CAPsMAN Guest WiFi Problem

Hello everyone!

I have the following setup: my main router is a Hex 750Gr3, and a HAP AC is connected to it as an AP. I configured CAPsMAN for two private wifis (2.4 GHz and 5 GHz) and two virtual public wifis (2.4 GHz and 5 GHz). The private wifis work just fine. However, neither of the public ones is working. The problem is that devices cannot get an IP address from the guest DHCP server. Here are the errors that I see in the log once I try to connect to a public wifi.

Here are the settings:

HEX 750Gr3:

[test@HEX] > /ip export hide-sensitive
# jun/14/2018 04:51:43 by RouterOS 6.41.2
#
# model = RouterBOARD 750G r3
#
# IP-layer configuration of the HEX, which is both the main router and the
# CAPsMAN manager in this setup. Exported with hide-sensitive, so secrets
# are not shown. Two networks are defined: 192.168.1.0/24 on bridge1-lan
# (private) and 192.168.2.0/24 on GuestBridge (guest).

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

# One address pool per network.
/ip pool
add name=MyNetworkPool ranges=192.168.1.50-192.168.1.149
# NOTE(review): this range starts at 192.168.2.10, which is also the address
# assigned to GuestBridge under /ip address, so the guest gateway sits inside
# its own DHCP pool. Confirm whether the pool should start above .10.
add name=GuestNetworkPool ranges=192.168.2.10-192.168.2.90

# One DHCP server per bridge. The guest server listens on GuestBridge only,
# so a guest client gets a lease only if its frames reach GuestBridge on
# this router.
/ip dhcp-server
add address-pool=MyNetworkPool authoritative=after-2sec-delay disabled=no \
    interface=bridge1-lan lease-time=3d name=MyNetworkDhcp
add address-pool=GuestNetworkPool authoritative=after-2sec-delay disabled=no \
    interface=GuestBridge lease-time=3d name=GuestNetworkDhcp

# Router addresses; each one is the gateway handed out by the matching
# dhcp-server network entry.
/ip address
add address=192.168.1.1/24 interface=bridge1-lan network=192.168.1.0
add address=192.168.2.10/24 interface=GuestBridge network=192.168.2.0

# Options handed to DHCP clients. Both networks get public resolvers
# directly, so clients do not need the router as their DNS server.
/ip dhcp-server network
add address=192.168.1.0/24 comment="My Network" dns-server=\
    8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 comment="Guest Network" dns-server=\
    8.8.8.8,8.8.4.4 gateway=192.168.2.10 netmask=24

/ip dns
set servers=8.8.8.8,8.8.4.4

# Filter rules are evaluated top to bottom, and a packet that matches no
# rule is accepted.
# NOTE(review): no rule in this export names GuestBridge, and neither chain
# ends in a catch-all drop. As exported, traffic arriving on GuestBridge that
# matches nothing below is accepted, both toward 192.168.1.0/24 (forward)
# and toward the router's own services (input). If the guest network is
# meant to be isolated, that needs explicit drop rules; confirm the intent.
/ip firewall filter
# ICMP is accepted on every interface, in both chains.
add action=accept chain=input protocol=icmp
add action=accept chain=forward protocol=icmp
# Return traffic for connections that are already tracked.
add action=accept chain=input connection-state=established
add action=accept chain=forward connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=forward connection-state=related
# Invalid-state packets are dropped unless they arrive on bridge1-lan.
add action=drop chain=input connection-state=invalid in-interface=!bridge1-lan
add action=drop chain=forward connection-state=invalid in-interface=\
    !bridge1-lan
# NOTE(review): the next two input rules accept source 192.168.1.0/24 on
# "any interface except bridge1" and "any interface except l2tp". Between
# them they cover every interface, so the decision rests on the source
# address alone and the input drops for l2tp/bridge1 further down never see
# such packets. bridge1 and l2tp are presumably the upstream-facing
# interfaces (both are masquerade out-interfaces below). Matching
# in-interface=bridge1-lan instead would tie the accept to the LAN port.
# Confirm the intent.
add action=accept chain=input in-interface=!bridge1 src-address=192.168.1.0/24
add action=accept chain=input in-interface=!l2tp src-address=\
    192.168.1.0/24
# LAN clients may be forwarded out through l2tp and bridge1.
add action=accept chain=forward in-interface=bridge1-lan out-interface=\
    l2tp
add action=accept chain=forward in-interface=bridge1-lan out-interface=bridge1
# Anything arriving on l2tp or bridge1 that was not accepted above is dropped.
add action=drop chain=forward in-interface=l2tp
add action=drop chain=forward in-interface=bridge1
add action=drop chain=input in-interface=l2tp
add action=drop chain=input in-interface=bridge1

# Source NAT. Both enabled rules match 192.168.1.0/24 only.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=l2tp src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat out-interface=bridge1 src-address=\
    192.168.1.0/24
# NOTE(review): the only rule for the guest subnet is disabled and covers
# l2tp only, so as exported 192.168.2.0/24 is not masqueraded on either
# uplink. Confirm whether guest clients are meant to have upstream access.
add action=masquerade chain=srcnat disabled=yes out-interface=l2tp \
    src-address=192.168.2.0/24
    
[test@HEX] > /caps-man export hide-sensitive
# jun/14/2018 04:53:31 by RouterOS 6.41.2
#
# model = RouterBOARD 750G r3
#
# CAPsMAN (manager-side) configuration on the HEX. It defines one private
# and one guest SSID per band. Each guest SSID is a virtual interface on top
# of the private one.

# One fixed channel per band.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=Ce frequency=2412 name=2412-2Ghz
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=eeCe frequency=5220 name=5220-5Ghz

# Both profiles use WPA2-PSK with AES-CCM. The passphrases are omitted
# because the export uses hide-sensitive.
# NOTE(review): the export cannot show whether the private and guest
# profiles use different passphrases; verify that on the device.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=MyNetworkSecurity
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=GuestNetworkSecurity

# Each configuration ties an SSID to a channel, a security profile and a
# datapath.
# NOTE(review): country=no_country_set on all four entries means no
# regulatory domain is selected; confirm the correct country setting.
/caps-man configuration
add channel=2412-2Ghz country=no_country_set datapath=MyNetworkPath mode=ap name=My2GhzConf rx-chains=0,1,2 security=MyNetworkSecurity ssid=Test tx-chains=0,1,2
add channel=5220-5Ghz country=no_country_set datapath=MyNetworkPath mode=ap name=My5GhzConf rx-chains=0,1,2 security=MyNetworkSecurity ssid=Test_5 tx-chains=0,1,2
add channel=2412-2Ghz country=no_country_set datapath=GuestNetworkPath hide-ssid=no mode=ap name=Guest2GhzConf rx-chains=0,1,2 security=GuestNetworkSecurity ssid=Test_Guest tx-chains=0,1,2
add channel=5220-5Ghz country=no_country_set datapath=GuestNetworkPath hide-ssid=no mode=ap name=Guest5GhzConf rx-chains=0,1,2 security=GuestNetworkSecurity ssid=Test5_Guest tx-chains=0,1,2

# The datapath decides where client traffic is bridged. With
# local-forwarding=yes the CAP forwards client frames itself instead of
# sending them to the manager, so the named bridge must exist on the CAP.
# The guest DHCP server is bound to GuestBridge on this router, and the
# thread's resolution was to disable local forwarding on GuestNetworkPath.
# client-to-client-forwarding=no on the guest path stops guest stations
# from talking to each other through the AP. It does not by itself separate
# the guest subnet from the private one at the IP layer.
/caps-man datapath
add bridge=bridge1-lan client-to-client-forwarding=yes local-forwarding=yes name=MyNetworkPath
add bridge=GuestBridge client-to-client-forwarding=no local-forwarding=yes name=GuestNetworkPath

# Static CAP interfaces. The two *_guest entries are virtual interfaces,
# with master-interface pointing at the private interface of the same band.
/caps-man interface
add channel=2412-2Ghz configuration=My2GhzConf datapath=MyNetworkPath disabled=no l2mtu=1600 mac-address=AA:BD:EC:2D:48:4B master-interface=none name=cap2ghz radio-mac=AA:BD:EC:2D:48:4B security=MyNetworkSecurity
add channel=2412-2Ghz configuration=Guest2GhzConf datapath=GuestNetworkPath disabled=no l2mtu=1600 mac-address=AA:BD:EC:2D:48:8B master-interface=cap2ghz name=cap2ghz_guest radio-mac=00:00:00:00:00:00 security=GuestNetworkSecurity
add channel=5220-5Ghz configuration=My5GhzConf datapath=MyNetworkPath disabled=no l2mtu=1600 mac-address=BD:AA:EC:2D:48:4B master-interface=none name=cap5ghz radio-mac=BD:AA:EC:2D:48:4B security=MyNetworkSecurity
add channel=5220-5Ghz configuration=Guest5GhzConf datapath=GuestNetworkPath disabled=no l2mtu=1600 mac-address=BD:AA:EC:2D:48:8B master-interface=cap5ghz name=cap5ghz_guest radio-mac=00:00:00:00:00:00 security=GuestNetworkSecurity

# NOTE(review): only enabled=yes is exported, so the remaining manager
# options are presumably at their defaults. Confirm whether certificate-based
# CAP authentication is wanted.
/caps-man manager
set enabled=yes

# Provisioning is keyed on each radio's MAC address: the private
# configuration becomes the master and the guest configuration the slave.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=My2GhzConf radio-mac=AA:BD:EC:2D:48:4B slave-configurations=Guest2GhzConf
add action=create-dynamic-enabled master-configuration=My5GhzConf radio-mac=BD:AA:EC:2D:48:4B slave-configurations=Guest5GhzConf

[test@HEX] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.1.0/24     192.168.1.1    bridge1-lan               0
 1 ADC  192.168.2.0/24     192.168.2.10   GuestBridge               0

HAP AC:

[test@HAP_AC] > /ip export hide-sensitive
# jun/14/2018 20:30:38 by RouterOS 6.41.2
#
# model = RouterBOARD 962UiGS-5HacT2HnT
#
# IP-layer configuration of the HAP AC, which acts as the CAP (managed
# access point). This export shows no address, DHCP server or route for
# 192.168.2.0/24. The device has a single address on the private bridge.

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

# Management address of the AP on the private LAN.
/ip address
add address=192.168.1.2/24 interface=bridge1-lan network=192.168.1.0

/ip dns
set servers=8.8.8.8,8.8.4.4

# Default route via the HEX.
/ip route
add distance=1 gateway=192.168.1.1

[test@HAP_AC] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.1.1               1
 1 ADC  192.168.1.0/24     192.168.1.2     bridge1-lan               0

I can ping 192.168.2.10 from 192.168.1.1. I followed the setup instructions very carefully and have no idea what else to try. Please advise. Let me know if you need anything else from me.

Thanks for your time.

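The problem is solved now. For anyone who encounters the same issue, here is what I did: I disabled local forwarding on the guest (public) network datapath, so guest traffic is now tunneled to the CAPsMAN manager (the HEX), where GuestBridge and the guest DHCP server are configured. I also selected bridge1-lan as the discovery interface on the HAP AC (the CAP).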