"Congestion"

RouterOS Beginner Basics
1

I changed my home network for a couple of Mikrotik devices a few months back: a hap ac2 and cap ac. WAN is VDSL2 synced at 80/20 Mbps. I’ve been impressed with it so far, and the cap gives good continuous coverage on the side of the house where walls impede the signal from the hap.

The last couple of days I’ve noticed an issue where a pc was downloading software updates over a long period, connected via wifi. The download speed was 3-10 Mbps… pretty slow due to the server. My concern is this ruined connectivity for all other devices, both wired and wireless. For example, video call from mobiles gave poor quality picture, the rpi could not even stream from internet radio or spotify without continuously stopping to buffer, youtube streams were pixelated, teamviewer reported it could not connect to my account and webpages were slow or unresponsive. Stopped the download and all returned to normal; restart = same problem.

For this download + 1 audio stream: CPU load reported as 1-2 %, free RAM ~ 69 MB. 5 wifi clients, 2 wired clients.

The question is, where have I gone wrong in the config?

hap:
Eth1 = WAN
Eth2 = cap ac
Eth3 = xbox
Eth4 = rpi

There are 3 VLANs defined to keep IOT and guest apart from the main network.

Both hap and cap are on 6.46.2

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz name=channel2g
add band=5ghz-a/n/ac extension-channel=XXXX name=channel5g
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] advertise=1000M-full
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=30 name=SSEbb use-peer-dns=yes user=xxxx
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(17dBm), SSID: MxL, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce country="united kingdom" distance=indoors frequency=auto installation=indoor keepalive-frames=disabled mode=ap-bridge multicast-helper=disabled preamble-mode=short ssid=MOL wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5260/20-Ceee/ac/DP(20dBm), SSID: MxL, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MxL wireless-protocol=802.11
# managed by CAPsMAN
# SSID: MxL Guest, CAPsMAN forwarding
add mac-address=76:4D:28:8B:99:30 master-interface=wlan2 mode=station name=wlan5
/interface vlan
add interface=bridge name=vlanGuest vlan-id=55
add interface=bridge name=vlanIOT vlan-id=33
add interface=bridge name=vlanMain vlan-id=88
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=securityMain
add authentication-types=wpa2-psk encryption=aes-ccm name=securityIOT
add authentication-types=wpa2-psk encryption=aes-ccm name=securityGuest
/caps-man configuration
add channel=channel5g country="united kingdom" datapath.bridge=bridge datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes name=CfgMain5g security=securityMain ssid=MxL
add country="united kingdom" datapath.bridge=bridge datapath.vlan-id=33 datapath.vlan-mode=use-tag name=CfgIOT security=securityIOT ssid="MxL IOT"
add channel=channel2g country="united kingdom" datapath.bridge=bridge datapath.client-to-client-forwarding=yes datapath.local-forwarding=no name=cfgMain2g security=securityMain ssid=MxL
add country="united kingdom" datapath.bridge=bridge datapath.vlan-id=55 datapath.vlan-mode=use-tag name=cfgGuest security=securityGuest ssid="MxL Guest"
/interface ethernet switch port
set 4 default-vlan-id=33 vlan-header=always-strip vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name="profile wlan3 IOT" supplicant-identity=MOL
/interface wireless
# managed by CAPsMAN
# SSID: MxL Guest, CAPsMAN forwarding
add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes disable-running-check=no disabled=yes hide-ssid=no interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 mac-address=xxxx \
    master-interface=wlan1 max-station-count=2007 mode=station mtu=1500 multicast-buffering=enabled multicast-helper=default name=wlan3 security-profile=default ssid=MikroTik station-bridge-clone-mac=00:00:00:00:00:00 station-roaming=enabled update-stats-interval=disabled vlan-id=1 vlan-mode=no-tag \
    wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled wmm-support=disabled wps-mode=push-button
# managed by CAPsMAN
# SSID: MxL IOT, CAPsMAN forwarding
add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes disable-running-check=no disabled=yes hide-ssid=no interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 mac-address=xxxx \
    master-interface=wlan1 max-station-count=2007 mode=station mtu=1500 multicast-buffering=enabled multicast-helper=default name=wlan4 security-profile=default ssid=MikroTik station-bridge-clone-mac=00:00:00:00:00:00 station-roaming=enabled update-stats-interval=disabled vlan-id=1 vlan-mode=no-tag \
    wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled wmm-support=disabled wps-mode=push-button
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.5-192.168.88.254
add name=poolVlanGuest ranges=192.168.55.10-192.168.55.200
add name=poolVlanIOT ranges=192.168.33.10-192.168.33.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge lease-time=1d name=dhcpMain
add address-pool=poolVlanGuest disabled=no interface=vlanGuest lease-time=1h name=dhcpVlanGuest
add add-arp=yes address-pool=poolVlanIOT disabled=no interface=vlanIOT lease-time=3d name=dhcpVlanIOT
/ppp profile
set *0 use-compression=no use-encryption=no
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac,an master-configuration=CfgMain5g slave-configurations=cfgGuest
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfgMain2g slave-configurations=cfgGuest,CfgIOT
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=55,88,33
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=SSEbb list=WAN
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2 static-virtual=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.55.1/24 interface=vlanGuest network=192.168.55.0
add address=192.168.33.1/24 interface=vlanIOT network=192.168.33.0
/ip dhcp-client
add comment=defconf interface=ether1 script=":if (\$bound=1) do {\
    \n\
    \n# the name (within the domain) to update -- must already exist!\
    \n:local host @\
    \n\
    \n# the domain name\
    \n:local domain mylittlemi.com\
    \n\
    \n# key for namecheap updates\
    \n:local password 784f045bcb3b4fe1a248b86735b62f6b\
    \n\
    \n# get wan IP (easy in the DHCP script)\
    \n:local wanip \$\"lease-address\"\
    \n\
    \n:log info \"DHCP got WAN IP of \$wanip\"\
    \n\
    \n:local url \"https://dynamicdns.park-your-domain.com/update\?host=\$host&domain=\$domain&password=\$password&ip=\$wanip\"\
    \n\
    \n#:log info \"URL args: \$url\"\
    \n\
    \n# this should to the deed! (note: no verification is done here, check namecheap yourself at first!)\
    \n/tool fetch url=\$url mode=https keep-result=no\
    \n\
    \n} else {\
    \n#:log info \"DHCP was unbound\"\
    \n}"
/ip dhcp-server lease
add address=192.168.88.241 client-id=1:44:d2:44:6e:bc:7 mac-address=44:D2:44:6E:BC:07 server=dhcpMain
add address=192.168.88.5 client-id=1:c4:ad:34:6d:43:4c mac-address=C4:AD:34:6D:43:4C server=dhcpMain
/ip dhcp-server network
add address=192.168.33.0/24 dns-server=1.1.1.1,4.4.4.4 domain=iot.xxx gateway=192.168.33.1 netmask=24
add address=192.168.55.0/24 dns-server=1.1.1.1,4.4.4.4 domain=guest.xxx gateway=192.168.55.1 netmask=24
add address=192.168.88.0/24 comment=dhcpMain dns-server=1.1.1.1,4.4.4.4,8.8.8.8 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept local traffic to CAPsMAN" dst-port=5246,5247 in-interface-list=LAN protocol=udp src-address=127.0.0.1
add action=accept chain=input comment=Spotify connection-state=established,related dst-port=4070 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input in-interface-list=LAN protocol=icmp
add action=drop chain=input comment="defconf: accept ICMP" in-interface-list=WAN protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=drop chain=forward in-interface=vlanIOT out-interface=vlanGuest
add action=drop chain=forward in-interface=vlanIOT out-interface=vlanMain
add action=drop chain=forward in-interface=vlanGuest out-interface=vlanMain
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route rule
add action=lookup-only-in-table dst-address=192.168.88.0/24 interface=vlanMain table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/London
/system identity
set name=MxL
/system leds
add leds=user-led type=poe-fault
/system leds settings
set all-leds-off=after-1min
/system script
add dont-require-permissions=no name=dhcpMainDN owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":if (\$bound=1) do {\
    \n\
    \n# the name (within the domain) to update -- must already exist!\
    \n:local host @\
    \n\
    \n# the domain name\
    \n:local domain xxx\
    \n\
    \n# key for namecheap updates\
    \n:local password xxxx\
    \n\
    \n# get wan IP (easy in the DHCP script)\
    \n:local wanip \$\"lease-address\"\
    \n\
    \n:log info \"DHCP got WAN IP of \$wanip\"\
    \n\
    \n:local url \"https://dynamicdns.park-your-domain.com/update\?host=\$host&domain=\$domain&password=\$password&ip=\$wanip\"\
    \n\
    \n#:log info \"URL args: \$url\"\
    \n\
    \n/tool fetch url=\$url mode=https keep-result=no\
    \n\
    \n} else {\
    \n#:log info \"DHCP was unbound\"\
    \n}"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
2

Quick perusal, and the following bears looking at…

Your WLAN1 and WLAN2 are confusing a bit… not sure what they are assigned to
Will assume that wlan1 is for home “vlanMain” and wlan2 is for guest (vlanGuest).
You have a etherport5 but you dont say what its for??
ether2 is a trunk port going to the capac and will assume it has all three vlans main,guest, and iot
Then you have this very confusing HALF entity called vlan 88 MAIN. I am assuming it is designed mainly for home users and home wifi (not guest or iot wifi).
However you have not constructed it fully and are half subnet and half vlan in your setup for the main network.
The idea is to remove the bridge from any responsibility except for the vlan filtering.

Thus to complete the MAIN setup you need this…
/ip pool
add name=dhcpMain ranges=192.168.88.5-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=dhcpMain disabled=no interface=vlanMain lease-time=1d name=dhcpMain
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlanMain network=192.168.88.0
(ip dhcp-server network is okay)

With the above fixes implemented and my assumptions the following needs adjusting.
Also use the name of the wlans vice WLAN1 and WLAN noted in red
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 ingress-filtering=yes {trunk port to capac}
add bridge=bridge comment=defconf interface=ether3 pvid=88 frame-types=admit-only-untagged-and-priority-tagged {access port to xbox}
add bridge=bridge comment=defconf interface=ether4 pvid=88 frame-types=admit-only-untagged-and-priority-tagged {access port to ??)
add bridge=bridge comment=defconf interface=ether5 ???
add bridge=bridge comment=defconf interface=wlan1 pvid=88 frame-types= admit-only-untagged-and-priority-tagged {access port to home wifi}
add bridge=bridge comment=defconf interface=wlan2 pvid=55 frame-types=admit-only-untagged-and-priority-tagged {access port to guest wifi}

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether3,ether4,wlan1 vlan-ids=88
add bridge=bridge tagged=bridge,ether2 untagged=WLAN2 vlan-ids=55
add bridge=bridge tagged=bridge,ether2 vlan-ids=33

/interface list member (remove bridge entry)
add interface=vlanMain list=LAN
add interface=vlanGuest list=LAN
add interface=vlanIOT list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=SSEbb list=WAN

Two additional comments..

  1. What is the purpose of this rule??
    add action=accept chain=input comment=Spotify connection-state=established,related dst-port=4070 protocol=tcp
    (spotify is not a service the MT provides and thus confused)

  2. I would change your forward chain rules as such. Much simpler and cleaner.

Get rid of (you will note you have duplicates as the first two are the same… but both are removed below and removed with a clearer rule
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=“Drop incoming packets that are not NATted” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=drop chain=forward in-interface=vlanIOT out-interface=vlanGuest
add action=drop chain=forward in-interface=vlanIOT out-interface=vlanMain
add action=drop chain=forward in-interface=vlanGuest out-interface=vlanMain

and replace with
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment=“Allow internet access”
add action=accept chain=forward connection-state=new connection-nat-state=dstnat comment=“Allow port forwarding” ( you can leave this disabled until you need port forwarding to a server )
add action=drop chain=forward comment=“Drop all else” (the last rule in the forward chain and any traffic you didnt allow above this rule will be dropped ! )

3

Thanks for your input and the tips on VLAN. I will test it all.

You quite rightly picked up on outstanding issues:

  1. Initially I used the out of the box setting to play/test and didn’t reset.
  2. The 88 vlan was incomplete since I didn’t make time.
  3. WLAN1/2 should be overridden by CAPsMAN.

As for the CAP ac assumption; it is out of the box CAPsMAN. I’ve not added any firewall rules yet… I don’t have anything on the IOT vlan (various devices waiting for my free time).

Ether 5 = not connected

Firewall spotify rule: without this rule the Spotify Connect devices (xbox, rpi) were unable to make connection / receive a stream. They are however detected on the local network by the Spotify applications. Any advice on improving this rule appreciated.

4

"_Two additional comments..

  1. What is the purpose of this rule??
    add action=accept chain=input comment=Spotify connection-state=established,related dst-port=4070 protocol=tcp
    (spotify is not a service the MT provides and thus confused)    _"

Yes you really didnt answer the question LOL.

Is there a spotify server on your LAN?
What are you trying to accomplish with this rule - what was your rationale??

5

Ah, I see your point. I had the issue that spotify connect (Rpi, xbox) would not work. I saw suggestions that incoming traffic on a service specific port should be permitted. It makes more sense if its on the forward chain. Anyway it all started working after adding this rule, which I cannot figure out.

I’ve tried your suggestions, although I did not understand why the pvid was added:

add bridge=bridge comment=defconf interface=wlan1 pvid=88 frame-types= admit-only-untagged-and-priority-tagged {access port to home wifi}
add bridge=bridge comment=defconf interface=wlan2 pvid=55 frame-types=admit-only-untagged-and-priority-tagged {access port to guest wifi}

My wifi is completely dictated by CAPsMAN on both devices. 3 SSIDs on 2.4g and 2 SSIDs on 5g.

Since trying the new config I have no wifi. I can occasionally see CAPsMAN assign interfaces to the cAP AC, which then disappear within seconds. The hap ac never gets an assignment from CAPsMAN!

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz name=channel2g
add band=5ghz-a/n/ac extension-channel=XXXX name=channel5g
/interface bridge
add admin-mac=74:4D:28:8B:99:2A auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] advertise=1000M-full
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=30 \
    name=SSEbb use-peer-dns=yes user=x
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
    country="united kingdom" distance=indoors frequency=auto installation=\
    indoor keepalive-frames=disabled mode=ap-bridge multicast-helper=disabled \
    preamble-mode=short ssid=MOL wireless-protocol=802.11
# managed by CAPsMAN
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    country="united kingdom" distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MxL wireless-protocol=802.11
add mac-address=76:4D:28:8B:99:2E master-interface=wlan1 mode=station name=\
    wlan3
add mac-address=76:4D:28:8B:99:2F master-interface=wlan1 mode=station name=\
    wlan4
add mac-address=76:4D:28:8B:99:30 master-interface=wlan2 mode=station name=\
    wlan5
/interface vlan
add interface=bridge name=vlanGuest vlan-id=55
add interface=bridge name=vlanIOT vlan-id=33
add interface=bridge name=vlanMain vlan-id=88
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=securityMain
add authentication-types=wpa2-psk encryption=aes-ccm name=securityIOT
add authentication-types=wpa2-psk encryption=aes-ccm name=securityGuest
/caps-man configuration
add channel=channel5g country="united kingdom" datapath.bridge=bridge \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    name=CfgMain5g security=securityMain ssid=MxL
add country="united kingdom" datapath.bridge=bridge datapath.vlan-id=33 \
    datapath.vlan-mode=use-tag name=CfgIOT security=securityIOT ssid="MxL IOT"
add channel=channel2g country="united kingdom" datapath.bridge=bridge \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=no name=\
    cfgMain2g security=securityMain ssid=MxL
add country="united kingdom" datapath.bridge=bridge datapath.vlan-id=55 \
    datapath.vlan-mode=use-tag name=cfgGuest security=securityGuest ssid=\
    "MxL Guest"
/interface ethernet switch port
set 4 default-vlan-id=33 vlan-header=always-strip vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name="profile wlan3 IOT" \
    supplicant-identity=MOL
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcpMain ranges=192.168.88.5-192.168.88.254
add name=poolVlanGuest ranges=192.168.55.10-192.168.55.200
add name=poolVlanIOT ranges=192.168.33.10-192.168.33.200
/ip dhcp-server
add add-arp=yes address-pool=dhcpMain disabled=no interface=vlanMain \
    lease-time=1d name=dhcpMain
add address-pool=poolVlanGuest disabled=no interface=vlanGuest lease-time=1h \
    name=dhcpVlanGuest
add add-arp=yes address-pool=poolVlanIOT disabled=no interface=vlanIOT \
    lease-time=3d name=dhcpVlanIOT
/ppp profile
set *0 use-compression=no use-encryption=no
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether2
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac,an \
    master-configuration=CfgMain5g slave-configurations=cfgGuest
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    cfgMain2g slave-configurations=cfgGuest,CfgIOT
/interface bridge port
add bridge=bridge comment="Trunk to CAPac" ingress-filtering=yes interface=\
    ether2
add bridge=bridge comment=Xbox interface=ether3 pvid=88
add bridge=bridge comment=rpi interface=ether4 pvid=88
add bridge=bridge comment="Not in use" frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan1
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,wlan1,wlan2 untagged=ether3,ether4 \
    vlan-ids=88
add bridge=bridge tagged=ether2,wlan1,wlan2,bridge vlan-ids=55
add bridge=bridge tagged=ether2,wlan1,wlan2,bridge vlan-ids=33
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=SSEbb list=WAN
add interface=vlanMain list=LAN
add interface=vlanGuest list=LAN
add interface=vlanIOT list=LAN
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=127.0.0.1 enabled=yes interfaces=\
    wlan1,wlan2 static-virtual=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlanMain network=\
    192.168.88.0
add address=192.168.55.1/24 interface=vlanGuest network=192.168.55.0
add address=192.168.33.1/24 interface=vlanIOT network=192.168.33.0
/ip dhcp-client
add comment=defconf interface=ether1 script=":if (\$bound=1) do {\
    \n\
    \n# the name (within the domain) to update -- must already exist!\
    \n:local host @\
    \n\
    \n# the domain name\
    \n:local domain \
    \n\
    \n# key for namecheap updates\
    \n:local password \
    \n\
    \n# get wan IP (easy in the DHCP script)\
    \n:local wanip \$\"lease-address\"\
    \n\
    \n:log info \"DHCP got WAN IP of \$wanip\"\
    \n\
    \n:local url \"https://dynamicdns.park-your-domain.com/update\?host=\$host&d\
    omain=\$domain&password=\$password&ip=\$wanip\"\
    \n\
    \n#:log info \"URL args: \$url\"\
    \n\
    \n# this should to the deed! (note: no verification is done here, check name\
    cheap yourself at first!)\
    \n/tool fetch url=\$url mode=https keep-result=no\
    \n\
    \n} else {\
    \n#:log info \"DHCP was unbound\"\
    \n}"
/ip dhcp-server lease
add address=192.168.88.241 client-id=1:44:d2:44:6e:bc:7 mac-address=\
    44:D2:44:6E:BC:07 server=dhcpMain
add address=192.168.88.5 client-id=1:c4:ad:34:6d:43:4c mac-address=\
    C4:AD:34:6D:43:4C server=dhcpMain
/ip dhcp-server network
add address=192.168.33.0/24 dns-server=1.1.1.1,4.4.4.4 domain=\
   x gateway=192.168.33.1 netmask=24
add address=192.168.55.0/24 dns-server=1.1.1.1,4.4.4.4 domain=\
    x gateway=192.168.55.1 netmask=24
add address=192.168.88.0/24 comment=dhcpMain dns-server=1.1.1.1,4.4.4.4,8.8.8.8 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="Accept local traffic to CAPsMAN" \
    dst-port=5246,5247 in-interface-list=LAN protocol=udp src-address=127.0.0.1
add action=accept chain=forward comment=Spotify connection-state=\
    established,related disabled=yes dst-port=4070 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input in-interface-list=LAN protocol=icmp
add action=accept chain=forward comment="Allow internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat connection-state=new disabled=yes
add action=drop chain=input comment="defconf: accept ICMP" in-interface-list=\
    WAN protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route rule
add action=lookup-only-in-table dst-address=192.168.88.0/24 interface=vlanMain \
    table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/London
/system identity
set name=MxL
/system leds
add leds=user-led type=poe-fault
/system leds settings
set all-leds-off=after-1min
/system script
add dont-require-permissions=no name=dhcpMainDN owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":if\
    \_(\$bound=1) do {\
    \n\
    \n# the name (within the domain) to update -- must already exist!\
    \n:local host @\
    \n\
    \n# the domain name\
    \n:local domain \
    \n\
    \n# key for namecheap updates\
    \n:local password \
    \n\
    \n# get wan IP (easy in the DHCP script)\
    \n:local wanip \$\"lease-address\"\
    \n\
    \n:log info \"DHCP got WAN IP of \$wanip\"\
    \n\
    \n:local url \"https://dynamicdns.park-your-domain.com/update\?host=\$host&d\
    omain=\$domain&password=\$password&ip=\$wanip\"\
    \n\
    \n#:log info \"URL args: \$url\"\
    \n\
    \n# this should to the deed! (note: no verification is done here, check name\
    cheap yourself at first!)\
    \n/tool fetch url=\$url mode=https keep-result=no\
    \n\
    \n} else {\
    \n#:log info \"DHCP was unbound\"\
    \n}"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
6

Log shows port flapping on ether2 so will need to check out a suspect cable, this may explain why the capac goes offline

7

Again, I no nothing about capsman.
ALso you never answered my questions regarding spotify?
What were you trying to accomplish??

Spotify is a music service? What does it have to do with Rpi whatever that is, or xbox??
Unless you host a spotify server on your LAN (other people are going to come in on your WANIP and access your spotify server) there is no need for any extra rules??
We use spotify all the time in our house for example.
What is different in your case??

8

Ok, well I sorted the issue with main wifi not working: I forgot to add the VLAN ID to the CAPsMAN config. Now devices can get an IP address.

Also needed to reinstate the firewall rules that prevent cross VLAN access.

The rpi (Raspberry Pi, apologies I thought it was a commonly known abbrieviation) and xbox are Spotify Connect devices (please refer to Spotify website). This means that Spotify streams can be offloaded to those devices (without login) when the stream is started through the Spotify app. The audio is output locally on the device selected.

9

Thanks for your assistance so far, much appreciated.

The CAP issue - local to the hap ac - puzzles me. Its as though it cannot connect to get the config. Need to look into the debug/log options

10

LIke any device aka smart phone playing spotify, the request goes outward from your LAN to spotify and the returns are allowed back in as per any other traffic.
Thus it should work without any extra rules. Your spotify rule was misplaced.
To allow unsolicited traffic to a server one needs destination nat rules. (however that is not the type of traffic we are talking about).

Basically
for a wifi router or a cap AC.

the bridge ports identified included wired and wlans (they are treated the same, access ports are access ports, trunk ports are trunk ports)
the wlans are going to devices that are not vlan smart so they are access ports and thus require vlan tags added upon ingress to the router when they communicate
similarly on the bridge vlan we identify which are access ports by untagging, so on egress tells the router to remove vlan tags before hitting the devices on the wlan

You should reread the ref! http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Please post the config of the capac…



The port going to the capac would be a trunk port
The port coming from the hapac to the capac would be a trunk port

11

Thanks for the additional reading - I’ll run through it.

Tested Spotify this afternoon - the Spotify Connect is now working absolutely fine as expected.

My CAP ac on ether2 is the one thing working flawlessly and automatically via CAPsMAN. I found that now I cannot get access via wifi since the VLAN change. I could use ether5 on vlanid 1 I suppose, or connect via the second ethernet port on the CAP ac. I’m afraid it will have to wait for the weekend, then I can look at the config.

I found a couple of topics that describe my problem with the HAP ac2, however the combinations of solutions I’ve tried have not changed the outcome. Wlan1-5 are shown as managed by CAPsMAN but disabled.
http://forum.mikrotik.com/t/capsman-unable-to-manage-its-own-wireless-interface/120395/1
http://forum.mikrotik.com/t/capsman-manager-cant-manage-its-own-wireless/113821/1

12

Well my advice is to PHUCK capsman as all I see are frustrated beginner users.
My capacs are rock solid without it and I use vlans. I would say get it working first.

Then read many threads on capsman before tackling it. Its like biting off more than one can chew at once!!
I have zero desire to use capsman

13

I’m tempted to ditch it, however when it works its brilliant.

So the log repeats:
CAP Sulking->Discover
CAP discovery target list:
127.0.0.1:5246
CAP discovery over, no results
CAP Discover->Select

So, no route to localhost?!

Firewall allows input to 5246/5247 (manager, traffic) from LAN; that list includes: wlan1, wlan2, the vlans. Even if the bridge is tossed in, the refrain is unchanged.

So, from which interface does the CAP request originate?? I don’t have any other interfaces.

Yet if I disable my firewall rule drop input in-list !LAN, suddenly the local CAP can connect to CAPsMAN…
To recap, the CAP request to CAPsMAN does not originate from the following interfaces:

  • vlan
  • WLAN
  • bridge

I guess that it is CAP interface then? They don’t exist (on the interface list) until a valid CAPsMAN config is downloaded. How can I modify the firewall rules to permit input from local CAP?

14

Note on my rules, the accept to CAPsMAN is one of the first rules. All drop rules are at the table end.

Tried using address based filter, not successful.

So settled for changing the accept CAPsMAN rule in-interface from LAN to !WAN. It works. For a more secure (enterprise) network I guess this not so ideal.