I'm really just getting started with CAPsMAN, but I managed to get a wAP managed by my CAPsMAN; both are running RouterOS 6.37.1.
Now my problem:
Routing from devices connected to the CAP to the CAPsMAN, and to the devices connected to that, works fine - so to speak, from WLAN to LAN and back works… but within the WLAN I cannot reach other devices and I don't know why.
Im sure its just a bloody noob mistake im sorry in advance, but i appreciate any help offered.
CAP-config:========================================================================
# oct/28/2016 21:14:44 by RouterOS 6.37.1
# software id = UEYY-MGMG
#
# CAP (wAP) side of the setup: a local bridge, the two radios handed over to
# CAPsMAN, and a DHCP client on ether1, the interface used to discover the manager.
/interface bridge
add admin-mac=[MAC] auto-mac=no name=bridgeLocal
# The band/frequency/ssid values set locally below are not what is on air: the
# export marks both radios "managed by CAPsMAN" and reports the channel and SSID
# pushed by the manager (2462 MHz / d9 and 5260 MHz / d9:5G).
/interface wireless
# managed by CAPsMAN
# channel: 2462/20-eC/gn(20dBm), SSID: d9, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n frequency=2437 ssid=""
# managed by CAPsMAN
# channel: 5260/20-Ceee/ac(23dBm), SSID: d9:5G, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# NOTE(review): wlan1 is a port of bridgeLocal while the radio is also run in
# "CAPsMAN forwarding" mode, where client traffic is presumably tunnelled to the
# manager instead of being bridged on the CAP - confirm this port is still wanted.
/interface bridge port
add bridge=bridgeLocal interface=wlan1
# certificate=request asks the manager for a certificate and lock-to-caps-man=yes
# pins the CAP to one manager.
# NOTE(review): the manager export in this post shows no require-peer-certificate
# setting, so the certificate is presumably not enforced on the manager side - confirm.
/interface wireless cap
#
set bridge=bridgeLocal certificate=request discovery-interfaces=ether1 enabled=\
yes interfaces=wlan1,wlan2 lock-to-caps-man=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
# NOTE(review): UPnP is enabled although this export lists no /ip upnp interfaces;
# a device acting only as a CAP probably does not need it - consider disabling.
/ip upnp
set enabled=yes
/system clock
set time-zone-name=[Somewhere]
/system identity
set name=MT-wAP_CAP01
/system routerboard settings
set cpu-frequency=720MHz protected-routerboot=disabled
CAPsMAN-config:========================================================================
# oct/28/2016 21:45:45 by RouterOS 6.37.1
# software id = Q6QN-27KK
#
# Named CAPsMAN channel definitions, all 20 MHz wide: 2.4 GHz from 2412 to
# 2462 MHz (ch01-ch11) and 5 GHz from 5180 to 5320 MHz and 5745 to 5825 MHz.
# Only 2.4_ch11 and 5.0_ch052 are referenced by the /caps-man configuration
# entries later in this export. Entries are referenced by name, so the
# out-of-order position of 2.4_ch07 is presumably harmless.
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=2.4_ch01 width=20
add band=2ghz-b/g/n frequency=2417 name=2.4_ch02 width=20
add band=2ghz-b/g/n frequency=2422 name=2.4_ch03 width=20
add band=2ghz-b/g/n frequency=2427 name=2.4_ch04 width=20
add band=2ghz-b/g/n frequency=2432 name=2.4_ch05 width=20
add band=2ghz-b/g/n frequency=2437 name=2.4_ch06 width=20
add band=2ghz-b/g/n frequency=2447 name=2.4_ch08 width=20
add band=2ghz-b/g/n frequency=2452 name=2.4_ch09 width=20
add band=2ghz-b/g/n frequency=2442 name=2.4_ch07 width=20
add band=2ghz-b/g/n frequency=2457 name=2.4_ch10 width=20
add band=2ghz-b/g/n frequency=2462 name=2.4_ch11 width=20
add band=5ghz-a/n/ac frequency=5180 name=5.0_ch036 width=20
add band=5ghz-a/n/ac frequency=5200 name=5.0_ch040 width=20
add band=5ghz-a/n/ac frequency=5220 name=5.0_ch044 width=20
add band=5ghz-a/n/ac frequency=5240 name=5.0_ch048 width=20
add band=5ghz-a/n/ac frequency=5260 name=5.0_ch052 width=20
add band=5ghz-a/n/ac frequency=5280 name=5.0_ch056 width=20
add band=5ghz-a/n/ac frequency=5300 name=5.0_ch060 width=20
add band=5ghz-a/n/ac frequency=5320 name=5.0_ch064 width=20
add band=5ghz-a/n/ac frequency=5745 name=5.0_ch149 width=20
add band=5ghz-a/n/ac frequency=5765 name=5.0_ch153 width=20
add band=5ghz-a/n/ac frequency=5785 name=5.0_ch157 width=20
add band=5ghz-a/n/ac frequency=5805 name=5.0_ch161 width=20
add band=5ghz-a/n/ac frequency=5825 name=5.0_ch165 width=20
# Manager side: LAN bridge, WAN port rename, the CAPsMAN security/configuration
# profiles, the two statically defined CAP interfaces, DHCP pool and server.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name="WAN(1)"
# WPA2-PSK only, AES-CCM for both unicast and group traffic; the passphrase was
# redacted by the poster.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=security1 passphrase=[PWD]
# Both configurations attach their clients to bridge1 and share security1.
# NOTE(review): neither entry sets datapath.client-to-client-forwarding. Per the
# MikroTik CAPsMAN documentation it defaults to "no", which keeps wireless clients
# on the same CAP interface from talking to each other - this would match the
# WLAN-to-WLAN symptom described in the post; confirm. Turning it on removes that
# isolation, so every client that knows the PSK can reach every other client directly.
/caps-man configuration
add channel=2.4_ch11 country=austria datapath.bridge=bridge1 mode=ap name=\
cfg2.4 rx-chains=0,1 security=security1 ssid=d9 tx-chains=0,1
add channel=5.0_ch052 country=austria datapath.bridge=bridge1 mode=ap name=\
cfg5.0 rx-chains=0,1 security=security1 ssid=d9:5G tx-chains=0,1
# Static CAP interfaces, one per radio, each bound to its radio by radio-mac.
/caps-man interface
add arp=enabled channel.extension-channel=eC configuration=cfg2.4 disabled=no \
l2mtu=1600 mac-address=[MAC-radio1] master-interface=none mtu=1500 \
name=CAP01_2.4 radio-mac=[MAC-radio1]
add arp=enabled configuration=cfg5.0 disabled=no l2mtu=1600 mac-address=\
[MAC-radio2] master-interface=none mtu=1500 name=CAP01_5.0 \
radio-mac=[MAC-radio2]
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.9.50-192.168.9.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
# ca-certificate=auto / certificate=auto let the manager generate its own CA and
# certificate.
# NOTE(review): require-peer-certificate is not set in this export, so a CAP
# without a valid certificate can presumably still join - confirm, and consider
# enabling it once the CAP holds the certificate it requests.
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
# This provisioning rule is disabled; the CAP interfaces above are defined statically.
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes radio-mac=[MAC-radio1]
# Only ether2-ether5 are static ports of bridge1; the CAP interfaces are not listed
# here and presumably join bridge1 dynamically through datapath.bridge - confirm.
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
# LAN addressing, WAN DHCP client, DHCP leases/network and DNS for 192.168.9.0/24.
# NOTE(review): the LAN address sits on ether2, which this export also lists as a
# port of bridge1, while the DHCP server runs on bridge1. An address on a bridge
# port instead of the bridge itself is a common source of odd L2/L3 behaviour -
# confirm whether it should be on bridge1.
/ip address
add address=192.168.9.100/24 interface=ether2 network=192.168.9.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="WAN(1)"
# The lease and static DNS entries below are placeholders redacted by the poster,
# not importable commands as written.
/ip dhcp-server lease
add address=192.168.9.XXX[SOMEFIXED-leases] server=dhcp1
/ip dhcp-server network
add address=192.168.9.0/24 gateway=192.168.9.100 netmask=24
# allow-remote-requests=yes makes the router answer DNS queries from other hosts.
# Who can reach it is decided only by the input chain, and the "Accept DNS" rules
# in the firewall filter of this export accept port 53 with no interface or
# source restriction.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.9.XXX[some-internal staic]
# Two static lists used by the filter rules in this export:
#   bogons  - matched as a destination in the forward chain ("Drop to bogon list")
#   support - matched as a source in the input chain; the whole 192.168.9.0/24 LAN
#             is in it, so every LAN host gets full access to the router itself.
# The 192.168.0.0/16 bogon entry is disabled, so the LAN range is not matched.
# NOTE(review): WAN(1) gets its address by DHCP; if the upstream network uses
# 10.0.0.0/8 or 172.16.0.0/12, forwarded traffic to those upstream hosts is dropped
# by the bogon rule - the comments on those entries already ask for that check.
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
\_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=bogons
add address=192.168.9.0/24 comment=\
"This subnet will have full access to the router" list=support
# Filter rules, evaluated top to bottom per chain; the order below is significant.
# Input ends in an unconditional drop. The forward chain has no default drop.
/ip firewall filter
add action=drop chain=forward comment=noNET@all disabled=yes
# Drops all forwarded traffic sourced from the NAS's MAC address.
add action=drop chain=forward comment="GDRY noNET" src-mac-address=\
[MAC-of-NAS]
# LAN hosts (support list) arriving on any interface except WAN(1) are accepted
# here, so the input rules below only ever see WAN-side or non-support traffic.
add action=accept chain=input comment="Full access to SUPPORT address list" \
in-interface="!WAN(1)" src-address-list=support
# Detection/penalty rules keyed on per-source (/32) TCP connection counts and on
# port-scan detection; offenders are placed on timed address lists.
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 protocol=tcp src-address-list=DoS_attack
add action=add-src-to-address-list address-list=DoS_attack \
address-list-timeout=1d chain=input comment="detect DoS attack" \
connection-limit=10,32 protocol=tcp
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
add action=drop chain=input comment=\
"Block all access to the winbox - except to support list" dst-port=8291 \
protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
# NOTE(review): nothing in this export populates the "spammers" list, so this
# rule presumably never matches - confirm.
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
# NOTE(review): the two DNS rules have no in-interface or source restriction, and
# /ip dns has allow-remote-requests=yes, so the router answers DNS queries arriving
# on WAN(1) as well - an open resolver that can be abused for amplification.
# "port=53" also matches on source port, so any packet sent from port 53 is
# accepted. LAN clients are already covered by the support-list rule above;
# restricting these with in-interface="!WAN(1)" (or removing them) closes this.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept established connections" \
connection-state=established
add action=accept chain=input comment="Accept related connections" \
connection-state=related
# Default deny for traffic addressed to the router itself.
# NOTE(review): the forward chain has no matching default drop and no
# connection-state rules; apart from the NAS, bogon, spammers and ICMP rules,
# everything routed through the box is forwarded, including new connections
# arriving on WAN(1) - confirm that is intended.
add action=drop chain=input comment="Drop anything else!"
# ICMP chain: rate-limited accepts for selected ICMP types. The unlimited
# variants and the first drop are disabled; anything unmatched or over the limit
# reaches the final "Drop to the other ICMPs" rule.
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=\
0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=\
3:3 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=\
3:4 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=\
8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" \
icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=yes \
protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=yes icmp-options=\
0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=yes \
icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=yes \
icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 \
protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# The router's own outgoing ICMP goes through the same chain, so it is subject to
# the same rate limits and final drop.
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
# Source NAT for everything leaving through WAN(1).
/ip firewall nat
add action=masquerade chain=srcnat out-interface="WAN(1)"
# H.323 and PPTP connection-tracking helpers are switched off.
/ip firewall service-port
set h323 disabled=yes
set pptp disabled=yes
# Management services: telnet, api and api-ssl are off, www-ssl is on.
# NOTE(review): ftp, ssh, www and winbox do not appear here, so they are presumably
# at their defaults, and no address= restriction is shown for any service; access
# control then rests entirely on the input chain of the firewall. No certificate
# for www-ssl is visible in this export either - confirm one is assigned.
/ip service
set telnet disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): UPnP lets LAN hosts request port mappings on the router without
# authentication. Only an internal interface is defined in this export (no
# external one is shown) - consider disabling UPnP if nothing on the LAN needs it.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=mt
/system package update
set channel=bugfix
# The default (all-interface) MAC server entries are disabled; MAC-Winbox is
# re-enabled for bridge1 only, i.e. the LAN side.
/tool mac-server
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge1
=======================================================================
I know the firewall rules are a mess, but I didn't have time to properly sort things out.
But i still dont get it:
Devices on the CAP as well as on the CAPsMAN are both part of the same bridge, so they all should be able to communicate with each other.
HELP!!! thanks in advance