CAPsMAN VLAN

Hi everyone,
I feel like a noob, but I’m having a difficult time setting up separate VLANs on CAPsMAN. I need you guys to help me configure CAPsMAN and CAP so the primary wlan is in VLAN10 and the virtual wlan is in VLAN30.

Setup looks similar to this: CAP → Cisco SG500 → CAPsMAN
configuration of test CAPsMAN looks like this (I can ping MNGT VLAN 111 on CAP no problem)

# CAPsMAN controller (identity RTR-test): one VLAN-aware bridge, four VLAN
# interfaces with DHCP servers, two CAPsMAN profiles (private/guest) and NAT.

# vlan-filtering=yes: the /interface bridge vlan table further down decides
# which VLAN IDs each bridge port carries.
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:20:B1:17
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:20:B1:18
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:20:B1:19
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:20:B1:1A
# vlan10 is created on bridge1, while vlan20/vlan30/vlan111 are created on
# ether1, which is also a port of bridge1 (see /interface bridge port).
# NOTE(review): a VLAN interface on a bridge port is a known RouterOS
# misconfiguration pattern; confirm whether all four belong on bridge1.
/interface vlan
add comment=kancelare interface=bridge1 name=vlan10 vlan-id=10
add comment=VoIP interface=ether1 name=vlan20 vlan-id=20
add comment=guest interface=ether1 name=vlan30 vlan-id=30
add comment=MNGT interface=ether1 name=vlan111 vlan-id=111
# Both profiles use WPA2-PSK with AES-CCM. No passphrase= value appears in
# this listing (presumably hidden or removed before posting); the private and
# guest profiles should carry different keys.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=URAD_privat
add authentication-types=wpa2-psk encryption=aes-ccm name=URAD_guest
# local-forwarding=yes: client frames are bridged on the CAP itself and tagged
# with datapath.vlan-id (10 = private, 30 = guest) instead of being tunnelled
# to this manager, so VLAN separation depends on the CAP's bridge VLAN table
# and on the switch trunk between CAP and manager.
# NOTE(review): ssid=URAD_priva differs from the profile name URAD_privat;
# confirm that is intentional.
/caps-man configuration
add country="country" datapath.bridge=bridge1 datapath.local-forwarding=\
    yes datapath.vlan-id=10 datapath.vlan-mode=use-tag mode=ap name=URAD_privat \
    security=URAD_privat ssid=URAD_priva
add country="country" datapath.bridge=bridge1 datapath.local-forwarding=\
    yes datapath.vlan-id=30 datapath.vlan-mode=use-tag mode=ap name=URAD_guest \
    security=URAD_guest ssid=URAD_guest
# Static CAP interfaces: URAD_privat is bound to the radio with MAC
# CC:2D:E0:1F:61:C5; URAD_guest is a virtual AP on top of it
# (master-interface=URAD_privat).
/caps-man interface
add configuration=URAD_privat disabled=no l2mtu=1600 mac-address=\
    CC:2D:E0:1F:61:C5 master-interface=none name=URAD_privat radio-mac=\
    CC:2D:E0:1F:61:C5 radio-name=CC2DE01F61C5
add configuration=URAD_guest disabled=no l2mtu=1600 mac-address=\
    CE:2D:E0:1F:61:C5 master-interface=URAD_privat name=URAD_guest radio-mac=\
    00:00:00:00:00:00
# vlan-mode=fallback still forwards frames whose VLAN ID is not in the switch
# VLAN table, and no /interface ethernet switch vlan entries appear in this
# listing. NOTE(review): if the switch chip is meant to enforce separation,
# vlan-mode=secure with a populated VLAN table drops unknown VLAN IDs.
/interface ethernet switch port
set 0 vlan-mode=fallback
set 4 vlan-mode=fallback
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): dhcp_pool0 and dhcp_pool1 each hold a single address (.200);
# confirm that is intended beyond this test setup.
/ip pool
add name=dhcp_pool0 ranges=192.168.10.200
add name=dhcp_pool1 ranges=192.168.20.200
add name=dhcp_pool2 ranges=192.168.30.100-192.168.30.200
add name=dhcp_pool3 ranges=192.168.111.100-192.168.111.200
# One DHCP server per VLAN interface.
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10 lease-time=1d name=\
    dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan20 lease-time=2d name=\
    dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan30 lease-time=3d name=\
    dhcp3
add address-pool=dhcp_pool3 disabled=no interface=vlan111 lease-time=4d name=\
    dhcp4
# The manager is enabled with no certificate or require-peer-certificate
# setting in this listing, so CAPs are not authenticated by certificate.
# NOTE(review): for production, consider CAPsMAN certificates and restricting
# the manager to the management VLAN via /caps-man manager interface.
/caps-man manager
set enabled=yes
# trusted=yes only takes effect when DHCP snooping is enabled on the bridge,
# which this listing does not show.
/interface bridge port
add bridge=bridge1 interface=ether1 trusted=yes
# Only bridge1 itself (the CPU port) is tagged for these VLAN IDs; ether1 is
# not listed in the VLAN table.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10,20,30,111
/ip address
add address=192.168.10.1/24 comment=employes interface=vlan10 network=\
    192.168.10.0
add address=192.168.20.1/24 comment=VoIP interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 comment=guest interface=vlan30 network=192.168.30.0
add address=192.168.111.1/24 comment=MNGT interface=vlan111 network=\
    192.168.111.0
# ether2 takes its address by DHCP and is the masquerade out-interface below
# (presumably the uplink; confirm).
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=10.1.255.1,10.1.255.2 gateway=\
    192.168.10.1
add address=192.168.20.0/24 dns-server=10.1.255.1,10.1.255.2 gateway=\
    192.168.20.1
add address=192.168.30.0/24 dns-server=10.1.255.1,10.1.255.2 gateway=\
    192.168.30.1
add address=192.168.111.0/24 dns-server=10.1.255.1,10.1.255.2 gateway=\
    192.168.111.1
# Only a srcnat masquerade rule is present; no /ip firewall filter section
# appears in this listing. As shown, the router routes between all four VLAN
# subnets, so guest (192.168.30.0/24) is separated from employees and MNGT at
# layer 2 only. NOTE(review): add forward- and input-chain filter rules if
# guest clients must not reach 192.168.10.0/24, 192.168.111.0/24 or the
# router's own management services.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
/system identity
set name=RTR-test

and this is my CAP configuration (keep in mind that I’ve basically played with the VLAN config all the time and prayed that it would work, lol)

# CAP (identity cAP-test): radio wlan1 is managed by CAPsMAN at 192.168.111.1
# and bridged locally into bridge1; management address is on VLAN 111.
# NOTE(review): the export header below includes the device serial number;
# consider removing it before sharing a configuration publicly.
# model = RouterBOARD 941-2nD
# serial number = 7DE608609BBD
# vlan-filtering=yes: the /interface bridge vlan table below decides which
# VLAN IDs each bridge port (ether1, wlan1) carries.
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(20dBm), SSID: URAD_priva, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:1F:61:C1
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:1F:61:C2
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:1F:61:C3
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    CC:2D:E0:1F:61:C4
# VLAN interfaces are created on ether1, which is also a port of bridge1.
# Only vlan111 receives an IP address in this listing; vlan10 and vlan30 have
# none here. NOTE(review): confirm vlan10/vlan30 are needed on the CAP at all.
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan30 vlan-id=30
add comment=MNGT interface=ether1 name=vlan111 vlan-id=111
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# trusted=yes only takes effect when DHCP snooping is enabled on the bridge,
# which this listing does not show. NOTE(review): if snooping is enabled
# later, the client-facing wlan1 port should not stay trusted, since the DHCP
# servers sit upstream behind ether1.
/interface bridge port
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=wlan1 trusted=yes
# Only bridge1 itself is tagged here. The poster's follow-up reports that the
# primary SSID started working once wlan1 was added as tagged to this entry.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10,30,111
# Switch-chip VLAN table: VLANs 10 and 30 include switch1-cpu, VLAN 111 lists
# ether1 only. No /interface ethernet switch port vlan-mode is set in this
# listing, so presumably this table is not being enforced; confirm.
/interface ethernet switch vlan
add ports=ether1,switch1-cpu switch=switch1 vlan-id=10
add ports=ether1,switch1-cpu switch=switch1 vlan-id=30
add ports=ether1 switch=switch1 vlan-id=111
# The CAP reaches the manager at 192.168.111.1 (the MNGT VLAN address of the
# controller) and also runs discovery on ether1. No certificate setting
# appears in this listing, so the CAP does not verify the manager's identity.
# NOTE(review): for production, consider the certificate and
# lock-to-caps-man properties so the CAP only accepts the intended manager.
/interface wireless cap
# 
set bridge=bridge1 caps-man-addresses=192.168.111.1 discovery-interfaces=ether1 \
    enabled=yes interfaces=wlan1
/ip address
add address=192.168.111.2/24 interface=vlan111 network=192.168.111.0
/system identity
set name=cAP-test

Both CAPsMAN and CAP are RB941 (but in final configuration CAPsMAN will be CRS328 and CAPs will be cAP AC)
Anyway, what I need is for clients connecting to the guest network to obtain an IP address from the VLAN30 DHCP network and for employees to obtain an IP from the VLAN10 DHCP network.
Also keep in mind that there will be some PCs connected directly to the Cisco switches via copper cable, but I don’t suppose that matters since I’m confident I’ve configured everything just fine on the Cisco switches.

Thank you guys for any advice. :slight_smile:

It’s okay guys. I’ve solved the problem. I hadn’t tagged wlan1 on the CAP device in Bridge → VLAN.
I noticed that the guest network VLAN30 (virtual AP) was dynamically added as a tagged port in Bridge → VLAN, and I even got an IP from the VLAN30 DHCP server, but the main wlan interface didn’t work. I simply added the wlan1 interface to the Bridge → VLAN entry as tagged and everything just started working.

Anyway, this might help other people that are struggling with multiple SSIDs and VLANs on CAPsMAN.