CAPsMAN, RB4011-RB960PGS-cAP AX/wAP ac

I need some VLAN help. I run a router with 2 VLANs: 50 (HOME) and 51 (Guests). I use CAPsMAN to manage my 2 cAP AX and 1 wAP ac.

One cAP AX is connected to the RB4011 directly, the second (and the wAP ac) are connected through the RB960PGS.
All devices are connected through trunk ports (VLAN 50 and 51).
Relevant config:

RB4011

# 2024-08-10 12:40:42 by RouterOS 7.16rc1
# software id = 3EBJ-1MI6
#
# model = RB4011iGS+
# serial number = redacted
/interface bridge
add admin-mac=redacted auto-mac=no ingress-filtering=no name=bridge-LAN priority=0 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] name=ether2-trunk-eetkamer
set [ find default-name=ether3 ] name=ether3-printer
set [ find default-name=ether4 ] name=ether4-nassie
set [ find default-name=ether5 ] name=ether5-nassie
set [ find default-name=ether6 ] name=ether6-solar
set [ find default-name=ether7 ] name=ether7-hue
set [ find default-name=ether8 ] name=ether8-tv-boven
set [ find default-name=ether9 ] name=ether9-trunk-woonkamer
set [ find default-name=ether10 ] name=ether10-ap-boven
set [ find default-name=sfp-sfpplus1 ] name=sfp1-WAN
/interface vlan
add interface=bridge-LAN name=GUEST_VLAN vlan-id=51
add interface=bridge-LAN name=HOME_VLAN vlan-id=50
/interface bridge port
add bridge=bridge-LAN interface=ether2-trunk-eetkamer internal-path-cost=10 path-cost=10
add bridge=bridge-LAN interface=ether3-printer internal-path-cost=10 path-cost=10 pvid=50
add bridge=bridge-LAN interface=ether10-ap-boven internal-path-cost=10 path-cost=10
add bridge=bridge-LAN interface=ether7-hue internal-path-cost=10 path-cost=10 pvid=50
add bridge=bridge-LAN interface=ether8-tv-boven internal-path-cost=10 path-cost=10 pvid=50
add bridge=bridge-LAN interface=LCAP_DS1019+ internal-path-cost=10 path-cost=10 pvid=50
add bridge=bridge-LAN interface=ether9-trunk-woonkamer internal-path-cost=10 path-cost=10
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether2-trunk-eetkamer,ether9-trunk-woonkamer,ether10-ap-boven untagged=ether3-printer,ether7-hue,ether8-tv-boven,LCAP_DS1019+ vlan-ids=50
add bridge=bridge-LAN tagged=bridge-LAN,ether2-trunk-eetkamer,ether9-trunk-woonkamer,ether10-ap-boven vlan-ids=51
/interface wifi capsman
set enabled=yes interfaces=bridge-LAN package-path=/packages require-peer-certificate=no upgrade-policy=none

RB960PGS

# aug/10/2024 12:37:31 by RouterOS 6.49.13
# software id = R7TG-X42S
#
# model = 960PGS
# serial number = redacted
/interface bridge
add admin-mac=redacted auto-mac=no name=bridge-lan priority=0x4000
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] name=ether2-tv
set [ find default-name=ether3 ] name=ether3-nuc
set [ find default-name=ether4 ] name=ether4-amp
set [ find default-name=ether5 ] name=ether5-ap-beneden poe-out=forced-on
set [ find default-name=sfp1 ] disabled=yes
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=50 vlan-mode=secure
set 2 default-vlan-id=50 vlan-mode=secure
set 3 default-vlan-id=50 vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-lan interface=ether1-trunk
add bridge=bridge-lan interface=ether2-tv
add bridge=bridge-lan interface=ether3-nuc
add bridge=bridge-lan interface=ether4-amp
add bridge=bridge-lan interface=ether5-ap-beneden
/ip neighbor discovery-settings
set discover-interface-list=all
/interface ethernet switch vlan
add independent-learning=no ports=ether1-trunk,ether2-tv,ether3-nuc,ether4-amp,ether5-ap-beneden switch=switch1 vlan-id=50
add independent-learning=no ports=ether1-trunk,ether5-ap-beneden switch=switch1 vlan-id=51
add independent-learning=yes ports=ether1-trunk,ether5-ap-beneden switch=switch1 vlan-id=1

My question: On the RB960PGS I have to add the VLAN ID 1 (which makes sense) and have to set independent-learning enabled to be able to manage the CAP. Is this the way it should be configured? As I don’t do anything with VLAN ID 1 on the router explicitly.

Unless you configure a management VLAN on the RB4011, the RB960PGS and the APs, VLAN1 as a means of access to the APs should suffice.

As a side note, please consider enabling ingress-filtering and configuring frame-types on the RB4011 ports as follows:

frame-types=allow-only-vlan-tagged for trunk ports (except for the RB960PGS facing one due to its hybrid nature)
frame-types=allow-only-untagged-and-priority-tagged for access ports
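The port hardening suggested above, applied to the RB4011 bridge ports from the export in the thread. This is an added example, not code from the thread or from MikroTik: it classifies each bridge port as access (it has a pvid), trunk (no pvid) or hybrid (the port that faces the RB960PGS, which carries untagged VLAN 1 next to tagged 50/51), and emits the matching `/interface bridge port set` commands. RouterOS spells the two restrictive values `admit-only-vlan-tagged` and `admit-only-untagged-and-priority-tagged`. Which ether port faces the RB960PGS is not stated in the thread, so `ether9-trunk-woonkamer` is used below as an assumed stand-in; the port list itself is a constructed copy of the posted export.

```python
import shlex

# Constructed sample: the /interface bridge port section of the RB4011 export posted in the thread.
RB4011_BRIDGE_PORTS = """
/interface bridge port
add bridge=bridge-LAN interface=ether2-trunk-eetkamer internal-path-cost=10 path-cost=10
add bridge=bridge-LAN interface=ether3-printer internal-path-cost=10 path-cost=10 pvid=50
add bridge=bridge-LAN interface=ether10-ap-boven internal-path-cost=10 path-cost=10
add bridge=bridge-LAN interface=ether7-hue internal-path-cost=10 path-cost=10 pvid=50
add bridge=bridge-LAN interface=ether8-tv-boven internal-path-cost=10 path-cost=10 pvid=50
add bridge=bridge-LAN interface=LCAP_DS1019+ internal-path-cost=10 path-cost=10 pvid=50
add bridge=bridge-LAN interface=ether9-trunk-woonkamer internal-path-cost=10 path-cost=10
"""

# frame-types value per port role (these are the real RouterOS option values)
FRAME_TYPES = {
    "access": "admit-only-untagged-and-priority-tagged",
    "trunk": "admit-only-vlan-tagged",
    "hybrid": "admit-all",  # untagged VLAN 1 plus tagged VLANs must both pass
}


def parse_section(export_text, section):
    """Return one key=value dict per add/set line under the given RouterOS export section."""
    entries, current, pending = [], None, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # RouterOS wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # section header such as "/interface bridge port"
            current = line
            continue
        if current != section:
            continue
        tokens = shlex.split(line)       # handles quoted values like comment="Kitchen AP"
        if tokens and tokens[0] in ("add", "set"):
            entries.append({k: v for k, v in (t.split("=", 1) for t in tokens[1:] if "=" in t)})
    return entries


def harden_bridge_ports(export_text, hybrid_ports=()):
    """Classify each bridge port and build the ingress-filtering / frame-types commands.

    Returns (roles, commands): roles maps interface name -> access|trunk|hybrid,
    commands is the list of RouterOS lines to apply.
    """
    roles, commands = {}, []
    for entry in parse_section(export_text, "/interface bridge port"):
        iface = entry["interface"]
        if iface in hybrid_ports:
            role = "hybrid"
        elif "pvid" in entry:            # an access port is the one with a PVID in the export
            role = "access"
        else:
            role = "trunk"
        roles[iface] = role
        commands.append(
            f"/interface bridge port set [ find interface={iface} ] "
            f"ingress-filtering=yes frame-types={FRAME_TYPES[role]}"
        )
    return roles, commands


if __name__ == "__main__":
    # Assumption: ether9-trunk-woonkamer is the port towards the RB960PGS (not stated in the thread).
    roles, commands = harden_bridge_ports(RB4011_BRIDGE_PORTS, hybrid_ports=("ether9-trunk-woonkamer",))
    for cmd in commands:
        print(cmd)
```

Review the generated lines before pasting them into a terminal session: with `ingress-filtering=yes` a trunk port drops every frame that is not tagged with a VLAN the port is a member of in `/interface bridge vlan`, so a device that was relying on untagged VLAN 1 on such a port loses connectivity the moment the command is applied.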

Yeah…so it seems. The question remains…why should I add “independent-learning=yes” for VLAN 1 on the switch?

And thanks for the addition, I added this indeed.

Perhaps it’s an arising conflict between VLAN 1 and 51 because they both have analogous configuration (same ports, none of which has untagged traffic) and at least one common MAC address is learned by both of them.

Bringing this topic back to life. I made all the adjustments to get rid of the VLAN ID = 1 necessity.
All is working well, except for wireless and VLAN.

For some reason I see in ARP and DHCP (leases) that wireless clients do sometimes get both IP addresses from the HOME or Guest VLAN AND the MGT VLAN. Showing 192.168.99.xxx address with interface HOME_VLAN and/or GUEST_VLAN, while this should only be assigned on the MGT_VLAN.

Any directions on debugging this situation are very welcome!

Where both cAP XL ac are replaced by the cAP AX.

erlinden,

Here is the export for that switch at the kitchen in my 60GHz success post.

/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether4 ] comment="Kitchen AP" name=ether4-BMFAP
set [ find default-name=ether5 ] comment=WAP60G name=ether5-PtP
/interface ethernet switch port
set 0 default-vlan-id=254 vlan-mode=secure
set 1 default-vlan-id=254 vlan-mode=secure
set 2 default-vlan-id=1 vlan-mode=secure
set 3 default-vlan-id=1 vlan-mode=secure
set 4 default-vlan-id=1 vlan-mode=secure
set 5 default-vlan-id=1 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4-BMFAP
add bridge=bridge interface=ether5-PtP
add bridge=bridge disabled=yes interface=sfp1
/interface ethernet switch vlan
add independent-learning=no ports=ether3,ether4-BMFAP,ether5-PtP,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=no ports=ether3,ether4-BMFAP,ether5-PtP,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether3,ether4-BMFAP,ether5-PtP,switch1-cpu switch=switch1 vlan-id=69
add independent-learning=no ports=ether3,ether4-BMFAP,ether5-PtP,switch1-cpu switch=switch1 vlan-id=192
add independent-learning=no ports=ether1,ether2,ether3,ether4-BMFAP,ether5-PtP,switch1-cpu switch=switch1 vlan-id=254
/ip dhcp-client
add interface=bridge
/snmp
set enabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=Markoff_Kitchen_Switch
/system logging
add topics=poe-out
/system note
set show-at-login=no
/tool romon
set enabled=yes

It's set up so 5 is the uplink.

But in the event of a blow out on that side of the farm… they can hook up the old System to Port 1 and connect something to port 2 in the same subnet.

The only thing I see in your config that jumps out at me is the independent-learning value.

Thanks gotsprings!

Another difference I notice is that you have switch1-cpu added to all your /interface ethernet switch vlan entries.
May I ask what the purpose of that is?

Probably because it wasn’t working until I added that.

Ok, I have adjusted as you configured it and removed the learning part.
Will monitor if this is of any help…thanks!

If using /interface/ethernet/switch config subtree for wired VLANs, then it's necessary to add all VLANs, somehow handled by CPU, to switchX-cpu switch port. Which includes VLANs for wifi interfaces. The reason is that ROS doesn't implicitly handle anything in this configuration subtree ... on the other hand, from switch chip point of view switchX-cpu is "yet another switch port" (albeit its default name doesn't fit the etherX naming convention) and has to be properly manually set up just like other switch ports.

Unlike bridge, which is overloaded with multiple functionalities ... one being "CPU facing switch port" and another being "switch facing CPU interface", switchX-cpu is simply "CPU facing switch port" (bridge interface remains the "switch facing CPU interface") ... and wifi ports are added to bridge (the third personality, the switch-like entity), so in this case switchX-cpu port acts as (trunk) interconnect between switch chip and (software) bridge. And has to be configured as such.
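The membership rule mkx describes (every VLAN that the CPU has to handle, wifi VLANs included, must list `switchX-cpu` as a member port) and the earlier hypothesis about VLAN 1 and 51 sharing an identical port set can both be checked mechanically against an export. The following audit script is an added example, not code from the thread or from MikroTik. It parses the `/interface ethernet switch vlan` section and reports VLANs that lack the CPU port, VLANs with independent-learning enabled, and groups of VLANs whose port sets are identical. The two embedded exports are constructed copies of the RB960PGS table posted at the start of the thread and of the later switch-buiten table; the script assumes every VLAN in the table is CPU-handled, which holds for this setup (CAPsMAN-managed APs hanging off the switch) but not for a pure layer-2 switch where some VLANs never need to reach the CPU.

```python
import shlex

# Constructed sample: the RB960PGS switch VLAN table as posted at the start of the thread.
RB960_SWITCH_VLANS = r"""
/interface ethernet switch vlan
add independent-learning=no ports=ether1-trunk,ether2-tv,ether3-nuc,ether4-amp,ether5-ap-beneden switch=switch1 vlan-id=50
add independent-learning=no ports=ether1-trunk,ether5-ap-beneden switch=switch1 vlan-id=51
add independent-learning=yes ports=ether1-trunk,ether5-ap-beneden switch=switch1 vlan-id=1
"""

# Constructed sample: the reworked switch-buiten table (note the backslash line wrap RouterOS emits).
SWITCH_BUITEN_VLANS = r"""
/interface ethernet switch vlan
add independent-learning=no ports=\
    ether1-trunk,ether3-ap-buiten,ether4-schuur,switch1-cpu switch=switch1 vlan-id=50
add independent-learning=no ports=ether1-trunk,ether3-ap-buiten,switch1-cpu switch=switch1 vlan-id=51
add independent-learning=no ports=ether1-trunk,ether2-camera-rechts,ether5-camera-links,switch1-cpu switch=switch1 vlan-id=52
add independent-learning=no ports=ether1-trunk,ether3-ap-buiten,switch1-cpu switch=switch1 vlan-id=99
"""


def parse_section(export_text, section):
    """Return one key=value dict per add/set line under the given RouterOS export section."""
    entries, current, pending = [], None, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # RouterOS wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # section header such as "/interface ethernet switch vlan"
            current = line
            continue
        if current != section:
            continue
        tokens = shlex.split(line)
        if tokens and tokens[0] in ("add", "set"):
            entries.append({k: v for k, v in (t.split("=", 1) for t in tokens[1:] if "=" in t)})
    return entries


def audit_switch_vlans(export_text, cpu_port="switch1-cpu"):
    """Audit the switch-chip VLAN table and return a dict of findings.

    missing_cpu:          VLAN IDs that do not include the CPU-facing switch port
    independent_learning: VLAN IDs with independent-learning=yes
    duplicate_port_sets:  groups of VLAN IDs whose member ports (CPU port aside) are identical
    """
    findings = {"missing_cpu": [], "independent_learning": [], "duplicate_port_sets": []}
    by_ports = {}
    for entry in parse_section(export_text, "/interface ethernet switch vlan"):
        vid = int(entry["vlan-id"])
        ports = frozenset(entry["ports"].split(","))
        if cpu_port not in ports:        # the VLAN never reaches the software bridge / CPU
            findings["missing_cpu"].append(vid)
        if entry.get("independent-learning") == "yes":
            findings["independent_learning"].append(vid)
        by_ports.setdefault(ports - {cpu_port}, []).append(vid)
    for vids in by_ports.values():
        if len(vids) > 1:
            findings["duplicate_port_sets"].append(sorted(vids))
    return findings


if __name__ == "__main__":
    for name, export in (("RB960PGS (original)", RB960_SWITCH_VLANS), ("switch-buiten (reworked)", SWITCH_BUITEN_VLANS)):
        print(name, audit_switch_vlans(export))
```

On the original RB960PGS table the script reports all three VLANs as missing `switch1-cpu` and flags VLAN 1 and 51 as sharing one port set, which is exactly the combination discussed above; on the reworked table no VLAN is missing the CPU port, and the remaining duplicate (51 and 99 on the trunk and the AP port) is informational only, since identical port sets are harmless once the CPU port is present and learning is consistent.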

Thanks as well, @mkx. Really appreciate your help!

This is my current config:

/interface bridge
add admin-mac=xxxxxxxxxxxx auto-mac=no name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] name=ether2-camera-rechts
set [ find default-name=ether3 ] name=ether3-ap-buiten
set [ find default-name=ether4 ] name=ether4-schuur
set [ find default-name=ether5 ] name=ether5-camera-links
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge-lan name=MGT-VLAN vlan-id=99
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=52 vlan-mode=secure
set 2 default-vlan-id=99 vlan-mode=secure
set 3 default-vlan-id=50 vlan-mode=secure
set 4 default-vlan-id=52 vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-lan interface=ether1-trunk
add bridge=bridge-lan interface=ether2-camera-rechts
add bridge=bridge-lan interface=ether3-ap-buiten
add bridge=bridge-lan interface=ether4-schuur
add bridge=bridge-lan interface=ether5-camera-links
/ip neighbor discovery-settings
set discover-interface-list=all
/interface ethernet switch vlan
add independent-learning=no ports=\
    ether1-trunk,ether3-ap-buiten,ether4-schuur,switch1-cpu switch=switch1 vlan-id=50
add independent-learning=no ports=ether1-trunk,ether3-ap-buiten,switch1-cpu switch=switch1 vlan-id=51
add independent-learning=no ports=ether1-trunk,ether2-camera-rechts,ether5-camera-links,switch1-cpu switch=switch1 vlan-id=52
add independent-learning=no ports=ether1-trunk,ether3-ap-buiten,switch1-cpu switch=switch1 vlan-id=99
/ip dhcp-client
add disabled=no interface=MGT-VLAN
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=switch-buiten
/system ntp client
set enabled=yes
/system package update
set channel=long-term

Though it seems to be working better, VLAN assignment on the wifi-qcom-ac seems to be broken: the guest interfaces are dynamically created instead of using the interfaces with the VLAN ID 51.

Yup, that's a known "feature" of wifi-qcom-ac ... the only way to get its interfaces part of a VLAN is to use vlan-enabled bridge and set appropriate PVID to each of wifi interfaces (real and virtual). Or (even uglier) play with a hybrid between what you have now and "one bridge per vlan" approach (which should work on CAPs in CAPsMAN environment).

I did configure it with VLAN on the bridge, and the HOME network is working perfectly with VLAN ID 50, GUEST on VLAN ID 51 isn’t (actually, it created interfaces dynamically with VLAN ID 1 for the GUEST network, hence there were MGT VLAN IP addresses assigned, as that is the untagged VLAN on eth0 of the wAP ac).

Where is the wAP AX???

Considering the "features" and "quirks" along with the actual radio performance...

I took down the wAP AC and swapped it for XV2-23T on our patios.

Removing and adding the slave interfaces did the trick…working as expected and as before.
Will stick to MikroTik longer.

WAP AX coming soon

Remember… this is my job.

Vaporware means nothing to me.

Unvetted devices don’t count either.

Lastly… I have to complete installs on time. And have been installing wifi6 indoors and outdoors since 2020.