Can't access certain sites through CAPsMAN setup

I am trying to set up CAPsMAN with one cap. The idea is to have my normal AP and a guest AP. The future guest APs I can block with rules in the firewall without going through VLANs and needing additional switches. Hence CAPsMAN.

The setup is quite simple. I have two bridges. One bridge for “MyNetwork” and one bridge for “MyGuestNetwork”. Both are masqueraded out of ethernet 1. I have set up DHCP on those bridges with two different ranges. The “real” cap interface is bridged to bridge1 together with ethernet2. The virtual cap is bridged to bridge2.

Everything works for MyNetwork but I can’t reach http://www.google.com for MyGuestNetwork.

I have done some troubleshooting.

Switching the virtual cap to bridge1 doesn’t solve the problem. Switching the real cap to bridge2, it still works. From this I assume it has something to do with the caps (perhaps real vs virtual) and not with something above that (bridge/masquerade/firewall/…).

Normal sites (other than http://www.google.com) seem to work. http://www.google.com gets redirected to https, but another https site I visit works normally.

I am a bit lost.

→ further information

It is not only related to Google. Other (non-https) sites also seem to suffer. The loading takes forever.

After a reboot of both the router and the AP the problems are gone.

I hope it stays this way but I doubt it will.

→ some further information

I assume the following is more or less as it’s supposed to be, but comments are appreciated.

/interface bridge
add comment="MyNetwork Bridge" l2mtu=1520 name=bridge1
add comment="MyGuestNetwork bridge" l2mtu=1520 name=bridge2

/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] arp=proxy-arp
set [ find default-name=ether5 ] arp=proxy-arp

/ip neighbor discovery
set ether1 discover=no
set bridge1 comment="MyNetwork Bridge"
set bridge2 comment="MyGuestNetwork bridge"

/caps-man configuration
add datapath.bridge=bridge1 name=MyNetwork security.authentication-types=\
    wpa2-psk security.encryption=aes-ccm security.passphrase=XXXXXXXXXXXXXX \
    ssid=MyNetwork
add datapath.bridge=bridge2 name=MyGuestNetwork \
    security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.passphrase=XXXXXXXXXXXXXX ssid=MyGuestNetwork

/interface wireless security-profiles
set [ find default=yes ] group-ciphers="" unicast-ciphers=""

/ip pool
add name=pool179 ranges=192.168.179.120-192.168.179.254
add name=pool50 ranges=192.168.50.120-192.168.50.254

/ip dhcp-server
add address-pool=pool179 authoritative=yes disabled=no interface=bridge1 \
    name=DHCPserver179
add address-pool=pool50 authoritative=yes disabled=no interface=bridge2 name=\
    DHCPServer50

/caps-man manager
set enabled=yes

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=MyNetwork \
    slave-configurations=MyGuestNetwork

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge2 interface=ether5

/ip address
add address=192.168.179.1/24 comment=MyNetwork interface=bridge1 network=\
    192.168.179.0
add address=192.168.50.1/24 comment=MyGuestNetwork interface=bridge2 network=\
    192.168.50.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=\
    xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx

/ip firewall address-list
add address=192.168.50.0/24 list=local-all
add address=192.168.179.0/24 list=local-all

/ip firewall nat
add action=masquerade chain=srcnat comment="default PAT" out-interface=ether1 \
    src-address-list=local-all
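The export above has no filter rules separating the guest bridge from MyNetwork, which the first paragraph says is the plan. The following is an added example, not part of the original post; it reuses the names and subnets from the export (bridge1, bridge2, local-all, ether1, 192.168.50.0/24, 192.168.179.0/24) and assumes no other filter rules are present yet.

```routeros
# Added example: keep guest clients (bridge2, 192.168.50.0/24) away from
# MyNetwork (bridge1, 192.168.179.0/24) and from the router itself, while
# still letting them reach the Internet through ether1.
# Names and subnets are taken from the export above; rules are assumed to
# be added to an otherwise empty filter table.

/ip firewall filter
# forward chain: keep existing flows, then drop routed guest traffic to any
# local subnet (the local-all list already holds both /24s).
add chain=forward action=accept connection-state=established,related \
    comment="allow established/related"
add chain=forward action=drop in-interface=bridge2 dst-address-list=local-all \
    comment="guest: no routed access to MyNetwork or other local subnets"
add chain=forward action=drop in-interface=bridge1 out-interface=bridge2 \
    comment="MyNetwork: do not initiate connections into the guest bridge"

# input chain: guests may only use the router for DHCP and DNS.
add chain=input action=accept connection-state=established,related \
    comment="allow established/related"
add chain=input action=accept in-interface=bridge2 protocol=udp dst-port=67 \
    comment="guest: DHCP"
add chain=input action=accept in-interface=bridge2 protocol=udp dst-port=53 \
    comment="guest: DNS over UDP"
add chain=input action=accept in-interface=bridge2 protocol=tcp dst-port=53 \
    comment="guest: DNS over TCP (fallback for answers larger than the UDP size)"
add chain=input action=drop in-interface=bridge2 \
    comment="guest: no other access to the router (WinBox, SSH, web, ...)"
```

Guest-to-guest traffic on the same bridge is switched at layer 2 and never reaches these rules; the CAPsMAN datapath option client-to-client-forwarding=no covers that case. New rules are appended, so check their order against any existing ones with /ip firewall filter print.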

One hint:
/ip dns
set max-udp-packet-size=4096


Why have you enabled proxy-arp on various ethernet interfaces?

Thanks,

I will change the packet-size to 4096 and monitor the behaviour.

I think I had proxy-arp enabled for a VPN connection. I have now set them to enabled. Have to check if the VPN still works.

Mmm, I’m expecting this.

I suggest you use routes to get some type of VPN running instead of proxy-arp.

But it seems not to be your case.

The situation occurred again, so the DNS entry change did not fix it completely.
Rebooting the cap had no effect. Rebooting the router with CAPsMAN did fix it.

I have the same problem. Firmware 6.23 and all Google services are inaccessible.

The solution for me was CAPsMAN v2. Package “Wireless-cm2”.

Same problem here.
We have this issue on multiple sites. When you are not using CAPsMAN, no problem. On a CAPsMAN config you can’t access Google services on slave interfaces. If I connect to the master-config SSID I can access the Google services; on both slave-configs I can’t. All other sites are working fine.

Has anyone found out something more about this issue…

Please upgrade the RouterOS to v6.26 and also try to install the CAPsMAN v2.

:)
Doing both at the moment!
So at this moment I can’t tell which one is the possible solution.

I will post if it solved.

Upgrading to 6.26 and CAPsMANv2 was my solution.
Thanks for the quick response.