CAPsMAN - How to force layer 2?

Hello everybody,

We have an issue with CAPsMAN and need your help.
We configured a wifi on various routers linked to a main one with CAPsMAN, and all routers (including the main one) are managed by CAPsMAN.

Everything works fine EXCEPT the main router, because it is the only one that connects to itself in layer 3 (by IP), so the firewall is blocking it and we must add a filter rule to bypass the firewall.
Is there a way to force CAPsMAN to work in layer 2?

2 examples (2 different offices):
http://imgur.com/a/SkNyC

Thanks for your help!

Yes you can, set discovery-interface to any local interface on the manager router, or create a dummy loopback interface with static MAC and set discovery-interface to that one.

Same issue here… Could not make it work with a local ethernet interface. It either connects on layer 3 or not at all. Is it picky about interfaces that belong to a bridge, have VLAN config, … whatever?

And what is a dummy loopback interface? A bridge with no ports? A virtual ethernet interface? Tried both, no success either.

Maybe try that:

interface wireless cap set caps-man-addresses=127.0.0.1

That is still layer 3, no? :wink:

Yes, but it works :slight_smile:

Nice workaround!
This is our solution for now:

  1. Add CAPsMAN to discover address 127.0.0.1 (As czolo wrote)
/interface wireless cap set caps-man-addresses=127.0.0.1
  2. Open Firewall for CAPsMAN
/ip firewall filter add chain=output action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247
/ip firewall filter add chain=input  action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247

BUT PLEASE MikroTik Team, fix the issue, we would be so thankful! :smiley:
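
An added example, not part of the thread and not MikroTik tooling: a small Python check that walks an exported `/ip firewall filter` rule list in first-match order to see whether the loopback CAPsMAN packet (UDP 5246/5247, 127.0.0.1 to 127.0.0.1) is accepted before a drop rule is reached. The sample export, the packet's source port and all function names are constructed; the export is assumed to have no wrapped lines, and a rule using a matcher outside the modelled set yields `unknown` rather than a guess.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed `/ip firewall filter export` sample (not taken from the thread).
SAMPLE_EXPORT = '''/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247
add action=drop chain=input comment="drop everything else"'''
# First packet from the local CAP to CAPsMAN; the source port is an assumed value.
PACKET = {"chain": "input", "protocol": "udp", "src": "127.0.0.1",
          "dst": "127.0.0.1", "sport": 40000, "dport": 5246, "state": "new"}
IGNORED = {"action", "chain", "comment", "disabled"}

def in_ports(spec, port):
    ranges = (part.partition("-") for part in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

CHECKS = {  # matcher name -> test against the packet; anything else is "unknown"
    "protocol": lambda v, p: v == p["protocol"],
    "src-address": lambda v, p: ip_address(p["src"]) in ip_network(v, strict=False),
    "dst-address": lambda v, p: ip_address(p["dst"]) in ip_network(v, strict=False),
    "dst-port": lambda v, p: in_ports(v, p["dport"]),
    "port": lambda v, p: in_ports(v, p["sport"]) or in_ports(v, p["dport"]),
    "connection-state": lambda v, p: p["state"] in v.split(","),
}

def parse_rules(export):
    """Turn each 'add key=value ...' line into a dict; disabled rules are skipped."""
    words = (shlex.split(line) for line in export.splitlines())
    rules = [dict(w.split("=", 1) for w in ws[1:] if "=" in w)
             for ws in words if ws[:1] == ["add"]]
    return [r for r in rules if r.get("disabled") != "yes"]

def verdict(rules, p=PACKET):
    """First match in the packet's chain: (action, index); 'unknown' if not modelled."""
    for i, rule in enumerate(rules):
        if rule.get("chain") != p["chain"]:
            continue
        tests = {k: v for k, v in rule.items() if k not in IGNORED}
        action = rule.get("action", "accept")
        try:
            if action == "jump" or any(v.startswith("!") for v in tests.values()):
                raise ValueError("jump or negated matcher is not modelled")
            hit = all(CHECKS[k](v, p) for k, v in tests.items())
        except (KeyError, ValueError):
            return "unknown", i
        if hit and action not in ("log", "passthrough"):
            return action, i
    return "accept", None  # nothing matched: RouterOS accepts by default
```

Calling `verdict(parse_rules(SAMPLE_EXPORT))` on the sample returns `("accept", 1)`; with the loopback rule removed or moved below the drop rule, the result is a `drop` verdict, which is the symptom described in this thread.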

thx :slight_smile:

This is still an issue almost three years later.

  1. I cannot forbid CAPsMan on all interfaces but local because that prevents its own cap from connecting

  2. I cannot use layer 2 on own cap interface

  3. The worst: this is not documented anywhere besides user forums (it should be in the CAPsMan manual to prevent people from fighting for hours with something that isn't going to work)

  4. I noticed that if I enable certificate request and CAPsMan is not configured, even disabling the certificate request on the Cap has no effect; it still requests a certificate from CAPsMan, resulting in an error. (this is a bug)

Have you tried the last beta?

https://mikrotik.com/download/changelogs/testing-release-tree

What’s new in 6.44beta50 (2018-Dec-17 13:01):

*) capsman - always accept connections from loopback address;

Nope, I am running 6.43.8. Nice to see a solution is finally coming.

https://wiki.mikrotik.com/wiki/Manual:Simple_CAPsMAN_setup#CAP_in_CAPsMAN
But I agree that having firewall rule for CAP on CAPsMAN is annoying. L2 should run as other CAPs.