CAPSMAN + Guest WiFi

I have a main device, an RB3011UiAS, and I decided to create a CAPsMAN network in our office. We need two SSIDs: the first a main WLAN for private needs with a hidden WiFi network, and the second for guests, customers and others who come to our office.

So, I created and configured CAPsMAN properly,

set up DHCP for both networks, and created two bridge interfaces for the private and guest networks.

But I got stuck on one thing. When I connect to the private network, it's OK: I get an IP address and have internet access. But when I try to connect to the guest network, I also get an IP address but have no internet access, and I also can't ping my router from the connected device.

I assume you mean the internet router plugged into the CAPsMAN controller? If so, check that masquerade applies equally to both networks (e.g. that it is applied based on the out-interface criteria).

Can the open network client ping the gateway IP handed out by DHCP (10.35.0.1; watch out, you set it as a /32)?

Exporting the relevant sections (DHCP, IP Addresses, IP Firewall, Routes, etc.) and copy-pasting them here will help; pictures are barely readable and don't include all the relevant details.

Thanks for your answer, and sorry for the poor quality of the picture. Here is the config; I hope it helps. My knowledge is not so deep, I don't know which info I need to share :)

https://www.dropbox.com/s/17lhcv7dqc47d3a/1.rsc?dl=0

I suspect that the problem is hiding in the bridge section or the NAT section, but I'm not sure.

Next time don't post sensitive data, like passwords, publicly.
Disable this NAT rule and check if the problem is resolved:

add action=masquerade chain=srcnat out-interface=bridgeopen src-address=\
    10.35.0.0/24

Oops :) Thanks for your advice. But your solution doesn't work, because I've already tried that.

/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=channel1 tx-power=20
/interface bridge
add name=bridge
add name=bridgeopen
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
    datapath1
add bridge=bridge client-to-client-forwarding=yes name=datapath2
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security1 passphrase=ch153privatewifi
add name=open
/caps-man configuration
add channel=channel1 country=kazakhstan datapath=datapath1 hide-ssid=yes \
    mode=ap name=cfg1 rx-chains=0,1,2 security=security1 ssid=amid-private \
    tx-chains=0,1,2
add channel=channel1 country=kazakhstan datapath=datapath2 mode=ap name=\
    cfgopen rx-chains=0,1,2 security=open ssid=amid tx-chains=0,1,2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
set [ find default=yes ] name=group1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=\
    aes-256-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none
/ip pool
add name=lan-local ranges=192.168.10.130-192.168.10.199
add name=guestwifi ranges=10.35.0.2-10.35.0.254
/ip dhcp-server
add address-pool=lan-local authoritative=after-2sec-delay disabled=no \
    interface=bridge lease-time=1h name=lan-local
add address-pool=guestwifi disabled=no interface=bridgeopen name=guestwifi
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,gn \
    master-configuration=cfg1 slave-configurations=cfgopen
/interface bridge port
add bridge=bridge interface=ether4-server
add bridge=bridge interface=ether5-lan-server
add bridge=bridge interface=ether7-lan-1stfloor
add bridge=bridge interface=ether8-lan-2ndfloor
add bridge=bridge interface=ether9-lan-conf
add bridge=bridge interface=ether10-ip-pbx
add bridge=bridge interface=ether6-lan-ipcam
/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=192.168.12.1/24 interface=ether6-lan-ipcam network=192.168.12.0
add address=10.35.0.1 interface=bridgeopen network=10.35.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether3-zyxel-lte
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.10.35.0/24 list=lan-route-exclude-IP
add address=192.168.40.0/24 list=lan-route-exclude-IP
add address=192.168.10.0/24 list=lan-route-exclude-IP
add address=192.168.12.0/24 list=lan-route-exclude-IP
add address=192.168.20.0/24 list=lan-route-exclude-IP
add address=192.168.30.0/24 list=lan-route-exclude-IP
add address=192.168.100.0/24 list=lan-route-exclude-IP
add address=192.168.110.0/24 list=lan-route-exclude-IP
add address=192.168.120.0/24 list=lan-route-exclude-IP
add address=192.168.130.0/24 list=lan-route-exclude-IP
add address=192.168.200.0/24 list=lan-route-exclude-IP
add address=192.168.10.0/24 list=ISP1-client
add address=10.10.45.0/24 list=ISP2-client
add address=10.65.0.0/24 list=lan-route-exclude-IP
add address=10.66.0.0/19 list=lan-route-exclude-IP
add address=10.66.7.0/24 list=lan-route-exclude-IP
add address=10.65.0.2 list=lan-route-exclude-IP
add address=192.168.99.0/24 list=lan-route-exclude-IP
add address=66.220.144.0/21 comment=facebook disabled=yes list=block-facebook
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=input dst-port=53 in-interface=pppoe-ISP1 protocol=udp
add action=accept chain=input protocol=gre
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=udp src-port=4500
add action=accept chain=input dst-port=5060 protocol=udp src-port=5060
add action=accept chain=input dst-port=1723 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=pppoe-ISP2 protocol=udp
add action=drop chain=input dst-port=53 in-interface=pppoe-ISP1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=pppoe-ISP2 protocol=tcp
add action=jump chain=forward connection-state=new disabled=yes jump-target=\
    block-ddos
add action=return chain=block-ddos disabled=yes dst-limit=\
    50,50,src-and-dst-addresses/10s
add action=accept chain=input src-address=127.0.0.1
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=\
    !lan-route-exclude-IP new-routing-mark=ISP1-out passthrough=yes \
    src-address-list=ISP1-client
add action=mark-routing chain=prerouting dst-address-list=\
    !lan-route-exclude-IP new-routing-mark=ISP2-out passthrough=yes \
    src-address-list=ISP2-client
add action=mark-connection chain=input comment=\
    "Mark input connection from ISP1" in-interface=pppoe-ISP1 \
    new-connection-mark=ISP1-cin passthrough=yes
add action=mark-connection chain=input comment=\
    "Mark input connection from ISP2" in-interface=pppoe-ISP2 \
    new-connection-mark=ISP2-cin passthrough=yes
add action=mark-routing chain=output comment=\
    "Mark output connection for routing mark to ISP1" connection-mark=\
    ISP1-cin new-routing-mark=ISP1-out passthrough=yes
add action=mark-routing chain=output comment=\
    "Mark output connection for routing mark to ISP2" connection-mark=\
    ISP2-cin new-routing-mark=ISP2-out passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=ISP1 out-interface=pppoe-ISP1
add action=masquerade chain=srcnat comment=ISP2 out-interface=pppoe-ISP2
add action=netmap chain=dstnat dst-port=3389 in-interface=pppoe-ISP1 \
    protocol=tcp to-addresses=192.168.10.90 to-ports=3389
add action=netmap chain=dstnat dst-port=8000 in-interface=pppoe-ISP1 \
    protocol=tcp to-addresses=192.168.12.10 to-ports=8000
add action=netmap chain=dstnat dst-port=8000 in-interface=pppoe-ISP1 \
    protocol=udp to-addresses=192.168.12.10 to-ports=8000
add action=netmap chain=dstnat dst-port=10000-65000 in-interface=pppoe-ISP2 \
    protocol=udp to-addresses=192.168.10.15 to-ports=10000-65000
add action=netmap chain=dstnat dst-port=10000-65000 in-interface=pppoe-ISP1 \
    log=yes protocol=udp to-addresses=192.168.10.15 to-ports=10000-65000
add action=netmap chain=dstnat comment=IDPHONE dst-port=5060 in-interface=\
    pppoe-ISP1 protocol=udp to-addresses=192.168.10.15 to-ports=5060
add action=netmap chain=dstnat comment=IDPHONE dst-port=5060 in-interface=\
    pppoe-ISP2 protocol=tcp to-addresses=192.168.10.15 to-ports=5060
add action=netmap chain=dstnat comment=IDPHONE dst-port=5060 in-interface=\
    pppoe-ISP2 protocol=udp to-addresses=192.168.10.15 to-ports=5060
/ip ipsec peer
add dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des exchange-mode=\
    main-l2tp generate-policy=port-override secret=1234
/ip route
add comment="Out route over pppoe-ISP1" distance=1 gateway=\
    82.200.242.218%pppoe-ISP1 routing-mark=ISP1-out
add comment="Out route over pppoe-ISP2" distance=2 gateway=\
    82.200.242.218%pppoe-ISP2 routing-mark=ISP2-out
add comment=Default distance=1 gateway=pppoe-ISP1
add distance=1 gateway=ether3-zyxel-lte
add distance=1 dst-address=8.8.4.4/32 gateway=pppoe-ISP2
add distance=1 dst-address=8.8.8.8/32 gateway=pppoe-ISP1
add distance=1 dst-address=192.168.20.0/24 gateway=10.10.35.20
add distance=1 dst-address=192.168.30.0/24 gateway=10.10.35.30
add distance=1 dst-address=192.168.40.0/24 gateway=10.10.35.40
add distance=1 dst-address=192.168.99.0/24 gateway=l2tp-breadgreen
add distance=1 dst-address=192.168.100.0/24 gateway=10.10.35.100
add distance=1 dst-address=192.168.110.0/24 gateway=10.10.35.110
add distance=1 dst-address=192.168.120.0/24 gateway=10.10.35.120
add distance=1 dst-address=192.168.130.0/24 gateway=10.10.35.130

You seem to be missing the IP > DHCP > Network entries.

Also, I think for your intended setup

add address=10.35.0.1 interface=bridgeopen network=10.35.0.0

should be

add address=10.35.0.1/24 interface=bridgeopen network=10.35.0.0

Do clients connected to the open network:

1.- Get an IP?
2.- Post ipconfig /all or ifconfig & cat /etc/resolv.conf from an open client
3.- Post netstat -rn from an open client
4.- Ping 10.35.0.1 fine?

pukkita, thank you very much. You were right, my mistake was ridiculous. I just added "/24" to 10.35.0.0 and the guest WiFi works! I'm so dumb…

Your setup is not available anymore on Dropbox… I was hoping to use it as a template.

I had an RB2011 with a private (hidden) and a guest WLAN and am trying to set up CAPsMAN, hoping to keep both the private and guest networks.

Does anyone know a good tutorial, please? I followed the one from the MikroTik wiki, but it describes how to set up one WLAN only.

Hello,
https://www.youtube.com/watch?v=Q9h00PYEzQM
Personally, this video helped me a lot in the past…

Many thanks for the very useful video. I tried to follow these instructions, but only succeeded with the main Wi-Fi network; the guest network has no internet. I also tried the tutorial from the wiki, with even less success. Can someone please help me set up CAPsMAN?

I'll assume you want to set up a virtual AP to run the guest WiFi and that you'll use VLANs to separate the traffic of the two APs from each other.

So the setup steps are more or less the following:

  1. In /caps-man datapath create two datapaths appropriate for both traffic sources (VAPs). Set appropriate properties, such as vlan-mode=use-tag vlan-id=
  2. In /caps-man security create two security profiles with appropriate settings (authentication and encryption types, PSK if used, …), one for each VAP.
  3. In /caps-man configuration create two configuration sets appropriate for each VAP, as if they were independent. One of the properties that can be defined is channels= … I'm not sure if defining it in a configuration that is used for the slave wireless interface throws an error, but defining it in this case doesn't make sense anyway.
     Leaving out this part means the CAP can use any supported and allowed channel, which is often just fine.
  4. In /caps-man provisioning everything is then put in place:
     add action=create-dynamic-enabled master-configuration=<name-of-master-configuration> slave-configurations=<name-of-slave-configuration>

The property name (slave-configuration**s**) hints at the possibility of using several slave configurations to create several VAPs on the same physical AP… I never tried to run more than one VAP on a CAP, but I assume the value of this property should be a comma-separated list of configuration names.
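Putting the four steps above together, as an added example that is not from this thread or from MikroTik: a CAPsMAN-forwarding configuration with a private VAP on the LAN bridge and a guest VAP on its own VLAN, including the DHCP network entry and /24 address that were missing earlier in the thread, plus firewall rules that keep guest clients off the LAN (hiding the SSID does not isolate them). Bridge, WAN interface, VLAN id, names, SSIDs and passphrases below are assumptions and placeholders.

```routeros
# Added example, not from this thread. Assumed: CAPsMAN forwarding (local-forwarding=no),
# the existing LAN bridge "bridge" (192.168.10.1/24 with its DHCP server) stays as exported
# above, WAN is pppoe-ISP1, guest VLAN id 20. Names, SSIDs and passphrases are placeholders.
/caps-man datapath
add name=dp-private bridge=bridge local-forwarding=no vlan-mode=no-tag \
    client-to-client-forwarding=yes
add name=dp-guest bridge=bridge local-forwarding=no vlan-mode=use-tag vlan-id=20 \
    client-to-client-forwarding=no
/caps-man security
add name=sec-private authentication-types=wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm passphrase=CHANGE-ME-PRIVATE
add name=sec-guest authentication-types=wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm passphrase=CHANGE-ME-GUEST
/caps-man configuration
add name=cfg-private mode=ap ssid=office-private hide-ssid=yes datapath=dp-private \
    security=sec-private
add name=cfg-guest mode=ap ssid=office-guest datapath=dp-guest security=sec-guest
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-private \
    slave-configurations=cfg-guest
# Guest frames reach the bridge tagged with VLAN 20; a VLAN interface terminates them
# on the router so the guest subnet gets its own L3 interface, /24 address and DHCP network.
/interface vlan
add name=vlan-guest interface=bridge vlan-id=20
/ip address
add address=10.35.0.1/24 interface=vlan-guest
/ip pool
add name=pool-guest ranges=10.35.0.2-10.35.0.254
/ip dhcp-server network
add address=10.35.0.0/24 gateway=10.35.0.1 dns-server=10.35.0.1
/ip dhcp-server
add name=dhcp-guest interface=vlan-guest address-pool=pool-guest disabled=no
# Isolation is done in the firewall, not by hiding the SSID: guests may use the router
# for DHCP, DNS and ping, may go to the internet, and nothing else.
/ip firewall filter
add chain=input in-interface=vlan-guest protocol=udp dst-port=53,67 action=accept \
    comment="guest: DNS and DHCP from the router"
add chain=input in-interface=vlan-guest protocol=icmp action=accept \
    comment="guest: ping the gateway (10.35.0.1)"
add chain=input in-interface=vlan-guest action=drop comment="guest: no other router access"
add chain=forward in-interface=vlan-guest out-interface=pppoe-ISP1 action=accept \
    comment="guest: internet"
add chain=forward in-interface=vlan-guest action=drop comment="guest: no LAN access"
# Move these filter rules above any broader accept rules already in the chains; the
# existing masquerade on out-interface=pppoe-ISP1 already covers the guest subnet.
```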

Many thanks for the above!

This is what I tried, more or less, by using the wiki tutorial: https://wiki.mikrotik.com/wiki/Manual:CAPsMAN_with_VLANs
However, there are 2 issues for me there. First, I don't know which of the 2 types described there is applicable to me (local forwarding or CAPsMAN forwarding). This is my home setup, where I want one master WiFi for me and one slave network for guests, home appliances etc. (so they need only access to the internet, but not to each other or to my home network).

And the second issue is that when I follow the tutorial with VLANs, I can never get the CAPs to actually appear in the CAPs menu, even though I have ticked the Enable option for each.

I will of course try to find my mistake, but it would be good to know which type of setup I need to apply to my case described above.

Generally, local forwarding is more resource friendly for both the CAP and the CAPsMAN device. It is about how the data from wireless gets flushed to the network … locally at the CAP or via the CAPsMAN device. If you're configuring VLANs, then with local forwarding you have to configure VLANs on all LAN boxes between the CAP device and the CAPsMAN device. With CAPsMAN forwarding you don't have to do that, as there's a tunnel built between the two devices and the intermediate boxes are not aware of anything fancy, but the CAP and CAPsMAN devices have to encrypt/decrypt all the traffic flowing through that tunnel.

Thank you!

UPDATE:

I have managed to get CAPsMAN working on my home setup, which is an RB2011 as manager and 2 CAPs. I have WiFi on both CAPs, but for some reason I cannot get the wireless on my manager RB2011 to work.

Where should I look to start checking please?
[Four screenshots attached, dated 2019-10-18]

On the RB2011 CAP, unset Discovery Interface and input 127.0.0.1 in CAPsMAN Addresses; the RB2011 will then recognize its own wireless interface as a CAP.