CapsManV2 prov. CAP over L2TP

Hi there,

I have read
https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-CAPsMAN-CAPVLANconfigurationexample:

but my goal is a little bit different.
I will be provisioning AX/AC CAPs from CapsManV2 over L2TP via VLAN10.
The tunnel itself to the CapsMan router worked. The L2TP interface is in a bridge. The bridge has a VLAN10; on this is the CapsMan.
The CAPs are provisioned, but no data from clients is going to the HS server.

Data should go via VLAN11 through the L2TP tunnel to the CapsMan server as well and then to an external HS server.
For AX and AC CAPs.

My CapsMan:

/interface bridge
add name=bridge2-capsman-v2 vlan-filtering=yes

/interface vlan
add interface=bridge2-capsman-v2 name=vlan10-capsmanv2-prov vlan-id=10

/interface wifi datapath
add bridge=bridge2-capsman-v2 client-isolation=yes disabled=no name=datapath1 vlan-id=11
/interface wifi steering
add disabled=no name=steering1 neighbor-group=hs1
/interface wifi configuration
add channel.band=5ghz-n .width=20/40mhz country=Germany datapath=datapath1 datapath.client-isolation=no disabled=no distance=5 max-clients=30 mode=ap name=5ghz-an_open security.owe-transition-interface=auto ssid=hotspot2 station-roaming=yes steering=steering1 steering.neighbor-group=""
add channel.band=2ghz-n .width=20/40mhz country=Germany datapath=datapath1 datapath.client-isolation=no disabled=no distance=5 max-clients=30 mode=ap name=2ghz-n_open security.owe-transition-interface=auto ssid=hotspot2 station-roaming=yes steering=steering1 steering.neighbor-group=""
add channel.band=2ghz-ax .width=20/40mhz country=Germany datapath=datapath1 disabled=no distance=5 max-clients=30 mode=ap name=2ghz-ax_open security.owe-transition-interface=auto ssid=hotspot2 station-roaming=yes steering=steering1 steering.neighbor-group=""
add channel.band=5ghz-ax .width=20/40mhz country=Germany datapath=datapath1 datapath.client-isolation=no disabled=no distance=5 max-clients=30 mode=ap name=5ghz-ax_open security.owe-transition-interface=auto ssid=hotspot2 steering=steering1
add channel.band=5ghz-ax .width=20/40mhz country=Germany datapath=datapath1 datapath.client-isolation=no disabled=no distance=5 hide-ssid=yes max-clients=30 mode=ap name=5ghz-ax_OWE security.authentication-types=owe .owe-transition-interface=auto ssid=hotspot2_OWE steering=steering1
add channel.band=5ghz-n .width=20/40mhz country=Germany datapath=datapath1 datapath.client-isolation=no disabled=no distance=5 hide-ssid=yes max-clients=30 mode=ap name=5ghz-an_OWE security.authentication-types=owe .owe-transition-interface=auto ssid=hotspot2_OWE station-roaming=yes steering=steering1 \
    steering.neighbor-group=""
add channel.band=2ghz-n .width=20/40mhz country=Germany datapath=datapath1 datapath.client-isolation=no disabled=no distance=5 hide-ssid=yes max-clients=30 mode=ap name=2ghz-n_OWE security.authentication-types=owe .owe-transition-interface=auto ssid=hotspot2_OWE station-roaming=yes steering=steering1 \
    steering.neighbor-group=""
add channel.band=2ghz-ax .width=20/40mhz country=Germany datapath=datapath1 disabled=no distance=5 hide-ssid=yes max-clients=30 mode=ap name=2ghz-ax_OWE security.authentication-types=owe .owe-transition-interface=auto ssid=hotspot2_OWE station-roaming=yes steering=steering1 steering.neighbor-group=""
add channel.band=5ghz-ac .width=20/40mhz country=Germany datapath=datapath1 datapath.client-isolation=no disabled=no distance=5 max-clients=30 mode=ap name=5ghz-ac_open security.owe-transition-interface=auto ssid=hotspot2 station-roaming=yes steering=steering1
add channel.band=5ghz-ac .width=20/40mhz country=Germany datapath=datapath1 datapath.client-isolation=no disabled=no distance=5 hide-ssid=yes max-clients=30 mode=ap name=5ghz-ac_OWE security.authentication-types=owe .owe-transition-interface=auto ssid=hotspot2_OWE station-roaming=yes steering=steering1

/ppp profile
add bridge=bridge2-capsman-v2 bridge-horizon=5 bridge-port-vid=10 name=profile3-neue-geraete-capsman-v2 only-one=yes use-encryption=required use-ipv6=no

/interface bridge port
add bridge=bridge2-capsman-v2 frame-types=admit-only-vlan-tagged interface=ether4-zu-hs-capsmanv2

/interface bridge vlan
add bridge=bridge2-capsman-v2 tagged=ether4-zu-hs-capsmanv2,bridge2-capsman-v2 vlan-ids=11

/interface wifi access-list
add action=accept allow-signal-out-of-range=40s disabled=no interface=any signal-range=-90..120
add action=reject allow-signal-out-of-range=10s disabled=no interface=any signal-range=-100..-91
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=vlan10-capsmanv2-prov package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=2ghz-n_open name-format=%I_ slave-configurations=2ghz-n_OWE slave-name-format=%I_virtualOWE_ supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=2ghz-ax_open name-format=%I_ slave-configurations=2ghz-ax_OWE slave-name-format=%I_virtualOWE_ supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=5ghz-ac_open name-format=%I_ slave-configurations=5ghz-ac_OWE slave-name-format=%I_virtualOWE_ supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=5ghz-an_open name-format=%I_ slave-configurations=5ghz-an_OWE slave-name-format=%I_virtualOWE_ supported-bands=5ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=5ghz-ax_open name-format=%I_ slave-configurations=5ghz-ax_OWE slave-name-format=%I_virtualOWE_ supported-bands=5ghz-ax

/ppp secret
add name=hs-test profile=profile3-neue-geraete-capsman-v2 service=l2tp

On CAPs:

/interface bridge
add name=bridge1
/interface wifi
# managed by CAPsMAN D4:CA:6D:0D:94:8F%bridge1, traffic processing on CAP
# mode: AP, SSID: hotspot2, channel: 2412/n/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN D4:CA:6D:0D:94:8F%bridge1, traffic processing on CAP
# mode: AP, SSID: hotspot2, channel: 5580/ac/Ce/D
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
/interface wifi datapath
add bridge=bridge1 bridge-horizon=1 client-isolation=yes disabled=no name=datapath1 vlan-id=11
/ppp profile
add bridge=bridge1 name=profile1 use-encryption=yes use-ipv6=no
/interface l2tp-client
add connect-to=178.21.0.4 disabled=no max-mru=1400 max-mtu=1400 mrru=1614 name=l2tp-out1 profile=profile1 user=hs-test
/interface wifi cap
set discovery-interfaces=bridge1 enabled=yes slaves-datapath=datapath1
/ip dhcp-client
add default-route-tables=main interface=ether1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=hs-test

The CAPs are being provisioned, but no data from clients on the CAPs reaches the HS on the CapsMan server's Ethernet port "ether4-zu-hs-capsmanv2". On the HS server itself there is a VLAN11 to CapsMan. This VLAN11 is DHCP,…

Can You see the problem?
Thank You
Christian

When the L2TP connection is established, what does /interface bridge port print and /interface bridge vlan print show at both the CAPsMAN and the CAP?

I think there is the problem. In the profile of the L2TP connection I can only give a pvid for the interface, not a VLAN for the dynamically added L2TP port of the bridge? When I give a pvid, then provisioning does not work.
Is it better to work with a datapath without any VLAN (for the qcom-ac and qcom packages) and do provisioning over a VLAN over the L2TP?

For years, the BCP mode of L2TP (and other PPP derivatives) used to be completely incompatible with VLAN filtering on the bridge. I haven’t had enough motivation to check the recent improvements in this regard brought by ROS 7.17, so I did now.

It turns out that now you can use one ppp profile per VLAN ID, one l2tp-client interface at the client side, and one ppp secret row at the server side to establish a dedicated BCP tunnel for each VLAN. If you do not specify bridge-port-pvid in the profile, it defaults to 1, which suggests there is no way to let a single BCP tunnel act as a trunk. That kind of makes sense: it would have to be possible to specify a list of permitted VLANs in trunk mode in the ppp profile.

The other approach is the one used before ROS 7.17, to use BCP to connect two auxiliary bridges with vlan-filtering set to no and ether-type set to 0x88a8, attach /interface vlan with use-service-tag=yes to these bridges, and make those /interface vlan member ports of the two basic bridges, setting their pvid and putting them on tagged lists on /interface bridge vlan rows as necessary. I don’t dare to guess which of these two approaches results in a lower CPU load, but if you use just a few VLANs, the one made available by 7.17 might be worth trying.

Off topic, the MPPE encryption that is enabled by setting use-encryption on the /ppp profile row to yes is a waste of CPU power that provides just very weak security by today's criteria. So it is much better to use IPsec with one of the encryption algorithms supported in hardware and disable MPPE in the ppp profile.
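The pre-7.17 layout the reply describes (two auxiliary bridges with vlan-filtering=no and ether-type=0x88a8 joined by BCP, service-tagged /interface vlan members used as access ports of the filtering bridges), written out as a constructed example rather than the poster's configuration or MikroTik's documentation; names such as bcp-aux-srv, vlan10-bcp-cap, profile-bcp-srv and the CHANGE_ME placeholders are assumptions, and the real password and IPsec pre-shared key must be substituted. Following the reply's last paragraph, MPPE is switched off and the L2TP tunnel is wrapped in IPsec instead.

```routeros
# --- CAPsMAN / L2TP server side (constructed example) ---
/interface bridge
add name=bridge2-capsman-v2 vlan-filtering=yes
# auxiliary bridge carrying only the BCP tunnel: no VLAN filtering, service ether-type
add name=bcp-aux-srv vlan-filtering=no ether-type=0x88a8
/ppp profile
add name=profile-bcp-srv bridge=bcp-aux-srv use-encryption=no use-ipv6=no
/ppp secret
add name=hs-test service=l2tp profile=profile-bcp-srv password=CHANGE_ME
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=CHANGE_ME_PSK
# one service-tagged VLAN interface per VLAN, each an access port of the filtering bridge
/interface vlan
add name=vlan10-bcp-srv interface=bcp-aux-srv vlan-id=10 use-service-tag=yes
add name=vlan11-bcp-srv interface=bcp-aux-srv vlan-id=11 use-service-tag=yes
/interface bridge port
add bridge=bridge2-capsman-v2 interface=vlan10-bcp-srv pvid=10
add bridge=bridge2-capsman-v2 interface=vlan11-bcp-srv pvid=11
add bridge=bridge2-capsman-v2 interface=ether4-zu-hs-capsmanv2 frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge2-capsman-v2 vlan-ids=10 tagged=bridge2-capsman-v2 untagged=vlan10-bcp-srv
add bridge=bridge2-capsman-v2 vlan-ids=11 tagged=ether4-zu-hs-capsmanv2 untagged=vlan11-bcp-srv
/interface vlan
add name=vlan10-capsmanv2-prov interface=bridge2-capsman-v2 vlan-id=10
/interface wifi capsman
set enabled=yes interfaces=vlan10-capsmanv2-prov

# --- CAP / L2TP client side: mirror image of the above ---
/interface bridge
add name=bridge1 vlan-filtering=yes
add name=bcp-aux-cap vlan-filtering=no ether-type=0x88a8
/ppp profile
add name=profile-bcp-cap bridge=bcp-aux-cap use-encryption=no use-ipv6=no
/interface l2tp-client
add name=l2tp-out1 connect-to=178.21.0.4 user=hs-test password=CHANGE_ME profile=profile-bcp-cap use-ipsec=yes ipsec-secret=CHANGE_ME_PSK disabled=no
/interface vlan
add name=vlan10-bcp-cap interface=bcp-aux-cap vlan-id=10 use-service-tag=yes
add name=vlan11-bcp-cap interface=bcp-aux-cap vlan-id=11 use-service-tag=yes
/interface bridge port
add bridge=bridge1 interface=vlan10-bcp-cap pvid=10
add bridge=bridge1 interface=vlan11-bcp-cap pvid=11
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=vlan10-bcp-cap
add bridge=bridge1 vlan-ids=11 untagged=vlan11-bcp-cap
/interface vlan
add name=vlan10-cap-mgmt interface=bridge1 vlan-id=10
/interface wifi datapath
add name=datapath1 bridge=bridge1 vlan-id=11 client-isolation=yes
/interface wifi cap
set enabled=yes discovery-interfaces=vlan10-cap-mgmt slaves-datapath=datapath1
```

CAP discovery rides VLAN 10 through the tunnel while the datapath tags client traffic with VLAN 11, so the two VLANs never share a bridge port; the CAP's wifi1/wifi2 keep configuration.manager=capsman as in the export above, and the CAPsMAN certificate, hotspot and provisioning rows the poster already has are left unchanged.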