Cap-wifi has no internet connection

shmitd2 · October 11, 2023, 7:52pm

Hi guys,
I have an issue with internet connection on cap-wifi. My network configuration are following: mikrotik RB3011 (router) and cAP ax (CAPS mode). cAP is connected to the router via the eth10 port. Router is connected to the ISP modem via the eth1 port. WifiWave2 package is installed on the both devices.

Datapath is configured, but cap-wifi interfaces are not show up on the LAN bridge. As I think they should. Am I right?

troubleshooting:

I connected laptop to the each eth2-10 on the router - internet connection worked.
When my cAP ax was connected to the router (eth1 > eth10) I connected laptop to the eth2 port on the cAP ax device. Internet connection worked.
3.I tried to turn off all firewall rules. No internet connection for wifi.
I used default configuration on router and turned on CAPsMAN. No internet connection for wifi
Wifi client is getting IP address and gateway from dhcp
I added cap-wifi interfaces to the LAN bridge (on router) manually. No internet connection

cAP ax config (default, CAPS mode):

# 1970-01-02 13:15:21 by RouterOS 7.11.2
# software id = NVFZ-WWS8
#
# model = cAPGi-5HaxD2HaxD
/interface bridge
add admin-mac=<removed> auto-mac=no comment=defconf name=bridgeLocal
/interface wifiwave2 datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifiwave2 cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system identity
set name="MikroTik AP"
/system note
set show-at-login=no

Router RB 3011 config:

# RouterOS 7.11.2
# software id = 12FA-JLNX
#
# model = RB3011UiAS
/interface bridge
add admin-mac=<removed> auto-mac=no name="LAN Bridge"
add name="WAN Bridge"
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifiwave2 channel
add band=2ghz-ax disabled=no name=2GHz width=\
    20/40mhz
add band=5ghz-ax disabled=no name=5GHz \
    skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifiwave2 datapath
add bridge="LAN Bridge" disabled=no name=datapath
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Security wps=disable
/interface wifiwave2 configuration
add antenna-gain=0 channel=2GHz datapath=datapath disabled=no \
    mode=ap name="2GHz config" security=Security ssid=test
add antenna-gain=0 channel=5GHz datapath=datapath disabled=no \
    mode=ap name="5GHz config" security=Security ssid=test
/ip pool
add name=pool ranges=<removed>
/ip dhcp-server
add address-pool=pool comment="LAN Bridge" interface="LAN Bridge" lease-time=\
    1d name="DHCP Server"
/port
set 0 name=serial0
/interface bridge port
add bridge="LAN Bridge" interface=ether2
add bridge="LAN Bridge" interface=ether3
add bridge="LAN Bridge" interface=ether4
add bridge="LAN Bridge" interface=ether5
add bridge="LAN Bridge" interface=ether6
add bridge="LAN Bridge" interface=ether7
add bridge="LAN Bridge" interface=ether8
add bridge="LAN Bridge" interface=ether9
add bridge="LAN Bridge" interface=ether10
add bridge="WAN Bridge" interface=sfp1
add bridge="WAN Bridge" interface=ether1
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface="WAN Bridge" list=WAN
add interface="LAN Bridge" list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wifiwave2 capsman
set enabled=yes interfaces="LAN Bridge" package-path="" \
    require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    "5GHz config" supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    "2GHz config" supported-bands=2ghz-ax
/ip address
add address=<removed> interface="LAN Bridge" network=<removed>
/ip dhcp-client
add interface="WAN Bridge"
/ip dhcp-server network
add address=<removed> gateway=<removed> netmask=24 ntp-server=<removed>
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    ";;; defconf: accept CAP if CAPsMAN is on the same device" \
    dst-address-type=local src-address-type=local
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=10m default-screen=stats read-only-mode=yes \
    touch-screen=disabled
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system identity
set name="Mikrotik Router"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Can you help me fix the issue with wifi internet connection? I have no idea whats wrong in my config…
capsman config.PNG

gigabyte091 · October 12, 2023, 4:45am

Why are you using two bridges ? Is there a particular reason you have your WAN interfaces on another bridge ?

erlinden · October 12, 2023, 5:36am

Anything in the logging that could give a hint?

shmitd2 · October 12, 2023, 6:49am

somę my offices using spf, some eth for wan. I need one configuration for many locations.

nothing with standard topics

shmitd2 · October 15, 2023, 8:33pm

gateway cannot be on zero address x.x.x.0 (example 192.168.88.0). After I changed address for x.x.x.1 internet connection started to work.

holvoetn · October 15, 2023, 8:58pm

Which firmware bug ?
Gateway can be on .0, only not in /24.

So user error ?

ROS allows a lot of things, even big mistakes.