CAPsMAN DHCP Server for CAP AX Client

Good afternoon sir, I would like to ask: I have followed tutorials on YouTube and forums on how to configure CAP on AX access points. Why does the client connected to the access point get an IP from the LAN and not from CAPsMAN? I tried to eliminate the datapath on the access point so that the wireless interface does not join the LAN bridge, but then the client does not get an IP at all. How can I make the connected client get an IP from the DHCP server on CAPsMAN, not from the LAN? Here I attach a simple topology. Adding VLANs is not possible because there are already thousands of devices connected to the existing CAPsMAN network.
(attached image: capsman3.jpg)

New wifi CAPsMAN doesn’t offer CAPsMAN forwarding, which means that without VLANs the CAP is joining the normal LAN, and traffic then normally doesn’t hit CAPsMAN. When it comes to DHCP … when a DHCP client (the WiFi station in your case) sends out a DHCP Discover, every DHCP server in the same L2 broadcast domain replies with a DHCP Offer … and most DHCP clients follow up with the DHCP server which replies fastest.

If I understand your topology sketch right, you’d like wireless clients to join subnet 192.168.94.0/24 … but you can only ensure that if the DHCP server serving those IP addresses is the only DHCP server in your L2 broadcast domain … and that most likely means you have to create a dedicated L2 broadcast domain for wireless users … by introducing VLANs. If the network gear supports VLANs, then they can be introduced without (extensive) disturbance to existing devices if done carefully.
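The Discover/Offer race described in the post above, as an added example that is not part of the original thread: it builds the broadcast DHCPDISCOVER a station sends, parses DHCPOFFER packets (RFC 2131 header, RFC 2132 options) and groups the offers by server identifier (option 54), which is the quickest way to see how many DHCP servers live in one broadcast domain. The two competing offers are constructed for the example: 192.168.94.0/24 is the subnet the thread mentions, while 192.168.1.0/24 standing in for "the LAN", the station MAC and the transaction IDs are assumptions.

```python
"""Competing DHCP servers in one L2 broadcast domain (added example).

Offers are kept in arrival order because most clients REQUEST the first
OFFER they receive, so the first key returned is the server that "wins".
"""
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
CLIENT_MAC = bytes.fromhex("3056966d456b")   # station MAC, constructed


def _hdr(op, xid, chaddr, yiaddr="0.0.0.0"):
    """Fixed 236-byte BOOTP header plus the DHCP magic cookie."""
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       op, 1, 6, 0, xid, 0, 0x8000,            # flags: broadcast
                       b"\0" * 4, IPv4Address(yiaddr).packed,   # ciaddr, yiaddr
                       b"\0" * 4, b"\0" * 4,                    # siaddr, giaddr
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128) + DHCP_MAGIC


def build_discover(client_mac, xid):
    """What the WiFi station broadcasts right after association."""
    return _hdr(1, xid, client_mac) + bytes([OPT_MSG_TYPE, 1, 1, OPT_END])


def build_offer(xid, client_mac, yiaddr, server_id, mask, router):
    """Constructed DHCPOFFER as a server on the same segment would send it."""
    opts = (bytes([OPT_MSG_TYPE, 1, 2])
            + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
            + bytes([OPT_SUBNET, 4]) + IPv4Address(mask).packed
            + bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
            + bytes([OPT_END]))
    return _hdr(2, xid, client_mac, yiaddr) + opts


def parse_dhcp(pkt):
    """Return op, xid, chaddr, yiaddr, message type and key options of one packet."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                       # pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "chaddr": pkt[28:28 + hlen],
        "yiaddr": str(IPv4Address(pkt[16:20])),
        "type": MSG_NAMES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "?"),
        "server_id": str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None,
        "router": str(IPv4Address(opts[OPT_ROUTER])) if OPT_ROUTER in opts else None,
    }


def offers_by_server(packets, xid):
    """server identifier -> offered address, for every OFFER answering xid."""
    seen = {}
    for pkt in packets:
        p = parse_dhcp(pkt)
        if p["type"] == "OFFER" and p["xid"] == xid and p["server_id"] not in seen:
            seen[p["server_id"]] = p["yiaddr"]
    return seen


def unexpected_servers(packets, xid, expected_server):
    """Every server other than the one that should own this broadcast domain."""
    return [s for s in offers_by_server(packets, xid) if s != expected_server]


XID = 0x5EC0DE
# Arrival order matters: here the LAN server answered first (constructed).
SAMPLE_OFFERS = [
    build_offer(XID, CLIENT_MAC, "192.168.1.73", "192.168.1.1", "255.255.255.0", "192.168.1.1"),
    build_offer(XID, CLIENT_MAC, "192.168.94.50", "192.168.94.1", "255.255.255.0", "192.168.94.1"),
    build_offer(0x1234, CLIENT_MAC, "10.0.0.5", "10.0.0.1", "255.255.255.0", "10.0.0.1"),  # other xid
]

if __name__ == "__main__":
    print("sent:", parse_dhcp(build_discover(CLIENT_MAC, XID))["type"])
    for server, ip in offers_by_server(SAMPLE_OFFERS, XID).items():
        print(f"OFFER from {server}: {ip}")
    print("unexpected servers:", unexpected_servers(SAMPLE_OFFERS, XID, "192.168.94.1"))
```

On a live segment the same parser can be fed packets captured on UDP port 68 (a raw-socket or pcap capture on the AP's bridge); as soon as `unexpected_servers` returns anything, the station's address depends on timing, which is exactly the behaviour the original question describes.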

That’s true, but that’s just taking the example of one bridge. In the existing CAPsMAN network there are 8 bridges that have their own IP and DHCP server; when using the previous generation access point, I only needed to configure a profile in CAPsMAN that goes to each datapath. I want to add this access point to the existing CAPsMAN network; the old network that is already running does not allow changes to be made.

I have already bought 10 of these AX access points, but I have not found a way to combine them with the existing network.

Would you care to make a network diagram?
Have you considered using VLANs (because of the remark about bridges, while just one should be used)?

In most cases, 1 bridge is all you need.

If you are planning on having those AX devices connect to a legacy CAPsMAN controller (previous generation), that will NOT work. Are you?

It might be better to follow erlinden’s advice and provide a schematic representation of your network, also clarifying which device acts as controller and what other APs are present. Also indicate the ROS version each MT device is using (especially the controller; if 7.13 or higher, things might become easier).

And then we can work from there …

As I wrote: with the new CAPsMAN there is no capsman-forwarding any more. Wireless interfaces, even though provisioned by CAPsMAN, are attached locally to the CAP’s bridge and local L2 rules apply.

Sorry for the late update.
I tried to do my own lab, with the diagram as below.
(attached image: capsman4.jpg)
I tried to change from several bridges to 1 bridge with several VLANs. Here are the problems I found.

  1. For clients connected to access points paired in one hub with the CAPsMAN controller (left), IPs can be distributed properly.
  2. For clients connected to access points paired with other hubs, IPs are not distributed, even though the configuration is the same.
    Where is my mistake? Is the DHCP server on the controller unable to cross the hub?

Thanks,

Your network is obviously not as flat as you’re trying to imply. There are 3 VLANs mentioned next to the CAPsMAN device (and possibly the “untagged” subnet). You’re also writing about “hubs” … these days nobody uses ethernet hubs, everybody is using ethernet switches, quite possibly managed ones. And these have a big chance of messing with VLANs. So you’ll have to provide a lot more details about your setup to get any useful feedback here.

Sorry for providing a less detailed diagram; here is a more detailed diagram for the lab I created and the CAPsMAN configuration.
First I paired the CAP access point to the HP 1405, and there the client managed to get an IP properly;
then I moved the CAP access point to the HP 1920, and there the client did not succeed in getting an IP.
(attached image: capsman5.jpg)
CAPsMAN Configuration

/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan110 vlan-id=110
add interface=bridge1 name=vlan120 vlan-id=120
add interface=bridge1 name=vlan130 vlan-id=130
add interface=bridge1 name=vlan140 vlan-id=140
add interface=bridge1 name=vlan150 vlan-id=150
/interface wifi channel
add band=2ghz-ax disabled=no name=2.4 skip-dfs-channels=all width=20mhz
add band=5ghz-ax disabled=no name=5 skip-dfs-channels=all width=20mhz
/interface wifi datapath
add bridge=bridge1 disabled=no name=DP
/interface wifi
add configuration.manager=capsman .mode=ap datapath=DP radio-mac=\
    F4:1E:57:2D:DA:D8
add configuration.manager=capsman .mode=ap datapath=DP radio-mac=\
    F4:1E:57:2D:DA:D9
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=sec1
add disabled=no name=usguung
/interface wifi configuration
add channel=2.4 country=Singapore datapath=DP disabled=no mode=ap name=\
    "SSID110 2.4" security=sec1 ssid=SSID-110
add channel=5 country=Singapore datapath=DP disabled=no mode=ap name=\
    "SSID110 5" security=sec1 ssid=SSID-110
add channel=2.4 country=Singapore datapath=DP disabled=no mode=ap name=\
    SSID120-2.4 security=sec1 ssid=SSID-120
add channel=5 country=Singapore datapath=DP disabled=no mode=ap name=SSID120-5 \
    security=sec1 ssid=SSID-120
add channel=2.4 country=Singapore datapath=DP disabled=no mode=ap name=\
    SSID130-2.4 security=sec1 ssid=SSID-130
add channel=5 country=Singapore datapath=DP disabled=no mode=ap name=SSID130-5 \
    security=sec1 ssid=SSID-130
add channel=2.4 country=Singapore datapath=DP disabled=no mode=ap name=\
    "SSID INTRNAL-2.4" security=sec1 ssid=SSID-INTRNAL
add channel=5 country=Singapore datapath=DP disabled=no mode=ap name=\
    "SSID INTRNAL-5" security=sec1 ssid=SSID-INTRNAL
/interface wifi
add configuration="SSID110 2.4" configuration.mode=ap disabled=no name=\
    "SSID110 2.4ax" radio-mac=F4:1E:57:2D:94:82
add configuration="SSID110 5" configuration.mode=ap disabled=no name=\
    "SSID110 5ax" radio-mac=F4:1E:57:2D:94:83
add configuration=SSID120-2.4 configuration.mode=ap disabled=no mac-address=\
    F6:1E:57:2D:94:82 master-interface="SSID110 2.4ax" name="SSID120 2.4ax"
add configuration=SSID120-5 configuration.mode=ap disabled=no mac-address=\
    F6:1E:57:2D:94:83 master-interface="SSID110 5ax" name="SSID120 5ax"
add configuration=SSID130-2.4 configuration.mode=ap disabled=no mac-address=\
    F6:1E:57:2D:94:84 master-interface="SSID110 2.4ax" name="SSID130 2.4ax"
add configuration=SSID130-5 configuration.mode=ap disabled=no mac-address=\
    F6:1E:57:2D:94:85 master-interface="SSID110 5ax" name="SSID130 5ax"
add configuration="SSID INTRNAL-2.4" configuration.mode=ap disabled=no \
    mac-address=F6:1E:57:2D:94:86 master-interface="SSID110 2.4ax" name=\
    "SSID150 2.4ax" security.authentication-types=wpa2-psk
add configuration="SSID INTRNAL-5" configuration.mode=ap disabled=no \
    mac-address=F6:1E:57:2D:94:87 master-interface="SSID110 5ax" name=\
    "SSID150 5ax" security.authentication-types=wpa2-psk
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=vlan.trial hotspot-address=50.50.130.1 name=hsprof1
/ip pool
add name=dhcp_pool0 ranges=50.50.110.2-50.50.110.254
add name=dhcp_pool1 ranges=50.50.120.2-50.50.120.254
add name=dhcp_pool2 ranges=50.50.130.2-50.50.130.254
add name=dhcp_pool3 ranges=50.50.140.2-50.50.140.254
add name=dhcp_pool4 ranges=50.50.150.2-50.50.150.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan110 name=dhcp1
add address-pool=dhcp_pool1 interface=vlan120 name=dhcp2
add address-pool=dhcp_pool2 interface=vlan130 name=dhcp3
add address-pool=dhcp_pool3 interface=vlan140 name=dhcp4
add address-pool=dhcp_pool4 interface=vlan150 name=dhcp5
/ip hotspot
add address-pool=dhcp_pool2 disabled=no interface=vlan130 name=hotspot1 \
    profile=hsprof1
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=110
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=120
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=130
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=140
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=150
/interface wifi access-list
add action=accept comment="accept 120" disabled=no ssid-regexp=SSID-120 \
    vlan-id=120
add action=accept comment="accept 110" disabled=no ssid-regexp=SSID-110 \
    vlan-id=110
add action=accept comment="accept 130" disabled=no ssid-regexp=SSID-130 \
    vlan-id=130
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    30:56:96:6D:45:6B signal-range=-80..120 ssid-regexp=SSID-INTRNAL vlan-id=\
    140
add action=reject allow-signal-out-of-range=10s comment="Reject SSID-INTRNAL" \
    disabled=no signal-range=-80..120 ssid-regexp=SSID150 vlan-id=150
/interface wifi cap
set caps-man-addresses=127.0.0.1 caps-man-names=MikroTik discovery-interfaces=\
    bridge1 enabled=yes slaves-datapath=DP
/interface wifi capsman
set enabled=yes interfaces=bridge1 package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no supported-bands=2ghz-ax
add action=create-enabled disabled=no supported-bands=5ghz-ax
/ip address
add address=50.50.110.1/24 interface=vlan110 network=50.50.110.0
add address=50.50.120.1/24 interface=vlan120 network=50.50.120.0
add address=50.50.130.1/24 interface=vlan130 network=50.50.130.0
add address=50.50.140.1/24 interface=vlan140 network=50.50.140.0
add address=50.50.150.1/24 interface=vlan150 network=50.50.150.0
/ip dhcp-client
add interface=bridge1
/ip dhcp-server network
add address=50.50.110.0/24 gateway=50.50.110.1
add address=50.50.120.0/24 gateway=50.50.120.1
add address=50.50.130.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=50.50.130.1
add address=50.50.140.0/24 gateway=50.50.140.1
add address=50.50.150.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=50.50.150.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=50.50.130.0/24
/ip hotspot user
add name=admin
/system note
set show-at-login=no

CAP Configuration

/interface bridge
add admin-mac=F4:1E:57:2D:94:80 auto-mac=no comment=defconf ingress-filtering=\
    no name=bridgeLocal vlan-filtering=yes
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: SSID-110, channel: 2442/ax
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
# managed by CAPsMAN
# mode: AP, SSID: SSID-110, channel: 5825/ax
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
add mac-address=F6:1E:57:2D:94:83 master-interface=wifi2 name=wifi9
add mac-address=F6:1E:57:2D:94:85 master-interface=wifi2 name=wifi10
add mac-address=F6:1E:57:2D:94:87 master-interface=wifi2 name=wifi11
add mac-address=F6:1E:57:2D:94:82 master-interface=wifi1 name=wifi12
add mac-address=F6:1E:57:2D:94:84 master-interface=wifi1 name=wifi13
add mac-address=F6:1E:57:2D:94:86 master-interface=wifi1 name=wifi14
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=110
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=120
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=130
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=140
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=150
/interface wifi cap
set caps-man-addresses=10.10.101.131 caps-man-names=MikroTik \
    discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf disabled=yes interface=bridgeLocal
/system note
set show-at-login=no

Are those HP switches configured with VLANs?

BTW, as soon as a cAP is provisioned by CAPsMAN, local settings under /interface/wifi largely don’t apply. Which includes datapath. Settings from CAPsMAN apply, including bridge name (and yours don’t match). So I wonder how on earth anything could work actually.

Regarding bridge and datapath, I think that refers to the local bridge of the controller to which cap interfaces are being attached.
But I do admit it is not crystal clear.

bridge (bridge interface) Bridge interface to add interface to, as a bridge port.
Virtual (‘slave’) interfaces are by default added to the same bridge, if any, as the corresponding master interface. Master interfaces are not by default added to any bridge.

As it happens, I finished the config of a client setup yesterday with an L009 and 4 wAP AX, incl. VLANs (main wifi and guest).
The datapath on the L009 was set to “bridge”, one for each VLAN; the APs are in CAP mode so it’s named “bridgeLocal” there.
Simply works.

And yes, non-managed switches in a VLAN network are most likely a no-go.

Are those HP switches configured with VLANs?

No sir, these are unmanaged switches.

Settings from CAPsMAN apply, including bridge name (and yours don’t match). So I wonder how on earth could anything work actually.

Yes, this works perfectly on the left side of the diagram.

And yes, non-managed switches in a VLAN network are most likely a no-go.

I tried to combine the CAP AX with the existing CAPsMAN, but it is not possible. Then I tried to make the configuration adapt to the current, latest MikroTik AP style, but there are many unmanaged switches scattered across the network.
It seems that the CAP AX is not suitable for the current network. Is there another solution, or do I have to give up the 10 AX access points because they cannot be used, or do I have to spend much more money to replace all the existing switches so that these AX access points can be installed?
(attached image: Current Topologi Switch.jpeg)

There is no problem with the cAP AX.
There is a problem with switches which you want to use in a way they cannot handle. Look at those switches as filters. They don’t know about VLAN tags. Most likely they are simply discarding that info, so when the packets arrive at the cAP AX, there is no VLAN info anymore.
How do you want VLANs to work then? You need to make sure all communication channels can handle that info.
Ergo… managed switches.

You’re not going to drive an F1 car on a corn field, are you? The car is not made for it. Neither is the corn field.

3 options:
1- drop the VLAN requirement
2- change all the switches, or only those in the path of a cAP AX (it IS an option, therefore I mention it …) and to be honest, it’s almost 2025. For future safety it is needed to do it sooner or later.
3- use MikroTik for what it can do and apply an EoIP tunnel over each segment between the CCR and each of the MikroTik APs so VLAN communication can happen over there. I’ve already done it in a test setup as proof of concept so I know it can be done. Not sure about the exact details anymore …

As @holvoetn already wrote, unmanaged / non-VLAN-aware switches are a problem in your intended setup. Managed switches are not an absolute requirement in a VLANed network, but they have to be able to pass “mini-jumbo” frames … 802.1Q headers add 4 bytes to the ethernet frame and switches have to be able to pass those frames. If they don’t support 1504-byte frames, then in the best case they drop the frames (overruns on Rx) or they clip them to 1500 bytes (invalidating the payload).
But if switches don’t support configuring ports for VLANs, then they don’t offer the required VLAN separation … and thus compromise VLAN security.
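The two points made above, that a tag-unaware switch simply does not understand the VLAN header and that 802.1Q adds 4 bytes to the frame, as an added example that is not part of the original thread. It builds an Ethernet II frame, inserts and strips an 802.1Q tag, parses the frame once as a VLAN-aware device and once as a tag-unaware one, and checks a full-size frame against the classic 1518-byte (with FCS) limit. The MAC addresses, the VLAN ID 110 from the poster's config and the 1500-byte payload are constructed; the frames are handled without the 4-byte FCS the NIC appends, which the size check adds back.

```python
"""802.1Q tagging and the extra 4 bytes (added example)."""
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
FCS_LEN = 4
MAX_FRAME_WITH_FCS = 1518     # untagged Ethernet maximum: 14 + 1500 + FCS
MAX_TAGGED_WITH_FCS = 1522    # 802.1Q "baby giant": 4 more bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame without FCS."""
    return dst + src + struct.pack("!H", ethertype) + payload


def add_dot1q(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert TPID 0x8100 + TCI (PCP:3, DEI:1, VID:12) after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, tci) + frame[12:]


def strip_dot1q(frame: bytes) -> bytes:
    """What a VLAN-aware access port does on egress: remove the 4-byte tag."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes, vlan_aware: bool = True) -> dict:
    """Decode dst/src/VLAN/ethertype/payload.

    With vlan_aware=False the device reads 0x8100 as the EtherType and treats
    the TCI plus real EtherType as the start of a 1504-byte payload: the VLAN
    information is invisible to it, exactly as with an unmanaged switch.
    """
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, off = None, 14
    if vlan_aware and ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vid,
            "ethertype": ethertype, "payload": frame[off:]}


def fits_tag_unaware_switch(frame: bytes, max_with_fcs: int = MAX_FRAME_WITH_FCS) -> bool:
    """Would a switch with this maximum frame size forward the frame at all?"""
    return len(frame) + FCS_LEN <= max_with_fcs


CAP_MAC = bytes.fromhex("f41e572d9480")   # cAP bridge MAC, constructed
GW_MAC = bytes.fromhex("f41e572dda00")    # controller MAC, constructed
UNTAGGED = build_frame(GW_MAC, CAP_MAC, ETH_P_IP, bytes(1500))   # max-size IP payload
TAGGED = add_dot1q(UNTAGGED, 110)                                # VLAN 110 as in the config

if __name__ == "__main__":
    print("untagged", len(UNTAGGED), "bytes, tagged", len(TAGGED), "bytes (no FCS)")
    print("VLAN-aware view:", parse_frame(TAGGED)["vlan"], hex(parse_frame(TAGGED)["ethertype"]))
    blind = parse_frame(TAGGED, vlan_aware=False)
    print("tag-unaware view: ethertype", hex(blind["ethertype"]), "payload", len(blind["payload"]))
    print("passes 1518-byte switch:", fits_tag_unaware_switch(TAGGED))
```

The tag-unaware view is the interesting one: the switch sees EtherType 0x8100 and 1504 bytes of "payload", so a full-size tagged frame is either too long for it or, if it does forward, reaches the cAP only if nothing in between required the tag to be meaningful. A switch that understands the tag (VLAN-aware, `MAX_TAGGED_WITH_FCS`) forwards it and keeps the VID.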

Sorry for the late update due to the new year holiday. All my problems above have been resolved now. CAP AX controllers can run together with the old CAPsMAN, all VLANs run smoothly, and all DHCP servers are distributed properly. Thanks for all the advice @holvoetn, @mkx
(attached image: Screenshot 2025-01-09 113503.png)
Then I tried to install wifi-qcom-ac on my CAP-AC access point, and this problem appeared:
(attached image: Screenshot 2025-01-07 133459.png)
but it doesn’t matter because I can still use the old CAPsMAN.

Wifi-qcom-ac is a bit different on the VLAN part:

  • explicitly set the VLAN on the interfaces on the CAP (use create-enabled in the provisioning part)
  • explicitly set the VLAN on the bridge on the CAP
  • don’t use the datapath VLAN setting for those CAPs (separate configuration)