Disabling IPv6 has broken my CAPsMAN configuration

Ciao a tutti,

This morning, just to break everything and have some fun, I tried disabling IPv6 — and I managed to destroy my WiFi in the process. Everything had been running smoothly for months, but after disabling IPv6 and rebooting the CAPsMAN (RB5009), the WiFi went down and triggered the 10-minute DFS CAC window, which is expected. After that, however, my DHCP seems to have stopped working.

Devices can connect to the SSID — as confirmed by the registration table — but the DHCP lease process appears to fail, regardless of whether the client has a reserved lease or not, on both networks. I have already tried rebooting each device and deleting the entire CAPsMAN configuration to start from scratch.

The CAP (wAP AX) is available and correctly bound to the manager, but the network is not working properly. Interestingly, Ethernet clients work flawlessly with DHCP — the very same DHCP server.

I also tried adding the "CAPsMAN control+data" firewall rule visible in the config, but nothing changed.

MANAGER (RouterOS 7.21.3):

# model = RB5009UG+S+
# Manager (CAPsMAN) export as pasted in the post; the CAP export follows further down.
/interface bridge
# One VLAN-aware bridge; the TRUST/DMZ VLAN interfaces below hang off it.
# admin-mac is blank with auto-mac=no -- presumably redacted for the post; verify in the live export.
add admin-mac= auto-mac=no name=bridge vlan-filtering=yes

/interface ethernet
# ether4 is the trunk towards the CAP (Dragon01); ether2 is a standalone MGMT port (172.16.99.0/30 below).
set [ find default-name=ether1 ] comment="WAN - LTE" l2mtu=1514
set [ find default-name=ether2 ] comment=MGMT l2mtu=1514
set [ find default-name=ether3 ] comment="to Switch" l2mtu=1514
set [ find default-name=ether4 ] comment="to Dragon01" l2mtu=1514
set [ find default-name=ether5 ] comment="to Rasp" l2mtu=1514
set [ find default-name=ether6 ] comment="to Xbox" l2mtu=1514
set [ find default-name=ether7 ] comment="to SoundBar" l2mtu=1514
set [ find default-name=ether8 ] comment="to TV" l2mtu=1514
set [ find default-name=sfp-sfpplus1 ] disabled=yes l2mtu=1514

/interface vlan
# L3 interfaces for the two user VLANs; both DHCP servers bind to these, not to the bridge.
add interface=bridge name=DMZ vlan-id=11
add interface=bridge name=TRUST vlan-id=10

/interface list
add name=WAN
add name=LAN
add name=MGMT
add name=HWG

/interface wifi channel
add band=2ghz-n disabled=no name=2GHZ::AUTO reselect-time=04:00:00..05:00:00 width=20mhz
# Fixed 5640 MHz channel -- the post reports the DFS CAC wait on reboot. The CAP
# export shows wifi2 on 5220 at export time, so confirm which channel is really in use.
add band=5ghz-ax disabled=no frequency=5640 name=5GHZ::CH128 width=20/40/80/160mhz

/interface wifi datapath
# NOTE(review): the CAP export's wifi comments say "traffic processing on CAP", i.e.
# these datapath settings are applied on the CAP itself, so bridge=bridge has to name
# a bridge that exists there. The CAP export only has a bridge called "bridgeLocal".
# That mismatch would explain wifi clients associating but never getting a lease, and
# why the post's workaround traffic-processing=on-capsman-secure (bridged here on the
# manager, where "bridge" exists) works. Confirm against the CAP's wifi/bridge logs
# before changing anything.
add bridge=bridge comment=TRUST disabled=no name=datapath-trust vlan-id=10
# client-isolation only keeps DMZ wifi clients apart from each other; it does not
# restrict DMZ<->TRUST (see the forward rules below).
add bridge=bridge client-isolation=yes comment=DMZ disabled=no name=datapath-dmz vlan-id=11

/interface wifi security
add authentication-types=wpa3-psk comment=TRUST disabled=no name=\
    sec-PulziZyxel wps=disable
# NOTE(review): encryption="" is set explicitly on the DMZ profile; confirm what the CAP
# actually negotiates for wpa2-psk/wpa3-psk clients with an empty value.
add authentication-types=wpa2-psk,wpa3-psk comment=DMZ disabled=no \
    encryption="" name=sec-PulziOut wps=disable

/interface wifi configuration
add channel=5GHZ::CH128 comment="TRUST (Pulzi-5G)" country=Italy datapath=\
    datapath-trust disabled=no mode=ap name=cfg-trust security=sec-PulziZyxel \
    ssid=Pulzi-5G
# DMZ SSID pinned to 2ghz-n, one TX chain, 8 dBm -- presumably a deliberate short-range
# guest setup; the provisioning rule below still lists 2ghz-ax as the supported band.
add channel=2GHZ::AUTO channel.band=2ghz-n comment="DMZ (PulziOut)" country=\
    Italy datapath=datapath-dmz disabled=no mode=ap name=cfg-dmz security=\
    sec-PulziOut ssid=PulziOut tx-chains=0 tx-power=8

/ip pool
# trust-pool holds only 10 dynamic addresses (.20-.29); an exhausted pool would also
# present as failed leases, so check the lease table when debugging.
add comment=TRUST name=trust-pool ranges=172.16.20.20-172.16.20.29
add comment=DMZ name=dmz-pool ranges=172.16.21.3-172.16.21.29

/ip dhcp-server
# Both servers listen on the VLAN interfaces; wifi clients only reach them if their
# frames arrive tagged 10/11 on this bridge.
add address-pool=trust-pool comment=TRUST interface=TRUST lease-time=1d name=dhcp-trust
add address-pool=dmz-pool comment=DMZ interface=DMZ lease-time=2h name=dhcp-dmz

/interface bridge port
# Access ports: ether5 in TRUST (pvid 10), ether6-8 in DMZ (pvid 11).
add bridge=bridge comment=trust frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge comment=dmz frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=11
add bridge=bridge comment=dmz frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 pvid=11
add bridge=bridge comment=dmz frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8 pvid=11
# Tagged-only trunks; ether4 faces the CAP, whose ether1 is configured the same way.
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=\
    ether3
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=\
    ether4
# sfp-sfpplus1 is disabled above; this trunk entry has no frame-types restriction.
add bridge=bridge comment=trunk interface=sfp-sfpplus1

/ip neighbor discovery-settings
set discover-interface-list=MGMT

/interface bridge vlan
# VLANs 10/11 are tagged on "bridge" itself so the TRUST/DMZ L3 interfaces work. No wifi
# interface is listed here -- with processing on the CAP they are bridged there, not here.
add bridge=bridge comment=TRUST tagged=bridge,sfp-sfpplus1,ether3,ether4 \
    untagged=ether5 vlan-ids=10
add bridge=bridge comment=DMZ tagged=bridge,ether3,sfp-sfpplus1,ether4 \
    untagged=ether6,ether7,ether8 vlan-ids=11

/interface list member
# wg-fireloop is referenced below but not defined anywhere in this excerpt.
# MGMT includes the whole TRUST VLAN, so the winbox input rule is reachable from every
# TRUST client, not only from ether2 / the WireGuard peer.
add interface=ether1 list=WAN
add interface=TRUST list=LAN
add interface=wg-fireloop list=HWG
add interface=wg-fireloop list=MGMT
add interface=TRUST list=MGMT
add interface=wg-fireloop list=LAN
add interface=DMZ list=LAN
add interface=ether2 list=MGMT
add interface=ether2 list=LAN

/interface wifi capsman
# Manager listens on the TRUST VLAN interface; this matches the CAP's
# caps-man-addresses=172.16.20.1 / discovery-interfaces=TRUST.
set enabled=yes interfaces=TRUST

/interface wifi provisioning
add action=create-dynamic-enabled comment=TRUST disabled=no \
    master-configuration=cfg-trust name-format=W5_D01 supported-bands=5ghz-ax
add action=create-dynamic-enabled comment=DMZ disabled=no \
    master-configuration=cfg-dmz name-format=W2_D01 supported-bands=2ghz-ax

/ip address
add address=172.16.20.1/27 comment=TRUST interface=TRUST network=172.16.20.0
add address=172.16.21.1/27 comment=DMZ interface=DMZ network=172.16.21.0
# Out-of-band management link on ether2 (not a bridge port).
add address=172.16.99.1/30 interface=ether2 network=172.16.99.0

/ip dhcp-client
# WAN address via DHCP; use-peer-dns=no, so the router resolves via the servers in /ip dns.
add comment=Shield interface=ether1 use-peer-dns=no

/ip dhcp-server lease
# Static lease for the CAP's own management address (it runs a dhcp-client on its TRUST
# VLAN). .30 lies outside the dynamic pool, which is fine for a static lease.
# mac-address is blank here -- presumably redacted for the post.
add address=172.16.20.30 comment="wAP AX - Dragon01" mac-address= server=dhcp-trust

/ip dhcp-server network
# TRUST clients get DNS at .20.2 / .10.2 / .0.2; the last two are not in any subnet of
# this export (reachable via wg-fireloop?). DMZ clients resolve through the router itself,
# which relies on the input-chain DNS accepts below.
add address=172.16.20.0/27 comment=TRUST dns-server=172.16.20.2,172.16.10.2,172.16.0.2 domain=forttrust gateway=172.16.20.1 netmask=27
add address=172.16.21.0/27 comment=DMZ dns-server=172.16.21.1 domain=fortdmz gateway=172.16.21.1 netmask=27

/ip dns
# Remote requests are enabled; exposure is bounded by the input chain, which accepts
# port 53 only from the LAN list and then drops everything else.
set allow-remote-requests=yes cache-size=35000KiB servers=1.1.1.1,1.0.0.1

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# Winbox limited to the MGMT list (ether2, wg-fireloop and the whole TRUST VLAN).
add action=accept chain=input comment="Admin access" dst-port=8291 \
    in-interface-list=MGMT protocol=tcp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=LAN \
    protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp

# Disabled in this export although the post says it was tried; the post also reports
# the CAP binds to the manager regardless, so CAP registration is not what is broken.
add action=accept chain=input comment="CAPsMAN control+data" disabled=yes \
    dst-port=5246,5247 protocol=udp

# No accept for UDP 123 above, so the local NTP server configured further down is not
# reachable from LAN clients.
add action=drop chain=input comment="DROP ALL ELSE"
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
# DMZ is a member of LAN, so it gets Internet access through this rule as well.
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow intercomm WG" \
    in-interface-list=HWG out-interface-list=MGMT
add action=accept chain=forward in-interface-list=MGMT out-interface-list=HWG
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
# NOTE(review): the comment says "Drop", but this rule and the next are both action=accept,
# so TRUST<->DMZ traffic is currently permitted in both directions. If the two networks
# are meant to be segregated, these should be action=drop (DMZ->TRUST in particular);
# the DMZ datapath's client-isolation does not cover inter-VLAN traffic.
add action=accept chain=forward comment="Drop TRUST <-> DMZ" in-interface=\
    TRUST out-interface=DMZ
add action=accept chain=forward in-interface=DMZ out-interface=TRUST
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="DROP ALL ELSE"

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
# Default-config IPv6 ruleset with a custom final drop on both chains. This is the part
# toggled by the post's "disable IPv6" experiment. The forward chain has no accept for
# new outbound connections from LAN, so IPv6 forwarding is limited to
# ICMPv6/HIP/IKE/IPsec -- fine if that is intended.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="DROP ALL ELSE"
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="DROP ALL ELSE"

/system clock
set time-zone-name=Europe/Rome

/system identity
# Identity is what the CAP pins with caps-man-names=DragonKeep.
set name=DragonKeep

/system ntp client
set enabled=yes

/system ntp server
# Enabled, but the IPv4 input chain does not accept UDP 123 (see above).
set use-local-clock=yes

/system ntp client servers
add address=0.it.pool.ntp.org
add address=1.it.pool.ntp.org
add address=2.it.pool.ntp.org
add address=3.it.pool.ntp.org
add address=0.europe.pool.ntp.org
add address=1.europe.pool.ntp.org

/tool mac-server
# MAC telnet / MAC winbox restricted to the MGMT list (which includes the TRUST VLAN).
set allowed-interface-list=MGMT

/tool mac-server mac-winbox
set allowed-interface-list=MGMT

CAP (RouterOS 7.21.3):

# model = wAPG-5HaxD2HaxD
# CAP export as pasted in the post. There is no bridge named "bridge" on this device,
# while the manager's datapaths reference bridge=bridge -- that matters as long as traffic
# is processed on the CAP (see the generated wifi comments below).
/interface bridge
add admin-mac=04:F4:1C:C0:87:60 auto-mac=no name=bridgeLocal vlan-filtering=yes
/interface ethernet
# ether2 is disabled but still configured as an untagged VLAN 10 port below; harmless.
set [ find default-name=ether2 ] disabled=yes

/interface vlan
# TRUST carries the CAP's own management address (dhcp-client at the bottom).
add interface=bridgeLocal name=DMZ vlan-id=11
add interface=bridgeLocal name=TRUST vlan-id=10

/interface wifi
# The "managed by CAPsMAN" lines are generated by RouterOS and reflect the state at
# export time: traffic processing on the CAP, i.e. the manager's datapath (bridge /
# vlan-id) settings are applied locally on this device. datapath=*1 is an unresolved /
# dynamic reference rather than a named datapath. wifi2 reports 5220 although the manager
# pins 5640 -- presumably a post-DFS move; confirm.
# managed by CAPsMAN 04:F4:1C:1A:91:2F%TRUST, traffic processing on CAP
# mode: AP, SSID: PulziOut, channel: 2452/n
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=*1 disabled=no
# managed by CAPsMAN 04:F4:1C:1A:91:2F%TRUST, traffic processing on CAP
# mode: AP, SSID: Pulzi-5G, channel: 5220/ax/eeCeeeee/DI
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=*1 disabled=no

/interface bridge port
# ether1 is the tagged trunk back to the manager (its ether4, "to Dragon01").
add bridge=bridgeLocal comment=trunk frame-types=admit-only-vlan-tagged \
    interface=ether1
add bridge=bridgeLocal comment=trust frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10

/interface bridge vlan
# Static VLAN table covers only ether1/ether2. The wifi interfaces are not listed, so with
# vlan-filtering=yes their VLAN 10/11 membership has to come from whatever the datapath
# vlan-id provisions dynamically -- check for dynamic entries on the CAP when clients
# associate but get no lease.
add bridge=bridgeLocal comment=TRUST tagged=bridgeLocal,ether1 untagged=ether2 vlan-ids=10
add bridge=bridgeLocal comment=DMZ tagged=bridgeLocal,ether1 vlan-ids=11

# Points at the manager's TRUST address and identity (172.16.20.1 / DragonKeep);
# discovery runs on the TRUST VLAN.
/interface wifi cap set caps-man-addresses=172.16.20.1 caps-man-names=DragonKeep discovery-interfaces=TRUST enabled=yes

# Management address from the manager's dhcp-trust server (static lease .30 there).
/ip dhcp-client add interface=TRUST

/system clock set time-zone-name=Europe/Rome

/system identity set name=Dragon01

Of course I’ve already reverted the IPv6 configuration; it is active again.

I’ve also tried restoring a five-day-old backup that includes the latest configuration changes, on both devices, but nothing has changed.

I’ve been able to “solve” it by using this setting on both datapaths:

traffic-processing=on-capsman-secure

I can’t understand why…

Unfortunately, the performance is really bad!

Hmmm:

Point #21:
GP & CSA for Mikrotik devices


Dammnnn… Thank you so much!