AP01 is a MikroTik RB962UiGS-5HacT2HnT running OS v7.14.3 and serving as the CAPsMAN manager.
AP02 is a MikroTik RB951G-2HnD running OS v7.14.3 and serving as a remote CAP.
Both APs are connected to a Cisco Catalyst switch, and the interconnecting WAN interfaces are configured as trunks with the following VLANs allowed:
VLAN 1100: Management
VLAN 1200: LAN
VLAN 1300: Wi-Fi
VLAN 1400: Wi-Fi_Guest
A VLAN interface in VLAN 1100 is created on both APs for management traffic (CAPsMAN, etc.).
All physical LAN interfaces on both APs are assigned to VLAN 1200.
The physical WLAN1 on both APs is assigned to VLAN 1300.
The virtual WLAN_Guest on both APs is assigned to VLAN 1400.
Both APs work in L2 mode only; all L3 and FW/NAT functions are disabled.
L3, including DHCP for all client VLANs, and FW/NAT services are provided by a Juniper SRX firewall, which is connected to the same Cisco Catalyst switch as both APs.
I know it is a slightly wild setup, but everything works fine except the Guest Wi-Fi on AP02.
When I try to connect to the Guest Wi-Fi on AP02, authentication passes correctly, but then my mobile phone reports that the connection has no Internet access and disconnects automatically. Unfortunately there is nothing useful in the logs on either AP, and the Guest Wi-Fi on AP01 works correctly.
Please see my AP configurations below. Any idea what could be wrong?
AP01
# model = RB962UiGS-5HacT2HnT
# AP01: CAPsMAN manager. L2-only export - there are no /ip firewall filter rules in it;
# the only IP address configured is on the management VLAN interface (see /ip address).
/interface bridge
add admin-mac=<REMOVED> auto-mac=no comment=defconf name=bridge \
port-cost-mode=short vlan-filtering=yes
/interface wireless
# Locally configured radios: this export has no /interface wireless cap section, so AP01's
# own SSIDs are driven by these settings and the local security profiles, not by CAPsMAN.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country="czech republic" disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=WIFI wireless-protocol=802.11 \
wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country="czech republic" disabled=no distance=indoors \
frequency=auto installation=indoor mode=ap-bridge ssid=WIFI_5G \
wireless-protocol=802.11 wps-mode=disabled
/interface bonding
# LACP bond of ether1+ether2 towards the switch; Po1 is the VLAN trunk (bridge port below).
add comment="Uplink to SW01" mode=802.3ad name=Po1 slaves=ether1,ether2 \
transmit-hash-policy=layer-2-and-3
/interface vlan
# Management VLAN sub-interface created on Po1 directly, not on the bridge.
add interface=Po1 name=V1100_MGMT vlan-id=1100
/caps-man security
# Both CAPsMAN profiles are WPA2-PSK with AES-CCM only (no TKIP fallback).
add authentication-types=wpa2-psk comment="WiFi_Guest Security" encryption=\
aes-ccm group-encryption=aes-ccm name=security_guest passphrase=\
<REMOVED>
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=security1 passphrase=<REMOVED>
/caps-man configuration
# Master SSID pushed to CAPs: local forwarding (the CAP bridges client frames itself into
# its own bridge), .vlan-id=1300 with .vlan-mode=no-tag.
add country="czech republic" datapath.bridge=bridge .local-forwarding=yes \
.vlan-id=1300 .vlan-mode=no-tag name=WIFI security=security1 \
security.group-key-update=5m ssid=WIFI
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/caps-man configuration
# Guest SSID pushed to CAPs as a slave (virtual) AP: local forwarding, .vlan-id=1400,
# .vlan-mode=no-tag, interface placed in the built-in "dynamic" list.
# NOTE(review): how the CAP turns .vlan-id=1400 into bridge VLAN membership of the
# dynamically created guest port should be confirmed on AP02 (/interface bridge port print);
# AP02's static bridge VLAN table lists no dynamic guest interface for VLAN 1400.
add comment=Guest country="czech republic" datapath.bridge=bridge \
.interface-list=dynamic .local-forwarding=yes .vlan-id=1400 .vlan-mode=\
no-tag mode=ap name=WIFI_Guest security=security_guest \
security.group-key-update=5m ssid=WIFI_Guest
/interface wireless security-profiles
# Local security profiles for the directly configured radios above (WPA2-PSK).
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=\
<REMOVED> wpa2-pre-shared-key=\
<REMOVED>
add authentication-types=wpa2-psk comment="Guest Wi-Fi networks password." \
mode=dynamic-keys name=Guest_PWD supplicant-identity=MikroTik \
wpa-pre-shared-key=<REMOVED> wpa2-pre-shared-key=<REMOVED>
/interface wireless
# Static guest virtual APs on AP01, one per radio. These are local interfaces (not CAPsMAN
# dynamic ones) and are added as bridge ports with pvid=1400 further down.
add comment=Guest disabled=no mac-address=<REMOVED> master-interface=\
wlan1 name=wlan_guest security-profile=Guest_PWD ssid=WIFI_Guest \
vlan-id=1400 wps-mode=disabled
add comment=Guest disabled=no mac-address=<REMOVED> master-interface=\
wlan2 name=wlan_guest_5g security-profile=Guest_PWD ssid=WIFI_5G_Guest \
vlan-id=1400
/interface wireless manual-tx-power-table
set wlan_guest comment=Guest
set wlan_guest_5g comment=Guest
/interface wireless nstreme
set *A comment=Guest
set *E comment=Guest
/ip smb users
set [ find default=yes ] disabled=yes
/caps-man manager
# NOTE(review): only enabled=yes is set here; certificate / peer-certificate options are
# not present in this export, so CAP admission relies on which interface the manager
# listens on (restricted below) rather than on certificates - confirm this is intended.
set enabled=yes
/caps-man manager interface
# Manager accepts CAPs only via the management VLAN interface; everything else forbidden.
set [ find default=yes ] forbid=yes
add comment=Management disabled=no interface=V1100_MGMT
/caps-man provisioning
# Unconditional rule (no radio-mac / identity match): every CAP that reaches the manager
# gets WIFI as master and WIFI_Guest as a dynamically created, enabled slave interface.
add action=create-dynamic-enabled master-configuration=WIFI \
slave-configurations=WIFI_Guest
/interface bridge filter
# All four guest forward-drop rules are disabled=yes, so they enforce nothing at present;
# guest traffic on AP01 is separated only by VLAN 1400 and by what the SRX does upstream.
add action=drop chain=forward disabled=yes in-interface=wlan_guest_5g
add action=drop chain=forward disabled=yes out-interface=wlan_guest_5g
add action=drop chain=forward disabled=yes in-interface=wlan_guest
add action=drop chain=forward disabled=yes out-interface=wlan_guest
/interface bridge port
# Access ports: ether3-5 untagged in VLAN 1200 (LAN), wlan1/wlan2 in 1300 (Wi-Fi),
# wlan_guest/wlan_guest_5g in 1400 (Guest). sfp1 has no pvid or frame-types set here.
# Po1 is the trunk and admits tagged frames only.
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 \
internal-path-cost=10 path-cost=10 pvid=1200
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 \
internal-path-cost=10 path-cost=10 pvid=1200
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 \
internal-path-cost=10 path-cost=10 pvid=1200
add bridge=bridge comment=defconf interface=sfp1 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wlan1 \
internal-path-cost=10 path-cost=10 pvid=1300
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wlan2 \
internal-path-cost=10 path-cost=10 pvid=1300
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan_guest_5g internal-path-cost=10 path-cost=10 pvid=1400
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=\
Po1 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=wlan_guest internal-path-cost=10 path-cost=10 pvid=1400
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# VLAN table: each VLAN is tagged on the bridge CPU port and on the Po1 trunk, with the
# matching access ports untagged. The guest interfaces are explicit members of VLAN 1400.
# NOTE(review): V1100_MGMT is defined as a VLAN sub-interface on Po1 (see /interface vlan),
# not as a bridge port; listing it as an untagged member here looks unusual - confirm it is
# intended (management is reported as working, so it is not the problem under discussion).
add bridge=bridge comment=MGMT tagged=bridge,Po1 untagged=\
V1100_MGMT vlan-ids=1100
add bridge=bridge comment=LAN1 tagged=bridge,Po1 untagged=\
ether3,ether4,ether5 vlan-ids=1200
add bridge=bridge comment=WIFI1 tagged=bridge,Po1 untagged=\
wlan1,wlan2 vlan-ids=1300
add bridge=bridge comment=WIFI2_GUEST tagged=bridge,Po1 untagged=\
wlan_guest_5g,wlan_guest vlan-ids=1400
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Po1 list=WAN
/interface ovpn-server server
# The allowed HMAC list still includes md5. The server's enabled state is not shown in
# this export; only relevant if the OVPN server is ever switched on.
set auth=sha1,md5
/ip address
add address=<REMOVED> comment=Management interface=V1100_MGMT \
network=<REMOVED>
/ip dhcp-client
add comment=Gateway disabled=yes interface=Po1
/ip dns
# allow-remote-requests=yes makes the AP answer DNS queries from any host that can reach
# its management address; with no /ip firewall filter rules in this export, that is
# everything in VLAN 1100. Set to no if clients are not meant to use the AP as resolver.
set allow-remote-requests=yes servers=<REMOVED>
/ip dns static
add address=<REMOVED> comment=defconf name=router.lan
/ip firewall nat
# Default masquerade rule kept but disabled - NAT is done by the SRX, not on the AP.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=<REMOVED> routing-table=main \
suppress-hw-offload=no
/ip service
# Plaintext management services (telnet, ftp, http) disabled; HTTPS with a named
# certificate stays enabled.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=AP01
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=<REMOVED>
/tool mac-server
# MAC-telnet / MAC-WinBox reachable only from interfaces in the LAN list (the bridge).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# model = RB951G-2HnD
# AP02: remote CAP with a single radio (wlan1). L2-only export - no /ip firewall filter
# rules; the only IP address configured is on the management VLAN interface.
/interface bridge
add admin-mac=<REMOVED> auto-mac=no comment=defconf name=bridge \
port-cost-mode=short vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2462/20-eC/gn(17dBm), SSID: WIFI, local forwarding
# Only wlan1 appears anywhere in this export. The guest SSID on this CAP is a virtual
# interface created dynamically by the manager's provisioning rule (slave-configuration
# WIFI_Guest on AP01); it is not a static interface here.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country="czech republic" disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11 wps-mode=disabled
/interface vlan
# Management VLAN sub-interface created on ether1 (the trunk) directly, not on the bridge.
add interface=ether1 name=V1100_MGMT \
vlan-id=1100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Guest_PWD is defined locally, but no interface in this export references it; the guest
# SSID on this CAP uses the CAPsMAN profile security_guest pushed from AP01.
add authentication-types=wpa2-psk comment="Guest Wi-Fi networks password." \
mode=dynamic-keys name=Guest_PWD supplicant-identity=MikroTik \
wpa2-pre-shared-key=<REMOVED>
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
# Access ports: ether2-5 untagged in VLAN 1200 (LAN), wlan1 in 1300 (Wi-Fi); ether1 is
# the tagged-only trunk. There is no static bridge port for the guest interface - with
# datapath.bridge=bridge on the WIFI_Guest configuration the CAP adds it dynamically.
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2 \
internal-path-cost=10 path-cost=10 pvid=1200
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 \
internal-path-cost=10 path-cost=10 pvid=1200
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 \
internal-path-cost=10 path-cost=10 pvid=1200
add bpdu-guard=yes bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 \
internal-path-cost=10 path-cost=10 pvid=1200
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wlan1 \
internal-path-cost=10 path-cost=10 pvid=1300
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=\
ether1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN protocol=lldp
/interface bridge vlan
# VLAN table: each VLAN tagged on the bridge CPU port and on the ether1 trunk.
add bridge=bridge comment=LAN1 tagged=bridge,ether1 untagged=\
ether2,ether3,ether4,ether5 vlan-ids=1200
add bridge=bridge comment=WIFI1 tagged=bridge,ether1 untagged=\
wlan1 vlan-ids=1300
# NOTE(review): the only untagged member of VLAN 1400 is wlan2, but this export defines
# no wlan2 - only wlan1 is configured, bridged, and handed to CAPsMAN (/interface wireless
# cap interfaces=wlan1), and wlan2 is not a bridge port either. The guest SSID on this CAP
# is a dynamically created interface, and nothing in this table makes it a member of VLAN
# 1400. If the dynamic guest port is not a VLAN 1400 member, bridge VLAN filtering
# (vlan-filtering=yes above) will not forward its frames after association, which matches
# the reported symptom (authentication succeeds, then no connectivity). Check with
# /interface bridge port print and /interface bridge vlan print while a guest client is
# associated. AP01's guest SSID works because its guest interfaces are static bridge ports
# with pvid=1400 and explicit VLAN 1400 membership.
add bridge=bridge comment=WIFI2_GUEST tagged=bridge,ether1 \
untagged=wlan2 vlan-ids=1400
# NOTE(review): V1100_MGMT is a VLAN sub-interface on ether1 (see /interface vlan), not a
# bridge port; confirm this untagged membership is intended (management is reported working).
add bridge=bridge comment=MGMT tagged=bridge,ether1 untagged=\
V1100_MGMT vlan-ids=1100
/interface list member
add comment=defconf interface=bridge list=LAN
# ether1's WAN membership is disabled, so the WAN list is empty and the (also disabled)
# masquerade rule below would match nothing even if enabled.
add comment=defconf disabled=yes interface=ether1 list=WAN
/interface ovpn-server server
# The allowed HMAC list still includes md5. The server's enabled state is not shown in
# this export; only relevant if the OVPN server is ever switched on.
set auth=sha1,md5
/interface wireless cap
#
# CAP mode: the manager is discovered only through the management VLAN interface, and
# client traffic is bridged locally into "bridge" (local forwarding per the manager
# configuration). No caps-man-addresses or certificate options appear in this export, so
# discovery and trust rely on L2 adjacency within VLAN 1100 - confirm this is acceptable.
set bridge=bridge discovery-interfaces=V1100_MGMT enabled=yes \
interfaces=wlan1
/ip address
add address=<REMOVED> comment=Management interface=V1100_MGMT \
network=<REMOVED>
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dns
# allow-remote-requests=yes makes the AP answer DNS queries from any host that can reach
# its management address; with no /ip firewall filter rules in this export, that is
# everything in VLAN 1100. Set to no if clients are not meant to use the AP as resolver.
set allow-remote-requests=yes servers=<REMOVED>
/ip firewall nat
# Default masquerade rule kept but disabled - NAT is done by the SRX, not on the AP.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
/ip service
# Plaintext management services (telnet, ftp, http) disabled; HTTPS with a named
# certificate stays enabled.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=AP02
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=<REMOVED>
/tool mac-server
# MAC-telnet / MAC-WinBox reachable only from interfaces in the LAN list (the bridge).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN