Hmm, currently it seems to work only some of the time. The clients can connect to one specific AP. When moving away from that AP to the location of another AP, the device does not reconnect. When moving back to the original spot, it reconnects.
I had 802.11r (FT) enabled. When connected to the first AP it worked, and when moving around the client reconnected to another AP, which is better than without FT, but it then showed no external internet access.
Looking at the firewall logs, I saw that the sessions were created but timed out from the outside world, so the outside world could not send traffic back to the wifi client. I have a question: is that related to ARP tables? If so, then it might be similar to this topic:
viewtopic.php?t=200085
I will paste my config again.
The important thing here is that compared to the example in:
https://help.mikrotik.com/docs/display/ ... ionexample , I am using only "admit-only-vlan-tagged" under "bridge ports". Should I change this to "admit-only-untagged-and-priority-tagged" or "admit-all", and might this help?
I used to have static VLANs on my CAP, but changed this because I had not understood beforehand that CAPsMAN creates the VLANs etc. dynamically.
CAPSMAN ROUTER CONF:
# Bridge on the CAPsMAN router. vlan-filtering=yes means the bridge enforces
# the "/interface bridge vlan" table and the per-port frame-types set further
# down in this export. Spanning tree runs as MSTP (region "ext", revision 12).
/interface bridge
add admin-mac=02:E7:89:69:92:29 auto-mac=no fast-forward=no igmp-snooping=yes name=bridge protocol-mode=mstp region-name=ext region-revision=12 vlan-filtering=yes
# Layer-3 VLAN interfaces on top of the bridge. In this export vlan6 carries
# the wifi DHCP server and 10.0.0.2/22, and vlan40 carries the management
# address 192.168.20.24/24.
/interface vlan
add comment="VLAN 6" interface=bridge name=vlan6 vlan-id=6
add comment="VLAN 40" interface=bridge name=vlan40 vlan-id=40
# Datapath pushed to the radios: client traffic is attached to "bridge" with
# VLAN ID 6.
/interface wifiwave2 datapath
add bridge=bridge comment="Datapath for WiFi clients to pass data through" disabled=no name=vlan6 vlan-id=6
# Single security profile shared by both bands: WPA2-PSK only. No passphrase
# is shown (presumably omitted by the export as a sensitive value).
# NOTE(review): no ft= setting appears here, so 802.11r does not look enabled
# in this export even though the post says it was tested - confirm which state
# the roaming symptoms were observed in.
# NOTE(review): one shared WPA2 passphrase covers every client; if the client
# fleet supports it, consider also offering wpa3-psk.
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no name=security
# One configuration profile per band; both use the same SSID, security profile
# and VLAN 6 datapath, so clients see a single network across bands and APs.
/interface wifiwave2 configuration
add country=Estonia datapath=vlan6 disabled=no name=REDACTED-SSID-5GHz security=security ssid=REDACTED-SSID
add country=Estonia datapath=vlan6 disabled=no name=REDACTED-SSID security=security ssid=REDACTED-SSID
# CAP radio interfaces known to the manager, one 2.4 GHz and one 5 GHz entry
# per CAP (capax-01 .. capax-13), each bound to a radio by its radio-mac.
# The names match the name-format of the provisioning rules later in this
# export, so these are presumably the interfaces created by provisioning.
# The "# changed intended channel" lines are status comments already present
# in the export, not settings.
# NOTE(review): the SSID is redacted but the radio MACs are not; they identify
# the physical APs, so consider masking them too when sharing a config.
/interface wifiwave2
add configuration=REDACTED-SSID disabled=no name=wifi--capax-01_2GHz-1 radio-mac=48:A9:8A:E0:8F:27
# changed intended channel to 5260/ax/Ceee
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-01_5Ghz-1 radio-mac=48:A9:8A:E0:8F:26
add configuration=REDACTED-SSID disabled=no name=wifi--capax-02_2GHz-1 radio-mac=48:A9:8A:E0:8C:1D
# changed intended channel to 5520/ax/eCee
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-02_5Ghz-1 radio-mac=48:A9:8A:E0:8C:1C
add configuration=REDACTED-SSID disabled=no name=wifi--capax-03_2GHz-1 radio-mac=48:A9:8A:E4:F5:9F
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-03_5Ghz-1 radio-mac=48:A9:8A:E4:F5:9E
add configuration=REDACTED-SSID disabled=no name=wifi--capax-04_2GHz-1 radio-mac=48:A9:8A:E4:F5:B3
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-04_5Ghz-1 radio-mac=48:A9:8A:E4:F5:B2
add configuration=REDACTED-SSID disabled=no name=wifi--capax-05_2GHz-1 radio-mac=48:A9:8A:E4:F5:8F
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-05_5Ghz-1 radio-mac=48:A9:8A:E4:F5:8E
add configuration=REDACTED-SSID disabled=no name=wifi--capax-06_2GHz-1 radio-mac=48:A9:8A:E4:F5:03
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-06_5Ghz-1 radio-mac=48:A9:8A:E4:F5:02
add configuration=REDACTED-SSID disabled=no name=wifi--capax-07_2GHz-1 radio-mac=48:A9:8A:E4:F4:E3
# changed intended channel to 5540/ax/eeCe
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-07_5Ghz-1 radio-mac=48:A9:8A:E4:F4:E2
add configuration=REDACTED-SSID disabled=no name=wifi--capax-08_2GHz-1 radio-mac=48:A9:8A:E4:F5:8B
# changed intended channel to 5765/ax/eCee
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-08_5Ghz-1 radio-mac=48:A9:8A:E4:F5:8A
add configuration=REDACTED-SSID disabled=no name=wifi--capax-09_2GHz-1 radio-mac=48:A9:8A:E2:B1:A7
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-09_5Ghz-1 radio-mac=48:A9:8A:E2:B1:A6
add configuration=REDACTED-SSID disabled=no name=wifi--capax-10_2GHz-1 radio-mac=48:A9:8A:E2:AD:F9
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-10_5Ghz-1 radio-mac=48:A9:8A:E2:AD:F8
add configuration=REDACTED-SSID disabled=no name=wifi--capax-11_2GHz-1 radio-mac=48:A9:8A:E0:8C:3D
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-11_5Ghz-1 radio-mac=48:A9:8A:E0:8C:3C
add configuration=REDACTED-SSID disabled=no name=wifi--capax-12_2GHz-1 radio-mac=48:A9:8A:E2:AE:99
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-12_5Ghz-1 radio-mac=48:A9:8A:E2:AE:98
add configuration=REDACTED-SSID disabled=no name=wifi--capax-13_2GHz-1 radio-mac=48:A9:8A:E2:B8:39
add configuration=REDACTED-SSID-5GHz disabled=no name=wifi--capax-13_5Ghz-1 radio-mac=48:A9:8A:E2:B8:38
# DHCP for wifi clients: leases come from 10.0.0.100-10.0.3.253 and are served
# on the vlan6 interface.
/ip pool
add name=wifi ranges=10.0.0.100-10.0.3.253
/ip dhcp-server
add address-pool=wifi interface=vlan6 name=wifi
/port
set 0 name=serial0
set 1 name=serial1
# The default SNMP community is limited to a source address (redacted).
# NOTE(review): the community name is not shown, so it is presumably still the
# factory default; SNMP v1/v2c community strings travel in clear text, so the
# address restriction is the only control visible here - confirm.
/snmp community
set [ find default=yes ] addresses=REDACTED_IP
# Logging action 3 is pointed at a remote log host; the "/system logging"
# rules later in this export send topics to action "remote".
/system logging action
set 3 remote=192.168.2.6
#error exporting "/interface/bridge/host" (timeout)
# MSTP instances: VLAN 40 is mapped to instance 2 (management) and VLAN 6 to
# instance 3 (services).
/interface bridge msti
add bridge=bridge comment=external identifier=1 vlan-mapping=20,178-179
add bridge=bridge comment=management identifier=2 vlan-mapping=40,50
add bridge=bridge comment=services identifier=3 vlan-mapping=5-6,12-19,25-26,30-39,41-49
# Bridge ports. Every trunk port accepts tagged frames only; because the
# bridge has vlan-filtering=yes, this setting is enforced on this device.
# NOTE(review): the CAP side also tags VLAN 6 and VLAN 40 on its uplink, so
# nothing in this export shows a need for untagged traffic on the trunks.
# Switching them to admit-all would additionally admit untagged frames into
# the port PVID (presumably the default, 1) - treat that as a widening of what
# the trunks accept, not as a roaming fix.
/interface bridge port
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether7
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether8
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether9
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether10
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether11
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether12
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether13
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether14
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether16
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
# ether15 is the only access port: untagged frames land in VLAN 40
# (management), and bpdu-guard is enabled on it.
add bpdu-guard=yes bridge=bridge comment="Dedicated Management Port" frame-types=admit-only-untagged-and-priority-tagged interface=ether15 pvid=40
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=sfp-sfpplus2
# Neighbor discovery runs on every interface.
# NOTE(review): the CAP config in this post sets discover-interface-list=none;
# here "all" presumably includes the wifi client VLAN, which would announce
# the device identity to clients - consider limiting it to a management
# interface list.
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
# VLAN membership table (enforced, since vlan-filtering=yes on this bridge):
#   VLAN 1  - untagged on the bridge CPU port only
#   VLAN 40 - tagged on all trunks and the bridge, untagged on ether15
#   VLAN 6  - tagged on all trunks and the bridge
/interface bridge vlan
add bridge=bridge untagged=bridge vlan-ids=1
add bridge=bridge tagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether16,sfp-sfpplus1,sfp-sfpplus2,bridge untagged=ether15 vlan-ids=40
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether16,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=6
# Local CAP client settings on the manager itself; only the discovery
# interfaces are changed here.
/interface wifiwave2 cap
set discovery-interfaces=all
# CAPsMAN service: enabled, listening on all interfaces, with an
# auto-generated CA.
# NOTE(review): require-peer-certificate=no means CAPs are not required to
# present a certificate, and interfaces=all presumably includes the client
# VLAN (vlan6). Together that would let any device that can reach the router
# attempt to join as a CAP. Consider restricting interfaces= to the management
# VLAN interface and requiring peer certificates once the CAPs hold them.
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes interfaces=all package-path=/ require-peer-certificate=no upgrade-policy=suggest-same-version
# Provisioning: each joining radio is matched by supported band and gets the
# corresponding configuration profile; name-format yields the interface names
# seen under "/interface wifiwave2" in this export.
/interface wifiwave2 provisioning
add action=create-enabled comment="Match Radio bands for 5GHz wifi." disabled=no master-configuration=REDACTED-SSID-5GHz name-format=%I_5Ghz- supported-bands=5ghz-ax,5ghz-ac
add action=create-enabled comment="Match Radio bands for 2.4GHz radio." disabled=no master-configuration=REDACTED-SSID name-format=%I_2GHz- supported-bands=2ghz-ax,2ghz-n
# Router addresses: management on vlan40, and 10.0.0.2 inside the wifi client
# subnet on vlan6.
/ip address
add address=192.168.20.24/24 interface=vlan40 network=192.168.20.0
add address=10.0.0.2/22 interface=vlan6 network=10.0.0.0
# DHCP network options for wifi clients. No gateway= is set on this entry.
# NOTE(review): confirm clients learn a default gateway some other way;
# otherwise this is worth checking against the "no external internet" symptom.
/ip dhcp-server network
add address=10.0.0.0/22 comment="VLAN6 subnet for wifi clients." dns-server=REDACTED_IP
# allow-remote-requests=yes makes the router answer DNS queries from the
# network.
# NOTE(review): no /ip firewall rules appear in the export as posted, so the
# resolver is presumably reachable from every attached VLAN - confirm it is
# not exposed to untrusted networks.
/ip dns
set allow-remote-requests=yes servers=REDACTED_IP
/ip route
add distance=1 gateway=192.168.20.1
# Management services: telnet, ftp, api and winbox are disabled; www-ssl is
# enabled with a certificate and restricted to TLS 1.2.
# NOTE(review): "www" (plain HTTP) and "api-ssl" are not listed, so they are
# presumably still at their defaults, and no address= restriction is shown on
# any service - confirm.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=REDACTED-DOMAIN-NAME_cert.cer_0 disabled=no tls-version=only-1.2
set api disabled=yes
set winbox disabled=yes
# NOTE(review): allow-none-crypto=yes lets an SSH session be negotiated with
# no encryption, so credentials and commands could cross the network in clear
# text; unless there is a specific need, set allow-none-crypto=no.
# forwarding-enabled=remote permits SSH remote port forwarding through the
# router - keep it only if it is actually used.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# SNMP agent enabled; access is governed by the "/snmp community" entry
# earlier in this export.
/snmp
set contact=root@REDACTED-DOMAIN enabled=yes location=Tallinn
/system clock
set time-zone-name=Europe/Tallinn
/system identity
set name=REDACTED-DOMAIN-NAME
# Forward info/warning/error/critical and wireless events to the remote log
# action. The wireless topic gives the log host the client association and
# roaming events, which is the evidence needed for the roaming problem
# described in this post.
/system logging
add action=remote topics=info
add action=remote topics=warning
add action=remote topics=error
add action=remote topics=critical
add action=remote topics=wireless
/system note
set show-at-login=no
# NTP client enabled with two (redacted) servers.
/system ntp client
set enabled=yes
/system ntp client servers
add address=REDACTED_IP
add address=REDACTED_IP
/system routerboard settings
set enter-setup-on=delete-key
# Outgoing mail uses STARTTLS.
/tool e-mail
set address=REDACTED-DOMAIN-NAME from=root@REDACTED-DOMAIN-NAME tls=starttls
CAP CONF:
# CAP bridge. Unlike the CAPsMAN router, no vlan-filtering=yes is set here, so
# filtering is presumably off (the default).
# NOTE(review): with filtering off, the frame-types setting on ether1 and the
# "/interface bridge vlan" table of this CAP are not enforced. VLAN separation
# between clients (6) and management (40) then rests on tagging alone -
# confirm this is intended.
/interface bridge
add admin-mac=48:A9:8A:E0:8F:25 auto-mac=no comment=trunk name=bridge protocol-mode=none
# VLAN interfaces on the bridge: l3vlan40 holds the CAP's management address;
# vlan6 has no address in this export.
/interface vlan
add comment="VLAN 40" interface=bridge name=l3vlan40 vlan-id=40
add comment="VLAN 6" interface=bridge name=vlan6 vlan-id=6
# Local datapath used for the CAP's radios: client traffic goes to "bridge"
# with VLAN ID 6, matching the datapath defined on the manager.
/interface wifiwave2 datapath
add bridge=bridge comment="Datapath for WiFi clients to pass data through" disabled=no name=capdp vlan-id=6
# Both radios are handed over to CAPsMAN (configuration.manager=capsman) in AP
# mode; the "# managed by CAPsMAN" and "# mode:" lines are status comments
# from the export.
/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: REDACTED-SSID, channel: 5680/ax/eCee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=capdp disabled=no
# managed by CAPsMAN
# mode: AP, SSID: REDACTED-SSID, channel: 2457/ax/eC
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=capdp disabled=no
# Default SNMP community limited to a (redacted) source address.
# NOTE(review): the community name itself is not shown and is presumably the
# default - confirm.
/snmp community
set [ find default=yes ] addresses=REDACTED_IP
/system logging action
set 3 remote=192.168.2.6
# Uplink to the switch/manager. frame-types only takes effect when the bridge
# has vlan-filtering=yes, which this CAP's bridge does not set.
/interface bridge port
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether1
# Neighbor discovery is switched off on the CAP.
/ip neighbor discovery-settings
set discover-interface-list=none
# Static VLAN table: VLAN 1 untagged on the bridge, VLAN 40 tagged on the
# bridge and ether1.
# NOTE(review): VLAN 6, the VLAN used by datapath "capdp", is not listed.
# That only matters if vlan-filtering is ever enabled on this bridge; in that
# case check that VLAN 6 is tagged on ether1 before turning filtering on.
/interface bridge vlan
add bridge=bridge untagged=bridge vlan-ids=1
add bridge=bridge tagged=bridge,ether1 vlan-ids=40
# CAP client: connects to the manager at 192.168.20.24 (the router's vlan40
# address in this post), discovers on "bridge", and uses capdp for slave
# interfaces.
# NOTE(review): no certificate= setting appears here, so the CAP presumably
# does not authenticate the manager by certificate; the management VLAN is the
# trust boundary for the CAP-to-manager link - confirm.
/interface wifiwave2 cap
set caps-man-addresses=192.168.20.24 discovery-interfaces=bridge enabled=yes slaves-datapath=capdp
# CAP addresses: 192.168.188.1/24 sits directly on ether2, which is not a
# bridge port in this export (presumably a local service/recovery port), and
# 192.168.20.40/24 is the management address on VLAN 40.
/ip address
add address=192.168.188.1/24 interface=ether2 network=192.168.188.0
add address=192.168.20.40/24 interface=l3vlan40 network=192.168.20.0
/ip dns
set servers=REDACTED_IP
/ip route
add distance=1 gateway=192.168.20.1
# telnet, ftp, api and winbox are disabled.
# NOTE(review): unlike the router, no www-ssl line appears and "www" is not
# disabled, so the web interface is presumably still served over plain HTTP
# on the CAP - confirm, and restrict or disable it if unused.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
/snmp
set contact=root@REDACTED-DOMAIN enabled=yes location=Tallinn
/system clock
set time-zone-name=Europe/Tallinn
/system identity
set name=wifi--capax-01
# Forward info/warning/error/critical to the remote log action. Unlike the
# router, no "wireless" topic is forwarded from the CAP.
/system logging
add action=remote topics=info
add action=remote topics=warning
add action=remote topics=error
add action=remote topics=critical
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=REDACTED_IP
add address=REDACTED_IP
# The mode button runs the "dark-mode" script defined below.
/system routerboard mode-button
set enabled=yes on-event=dark-mode
# "dark-mode" script (comment=defconf): toggles the all-leds-off setting
# between "never" and "immediate". The policy list is broad for what the
# script body does, but dont-require-permissions=no is kept.
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool e-mail
set address=REDACTED-DOMAIN-NAME from=root@REDACTED-domain tls=starttls
# Layer-2 management (MAC-telnet and MAC-WinBox) is disabled on every
# interface of the CAP.
# NOTE(review): the CAPsMAN router export in this post has no matching lines,
# so these services are presumably still at their defaults there - consider
# applying the same restriction on the router.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
Although the documentation for frame-types says:
"Specifies allowed frame types on a bridge port. This property only has an effect when vlan-filtering is set to yes."
for CAPsMAN to work with the CAPs, the CAPs need to have vlan-filtering disabled, because CAPsMAN dynamically creates everything necessary.