CAPsMAN doesn't allow connection to internet

RouterOS General
1

Hello, everyone.
I have been searching this forum and trying many things mentioned here and there, but was not able to solve my problem.

I have 1 router(my CAPsMAN) and 3 AP (wAP, 2 x cAP Lite) devices.
I need to create 2 AP, one for office use, one for guests. And make office AP to run by hotspot. But I can’t get over first step - making CAPsMAN networks work.

I have configured CAPsMAN on router to control all 3 CAPs, but when i connect to created WiFI networks my devices write “connected”, but no internet for both networks created - office and guest.

And from my CAPs I can ping 8.8.8.8 using bridge interface, but i cannot ping 8.8.8.8 using wireless interfaces created ‘wlan1’ or ‘wlan5’, it shows me “timeout”.

I have checked NAT, addresses, DHCP… Can’t find the problem anywhere.
Please, any help would be highly appreciated.

Relevant configurations from CAPsMAN router:

[admin@MikroTik-router] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                    
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge1                      
 1 D 192.168.1.2/24     192.168.1.0     ether1  
 [admin@MikroTik-router] > /ip dhcp-server print
Flags: D - dynamic, X - disabled, I - invalid 
 #    NAME                                          INTERFACE                                        RELAY           ADDRESS-POOL                                        LEASE-TIME ADD-ARP
 0    LAN dhcp                                      bridge1                                                          LAN dhcp                                            10m       
[admin@MikroTik-router] > ip dhcp-server network print 
Flags: D - dynamic 
 #   ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN                                                                                                             
 0   ;;; defconf
     192.168.88.0/24    192.168.88.1    8.8.8.8        
                                        192.168.88.1   
[admin@MikroTik-router] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 3    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=no log-prefix="" 

 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 5    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 6    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 7    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix="" 
[admin@MikroTik-router] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=0.0.0.0 out-interface=all-wireless log=no log-prefix="" 

 2    chain=srcnat action=masquerade out-interface=bridge1 log=no log-prefix="" 

 3    chain=srcnat action=masquerade out-interface=all-wireless log=no log-prefix="" 
 [admin@MikroTik-router] > ip pool print
 # NAME                                                                                                                                                     RANGES                         
 0 LAN dhcp                                                                                                                                                 192.168.88.10-192.168.88.254   
[admin@MikroTik-router] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1               1
 1 ADC  192.168.1.0/24     192.168.1.2     ether1                    0
 2 ADC  192.168.88.0/24    192.168.88.1    bridge1                   0
 3   S  192.168.88.0/24                    ether1                    1
2

What does “/interface bridge port print” say?

3

Hey, Sindy. Thanks for you answer.
It was automatically generated I believe

 0 R ;;; created from master port
     name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=6C:3B:6B:76:DC:75 protocol-mode=none fast-forward=yes igmp-snooping=no priority=0x8000 
     auto-mac=no admin-mac=6C:3B:6B:76:DC:75 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m region-name="" region-revision=0 max-hops=20 vlan-filtering=no 
     pvid=1
4

I’m not interested in the bridge itself, I’m interested in how (and whether at all) the cAP interfaces have been linked to it. That’s why I’ve asked for the output of “/interface bridge port print”, not “/interface bridge print” as you’ve provided.

5

That is output from /interface bridge and not /interface bridge port as requested

6

Ops, i m sorry.
Here it is(from capsman hEX router):

[admin@MikroTik-router] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                             BRIDGE                                             HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ether3                                                bridge1                                            yes    1     0x80         10                 10       none
 1   H ether4                                                bridge1                                            yes    1     0x80         10                 10       none
 2   H ether5                                                bridge1                                            yes    1     0x80         10                 10       none
 3   H ether2-master                                         bridge1                                            yes    1     0x80         10                 10       none
 4   H ether1                                                bridge1                                            yes    1     0x80         10                 10       none
 5 ID  Office-1                                              bridge1                                            yes    1     0x80         10                 10       none
 6 ID  Office-1-1                                            bridge1                                            yes    1     0x80         10                 10       none
 7 ID  Office-2                                              bridge1                                            yes    1     0x80         10                 10       none
 8 ID  Office-2-1                                            bridge1                                            yes    1     0x80         10                 10       none
 9 ID  Office-3                                              bridge1                                            yes    1     0x80         10                 10       none
10 ID  Office-3-1                                            bridge1                                            yes    1     0x80         10                 10       none

I think I have just solved it.
Following like 10th different tutorial, landing on
https://www.youtube.com/watch?v=MFV9JAB0VCM
Can’t really understand why it fixed it, but I added missing IP > address “192.168.88.1/24 192.168.88.0 ether1” for my eth1(which is coming from ISP), while 192.168.88.1(is router). And then configured every CAP as follows:
2018-03-08 14_58_49-admin@192.168.88.7 (Office-cAP-2) - WinBox v6.41.2 on cAP Lite (mipsbe).png
Previously I had no capman address configured and had “bridge1” selected as bridge in CAP configuration. And i had eth1 as discovery interface.
Are there any clues why it works now? :slight_smile:

7

Each CAP must know how to contact its CAPsMAN. It can learn that via DHCP, or you have to configure the CAPsMAN address manually.
Each CAP must be able to talk to its CAPsMAN. So there must be a switched (preferably) or routed network between the CAPs and the CAPsMAN.
Depending on the settings of “local forwarding” in the CAPsMAN configuration, all data extracted from wireless packets will be forwarded from CAP to CAPsMAN and processed there, or will be processed on the CAP itself.

As you haven’t provided the overall diagram of the network, it is hard to say why it was not working before and it works now. Maybe the bridge1 on the CAP is not connected anywhere? I’m a bit scared by what you wrote:

I added missing IP > address “192.168.88.1/24 192.168.88.0 ether1” for my eth1(which is coming from ISP), while 192.168.88.1(is router)

. It can’t be any good to have the same IP address twice in a system, on two different interfaces - it will eject its horns and punch you sooner or later.

So diagram your network topology and we can talk further.