CAPsMAN with hAP AC Lite: wifi client DHCP address assignment not working

So I’ve got a CRS317 as a CAPsMAN with an hAP AC Lite as a CAP. Both running 6.41.4. I’m new to MikroTik RouterOS so I am probably just missing something.
The WIFI client on the CAP works great as long as local forwarding is on. If I turn off local forwarding, my wifi clients can no longer get an IP address.

Data path:

/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes comment=\
    "VLAN100 on default bridge" local-forwarding=yes name=DP_Vlan100 vlan-id=\
    100 vlan-mode=use-tag

Here is how the CAP connects to CAPsMAN

/interface wireless cap
#
set bridge=bridge1 caps-man-addresses=192.168.102.1 caps-man-names=core10 \
    enabled=yes interfaces=wlan1,wlan2

CAP interface (192.168.102.10) to connect to CAPsMAN (192.168.102.1) is on a separate, unrouted vlan not used for anything else.

/ip address
add address=192.168.75.53/24 interface=vlan100 network=192.168.75.0
add address=192.168.102.10/24 interface=vlan102 network=192.168.102.0

Ether2 on the CAP is physically connected to my SG220 switch. Vlan 102 is tagged on both CAP & CAPsMAN. Both are connected/trunked to a cisco SG220. Pinging between the CAP and CAPsMAN on 192.168.102.x (vlan 102) works just great.

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,wlan1,wlan2 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=90
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=102

From my understanding, it should work as such: when I do not do “Local Forwarding” in the datapath, it should tunnel the WIFI client traffic to the CAPsMAN, which would then put it out onto the wire. If I turn off local forwarding, I can see the client MAC appear on the SG220 under the switchport of the CRS317, as I would expect (as opposed to local forwarding, where I see the client MAC on the SG220 port connected to the hAP AC lite).

Not sure why it’s not working since the SSID has vlan tag 100 and the CRS is allowed to tag vlan 100 traffic.

I hope this makes sense.

Thanks for any advice you guys can give me.

Where is the DHCP server serving VLAN 100? On the CAPsMAN machine (the CRS317), on the SG220, elsewhere?

It’s on a pfsense box on vlan 100 on another port on the sg220

The reason why I’ve asked was to exclude issues of Mikrotik’s own DHCP server which occurred in 6.41.x when the DHCP server was attached to bridge or VLAN interfaces.

As your /interface bridge vlan configuration above seems to come from the CAP, can you post also the /interface export hide-sensitive, /interface print, and /interface bridge port print from the CRS while the CAP’s interfaces are running with datapath.local-forwarding=no? As you’ve properly concluded, if datapath.local-forwarding=no, the packets from the CAP’s wireless interfaces are tagged and bridged at the CAPsMAN device, so the issue, if it is in the Mikrotik part, must be there.

Here you go.

/interface bridge
add admin-mac=CC:2D:E0:A3:3C:B3 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name="1: desktop2"
set [ find default-name=sfp-sfpplus13 ] comment=TO-DELL
set [ find default-name=sfp-sfpplus14 ] comment=TO-DELL_2 mac-address=CC:2D:E0:A3:3C:AF
set [ find default-name=sfp-sfpplus15 ] auto-negotiation=no comment=TO-CORE02 speed=1Gbps
set [ find default-name=sfp-sfpplus16 ] auto-negotiation=no comment=TO-CORE02_2 mac-address=CC:2D:E0:A3:3C:B1 \
    speed=1Gbps
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan75 vlan-id=75
add interface=bridge name=vlan80 vlan-id=80
add interface=bridge name=vlan90 vlan-id=90
add interface=bridge name=vlan99 vlan-id=99
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan101 vlan-id=101
add interface=bridge name=vlan102 vlan-id=102
/interface bonding
add mode=802.3ad name=bond0 slaves=sfp-sfpplus15,sfp-sfpplus16 transmit-hash-policy=layer-3-and-4
add mode=802.3ad name=bond1 slaves=sfp-sfpplus13,sfp-sfpplus14 transmit-hash-policy=layer-3-and-4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    "1: desktop2" pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 \
    pvid=100
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge comment=defconf interface=sfp-sfpplus6
add bridge=bridge comment=defconf interface=sfp-sfpplus7
add bridge=bridge comment=defconf interface=sfp-sfpplus8
add bridge=bridge comment=defconf interface=sfp-sfpplus9
add bridge=bridge comment=defconf interface=sfp-sfpplus10
add bridge=bridge comment=defconf interface=sfp-sfpplus11
add bridge=bridge comment=defconf interface=sfp-sfpplus12
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bond0
/interface bridge vlan
add bridge=bridge comment="1-14, access vlan 100, bond0, bridge = tagged" tagged=bond0,bridge,bond1 untagged="1: \
    desktop2,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-s\
    fpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,ether1" vlan-ids=100
add bridge=bridge comment="Internet (Static)" tagged=bond0,bridge,bond1 vlan-ids=10
add bridge=bridge tagged=bond0,bridge,bond1 vlan-ids=90
add bridge=bridge tagged=bond0,bridge,bond1 vlan-ids=75
add bridge=bridge tagged=bond0,bridge,bond1 vlan-ids=80
add bridge=bridge untagged=bond0,bridge,bond1 vlan-ids=1
add bridge=bridge tagged=bond0,bridge,bond1 vlan-ids=99
add bridge=bridge tagged=bond0,bridge,bond1 vlan-ids=101
add bridge=bridge tagged=bond0,bridge,bond1 vlan-ids=102

[admin@core10] > /interface p
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS
 0   S 1: desktop2                     ether            1500  1592      10218 CC:2D:E0:A3:3C:A3
 1   S ether1                              ether            1500  1592      10218 CC:2D:E0:A3:3C:B3
 2   S sfp-sfpplus2                        ether            1500  1592      10218 CC:2D:E0:A3:3C:A4
 3   S sfp-sfpplus3                        ether            1500  1592      10218 CC:2D:E0:A3:3C:A5
 4   S sfp-sfpplus4                        ether            1500  1592      10218 CC:2D:E0:A3:3C:A6
 5  RS sfp-sfpplus5                        ether            1500  1592      10218 CC:2D:E0:A3:3C:A7
 6   S sfp-sfpplus6                        ether            1500  1592      10218 CC:2D:E0:A3:3C:A8
 7   S sfp-sfpplus7                        ether            1500  1592      10218 CC:2D:E0:A3:3C:A9
 8   S sfp-sfpplus8                        ether            1500  1592      10218 CC:2D:E0:A3:3C:AA
 9   S sfp-sfpplus9                        ether            1500  1592      10218 CC:2D:E0:A3:3C:AB
10   S sfp-sfpplus10                       ether            1500  1592      10218 CC:2D:E0:A3:3C:AC
11   S sfp-sfpplus11                       ether            1500  1592      10218 CC:2D:E0:A3:3C:AD
12   S sfp-sfpplus12                       ether            1500  1592      10218 CC:2D:E0:A3:3C:AE
13   S ;;; TO-DELL
       sfp-sfpplus13                       ether            1500  1592      10218 CC:2D:E0:A3:3C:AF
14   S ;;; TO-DELL_2
       sfp-sfpplus14                       ether            1500  1592      10218 CC:2D:E0:A3:3C:AF
15   S ;;; TO-CORE02
       sfp-sfpplus15                       ether            1500  1592      10218 CC:2D:E0:A3:3C:B1
16  RS ;;; TO-CORE02_2
       sfp-sfpplus16                       ether            1500  1592      10218 CC:2D:E0:A3:3C:B1
17  RS bond0                               bond             1500  1592            CC:2D:E0:A3:3C:B1
18     bond1                               bond             1500  1592            CC:2D:E0:A3:3C:AF
19  R  ;;; defconf
       bridge                              bridge           1500  1592            CC:2D:E0:A3:3C:B3
20 D S mtwifi1-1                           cap              1500  1600            64:D1:54:87:52:93
21 D S mtwifi1-2                           cap              1500  1600            64:D1:54:87:52:92
22  R  vlan1                               vlan             1500  1588            CC:2D:E0:A3:3C:B3
23  R  vlan10                              vlan             1500  1588            CC:2D:E0:A3:3C:B3
24  R  vlan75                              vlan             1500  1588            CC:2D:E0:A3:3C:B3
25  R  vlan80                              vlan             1500  1588            CC:2D:E0:A3:3C:B3
26  R  vlan90                              vlan             1500  1588            CC:2D:E0:A3:3C:B3
27  R  vlan99                              vlan             1500  1588            CC:2D:E0:A3:3C:B3
28  R  vlan100                             vlan             1500  1588            CC:2D:E0:A3:3C:B3
29  R  vlan101                             vlan             1500  1588            CC:2D:E0:A3:3C:B3
30  R  vlan102                             vlan             1500  1588            CC:2D:E0:A3:3C:B3

[admin@core10] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #     INTERFACE                                              BRIDGE                                             HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0 I H ;;; defconf
       ether1                                                 bridge                                             yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       1: desktop2                                        bridge                                             yes  100     0x80         10                 10       none
 2 I H ;;; defconf
       sfp-sfpplus2                                           bridge                                             yes  100     0x80         10                 10       none
 3 I H ;;; defconf
       sfp-sfpplus3                                           bridge                                             yes    1     0x80         10                 10       none
 4 I H ;;; defconf
       sfp-sfpplus4                                           bridge                                             yes    1     0x80         10                 10       none
 5   H ;;; defconf
       sfp-sfpplus5                                           bridge                                             yes    1     0x80         10                 10       none
 6 I H ;;; defconf
       sfp-sfpplus6                                           bridge                                             yes    1     0x80         10                 10       none
 7 I H ;;; defconf
       sfp-sfpplus7                                           bridge                                             yes    1     0x80         10                 10       none
 8 I H ;;; defconf
       sfp-sfpplus8                                           bridge                                             yes    1     0x80         10                 10       none
 9 I H ;;; defconf
       sfp-sfpplus9                                           bridge                                             yes    1     0x80         10                 10       none
10 I H ;;; defconf
       sfp-sfpplus10                                          bridge                                             yes    1     0x80         10                 10       none
11 I H ;;; defconf
       sfp-sfpplus11                                          bridge                                             yes    1     0x80         10                 10       none
12 I H ;;; defconf
       sfp-sfpplus12                                          bridge                                             yes    1     0x80         10                 10       none
13     bond0                                                  bridge                                             yes    1     0x80         10                 10       none
14 ID  mtwifi1-1                                              bridge                                             yes    1     0x80         10                 10       none
15 ID  mtwifi1-2                                              bridge                                             yes    1     0x80         10                 10       none

/interface bridge vlan
set [find vlan-ids=100] tagged=bond0,bridge,bond1,mtwifi1-1,mtwifi1-2

should do the trick.

I will give this a try, thank you! Is there a way to automatically make this happen via capsman provisioning?

Edit: This works! Shouldn’t this be set when local forwarding isn’t on in the datapath? Maybe a bug or do you think I missed a setting somewhere?
Edit 2: Actually, this can’t happen automatically until a CAP is made. In my case provisioning on CAPsMAN generates a CAP. Once it is generated, CAPsMAN should probably add that to the appropriate bridge if “datapath local forwarding” is not checked. Do you agree?

If I missed a setting somewhere, let me know. If not, I may just send this thread to mikrotik support.
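One way to get the effect asked about above without waiting for provisioning to do it, added here as an example that is not from the thread and not MikroTik’s own mechanism: a RouterOS script, run from the scheduler on the CAPsMAN (the CRS317), that rebuilds the tagged member list of the VLAN 100 bridge entry from the static uplinks plus every interface of type cap that currently exists. It assumes the bridge is named bridge, that bond0, bridge and bond1 are the static tagged members as in the export above, that the vlan-ids=100 entry already exists, and that only CAPs running with datapath.local-forwarding=no are bound to this CAPsMAN; the script name cap-vlan-sync is a placeholder.

```routeros
# Added example (not from the thread): keep every CAP interface that CAPsMAN
# provisioning created (type "cap", e.g. mtwifi1-1) as a tagged member of the
# VLAN 100 bridge entry on the CAPsMAN. Run it from /system scheduler.
# Names below (bridge, bond0, bond1, cap-vlan-sync) are assumptions.
:local static "bond0,bridge,bond1"
:local tagged $static

# Each interface of type cap is the tunnel end of a CAP whose datapath has
# local-forwarding=no, so its client frames must leave tagged on VLAN 100.
:foreach i in=[/interface find where type="cap"] do={
    :set tagged ($tagged . "," . [/interface get $i name])
}

# Replace the whole list instead of appending: a CAP that disconnected leaves
# a dangling "*64"-style reference behind, and rewriting the list drops it.
/interface bridge vlan set [find vlan-ids=100] tagged=$tagged
:log info ("cap-vlan-sync: vlan 100 tagged=" . $tagged)
```

Store it with /system script add name=cap-vlan-sync source=... and trigger it with /system scheduler add name=cap-vlan-sync interval=1m on-event=cap-vlan-sync; the log line gives an audit trail of every membership change, which is useful when a client VLAN suddenly stops getting DHCP and you want to know whether the bridge VLAN table moved under it.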

So, on my hAP ac lite, under “cap → enabled” I’ve unchecked “enabled” to see what would happen to bridge 100 on the CAPsMAN.

In CAPsMAN webfig, I now see desktop-2 listed three times (see attachment)

In the CLI I see “*64” and “*65” have replaced the provisioning-generated CAPs that are no longer available.
Also: I deleted bond1 and that is showing up as “*21”. Very strange.

/interface bridge vlan
add bridge=bridge comment="1-14, access vlan 100, bond0, bridge = tagged" tagged=bond0,bridge,*64,*65 untagged="1: desktop2,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfp\
    plus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,ether1" vlan-ids=100
add bridge=bridge comment="Internet (Static)" tagged=bond0,bridge,*21 vlan-ids=10
add bridge=bridge tagged=bond0,bridge,*21 vlan-ids=90
add bridge=bridge tagged=bond0,bridge,*21 vlan-ids=75
add bridge=bridge tagged=bond0,bridge,*21 vlan-ids=80
add bridge=bridge untagged=bond0,bridge,*21 vlan-ids=1
add bridge=bridge tagged=bond0,bridge,*21 vlan-ids=99
add bridge=bridge tagged=bond0,bridge,*21 vlan-ids=101
add bridge=bridge tagged=bond0,bridge,*21 vlan-ids=102

Going back into my hAP ac lite & going to “Wireless → CAP → Enabled” now it doesn’t get re-added to the bridge of vlan 100 and is broken again.
On the CAPsMAN, going into “bridge → Vlan → bridge100” and adding the two dynamically created (from provisioning) CAPs to the bridge fixes things.

I hope this can help someone else. This appears to be a bug related to capsman → provisioning of caps & not adding them to the bridge/vlan if “capsman → datapath → local forwarding” is unchecked.
[attachment: interface-vlan-bridge-bug.PNG]

It’s a generic problem of configurations of stacks of virtual objects. If an object on one layer (in our case, the /interface bridge port) refers to an object on a lower layer (in your case, the /interface bond name=bond0), you as a developer can choose one of three approaches when a user wants to remove an object to which other objects refer:

  • reject the request and tell the user to remove the referring objects first
  • accept the request and drop the whole tree of referring objects as well
  • accept the request, remove only the object itself and let the references hang in the air until the user replaces that object with another one

Each of these approaches has its pros and cons, and Mikrotik developers have chosen the last one, no point in asking them to change philosophy as it would annoy) a lot of people.
) substitute by whatever word you find more appropriate


This appears to be a bug related to capsman → provisioning of caps & not adding them to the bridge/vlan if “capsman → datapath → local forwarding” is unchecked.

I would hesitate to call it a bug. There is no easy method to automatically decide whether or not to add a wireless interface as a member port of a VLAN. The packets on air cannot carry VLAN tags (except if you tunnel L2 through wireless, but that’s another can of worms), so the virtual interface would have to be inspected for any possible method of adding a VLAN tag when coming up and added to the appropriate item on the /interface bridge vlan list. And it is not only the basic configuration of the interface which would have to be checked - there are also the access list rules which permit you to assign to a particular client of an SSID a specific VLAN (in fact, nothing technically prevents you from e.g. assigning a VLAN ID depending on signal strength). So the algorithm for auto-addition would have to be quite complex.

Maybe gents in Riga have that in their roadmap, but even I could name several items on that list for which a much wider audience is waiting than for this one.