CAPsMAN: client gets an IP from the bridge before it gets one from its VLAN

Hello!
I can't tell whether this is normal or a problem with my setup. I have 3 VLANs. If I connect via Ethernet, everything is fine. If I connect via wireless it also works, but I noticed that every time a device renews its DHCP lease, or connects for the first time via WiFi (through CAPsMAN), it is immediately offered an IP from the bridge's DHCP server, and only when that lease expires does it take an IP from the DHCP server of its VLAN. Is this normal? If it's not normal, what should I look for? Thank you!

By opening a new topic you took the first step.
Now add some relevant information (an export from both the CAPsMAN and the CAP) to give us a clue:

/export file=anynameyoullike

Remove the serial number and any other private information.

Thanks for the reply.

This is my CAPsMAN config:

# CAPSMAN

/container mounts
add dst=/opt/list name=pihole_list src=/usb1-part1/container_pihole/list
add dst=/etc/pihole name=pihole_etc src=/usb1-part1/container_pihole/etc
add dst=/etc/dnsmasq.d name=pihole_dnsmasq src=\
    /usb1-part1/container_pihole/dnsmasq
add dst=/etc/cron.d name=pihole_crono src=/usb1-part1/container_pihole/crono
/disk
set usb1 media-interface=none media-sharing=no
add media-interface=none media-sharing=no parent=usb1 partition-number=1 \
    partition-offset=512 partition-size="500 107 861 504" type=partition
/interface bridge
add admin-mac=F6:2C:EA:E2:08:97 auto-mac=no comment=Capsman name=BR-Capsman \
    port-cost-mode=short priority=0x6000 vlan-filtering=yes
add admin-mac=4A:89:21:54:BD:D4 auto-mac=no comment=PiHole name=BR-PiHole \
    port-cost-mode=short protocol-mode=none
add comment=-mDNS name=BR-mDNS protocol-mode=none
/interface veth
add address=192.168.55.55/25 gateway=192.168.55.1 gateway6="" name=\
    veth-pihole
/interface vlan
add comment=Lan interface=BR-Capsman mtu=1480 name=100-Lan vlan-id=100
add comment=Mamma interface=BR-Capsman mtu=1480 name=200-Mamma vlan-id=200
add comment=Guests interface=BR-Capsman mtu=1480 name=300-Guest vlan-id=300
add comment=Domus interface=BR-Capsman mtu=1480 name=400-Domus vlan-id=400
add comment=Control interface=BR-Capsman mtu=1480 name=900-Control vlan-id=\
    900
add comment=WAN interface=ether1 mtu=1480 name=XXX-vlan vlan-id=XXX
/interface macvlan
add interface=100-Lan mac-address=BA:C9:E8:55:EE:D8 mode=private mtu=1480 \
    name=macvlan100
add interface=400-Domus mac-address=C2:AB:7F:29:3C:40 mode=private mtu=1480 \
    name=macvlan400
/interface pppoe-client
add add-default-route=yes disabled=no interface=XXX-vlan name=\
    XXX-pppoe user=XXX
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
add name=INTERNET
/interface wifi channel
add band=2ghz-g disabled=no name=guest
add band=5ghz-ax disabled=no frequency=5220 name=wlan5_esterno \
    skip-dfs-channels=all width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2437 name=wlan2_channel6_main width=\
    20/40mhz
add band=2ghz-ax disabled=no frequency=2412 name=wlan2_channel1
add band=2ghz-ax disabled=no frequency=2462 name=wlan2_channel11
add band=5ghz-ax disabled=no frequency=5220 name=wlan5_interno \
    skip-dfs-channels=all width=20/40/80mhz
# One datapath per SSID group: each attaches its clients to BR-Capsman and
# assigns a VLAN ID (200, 300, 100, 400).
# NOTE(review): the VLAN separation between Lan, Guest, Mamma and Domus
# depends on these IDs actually being applied where the client traffic enters
# the bridge. A client whose frames reach BR-Capsman untagged would be served
# by the DHCP server bound to the bridge itself (BR-dhcp under
# /ip dhcp-server) instead of its VLAN's server - confirm on the CAP side.
/interface wifi datapath
add bridge=BR-Capsman disabled=no name=Wifi_Mamma vlan-id=200
add bridge=BR-Capsman disabled=no name=Wifi_Guest vlan-id=300
add bridge=BR-Capsman disabled=no name=Wifi_Lan vlan-id=100
add bridge=BR-Capsman disabled=no name=Wifi_Domus vlan-id=400
# Four security profiles, all authentication-types=wpa2-psk only.
# No passphrase appears in this export; presumably the export omitted
# sensitive values (they are only printed with show-sensitive) - verify that
# before posting any export publicly.
# NOTE(review): in the visible settings "lan" and "guest" differ only by name,
# so guest isolation rests on the VLAN and firewall rules, not on this
# profile. No wpa3-psk or management-protection setting is shown here.
/interface wifi security
add authentication-types=wpa2-psk disabled=no group-encryption=ccmp name=lan
add authentication-types=wpa2-psk disabled=no group-encryption=ccmp name=\
    guest
add authentication-types=wpa2-psk disabled=no name=service
add authentication-types=wpa2-psk disabled=no group-key-update=1h name=mamma
/interface wifi configuration
add datapath=Wifi_Guest disabled=no name=guest security=guest ssid=Clochard
add antenna-gain=2 channel=wlan2_channel11 country=Italy datapath=Wifi_Domus \
    disabled=no mode=ap name=studio_2ghz security=service ssid=LimitService2G
add antenna-gain=2 channel=wlan2_channel1 country=Italy datapath=Wifi_Domus \
    disabled=no mode=ap name=centro_2ghz security=service ssid=LimitService2G
add antenna-gain=2 channel=wlan2_channel6_main country=Italy datapath=\
    Wifi_Domus disabled=no mode=ap name=server_2ghz security=service ssid=\
    LimitService2G
add antenna-gain=2 channel=wlan2_channel11 country=Italy datapath=Wifi_Domus \
    disabled=no mode=ap name=taverna_2ghz security=service ssid=\
    LimitService2G
add antenna-gain=2 channel=wlan2_channel1 country=Italy datapath=Wifi_Domus \
    disabled=no mode=ap name=esterno_2ghz security=service ssid=\
    LimitService2G
add antenna-gain=2 datapath=Wifi_Lan disabled=no mode=ap name=lan2G security=\
    lan ssid=HyperLimitless
add channel=wlan5_esterno country=Italy datapath=Wifi_Domus disabled=no mode=\
    ap name=centro_5ghz security=service ssid=LimitService5G
add datapath=Wifi_Lan disabled=no mode=ap name=lan5G security=lan ssid=\
    HyperLimitless
add channel=wlan5_esterno country=Italy datapath=Wifi_Domus disabled=no mode=\
    ap name=esterno_5ghz security=service ssid=LimitService5G
add channel=wlan5_esterno country=Italy datapath=Wifi_Domus disabled=no mode=\
    ap name=server_5ghz security=service ssid=LimitService5G
add channel=wlan5_interno country=Italy datapath=Wifi_Domus disabled=no mode=\
    ap name=studio_5ghz security=service ssid=LimitService5G
add channel=wlan5_interno country=Italy datapath=Wifi_Domus disabled=no mode=\
    ap name=taverna_5ghz security=service ssid=LimitService5G
add country=Italy datapath=Wifi_Mamma disabled=no mode=ap name=mamma2G \
    security=mamma ssid=Mamma@Home
add country=Italy datapath=Wifi_Mamma disabled=no name=mamma5G security=mamma \
    ssid=Mamma@Home
/interface wifi
add configuration=taverna_5ghz disabled=no name=wifi1 radio-mac=\
    48:A9:8A:0E:06:47
add configuration=studio_2ghz disabled=no name=wifi2 radio-mac=\
    48:A9:8A:0E:03:52
add configuration=centro_2ghz disabled=no name=wifi3 radio-mac=\
    48:A9:8A:0E:06:A9
add configuration=server_5ghz disabled=no name=wifi4 radio-mac=\
    48:A9:8A:BC:A5:24
add configuration=lan5G disabled=no mac-address=4A:A9:8A:0E:06:47 \
    master-interface=wifi1 name=wifi5
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:03:52 \
    master-interface=wifi2 name=wifi6
add configuration=lan2G disabled=no mac-address=4A:A9:8A:0E:03:53 \
    master-interface=wifi2 name=wifi7
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:06:A9 \
    master-interface=wifi3 name=wifi8
add configuration=lan2G disabled=no mac-address=4A:A9:8A:0E:06:AA \
    master-interface=wifi3 name=wifi9
add configuration=lan5G disabled=no mac-address=4A:A9:8A:BC:A5:24 \
    master-interface=wifi4 name=wifi10
add configuration=studio_5ghz disabled=no name=wifi11 radio-mac=\
    48:A9:8A:0E:03:51
add configuration=taverna_2ghz disabled=no name=wifi12 radio-mac=\
    48:A9:8A:0E:06:48
add configuration=esterno_5ghz disabled=no name=wifi13 radio-mac=\
    48:A9:8A:0E:09:5D
add configuration=lan5G disabled=no mac-address=4A:A9:8A:0E:03:51 \
    master-interface=wifi11 name=wifi14
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:06:48 \
    master-interface=wifi12 name=wifi15
add configuration=lan2G disabled=no mac-address=4A:A9:8A:0E:06:49 \
    master-interface=wifi12 name=wifi16
add configuration=mamma2G disabled=no mac-address=4A:A9:8A:0E:06:4A \
    master-interface=wifi12 name=wifi17
add configuration=lan5G disabled=no mac-address=4A:A9:8A:0E:09:5D \
    master-interface=wifi13 name=wifi18
add configuration=mamma5G disabled=no mac-address=4A:A9:8A:0E:09:5E \
    master-interface=wifi13 name=wifi19
add configuration=server_2ghz disabled=no name=wifi20 radio-mac=\
    48:A9:8A:BC:A5:25
add configuration=centro_5ghz disabled=no name=wifi21 radio-mac=\
    48:A9:8A:0E:06:A8
add configuration=esterno_2ghz disabled=no name=wifi22 radio-mac=\
    48:A9:8A:0E:09:5E
add configuration=guest disabled=no mac-address=4A:A9:8A:BC:A5:25 \
    master-interface=wifi20 name=wifi23
add configuration=lan2G disabled=no mac-address=4A:A9:8A:BC:A5:26 \
    master-interface=wifi20 name=wifi24
add configuration=lan5G disabled=no mac-address=4A:A9:8A:0E:06:A8 \
    master-interface=wifi21 name=wifi25
add configuration=mamma5G disabled=no mac-address=4A:A9:8A:0E:06:AB \
    master-interface=wifi21 name=wifi26
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:09:5F \
    master-interface=wifi22 name=wifi27
add configuration=lan2G disabled=no mac-address=4A:A9:8A:0E:09:60 \
    master-interface=wifi22 name=wifi28
/ip kid-control
add disabled=yes fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d \
    thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=\
    0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
# Address pools, one per network.
# NOTE(review): DomusPool (192.168.240.100-200) is defined here, but no
# /ip dhcp-server entry in this export references it. Domus_dhcp (interface
# 400-Domus) and BR-dhcp (interface BR-Capsman) both use ControlPool
# (10.10.0.2-254), which matches the 10.10.0.1/24 address on BR-Capsman rather
# than the 192.168.240.1/24 address on 400-Domus. Likely a misassignment -
# confirm which pool Domus_dhcp is meant to use.
/ip pool
add name=MammaPool ranges=10.255.255.100-10.255.255.200
add name=GuestsPool ranges=172.16.0.2-172.16.15.254
add name=DomusPool ranges=192.168.240.100-192.168.240.200
add name=LanPool ranges=192.168.0.100-192.168.0.200
add name=ControlPool ranges=10.10.0.2-10.10.0.254
/ip dhcp-server
add add-arp=yes address-pool=LanPool interface=100-Lan lease-script="# When \"\
    1\" all DNS entries with IP address of DHCP lease are removed\r\
    \n:local dnsRemoveAllByIp \"1\"\r\
    \n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
    \n:local dnsRemoveAllByName \"1\"\r\
    \n# When \"1\" addition and removal of DNS entries is always done also for\
    \_non-FQDN hostname\r\
    \n:local dnsAlwaysNonfqdn \"1\"\r\
    \n# DNS domain to add after DHCP client hostname\r\
    \n:local dnsDomain \"lan\"\r\
    \n# DNS TTL to set for DNS entries\r\
    \n:local dnsTtl \"00:15:00\"\r\
    \n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
    \_lease attribute, like \"host-name\" or \"comment\"\r\
    \n:local leaseClientHostnameSource \"comment\"\r\
    \n\r\
    \n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
    ostnameSource\"\r\
    \n:local leaseClientHostname\r\
    \n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
    \n  :set leaseClientHostname \$\"lease-hostname\"\r\
    \n} else={\r\
    \n  :set leaseClientHostname ([:pick \\\r\
    \n    [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
    me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
    \n    0]->\"\$leaseClientHostnameSource\")\r\
    \n}\r\
    \n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
    \n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
    \n:if ([:len [\$dnsDomain]] > 0) do={\r\
    \n  :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
    \n  :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
    \n    :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
    ameShort\"\r\
    \n  }\r\
    \n}\r\
    \n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\"]\r\
    \n}\r\
    \n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
    \n  :if (\$dnsRemoveAllByName = \"1\") do={\r\
    \n    /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
    \" and name=\"\$h\"]\r\
    \n  }\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
    \n  :if (\$leaseBound = \"1\") do={\r\
    \n    :delay 1\r\
    \n    /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
    \" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
    \n  }\r\
    \n}" lease-time=1d name=Lan_dhcp
add add-arp=yes address-pool=MammaPool bootp-support=none interface=200-Mamma \
    lease-time=1d name=Mamma_dchp
add add-arp=yes address-pool=GuestsPool interface=300-Guest lease-time=12h \
    name=Guests_dhcp
add add-arp=yes address-pool=ControlPool interface=400-Domus lease-script="# W\
    hen \"1\" all DNS entries with IP address of DHCP lease are removed\r\
    \n:local dnsRemoveAllByIp \"1\"\r\
    \n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
    \n:local dnsRemoveAllByName \"1\"\r\
    \n# When \"1\" addition and removal of DNS entries is always done also for\
    \_non-FQDN hostname\r\
    \n:local dnsAlwaysNonfqdn \"1\"\r\
    \n# DNS domain to add after DHCP client hostname\r\
    \n:local dnsDomain \"domus\"\r\
    \n# DNS TTL to set for DNS entries\r\
    \n:local dnsTtl \"00:15:00\"\r\
    \n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
    \_lease attribute, like \"host-name\" or \"comment\"\r\
    \n:local leaseClientHostnameSource \"comment\"\r\
    \n\r\
    \n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
    ostnameSource\"\r\
    \n:local leaseClientHostname\r\
    \n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
    \n  :set leaseClientHostname \$\"lease-hostname\"\r\
    \n} else={\r\
    \n  :set leaseClientHostname ([:pick \\\r\
    \n    [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
    me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
    \n    0]->\"\$leaseClientHostnameSource\")\r\
    \n}\r\
    \n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
    \n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
    \n:if ([:len [\$dnsDomain]] > 0) do={\r\
    \n  :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
    \n  :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
    \n    :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
    ameShort\"\r\
    \n  }\r\
    \n}\r\
    \n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\"]\r\
    \n}\r\
    \n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
    \n  :if (\$dnsRemoveAllByName = \"1\") do={\r\
    \n    /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
    \" and name=\"\$h\"]\r\
    \n  }\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
    \n  :if (\$leaseBound = \"1\") do={\r\
    \n    :delay 1\r\
    \n    /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
    \" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
    \n  }\r\
    \n}" lease-time=1d name=Domus_dhcp
# DHCP server bound to the bridge interface itself (the untagged side of
# BR-Capsman), leasing ControlPool addresses for 5 minutes.
# NOTE(review): any DHCP request that reaches the bridge untagged is answered
# here, not by the per-VLAN servers above. This is the first place to look for
# the "bridge IP first, VLAN IP later" behaviour described in the thread;
# confirm by enabling dhcp logging and checking which server makes the offer.
add address-pool=ControlPool interface=BR-Capsman lease-time=5m name=BR-dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/container
add envlist=pihole_envs interface=veth-pihole mounts=\
    pihole_list,pihole_etc,pihole_dnsmasq,pihole_crono root-dir=\
    usb1-part1/pihole start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
# Environment variables handed to the Pi-hole container (envlist pihole_envs).
# WEBPASSWORD is held as an ordinary env value, so it is part of the router
# configuration and of any export that includes it (shown redacted as XXX
# here); treat exports and backups of this router as secrets.
/container envs
add key=TZ name=pihole_envs value=Europe/Rome
add key=WEBPASSWORD name=pihole_envs value="XXX"
add key=DNSMASQ_USER name=pihole_envs value=XXX
add key=FTLCONF_LOCAL_IPV4 name=pihole_envs value=192.168.55.55
/interface bridge filter
add action=accept chain=forward comment="Allow mDNS only" dst-address=\
    224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF \
    dst-port=5353 in-bridge=BR-mDNS ip-protocol=udp log-prefix="forward MDNS" \
    mac-protocol=ip out-bridge=BR-mDNS src-port=5353
add action=accept chain=forward comment="Forward SSDP" dst-address=\
    239.255.255.250/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF \
    dst-port=1900 in-bridge=BR-mDNS ip-protocol=udp log-prefix="forward SSDP" \
    mac-protocol=ip out-bridge=BR-mDNS
add action=drop chain=forward comment="Drop all other L2 traffic" in-bridge=\
    BR-mDNS out-bridge=BR-mDNS
/interface bridge nat
add action=src-nat chain=srcnat comment="mDNS - SNAT to Primary VLAN bridge" \
    dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF log-prefix="NAT mdns" \
    to-src-mac-address=F6:2C:EA:E2:08:97
add action=src-nat chain=srcnat comment="SSDP - SNAT to Primary VLAN bridge" \
    dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF log-prefix="NAT ssdp" \
    to-src-mac-address=F6:2C:EA:E2:08:97
# Bridge membership. sfp-sfpplus1 and ether8 are the physical ports of
# BR-Capsman; ether8 is an access port for VLAN 100 (pvid=100).
# NOTE(review): sfp-sfpplus1 has no pvid and no frame-types set, so it
# presumably keeps the default PVID and still admits untagged frames. Untagged
# traffic arriving on that port would then land on the untagged side of
# BR-Capsman, where BR-dhcp and the 10.10.0.1/24 address live. If that port is
# meant to be a pure trunk, restricting it with
# frame-types=admit-only-vlan-tagged would close that path - confirm that
# nothing on it (e.g. CAP management) relies on untagged frames first.
/interface bridge port
add bridge=BR-Capsman interface=sfp-sfpplus1 internal-path-cost=10 path-cost=\
    10
add bridge=BR-Capsman interface=ether8 internal-path-cost=10 path-cost=10 \
    pvid=100
add bridge=BR-PiHole interface=veth-pihole internal-path-cost=10 path-cost=10
add bridge=BR-mDNS frame-types=admit-only-untagged-and-priority-tagged \
    interface=macvlan100 pvid=1001
add bridge=BR-mDNS frame-types=admit-only-vlan-tagged interface=macvlan400 \
    pvid=1001
/ip firewall connection tracking
set udp-timeout=10s
# Neighbor discovery is limited to the TRUSTED interface list, whose only
# member in this export is 100-Lan, so guest and service VLANs are not part of
# discovery.
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
# VLAN table for BR-Capsman: VLANs 100/200/300/400/900 are tagged on the
# bridge's CPU port (BR-Capsman) and on sfp-sfpplus1 only.
# NOTE(review): no wifi interface is listed as a member of any VLAN here.
# Whether wireless clients end up tagged therefore depends on the datapath
# vlan-id being applied where the traffic is bridged - worth checking on the
# CAP for the DHCP symptom described in the thread.
/interface bridge vlan
add bridge=BR-Capsman comment="Mamma VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=200
add bridge=BR-Capsman comment="Guest VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=300
add bridge=BR-Capsman comment="Domus VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=400
add bridge=BR-Capsman comment="Casa VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=100
add bridge=BR-Capsman comment="Control VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
	vlan-ids=900
add bridge=BR-mDNS untagged=100-Lan,400-Domus vlan-ids=1001
/interface detect-internet
set detect-interface-list=INTERNET internet-interface-list=INTERNET \
    lan-interface-list=LAN wan-interface-list=WAN
# Interface list membership used by the firewall rules.
# LAN contains every VLAN interface, BR-PiHole and the bridge BR-Capsman
# itself, so hosts on the untagged bridge network (10.10.0.0/24) are treated
# as LAN by the DNS/NTP input rules and by the Pi-hole dst-nat.
# TRUSTED contains only 100-Lan. No member is added for 900-Control.
/interface list member
add interface=XXX-pppoe list=WAN
add interface=100-Lan list=LAN
add interface=XXX-vlan list=WAN
add interface=200-Mamma list=LAN
add interface=300-Guest list=LAN
add interface=400-Domus list=LAN
add interface=100-Lan list=TRUSTED
add interface=BR-Capsman list=LAN
add interface=BR-PiHole list=LAN
add interface=XXX-pppoe list=INTERNET
/interface wifi access-list
add action=accept comment="Apple Device" disabled=yes mac-address=\
    18:34:51:00:00:00 mac-address-mask=FF:FF:FF:00:00:00
# CAPsMAN is enabled and listens on BR-Capsman.
# NOTE(review): require-peer-certificate=no means a CAP is not required to
# present a certificate to join. What keeps unknown devices from registering
# as CAPs is then only who can reach the manager on this bridge, plus the
# radio-mac matches in the provisioning rules. Issuing certificates and
# setting require-peer-certificate=yes ties CAP membership to a credential.
# upgrade-policy=none: the manager does not push RouterOS upgrades to CAPs.
/interface wifi capsman
set enabled=yes interfaces=BR-Capsman package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=server_5ghz \
    name-format="" radio-mac=48:A9:8A:BC:A5:24 slave-configurations=lan5G
add action=create-enabled disabled=no master-configuration=studio_2ghz \
    name-format="" radio-mac=48:A9:8A:0E:03:52 slave-configurations=\
    guest,lan2G
add action=create-enabled disabled=no master-configuration=taverna_5ghz \
    name-format="" radio-mac=48:A9:8A:0E:06:47 slave-configurations=lan5G
add action=create-enabled disabled=no master-configuration=esterno_5ghz \
    name-format="" radio-mac=48:A9:8A:0E:09:5D slave-configurations=\
    lan5G,mamma5G
add action=create-enabled disabled=no master-configuration=centro_5ghz \
    name-format="" radio-mac=48:A9:8A:0E:06:A8 slave-configurations=\
    lan5G,mamma5G
add action=create-enabled disabled=no master-configuration=esterno_2ghz \
    name-format="" radio-mac=48:A9:8A:0E:09:5E slave-configurations=\
    guest,lan2G
add action=create-enabled disabled=no master-configuration=server_2ghz \
    name-format="" radio-mac=48:A9:8A:BC:A5:25 slave-configurations=\
    guest,lan2G
add action=create-enabled disabled=no master-configuration=studio_5ghz \
    name-format="" radio-mac=48:A9:8A:0E:03:51 slave-configurations=lan5G \
    supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=centro_2ghz \
    name-format="" radio-mac=48:A9:8A:0E:06:A9 slave-configurations=\
    guest,lan2G
add action=create-enabled disabled=no master-configuration=taverna_2ghz \
    name-format="" radio-mac=48:A9:8A:0E:06:48 slave-configurations=\
    guest,lan2G,mamma2G
/ip address
add address=192.168.0.1/24 interface=100-Lan network=192.168.0.0
add address=172.16.0.1/20 interface=300-Guest network=172.16.0.0
add address=10.255.255.1/24 interface=200-Mamma network=10.255.255.0
add address=192.168.240.1/24 interface=400-Domus network=192.168.240.0
add address=192.168.55.1/25 interface=BR-PiHole network=192.168.55.0
add address=10.10.0.1/24 interface=BR-Capsman network=10.10.0.0
/ip dhcp-server network
add address=10.10.0.0/24 dns-none=yes gateway=10.10.0.1
add address=10.255.255.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.255.255.1 \
    netmask=24
add address=172.16.0.0/20 dns-server=1.1.1.3,1.0.0.3 gateway=172.16.0.1 \
    netmask=20
add address=192.168.0.0/24 dns-server=192.168.55.55 gateway=192.168.0.1 \
    netmask=24
add address=192.168.240.0/24 dns-server=192.168.55.55 gateway=192.168.240.1 \
    netmask=24
# Router DNS: upstream queries go over DoH to cloudflare-dns.com with
# certificate verification on (verify-doh-cert=yes).
# allow-remote-requests=yes makes the router answer DNS queries from the
# network. Exposure is bounded by the input chain, which accepts port 53 only
# from the LAN interface list (and everything from net_casa) before the final
# drop - keep those rules in step with this setting.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1m servers=1.1.1.1,1.0.0.1 \
    use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip firewall address-list
add address=192.168.0.0/24 comment="Casa NET" list=net_casa
add address=10.255.255.0/24 comment="Mamma NET" list=net_mamma
add address=172.16.0.0/20 comment="Guest NET" list=net_guest
add address=10.255.255.0/24 comment="Excluded from PiHole" list=excluded
add address=172.16.0.0/20 comment="Excluded from PiHole" list=excluded
add address=192.168.55.55 comment="Excluded from PiHole" list=excluded
add address=192.168.240.0/24 comment="Domus NET" list=net_domus
add address=10.10.0.0/24 comment="Excluded from PiHole" list=excluded
add address=192.168.240.10 comment="Excluded from PiHole" list=excluded
add address=192.168.0.0/24 comment="Filtered from PiHole" list=filtered
add address=192.168.240.0/24 comment="Filtered from PiHole" list=filtered
add address=10.10.0.0/24 comment="Control NET" list=net_control
add address=192.168.0.10 comment="Excluded from PiHole" list=excluded
add address=192.168.240.15 comment="Excluded from PiHole" list=excluded
add address=8.8.8.8 list=DNS-DOH
add address=8.8.4.4 list=DNS-DOH
# IPv4 filter rules. Both the input and the forward chain end in an explicit
# "DROP ALL ELSE", so anything not accepted above is denied. Rule order is
# significant; only comments are added here.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): full access to the router is granted on source address alone
# (net_casa = 192.168.0.0/24), not on the arrival interface. Adding an
# in-interface match for 100-Lan would tie "trusted" to the VLAN itself
# rather than to an address a host claims.
add action=accept chain=input comment=\
    "ONLY allow trusted subnet full access to router services" \
    src-address-list=net_casa
# Every other LAN-list interface (guest, Mamma, Domus, the bridge, BR-PiHole)
# reaches the router only for DNS (53 udp/tcp) and NTP (123 udp), plus ICMP.
add action=accept chain=input comment=PiHole dst-port=53,123 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment=PiHole dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=drop chain=input comment="DROP ALL ELSE"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Inter-VLAN access is one-directional: net_casa may open connections into
# Domus and Control; nothing below lets those networks initiate toward
# net_casa.
add action=accept chain=forward comment="allow access to ALL DomusNET" \
    dst-address-list=net_domus src-address-list=net_casa
add action=accept chain=forward comment="allow access to ALL ControlNET" \
    dst-address-list=net_control src-address-list=net_casa
add action=accept chain=forward comment="allow access to AP Mamma" \
    dst-address=10.255.255.2 src-address-list=net_casa
add action=accept chain=forward comment="allow access to MCZ from LAN" \
    dst-address=192.168.120.1 src-address-list=net_casa
add action=accept chain=forward comment="allow access to MCZ from DOMUS" \
    dst-address=192.168.120.1 src-address-list=net_domus
add action=accept chain=forward comment="allow access to PiHOLE" dst-address=\
    192.168.55.55 src-address-list=filtered
# Drops 443/853 only toward addresses in the DNS-DOH list. The static entries
# in this export are 8.8.8.8 and 8.8.4.4; anything else in the list comes from
# the scheduled import scripts, so coverage is only as good as that list.
add action=drop chain=forward comment="BLOCK DOT and DOH" dst-address-list=\
    DNS-DOH dst-port=443,853 protocol=udp src-address-list=!excluded
add action=drop chain=forward comment="BLOCK DOT and DOH" dst-address-list=\
    DNS-DOH dst-port=443,853 protocol=tcp src-address-list=!excluded
# Internet access for all LAN-list interfaces except sources in net_control
# (10.10.0.0/24), which therefore have no route out through this chain.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN src-address-list=!net_control
# NOTE(review): accepts every dst-nat'ed connection with no interface or
# address restriction. No static WAN-side dst-nat rule is visible in this
# export, but /ip upnp is enabled, so mappings created dynamically on request
# of hosts on the UPnP internal interfaces would be admitted by this rule.
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="DROP ALL ELSE"
# NAT: masquerade everything leaving via the WAN list, and redirect DNS
# (53 udp/tcp) arriving on any LAN-list interface to the Pi-hole at
# 192.168.55.55 unless the source is in the "excluded" address list.
# This forces clients that hard-code a resolver through the Pi-hole; clients
# in "excluded" (guest, Mamma, control networks and a few hosts) bypass it.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Pihole dst-port=53 in-interface-list=\
    LAN protocol=udp src-address-list=!excluded to-addresses=192.168.55.55
add action=dst-nat chain=dstnat comment=Pihole dst-port=53 in-interface-list=\
    LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.55.55
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip route
add comment=MCZ disabled=no distance=1 dst-address=192.168.120.0/24 gateway=\
    192.168.240.7 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
# UPnP is enabled with 100-Lan and 400-Domus as internal interfaces.
# NOTE(review): any host on an internal interface can ask the router to open
# an inbound port mapping without authentication. 400-Domus is where the
# LimitService2G/5G SSIDs land (datapath Wifi_Domus), so devices on that
# network can open ports from the WAN to themselves. If UPnP is needed at all,
# limiting the internal side to the one VLAN that needs it reduces exposure.
# The external names appear as xxx-pppoe / xxx-vlan here but XXX-pppoe /
# XXX-vlan elsewhere - presumably an artefact of redaction.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=xxx-pppoe type=external
add interface=100-Lan type=internal
add interface=400-Domus type=internal
add interface=xxx-vlan type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
# IPv6 is denied outright: unconditional drop on input and forward. This
# matches /ipv6 settings above (disable-ipv6=yes forward=no), so the bad_ipv6
# address list defined earlier is not referenced by any rule here.
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Router
# Logging rules. Every dhcp/wireless rule added below is disabled=yes, and
# "set 2 disabled=yes" also switches off one pre-existing rule (which one
# cannot be told from this export).
# NOTE(review): with these disabled there is no record of which DHCP server
# answered a client. Enabling one dhcp topic rule temporarily is the direct
# way to see whether BR-dhcp or the VLAN's server makes the first offer.
/system logging
set 2 disabled=yes
add action=echo disabled=yes topics=dhcp
add action=echo disabled=yes topics=dhcp
add disabled=yes topics=wireless
add action=echo disabled=yes topics=wireless
add action=remote disabled=yes topics=wireless
add disabled=yes prefix=dhcp topics=debug
add disabled=yes prefix=wireless topics=debug
add disabled=yes topics=wireless,debug,error,info,info
/system note
set show-at-login=no
/system ntp client
set enabled=yes
# The router also serves time, with manycast and multicast modes enabled.
# Reachability from clients is limited by the input chain (UDP 123 accepted
# from the LAN interface list only).
# NOTE(review): use-local-clock=yes with local-clock-stratum=1 presumably lets
# the router present its own clock as a stratum-1 source when it has no
# upstream sync - confirm this is intended, since clients would trust it.
/system ntp server
set enabled=yes local-clock-stratum=1 manycast=yes multicast=yes \
    use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
# "DOH Update" (disabled=yes): downloads a public resolver list in ranged
# chunks and adds every line starting with an IPv4 address to the DNS-DOH
# address list, which the forward chain uses to drop TCP/UDP 443 and 853.
# NOTE(review): the list is fetched over plain http://, so its content is not
# integrity-protected in transit, yet it decides which destinations lose
# 443/853 for non-excluded clients. The Blocker-Import entry in this same
# section fetches the same file over https.
# NOTE(review): the policy set includes sniff and policy, which nothing in the
# visible script body appears to need; trim it to what the script uses before
# re-enabling.
/system scheduler
add disabled=yes interval=3w4d name="DOH Update" on-event=":global thefile \"\
    \"\r\
    \n{\r\
    \n    :local url        http://public-dns.info/nameservers-all.txt ;\r\
    \n    :local filesize   ([/tool fetch url=\$url as-value output=none]->\"d\
    ownloaded\")\r\
    \n    :local maxsize    64512 ; # is the maximum supported readable size o\
    f a block from a file\r\
    \n    :local start      0\r\
    \n    :local end        (\$maxsize - 1)\r\
    \n    :local partnumber (\$filesize / (\$maxsize / 1024))\r\
    \n    :local reminder   (\$filesize % (\$maxsize / 1024))\r\
    \n    :if (\$reminder > 0) do={ :set partnumber (\$partnumber + 1) }\r\
    \n    :for x from=1 to=\$partnumber step=1 do={\r\
    \n         :set thefile (\$thefile . ([/tool fetch url=\$url http-header-f\
    ield=\"Range: bytes=\$start-\$end\" as-value output=user]->\"data\"))\r\
    \n         :set start   (\$start + \$maxsize)\r\
    \n         :set end     (\$end   + \$maxsize)\r\
    \n    }\r\
    \n}\r\
    \n#:log info \"thefile=\$thefile\"\r\
    \n#/file remove [find where name=\"check.txt\"];\r\
    \n:execute \":put \\\$thefile\" file=check.txt;\r\
    \n\r\
    \n:global content value=\$thefile;\r\
    \n:local contentLen value=[:len \$content];\r\
    \n:local lineEnd value=0;\r\
    \n:local line value=\"\";\r\
    \n:local lastEnd value=0;\r\
    \n:local addressListName;\r\
    \n:set addressListName \"DNS-DOH\";\r\
    \n\r\
    \n:if (\$thefile != null) do={\r\
    \n  :log info \"There are some New DNS\"\r\
    \n  #/ip firewall address-list remove [/ip firewall address-list find list\
    =\$addressListName]\r\
    \n  :do {\r\
    \n      :set lineEnd [:find \$content \"\\n\" \$lastEnd ] ;\r\
    \n      :set line [:pick \$content \$lastEnd \$lineEnd] ;\r\
    \n      :set lastEnd ( \$lineEnd + 1 ) ;\r\
    \n      :local entry [:pick \$line 0 \$lineEnd ]\r\
    \n      :if (\$entry~\"^[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]\
    {1,3}\") do={\r\
    \n            :if ( [:len \$entry ] > 0 ) do={\r\
    \n                #:log info \"entry=\$entry\"\r\
    \n                /ip firewall address-list add list=\$addressListName add\
    ress=\$entry;\r\
    \n            }\r\
    \n      } \r\
    \n    } while=(\$lineEnd < \$contentLen);\r\
    \n  } else={\r\
    \n  :log info \"There no DNS in list\"\r\
    \n} " policy=ftp,read,write,policy,test,sniff start-date=2024-02-25 \
    start-time=02:00:00
# "Blocker-Import" (enabled, every 3w6d): downloads
# https://public-dns.info/nameservers-all.txt to a file, empties the DNS-DOH
# address list, then re-adds every line that starts with an IPv4 address.
# NOTE(review): the removal step is "remove [find where list=$listname]" with
# no dynamic filter, although the log text speaks of dynamic entries. It also
# deletes the static 8.8.8.8 / 8.8.4.4 entries defined under
# /ip firewall address-list.
# NOTE(review): the list is emptied before the new entries are parsed, and
# add/remove errors are swallowed by on-error={}. A truncated or unexpected
# download therefore leaves DNS-DOH short or empty without any error in the
# log, and the "BLOCK DOT and DOH" rules then match less than intended.
# Building a temporary list and swapping it in only after a sanity check on
# the entry count would avoid that window.
# NOTE(review): /tool fetch is called without a check-certificate argument, so
# whether the server certificate is validated depends on the RouterOS default
# - confirm, since this file decides which destinations are blocked.
add interval=3w6d name=Blocker-Import on-event="# Turris Import by Blacklister\
    \_and edited by Kato\r\
    \n{\r\
    \n# import config - delay for slow routers\r\
    \n#:delay 1m\r\
    \n:log warning \"Blocker script started\"\r\
    \n/ip firewall address-list\r\
    \n:local update do={\r\
    \n \r\
    \n :if (heirule != null) do={:set \$filtering \", filtering on: \$heirule\
    \"}\r\
    \n :put \"Start importing address-list: \$listname\$filtering\"\r\
    \n :log warning \"Start importing address-list: \$listname\$filtering\"\r\
    \n \r\
    \n /tool fetch url=\$url dst-path=\"/\$listname.txt\" as-value\r\
    \n # delay to wait file flush after fetch\r\
    \n :delay 1\r\
    \n :local filesize [/file get \"\$listname.txt\" size]\r\
    \n :local start 0\r\
    \n :local chunkSize 32767;\t\t# requested chunk size\r\
    \n :local partnumber\t(\$filesize / \$chunkSize); # how many chunk are chu\
    nkSize\r\
    \n :local remainder\t(\$filesize % (\$chunkSize-512)); # the last partly c\
    hunk and use reduced chunkSize\r\
    \n :if (\$remainder > 0) do={ :set partnumber (\$partnumber + 1) }; # tota\
    l number of chunks\r\
    \n \r\
    \n :local listCount [:len [find list=\$listname dynamic]]\r\
    \n \r\
    \n :put \"Deleting \$listCount entries (dynamic) from address-list: \$list\
    name\"\r\
    \n :log warning \"Deleting \$listCount entries (dynamic) from address-list\
    : \$listname\"\r\
    \n\r\
    \n :if (\$heirule = null) do={:set \$heirule \".\"}\r\
    \n\r\
    \n # remove the current dynamic entries completely\r\
    \n :do {remove [find where list=\$listname]} on-error={};\r\
    \n \r\
    \n :set \$listnameTemp (\$listname)\r\
    \n \r\
    \n :for x from=1 to=\$partnumber step=1 do={\r\
    \n   :local data ([:file read offset=\$start chunk-size=\$chunkSize file=\
    \"\$listname.txt\" as-value]->\"data\")\r\
    \n   # Only remove the first line only if you are not at the start of list\
    \r\
    \n   :if (\$start > 0) do={:set data [:pick \$data ([:find \$data \"\\n\"]\
    +1) [:len \$data]]}\r\
    \n   :while ([:len \$data]!=0) do={\r\
    \n     :local line [:pick \$data 0 [:find \$data \"\\n\"]]; # create only \
    once and checked twice as local variable\r\
    \n     :if (\$line~\"^[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1\
    ,3}\" && \$line~heirule) do={\r\
    \n       :local addr [:pick \$data 0 [:find \$data \$delimiter]]\r\
    \n       :do {add list=\$listnameTemp address=\$addr comment=\$description\
    } on-error={}; # on error avoids any panics\r\
    \n     }; # if IP address && extra filter if present\r\
    \n     :set data [:pick \$data ([:find \$data \"\\n\"]+1) [:len \$data]]; \
    # removes the just added IP from the data array\r\
    \n     # Cut of the end of the chunks by removing the last lines...very di\
    rty but it works\r\
    \n     :if (([:len \$data] < 256) && (x < \$partnumber)) do={:set data [:t\
    oarray \"\"]}   \r\
    \n   }; # while\r\
    \n\r\
    \n   #:set start (\$start + \$chunkSize)\r\
    \n   :set start ((\$start-512) + \$chunkSize); # shifts the subquential st\
    arts back with 512\r\
    \n }; #do for x\r\
    \n \r\
    \n  /file remove \"\$listname.txt\"\r\
    \n  :put \"Deleted downloaded file: \$listname.txt\"\r\
    \n  :log warning \"Deleted downloaded file: \$listname.txt\"\r\
    \n}; # do\r\
    \n\$update url=https://public-dns.info/nameservers-all.txt delimiter=(\"\\\
    n\") listname=DNS-DOH\r\
    \n#\$update url=https://level2.netset delimiter=(\"\\n\") listname=z-block\
    list-L2\r\
    \n#\$update url=https://latest.csv listname=z-blocklist delimiter=, heirul\
    e=http\r\
    \n#\$update url=https://drop.txt delimiter=(\"\\_\") listname=z-blocklist-\
    drop\r\
    \n\r\
    \n:log warning message=\"Blocker script COMPLETED running\"\r\
    \n}" policy=ftp,read,write,policy,test start-date=2024-05-01 start-time=\
    02:00:00
# Blocker-Import: stored script that downloads a text list with /tool fetch,
# reads the file back in 32767-byte chunks and adds every line that starts
# like an IPv4 address to a firewall address-list. The only call that is not
# commented out loads https://public-dns.info/nameservers-all.txt into the
# list DNS-DOH.
# NOTE(review): the fetch call sets no check-certificate argument. On RouterOS
# releases where that defaults to "no" the HTTPS server is not authenticated,
# so the list content is only as trustworthy as the network path - confirm the
# default for this version and consider check-certificate=yes with the issuing
# CA installed.
# NOTE(review): the list is emptied with "remove [find where list=...]" (all
# entries, not only the dynamic ones the log line counts) before the import,
# and failed adds are swallowed by on-error={}. A truncated or unexpected
# download therefore leaves the list empty or partial with nothing in the log;
# any firewall rule that matches on this list (not visible here) would quietly
# match less. A file-size or entry-count sanity check before the remove would
# catch that.
/system script
add dont-require-permissions=no name=Blocker-Import owner=RouterOS policy=\
    ftp,read,write,policy,test source="# Turris Import by Blacklister and edit\
    ed by Kato\r\
    \n{\r\
    \n# import config - delay for slow routers\r\
    \n#:delay 1m\r\
    \n:log warning \"Blocker script started\"\r\
    \n/ip firewall address-list\r\
    \n:local update do={\r\
    \n \r\
    \n :if (heirule != null) do={:set \$filtering \", filtering on: \$heirule\
    \"}\r\
    \n :put \"Start importing address-list: \$listname\$filtering\"\r\
    \n :log warning \"Start importing address-list: \$listname\$filtering\"\r\
    \n \r\
    \n /tool fetch url=\$url dst-path=\"/\$listname.txt\" as-value\r\
    \n # delay to wait file flush after fetch\r\
    \n :delay 1\r\
    \n :local filesize [/file get \"\$listname.txt\" size]\r\
    \n :local start 0\r\
    \n :local chunkSize 32767;\t\t# requested chunk size\r\
    \n :local partnumber\t(\$filesize / \$chunkSize); # how many chunk are chu\
    nkSize\r\
    \n :local remainder\t(\$filesize % (\$chunkSize-512)); # the last partly c\
    hunk and use reduced chunkSize\r\
    \n :if (\$remainder > 0) do={ :set partnumber (\$partnumber + 1) }; # tota\
    l number of chunks\r\
    \n \r\
    \n :local listCount [:len [find list=\$listname dynamic]]\r\
    \n \r\
    \n :put \"Deleting \$listCount entries (dynamic) from address-list: \$list\
    name\"\r\
    \n :log warning \"Deleting \$listCount entries (dynamic) from address-list\
    : \$listname\"\r\
    \n\r\
    \n :if (\$heirule = null) do={:set \$heirule \".\"}\r\
    \n\r\
    \n # remove the current dynamic entries completely\r\
    \n :do {remove [find where list=\$listname]} on-error={};\r\
    \n \r\
    \n :set \$listnameTemp (\$listname)\r\
    \n \r\
    \n :for x from=1 to=\$partnumber step=1 do={\r\
    \n   :local data ([:file read offset=\$start chunk-size=\$chunkSize file=\
    \"\$listname.txt\" as-value]->\"data\")\r\
    \n   # Only remove the first line only if you are not at the start of list\
    \r\
    \n   :if (\$start > 0) do={:set data [:pick \$data ([:find \$data \"\\n\"]\
    +1) [:len \$data]]}\r\
    \n   :while ([:len \$data]!=0) do={\r\
    \n     :local line [:pick \$data 0 [:find \$data \"\\n\"]]; # create only \
    once and checked twice as local variable\r\
    \n     :if (\$line~\"^[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1\
    ,3}\" && \$line~heirule) do={\r\
    \n       :local addr [:pick \$data 0 [:find \$data \$delimiter]]\r\
    \n       :do {add list=\$listnameTemp address=\$addr comment=\$description\
    } on-error={}; # on error avoids any panics\r\
    \n     }; # if IP address && extra filter if present\r\
    \n     :set data [:pick \$data ([:find \$data \"\\n\"]+1) [:len \$data]]; \
    # removes the just added IP from the data array\r\
    \n     # Cut of the end of the chunks by removing the last lines...very di\
    rty but it works\r\
    \n     :if (([:len \$data] < 256) && (x < \$partnumber)) do={:set data [:t\
    oarray \"\"]}   \r\
    \n   }; # while\r\
    \n\r\
    \n   #:set start (\$start + \$chunkSize)\r\
    \n   :set start ((\$start-512) + \$chunkSize); # shifts the subquential st\
    arts back with 512\r\
    \n }; #do for x\r\
    \n \r\
    \n  /file remove \"\$listname.txt\"\r\
    \n  :put \"Deleted downloaded file: \$listname.txt\"\r\
    \n  :log warning \"Deleted downloaded file: \$listname.txt\"\r\
    \n}; # do\r\
    \n\$update url=https://public-dns.info/nameservers-all.txt delimiter=(\"\\\
    n\") listname=DNS-DOH\r\
    \n#\$update url=https://level2.netset delimiter=(\"\\n\") listname=z-block\
    list-L2\r\
    \n#\$update url=https://latest.csv listname=z-blocklist delimiter=, heirul\
    e=http\r\
    \n#\$update url=https://drop.txt delimiter=(\"\\_\") listname=z-blocklist-\
    drop\r\
    \n\r\
    \n:log warning message=\"Blocker script COMPLETED running\"\r\
    \n}"
# Layer-2 management on the CAPsMAN router: both the MAC server and
# MAC-Winbox accept connections only on interfaces in the TRUSTED list.
/tool mac-server
set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

And this is my CAP config:

# CAP

# CAP, first export: bridge, Ethernet ports, VLAN interfaces and the wifi
# datapath.
# NOTE(review): vlan-filtering is not set on BR-Cap. The bridge VLAN table and
# the port pvid values are then not enforced, so tagged and untagged frames
# are forwarded between all bridge ports and VLAN separation (e.g. Guests vs
# Lan) is not enforced on this device.
/interface bridge
add admin-mac=48:A9:8A:BC:A5:1F auto-mac=no comment=defconf name=BR-Cap
/interface ethernet
set [ find default-name=ether1 ] mtu=1480 speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] mtu=1480 speed=100Mbps
# VLAN interfaces on the bridge give the CAP itself a layer-3 presence in each
# VLAN; they do not tag client traffic.
/interface vlan
add comment=LAN interface=BR-Cap mtu=1480 name=100-Lan vlan-id=100
add comment=Mamma interface=BR-Cap mtu=1480 name=200-Mamma vlan-id=200
add comment=Guests interface=BR-Cap mtu=1480 name=300-Guest vlan-id=300
add comment=Domus interface=BR-Cap mtu=1480 name=400-Domus vlan-id=400
add comment=Control interface=BR-Cap mtu=1480 name=900-Control vlan-id=900
/interface list
add name=LAN
add name=TRUSTED
# The datapath names only the bridge; no vlan-id is set here.
# NOTE(review): unless CAPsMAN supplies a datapath vlan-id, wireless clients
# join BR-Cap untagged - confirm against the CAPsMAN configuration.
/interface wifiwave2 datapath
add bridge=BR-Cap comment=defconf disabled=no name=capdp
/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: LimitService5G, channel: 5220/ax/eeCe
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# managed by CAPsMAN
# mode: AP, SSID: LimitService2G, channel: 2437/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# ether1-ether4 carry no pvid (default 1); pvid=100 on ether5 only takes
# effect once vlan-filtering is enabled on the bridge.
/interface bridge port
add bridge=BR-Cap comment=defconf interface=ether1
add bridge=BR-Cap comment=defconf interface=ether2
add bridge=BR-Cap comment=defconf interface=ether3
add bridge=BR-Cap comment=defconf interface=ether4
add bridge=BR-Cap comment=defconf interface=ether5 pvid=100
/ip firewall connection tracking
set udp-timeout=30s
# Neighbor discovery runs only on interfaces in TRUSTED (100-Lan, see the
# list members below), so the CAP does not announce itself on the other VLANs.
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
# IPv6 is switched off entirely; redirects, router advertisements and
# forwarding are refused as well.
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
# LAN holds every VLAN interface plus the bridge; TRUSTED holds only 100-Lan.
# TRUSTED is what the discovery and MAC-Winbox settings key on.
/interface list member
add interface=100-Lan list=LAN
add interface=400-Domus list=LAN
add interface=200-Mamma list=LAN
add interface=300-Guest list=LAN
add interface=900-Control list=LAN
add interface=100-Lan list=TRUSTED
add interface=BR-Cap list=LAN
# CAPsMAN discovery runs on the bridge itself, i.e. on untagged traffic.
/interface wifiwave2 cap
set discovery-interfaces=BR-Cap enabled=yes slaves-datapath=capdp
# The CAP requests its own address on VLAN 400 (Domus).
/ip dhcp-client
add interface=400-Domus
# NOTE(review): every rule shown is an accept (or fasttrack). With no drop
# rule in the input chain, traffic that matches nothing is accepted, so any
# host that can reach an address of this CAP can reach its enabled services;
# filtering then depends entirely on the upstream router. A final input drop
# preceded by an explicit allow for the management source would close that.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# telnet, ftp, ssh, api and api-ssl are disabled. www and winbox are not
# listed, so they are presumably still at their defaults - confirm with
# "/ip service print" and restrict them by source address if they stay on.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=AP
/system logging
add topics=wireless
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.240.1
# The MAC server is closed on all interfaces; MAC-Winbox stays available on
# the TRUSTED list only.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

I have also attached a screenshot of the MikroTik switch between these two devices.

Thanks again!
SW-AP.png

The first thing I notice is that VLAN filtering is not active on the CAP's bridge. Besides that, there is a lot of configuration that is unrelated to the CAP role. What hardware do you use as the CAP?

Thanks so much for trying to help me

I have a HAP AX3

I turned on VLAN filtering, but the problem got worse: now it not only offers the devices a lease from the bridge’s DHCP server instead of the VLAN’s, the devices actually take the bridge’s DHCP addresses…

# CAP
# CAP, second export: same layout as before, now with vlan-filtering=yes, so
# the bridge VLAN table and the port pvid values are enforced.
/interface bridge
add admin-mac=48:A9:8A:BC:A5:1F auto-mac=no comment=defconf name=BR-Cap \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mtu=1480 speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] mtu=1480 speed=100Mbps
/interface vlan
add comment=LAN interface=BR-Cap mtu=1480 name=100-Lan vlan-id=100
add comment=Mamma interface=BR-Cap mtu=1480 name=200-Mamma vlan-id=200
add comment=Guests interface=BR-Cap mtu=1480 name=300-Guest vlan-id=300
add comment=Domus interface=BR-Cap mtu=1480 name=400-Domus vlan-id=400
add comment=Control interface=BR-Cap mtu=1480 name=900-Control vlan-id=900
/interface list
add name=LAN
add name=TRUSTED
# The datapath still names only the bridge; no vlan-id is set.
# NOTE(review): with filtering on, a wifi interface added to the bridge
# without a vlan-id is presumably an untagged port in the default VLAN
# (pvid 1) - confirm what vlan-id, if any, CAPsMAN supplies per SSID.
/interface wifiwave2 datapath
add bridge=BR-Cap comment=defconf disabled=no name=capdp
/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: LimitService5G, channel: 5220/ax/eeCe
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# managed by CAPsMAN
# mode: AP, SSID: LimitService2G, channel: 2437/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# ether1-ether4 have no pvid set (default 1), so untagged frames on them are
# placed in VLAN 1; ether5 is an untagged port of VLAN 100.
/interface bridge port
add bridge=BR-Cap comment=defconf interface=ether1
add bridge=BR-Cap comment=defconf interface=ether2
add bridge=BR-Cap comment=defconf interface=ether3
add bridge=BR-Cap comment=defconf interface=ether4
add bridge=BR-Cap comment=defconf interface=ether5 pvid=100
/ip firewall connection tracking
set udp-timeout=30s
# Neighbor discovery runs only on interfaces in TRUSTED (100-Lan).
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
# VLANs 100-400 are tagged on the bridge itself and on ether1 only; the entry
# for VLAN 900 is disabled.
# NOTE(review): no wifi interface appears in this table and the capdp datapath
# carries no vlan-id. Unless CAPsMAN supplies one, wireless clients are
# bridged untagged and leave ether1 untagged, which would match the reported
# leases from the bridge's DHCP server. For the Guests SSID that means clients
# land on the untagged network rather than in VLAN 300, so any isolation that
# relies on the VLAN does not apply to them - verify the per-SSID vlan-id on
# the CAPsMAN side.
/interface bridge vlan
add bridge=BR-Cap tagged=BR-Cap,ether1 vlan-ids=100
add bridge=BR-Cap tagged=BR-Cap,ether1 vlan-ids=200
add bridge=BR-Cap tagged=BR-Cap,ether1 vlan-ids=300
add bridge=BR-Cap tagged=BR-Cap,ether1 vlan-ids=400
add bridge=BR-Cap disabled=yes tagged=BR-Cap,ether1 vlan-ids=900
# LAN holds every VLAN interface plus the bridge; TRUSTED holds only 100-Lan.
/interface list member
add interface=100-Lan list=LAN
add interface=400-Domus list=LAN
add interface=200-Mamma list=LAN
add interface=300-Guest list=LAN
add interface=900-Control list=LAN
add interface=100-Lan list=TRUSTED
add interface=BR-Cap list=LAN
# CAPsMAN discovery runs on the bridge interface, i.e. in the bridge's own
# untagged VLAN.
/interface wifiwave2 cap
set discovery-interfaces=BR-Cap enabled=yes slaves-datapath=capdp
# The CAP requests its own address on VLAN 400 (Domus).
/ip dhcp-client
add interface=400-Domus
# NOTE(review): only accept/fasttrack rules are present. The input chain has
# no drop rule, so unmatched traffic to the CAP is accepted and access to its
# enabled services is limited only by what can route to its address.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# telnet, ftp, ssh, api and api-ssl are disabled; www and winbox are not
# listed and are presumably at their defaults - confirm with
# "/ip service print".
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=AP-Server
/system logging
add topics=wireless
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.240.1
# The MAC server is closed on all interfaces; MAC-Winbox stays available on
# the TRUSTED list only.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

What devices are you using (as CAPs and CAPsMAN)? Version?

Check the documentation and have a very good look at the “CAP using “wifi-qcom” package:” part:
https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-CAPsMAN-CAPVLANconfigurationexample:

# Documentation example of a CAP: one bridge, a datapath that names only that
# bridge, both radios handed to CAPsMAN, all Ethernet ports bridged, and a
# DHCP client on the bridge for the CAP's own address.
# It contains no VLAN interfaces and no bridge VLAN table; VLAN assignment is
# presumably delivered by CAPsMAN. It also shows no firewall filter or
# /ip service settings, so it is a minimal starting point, not a hardened
# configuration.
/interface bridge
add name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add interface=bridgeLocal disabled=no

As you can see there is nothing you have to configure for VLAN on the CAP.

Thanks, I deleted everything and reset the device. I still have the problem that some devices connected via WiFi get their IP from the bridge’s DHCP server and not from their VLAN’s DHCP server. For now I have disabled the bridge’s DHCP server. Any help?

CAP Config:

# CAP, third export (after reset): the bridge is again created without
# vlan-filtering, so the bridge does not enforce VLAN membership or pvid.
/interface bridge
add admin-mac=48:A9:8A:BC:A5:1F auto-mac=no comment=defconf mtu=1500 name=\
    BR-Cap
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
# The VLAN interfaces remain defined on the bridge even though the CAP role
# itself only needs a management address.
/interface vlan
add interface=BR-Cap name=100-Lan vlan-id=100
add interface=BR-Cap name=200-Mamma vlan-id=200
add interface=BR-Cap name=300-Guest vlan-id=300
add interface=BR-Cap name=400-Domus vlan-id=400
add interface=BR-Cap name=900-Control vlan-id=900
/interface list
add name=TRUSTED
# The datapath names only the bridge; no vlan-id is set here.
# NOTE(review): whether each SSID is tagged therefore depends on what CAPsMAN
# supplies - if nothing, clients are bridged untagged and reach the untagged
# network's DHCP server. Confirm on the CAPsMAN side.
/interface wifiwave2 datapath
add bridge=BR-Cap comment=defconf disabled=no name=capdp
/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: LimitService5G, channel: 5220/ax/eeCe
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# managed by CAPsMAN
# mode: AP, SSID: LimitService2G, channel: 2437/n/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
    disabled=no
/ip ipsec profile
set [ find default=yes ] dpd-interval=8s dpd-maximum-failures=4
# ether2-ether4 are disabled as bridge ports; ether1 and ether5 stay bridged.
# pvid=100 on ether5 has no effect while vlan-filtering is off.
/interface bridge port
add bridge=BR-Cap comment=defconf interface=ether1
add bridge=BR-Cap comment=defconf disabled=yes interface=ether2
add bridge=BR-Cap comment=defconf disabled=yes interface=ether3
add bridge=BR-Cap comment=defconf disabled=yes interface=ether4
add bridge=BR-Cap comment=defconf interface=ether5 pvid=100
/ip firewall connection tracking
set udp-timeout=30s
# Neighbor discovery runs only on interfaces in TRUSTED (100-Lan).
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface list member
add interface=100-Lan list=TRUSTED
/interface wifiwave2 cap
set discovery-interfaces=BR-Cap enabled=yes slaves-datapath=capdp
# The CAP now requests an address both on the untagged bridge and on VLAN 400,
# so it is addressable from two networks.
/ip dhcp-client
add comment=defconf interface=BR-Cap
add interface=400-Domus
# NOTE(review): this export shows no /ip firewall filter and no /ip service
# section. If the export is complete, the input chain is unfiltered and the
# management services are at their defaults - confirm with
# "/ip service print" and add input filtering before relying on this CAP.
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=AP
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.10.0.1
add address=192.168.240.1
# The MAC server is closed on all interfaces; MAC-Winbox stays available on
# the TRUSTED list only.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
# NOTE(review): RoMON is enabled and neither a secret nor a per-port
# restriction appears here (a secret may simply be hidden by the export).
# RoMON gives layer-2 management reachability, so confirm that a secret is set
# and that it is forbidden on client-facing ports via /tool romon port.
/tool romon
set enabled=yes