CAPsMAN VLANs not working properly

I’m having an issue with CAPsMAN and VLANs.

I have an RB4011 as a CAPsMAN manager that is also a CAP. I have 2 VLANs, vlan10 for the main network and vlan20 for the guest network. One SSID for each network, both on 2.4GHz and 5GHz. I also have a wAP up as a CAP.

The issue is that when I connect to either the Main or the Guest SSID on the 4011 itself, the client never gets a DHCP lease. When connected to the wAP with the same configuration, the issue is not present and everything works.

Here is my config:

# dec/26/2019 16:20:35 by RouterOS 6.44.6
# software id = 8LZZ-6FN1
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B8E20A5A1A11

# --- Review notes on the pasted export -----------------------------------
# This text went through a forum post: the curly quotes around "united states3"
# below look like a paste artifact (the CLI expects plain double quotes), and
# several long commands further down were wrapped onto two or three physical
# lines, presumably losing the export's line-continuation markers. It will
# not re-import verbatim.
/caps-man channel
# 2.4 GHz: the three non-overlapping 20 MHz channels (1/6/11) at tx-power=24.
# 5 GHz: 20 MHz control channel plus extension-channel=eeCe, i.e. 80 MHz wide.
# The -DFS- entries explicitly keep DFS channels selectable
# (skip-dfs-channels=no), so a radar event can force a channel move.
# The ch122 entry is named DFS-600 where its siblings say DFS-60 -- looks like
# a typo in the name only.
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=2.4-20MHz-ch11 tx-power=24
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=2.4-20MHz-ch6 tx-power=24
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=2.4-20MHz-ch1 tx-power=24
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=eeCe frequency=5785 name=5-80MHz-ch155
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=eeCe frequency=5220 name=5-80MHz-ch042
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=eeCe frequency=5300 name=5-80MHz-ch058-DFS-60 skip-dfs-channels=no
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=eeCe frequency=5700 name=5-80MHz-ch138-DFS-60 skip-dfs-channels=no
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=eeCe frequency=5540 name=5-80MHz-ch106-DFS-60 skip-dfs-channels=no
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=eeCe frequency=5620 name=5-80MHz-ch122-DFS-600 skip-dfs-channels=no
/caps-man datapath
# Both datapaths use local-forwarding=yes (the CAP, not the manager, forwards
# client traffic) and vlan-mode=use-tag (client frames carry vlan-id 10/20).
# Neither sets bridge=, so nothing here tells a local-forwarding CAP which
# bridge to put the wlan into; the only bridge reference in the export is the
# datapath.bridge=Trunk override on the RB4011 5 GHz Main CAP interface
# -- TODO confirm this is intended for the 2.4 GHz radio and the Guest APs.
# Guest keeps client-to-client-forwarding=yes, so guest clients on the same
# radio can talk to each other; a guest SSID normally wants this set to no.
add client-to-client-forwarding=yes local-forwarding=yes name=Main vlan-id=10 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=Guest vlan-id=20 vlan-mode=use-tag
/caps-man configuration
# NOTE(review): none of these four configurations references a security
# profile (no security= / security.* attributes, and no /caps-man security
# section anywhere in the export). Unless one is applied elsewhere, both the
# Main and the Guest SSID are open networks -- confirm before relying on the
# VLAN split for isolation.
add channel.band=5ghz-a/n/ac country=“united states3” datapath=Main installation=any mode=ap name=Main-5GHz ssid=Main
add channel.band=5ghz-a/n/ac country=“united states3” datapath=Guest installation=any mode=ap name=Guest-5GHz ssid=Guest
add channel.band=2ghz-b/g/n country=“united states3” datapath=Main installation=any mode=ap name=Main-2.4GHz ssid=Main
add channel.band=2ghz-b/g/n country=“united states3” datapath=Guest installation=any mode=ap name=Guest-2.4GHz ssid=Guest
/interface wireless
# The RB4011's own two radios. The export comments that follow report both as
# "managed by CAPsMAN", so the band/ssid/channel-width values in the set
# commands are the radios' standalone settings, not what is currently on air.

# managed by CAPsMAN
# channel: 5785/20-eeCe/ac(27dBm)+5210/80(27dBm), SSID: Main4011, local forwarding
# wlan1, 5 GHz. The export comment just above reports SSID Main4011 on an
# 80 MHz channel from CAPsMAN; the values here presumably only apply with CAP
# mode disabled. This is one set command that the forum wrapped after "mode=".
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=
ap-bridge secondary-channel=auto ssid=MikroTik-8CC956 wireless-protocol=802.11

# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: Main-4011, local forwarding
# wlan2, 2.4 GHz; same situation as wlan1 (the export comment above reports
# SSID Main-4011 on 2412 MHz from CAPsMAN). One set command, wrapped by the
# forum before "ssid=".
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge
ssid=MikroTik-E7A7D1 wireless-protocol=802.11
/interface bridge
# Single bridge "Trunk" with vlan-filtering=yes: VLAN membership is enforced
# by /interface bridge vlan further down, so every port that should carry
# tagged 10/20 frames -- including a wlan that CAPsMAN adds dynamically --
# has to appear in that table.
add admin-mac=74:4D:28:8C:C9:4C auto-mac=no fast-forward=no name=Trunk vlan-filtering=yes
/caps-man interface
# Master (physical radio) CAP interfaces, named by the provisioning rules
# (name-format=identity). The forum wrapped several of these "add" commands
# across two or three physical lines; each entry is a single command.
# RB4011 2.4 GHz Main: overrides only the SSID (Main-4011); no datapath
# override, so it inherits datapath Main, which names no bridge.
add configuration=Main-2.4GHz configuration.ssid=Main-4011 disabled=no l2mtu=1600 mac-address=B8:69:F4:E7:A7:D1 master-interface=none name=
Walling-RB4011-2.4GHz-Main radio-mac=B8:69:F4:E7:A7:D1 radio-name=B869F4E7A7D1
# RB4011 5 GHz Main: the only interface in the export that overrides
# datapath.bridge=Trunk (plus datapath.vlan-mode=use-tag). Its SSID override
# is "Main4011" (no hyphen) while the 2.4 GHz one is "Main-4011" -- two
# different SSIDs, so clients won't treat the bands as one network.
add channel=5-80MHz-ch155 configuration=Main-5GHz configuration.installation=any configuration.ssid=Main4011 datapath.bridge=Trunk datapath.vlan-mode=
use-tag disabled=no l2mtu=1600 mac-address=74:4D:28:8C:C9:56 master-interface=none name=Walling-RB4011-5GHz-Main radio-mac=74:4D:28:8C:C9:56 radio-name=
744D288CC956
# wAP radios: no datapath override either. The wAP's own bridge/VLAN
# configuration is not part of this export.
add channel=2.4-20MHz-ch11 configuration=Main-2.4GHz configuration.installation=outdoor disabled=no l2mtu=1600 mac-address=B8:69:F4:F8:FB:BE
master-interface=none name=Walling-wAP-2.4GHz-Main radio-mac=B8:69:F4:F8:FB:BE radio-name=B869F4F8FBBE
add channel=5-80MHz-ch042 configuration=Main-5GHz disabled=no l2mtu=1600 mac-address=B8:69:F4:F8:FB:BD master-interface=none name=Walling-wAP-5GHz-Main
radio-mac=B8:69:F4:F8:FB:BD radio-name=B869F4F8FBBD
/interface vlan
# Routed VLAN interfaces on top of the bridge. They only see traffic because
# the bridge itself is listed as a tagged member of VLAN 10 and 20 in
# /interface bridge vlan below.
add comment=Main interface=Trunk name=vlan10 vlan-id=10
add comment=Guest interface=Trunk name=vlan20 vlan-id=20
/caps-man interface
# Guest virtual APs (master-interface= set, radio-mac=00:00:00:00:00:00),
# created from the slave-configurations of the provisioning rules. None of
# them overrides datapath.bridge, so they depend entirely on datapath Guest.
# As with Main, the SSID overrides differ between bands (Guest-4011 on
# 2.4 GHz, Guest4011 on 5 GHz).
add configuration=Guest-2.4GHz configuration.ssid=Guest-4011 disabled=no l2mtu=1600 mac-address=BA:69:F4:E7:A7:D1 master-interface=
Walling-RB4011-2.4GHz-Main name=Walling-RB4011-2.4GHz-Guest radio-mac=00:00:00:00:00:00 radio-name=BA69F4E7A7D1
add configuration=Guest-5GHz configuration.ssid=Guest4011 disabled=no l2mtu=1600 mac-address=76:4D:28:8C:C9:56 master-interface=Walling-RB4011-5GHz-Main
name=Walling-RB4011-5GHz-Guest radio-mac=00:00:00:00:00:00 radio-name=764D288CC956
add configuration=Guest-2.4GHz configuration.installation=outdoor disabled=no l2mtu=1600 mac-address=BA:69:F4:F8:FB:BE master-interface=
Walling-wAP-2.4GHz-Main name=Walling-wAP-2.4GHz-Guest radio-mac=00:00:00:00:00:00 radio-name=BA69F4F8FBBE
add configuration=Guest-5GHz disabled=no l2mtu=1600 mac-address=BA:69:F4:F8:FB:BD master-interface=Walling-wAP-5GHz-Main name=Walling-wAP-5GHz-Guest
radio-mac=00:00:00:00:00:00 radio-name=BA69F4F8FBBD
/interface ethernet switch port
# default-vlan-id=0 on every switch port (the default, i.e. no PVID assigned
# by the switch chip); VLAN handling is left to the bridge.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# Three interface lists. In this export only ether1 is a member of any of
# them (Internet); Trusted and Guest are empty, so the /tool mac-server
# settings that allow "Trusted" currently permit MAC-telnet/MAC-WinBox on no
# interface at all -- check whether that is intended.
add name=Internet
add name=Trusted
add name=Guest
/interface wireless security-profiles
# Only the default wireless security profile exists and it sets just
# supplicant-identity; there is no WPA configuration here and no
# /caps-man security entry in the export. Nothing shown encrypts either
# SSID -- TODO confirm a security profile is applied somewhere.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=“Trunk DHCP” ranges=192.168.88.10-192.168.88.254
add name=“Main DHCP” ranges=192.168.10.50-192.168.10.250
add name=“Guest DHCP” ranges=192.168.20.50-192.168.20.250
/ip dhcp-server
# One DHCP server per L3 segment. "Trunk" serves the bridge interface itself,
# i.e. the untagged (management, 192.168.88.0/24) side: any untagged device on
# ether6-10 receives a management-network lease -- TODO confirm that is wanted.
add address-pool=“Trunk DHCP” disabled=no interface=Trunk name=Trunk
add address-pool=“Main DHCP” disabled=no interface=vlan10 lease-time=6h name=Main
add address-pool=“Guest DHCP” disabled=no interface=vlan20 name=Guest
/caps-man manager
# Manager with auto-generated CA and certificate; CAPs request their
# certificate from it (certificate=request on the CAP below).
# require-peer-certificate is not set, so the manager also accepts CAPs that
# present no certificate; consider require-peer-certificate=yes once every
# CAP holds one, so a rogue device on the management network cannot enrol.
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
# One rule per band (hw-supported-modes a / gn): Main as master, Guest as a
# slave virtual AP, CAP interfaces named after each CAP's identity.
add action=create-enabled hw-supported-modes=a master-configuration=Main-5GHz name-format=identity slave-configurations=Guest-5GHz
add action=create-enabled hw-supported-modes=gn master-configuration=Main-2.4GHz name-format=identity slave-configurations=Guest-2.4GHz
/interface bridge port
# ether6-10 are the only static bridge ports (ether2-5 are not bridged at
# all). wlan1/wlan2 are not added here; with CAPsMAN local forwarding the CAP
# is expected to add them dynamically.
add bridge=Trunk interface=ether6
add bridge=Trunk interface=ether7
add bridge=Trunk interface=ether8
add bridge=Trunk interface=ether9
add bridge=Trunk interface=ether10
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) off on every interface, so the router
# does not advertise itself toward the guest VLAN or the WAN.
set discover-interface-list=none
/interface bridge vlan
# VLAN 10 and 20 are tagged on the bridge itself (needed for vlan10/vlan20)
# and on ether6-10. No wireless interface is listed as a tagged member. A CAP
# wlan that injects frames tagged 10/20 into Trunk is subject to this same
# table, and the RB4011's own radios are exactly where DHCP fails -- worth
# checking /interface bridge vlan print and /interface bridge port print on
# the running router to see whether wlan1/wlan2 actually show up as tagged
# members, and adding them here if they do not.
# The vlan-ids=1 entry lists no ports; untagged management traffic rides on
# the ports' default pvid 1.
add bridge=Trunk tagged=Trunk,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
add bridge=Trunk tagged=Trunk,ether6,ether7,ether8,ether9,ether10 vlan-ids=20
add bridge=Trunk vlan-ids=1
/interface list member
# The only list membership in the export: ether1 is the WAN interface.
add interface=ether1 list=Internet
/interface wireless cap

# The RB4011 as its own CAP, reaching the manager over L3 at the management
# address (caps-man-addresses) while also running L2 discovery on Trunk.
# No bridge= is set: with local forwarding it is the CAP side that has to
# put wlan1/wlan2 into a bridge, and the datapaths above name no bridge
# either. (The later export in this thread sets bridge=Trunk and drops
# discovery-interfaces.)
set caps-man-addresses=192.168.88.1 certificate=request discovery-interfaces=Trunk enabled=yes interfaces=wlan1,wlan2
/ip address
# Router addresses: .88.1 on the untagged bridge (management), .10.1 and .20.1
# on the VLAN interfaces; each is the DHCP gateway for its segment.
add address=192.168.88.1/24 interface=Trunk network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
/ip dhcp-client
# WAN address from the upstream DHCP on ether1 (default-config entry).
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
# Clients on all three segments are handed Quad9 (9.9.9.9/149.112.112.112)
# as DNS, not the router.
add address=192.168.10.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=192.168.20.1
add address=192.168.88.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=192.168.88.1
/ip dns
# The router resolves via 8.8.8.8 and answers queries from others
# (allow-remote-requests=yes). Exposure is bounded by the input chain below:
# only sources in the Trusted address list are accepted and everything else,
# WAN included, hits the final input drop. Minor inconsistency: the router
# uses Google DNS while DHCP clients are pointed at Quad9.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Address lists used by the filter rules. "Trusted" here (88.0/24 and
# 10.0/24) is an address list and has nothing to do with the /interface list
# of the same name; "Trunk" and "Main" are only used as reject targets.
add address=192.168.88.0/24 list=Trusted
add address=192.168.10.0/24 list=Trusted
add address=192.168.10.0/24 list=Main
add address=192.168.20.0/24 list=Guest
add address=192.168.88.0/24 list=Trunk
/ip firewall filter
# input chain, in order: accept established/related/untracked, drop invalid,
# accept ICMP from anywhere (WAN included, so the router answers pings on
# ether1), accept to 127.0.0.1 (the CAP and the manager on the same box talk
# over loopback), accept sources in the Trusted address list, drop the rest.
# NOTE(review): the "Accept from Trusted" rule matches on source address
# only, not on ingress interface, so a frame on vlan20 carrying a
# 192.168.10.x / 192.168.88.x source is accepted as trusted too. Pinning the
# rule with in-interface-list (or enabling /ip settings rp-filter=strict so
# sources that don't belong on the ingress interface are dropped) closes
# that gap.
add action=accept chain=input comment=“Accept related, established, untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“Drop invalid” connection-state=invalid
add action=accept chain=input comment=“Accept ICMP” protocol=icmp
add action=accept chain=input comment=“Accept loopback for CAPsMAN” dst-address=127.0.0.1
add action=accept chain=input comment=“Accept from Trusted” src-address-list=Trusted
add action=drop chain=input
# forward chain, in order: Trusted sources accepted outright; Guest rejected
# toward the management (Trunk) and Main subnets; fasttrack + accept for
# established/related; drop invalid; drop unsolicited new connections from
# the WAN. Two things to be aware of:
# 1. The Guest reject rules sit ABOVE the established/related accept, so the
#    reply half of a connection that a Main/management host opened toward a
#    guest device (src Guest, dst Main) is rejected. If Main is meant to be
#    able to reach guest devices, move the established/related accept above
#    the two reject rules; if not, this is fine.
# 2. There is no final drop in forward. Guest-to-Internet (and anything else
#    not matched) passes on the chain's implicit accept; an explicit last
#    rule keeps that true when rules are added later.
add action=accept chain=forward comment=“Accept from Trusted” src-address-list=Trusted
add action=reject chain=forward comment=“Reject from Guest to Trunk” dst-address-list=Trunk reject-with=icmp-admin-prohibited src-address-list=Guest
add action=reject chain=forward comment=“Reject from Guest to Main” dst-address-list=Main reject-with=icmp-admin-prohibited src-address-list=Guest
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment=“Accept related, established, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“Drop invalid” connection-state=invalid
add action=drop chain=forward comment=“Drop from Internet” connection-nat-state=!dstnat connection-state=new in-interface-list=Internet
/ip firewall nat
# Source NAT for everything leaving via the Internet list; ipsec-policy=out,none
# leaves traffic that an IPsec policy will handle un-NATed.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=Internet
/ip ssh
# Password login stays permitted even for users that have an SSH public key
# installed. Set this to no once keys are in use so SSH becomes key-only.
set always-allow-password-login=yes
/system clock
set time-zone-name=America/Phoenix
/system identity
# Also the source of the CAP interface names (provisioning name-format=identity).
set name=Walling-RB4011
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system package update
set channel=long-term
/tool mac-server
# MAC-telnet and MAC-WinBox are allowed on the "Trusted" interface list,
# which has no members in this export (only ether1 -> Internet), so both are
# effectively disabled. If that is deliberate, good; otherwise add the
# management ports to the list rather than widening this to "all".
set allowed-interface-list=Trusted
/tool mac-server mac-winbox
set allowed-interface-list=Trusted
/tool romon
# RoMON enabled with no secrets= and no interface restriction shown. RoMON
# is a layer-2 management path that reaches this router from any attached
# segment; set a secret (and disable it when not needed) so it does not
# become an unauthenticated side door around the IP firewall.
set enabled=yes
/tool sniffer
# Packet sniffer pre-configured to stream everything on Trunk to
# 192.168.88.245 (TZSP, unencrypted) with a 100 MB buffer. Whether it is
# currently running is not visible in an export; check /tool sniffer and
# stop it once the debugging is done, since the stream carries client traffic.
set filter-interface=Trunk filter-stream=yes memory-limit=100000KiB streaming-server=192.168.88.245

I hate bumping, but this radio is down until I can get this figured out.

Have you thought of making use of services offered by Mikrotik certified consultants?

Try setting the bridge interface on the wireless CAP; you don't need a discovery interface, as you are using L3 mode (you have set the CAPsMAN IP address).

Exactly this; it took me a long time to find out…
https://wiki.mikrotik.com/wiki/Manual:CAPsMAN#CAPsMAN_v2

Just tried that; same symptoms:

jan/26 20:12:23 dhcp,warning Main offering lease 192.168.10.235 for AC:AE:19:E6:39:6C without success

Export:

# jan/26/2020 20:14:26 by RouterOS 6.44.6
# software id = 8LZZ-6FN1
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B8E20A5A1A11
/interface wireless cap
#
# CAP settings after the suggestion above: bridge=Trunk is now set (so the
# CAP adds wlan1/wlan2 to Trunk for local forwarding) and discovery-interfaces
# is gone in favour of the static caps-man-addresses; certificate=request is
# unchanged. The DHCP log line above still shows offers going unanswered, so
# the open question is the return path at layer 2 -- worth checking
# /interface bridge port print and /interface bridge vlan print to confirm
# the dynamically added wlan ports are tagged members of VLAN 10 and 20.
set bridge=Trunk caps-man-addresses=192.168.88.1 certificate=request enabled=yes interfaces=wlan1,wlan2