CAPsMAN confusing...

At the moment I have 5 mAP lites, all set up manually (VLAN, IP, WLAN and so on); they are connected to my MT router’s trunk.
The MT router handles it all: firewall, DHCP…

Can the CAPsMAN be set to only handle wifi stuff like SSID, channel, encryption…

If so how?

Last time I used CAPsMAN it was so slow that I disabled it and set everything up manually.

Largely depends on how you set the forwarding.

If you set capsman forwarding, this is what happens (how I understood):
1- data arrives at maplite through Wifi
2- data gets encrypted in SW (on a slow device)
3- data is sent over the encrypted link to capsman
4- data is decrypted in SW on capsman device (for 5 mAP Lites !!)
5- data is forwarded to end-target (or handled by bridge or …), regular business here
6- reply comes back to capsman
7- data is encrypted again
8- data is sent to maplite
9- data is decrypted again
10- data is delivered to client device.
You get the idea already?

Take into account maplite is a slow device (I have one too, I don’t expect fabulous traffic to be sent through it, but its multi-purpose usage is its power. That and it’s cool to have a full blown router in the palm of your hand :smiley: ).
And not knowing what you use as CAPSMAN, it can have a major hit there as well since all encrypting/decrypting for capsman is done in SW, times 5.

Use local forwarding and there is no encryption, no decryption, only network stuff.
Goes a lot faster.

Unless something has changed and the Wiki manual has not been updated accordingly, only the control part of the CAP<->CAPsMAN traffic is encrypted. So only the encapsulation/decapsulation (addition/removal of additional headers) makes the difference between local forwarding and capsman forwarding.

OK, good to know.
From what I learned up till now it was everything.

EDIT: After rereading that wiki, local or manager forwarding remains relevant especially if the normal gateway for that network is not the capsman device itself.
Also useful to know which CAPSMAN device is being used.
E.g. I can get up to 60mb download on a maplite (simple speedtest on a PC connected via Wifi to maplite, maplite connected to hex using ethernet, hex to 200Mb/20mb connection of ISP).
Times 5 means roughly 250/300mbs if all comes together. If CAPSMAN or gateway or ISP only has a connection of 100Mb or less, then that will be the bottleneck.

@homerouter
Might be useful to post your config of the capsman device?
/export hide-sensitive file=anynameyouwish, post config here between code quotes.

Just checked with ROS 6.47.10 and IP-connected CAP - yup, not encrypted. When sniffing the CAPsMAN traffic while pinging a wireless client on the CAP with caps-man forwarding, I can see the complete Ethernet frame to be encapsulated in plaintext.

As for speed, it is OK: wifi 25/25Mbit and the hex750r3 to internet 250/250Mbit. And between VLANs with 3 streams, 750/750Mbit.

Removed everything not important.

# jan/31/2022 17:18:46 by RouterOS 6.49.2

/interface bridge add name=bridge1 vlan-filtering=yes

/interface vlan add interface=bridge1 name=vlan-10 vlan-id=10

/interface list add name=BASE_WAN

/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-10 pvid=10
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-20 pvid=20
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-30 pvid=30

/interface bridge vlan add bridge=bridge1 tagged=ether1,bridge1,vlan-10 untagged=wlan-10 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=wlan-20 vlan-ids=20
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=wlan-30 vlan-ids=30

/ip address add address=192.168.10.7/24 interface=vlan-10 network=192.168.10.0
/ip dns set servers=192.168.10.1
/ip route add distance=1 gateway=192.168.10.1

And where is the capsman config?
Not relevant perhaps?

I don't use it for now; I set everything up manually.

My q. was, is it possible to only use it for updating SSID, Channels, and so on wifi stuff?

Yep

Yes, it is. That’s what local-forwarding=yes in capsman datapath is good for.
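
A minimal RouterOS v6 sketch of the setup this answer describes, added here as an example and not taken from any poster's configuration: CAPsMAN pushes SSID, channel and security settings, while `local-forwarding=yes` keeps client frames on each CAP's own bridge instead of sending them through the CAP<->CAPsMAN tunnel, which the sniffing test above found to be plaintext. All object names, the SSID, the passphrase placeholder, the channel and the choice of 192.168.10.1 as the manager address are assumptions.

```routeros
# --- On the CAPsMAN device (all names below are made up for this example) ---
/caps-man manager set enabled=yes

# Wifi settings that CAPsMAN pushes to every CAP radio
/caps-man channel add name=ch-2g band=2ghz-g/n frequency=2437
/caps-man security add name=sec-wpa2 authentication-types=wpa2-psk \
    encryption=aes-ccm passphrase="CHANGE-ME-PLACEHOLDER"

# local-forwarding=yes: client frames are bridged on the CAP itself;
# only CAP<->CAPsMAN control traffic goes to the manager.
# Per-SSID VLAN assignment is left out here; the datapath also has
# vlan-mode and vlan-id settings for that.
/caps-man datapath add name=dp-local local-forwarding=yes

/caps-man configuration add name=cfg-main ssid="example-ssid" \
    channel=ch-2g security=sec-wpa2 datapath=dp-local

# Apply the configuration to any CAP radio that connects
/caps-man provisioning add action=create-dynamic-enabled \
    master-configuration=cfg-main

# --- On each mAP lite (CAP) ---
# wlan1 becomes managed by CAPsMAN; with local forwarding the CAP adds the
# managed interface to the bridge named here. vlan-10 is the management
# interface from the export above; the manager address is an assumption.
/interface wireless cap set enabled=yes interfaces=wlan1 \
    discovery-interfaces=vlan-10 caps-man-addresses=192.168.10.1 \
    bridge=bridge1
```

Firewall, DHCP and routing stay on the router exactly as before; the CAPs only receive their wireless settings from the manager.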

@sindy Thanks:-)