CAPsMAN - Local-Forwarding - how to choose bridge

Hi!

I am just trying to do my first CAPsMAN setup. Everything is clear, except the local-forwarding.

Can you give me a hint on how to steer which local bridge is used at the CAP if I choose “local-forwarding”?
If the AP would not be managed, I would be able to configure:

  • SSID1 - bridged to bridge1
  • SSID2 - bridged to bridge2

At CAPsMAN, I was not able to find anything like that. I can choose the bridge in “central-breakout-mode”, but not in local-forwarding-mode.

What did I do wrong?

Thank you for your help!
Stril

Don’t know about GUI but in CLI datapath has bridge property when local-forwarding set to either yes or no. I’m not sure how it’s interpreted if set with local-forwarding, but I guess it’s used on CAP as intended.

But then … with bridge being VLAN aware, rarely there’s need to run more than one bridge.

In local-forwarding mode you select the bridge on the cap itself in:

/interface wireless cap
set bridge=...
I don’t think you are able to select multiple bridges; use tagged VLANs in datapath instead.

Hi!

Thank you!
So, if I add a new virtualAP via CAPsMAN with local-forwarding, I would have to

  • add VLAN to AP
  • add VLAN to AP-uplink tagged
  • add vAP via CAPsMAN with vlan-tag=xx and local-forwarding

Right?

Thank you for your help!

Again: do you have some particular reason for running multiple bridges on a RB device?

A hint: you can run VLANs entirely internal to AP if you don’t want to run VLANs on wires between AP and the rest of LAN… I can elaborate but after you explain your use case.

Hi!

I do not have any technical reason to do so.
The only advantage of multiple bridges is better visibility for me, as I do not really like the way MikroTik shows VLAN interfaces.

It’s your choice.

However, since introduction of VLAN-enabled bridges (somewhere in version 6.41 IIRC) there is no (main-stream) technical reason to run more than one bridge per MT device. And there are things that don’t play well when there are multiple bridges (as you noticed yourself).

In addition to @mkx: it is sufficient to configure the access point(s) as CAP; after that you can do all configuration on the CAPsMAN.

Hi!

I tried exactly this:

CAPsMAN provisioned two vAPs on one physical CAP.

  • SSID1 - Datapath local-forwarding
  • SSID2 - Datapath local-forwarding - use-tag=10

But now, the tag does not seem to be used. The vAP on the CAP still shows: no tag, vlan-id 1

Did I miss anything?

Show /capsman export so we can see what exactly you configured …

Yep, show us your settings. Datapath should be something like

/caps-man datapath add client-to-client-forwarding=yes local-forwarding=yes name=xyz vlan-id=10 vlan-mode=use-tag

Here is my recommendation

/caps-man configuration
add country="united states3" datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=yes keepalive-frames=enabled mode=ap name=\
    VLAN1 security.authentication-types=wpa2-psk security.encryption=\
    aes-ccm security.group-encryption=aes-ccm security.passphrase=password \
    ssid=VLAN1
add country="united states3" datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=\
    use-tag keepalive-frames=enabled mode=ap name=VLAN10 \
    security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.group-encryption=aes-ccm security.passphrase=password \
    ssid=VLAN10
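
A checker for the symptom reported earlier in the thread (a tag configured on CAPsMAN while the CAP still shows "no tag"), added here as an example; it is not code from any poster or from MikroTik. It assumes the `/caps-man export` shape shown in this thread, reads inline datapath properties only (a `datapath=<name>` reference is not resolved), and assumes vlan-id takes effect only when vlan-mode enables tagging; every name in the sample is constructed.

```python
import shlex
# Constructed sample in the shape of a `/caps-man export`; not taken from the thread.
SAMPLE_EXPORT = r'''/caps-man datapath
add local-forwarding=yes name=dp-guest vlan-id=10
/caps-man configuration
add datapath.local-forwarding=yes mode=ap name=cfg-lan ssid=SSID1
add datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=\
    use-tag mode=ap name=cfg-guest ssid=SSID2
add datapath.vlan-mode=use-tag mode=ap name=cfg-iot ssid="SSID 3"
'''

# Datapath keys are bare in the datapath menu and prefixed inside a configuration.
PREFIX = {"/caps-man datapath": "", "/caps-man configuration": "datapath."}
TAGGING = ("use-tag", "use-service-tag")

def logical_lines(text):
    """Join lines the export wrapped with a trailing backslash (even mid-value)."""
    buf = ""
    for raw in text.splitlines():
        part = raw.strip()
        if part.endswith("\\"):
            buf += part[:-1]
            continue
        yield buf + part
        buf = ""

def datapath_entries(text):
    """Yield (name, datapath properties) for each `add` in the two menus above."""
    section = None
    for line in logical_lines(text):
        if line.startswith("/"):  # menu header, optionally followed by "add ..."
            section, _, rest = line.partition(" add ")
            line = "add " + rest if rest else ""
        if line.startswith("add ") and section in PREFIX:
            props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            pre = PREFIX[section]
            dp = {k[len(pre):]: v for k, v in props.items() if k.startswith(pre)}
            yield props.get("name", "?"), dp

def check(text):
    """Flag entries where vlan-id and vlan-mode are not set together."""
    findings = []
    for name, dp in datapath_entries(text):
        mode, vid = dp.get("vlan-mode"), dp.get("vlan-id")
        if vid and mode not in TAGGING:      # assumption: vlan-id alone does not tag
            findings.append((name, "vlan-id-without-vlan-mode"))
        elif mode in TAGGING and not vid:    # tagging requested, no VLAN chosen
            findings.append((name, "vlan-mode-without-vlan-id"))
    return findings
```

Feed it the text of `/caps-man export` from the controller; an empty list means every inline datapath sets vlan-id and vlan-mode together or sets neither.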