I’m setting up a new network with L009UiGS-2HaxD as CAPsMAN controller and several external cAP ax.
All of them ROS 7.18.2
This is first time for me when I faced with “new” CAPsMAN method using Bridge VLAN filtering for
devices having wifi-qcom package.
More that five year I use “old” CAPsMAN setup based on wireless package and new method is
quite complex for me.
Right now new Wifi network is working but there is issue: I can’t achieve client isolation for “Guest” VLAN10.
More precisely, isolation works only for internal WiFi interfaces of the L009 controller itself. That is, if you physically turn off external cAP ax access points, then isolation of VLAN10 clients works due to the enabled option “Client Isolation” in the datapath, which is specified in the guest Configuration.
But as soon as clients connect to external cAP ax - the option
“Client Isolation” is ignored. As I understand it, my CAPsMAN implementation is made with so-called “local forwarding” and internal traffic between clients of access points does not reach the L009 controller. I even tried to add Bridge Filter for blocking In. Interface VLAN 10 and Out. Interface VLAN10, but this filter does not work at cAP ax (mikrotik shows warning “in/out-bridge-port matcher not possible when interface (vlan10) is not slave”).
So what is my setup:
Controller L009 has the only one bridge with activated option VLAN FILTERING, frame types “admit only VLAN tagged”
There are VLANS:
VLAN6 - office (no client isolation needed), used for wired connections and WiFi
VLAN10 - guests (client isolation needed), used only for WiFi
VLAN50 - management (no client isolation needed), used for wired connections only, so far.
VLAN50 is used as CAPsMAN management interface
Setting up L009 controller, I created several configurations as for VLAN6 as for VLAN10.
Here is example of 2 guest configurations:
/interface wifi configuration
add channel=ch-2GHz-AX country=Ukraine datapath=datapath-guest \
datapath.client-isolation=yes disabled=no mode=ap name=cfg-Guest-2GHz-AX \
security=sec-guests security.authentication-types=wpa2-psk,wpa3-psk \
.disable-pmkid=yes .ft=yes .ft-over-ds=yes .wps=disable ssid=GUESTS
add channel=ch-5GHz-AX country=Ukraine datapath=datapath-guest \
datapath.client-isolation=yes disabled=no mode=ap name=cfg-Guest-5GHz-AX \
security=sec-guests security.authentication-types=wpa2-psk,wpa3-psk .ft=\
yes .ft-over-ds=yes ssid=GUESTS
Datapath added to Guest configuration also contains “client isolation” option:
/interface wifi datapath
add client-isolation=yes disabled=no name=datapath-guest vlan-id=10
cAP ax access points have the only bridge with VLAN FILTERING too.
Here is full config:
/interface bridge
add admin-mac=D4:01:C3:FA:F6:DB auto-mac=no comment=defconf frame-types=\
admit-only-vlan-tagged name=bridgeLocal vlan-filtering=yes
/interface vlan
add interface=bridgeLocal name=vlan6 vlan-id=6
add interface=bridgeLocal name=vlan10 vlan-id=10
add interface=bridgeLocal name=vlan50 vlan-id=50
/interface wifi datapath
add bridge=bridgeLocal client-isolation=yes comment=defconf disabled=no name=\
data-cap
/interface wifi
# managed by CAPsMAN 10.0.50.1, traffic processing on CAP
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=\
data-cap disabled=no
# managed by CAPsMAN 10.0.50.1, traffic processing on CAP
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=\
data-cap disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=6
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=10
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=50
/interface wifi cap
set caps-man-addresses=10.0.50.1 discovery-interfaces="" enabled=yes \
slaves-datapath=data-cap
/ip dhcp-client
add comment=defconf default-route-tables=main interface=vlan50