Hi,
I have clients that cannot complete a speed test because the upload fails. The download works great; affected clients are also unable to browse. I'm hoping someone can provide some input. Here is my config. As a workaround I have enabled Local Forwarding on datapath1, and this resolves the issue.
# sep/13/2019 12:02:11 by RouterOS 6.45.6
# software id =
#
#
#
# CAPsMAN channel definitions, the LAN bridge, the Ethernet ports, and the
# CAPsMAN datapath, security, configuration and static interface entries.
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=Ce \
frequency=2412 name=channel1
# NOTE(review): the next three names do not match the conventional channel
# numbers for their frequencies (2442 MHz is channel 7, 2472 MHz is channel 13,
# 5180 MHz is channel 36). Only channel1 and channel157 are referenced by the
# configurations below. Confirm 2472 MHz is permitted for the configured country.
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2442 name=channel6
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2472 name=channel11
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ceee \
frequency=5180 name=channel157
/interface bridge
add comment="Primary LAN Bridge" name=PrimaryLan
/interface ethernet
# NOTE(review): WAN port has auto-negotiation disabled with speed forced to
# 1Gbps; gigabit copper links normally rely on auto-negotiation, so confirm this
# is intentional.
set [ find default-name=ether1 ] auto-negotiation=no comment=WAN-DHCP \
disable-running-check=no speed=1Gbps
set [ find default-name=ether2 ] comment=LAN disable-running-check=no
/caps-man datapath
# local-forwarding=yes is the workaround state described in the post: client
# traffic is forwarded by the CAP itself instead of being tunneled to this
# manager, so filtering done only on the manager no longer sees traffic that
# stays between wireless clients on the same CAP.
add bridge=PrimaryLan local-forwarding=yes name=datapath1
/caps-man security
# Two WPA2-PSK / AES-CCM profiles named "2.4" and "5". No passphrase appears on
# these lines; presumably it was removed before posting (comment= is empty).
add authentication-types=wpa2-psk comment= encryption=aes-ccm name=\
2.4
add authentication-types=wpa2-psk comment= encryption=aes-ccm name=5
/caps-man configuration
# NOTE(review): config2 (the 5 GHz channel, ssid=test5) references security=2.4;
# the profile named "5" is not referenced by any configuration shown here.
# config2 also sets no mode=, unlike config1.
add channel=channel1 country="united states3" datapath=datapath1 mode=ap \
name=config1 security=2.4 ssid=Mikrotik-Test
add channel=channel157 country="united states3" datapath=datapath1 name=\
config2 security=2.4 ssid=test5
/caps-man interface
# Static CAP interface bound to the radio with MAC CC:2D:E0:1D:6A:BA, using
# config2 with channel157 and datapath1 set explicitly on the interface.
add arp=enabled channel=channel157 configuration=config2 datapath=datapath1 \
disabled=no l2mtu=1600 mac-address=CC:2D:E0:1D:6A:BA master-interface=\
none mtu=1500 name=cap3 radio-mac=CC:2D:E0:1D:6A:BA radio-name=\
CC2DE01D6ABA
# Interface lists, LAN addressing and DHCP, CAPsMAN manager and provisioning,
# and bridge/list membership. The WAN and LAN lists are what the firewall
# filter rules match on.
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PrimaryLan ranges=192.168.2.90-192.168.2.200
/ip dhcp-server
add address-pool=PrimaryLan disabled=no interface=PrimaryLan name=PrimaryLan
/caps-man manager
# NOTE(review): the manager is enabled and no certificate or peer-certificate
# setting appears in this export, so presumably any CAP that can reach the
# manager may join. The input chain only drops traffic that is not from the
# LAN list, so LAN-side devices are not restricted. Confirm this is acceptable.
set enabled=yes
/caps-man provisioning
# The first rule has no radio-mac, so it presumably applies config1 to any
# radio. The second rule matches radio-mac CC:2D:E0:1D:6A:BB, which differs in
# its last octet from the static cap3 interface (…6A:BA). Verify that the
# intended radio is matched.
add action=create-dynamic-enabled master-configuration=config1 name-format=\
prefix name-prefix=Mikrotik-
add action=create-dynamic-enabled master-configuration=config2 name-format=\
prefix name-prefix=Mikrotik- radio-mac=CC:2D:E0:1D:6A:BB
/interface bridge port
add bridge=PrimaryLan interface=ether2
/interface list member
# ether1 is the only WAN member; ether2 and the PrimaryLan bridge form LAN.
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=PrimaryLan list=LAN
/ip address
add address=192.168.2.1/24 interface=PrimaryLan network=192.168.2.0
/ip dhcp-client
# WAN address (and presumably the default route and upstream DNS) is obtained
# via DHCP on ether1.
add disabled=no interface=ether1
/ip dhcp-server network
# Clients are handed the router (192.168.2.1) and 1.1.1.1 as resolvers. Clients
# that query 1.1.1.1 will not see the static DNS entries defined on the router.
add address=192.168.2.0/24 dns-server=192.168.2.1,1.1.1.1 gateway=192.168.2.1 \
netmask=24
# Router DNS resolver and static host overrides.
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. The input filter in this file drops new traffic that is not from the
# LAN list, which is what keeps the resolver from being reachable on the WAN;
# that rule must stay in place while this is enabled.
# NOTE(review): servers=192.168.2.1 is the router's own LAN address; upstream
# resolvers presumably come from the DHCP client on ether1. Confirm.
set allow-remote-requests=yes servers=192.168.2.1
/ip dns static
# Every name below resolves to the internal server 192.168.2.6, so LAN clients
# using the router as resolver reach it directly instead of via the WAN address.
add address=192.168.2.6 name=nextcloud.warllo.org
# NOTE(review): the next entry ends in ".rog" while all others end in ".org";
# this looks like a typo, which would leave ha.warllo.org unresolved locally.
add address=192.168.2.6 name=ha.warllo.rog
add address=192.168.2.6 name=vpn.warllo.org
add address=192.168.2.6 name=dock.warllo.org
add address=192.168.2.6 name=plex.warllo.org
add address=192.168.2.6 name=collabora.warllo.org
add address=192.168.2.6 name=fire.warllo.org
add address=192.168.2.6 name=graph.warllo.org
add address=192.168.2.6 name=jelly.warllo.org
add address=192.168.2.6 name=vsc.warllo.org
add address=192.168.2.6 name=dockera.warllo.org
# Firewall address list and filter rules. Rules are evaluated in order; a packet
# matching no rule is accepted.
/ip firewall address-list
# NOTE(review): allowed_to_router is defined here, but no filter rule shown in
# this export references it, so it currently restricts nothing.
add address=192.168.2.2-192.168.2.254 list=allowed_to_router
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment=\
"DEFAULT: Accept established, related, and untracked traffic." \
connection-state=established,related,untracked
# ICMP is accepted from every interface, including WAN, because this rule comes
# before the non-LAN drop. log=yes records each match, and the logging section
# of this file writes firewall topics to disk, so internet ping traffic can
# produce a large volume of disk log entries.
add action=accept chain=input comment="DEFAULT: Accept ICMP traffic." log=yes \
protocol=icmp
add action=drop chain=input comment="DEFAULT: Drop invalid traffic." \
connection-state=invalid
# The last input rule drops only traffic that does not arrive on a LAN-list
# interface. Anything from the LAN (wired or wireless) can therefore reach every
# enabled router service; there is no per-address restriction.
add action=drop chain=input comment=\
"DEFAULT: Drop all other traffic not coming from LAN." in-interface-list=\
!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment=\
"DEFAULT: Accept established, related, and untracked traffic." \
connection-state=established,related,untracked
add action=drop chain=forward comment="DEFAULT: Drop invalid traffic." \
connection-state=invalid
# New connections from WAN are dropped unless they were destination-NATed, so
# every dst-nat rule (static or created dynamically) is an opening from the
# internet to the LAN. LAN-originated traffic matches no drop rule and passes.
add action=drop chain=forward comment=\
"DEFAULT: Drop all other traffic from WAN that is not DSTNATed." \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# NAT: source NAT for outbound traffic and port forwards to 192.168.2.6.
/ip firewall nat
# Outbound traffic leaving ether1 is masqueraded behind the WAN address.
add action=masquerade chain=srcnat out-interface=ether1
# The dst-nat rules below match only on in-interface=ether1 and destination
# port; none has a src-address or src-address-list, so each forwarded port is
# reachable from any internet source. They do not apply to LAN clients, which
# presumably reach the server through the static DNS entries instead.
add action=dst-nat chain=dstnat comment="HTTP to Web Server" dst-port=80 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.6 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS to Web Server" dst-port=443 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.6 to-ports=443
add action=dst-nat chain=dstnat comment="OVPN to AS Server" dst-port=1194 \
in-interface=ether1 protocol=udp to-addresses=192.168.2.6 to-ports=1194
# NOTE(review): per its comment, port 943 is the OpenVPN AS web interface,
# presumably including the admin UI. Consider whether it needs to be exposed to
# the whole internet or could be limited to known source addresses or the VPN.
add action=dst-nat chain=dstnat comment="OPVNAS Web Interface" dst-port=943 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.6 to-ports=943
add action=dst-nat chain=dstnat comment="Plex to Plex Server" dst-port=32400 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.6 to-ports=32400
# Router management services, SMB user, UPnP, clock, logging and NTP.
/ip service
# Only telnet, ftp and api-ssl are disabled here. The other services (such as
# ssh, www, winbox and the plain-text api) are not listed, so presumably they
# remain at their defaults. No address= restriction is set on any service;
# exposure is limited only by the input filter's non-LAN drop rule.
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
/ip smb users
# A writable SMB user is defined. Whether the SMB service itself is enabled is
# not shown in this export; verify.
add name=warllo read-only=no
/ip upnp
# NOTE(review): UPnP lets any LAN host ask the router to open inbound port
# mappings on ether1 without authentication. Because the forward chain accepts
# dst-nated WAN traffic, such mappings bypass the WAN drop rule. The static
# forwards are already defined in /ip firewall nat; confirm UPnP is needed.
set enabled=yes
/ip upnp interfaces
add interface=PrimaryLan type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=America/Chicago
/system logging
# Firewall-topic log entries (e.g. from rules with log=yes) are written to disk.
add action=disk topics=firewall
/system ntp client
# Time source is given both as a fixed address and as a DNS name.
set enabled=yes primary-ntp=216.239.35.0 server-dns-names=time.google.com