
Posts: 8
Joined: Sat May 04, 2024 11:25 pm
Location: Czech Republic

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Mon May 13, 2024 9:41 am

Hello jaclaz, thank you for your reply. I suppose that this should be OK, because AP02 simply doesn't have hardware for 5G, so this config is missing there and only the 2.4 GHz Wi-Fi networks are used there.
 
vingjfg
Member
Posts: 375
Joined: Fri Oct 20, 2023 1:45 pm

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Mon May 13, 2024 11:44 am

From your configurations, there is an upstream device or devices to which your APs connect. Can you send the configuration of the one to which AP02 connects?
 
jaclaz
Forum Veteran
Posts: 815
Joined: Tue Oct 03, 2023 4:21 pm

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Mon May 13, 2024 11:51 am

I don't know, if you have only wlan1 on AP02, why is there a reference to wlan2?

On AP01 the untagged are wlan1, wlan2 and wlan_guest_5G, wlan_guest
On AP02 the untagged are wlan1 (OK) and wlan2 (shouldn't this be wlan_guest?)

Maybe it is just a naming confusion that I noticed.
 
breskmic
just joined
Topic Author
Posts: 8
Joined: Sat May 04, 2024 11:25 pm
Location: Czech Republic

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Mon May 13, 2024 2:03 pm

jaclaz wrote:
> I don't know, if you have only wlan1 on AP02, why is there a reference to wlan2?
>
> On AP01 the untagged are wlan1, wlan2 and wlan_guest_5G, wlan_guest
> On AP02 the untagged are wlan1 (OK) and wlan2 (shouldn't this be wlan_guest?)
>
> Maybe it is just a naming confusion that I noticed.

I see your point. However, the naming on AP02 is created automatically by CAPsMAN, so in this case wlan1 on AP02 corresponds to wlan1 on AP01 and wlan2 on AP02 corresponds to wlan_guest on AP01, so this should be correct.
 
breskmic
just joined
Topic Author
Posts: 8
Joined: Sat May 04, 2024 11:25 pm
Location: Czech Republic

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Mon May 13, 2024 2:11 pm

vingjfg wrote:
> From your configurations, there is an upstream device or devices to which your AP connect. Can you send the configuration of the one to which AP2 connects?

Yes, all devices are interconnected via a Cisco Catalyst switch, and there is nothing special, only all VLANs defined and trunks with the needed VLANs allowed - see below:
vlan 1000
 name NATIVE
!
vlan 1100
 name MGMT
!
vlan 1200
 name LAN1
!
vlan 1300
 name WIFI1
!
vlan 1400
 name WIFI2_GUEST
end

interface GigabitEthernet1/0/7
 description AP02_Eth1
 switchport trunk native vlan 1000
 switchport trunk allowed vlan 1100,1200,1300,1400
 switchport mode trunk
end

interface Port-channel4
 description AP01_Po1
 switchport trunk native vlan 1000
 switchport trunk allowed vlan 1100,1200,1300,1400
 switchport mode trunk
end
 
mkx
Forum Guru
Posts: 11808
Joined: Thu Mar 03, 2016 10:23 pm

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem  [SOLVED]

Mon May 13, 2024 2:41 pm

I think you have to set datapath.vlan-mode to "use-tag". Otherwise VLAN headers won't be handled by the wireless driver when passing between the wireless interface and the bridge. And as far as I remember (I'm not running CAPsMAN ATM) CAPsMAN doesn't do anything about the bridge when provisioning a wireless interface, so it's not adding the wlanX interface as either a tagged or an access port to the bridge (it simply adds wifiX to the bridge without further config).

From documentation:
datapath.vlan-id (integer [1..4095]; Default: ) VLAN ID to assign to interface if vlan-mode enables use of VLAN tagging
datapath.vlan-mode (use-service-tag | use-tag; Default: ) Enables and specifies the type of VLAN tag to be assigned to the interface (causes all received data to get tagged with VLAN tag and allows the interface to only send out data tagged with given tag)

You may want to check if my suspicions are correct by running
/interface/bridge/port/print

and
/interface/bridge/vlan/print

and inspect the output.
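An added example (not from the thread, and not MikroTik's own tooling) of the cross-check mkx suggests, done offline on the export text instead of on the live /interface/bridge/port and /interface/bridge/vlan output: it folds the RouterOS continuation lines, then reports vlan-table untagged members whose static bridge-port pvid is missing or different. The sample export is constructed from the AP02 lines above; the section names and field names are the ones a RouterOS export uses.

```python
import re
import shlex

# Constructed sample mirroring the bridge port and bridge vlan lines of the AP02
# export in the thread (continuation backslashes kept as RouterOS writes them).
AP02_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf frame-types=\\
    admit-only-untagged-and-priority-tagged interface=wlan1 \\
    internal-path-cost=10 path-cost=10 pvid=1300
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=\\
    ether1 internal-path-cost=10 path-cost=10
/interface bridge vlan
add bridge=bridge comment=WIFI1 tagged=bridge,ether1 untagged=\\
    wlan1 vlan-ids=1300
add bridge=bridge comment=WIFI2_GUEST tagged=bridge,ether1 \\
    untagged=wlan2 vlan-ids=1400
"""


def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} for the 'add' lines of an export."""
    folded = re.sub(r"\\\n\s*", "", text)  # join "\"-continued lines
    sections, current = {}, None
    for line in folded.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # section header such as "/interface bridge vlan"
            current = line
            sections.setdefault(current, [])
            continue
        words = shlex.split(line)  # handles comment="with spaces"
        if current is None or words[0] != "add":
            continue
        sections[current].append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return sections


def check_untagged_members(sections):
    """Compare vlan-table untagged membership against static bridge-port pvids.

    An untagged member with no static bridge-port entry is reported too: on AP02
    wlan2 exists only as a port CAPsMAN adds dynamically, so its VLAN must come
    from the CAPsMAN datapath (vlan-mode=use-tag, vlan-id), not from this export.
    Single vlan-ids values are assumed (no ranges or lists).
    """
    ports = {p["interface"]: p for p in sections.get("/interface bridge port", [])}
    vlans = sections.get("/interface bridge vlan", [])
    findings = []
    for vlan in vlans:
        vid = vlan["vlan-ids"]
        for member in filter(None, vlan.get("untagged", "").split(",")):
            if member == "bridge":
                continue
            port = ports.get(member)
            if port is None:
                findings.append((member, vid, "no static bridge-port entry"))
            elif port.get("pvid", "1") != vid:
                findings.append((member, vid, "pvid=" + port.get("pvid", "1")))
    for name, port in ports.items():  # reverse direction: pvid without vlan entry
        pvid = port.get("pvid")
        if pvid and not any(v["vlan-ids"] == pvid and name in v.get("untagged", "").split(",")
                            for v in vlans):
            findings.append((name, pvid, "pvid has no untagged vlan-table entry"))
    return findings


if __name__ == "__main__":
    for member, vid, why in check_untagged_members(parse_export(AP02_EXPORT)):
        print(f"{member}: untagged member of VLAN {vid} but {why}")
```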
 
breskmic
just joined
Topic Author
Posts: 8
Joined: Sat May 04, 2024 11:25 pm
Location: Czech Republic

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Mon May 13, 2024 3:30 pm

mkx wrote:
> I think you have to set datapath.vlan-mode to "use-tag". Otherwise VLAN headers won't be handled by wireless driver when passing between wireless interface and bridge. And as far as I remember (I'm not running capsman ATM) capsman doesn't do anything about bridge when provisioning wireless interface, so it's not adding wlanX interface as neither tagged nor access port to bridge (it simply adds wifiX to bridge without further config).
>
> From documentation:
> datapath.vlan-id (integer [1..4095]; Default: ) VLAN ID to assign to interface if vlan-mode enables use of VLAN tagging
> datapath.vlan-mode (use-service-tag | use-tag; Default: ) Enables and specifies the type of VLAN tag to be assigned to the interface (causes all received data to get tagged with VLAN tag and allows the interface to only send out data tagged with given tag)
>
> You may want to check if my suspicions are correct by running
> /interface/bridge/port/print
>
> and
> /interface/bridge/vlan/print
>
> and inspect the output.

Thank you very much.

You are absolutely right. I set the "use-tag" parameter in Datapath VLAN mode on AP01, and the VLAN was assigned to the WLAN interface on AP02 immediately. It is working correctly now.

Currently I am only wondering why it is working for WiFi1 if use-tag was not set there too. In fact it stops working if I set use-tag on wifi1. This is confusing.
 
mkx
Forum Guru
Posts: 11808
Joined: Thu Mar 03, 2016 10:23 pm

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Mon May 13, 2024 5:56 pm

Because you have this construct:
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan1 \
    internal-path-cost=10 path-cost=10 pvid=1300

Even though the radio part is provisioned by CAPsMAN, the bridge config is still in force. If you remove this line, then you'll need similar VLAN settings on CAPsMAN as you have now for the guest Wi-Fi.
 
breskmic
just joined
Topic Author
Posts: 8
Joined: Sat May 04, 2024 11:25 pm
Location: Czech Republic

Re: AP in L2 mode with CAPsMAN Guest Wi-Fi problem

Tue May 14, 2024 11:27 am

Thank you for your explanation mkx.
