CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate

woland · December 28, 2023, 2:37pm

Hi! Just replaced my old AP by a CAPax and it ran for a few months flawlessly, until I tried an update to 7.13. The wifi had issues with some devices (mainly some cheap Windows laptops with some RTL wifi chipsets) so I decided to roll back to 7.12.1, as this is a mission critical network beeing in the state of change freeze (used for sending Christmas wishes by my wife, and I dared to touch it shortly before Christmas) . The downgrade went very badly, I have managed to loose most of my config. Of course I have no backup of the config. The network looks like this (some MT switches omitted, but they are working well since years):

I am managing the network from the “Management Station” (my PC), from VLAN1. My RB5009 connects to the internet and routes between VLANS (nothing changed here, it was working well).

On the CAPax there are the following VLANs.
VL9 for management with the management interface 10.1.9.21
VL3 for privileged access 10.1.3.x, SSID “kk”
VL6 for guest access 10.1.6.x, SSID “kk-guest”
VL5 also for guest access, currently unused

WIFI clients can connect, but have no network acces.
If I disable the 5GHz WIFI interfaces, then I can ping management interface on the CAPac 10.1.9.21 from my PC!
Now as soon as I enable the 5G Interfaces, pings are lost.
I can always access my CAPac via RoMON from the RB5009.
The Interfaces:

Bridge Ports:

Bridge VLANS:

My Config:
capax.conf.rsc (5.35 KB)
I have tried some things, like changing the MAC on the 5G interfaces, but it did not help.
I’m not sure: is it some VLAN basics problem, which I can´t see any more, because I have gone over the config many many times?
Is this a bug? Maybe I just don´t understand how wifiwave2 works?
I would very much appreciate some help!

Thanks and a happy new year to everyone!

Peter

holvoetn · December 28, 2023, 8:47pm

Since you have an explicit forward accept rule for list “lfwd” followed by drop on forward, possibly this part ? The missing interfaces ?

/interface list member
add interface=e2 list=lmgt
add interface=vl9 list=lmgt
--> add interface=*5 list=lfwd
add interface=ap1-kk2g_kk list=lfwd
--> add interface=*4 list=lfwd
add interface=ap1-kk2g_kk-guest list=lfwd

whatever · December 28, 2023, 9:00pm

cough

woland · December 29, 2023, 9:29am

Unfortunately you are right, Sir!

woland · December 29, 2023, 9:40am

Thanks, Holvoetn! I don´t think it’s relevant, as that list is just used in the IP firewall. The packets are not routed, but only bridged to their VLANs?
Still I of course tried it:

/interface list member
add interface=e2 list=lmgt
add interface=vl9 list=lmgt
add interface=ap1-kk2g_kk list=lfwd
add interface=ap1-kk2g_kk-guest list=lfwd
add interface=ap1-kk5g_kk list=lfwd
add interface=ap1-kk5g_kk-guest list=lfwd
add interface=br0 list=lfwd
add interface=e1 list=lfwd
add interface=vl9 list=lfwd

As soon as I disabled the interface ap1-kk5g_kk & ap1-kk5g_kk-guest after modifiying the list as above, the pings start to work.
Should I open a ticket with MT, does it look like a bug to you?
I have found so many posts regarding issues with wifiwave2, but none about this particular issue…

Peter

holvoetn · December 29, 2023, 9:49am

It was the first obvious problem I saw.
On those interfaces you mention, there seems to be a duplicate MAC address ?

set [ find default-name=wifi1 ] channel=5gax configuration=kk-5g
configuration.mode=ap datapath=dp-vl3 mac-address=> 48:A9:8A:BA:1F:FC > name=
ap1-kk5g_kk security=kk
add configuration=kk-guest-5g configuration.mode=ap datapath=dp-vl6
mac-address=> 4A:A9:8A:BA:1F:FC > master-interface=ap1-kk5g_kk name=
ap1-kk5g_kk-guest security=kk-guest

You should see something about that in log, I would think ?
Does it work if you only enable the master interface ?

If you add 1 to MAC address on slave interface (4A:A9:8A:BA:1F:FD), does it work then ?
Assuming that address is not already used in your network …

woland · December 29, 2023, 10:24am

Thanks @holvoetn!
I have set the unique MACs now, also changed the admin MAC of the bridge:

[admin@kk-ap1] /interface> print brief 
Flags: R - RUNNING; S - SLAVE
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS
#    NAME               TYPE    ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS      
0 RS e1                 ether         1500   1568       9214  48:A9:8A:BA:1F:9A
1    e2                 ether         1500   1568       9214  48:A9:8A:BA:1F:9B
2  S ap1-kk2g_kk        wifi          1500   1560       1560  48:A9:8A:BA:1F:9D
3    ap1-kk2g_kk-guest  wifi                 1560       1560  48:A9:8A:BA:1F:9E
4  S ap1-kk5g_kk        wifi          1500   1560       1560  48:A9:8A:BA:1F:FC
5    ap1-kk5g_kk-guest  wifi                 1560       1560  4A:A9:8A:BA:1F:FD
6 R  br0                bridge        1500   1560             48:A9:8A:BA:1F:FA
7 R  vl9                vlan          1500   1556             48:A9:8A:BA:1F:FA

The behavior is still the same. As soon as I enable ap1-kk5g_kk-guest or ap1-kk5g_kk, there are no answers to the pings.
I believe, that the same MAC for the bridge br0 itself and for the vl9, which is a vlan subif attached to br0 is OK.
At least I have the same on the RB5009, the bridge and all the vlan interfaces have there the same MAC.

Ad Logs:
I have filtered the logs for the word “duplicate” but I have have found none. Also I have looked at the logs, and I don´t see anything suspicious.
I have set besides the default logs, some debug:

/system logging
add topics=debug,caps
add topics=debug,wireless
add topics=debug,interface

holvoetn · December 29, 2023, 10:48am

I still prefer to make sure MAC addresses are unique.
Looking further.

I suppose here is a mistake too ?
2GHz interface as slave on 5GHz ?

add configuration=kk-guest-2g configuration.mode=ap datapath=dp-vl6 disabled=\
    no mac-address=48:A9:8A:BA:1F:9D master-interface=ap1-kk5g_kk name=\
    ap1-kk2g_kk-guest security=kk-guest

woland · December 29, 2023, 11:53am

OK, I see your point, but I can´t find how to set the bridge mac different from the vlan mac?
If I change the bridge MAC , the vl9 MAC changes too:

6 R  br0                bridge        1500   1568             48:A9:8A:BA:1F:CA
7 R  vl9                vlan          1500   1564             48:A9:8A:BA:1F:CA

I suppose here is a mistake too ?
2GHz interface as slave on 5GHz ?

add configuration=kk-guest-2g configuration.mode=ap datapath=dp-vl6 disabled=
no mac-address=48:A9:8A:BA:1F:9D master-interface=ap1-kk5g_kk name=
ap1-kk2g_kk-guest security=kk-guest

>

Oh yes, thanks!
Oh no: I just did correct it, and everything stays the same, no answer to pings if 5GHz WIFI is enabled.
I have found a further issue, there is an interesting  command, which I have just found:

```text
[admin@kk-ap1] /interface/wifiwave2/actual-configuration> print
 0 name="ap1-kk2g_kk" l2mtu=1560 mac-address=48:A9:8A:BA:1F:8A arp-timeout=auto 
   radio-mac=48:A9:8A:BA:1F:9D 
   configuration.mode=ap .ssid="kk" .country=Hungary .tx-power=10 
   security.authentication-types=wpa2-psk,wpa3-psk .passphrase="something" 
   datapath.bridge=br0 .vlan-id=3 
   channel.band=2ghz-ax .width=20mhz 

 1 name="ap1-kk2g_kk-guest" l2mtu=1560 mac-address=4A:A9:8A:BA:1F:8B arp-timeout=auto 
   master-interface=ap1-kk2g_kk 
   configuration.mode=ap .ssid="kk-guest" .country=Hungary .tx-power=10 
   security.authentication-types=wpa2-psk,wpa3-psk .passphrase="something" 
   datapath.bridge=br0 .vlan-id=6 
   channel.band=2ghz-ax .width=20mhz 

 2 name="ap1-kk5g_kk" l2mtu=1560 mac-address=48:A9:8A:BA:1F:8C arp-timeout=auto 
   radio-mac=48:A9:8A:BA:1F:9C 
   configuration.mode=ap .ssid="kk" .country=Hungary 
   security.authentication-types=wpa2-psk,wpa3-psk .passphrase="something" 
   datapath.bridge=br0 .vlan-id=3 
  channel.band=5ghz-ax .width=20/40/80mhz  ###Here correct channel set

 3 name="ap1-kk5g_kk-guest" l2mtu=1560 mac-address=48:A9:8A:BA:1F:8D arp-timeout=auto 
   master-interface=ap1-kk5g_kk 
   configuration.mode=ap .ssid="kk-guest" .country=Hungary 
   security.authentication-types=wpa2-psk,wpa3-psk .passphrase="something" 
   datapath.bridge=br0 .vlan-id=6 
   channel.band=2ghz-ax .width=20mhz ###Here the wrong channel 2ghz-ax is set

If I’m looking in WinBox (3.40), I can´t set the channel for the subinterface. Which is logical, I can´t have different band settings for the same interface for different SSIDs. This might be a bug and I have created a supout.rif, just to be prepared.
NO, I have found the issue, also the configuration had the wrong channel config. My mistake…
Now /interface/wifiwave2/actual-configuration shows the correct config! AND my sons report: they have internet access via WiFi again!
Getting there slowly! Thanks a lot @holvoetn !

BUT: ping to 10.1.9.21 stops as soon as the 5G interface is enabled…

Now I would like to scream, just a bit. Or maybe go boxing, or something else violent.

holvoetn · December 29, 2023, 11:57am

Please post latest config.
Will check if I see other things which might be off.

woland · December 29, 2023, 12:14pm

Hi,
many thanks!
Here it goes:
capax.rsc (5.65 KB)
Peter

holvoetn · December 29, 2023, 12:27pm

You have again an invalid interface in those lists.

add interface=*A list=lfwd

Correct that one and since this address list is used in firewall rules, clear connection table in IP Firewall Connections.
(or reboot but your sons might not be too happy with that move )

I assume you are testing ping from Management PC on VL1 towards 10.1.9.21 ?

Another thing to troubleshoot is to clear all counters on IP Firewall Filter rules, then perform ping and see which counters are moving (or not where you expect them).

holvoetn · December 29, 2023, 12:36pm

It just occurred to me …

You are using RB5009 as central router ?
Then why all the filtering and other complexity on cAP AX ?

Just let the trunk go from RB5009 to cAP AX and do all the routing/filtering on RB.

woland · December 29, 2023, 1:34pm

Thanks! Yes, actually my rb5009 is doing all the filtering and hangs on a 10G Trunk as a router on a stick.
Well all the firewalling on the CAPax is just additional security measures, as I read on the forums a few years ago. (I guess I just worked in IT for too long.) But that should not be the culprit, it was working well before and I did not touch that.
Also now I have just inserted 5 new rules before everything else. Everything is accepted in every chain:

/ip firewall filter
add action=accept chain=input comment="from MgtStation aka MyPC ICMP" log=yes log-prefix=":from MgtStation aka MyPC ICMP" protocol=icmp src-address=10.1.1.100
add action=accept chain=output comment="to MgtStation aka MyPC ICMP" dst-address=10.1.1.100 log=yes log-prefix=":to MgtStation aka MyPC ICMP" protocol=icmp
add action=accept chain=forward comment="fwd accept all"
add action=accept chain=input comment="in accept all"
add action=accept chain=output comment="out accept all"

I can now check the counters increasing for my PC (10.1.1.100).
As my family just left home I was free to reboot as I like, so I just did it!
Now I got the same misterious behavior, but I see more:

It seems like the packets are leaving the firewall as both rule 1 and rule 2 counters increase simultaneously.
This is true for both cases, it doesnt matter if 5G Interfaces are enabled or disabled.
I also launched tcpdump on my PC, to see what the ICMP packets look like.
With tcpdump I can verify if 5G Interfaces disabled I get replies, with 5G enabled I don´t.
Wow!
I will try to make a trace on the RB5009 and check with Wireshark.
This is incredible… I’m just guessing, but maybe somehow the packets are sent back over the wrong VLAN? How is that possible if I only enable the 5G WIFI?

woland · December 29, 2023, 2:00pm

Here comes some more fun:
The uplink trunk interface on the CAPax does not see the ICMP replies until around rule No. 79, where I disable the 5G interface!
With no 5GHz Wifi, pings are answered.

/tool sniffer
set file-limit=10000KiB file-name=capax filter-interface=e1uplink \
    filter-ip-protocol=icmp memory-limit=1000KiB

If I put the trace on br0 I have same behavior.

woland · December 29, 2023, 2:11pm

I have downloaded the PCAP from br0, and opened it with Wireshark, but of course there is nothing special in there.
I guess my only two options are to open a ticket with MT support or to wait for the next 7.13.1/7.14rc28 release then.
Special thanks to @holvoethn responses to my extensive posts!

Still, I´d appreciate any further idea or suggestion…
Peter

holvoetn · December 29, 2023, 2:17pm

It doesn’t hurt to try already 7.13 or 7.14beta.
I’ve seen some lines related to bridge and VLAN in those change logs …

woland · December 29, 2023, 2:29pm

Yeah, I was all high hopes about the 7.13, and it worked, but it simply did not like my sons laptop. Still considering to maybe try 7.14b4, I just have read the relnotes. Only after downloading the backup!
Anyway I have a working WIFI now and my sons will be back soon, so I might wait with the next experiment.
Or I prepare my hap ax2 for my sons to use, before I try 7.14b4…
Thanks again for your help!