CAPsMAN with VLANs Help

I followed this simple guide for VLANs with CAPsMAN in CAPsMAN forwarding mode. Although it’s simple, I can’t achieve isolation between the two wireless clients, one connected in each VLAN…
I can ping the wireless client computer connected in the VLAN with VLAN ID 10 although I am in the VLAN with VLAN ID 20.
Everything else works just fine…

I followed this guide step by step https://wiki.mikrotik.com/wiki/Manual:CAPsMAN_with_VLANs
Here is my export with just the important configuration lines…

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/caps-man configuration
add channel=channel1 country=greece datapath.bridge=bridge1 \
    datapath.client-to-client-forwarding=yes datapath.vlan-id=10 \
    datapath.vlan-mode=use-tag distance=dynamic mode=ap name=cfg1 security=\
    security1 ssid=zach10
add channel=channel1 country=greece datapath.bridge=bridge1 \
    datapath.client-to-client-forwarding=yes datapath.vlan-id=20 \
    datapath.vlan-mode=use-tag distance=dynamic mode=ap name=cfg2 security=\
    security1 ssid=zach20
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=vlan10 name=dhcp1
add address-pool=dhcp_pool3 disabled=no interface=vlan20 name=dhcp2
/caps-man manager
set enabled=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10,20
/interface wireless cap
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1
/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0

Any help? There must be someone that has worked with CAPsMAN and VLANs…

I’ve done my (testing) CAPsMAN and VLAN installation and it’s working as expected. The difference between your case and mine is that in my case CAP and CAPsMAN are different devices.

And you didn’t post firewall filter rules to check those … because: if L2 works fine (you get the correct IP address according to the SSID used), then it must be L3 leaking (even if both IP subnets shared the same L2 network, connection would have to pass router/firewall as per configured default gateway).

mkx thanks for your reply…

I tried the same configuration above with a second CAP, I thought that there might be a problem there… Everything worked again just fine except the isolation between the VLANs… DHCP, internet, IP all perfect…

And you didn’t post firewall filter rules to check those

Wait, there is no firewall configured… Do I need to block the traffic through VLANs from the firewall?

Edit: I missed that I should block the VLAN L3 traffic from the firewall, as VLAN of course works in layer 2…
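
The conclusion the thread reaches, as an added example that is not part of any post above: with no firewall configured, the router forwards between the addresses on vlan10 and vlan20, so isolation needs drop rules in the forward chain. The interface names and addresses are taken from the export; the rule order and comments are assumptions.

```routeros
# Added example: constructed rules, using the interface names from the export above.
/ip firewall filter
# Keep replies to already-permitted connections flowing (e.g. internet traffic).
add chain=forward action=accept connection-state=established,related comment="allow established/related"
# Drop routed traffic between the two VLAN interfaces, in both directions.
add chain=forward action=drop in-interface=vlan10 out-interface=vlan20 comment="vlan10 -> vlan20"
add chain=forward action=drop in-interface=vlan20 out-interface=vlan10 comment="vlan20 -> vlan10"
# These rules cover the forward chain only. Traffic addressed to the router's
# own addresses (192.168.10.1, 192.168.20.1) is handled by the input chain.
```

After applying, a ping from a client on zach20 to a client on zach10 should time out, and the packet counters on the two drop rules should increase.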