CAPsMAN blocking Chromecast

Hello there.

I’ve been running into a really strange problem. When I run my wireless network on my 951Ui-2HnD via a “direct” (no CAPsMAN involved) configuration, everything works fine: internet works on all devices and I’m able to broadcast from my smartphone to Chromecast, for instance. But if I use the same configuration (at least as far as I can see) with CAPsMAN (I have two 941-2nD - hAP Lite - on my network as CAPs, but disabled for the moment), internet works fine for all devices, but the Chromecast is not reachable.

Here are my configurations when configured to CAPsMAN:

/caps-man configuration
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz country=\
    brazil datapath.bridge=bridge-guest name=guest-config \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm security.passphrase=(****) ssid="JM - Convidado"
add channel.band=2ghz-onlyn channel.control-channel-width=20mhz \
    channel.extension-channel=Ce country=brazil datapath.arp=enabled \
    datapath.bridge=bridge datapath.l2mtu=1600 datapath.mtu=1500 name=\
    main-config security.authentication-types=wpa-psk,wpa2-psk \
    security.encryption=aes-ccm security.passphrase=(****) ssid=\
    "Joao e Maria"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=home-security-profile supplicant-identity=MikroTik \
    wpa-pre-shared-key=(****) wpa2-pre-shared-key=(****)
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=guest-security-profile supplicant-identity=router-main \
    wpa-pre-shared-key=(****) wpa2-pre-shared-key=(****)
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(30dBm), SSID: Joao e Maria, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    distance=indoors frequency=auto mode=ap-bridge security-profile=\
    home-security-profile ssid="Joao e Maria" wireless-protocol=802.11 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=D6:CA:6D:C6:AE:02 master-interface=\
    wlan1 multicast-buffering=disabled name=wlan2 security-profile=\
    guest-security-profile ssid="JM - Convidado" wds-cost-range=0-4294967295 \
    wds-default-bridge=bridge-guest wds-default-cost=0 wps-mode=disabled
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=main-config \
    slave-configurations=guest-config
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1

And here is the “direct” configuration:

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=home-security-profile supplicant-identity=MikroTik \
    wpa-pre-shared-key=(****) wpa2-pre-shared-key=(****)
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=guest-security-profile supplicant-identity=router-main \
    wpa-pre-shared-key=(****) wpa2-pre-shared-key=(****)
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge \
    security-profile=home-security-profile ssid="Joao e Maria" \
    wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:C6:AE:02 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2 \
    security-profile=guest-security-profile ssid="JM - Convidado" \
    wds-cost-range=0-4294967295 wds-default-bridge=bridge-guest \
    wds-default-cost=0 wps-mode=disabled

Could anyone tell me what’s wrong, or at least point me in the right direction?

What size is the MTU? Do you have the MSS modified?

Please check that you have client-to-client-forwarding set to yes. By default it is off. You can set it up under Datapath.

You forgot to enable client to client forwarding in datapath
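The check suggested in the replies above, as an added example that is not part of the original thread: a small Python audit that reads the `/caps-man configuration` section of an export and reports the effective `datapath.client-to-client-forwarding` value per configuration. The function names are hypothetical, the export text is the one from the first post, and a datapath referenced by name (`datapath=...`) is not resolved.

```python
import re
import shlex

# CAPsMAN configuration section as exported in the first post (passphrases masked).
EXPORT = r'''/caps-man configuration
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz country=\
    brazil datapath.bridge=bridge-guest name=guest-config \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm security.passphrase=(****) ssid="JM - Convidado"
add channel.band=2ghz-onlyn channel.control-channel-width=20mhz \
    channel.extension-channel=Ce country=brazil datapath.arp=enabled \
    datapath.bridge=bridge datapath.l2mtu=1600 datapath.mtu=1500 name=\
    main-config security.authentication-types=wpa-psk,wpa2-psk \
    security.encryption=aes-ccm security.passphrase=(****) ssid=\
    "Joao e Maria"
/caps-man manager
set enabled=yes
'''

KEY = "datapath.client-to-client-forwarding"

def parse_configurations(export):
    """Return the key=value pairs of every 'add' line under /caps-man configuration."""
    text = re.sub(r"\\\n\s*", "", export)  # undo the export's line wrapping
    section, configs = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/caps-man configuration" and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            configs.append(dict(pairs))
    return configs

def audit(export):
    """Map configuration name -> (bridge, effective client-to-client setting)."""
    report = {}
    for cfg in parse_configurations(export):
        # An absent key means the default, which the replies state is off.
        report[cfg.get("name", "?")] = (cfg.get("datapath.bridge"), cfg.get(KEY, "no"))
    return report

if __name__ == "__main__":
    for name, (bridge, c2c) in audit(EXPORT).items():
        note = "clients can reach each other" if c2c == "yes" else "wireless clients isolated from each other"
        print(f"{name}: bridge={bridge} client-to-client-forwarding={c2c} ({note})")
```

Leaving the setting off on a guest configuration keeps guest clients isolated from one another, so the audit output is also useful for confirming that only the intended SSID had isolation lifted.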

I knew it was something simple. The fact that I did not have to mark this option on the “direct” configuration confused me. And blocking just wireless devices (I could connect to wired devices just fine) made it all the more weird. Thank you, guys!

While we are at this, should I enable “Local Forwarding” too?

These options are rather recent, right? I did not have this problem until June/17; everything worked fine until then.

I don’t use local forwarding because it makes the handoff from AP to AP take longer.

For some reason, when I disabled local forwarding, my devices were not able to connect to the wireless. Will try again later, but for now, will leave it on.

Hey guys - I’ve been having similar issues on the latest updates. I was running without CAPsMAN and now I’ve set it up - can’t for the life of me figure out what I’m doing wrong - my Chromecasts are unable to connect to the internet - I have selected client to client as well - if anyone has any ideas, that would be great (also tried having local and client to client enabled, same thing).

[admin@BGDAVmicroRT] /interface wireless security-profiles> print
Flags: * - default
0 * name="default" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk
unicast-ciphers=aes-ccm group-ciphers=aes-ccm
wpa-pre-shared-key="*" wpa2-pre-shared-key="
supplicant-identity="MikroTik" eap-methods=passthrough
tls-mode=no-certificates tls-certificate=none mschapv2-username=""
mschapv2-password="" disable-pmkid=no static-algo-0=none static-key-0=""
static-algo-1=none static-key-1="" static-algo-2=none static-key-2=""
static-algo-3=none static-key-3="" static-transmit-key=key-0
static-sta-private-algo=none static-sta-private-key=""
radius-mac-authentication=no radius-mac-accounting=no
radius-eap-accounting=no interim-update=0s
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username
radius-called-format=mac:ssid radius-mac-caching=disabled
group-key-update=5m management-protection=disabled
management-protection-key=""


[admin@BGDAVmicroRT] >> /caps-man configuration print
0 name="Config" ssid="BGDAVmicro" security.authentication-types=wpa-psk,wpa2-psk
security.passphrase="*****" datapath=datapath1
datapath.client-to-client-forwarding=yes datapath.bridge=bridge-local


[admin@BGDAVmicroRT] > /interface wireless print
Flags: X - disabled, R - running
0 R ;;; managed by CAPsMAN
;;; channel: 2412/20-Ce/gn(30dBm), SSID: BGDAVmicro, local forwarding
name="wlan1" mtu=1500 l2mtu=1600 mac-address=4C:5E:0C:70:3E:20
arp=enabled interface-type=Atheros AR9300 mode=ap-bridge
ssid="BGDAVmicro" frequency=2412 band=2ghz-b/g/n channel-width=20mhz
secondary-channel="" scan-list=default wireless-protocol=802.11
vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default compression=no