CAPsMAN Master wifi works, slave/virtual APs don't

Hello! I don’t know if this is basic or advanced, but I’m a beginner with MikroTik kit, so here goes:

I have an RB2011 router which I have set up with three networks so far — one native (untagged) and two VLANs — plus CAPsMAN. I have two APs, a mAP2n and a cAP2n, set up as CAPs talking to the CAPsMAN. I have set up three wireless configurations. When I go to Provisioning, whichever wireless configuration I set as the master always works correctly, but neither of the slave/virtual APs does: a client appears to associate fine, but its traffic never makes it onto the LAN to reach the DHCP server. The APs are plugged into ports ether9 and ether10, but it’s just the same if I connect them via ether5 and a smart switch. I can only imagine there’s something trivial I’ve missed — please can someone tell me what it is?

Here’s my router config:

# oct/12/2015 16:04:29 by RouterOS 6.32.2
# software id = 6HET-QTGN
#
# RB2011 acting as CAPsMAN (identity BHE-router, set near the end) and as the
# router for an untagged LAN (bridge-local, 192.168.88.0/24) plus VLANs 2, 3
# and 4, each terminated on its own bridge/address further down.  Sections are
# in the exporter's dependency order (bridges before the VLAN interfaces that
# sit on them, etc.); keep that order when importing.
/caps-man channel
# Three fixed, non-overlapping 20 MHz 2.4 GHz channels (1/6/11), one per SSID.
add band=2ghz-b/g/n extension-channel=disabled frequency=2412 name=channel1 \
    width=20
add band=2ghz-b/g/n extension-channel=disabled frequency=2437 name=channel6 \
    width=20
add band=2ghz-b/g/n extension-channel=disabled frequency=2462 name=channel11 \
    width=20
/caps-man datapath
# local-forwarding=yes: the CAP bridges client frames itself instead of
# tunnelling them to CAPsMAN, so the CAP's own bridge has to carry them (see
# the CAP-side `/interface wireless cap bridge=` setting in the thread).  Per
# the parameter names, bhe/fcq clients are placed in VLAN 2/3 (tagged); mgmt
# has no vlan-id, so its clients land untagged on the management LAN.
add client-to-client-forwarding=yes local-forwarding=yes name=bhe vlan-id=2 \
    vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=fcq vlan-id=3 \
    vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=mgmt
/caps-man configuration
# WPA/WPA2-PSK with CCMP (AES) only, no TKIP - good.  NOTE(review): wpa-psk
# (WPA1) is still accepted alongside wpa2-psk; drop it unless a legacy client
# needs it.  No security.passphrase appears in this export - presumably
# redacted or exported with hide-sensitive.  hide-ssid on the management
# network is cosmetic (the SSID still appears in probe/association frames);
# it is not an access control.
add channel=channel6 country="united kingdom" datapath=bhe name=wlan-bhe \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm security.group-encryption=aes-ccm ssid="Big House Events"
add channel=channel11 country="united kingdom" datapath=fcq name=wlan-fcq \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm security.group-encryption=aes-ccm ssid="Full Cirqle"
add channel=channel1 country="united kingdom" datapath=mgmt hide-ssid=yes \
    name=wlan-mgmt security.authentication-types=wpa-psk,wpa2-psk \
    security.encryption=aes-ccm security.group-encryption=aes-ccm ssid=\
    "Units 8 & 9"
/interface bridge
# One bridge per VLAN (the vlanN interfaces become their ports below) plus
# bridge-local for the untagged LAN.  "br-lan4-gcq" looks like a typo of the
# fcq naming; harmless, but it is referenced by that name below.
add name=br-lan2-bhe
add name=br-lan3-fcq
add name=br-lan4-gcq
add admin-mac=E4:8D:8C:20:AE:71 auto-mac=no name=bridge-local
/interface ethernet
# ether1 is the WAN (DHCP client) port; ether5 and ether10 are the master
# ports of the two switch groups whose slaves are assigned further down.
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether5 ] name=ether5-master
set [ find default-name=ether10 ] name=ether10-master
/ip neighbor discovery
# Do not advertise this router (MNDP/CDP) on the WAN side.
set ether1-gateway discover=no
/interface vlan
# Router-side VLAN interfaces, all hanging off bridge-local.
add interface=bridge-local l2mtu=1594 name=vlan2 vlan-id=2
add interface=bridge-local l2mtu=1594 name=vlan3 vlan-id=3
add interface=bridge-local l2mtu=1594 name=vlan4 vlan-id=4
/interface ethernet
# Switch-chip port groups: ether2-4 behind ether5, ether6-9 behind ether10.
set [ find default-name=ether2 ] master-port=ether5-master name=ether2-slave
set [ find default-name=ether3 ] master-port=ether5-master name=ether3-slave
set [ find default-name=ether4 ] master-port=ether5-master name=ether4-slave
set [ find default-name=ether6 ] master-port=ether10-master name=ether6-slave
set [ find default-name=ether7 ] master-port=ether10-master name=ether7-slave
set [ find default-name=ether8 ] master-port=ether10-master name=ether8-slave
set [ find default-name=ether9 ] master-port=ether10-master name=ether9-slave
/interface ethernet switch port
# Per-port VLAN handling on the switch chips.  vlan-mode=secure is the strict
# mode (per the RouterOS switch-chip docs: untagged ingress gets
# default-vlan-id, frames for VLANs missing from the table are dropped -
# confirm for this chip); always-strip makes a port untagged on egress.  The
# numeric indices are positions in `/interface ethernet switch port print`;
# which index is which port cannot be recovered from this export alone.
set 2 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=0 vlan-mode=secure
set 5 default-vlan-id=0 vlan-mode=secure
set 6 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 9 vlan-mode=secure
set 10 vlan-mode=secure
set 11 default-vlan-id=0 vlan-mode=secure
set 12 vlan-mode=secure
/interface wireless security-profiles
# Local wireless profile; irrelevant on the CAPsMAN itself (no local wlan).
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
# Default IPsec proposal; no IPsec peers or policies are configured here.
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
# DHCP pools: one for the management LAN, one per VLAN.  Note the numbering
# does not follow the subnets (dhcp_pool2 -> VLAN 2 -> 192.168.1.0/24).
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.1.64-192.168.1.199
add name=dhcp_pool3 ranges=192.168.3.11-192.168.3.239
add name=dhcp_pool4 ranges=192.168.4.1-192.168.4.253
/ip dhcp-server
# One DHCP server per bridge.  The server names do not follow the pools
# (dhcp2 -> pool2, dhcp1 -> pool3, dhcp3 -> pool4) - cosmetic, but confusing.
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
add address-pool=dhcp_pool2 disabled=no interface=br-lan2-bhe lease-time=8h \
    name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=br-lan3-fcq lease-time=8h \
    name=dhcp1
add address-pool=dhcp_pool4 disabled=no interface=br-lan4-gcq lease-time=15m \
    name=dhcp3
/tool user-manager customer
# User Manager default; nothing in this export (no hotspot, no RADIUS client)
# uses it.
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/caps-man manager
# CAPsMAN with auto-generated certificates.  NOTE(review): the CAP exports in
# this thread set neither certificate= nor lock-to-caps-man=, and this manager
# does not set require-peer-certificate=, so a CAP adopts whichever CAPsMAN
# answers discovery on its uplink.  Once the setup is stable, pin both sides
# (if those options exist on this version) so a rogue manager on the LAN
# cannot take over the APs.
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
# Every discovered CAP gets wlan-mgmt as its master and bhe/fcq as virtual
# (slave) APs.  The slave APs are the ones that passed no traffic until the
# CAP side was given a bridge= (see the thread's resolution).
add action=create-dynamic-enabled master-configuration=wlan-mgmt name-format=\
    identity name-prefix=cap slave-configurations=wlan-bhe,wlan-fcq
/interface bridge port
# The two master ports and sfp1 sit in bridge-local; each vlanN interface
# goes into its own bridge, so each bridge carries exactly one VLAN at L3.
# NOTE: the last `add bridge=bridge-local` has no interface= - looks like a
# stray/empty port entry; presumably harmless, but worth deleting.
add bridge=bridge-local interface=ether5-master
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=ether10-master
add bridge=br-lan2-bhe interface=vlan2
add bridge=br-lan3-fcq interface=vlan3
add bridge=br-lan4-gcq interface=vlan4
add bridge=bridge-local
/interface ethernet switch vlan
# Switch VLAN membership.  switch2 (ether6-10): ether10-master and ether9-slave
# are in every VLAN (the ports the CAPs plug into), ether7/ether8 carry VLAN
# 2/3 only, ether6 the untagged network only.  switch1 (ether2-5) mirrors
# this with ether5-master/ether4-slave in every VLAN.
add ports=switch2-cpu,ether10-master,ether9-slave,ether7-slave switch=switch2 \
    vlan-id=2
add ports=switch2-cpu,ether10-master,ether9-slave,ether8-slave switch=switch2 \
    vlan-id=3
add ports=switch2-cpu,ether10-master,ether9-slave switch=switch2 vlan-id=4
add ports=switch2-cpu,ether10-master,ether9-slave,ether6-slave switch=switch2
add independent-learning=no ports=switch1-cpu,ether5-master,ether4-slave \
    switch=switch1
add independent-learning=no ports=\
    switch1-cpu,ether5-master,ether4-slave,ether2-slave switch=switch1 \
    vlan-id=2
add independent-learning=no ports=\
    switch1-cpu,ether5-master,ether4-slave,ether3-slave switch=switch1 \
    vlan-id=3
add independent-learning=no ports=switch1-cpu,ether5-master,ether4-slave \
    switch=switch1 vlan-id=4
/ip address
# Router addresses, one per bridge.  With no forward-chain restrictions in the
# firewall below, all four segments can route to each other.
add address=192.168.88.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.88.0
add address=192.168.1.1/24 interface=br-lan2-bhe network=192.168.1.0
add address=192.168.3.254/24 interface=br-lan3-fcq network=192.168.3.0
add address=192.168.4.254/24 interface=br-lan4-gcq network=192.168.4.0
/ip dhcp-client
# WAN address via DHCP on ether1.
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server network
# Gateway/DNS handed out per subnet; the router itself is the DNS server.
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
    netmask=24
add address=192.168.3.0/24 dns-server=192.168.3.254 gateway=192.168.3.254 \
    netmask=24
add address=192.168.4.0/24 dns-server=192.168.4.254 gateway=192.168.4.254 \
    netmask=24
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
# The router answers DNS for any source.  The input chain drops everything
# arriving on ether1-gateway, so this is not an open resolver towards the
# Internet, but it is reachable from every LAN/VLAN segment.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
# Stock RouterOS default firewall: input accepts ICMP and established/related
# and drops the rest from the WAN; forward accepts established/related, drops
# invalid and unsolicited new connections from the WAN.
# NOTE(review): nothing here separates the LAN segments - traffic from the
# event/guest VLANs (2, 3) to the management LAN (192.168.88.0/24, where this
# router and the CAPs are managed) is forwarded freely, as is VLAN-to-VLAN
# traffic.  If those SSIDs are for visitors, add forward drops from
# br-lan2-bhe/br-lan3-fcq towards bridge-local (and each other).  The input
# chain is also fully open from the LAN side - normal for the default config,
# but it means every VLAN can reach Winbox/SSH/www on this router.
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
/ip firewall nat
# Source NAT for everything leaving through the WAN port.
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
/lcd
set default-screen=stats
/system clock
set time-zone-autodetect=no time-zone-name=Europe/London
/system identity
set name=BHE-router
/system ntp client
# Time sync from two hard-coded public NTP addresses.
set enabled=yes primary-ntp=89.145.97.62 secondary-ntp=82.219.4.30
/tool mac-server
# MAC-telnet is a layer-2 management service and is generally not subject to
# the IP firewall filter above.  It is enabled here on every LAN port and on
# bridge-local.  NOTE(review): presumably intended for LAN-side recovery
# access; consider restricting it to bridge-local or one physical port.
# Whether clients on the tagged VLANs can reach it depends on how the bridge
# handles tagged frames - confirm.  Entries on slave ports may be moot since
# those ports are reached through their master - confirm.
set [ find default=yes ] disabled=yes
add interface=ether2-slave
add interface=ether3-slave
add interface=ether4-slave
add interface=ether5-master
add interface=ether6-slave
add interface=ether7-slave
add interface=ether8-slave
add interface=ether9-slave
add interface=ether10-master
add interface=sfp1
add interface=bridge-local
/tool mac-server mac-winbox
# Same exposure as mac-server above, for Winbox over MAC addresses.
set [ find default=yes ] disabled=yes
add interface=ether2-slave
add interface=ether3-slave
add interface=ether4-slave
add interface=ether5-master
add interface=ether6-slave
add interface=ether7-slave
add interface=ether8-slave
add interface=ether9-slave
add interface=ether10-master
add interface=sfp1
add interface=bridge-local
/tool user-manager database
set db-path=user-manager

And here’s an AP config:

# oct/12/2015 15:08:16 by RouterOS 6.32.2
# software id = 290T-21QQ
#
# mAP2n CAP (identity BHE-mAP2n below) as it was while the slave SSIDs did
# not pass traffic: the default "router mode" leftovers (firewall, NAT entry,
# DHCP network, hotspot profile, IPsec policy) on top of a bridged CAP.
# `/interface wireless cap` has no bridge= - the setting the thread later
# identifies as the missing piece for local forwarding.
/interface bridge
add admin-mac=D4:CA:6D:88:E1:89 auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
# ether1 is the uplink to the router; ether2 is slaved behind it.
set [ find default-name=ether1 ] name=ether1-master
set [ find default-name=ether2 ] master-port=ether1-master name=ether2-slave
/ip neighbor discovery
set ether1-master discover=no
/interface wireless channels
# Local channel list; under CAPsMAN the channel actually used comes from the
# manager (see the "# channel:" note on wlan1 below).
add band=2ghz-b/g/n frequency=2412 list=2ghz name=ch1 width=20
add band=2ghz-b/g/n frequency=2437 list=2ghz name=ch6 width=20
add band=2ghz-b/g/n frequency=2462 list=2ghz name=ch11 width=20
/interface wireless security-profiles
# Local profiles mirroring the three CAPsMAN configurations (WPA/WPA2-PSK,
# 802.11w allowed but not required).  Passphrases are not in this export.
# With wlan1 managed by CAPsMAN these are presumably leftovers; the manager's
# security settings apply.
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=mgmt \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=bhe \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=fcq \
    supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(20dBm), SSID: Units 8 & 9, local forwarding
# The local ssid/security-profile values on wlan1 are overridden by the
# manager (see the exporter's note above).  wps-mode=disabled is good.
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
    mode=ap-bridge security-profile=mgmt ssid="Units 8 & 9" wps-mode=disabled
/ip hotspot profile
# Default hotspot profile; no hotspot is configured here.
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
# Default proposal; no IPsec peers are configured here.
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
# Default pool; no DHCP server in this export references it.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
# wlan1 and ether1 are bridged statically.  Virtual wlans created by CAPsMAN
# are not in this bridge unless the CAP's bridge= is set - which it is not in
# this config.
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether1-master
/interface ethernet switch vlan
# VLAN table entries present but all disabled: the switch chip does no VLAN
# filtering on this CAP.
add disabled=yes ports=switch1-cpu,ether1-master,ether2-slave switch=switch1
add disabled=yes ports=switch1-cpu,ether1-master,ether2-slave switch=switch1 \
    vlan-id=2
add disabled=yes ports=switch1-cpu,ether1-master,ether2-slave switch=switch1 \
    vlan-id=3
add disabled=yes ports=switch1-cpu,ether1-master,ether2-slave switch=switch1 \
    vlan-id=4
/interface wireless cap
# CAP enabled, discovering the manager on ether1.  NOTE(review): no bridge=
# (so the virtual APs have nowhere to forward - the reported fault) and no
# certificate=/lock-to-caps-man=, so any CAPsMAN answering discovery on
# ether1 can adopt this AP.
set discovery-interfaces=ether1-master enabled=yes interfaces=wlan1
/ip address
# Static management address on the untagged LAN.
add address=192.168.88.11/24 comment="default configuration" interface=\
    bridge-local network=192.168.88.0
/ip dhcp-server network
# Default DHCP network entry with no DHCP server behind it - leftover.
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
# Forwards DNS for any client to the router.  With the input chain
# effectively open (see the firewall note below) this forwarder is reachable
# from anything that can reach 192.168.88.11.
set allow-remote-requests=yes servers=192.168.88.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
# Default "router mode" firewall.  The exporter's own note below says the
# in-interface=ether1-master matcher is not possible because ether1 is a
# bridge slave (traffic arrives as bridge-local), so the only drop in the
# input chain presumably never matches and every service on this AP is
# reachable from any interface.  For a bridged CAP either remove the
# router-mode firewall (as the reset config later in the thread does) or
# match on bridge-local / a source address list instead.
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
# in/out-interface matcher not possible when interface (ether1-master) is slave - use master instead (bridge-local)
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-master
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall nat
# Masquerade left over from the default config; disabled, so harmless here.
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    yes out-interface=ether1-master
/ip ipsec policy
# Default template policy; no IPsec peers are configured.
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
# Only the cache path is set; no enabled=yes appears in this export.
set cache-path=web-proxy1
/ip route
# Default route via the router for the AP's own traffic (CAPsMAN, DNS).
add distance=1 gateway=192.168.88.1
/system clock
set time-zone-autodetect=no
/system identity
set name=BHE-mAP2n
/system leds
set 3 interface=ether1-master
/system routerboard settings
set cpu-frequency=400MHz
/tool mac-server
# MAC-telnet/MAC-Winbox on wlan1, ether2 and bridge-local: layer-2
# management access from any bridged segment, including wireless clients of
# the management SSID on wlan1.  NOTE(review): consider limiting this to the
# wired uplink.
set [ find default=yes ] disabled=yes
add interface=ether2-slave
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
# Same exposure as mac-server above, for Winbox over MAC addresses.
set [ find default=yes ] disabled=yes
add interface=ether2-slave
add interface=wlan1
add interface=bridge-local

PS. All devices are on the latest firmware and RouterOS, using CAPsMAN v2 (wireless-cm2 package enabled), and all the VLAN stuff seems to be fine, at least at the Ethernet level.

Look at this example on my website.
http://www.wirelessinfo.be/index.php/mikrotik/pages/cap2
It’s not in English, but have a look at the screenshots I made.

Thanks plisken — unfortunately I wanted local forwarding, which your config didn’t use… Still, I tried it your way and it worked, which got me wondering, so I googled a bit more and found another thread about someone having trouble with local forwarding: http://forum.mikrotik.com/t/capsman-local-forwarding-problem/84535/1. In the end all I had to change was to tell each CAP which bridge to put its wireless interfaces into (the `bridge=` parameter under `/interface wireless cap`) — its own bridge-local — instead of leaving that setting blank.

In the meantime I reset my CAPs (with a long press on the reset button until the light stopped flashing, to get them to boot in bridge/net-provision mode rather than router mode), so here is the final config on my cAP2n:

# oct/13/2015 16:42:04 by RouterOS 6.32.2
# software id = UVH6-C40P
#
# Final, working cAP2n config after a reset into bridge/net-provision mode:
# one bridge, no firewall filter, no NAT, management address via DHCP, and -
# the fix for the slave SSIDs - the CAP told which bridge to put its
# wireless interfaces into.  NOTE(review): with no firewall here, every
# management service on this AP (the `/ip service` list is not in this
# export) is reachable from anything that can reach its DHCP address; that is
# fine only while the management LAN is trusted and the router keeps the
# guest VLANs away from it.
/interface bridge
add admin-mac=E4:8D:8C:F1:54:88 auto-mac=no name=bridgeLocal
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(20dBm), SSID: Units 8 & 9, local forwarding
# The local ssid=MikroTik is overridden by the manager (exporter's note above).
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# Default hotspot profile; no hotspot is configured here.
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
# Only ether1 is a static port; per the cap bridge= setting below, wlan1 and
# the CAPsMAN-created virtual APs are put into bridgeLocal by the CAP itself.
add bridge=bridgeLocal interface=ether1
/interface wireless cap
# bridge=bridgeLocal is the change that made the slave/virtual APs forward
# client traffic with local forwarding.  NOTE(review): still no
# certificate=/lock-to-caps-man=, so this CAP trusts any CAPsMAN that answers
# discovery on ether1 - pin it once the setup is stable (if those options are
# available on this version).
set bridge=bridgeLocal discovery-interfaces=ether1 enabled=yes interfaces=wlan1
/ip dhcp-client
# Management address from the router's DHCP server on the untagged LAN.
add dhcp-options=hostname,clientid disabled=no interface=ether1
/system clock
set time-zone-name=Europe/London
/system identity
set name=BHE-cAP2n
/system leds
set 0 interface=wlan1
/system routerboard settings
set cpu-frequency=400MHz

Great, and thank you for sharing the configuration with us.