CapsMan v2 -ac -ax

Hi,

I will set up a CapsMan v2 to provision many ac and ax CAP antennas.
Now I have set up a test in the lab.
Provisioning of wireless is clear, but not the datapath (provisioning of data).
The CAP should be provisioned on vlan10 from CapsMan. Data for HotSpot users on CAPs should go over vlan20. This should work on ac and ax devices.
Of course, traffic on vlan20 should be blocked from vlan10, but this is on capsman and cap on the same bridge?
Is there any example for this?

Thanks
Christian

https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-CAPsMAN-CAPVLANconfigurationexample:

First, the way VLAN is configured for ac and ax devices differs. The ac devices cannot use the vlan-id configured on datapath, and you have to make the wifi interfaces access ports to the respective VLANs manually (or, since you provision many of them, using a script).

Regarding client isolation, the datapath setting client-isolation only prevents each wireless interface itself from forwarding L2 frames from one associated STAtion to another. If two STAtions are associated to different wireless interfaces, even the 2.4 GHz one and the 5 GHz one on the same device, an L2 frame from one of them to the other is seen as an air-to-wire or wire-to-air frame by both interfaces so the client-isolation setting doesn’t affect it. To ensure mutual isolation of guest STAtions associated to different wireless interfaces, you have to use bridge filter settings that only allow traffic to/from the MAC address of the gateway router within the guest VLAN.

Hi,
thank you. qcom and qcom-ac are different.
Is it a better way to make the datapath on all CAPs directly, manually?
My config uses vlan interfaces, no bridge-vlan.

My Lab config:

capsman:

/interface bridge
add name=bridge1-hs-prov protocol-mode=none
add name=bridge2-hs-data protocol-mode=none
/interface ethernet
set [ find default-name=sfp1 ] name=sfp1-15s-ac
set [ find default-name=sfp2 ] name=sfp2-15s-ax
/interface vlan
add interface=sfp1-15s-ac name=vlan11-prov vlan-id=11
add interface=sfp2-15s-ax name=vlan11-prov2 vlan-id=11
add interface=sfp1-15s-ac name=vlan12-hs-data vlan-id=12
add interface=sfp2-15s-ax name=vlan12-hs-data2 vlan-id=12
/interface wifi security
add authentication-types="" disabled=no ft=yes name=free
/interface wifi steering
add disabled=no name=steering1 neighbor-group=hs1
/interface wifi configuration
add channel.band=5ghz-n .width=20/40mhz country=Germany datapath.client-isolation=no disabled=no name=5ghz-an security=free ssid=5ghz-an steering=steering1
add channel.band=2ghz-n .width=20/40mhz country=Germany datapath.client-isolation=no disabled=no name=2ghz-n security=free ssid=2ghz-n steering=steering1
add channel.band=2ghz-ax .width=20/40mhz country=Germany disabled=no name=2ghz-ax security=free ssid=2ghz-ax steering=steering1
add channel.band=5ghz-ax .width=20/40mhz country=Germany datapath.client-isolation=no disabled=no name=5ghz-ax security=free ssid=5ghz-ax steering=steering1
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge2-hs-data name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1-hs-prov horizon=1 interface=vlan11-prov
add bridge=bridge1-hs-prov horizon=1 interface=vlan11-prov2
add bridge=bridge2-hs-data horizon=2 interface=vlan12-hs-data
add bridge=bridge2-hs-data horizon=2 interface=vlan12-hs-data2
/interface ovpn-server server
add mac-address=FE:EF:9F:1A:2E:06 name=ovpn-server1
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=bridge1-hs-prov package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=5ghz-an slave-configurations="" supported-bands=5ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=5ghz-ax supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=2ghz-n name-format="" supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=2ghz-ax name-format="" supported-bands=2ghz-ax
/ip address
add address=192.168.88.1/24 interface=bridge2-hs-data network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system identity
set name=capsmanv2

AX_CAP:

/interface bridge
add name=bridge1-hs-data protocol-mode=none
/interface vlan
add interface=ether1 name=vlan11-prov vlan-id=11
add interface=ether1 name=vlan12-hs-data vlan-id=12
/interface wifi datapath
add bridge=bridge1-hs-data bridge-horizon=1 client-isolation=yes disabled=no name=datapath1
/interface wifi
# managed by CAPsMAN 18:FD:74:03:A1:8C%vlan11-prov, traffic processing on CAP
# mode: AP, SSID: 2ghz-n, channel: 2427/n/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=datapath1 disabled=no
# managed by CAPsMAN 18:FD:74:03:A1:8C%vlan11-prov, traffic processing on CAP
# mode: AP, SSID: 5ghz-an, channel: 5500/n/Ce/D
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=datapath1 disabled=no
/interface bridge port
add bridge=bridge1-hs-data interface=vlan12-hs-data
/interface wifi cap
set discovery-interfaces=vlan11-prov enabled=yes slaves-datapath=datapath1
/system identity
set name=15s-ax

AC-CAP

/interface bridge
add name=bridge1-hs-data protocol-mode=none
/interface vlan
add interface=ether1 name=vlan11-hs-prov vlan-id=11
add interface=ether1 name=vlan12-hs-data vlan-id=12
/interface wifi datapath
add bridge=bridge1-hs-data bridge-horizon=1 client-isolation=yes disabled=no name=datapath1
/interface wifi
# managed by CAPsMAN 18:FD:74:03:A1:8C%vlan11-hs-prov, traffic processing on CAP
# mode: AP, SSID: 2ghz-n, channel: 2447/n/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=datapath1 disabled=no
# managed by CAPsMAN 18:FD:74:03:A1:8C%vlan11-hs-prov, traffic processing on CAP
# mode: AP, SSID: 5ghz-an, channel: 5580/n/Ce/D
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=datapath1 disabled=no
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1-hs-data interface=vlan12-hs-data
/interface wifi cap
set discovery-interfaces=vlan11-hs-prov enabled=yes slaves-static=yes
/system identity
set name=15s-ac

Does this config forbid client-2-client transfer at all points?

Thanks
Christian

I never tried to configure the datapath properties on the CAP - I don’t think they override those provided from the CAPsMAN but I may be wrong. So client-isolation should be set to yes also on the CAPsMAN configuration rows, or at least not specified there. But you have to test that yourself.

The bridge horizon setting can indeed be used to isolate one wireless interface from another on the same CAP where the wireless interfaces act as access ports of the bridges. But on trunk ports to which the CAPs are connected, it would block traffic between two wireless interfaces on different CAPs in all VLANs, not just in the guest one, which may not be what you actually need. Plus it is not applicable in redundant L2 topologies (imagine an L2 ring consisting of just two CAPs and the CAPsMAN and analyse the necessary behavior when the ring is cut at one CAPsMAN port vs. when it is cut at the other CAPsMAN port).
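The bridge-filter approach mentioned earlier in the thread, applied to the CAP export above, as an added example that is not part of any poster's configuration. It assumes the bridge and VLAN interface names from the posted CAP config (bridge1-hs-data, vlan12-hs-data); the gateway MAC is a constructed placeholder.

```routeros
# Added example: run on each CAP (ac and ax alike).
# 02:00:00:00:00:01 is a constructed placeholder. Replace it with the MAC of
# the guest gateway, i.e. bridge2-hs-data (192.168.88.1) on the CAPsMAN.
# Rules match on the bridge and the uplink port only, so they do not depend
# on the names of wifi interfaces created dynamically by CAPsMAN.
/interface bridge filter

# 1. Gateway -> guests: unicast replies and the gateway's own ARP/DHCP broadcasts
add chain=forward in-bridge=bridge1-hs-data in-interface=vlan12-hs-data \
    src-mac-address=02:00:00:00:00:01/FF:FF:FF:FF:FF:FF action=accept \
    comment="guest: from gateway"

# 2. Guests -> gateway: unicast toward the uplink only
add chain=forward in-bridge=bridge1-hs-data out-interface=vlan12-hs-data \
    dst-mac-address=02:00:00:00:00:01/FF:FF:FF:FF:FF:FF action=accept \
    comment="guest: to gateway"

# 3. Guest broadcasts (ARP request, DHCP discover) may leave via the uplink,
#    but are never copied to another wifi interface on this CAP
add chain=forward in-bridge=bridge1-hs-data out-interface=vlan12-hs-data \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF action=accept \
    comment="guest: broadcast upstream"

# 4. Everything else is guest-to-guest: between wifi1 and wifi2 on this CAP,
#    or arriving over the uplink from a guest on another CAP
add chain=forward in-bridge=bridge1-hs-data action=drop \
    comment="guest: drop client-to-client"

# Check the counters after a test: rule 4 should count packets when one guest
# pings another, and rules 1-3 should count during normal browsing.
# /interface bridge filter print stats
```

These rules only see frames that pass through the bridge, so client-isolation=yes on the datapath is still what stops forwarding between two stations on the same wireless interface.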

Hi,

I want to add 20 devices “RBD22UGS-5HPacD2HnD” to the capsman v2.
Is this possible? Does this board work with CapsManV2? When installing wifi-qcom-ac, it gives me an error about insufficient resources.

regards
Christian

It works but space will be limited.
To install, it’s best to netinstall with wifi-qcom-ac.

To be even more precise - if you want it to try without netinstall, you must first uninstall the wireless package, and only then you can try to install the wifi-qcom-ac one. If even that way it still says “not enough space”, netinstall is the only possibility.

It might even be simply the best option to start with netinstall.
So you’re sure nothing is left behind eating precious space.