CAPsMAN cannot ping its CAPs

hAP AC as CAPsMAN
WAP as CAP

All of this is working fine, wireless clients can ping each other, they can ping CAPsMAN and CAP too.

Client-to-client forwarding in Datapath is set

CAPsMAN has all its FW rules disabled, CAP has no FW rules

MAC ping CAP <—> CAPsMAN is working,
but ordinary IP requests fail in both directions

Are there any ideas?

Can you please share your configuration (except for the sensitive information)?
Did you add a DHCP client to the CAP?

Sure, but do you need the whole config or just the CAPsMAN part?

CAPsMAN pushed via DHCP


  • Here is the CAP setup


[admin@LivingRoomWAP] > interface wireless cap print
                            enabled: yes
                         interfaces: wlan 2Ghz,wlan 5Ghz
                        certificate: request
                   lock-to-caps-man: yes
               discovery-interfaces: main infrastructure
                 caps-man-addresses: 192.168.99.1
                     caps-man-names:
  caps-man-certificate-common-names:
                             bridge: none
                     static-virtual: no
              requested-certificate: CAP-CC2DE0E7BE02
        locked-caps-man-common-name: CAPsMAN-6C3B6B11DA18

  • Here is the CAPsMAN one


/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=common-chnls-2Ghz reselect-interval=10h \
    skip-dfs-channels=yes tx-power=17
add band=5ghz-a/n/ac comment="20Mhz + Ce = 40Mhz, reselect interval from 5180,\
    \_5220, 5745, 5785 once per 10h" control-channel-width=20mhz \
    extension-channel=Ce frequency=5180,5220,5745,5785 name=common-chnls-5Ghz \
    reselect-interval=10h tx-power=15
/caps-man configuration
add mode=ap name=empty
/caps-man datapath
add bridge="guest infrastructure" name=2CapsMan-guest
add bridge="main infrastructure" client-to-client-forwarding=yes name=\
    2CapsMan-private
/caps-man rates
add basic="1Mbps,2Mbps,5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,\
    48Mbps,54Mbps" name="5GHz Rates" supported="1Mbps,2Mbps,5.5Mbps,11Mbps,6Mb\
    ps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps" vht-basic-mcs=mcs0-9 \
    vht-supported-mcs=mcs0-9
add basic="1Mbps,2Mbps,5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,\
    48Mbps,54Mbps" ht-basic-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs\
    -7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs\
    -18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" ht-supported-mcs="mcs-0,mcs-1,mcs-\
    2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mc\
    s-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" \
    name="2GHz rates" supported="1Mbps,2Mbps,5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps\
    ,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps"
/caps-man security
add authentication-types=wpa2-psk comment="2GHz/5GHz Security" encryption=\
    aes-ccm group-encryption=aes-ccm group-key-update=1h name=private
add authentication-types="" comment="2GHz/5GHz FREE" encryption="" \
    group-key-update=5m name=guest
/caps-man configuration
add channel=common-chnls-2Ghz country=russia datapath=2CapsMan-private \
    datapath.interface-list=list-2ghz-caps-private distance=indoors \
    guard-interval=long hw-protection-mode=rts-cts hw-retries=7 installation=\
    indoor keepalive-frames=enabled max-sta-count=10 mode=ap \
    multicast-helper=full name=zone-2Ghz-private rx-chains=0,1,2,3 security=\
    private ssid="WiFi 2Ghz PRIVATE" tx-chains=0,1,2,3
add channel=common-chnls-5Ghz country=russia datapath=2CapsMan-private \
    datapath.interface-list=list-5ghz-caps-private disconnect-timeout=9s \
    distance=indoors guard-interval=long hw-protection-mode=rts-cts \
    hw-retries=7 installation=indoor keepalive-frames=enabled max-sta-count=\
    10 mode=ap multicast-helper=full name=zone-5Ghz-private rx-chains=0,1,2,3 \
    security=private ssid="WiFi 5Ghz PRIVATE" tx-chains=0,1,2,3
add channel=common-chnls-2Ghz country=russia datapath=2CapsMan-guest \
    datapath.interface-list=list-2ghz-caps-guest distance=indoors \
    guard-interval=long hw-protection-mode=rts-cts hw-retries=7 installation=\
    indoor keepalive-frames=enabled max-sta-count=10 mode=ap \
    multicast-helper=full name=zone-2Ghz-guest rx-chains=0,1,2,3 security=\
    guest ssid="WiFi 2Ghz FREE" tx-chains=0,1,2,3
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled \
    mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man access-list
add action=reject allow-signal-out-of-range=10s comment="Drop any when poor si\
    gnal rate, https://support.apple.com/en-us/HT203068" disabled=no \
    signal-range=-120..-70 ssid-regexp=WiFi
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=\
    yes comment=iPhoneAlx disabled=no mac-address=AC:61:EA:EA:CC:84 \
    ssid-regexp="WiFi 5"
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=\
    yes comment=iPhoneGl disabled=no mac-address=00:CD:FE:EC:B5:52 \
    ssid-regexp="WiFi 5"
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=\
    yes comment=mbpAlx disabled=no mac-address=78:31:C1:CF:9E:70 ssid-regexp=\
    WiFi
add action=accept allow-signal-out-of-range=10s ap-tx-limit=0 \
    client-to-client-forwarding=yes comment=ATV disabled=no mac-address=\
    90:DD:5D:C8:46:AB ssid-regexp="WiFi 5"
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=\
    yes comment=iPadAlx disabled=no mac-address=54:E4:3A:B8:12:07 \
    ssid-regexp="WiFi 2"
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=\
    yes comment=iPhoneAlxr disabled=no mac-address=54:2B:8D:77:38:A0 \
    ssid-regexp="WiFi 5"
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=\
    yes comment=iPhoneGlo disabled=no mac-address=54:2B:8D:7F:83:A6 \
    ssid-regexp="WiFi 5"
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=\
    yes comment=asusGl disabled=no mac-address=98:22:EF:26:FE:6E ssid-regexp=\
    WiFi
add action=accept allow-signal-out-of-range=10s comment=\
    "Allow any other on guest wireless" disabled=no ssid-regexp=FREE
add action=reject allow-signal-out-of-range=10s comment=\
    "Drop any other on private wireless" disabled=no ssid-regexp=PRIVATE
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path="" \
    require-peer-certificate=yes upgrade-policy=require-same-version
/caps-man manager interface
set [ find default=yes ] comment="Deny CapsMan on All" disabled=no forbid=no \
    interface=all
add comment="Deny WAN CapsMan" disabled=no forbid=yes interface=wan
add comment="Do CapsMan on private" disabled=no forbid=no interface=\
    "main infrastructure"
add comment="Do CapsMan on guest" disabled=no forbid=no interface=\
    "guest infrastructure"
/caps-man provisioning
add action=create-dynamic-enabled comment="2Ghz private/guest" \
    common-name-regexp="" disabled=no hw-supported-modes=gn identity-regexp=\
    WAP ip-address-ranges="" master-configuration=zone-2Ghz-private \
    name-format=prefix-identity name-prefix=2Ghz radio-mac=00:00:00:00:00:00 \
    slave-configurations=zone-2Ghz-guest
add action=create-dynamic-enabled comment="5Ghz private" common-name-regexp=\
    "" disabled=no hw-supported-modes=ac identity-regexp=WAP \
    ip-address-ranges="" master-configuration=zone-5Ghz-private name-format=\
    prefix-identity name-prefix=5Ghz radio-mac=00:00:00:00:00:00 \
    slave-configurations=""
add action=create-dynamic-enabled comment="2Ghz private/guest (self-cap)" \
    common-name-regexp="" disabled=no hw-supported-modes=gn identity-regexp=\
    mikrouter ip-address-ranges="" master-configuration=zone-2Ghz-private \
    name-format=prefix-identity name-prefix=2Ghz radio-mac=00:00:00:00:00:00 \
    slave-configurations=zone-2Ghz-guest
add action=create-dynamic-enabled comment="5Ghz private (self-cap)" \
    common-name-regexp="" disabled=no hw-supported-modes=ac identity-regexp=\
    mikrouter ip-address-ranges="" master-configuration=zone-5Ghz-private \
    name-format=prefix-identity name-prefix=5Ghz radio-mac=00:00:00:00:00:00 \
    slave-configurations=""
add action=none comment=DUMMY common-name-regexp="" disabled=no \
    hw-supported-modes="" identity-regexp="" ip-address-ranges="" \
    master-configuration=empty name-format=prefix-identity name-prefix=dummy \
    radio-mac=00:00:00:00:00:00 slave-configurations=""

The first thing I notice is that the CAP doesn’t have a bridge configured. If you reset a device to be a CAP, it is added. Can you try to set it manually on the CAP and see if it makes a difference?
Next, I prefer to have the TX power on the 5G band higher than on the 2G band, just to have as many devices on the 5G band as possible.
And lastly, I have configured 12Mbps as the only basic rate, and 12Mbps and higher as supported rates. That improved the performance for me.