CAPsMAN, DHCP and Layer3 no chance?

Hello people,
I'm very new to working with CAPsMAN on MikroTik routers.

For testing I use WLAN with a CAPsMAN manager on another network. This is my test network:

Hardware:

RB2011 - only Router between the two networks 192.168.88.0/24 and 192.168.89.0/24

2 mAP2n for APs
x86 - CAPsMAN Manager

Software:

All - 6.32.1
All - CAPsMAN v2

The two mAPs are in the network 192.168.89.0/24 with the IP addresses 192.168.89.12 and 192.168.89.13. Their gateway is the RB2011 with the IP address 192.168.89.11. On the other side of the RB2011 router is the network 192.168.88.0/24. The RB2011 router has the IP address 192.168.88.251 there. The gateway to the internet is 192.168.88.10, and the MikroTik x86 router has 192.168.88.254. The MikroTik x86 router (OS Level 4) is the CAPsMAN manager and the DHCP server.

Binding the two mAPs as cap1 and cap2 is no problem. It works. The configuration file for them is also OK. The problem comes after the DHCP server on the x86 MikroTik has done its work. When a client joins the WLAN network, it gets the IP address and the other information such as DNS server and gateway. After DHCP is done, the WLAN client can't ping its gateway or other IPs in the network.

How do I set up a central CAPsMAN for APs in different networks with the same address range and the same gateway to the internet?

If it is all in one network, it works…

Thank you for any information.

— <192.168.88.13>cap2
CAPsMAN <192.168.88.254> — <192.168.88.251>“RB2011”<192.168.89.11> — <192.168.89.12>cap1
Gateway <192.168.88.10> --------

greetings
Stephan, the ruebenmaster

Are you using CAPsMAN Forwarding or Local Forwarding?
What is your CAPsMAN configuration and what is your mAP configuration?

Hello,
how do I set up the different forwarding modes? Later I want both in the whole network... CAPsMAN forwarding and local forwarding.

I haven't found a how-to for WinBox yet...

Here is the export file from one mAP:

```
# sep/25/2015 17:03:59 by RouterOS 6.32.1
# software id = V91A-XL2A
/interface wireless
# managed by CAPsMAN
# channel: 2432/20-Ce/gn(20dBm), SSID: Netz, CAPsMAN forwarding
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik12
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface wireless cap
set caps-man-addresses=192.168.88.254 certificate=request \
    discovery-interfaces=ether1 enabled=yes interfaces=wlan1 \
    lock-to-caps-man=yes
/ip address
add address=192.168.89.12/24 interface=ether1 network=192.168.89.0
/ip firewall filter
add action=log chain=forward connection-state=established,related,new
/ip route
add distance=1 gateway=192.168.89.11
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=cap1_AP12
/system leds
set 3 interface=wlan1
/system package update
set channel=current
/system routerboard settings
set cpu-frequency=400MHz
/tool romon port
add
```

In a few minutes I will send the export from the CAPsMAN Manager.

Thx

greetings
Stephan, the Ruebenmaster

Hello,
here is the export from the CAPsMAN Manager (virtual Machine):

```
# sep/25/2015 17:15:45 by RouterOS 6.32.1
# software id = 58DW-EGDR
/caps-man configuration
add channel.extension-channel=Ce channel.frequency=2432 comment=\
    "Konfiguration zum Testen Mitarbieternetz" country=germany \
    datapath.local-forwarding=no mode=ap name=cfg_cap-APs_Work \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm security.passphrase=Contargo2015 ssid=Netz
add channel.extension-channel=Ce channel.frequency=2432 comment=\
    "Konfiguration zum Testen Mitarbieternetz" country=germany \
    datapath.local-forwarding=no mode=ap name=cfg_cap-APs_Work \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm security.passphrase=Contargo2015 ssid=Netz
/interface bridge
add name=bridge_CAPsMAN
/interface ethernet
set [ find default-name=ether2 ] name=LAN-vmnet3 speed=100Mbps
set [ find default-name=ether1 ] name=vmnet-bridge speed=100Mbps
/caps-man interface
add arp=enabled configuration=cfg_cap-APs_Work disabled=no l2mtu=1600 \
    mac-address=E4:8D:8C:10:19:C0 master-interface=none mtu=1500 name=\
    cap1-AP12 radio-mac=E4:8D:8C:10:19:C0
add arp=enabled configuration=cfg_cap-APs_Work disabled=no l2mtu=1600 \
    mac-address=E4:8D:8C:15:3D:37 master-interface=none mtu=1500 name=\
    cap1-AP13 radio-mac=E4:8D:8C:15:3D:37
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=1 name=option1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=hs-pool-1 ranges=192.168.99.1-192.168.99.253
add name=dhcp_pool1 ranges=192.168.88.210-192.168.88.220
add name=dhcp_pool2 ranges=192.168.89.210-192.168.89.220
add name=dhcp_pool3 ranges=192.168.89.210-192.168.89.219
add name=dhcp_pool4 ranges=192.168.89.100-192.168.89.149
add name=dhcp_pool5 ranges=192.168.89.100-192.168.89.119
add name=dhcp_pool6 ranges=192.168.89.70-192.168.89.79
add name=dhcp_pool7 ranges=192.168.89.100-192.168.89.119
/ip dhcp-server
add address-pool=dhcp_pool7 disabled=no interface=bridge_CAPsMAN name=\
    dhcp-CAPsMAN
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/interface bridge port
add bridge=bridge_CAPsMAN interface=cap1-AP12
add bridge=bridge_CAPsMAN interface=vmnet-bridge
/ip address
add address=172.28.28.5/24 interface=LAN-vmnet3 network=172.28.28.0
add address=192.168.88.254/24 interface=vmnet-bridge network=192.168.88.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=LAN-vmnet3
/ip dhcp-server network
add address=192.168.89.0/24 dns-server=192.168.89.11 gateway=192.168.89.11
/ip dns
set allow-remote-requests=yes servers=192.168.88.10
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=log chain=input connection-state=established,related,new disabled=\
    yes
add chain=input connection-state=established,related,new
add action=log chain=forward connection-state=established,related,new \
    disabled=yes
add chain=forward connection-state=established,related,new
add action=log chain=output connection-state=established,related,new \
    disabled=yes
add chain=output connection-state=established,related,new
add action=log chain=input connection-state=established,related,new disabled=\
    yes
add chain=input connection-state=established,related,new
add action=log chain=forward connection-state=established,related,new \
    disabled=yes
add chain=forward connection-state=established,related,new
add action=log chain=output connection-state=established,related,new \
    disabled=yes
add chain=output connection-state=established,related,new
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_CAPsMAN
add action=masquerade chain=srcnat out-interface=bridge_CAPsMAN
/ip ipsec policy
set 0 disabled=yes
/ip proxy
set anonymous=yes cache-path=disk1/web-proxy1 enabled=yes parent-proxy=\
    0.0.0.0
/ip route
add distance=1 gateway=192.168.88.10
add distance=1 gateway=192.168.88.10
add distance=1 dst-address=192.168.89.0/24 gateway=192.168.88.251
add distance=1 dst-address=192.168.89.0/24 gateway=192.168.88.251
/ip service
set api disabled=yes
/ip smb
set domain=poke.mon enabled=yes
/radius
add address=172.16.1.2 called-id=Aloisius01 secret=aloiGeheimXX service=\
    hotspot timeout=600ms
add address=172.16.1.2 called-id=Aloisius01 secret=aloiGeheimXX service=\
    hotspot timeout=600ms
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Berlin
/system identity
set name=CAPsMAN
/system ntp client
set enabled=yes primary-ntp=172.27.27.1
/system package update
set channel=current
/tool graphing interface
add
add
/tool romon port
add
```

You are using CAPsMAN forwarding mode and on the CAPsMAN you have bridged both CAP interfaces into one bridge interface. You can enable the DHCP server on the bridge interface. But I see that you have added an IP address to each of the bridge port interfaces.
When the interfaces are bridged you should assign the IP address to the bridge interface and not to the interfaces that are in the bridge.

What IP address does the client get from the DHCP server and what IP address does it try to ping?

Hello,
at the moment the client doesn't get an IP address!
After connecting to the WLAN, the process stops at getting an IP address.

greetings
Stephan. the ruebenmaster

Hello,
I changed the configuration. The IP address is now on the bridge for the two CAPs.

Now the client is getting an IP address from the range 192.168.89.110 to 192.168.89.119. I can ping the CAPs IP address 192.168.89.1, but I have no access to the routers, the DNS servers or the internet... I can only ping the CAPs but nothing else.

I tried with and without the local forwarding checkbox. No route to anything.

Any idea?

export file from CAPsMAN Manager:

```
# sep/28/2015 11:00:28 by RouterOS 6.32.1
# software id = 58DW-EGDR
/caps-man configuration
add channel.extension-channel=Ce channel.frequency=2432 comment=\
    "Konfiguration zum Testen Mitarbieternetz" country=germany \
    datapath.local-forwarding=yes mode=ap name=cfg_cap-APs_Work \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm security.passphrase=Contargo2015 ssid=Spucknapf
/interface bridge
add name=bridge_CAPsMAN
/interface ethernet
set [ find default-name=ether2 ] name=LAN-vmnet3 speed=100Mbps
set [ find default-name=ether1 ] name=vmnet-bridge speed=100Mbps
/caps-man interface
add arp=enabled configuration=cfg_cap-APs_Work disabled=no l2mtu=1600 \
    mac-address=E4:8D:8C:10:19:C0 master-interface=none mtu=1500 name=\
    cap1-AP12 radio-mac=E4:8D:8C:10:19:C0
add arp=enabled configuration=cfg_cap-APs_Work disabled=no l2mtu=1600 \
    mac-address=E4:8D:8C:15:3D:37 master-interface=none mtu=1500 name=\
    cap1-AP13 radio-mac=E4:8D:8C:15:3D:37
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=1 name=option1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=hs-pool-1 ranges=192.168.99.1-192.168.99.253
add name=dhcp_pool1 ranges=192.168.88.210-192.168.88.220
add name=dhcp_pool2 ranges=192.168.89.210-192.168.89.220
add name=dhcp_pool3 ranges=192.168.89.210-192.168.89.219
add name=dhcp_pool4 ranges=192.168.89.100-192.168.89.149
add name=dhcp_pool5 ranges=192.168.89.100-192.168.89.119
add name=dhcp_pool6 ranges=192.168.89.70-192.168.89.79
add name=dhcp_pool7 ranges=192.168.89.100-192.168.89.119
/ip dhcp-server
add address-pool=dhcp_pool7 disabled=no interface=bridge_CAPsMAN name=\
    dhcp-CAPsMAN
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/interface bridge port
add bridge=bridge_CAPsMAN interface=cap1-AP12
add bridge=bridge_CAPsMAN interface=cap1-AP13
/ip address
add address=172.28.28.5/24 interface=LAN-vmnet3 network=172.28.28.0
add address=192.168.88.254/24 interface=vmnet-bridge network=192.168.88.0
add address=192.168.89.1/24 interface=bridge_CAPsMAN network=192.168.89.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=LAN-vmnet3
/ip dhcp-server network
add address=192.168.89.0/24 dns-server=192.168.89.11 gateway=192.168.89.11
/ip dns
set allow-remote-requests=yes servers=192.168.88.10
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=log chain=input connection-state=established,related,new disabled=\
    yes
add chain=input connection-state=established,related,new
add action=log chain=forward connection-state=established,related,new \
    disabled=yes
add chain=forward connection-state=established,related,new
add action=log chain=output connection-state=established,related,new \
    disabled=yes
add chain=output connection-state=established,related,new
add action=log chain=input connection-state=established,related,new disabled=\
    yes
add chain=input connection-state=established,related,new
add action=log chain=forward connection-state=established,related,new \
    disabled=yes
add chain=forward connection-state=established,related,new
add action=log chain=output connection-state=established,related,new \
    disabled=yes
add chain=output connection-state=established,related,new
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_CAPsMAN
add action=masquerade chain=srcnat out-interface=bridge_CAPsMAN
/ip ipsec policy
set 0 disabled=yes
/ip proxy
set anonymous=yes cache-path=disk1/web-proxy1 enabled=yes parent-proxy=\
    0.0.0.0
/ip route
add distance=1 gateway=192.168.88.10
add distance=1 gateway=192.168.88.10
add distance=1 dst-address=192.168.89.0/24 gateway=192.168.88.251
add distance=1 dst-address=192.168.89.0/24 gateway=192.168.88.251
/ip service
set api disabled=yes
/ip smb
set domain=poke.mon enabled=yes
/radius
add address=172.16.1.2 called-id=Aloisius01 secret=aloiGeheimXX service=\
    hotspot timeout=600ms
add address=172.16.1.2 called-id=Aloisius01 secret=aloiGeheimXX service=\
    hotspot timeout=600ms
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Berlin
/system identity
set name=CAPsMAN
/system ntp client
set enabled=yes primary-ntp=172.27.27.1
/system package update
set channel=current
/tool graphing interface
add
add
/tool romon port
add
```

greetings
Stephan, the ruebenmaster

Hello,
I got it.

Now I have found a way to clear up this situation.

The DHCP server must give out the IP address of the CAPsMAN Manager for DNS and gateway. Local forwarding is off. So, the traffic must go over the CAPsMAN Manager. It works. :smiley:
With local forwarding I found no way to connect to anything but the CAPs themselves.

It is not practicable for our business network to steer all the traffic over the CAPsMAN Manager, because there are locations all over Europe. There are some with very slow connections to the central office, where the CAPsMAN manager is tethered. Therefore the traffic there should go directly to the Internet. I will keep trying until I find a solution for it. With the guidance in the Wiki, strangely, it does not work for me. :frowning:

Thanks for any help with building a local forwarding solution.

Many greetings and thx
Stephan, the ruebenmaster

Hello,
Unfortunately, I was happy too early. I can reach the Internet and the local networks only via ping. HTTP or HTTPS access is not permitted. Unfortunately, even after intensive and extensive research, I cannot even reach the gateway, i.e. the CAPsMAN access manager, via HTTP. There are no restrictive firewall rules on any of the components. All protocols are enabled.

Greetings
Stephan, the ruebenmaster

It is possible to configure CAPsMAN local forwarding so that the CAPsMAN only provides the wireless configuration to the CAPs, but the traffic goes out through the CAPs.
The DHCP server and internet gateway will be your main router, and the CAPs will be in your local network. On the CAP you specify that it should connect to the central CAPsMAN to get the configuration - it will connect to the CAPsMAN even through NAT.
Then everything should be working.
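
One way to lay out the local-forwarding setup described in the reply above, using the addresses and configuration names from the exports in this thread. This is an added example, not part of any post; `bridge-local`, `ether2`, `pool-wlan` and `dhcp-wlan` are assumed names, and the RB2011 is assumed to serve DHCP and DNS for 192.168.89.0/24.

```routeros
# --- CAPsMAN manager (192.168.88.254): push radio settings only ---
/caps-man configuration
set [ find name=cfg_cap-APs_Work ] datapath.local-forwarding=yes
# With local forwarding the manager no longer carries client frames,
# so it must not serve DHCP for the client subnet or hold an address in it.
/ip dhcp-server
disable [ find name=dhcp-CAPsMAN ]
/ip address
remove [ find interface=bridge_CAPsMAN ]

# --- each CAP (shown for cap1, 192.168.89.12) ---
# bridge-local is an assumed name; the CAP client adds wlan1 to it
# once the manager has provisioned the radio.
/interface bridge
add name=bridge-local
/interface bridge port
add bridge=bridge-local interface=ether1
/ip address
set [ find address="192.168.89.12/24" ] interface=bridge-local
/interface wireless cap
set enabled=yes interfaces=wlan1 caps-man-addresses=192.168.88.254 \
    discovery-interfaces=bridge-local bridge=bridge-local

# --- site router (RB2011, 192.168.89.11): DHCP and gateway for clients ---
# ether2, pool-wlan and dhcp-wlan are assumed names for the LAN port,
# the address pool and the DHCP server instance.
/ip pool
add name=pool-wlan ranges=192.168.89.100-192.168.89.119
/ip dhcp-server
add name=dhcp-wlan interface=ether2 address-pool=pool-wlan disabled=no
/ip dhcp-server network
add address=192.168.89.0/24 gateway=192.168.89.11 dns-server=192.168.89.11
```

Wireless clients then sit on the same layer-2 segment as the CAP's ether1, so the gateway handed out by DHCP is directly reachable and only the CAPsMAN control traffic crosses the routed link to 192.168.88.254.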

To uldis,
you're right. Now it is working.

Thank you very much.

Greetings from Mannheim, Germany
Stephan, the ruebenmaster