Hi all,

I have a situation - I am not familiar with Mikrotik OS and I experience real challenges setting up my 2 Mikrotik Audience wifi mesh. I am close to return both products
The problem:
I need to extend my wifi coverage - i decided to replace my AeroHive AP230 Access Point with 2 Mikrotik Audience devices and use the mesh functionality for the spots where I cannot get ethernet cable connected to the second AP.

The current setup:
My network looks like this:

• OpnSense firewall (router) on wich I have 3 Vlans defined that will match each SSID I need (vlan id 10, 20, 30) and obviously a different DHCP network
• After the firewall, I have an ubiquity switch (Ubiquiti EdgeSwitch which is powering the AeroHive AP via POE on port 8. The switch port 8 is set as Trunk port. (acceps all 3 vlans)
• The current AP has the 3 vlans linked to each SSID (Lan_Wifi, guest_Wifi and IoT_Wifi) => clients connecting to these ssid receive IPs (dhcp) from 3 different networks.

Miktotik issue:
I am addresing only AP1 setup. The second one i didn’t even unpack
I started with setting up the first SSID - changing the default one. I added the vlan tag in the cnf and also created the vlan interface (under interfaces) & added to the bridge. It doesn’t work do receive IPs via SSID 1.
I definitely miss how this works. Can anyone explain to me how should I add Vlans to the bridges and how can I attached them to SSIDs ?

Thank you in advance.

don’t add VLAN interfaces to a bridge. and don’t create VLAN interfaces on Ethernet interfaces at all if you intend for the traffic to be bridged (rather than routed).

instead, add the Ethernet interfaces to the bridge and configure VLANs using “Bridge VLAN filtering” which is described here (with examples): https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering.

then you can create a VLAN interface attached to the bridge (/interface/vlan/add interface=mybridge name=vlan20 vlan-id=20) if you want, but if another device is providing DHCP and routing, you might not need to do that at all. L2 switching will work fine without it.

Thank you. I’ll do that.
I forgot to specify: both devices will work as AP. no routing and no dhcp (only relay)

another question - stupid maybe:
I see that the device has 3 wireless adapters - wlan1..3
I believe Wlan3 is used for mesh (CAPsMAN only), however the other 2 need to be members of the bridge?
In CAPsMAN I have 2 different interfaces and I cannot validate if these 2 are actually mapping the wlan1 and wlan2

wireless interfaces managed by CAPsMAN should not be added to the bridge manually; CAPsMAN will do that for you when it brings the interface up, including configuring the correct VLAN tags.

you can map the CAPsMAN interface to the AP’s interface name based on MAC address. for example, here is a CAPsMAN with some radios:

[admin@cr1.stm] /caps-man/radio> print
Flags: P - PROVISIONED
Columns: RADIO-MAC, INTERFACE, REMOTE-CAP-NAME, REMOTE-CAP-IDENTITY
#   RADIO-MAC          INTERFACE  REMOTE-CAP-NAME   REMOTE-CAP-IDENTITY
0 P C4:AD:34:18:B9:68  wr2.stm-1  CAP-C4AD3418B962  wr2.stm
1 P 74:4D:28:8E:70:CC  wr1.stm-1  CAP-744D288E70C6  wr1.stm
2 P 74:4D:28:8E:70:CB  wr1.stm-2  CAP-744D288E70C6  wr1.stm
3 P C4:AD:34:00:3D:A7  wr3.stm-1  CAP-C4AD34003DA1  wr3.stm
4 P 74:4D:28:8E:7A:8F  wr4.stm-1  CAP-744D288E7A89  wr4.stm

if we want to find out what interface is “wr2.stm-1”, log into that AP and run:

[admin@wr2.stm] /interface/wireless> :put [get [find where mac-address=C4:AD:34:18:B9:68] name]
wlan-5ghz

(in this case i renamed the wireless interfaces to “wlan-2.4ghz” and “wlan-5ghz”, if you didn’t do that then it would print “wlan1” or “wlan2”.)

as far as mesh goes, i’m not familiar with Audience specifically, but i understand it has three radios: low-gain 2.4GHz, low-gain 5GHz, and high-gain 5GHz. i think i would prefer to configure this so the two low-gain radios are managed by CAPsMAN and used for clients, and the high-gain 5GHz radio is not managed by CAPsMAN, instead used for a WDS mesh to interconnect the APs.

VLAN+WDS mesh configuration is like this. on all APs, configure the high-gain wireless interface (which is not managed by CAPsMAN) with the same SSID and other settings and set wds-mode=static-mesh:

/interface wireless security-profiles
add authentication-types=wpa2-psk disable-pmkid=yes name=my-mesh wpa2-pre-shared-key=XXX
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-Ce country="united kingdom" mode=ap-bridge security-profile=my-mesh ssid=XXXX wds-mode=static-mesh

now on first AP, add WDS link to second AP (using MAC address of the other AP’s WDS interface):

[admin@wr2.stm] > /interface/wireless/wds export
/interface wireless wds
add disabled=no master-interface=wlan-2.4ghz name=wr4-wds wds-address=74:4D:28:8E:7A:8E

on second AP, add WDS link to first AP:

[admin@wr4.stm] > /interface/wireless/wds export
/interface wireless wds
add disabled=no master-interface=wlan-2.4ghz name=wr2-wds wds-address=C4:AD:34:18:B9:67

check WDS link came up, it will log a message (“client connected, wants WDS”) and interface should have R flag:

[admin@wr4.stm] > /interface/wireless/wds print
Flags: X - disabled; R - running; D - dynamic
 0  R  name="wr2-wds" mtu=1500 l2mtu=1600 mac-address=74:4D:28:8E:7A:8E arp=enabled arp-timeout=auto master-interface=wlan-2.4ghz wds-address=C4:AD:34:18:B9:67

on both APs, add WDS interfaces to bridge (with VLAN filtering enabled):

[admin@wr4.stm] > /interface/bridge/port export
/interface bridge port
add bridge=lan frame-types=admit-only-vlan-tagged interface=wr2-wds

on both APs, add WDS interface as .1q tagged port in appropriate VLANs:

[admin@wr4.stm] > /interface/bridge/vlan/export
/interface bridge vlan
add bridge=lan tagged=lan,wr2-wds,wr3-wds,wr5-wds vlan-ids=100
add bridge=lan tagged=lan,wr2-wds,wr3-wds,wr5-wds vlan-ids=101
add bridge=lan tagged=lan,wr2-wds,wr3-wds,wr5-wds vlan-ids=102

now the WDS mesh acts as a .1q trunk between your APs, and tagged packets from the CAPsMAN-managed wireless interfaces will flow over WDS.

if you have 3+ APs meshed, make sure RSTP or MSTP is enabled on the bridge to avoid L2 loops. (edit: and make sure STP priority is correctly set so that the wired AP is chosen as the root bridge, otherwise your traffic flow will be weird.)

this can be a bit awkward to configure the first time. i suggest putting all the APs on your desk to set them up, and only physically install them once everything is working.

Thank you for the detailed explanation.
Much appreciated

I am too stupid to figure it out and super frustrated
so, after a factory reset I am trying to set the first SSID on AP1
By default the device is booting into Home Mesh mode and this enables by default CAPsMan
I connect it to the network (ubiquity switch trunk port) via ETH1. Seems ok as I get an ip from the corect dhcp server (serving wired connected devices and no Vlan)
So far is ok. I can access the device on the LAN IP - 172.16.10.x
all 3 wlan interfaces listed in the attached file.

Now, As CAPsMan already has a default setup, I am trying to change the default SSID into one I want to use and add a security profile as well.
/caps-man interface> print
Flags: M - master, D - dynamic, B - bound, X - disabled, I - inactive, R - running

NAME RADIO-MAC MASTER-INTERFACE

0 MDB 2ghz-MikroTik-1 2C:C8:1B:58:A2:EC none
1 MDB 5ghz-ac-MikroTik-1 2C:C8:1B:58:A2:ED none

[admin@MikroTik] /caps-man configuration> print
0 ;;; defconf
name=“cfg-2ghz” ssid=“MikroTik84A4BB-2” installation=indoor distance=indoors security=capSec datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes
channel.control-channel-width=20mhz channel.band=2ghz-b/g/n channel.extension-channel=XX
1 ;;; defconf
name=“cfg-5ghz-ac” ssid=“MikroTik84A4BB-5” installation=indoor distance=indoors security=capSec datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes channel.control-channel-width=20mhz channel.band=5ghz-a/n/ac channel.extension-channel=XXXX
2 ;;; defconf
name=“cfg-5ghz-an” ssid=“MikroTik84A4BB-5” installation=indoor distance=indoors security=capSec datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes
channel.control-channel-width=20mhz channel.band=5ghz-a/n channel.extension-channel=XX
po

Question 1:
If I change the security profile on cap interfaces am I messing with CAPsMan sync setup?
Question 2: If I add Vlan tag 10 to the bridge config I still don’t get ips from the right subnet and I also loose access to the device. not clear where to add it. I’ve seen there is a field on the cap interface config to specify Vlan id.

Question3:
Can can I add the second and the 3th SSID? From interfaces by adding a virtual one or from CAPsMan config?

apologies for the annoying questions. I really want to make this setup work and keep these devices.

is there anyone willing to have a remote session to help me config this?
I send unlimited beers

my suggestion is, don’t use QuickSet. it might be okay for simple setups, but i think it’s better to learn how to configure the device normally so you understand what’s going on. especially if the QuickSet configuration isn’t doing what you want

also, i noticed in your screenshot that you’re using the WebFig web interface. if you use the WinBox software instead, you can connect to the device over a pure L2 connection (MikroTik calls this “MAC-WinBox” and “MAC-SSH”) which means the connection will still work even if you mess up the L3 configuration. that’s pretty handy when you’re trying to configure a new device. by default i think this is only enabled on interfaces in the “LAN” interface-list, but you should change that to “all” while you’re setting it up:

/tool/mac-server/mac-winbox/set allowed-interface-list=all

If I change the security profile on cap interfaces am I messing with CAPsMan sync setup?

you can edit the CAPsMAN interfaces, but your changes will be lost if you reprovision, so you probably don’t want to do that. instead, create your new CAPsMAN configuration (security profile, channel, data path, etc.), and associate all of this with a configuration in

/caps-man/configuration

. then configure a provisioning rule in

/caps-man/provisioning

to associate each radio with the appropriate configuration. when you change the config, reprovision the radio using

/caps-man/radio/provision <number>

.

If I add Vlan tag 10 to the bridge config I still don’t get ips from the right subnet and I also loose access to the device. not clear where to add it. I’ve seen there is a field on the cap interface config to specify Vlan id.

create your bridge VLAN configuration for the wired network first and make sure all that is working before you do anything with wireless. (in fact, just disable wireless interfaces until you’ve done that.). getting wired VLANs working properly first will make it a lot easier to do VLANs in CAPsMAN afterwards, compared to setting up a non-VLAN wireless config and trying to retrofit VLANs into it.

Can can I add the second and the 3th SSID? From interfaces by adding a virtual one or from CAPsMan config?

additional SSIDs on the same radio are configured as slave configurations in the provisioning rules:

/caps-man/provisioning
add radio-mac=XX:XX:XX:XX:XX:XX action=create-dynamic-enabled master-configuration=my-main-ssid slave-configurations=my-other-ssid,my-alternative-ssid

because the slave configuration runs on the same radio as the master configuration, the radio parameters (frequency, channel width, etc.) should be the same on the master and all its slaves.

if you’re still having problems, post your whole config here using

/export hide-sensitive

so we can have a look at what might be wrong.

I will reset to factory everything and I will use a vm with windows so I can use winbox.
Thank you once again.

thank you for the details.
winbox is awsome. at least Is not disconnecting me every time I do something wrong

So far so good. AP1 works
moving to AP2 which I suppose will be automatically set via CAPsMan