Hi there,
ROS 6.34, freshly installing CAPsMAN CM2:
The goal is to let a station connect thru CAP in manager forwarding mode and then thru a bridge (no routing involved in CAPsMAN apparatus) to the rest of the infrastructure/the Internet. The infrastructure provides all the DHCP, NAT, … The infrastructure has been used here for 5+ years. CAPsMAN in forwarding mode should only remove some pitfalls with security in the future.
Ether1 is both for management of CAPsMAN itself and for connectivity between CAPsMAN and CAPs.
Ether3 is connected to the internet incl. external DHCP server. It should be bridged to CAPs’ dynamically created interface.
When I connect to an AP with a station, it associates correctly and gets an IP/mask/gateway through it correctly, but then, mysteriously, pings from the station can’t even be torched on the dynamically created interface or on the eduroam bridge.
The same setup of the network works fine when bridged on an autonomous AP…
I promise there is no filter, not even port security, ARP inspection or any catch like that in the rest of the infrastructure.
Please, can anyone spot a problem?
The pieces of config that are IMHO relevant:
/caps-man channel
add band=2ghz-onlyn extension-channel=disabled name=auto-N2-20
/interface bridge
add mtu=1500 name=eduroam protocol-mode=none
/interface ethernet
set [ find default-name=ether3 ] comment="eduroam \"classic\""
/caps-man datapath
add bridge=eduroam client-to-client-forwarding=no local-forwarding=no name=eduroam-managerforwarding
/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough eap-radius-accounting=yes encryption=aes-ccm group-encryption=aes-ccm name=eduroam-security passphrase="there is no eap"
/caps-man configuration
add channel=auto-N2-20 country="czech republic" datapath=eduroam-managerforwarding guard-interval=any mode=ap multicast-helper=default name=eduroam2g-cfg rx-chains=0,1 security=eduroam-security security.eap-radius-accounting=yes ssid=cm2-eduroam2g tx-chains=0,1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/caps-man access-list
add action=accept disabled=yes interface=all signal-range=-80..120 ssid-regexp=""
add action=reject disabled=yes signal-range=-120..-81 ssid-regexp=""
/caps-man manager
set ca-certificate=CA certificate=CAPsMAN-005056B66B39 enabled=yes package-path=/upgrades upgrade-policy=require-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=eduroam2g-cfg name-format=prefix-identity name-prefix=2G
/interface bridge port
add bridge=eduroam interface=ether3
/interface bridge settings
set allow-fast-path=no
/ip address
add address=192.168…/22 interface=ether1 network=192.168…
/radius
add address=… this works fine