CAPsMAN unable to manage its own Wireless interface

I’m trying to set up a CAPsMAN. I configured the controller (RB2011) and the first CAP client (RB951Ui).

The client connects fine and is provisioned as expected

01:21:02 caps,info CAP selected CAPsMAN RB2011 (D4:CA:6D:62:FC:XX/11/0) 
01:21:05 caps,info CAP connected to RB2011 (D4:CA:6D:62:FC:XX/11/0) 
01:21:05 caps,info CAP joined RB2011 (D4:CA:6D:62:FC:XX/11/0)

But when I try to set up the controller’s own wireless interface, I get this message:

jun/11 22:44:54 caps,info CAP selected CAPsMAN RB2011 (::ffff:172.16.1.1:5246) 
jun/11 22:45:14 caps,info CAP connect to RB2011 (::ffff:172.16.1.1:5246) failed: timeout

Tried to disable all filter rules, no luck

Tried to manually specify “CAPsMAN Addresses: 127.0.0.1”, no luck; it still tries to connect to this address “::ffff:172.16.1.1”

How can I ensure it will connect using layer2 like the other client?

Thanks

/ip firewall filter
add action=accept chain=output dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
/interface wireless cap
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1





Didn’t work:


[admin@RB2011] /ip firewall filter> print terse 
 0    comment=CAP chain=output action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247 log=no log-prefix="" 
 1    comment=CAP chain=input action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247 log=no log-prefix=""



[admin@RB2011] /interface wireless cap> print
                            enabled: yes
                         interfaces: wlan
                        certificate: none
                   lock-to-caps-man: no
               discovery-interfaces: 
                 caps-man-addresses: 127.0.0.1
                     caps-man-names: 
  caps-man-certificate-common-names: 
                             bridge: bridge-local
                     static-virtual: no



11:21:59 caps,debug CAP discovery target list: 
11:21:59 caps,debug   ::ffff:127.0.0.1:5246 
11:22:02 caps,debug CAP discovery over, no results 
11:22:02 caps,debug CAP Discover->Select 
11:22:02 caps,debug CAP did not find suitable CAPsMAN 
11:22:02 caps,debug CAP Select->Sulking

I can see the connection on /ip firewall connections, but it still is unable to connect/provision.

How do you have them provisioned? Based on mac or Default 00.00.00.00.00.00? And have you tried to reboot after changing setting? Also might want to move firewall to the top of the list.
David Huizenga

you can add the log=yes option for the drop rules to see if the CAP connections are dropped by the firewall or not.

You don’t seem to have a discovery interface selected, probably because you are trying a layer3 connection.

I use:

/interface wireless cap set discovery-interfaces=bridge1 enabled=yes interfaces=wlan1

In your case it is probably bridge-local, and remove the capsman IP, then it will use L2 to find the capsman

Provisioned with default 00:00:00:00:00:00 mac address.
Remember: I have two other RB951Ui on the same network working fine. My only problem is the local interface

Both rules are IDs 0 and 1 (topmost of the list)

Thanks for your help

I will add the logging, but my only drop rules are based on WAN interfaces.

As you can see in the attached image, the connection is established, but for some reason it’s not provisioned
print.png

This was my first attempt, but it still does L3

[admin@RB2011] /interface wireless cap> print
                            enabled: yes
                         interfaces: wlan
                        certificate: none
                   lock-to-caps-man: no
               discovery-interfaces: bridge-local
                 caps-man-addresses: 
                     caps-man-names: 
  caps-man-certificate-common-names: 
                             bridge: bridge-local
                     static-virtual: no

And the corresponding log

10:36:56 system,info CAP configuration changed by admin 
10:36:58 caps,info CAP selected CAPsMAN RB2011 (::ffff:172.16.1.1:5246) 
10:37:18 caps,info CAP connect to RB2011 (::ffff:172.16.1.1:5246) failed: timeout 
10:37:18 caps,info CAP failed to join RB2011 (::ffff:172.16.1.1:5246)

On other devices on the same network it does L2 as expected


13:19:00 caps,info CAP selected CAPsMAN RB2011 (D4:CA:6D:62:FC:XX/11/0) 
13:19:03 caps,info CAP connected to RB2011 (D4:CA:6D:62:FC:XX/11/0) 
13:19:03 caps,info CAP joined RB2011 (D4:CA:6D:62:FC:XX/11/0)

Did you make sure the interface was removed from capsman ?

The only time it should be doing it by IP is if you specify the IP of the capsman when setting up the cap.

You mean from Manager > Interfaces or Bridge > Ports?

[admin@RB2011] /caps-man manager interface> print
Flags: * - default, X - disabled, D - dynamic 
 #     INTERFACE                                                                 FORBID
 0 *   all                                                                       yes   
 1     bridge-local                                                              no

the wlan interface is not assigned to the bridge-local bridge

[admin@RB2011-ESCRITORIO] /caps-man manager interface> print
Flags: * - default, X - disabled, D - dynamic 
 #     INTERFACE                                                                 FORBID
 0 *   all                                                                       no

If I allow connections on all interfaces it does work, still thru L3

[admin@RB2011] /caps-man remote-cap> print brief 
 # ADDRESS                                                NAME     STATE         RADIOS
 0 4C:5E:0C:F2:6B:XX/55937                                [4C:5... Run                1
 1 172.16.1.1/50917                                       [D4:C... Run                1
 2 4C:5E:0C:F4:A1:XX/52692                                [4C:5... Run

IMHO this is a bug.

any luck? i’m in the same situation.
the client cap (cap ac) registers fine but the only way i can get the on board (rb751g) to show up is when setting forbid=no.
i think i got this working before… but yesterday i upgraded to 6.42.3…

same bug … have 3 mikrotik devices (hap ac, 6.42.6) - two of them connect to capsman without issues but the local cap->capsman does not work

edit:
this seems to have solved the issue for me: http://forum.mikrotik.com/t/capsman-manager-cant-manage-its-own-wireless/113821/1

doesn’t solve it for me. i’ve disabled all my filter rules. no bueno.
the only way for capsman to “see” the onboard wlan is to set forbid all to no in caps manager.

Same here, added firewall rule and had to set forbid to no on all. For me this is a bug because someone upstream (wan) may try to connect to your CAPsMan (or at least know you are running it).

I think it would be logical to forbid CAPsman on all interfaces and allow it on some interfaces (especially if you only have caps coming through a single ethernet port)
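The exposure raised in the posts above can be checked from saved `print` output. This is an added example, not part of the thread or MikroTik's own tooling: it flags a manager interface table whose default `all` entry has forbid=no and lists remote CAPs that joined over IP instead of MAC. The function names and the condensed sample tables are assumptions made for the example.

```python
import re

# Sample inputs constructed from the `print` output quoted in this thread.
RESTRICTED = """Flags: * - default, X - disabled, D - dynamic
 #     INTERFACE      FORBID
 0 *   all            yes
 1     bridge-local   no
"""
OPEN = """Flags: * - default, X - disabled, D - dynamic
 #     INTERFACE      FORBID
 0 *   all            no
"""
REMOTE_CAPS = """ # ADDRESS                  NAME     STATE  RADIOS
 0 4C:5E:0C:F2:6B:XX/55937  [4C:5... Run    1
 1 172.16.1.1/50917         [D4:C... Run    1
 2 4C:5E:0C:F4:A1:XX/52692  [4C:5... Run
"""

# MAC/port form used for layer-2 CAPs; "X" allowed because the posts mask digits.
MAC_ADDR = re.compile(r"^(?:[0-9A-Fa-fX]{2}:){5}[0-9A-Fa-fX]{2}/\d+$")

def parse_manager_interfaces(text):
    """Parse `/caps-man manager interface print` rows into dicts."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or not tok[0].isdigit() or tok[-1] not in ("yes", "no"):
            continue  # flags legend, column header, blank line
        flags = "".join(tok[1:-2])
        rows.append({"interface": tok[-2], "forbid": tok[-1] == "yes",
                     "default": "*" in flags, "disabled": "X" in flags})
    return rows

def listens_everywhere(rows):
    # Assumption: the default `all` entry governs every interface that has no
    # entry of its own, so forbid=no there also admits CAPs arriving via WAN.
    return any(r["default"] and not r["forbid"] and not r["disabled"] for r in rows)

def l3_remote_caps(text):
    """Return remote-cap addresses that are IP/port rather than MAC/port."""
    hits = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0].isdigit() and not MAC_ADDR.match(tok[1]):
            hits.append(tok[1])
    return hits

if __name__ == "__main__":
    print("open to all interfaces:", listens_everywhere(parse_manager_interfaces(OPEN)))
    print("CAPs joined over IP:", l3_remote_caps(REMOTE_CAPS))
```
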

Had this working for several months now.

hAP AC2 is the main router and I wanted to add it to the cap config that it is running three cAP AC.

/interface wireless cap
set certificate=request discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2