gungner
just joined
Topic Author
Posts: 11
Joined: Thu Sep 06, 2018 7:45 am

CAP AX - CAPSMAN- no DHCP lease [SOLVED]

Tue Jan 30, 2024 1:11 pm

Router RB4011iGS+ (CAPSMAN)
cAP AX 7.3.3
cAP AC (several) and some other APs, all running 7.3.3

All the ACs are managed through CAPSMAN (old one below Wireless). I've 3 VLANs with different IP ranges. Bridge has all the ports added and Use IP firewall + IP Firewall for VLAN. All this works just fine and has done for a long time.

Now I want to upgrade to cAP AX. I rebooted the AX into CAP mode, enabled CAPSMAN on the router (under Wifi). The AX connects fine and I can see it under Remote CAP. I can also see that clients are connecting and being Authorised (A). I have added the new AX interfaces into the CAPSMAN-bridge with correct VLAN/admit all/Ingress filtering (as I've done with all the other APs).

In the CAPSMAN logs I see
BASE_DHCP assigned 192.168.1.157 for xx.xx.xx.xx.xx.xx
BASE_DHCP deassigned 192.168.1.157 for xx.xx.xx.xx.xx.xx
BASE_DHCP offering lease 192.168.1.157 for xx.xx.xx.xx.xx.xx without success

No client connecting to AX will get an IP address.

I shall add that all APs are going through a MikroTik Switch, CSS106-5G. They have "Strict/Only untagged/Leave as" in the VLAN settings. All the same config as all the AC APs.

I've been in the rabbit hole for days now and don't know how to proceed. Any pointing in a direction is much appreciated or if I shall add anything specific from an export.

Cheers :)
Last edited by gungner on Tue Feb 06, 2024 1:40 pm, edited 1 time in total.
 
whatever
Member
Posts: 353
Joined: Thu Jun 21, 2018 9:29 pm

Re: CAP AX - CAPSMAN- no DHCP lease

Tue Jan 30, 2024 1:16 pm

New Wifi capsman no longer supports traffic tunneling to the controller. It is always in local forwarding mode.
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAP AX - CAPSMAN- no DHCP lease

Tue Jan 30, 2024 1:24 pm

Can you share the WiFi settings of the CAPsMAN:
/interface/wifi/ export
Or even better a complete export of the device running CAPsMAN:
/export file=anynameyoulike
Remove serial and any other private information.
 
gungner
just joined
Topic Author
Posts: 11
Joined: Thu Sep 06, 2018 7:45 am

Re: CAP AX - CAPSMAN- no DHCP lease

Tue Jan 30, 2024 1:39 pm

thanks. I start with /interface/wifi export
# 2024-01-30 12:35:11 by RouterOS 7.13.3
# software id = WLH2-0A7L
#
# model = RB4011iGS+
# serial number = ?
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412 name=2AX2412 width=20mhz
add band=2ghz-ax disabled=no frequency=2437 name=2AX2437 width=20/40mhz
add band=5ghz-ax disabled=no frequency=5180 name=5AX5180 width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5500 name=5AX5500 width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5745 name=5AX5745 width=20/40/80mhz
/interface wifi datapath
add disabled=no name=IOT vlan-id=10
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=valhall
add authentication-types=wpa-psk,wpa2-psk disabled=no name=IOT
/interface wifi configuration
add country=Sweden datapath=IOT disabled=no mode=ap name=Kitchen5AX_IOT \
    security=IOT ssid=NES
/interface wifi
add channel.frequency=2412 configuration=Kitchen2AX_valhall \
    configuration.mode=ap disabled=no name=Kitchen2AX_valhall radio-mac=\
    78:9A:18:?
add configuration=Kitchen5AX_IOT configuration.mode=ap datapath=IOT \
    mac-address=7A:9A:18:? master-interface=Kitchen5AX_valhall name=\
    Kitchen5AX_IOT security=IOT
add channel.frequency=5745 .width=20/40/80mhz configuration=\
    Kitchen5AX_valhall configuration.mode=ap disabled=no name=\
    Kitchen5AX_valhall radio-mac=78:9A:18:?
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
    none
/interface wifi configuration
add channel=5AX5180 country=Sweden datapath=valhall disabled=no mode=ap name=\
    Kitchen5AX_valhall security=valhall ssid=valhall
add channel=2AX2412 country=Sweden datapath=valhall disabled=no mode=ap name=\
    Kitchen2AX_valhall security=valhall ssid=valhall
/interface wifi datapath
add bridge=valhall_bridge disabled=no name=valhall vlan-id=99
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAP AX - CAPSMAN- no DHCP lease

Tue Jan 30, 2024 1:55 pm

The first thing I notice is that "configuration=Kitchen2AX_valhall", while it is not a configuration.
Your naming convention is doomed to be a mess: use unique names, i.e. Kitchen5AX_IOT_cfg and IOT_sec

After having another look...mmm, seems you copy/paste randomly...is this really an export?

Ok, summarize:

VLAN ID 99 is the "corporate" network
VLAN ID 10 is IOT

Would like to see the rest of the config, just to make sure that the VLAN part is correct on the bridge.
But first you can set the datapath bridge property for the IOT network, that is currently missing.

Question: do you really need wpa-psk?
 
gungner
just joined
Topic Author
Posts: 11
Joined: Thu Sep 06, 2018 7:45 am

Re: CAP AX - CAPSMAN- no DHCP lease

Tue Jan 30, 2024 3:54 pm

I've removed all other SSID now, except valhall, just to get something working. VLAN 99 = normal network for computers etc, VLAN 10 is wifi only and IOT devices. ( and I got some more but not handled by this AX) Yes, the export above is directly from router.

wpa-psk is a mistake, but a part of IOT which is removed for the time being.
/interface bridge
add name=valhall_bridge port-cost-mode=short protocol-mode=none \
    vlan-filtering=yes
/interface bridge port
add bridge=valhall_bridge interface=ether4_Ilse_sw internal-path-cost=10 \
    path-cost=10 pvid=99
add bridge=valhall_bridge interface=ether10_Njord internal-path-cost=10 \
    path-cost=10 pvid=99
add bridge=valhall_bridge interface=Kitchen5AX_valhall pvid=99
add bridge=valhall_bridge interface=Kitchen2AX_valhall pvid=99
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=valhall_bridge tagged="valhall_bridge,ether4_Ilse_sw" untagged=ether10_Njord \
    vlan-ids=99
(removed all other connections to just focus on this AX)

AX is connected on ether4_ilse_sw (switch). Njord is an AP connected directly to the router (old outside groove 2.5GHz) and working.
"New Wifi capsman no longer supports traffic tunneling to the controller. It is always in local forwarding mode."
What do I need to do to fix this? Some new forward in Firewall?

cheers :)
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAP AX - CAPSMAN- no DHCP lease

Tue Jan 30, 2024 4:14 pm

Don't add the CAP interfaces to the bridge manually, binding is done through datapath.

Have a look at this basic tutorial with CAPsMAN and VLAN:
https://help.mikrotik.com/docs/display/ ... ionexample:
 
gungner
just joined
Topic Author
Posts: 11
Joined: Thu Sep 06, 2018 7:45 am

Re: CAP AX - CAPSMAN- no DHCP lease

Tue Jan 30, 2024 4:31 pm

Removed (leftovers from days in the rabbit hole). Still the same problem. My AX interfaces don't show up in the bridge/port list at all even though the AX interface shows in wifi/registration (at least until the DHCP request times out).

the Datapath says
/interface wifi datapath
add bridge=valhall_bridge disabled=no name=valhall vlan-id=99
Why don't the AX interfaces show up in the bridge/port list? Any connection to
"New Wifi capsman no longer supports traffic tunneling to the controller. It is always in local forwarding mode."
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAP AX - CAPSMAN- no DHCP lease

Tue Jan 30, 2024 4:37 pm

I would like to suggest starting from a clean situation: remove all /interface/wifi entries and reset the CAP to CAPS Mode.
Especially when there are leftovers.
"Why don't the AX interfaces show up in the bridge/port list? any connection to"
Because they shouldn't, you should however see the interfaces in the Interface List: /interface
 
gungner
just joined
Topic Author
Posts: 11
Joined: Thu Sep 06, 2018 7:45 am

Re: CAP AX - CAPSMAN- no DHCP lease

Tue Jan 30, 2024 6:14 pm

done a CAP reset on AX and a restore router to before I started to include new AX. Also followed https://help.mikrotik.com/docs/display/ ... ionexample. Now I got no connection between router and AX through WIFI at all.

When I remove my bridge from
/interface wifi capsman
set enabled=yes interfaces=br
then I get a connection again and I can see the AX in RemoteCAP, and I see it in Interfaces (no traffic though)

Following the remaining instructions for CAPSMAN, I'm still left with no assigned IP for any client :(
 
gungner
just joined
Topic Author
Posts: 11
Joined: Thu Sep 06, 2018 7:45 am

Re: CAP AX - CAPSMAN- no DHCP lease [SOLVED]

Tue Feb 06, 2024 1:39 pm

finally, after hours and hours of trial and error, and watching https://www.youtube.com/watch?v=69pqaZG_7vA over and over again (speech in Polish) I got it to work in my current setup with a few adjustments.

The key was:
"New Wifi capsman no longer supports traffic tunneling to the controller. It is always in local forwarding mode."
so nothing to do with my CAPsMAN. Added all VLANs locally to the CAP and also put the CAP IP on a separate VLAN towards my router (which was the last issue to find out and took the longest time to figure out - all in the video).

After that it all worked :) Now I'm a happy geezer and thinking of buying an additional CAP AX, and hope there will be a CAPsMAN forwarding in the future.

Cheers,
 
H4Y3
just joined
Posts: 2
Joined: Sun Nov 19, 2023 4:31 pm

Re: CAP AX - CAPSMAN- no DHCP lease [SOLVED]

Fri Feb 09, 2024 8:30 pm



"The key was:
New Wifi capsman no longer supports traffic tunneling to the controller. It is always in local forwarding mode.
so nothing to do with my CAPsMAN. Added all VLANs locally to the CAP and also put the CAP IP on a separate VLAN towards my router (which was the last issue to find out and took the longest time to figure out - all in the video)."
I have also found the same solution myself. You are not alone with the problem.
 
ladegro
just joined
Posts: 14
Joined: Tue Apr 03, 2018 11:05 am
Location: Netherlands

Re: CAP AX - CAPSMAN- no DHCP lease [SOLVED]

Fri Mar 08, 2024 12:53 am

I think I have the exact same problem; CAPSMAN is provisioning the right configuration to the HAP AX3, clients can connect successfully but the DHCP response from the router doesn't seem to land at the device, thus after five attempts it gives up.

So I'm trying to figure out your last comment;
"and also put the CAP IP on a separate VLAN towards my router (which was the last issue to find out and took the longest time to figure out - all in the video)."
Can you elaborate a bit? Where did you put the CAP IP exactly in your router?
 
ladegro
just joined
Posts: 14
Joined: Tue Apr 03, 2018 11:05 am
Location: Netherlands

Re: CAP AX - CAPSMAN- no DHCP lease [SOLVED]

Fri Mar 08, 2024 10:30 am

Okay, got it working but quite the manual way so the benefits of using CAPSMAN are really minimal now;
This is what I did to get VLAN tagging working for both the physical interfaces on the HAP-AX3 as well as for the Wifi interfaces, using routeros 7.14 with wifiwave2 driver (qcom):

- do your VLAN tagging on the bridge in line with the latest documentation (so add the bridge itself tagged to every vlan, as well as the trunk port)
- on CAPSMAN end/router: set up provisioning of the CAPS using 'create enabled', so NOT dynamic
- make sure that on CAPSMAN end/router, you're not pushing a datapath in the configuration, just leave this empty as you need to config it on the CAPs end
- on the CAPS, create a datapath for every vlan, set each to the (same) bridge (add a bridge if not existing already), and set the VLAN id. So in my case I have a datapath10-home, datapath20-domotics, datapath30-guests and datapath40-cameras.
- on the CAPS, click the wifi interfaces, and set them to be managed by CAPSMAN in the configuration tab
- also set the datapath to the according VLAN
- enable CAP, enable VLAN-filtering and let the interfaces be created. I had to select 'slaves static' so I could add the correct datapath afterwards for the virtual AP's, since they need different VLAN.

Now I've got connection, the clients are getting their DHCP response thus IP and can connect and my physical ports can still be assigned different VLANs.

This works and it's "doable" for small networks as I have at home (2x HAP-ax, 1x hap-ac2) but I won't be doing this for clients who serve like 15 CAP's (although I could probably then just disable vlan filtering on the CAP).

Expect Mikrotik to see this as a bug so hopeful that a new release will fix this (though not seeing anything about it in changelog for testing-release/beta).
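
Added example, not part of the post above or of MikroTik's documentation: a CAP-side RouterOS 7 sketch of the steps just listed, which also includes the separate management VLAN for the CAP's own IP that the topic author describes. The datapath names and VLAN ids 10-40 come from the post; the bridge name bridgeLocal, trunk port ether1, management VLAN id 100 and the virtual AP name wifi3 are assumptions.

```routeros
# Run on the CAP (a hAP ax3 in the post). Assumed names: bridgeLocal,
# trunk port ether1, management VLAN 100. Filtering is enabled last so the
# device stays reachable while the VLAN table is built.
/interface bridge
add name=bridgeLocal vlan-filtering=no
/interface bridge port
add bridge=bridgeLocal interface=ether1

# The bridge itself and the trunk port are tagged members of every VLAN.
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=10
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=30
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=40
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=100

# The CAP's own IP lives on its own VLAN towards the router (assumed id 100).
/interface vlan
add interface=bridgeLocal name=vlan100-mgmt vlan-id=100
/ip dhcp-client
add interface=vlan100-mgmt disabled=no

# One local datapath per VLAN, all on the same bridge.
/interface wifi datapath
add bridge=bridgeLocal name=datapath10-home vlan-id=10
add bridge=bridgeLocal name=datapath20-domotics vlan-id=20
add bridge=bridgeLocal name=datapath30-guests vlan-id=30
add bridge=bridgeLocal name=datapath40-cameras vlan-id=40

# Radios are managed by CAPsMAN, but the datapath is chosen on the CAP.
/interface wifi
set [find default-name=wifi1] configuration.manager=capsman datapath=datapath10-home disabled=no
set [find default-name=wifi2] configuration.manager=capsman datapath=datapath10-home disabled=no

# slaves-static keeps provisioned virtual APs as static, editable entries.
/interface wifi cap
set enabled=yes discovery-interfaces=vlan100-mgmt slaves-static=yes

# Once provisioning has created a virtual AP, point it at its own VLAN.
# "wifi3" is a hypothetical name; check /interface wifi print for the real one.
/interface wifi
set [find name=wifi3] datapath=datapath30-guests

/interface bridge
set bridgeLocal vlan-filtering=yes
```

On the CAPsMAN side the matching provisioning rule uses 'create enabled' and a configuration without a datapath, as the post describes.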
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAP AX - CAPSMAN- no DHCP lease [SOLVED]

Fri Mar 08, 2024 12:23 pm

For ax devices it is sufficient to set the device to CAP (reset with CAPs Mode). No manual settings on the CAP have to be done, unless you want "something" done with VLAN on the ethernet interfaces. The wireless interfaces can be completely managed by CAPsMAN, including VLAN.
 
ladegro
just joined
Posts: 14
Joined: Tue Apr 03, 2018 11:05 am
Location: Netherlands

Re: CAP AX - CAPSMAN- no DHCP lease [SOLVED]

Sun Mar 17, 2024 4:40 pm

"For ax devices it is sufficient to set the device to CAP (reset with CAPs Mode). No manual settings on the CAP have to be done, unless you want "something" done with VLAN on the ethernet interfaces. The wireless interfaces can be completely managed by CAPsMAN, including VLAN."
Sure, but I've put a HAP in place instead of just a CAP for a reason of course ;-) Indeed I need to use VLAN tagging on the ethernet ports also...
