I’ve got a problem connecting cAP ac (RBcAPGi-5acD2nD) to hEX PoE (960PGS).
After being connected to router ap gets local ip which I may use for winbox or http connection.
After that I log in to cAP ac and switch it to “CAP” mode turning on CAPsMAN on hEX PoE side at the same time (see full config).
cAP ac looses connection and reboot.
I have such log at hEX side:
[<MAC_BASE>:4B,Join,<CERT_ID>] joined, provides radio(s): <MAC_BASE>:4D,<MAC_BASE>:4E
cap6: selected channel 5180/20-Ceee/ac/P(20dBm)
cap5: selected channel 2452/20-Ce/gn(20dBm)
Nice!
But finally lots of
defconf offering lease 192.168.3.206 for <MAC_BASE>:4B without success
...
So I have APs operatinal but ip connection to cAP itself is lost.
Also I can see some connectivity issue:
I can’t use CAPsMAN configured APs wireless directly from plain clients but only through side repeater router with another SSID.
I tried to
– turn off some DROP firewall rules,
– added corresponding eth3 interface to LAN interface group,
– turned on/off neighbour discovery on interface,
– turned on long preamble mode from Wireless FAQ (I have Apple clients),
– allowed local and client-to-client forwarding in CAPsMAN config
with no success.
My clients are
– Macbook Air with AirPort Extreme (Broadcom BCM43xx),
– Netis WF2120 (RTL8188CU chip based)
– several Xiaomi devices.
Side repeater router: old Zyxel Keenetic Extra (but I suppose it could be any other repeater that works like MAC intermediate)
Still have no ip connection to cAP nor direct wireless IP connectivity.
MAC ping from hEX on corresponding interface to cAP ac’s <MAC_BASE>:4B works fine.
Looks like I have some firewall rule that blocks DHCPREQUEST response from cAP and some L3 traffic from that but I can’t figure out which one is incorrect.
PS I also tried RC version of router os for cAP ac but it was overheated and finally could not load at some point so I made a hard reset and loaded stable version that works a bit better but still no IP for cAP nor direct connectivity for clients.
Please help to figure out what am I doing wrong?
Here is my Hex POE config:
# model = 960PGS
/caps-man channel
add band=2ghz-b/g/n name=2.4
add band=5ghz-a/n/ac name=5
/interface bridge
add admin-mac=<SOME_MAC_1>:59 auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge_vlan3 pvid=3 vlan-filtering=yes
add fast-forward=no name=bridge_vlan4 pvid=4 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mac-address=<SOME_MAC_2>:EB
set [ find default-name=ether2 ] loop-protect=on name=ether2-master poe-out=off
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on poe-out=off
set [ find default-name=ether5 ] loop-protect=off
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=ether2-master loop-protect=on name=ether2_vlan3 vlan-id=3
add interface=ether2-master loop-protect=on name=ether2_vlan4 vlan-id=4
/caps-man datapath
add arp=enabled bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1 passphrase=<SOME_PASSPHRASE>
/caps-man configuration
add channel=5 country=russia datapath=datapath1 datapath.bridge=bridge guard-interval=long mode=ap name=5 security=security1 ssid=SSID1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/caps-man configuration
add channel=2.4 country=russia datapath=datapath1 datapath.bridge=bridge datapath.client-to-client-forwarding=yes datapath.interface-list=all datapath.local-forwarding=yes guard-interval=long mode=ap name=2.4 security=security1 ssid=SSID2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool ranges=192.168.3.10-192.168.3.254
add name=dhcp_vlan3_pool ranges=192.168.4.10-192.168.4.250
add name=dhcp_vlan4_pool ranges=192.168.5.10-192.168.5.250
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool always-broadcast=yes disabled=no interface=bridge name=defconf
add add-arp=yes address-pool=dhcp_vlan3_pool always-broadcast=yes disabled=no interface=bridge_vlan3 name=dhcp_vlan3_server
add add-arp=yes address-pool=dhcp_vlan4_pool always-broadcast=yes disabled=no interface=bridge_vlan4 name=dhcp_vlan4_server
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=5 radio-mac=00:00:00:00:00:00
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=2.4 radio-mac=00:00:00:00:00:00
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge_vlan4 interface=ether2_vlan4 pvid=4
add bridge=bridge_vlan3 interface=ether2_vlan3 pvid=3
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether3 list=LAN
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add list=LAN
/ip address
add address=192.168.3.1/24 comment=defconf interface=ether2-master network=192.168.3.0
add address=192.168.4.1/24 interface=bridge_vlan3 network=192.168.4.0
add address=192.168.5.1/24 interface=bridge_vlan4 network=192.168.5.0
/ip arp
add address=192.168.3.207 interface=bridge mac-address=<SOME_MAC_3>:37
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.3.245 mac-address=<SOME_MAC_4>:C6 server=defconf
/ip dhcp-server network
add address=192.168.3.0/24 comment=defconf gateway=192.168.3.1 netmask=24
add address=192.168.4.0/24 gateway=192.168.4.1 netmask=24
add address=192.168.5.0/24 gateway=192.168.5.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPSMAN local traffic enable" dst-address-type=local src-address-type=local
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop subnets interconnection" dst-address=192.168.4.0/24 src-address=192.168.3.0/24
add action=drop chain=forward dst-address=192.168.3.0/24 src-address=192.168.4.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.3.251 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.3.251 to-ports=443