Disconnects/unable to connect to CAPsMAN controlled WiFi

Hello all.

We are diving deep into Mikrotik devices, so the next step is setting up a stable CAPsMAN controlled WiFi. The CCR1072-1G-8S+ unit is our main router and CAPsMAN provider, while the APs are the standard wAP device (RBwAP2nD). I set up 2 wireless vlans for internal office use and guest use. Unfortunately I had trouble from the get-go with my testing machine getting a DHCP IP but not being able to reach anything. Others didn’t see the same issue so I assumed it was a fluke. Now that the wireless networks have been deployed, I am getting complaints of clients disconnecting pretty regularly or not being able to reach servers/internet. Checking the logs, I’m seeing multiple disconnect messages (extensive data loss, received disassoc: sending station leaving, received deauth: unspecified, group key timeout). I’m not sure if one of these in particular is the culprit or what. Here’s the wireless related configuration.

Thanks.

# sep/19/2017 16:24:22 by RouterOS 6.38.1
# software id = 7YIZ-4D96
#
# CAPsMAN channel profile. Only a name is set in this export; no frequency,
# band or width is pinned here.
/caps-man channel
add name=AutoChannel
# Two bridges: one for phones, one that carries both wireless VLANs.
/interface bridge
add name=PhoneBridge
add name=WiFiBridge
# Physical port renames. sfpplus1-Lab and sfpplus8 are later added as ports of
# WiFiBridge (see "/interface bridge port").
/interface ethernet
set [ find default-name=ether1 ] name=WAN
set [ find default-name=sfp-sfpplus1 ] comment=Lab-10G name=sfpplus1-Lab
set [ find default-name=sfp-sfpplus2 ] comment="Bottom 11 subnet" name=sfpplus2-Basement11
set [ find default-name=sfp-sfpplus3 ] name=sfpplus3
set [ find default-name=sfp-sfpplus4 ] name=sfpplus4
set [ find default-name=sfp-sfpplus5 ] name=sfpplus5
set [ find default-name=sfp-sfpplus6 ] name=sfpplus6
set [ find default-name=sfp-sfpplus7 ] name=sfpplus7
set [ find default-name=sfp-sfpplus8 ] comment="All other subnets" name=sfpplus8
# Layer-3 interfaces for the two wireless networks: VLAN 7 (office) and
# VLAN 10 (guest), both riding on the same bridge. They are separated by the
# VLAN tag and the firewall rules, not by separate bridges.
/interface vlan
add interface=WiFiBridge name=WiFi vlan-id=7
add interface=WiFiBridge name=WiFi_Guest vlan-id=10
# Datapaths: client frames are tagged (VLAN 7 office, VLAN 10 guest) and put on
# WiFiBridge. local-forwarding and client-to-client-forwarding are not set in
# this export, so their defaults apply.
# NOTE(review): confirm the defaults match the intent, in particular that guest
# clients are not meant to reach each other.
/caps-man datapath
add bridge=WiFiBridge name=WiFi_Datapath vlan-id=7 vlan-mode=use-tag
add bridge=WiFiBridge name=WiFi_Guest_datapath vlan-id=10 vlan-mode=use-tag
# WPA2-PSK with AES-CCM on both SSIDs.
# NOTE(review): "password" / "guestpassword" look like placeholders substituted
# before posting; if they are the real passphrases they are trivially guessable
# and should be rotated. When sharing a config, "/export hide-sensitive" keeps
# secrets out of the output.
# A single shared PSK on the office SSID means anyone holding it lands on
# VLAN 7; rotate it when staff leave.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=WiFi_Security passphrase=password
add authentication-types=wpa2-psk encryption=aes-ccm name=WiFi_Guest_Security passphrase=guestpassword
# One configuration per SSID, each tying together the channel profile, its
# datapath (and therefore its VLAN) and its security profile.
/caps-man configuration
add channel=AutoChannel country="united states" datapath=WiFi_Datapath mode=ap name=WiFi_Config security=\
    WiFi_Security ssid=WiFi
add channel=AutoChannel country="united states" datapath=WiFi_Guest_datapath mode=ap name=WiFi_Guest_Config \
    security=WiFi_Guest_Security ssid=Guest
# Default local wireless security profile; only the supplicant identity is set.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): the default IPsec proposal offers only 3DES, a legacy
# 64-bit-block cipher. If IPsec is in use (a VPN subnet appears under
# "/ip address"), prefer an AES algorithm such as aes-256-cbc where the peers
# support it.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
# Address pools for the office (192.168.7.0/24) and guest (192.168.10.0/24)
# wireless networks.
/ip pool
add name=WiFi_DHCP_Pool ranges=192.168.7.100-192.168.7.199
add name=WiFi_Guest_DHCP_Pool ranges=192.168.10.100-192.168.10.199
# DHCP servers bound to the two VLAN interfaces; guest leases are shorter (1h)
# than office leases (4h).
/ip dhcp-server
add address-pool=WiFi_DHCP_Pool disabled=no interface=WiFi lease-time=4h name=WiFi_DHCP
add address-pool=WiFi_Guest_DHCP_Pool disabled=no interface=WiFi_Guest lease-time=1h name=WiFi_Guest_DHCP
# Empty section: this export appears to have been trimmed before posting.
/queue simple
# NOTE(review): the default SNMP community is renamed to "snmp", which is as
# guessable as the factory name, and no source-address restriction is shown.
# Whether SNMP is enabled is not visible here; if it is, restrict the community
# to the monitoring hosts and keep it read-only.
/snmp community
set [ find default=yes ] name=snmp
# Empty section (see note on "/queue simple").
/user group
# Single access-list rule matching every signal level (-120..120) at all times,
# with no MAC or interface match and no explicit action.
# NOTE(review): as written this appears to admit every client unconditionally,
# so it neither filters stations nor drops weak ones; confirm that is intended.
/caps-man access-list
add disabled=no signal-range=-120..120 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
# Manager enabled with auto-generated CA and certificate.
# NOTE(review): require-peer-certificate is not set in this export, so CAPs are
# presumably not required to present a certificate signed by this CA. Confirm,
# and consider enabling it once every AP holds a certificate.
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
# Provisioning rule with no radio-mac or other matcher: every radio that joins
# gets the office SSID as master and the guest SSID as slave.
# NOTE(review): together with the manager note above, any CAP that can reach
# the manager would be handed both configurations; consider matching the known
# AP radios explicitly.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=WiFi_Config slave-configurations=WiFi_Guest_Config
# Bridge membership. PhoneSFP1 and PhoneSFP8 are not defined in the posted part
# of the export.
# NOTE(review): sfpplus8 ("All other subnets") and sfpplus1-Lab are ports of
# WiFiBridge, so tagged VLAN 7 and VLAN 10 (guest) frames are bridged onto those
# links at layer 2. IP firewall forward rules normally do not see bridged
# traffic, so verify what listens for VLAN 10 on those ports.
/interface bridge port
add bridge=PhoneBridge interface=PhoneSFP1
add bridge=PhoneBridge interface=PhoneSFP8
add bridge=WiFiBridge interface=sfpplus8
add bridge=WiFiBridge interface=sfpplus1-Lab
# Router addresses per segment. Interfaces Bottom, Top, Lab_4, Mez and VPN are
# not defined in the posted part of the export.
# NOTE(review): 192.1.x.0/24 is outside the RFC 1918 private ranges
# (192.168.0.0/16 is the private block). These look like public prefixes reused
# internally; confirm that is deliberate.
/ip address
add address=192.1.1.1/24 interface=Bottom network=192.1.1.0
add address=192.1.2.1/24 interface=Top network=192.1.2.0
add address=192.1.4.1/24 interface=Lab_4 network=192.1.4.0
add address=192.1.3.1/24 interface=Mez network=192.1.3.0
add address=192.168.7.1/24 interface=WiFi network=192.168.7.0
add address=192.168.9.1/24 interface=VPN network=192.168.9.0
add address=192.168.10.1/24 interface=WiFi_Guest network=192.168.10.0
# Static leases pinning each access point to .250 on its wired segment.
# NOTE(review): the Mez and Lab entries carry no server= while Top and Bottom
# do; confirm the difference is intended.
/ip dhcp-server lease
add address=192.1.3.250 client-id=1:e4:8d:8c:5c:12:78 comment="Mikrotik AP - Mez" mac-address=E4:8D:8C:5C:12:78
add address=192.1.2.250 client-id=1:e4:8d:8c:5f:f8:14 comment="Mikrotik AP - Top" mac-address=E4:8D:8C:5F:F8:14 \
    server=Top_DHCP
add address=192.1.4.250 client-id=1:e4:8d:8c:5e:db:68 comment="Mikrotik AP - Lab" mac-address=E4:8D:8C:5E:DB:68
add address=192.1.1.250 client-id=1:e4:8d:8c:64:b6:16 comment="Mikrotik AP - Bottom" mac-address=E4:8D:8C:64:B6:16 \
    server=Bottom_DHCP
# DHCP options per network.
# NOTE(review): the first entry and every wins-server use 129.1.3.x, while the
# matching router address is 192.1.3.1; this may be a typo for 192.1.3.x or a
# leftover range, so confirm. 192.168.2.0/24 and 192.168.8.0/24 have no
# matching entry in the posted "/ip address" list.
# Office WiFi (192.168.7.0/24) is given the internal resolver 192.1.11.2; guest
# (192.168.10.0/24) is given only 8.8.8.8 and no WINS, so guests do not depend
# on internal name services.
/ip dhcp-server network
add address=129.1.3.0/24 gateway=129.1.3.1
add address=192.1.1.0/24 dns-server=192.1.11.2,192.1.1.1 domain= gateway=192.1.1.1 wins-server=\
    129.1.3.10
add address=192.1.2.0/24 dns-server=192.1.11.2,192.1.2.1 domain= gateway=192.1.2.1 wins-server=\
    129.1.3.10
add address=192.1.3.0/24 dns-server=192.1.11.2,192.1.3.1 domain= gateway=192.1.3.1 wins-server=\
    129.1.3.10
add address=192.1.4.0/24 dns-server=192.1.11.2,192.1.4.1 domain= gateway=192.1.4.1 wins-server=\
    129.1.3.10
add address=192.168.2.0/24 dns-server=192.1.11.2 domain= gateway=192.168.2.1 wins-server=129.1.3.10
add address=192.168.7.0/24 dns-server=192.1.11.2 domain= gateway=192.168.7.1 wins-server=129.1.3.10
add address=192.168.8.0/24 dns-server=192.1.11.2 domain= gateway=192.168.8.1 netmask=24 wins-server=\
    129.1.3.10
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1 netmask=24
# The router acts as a caching resolver for clients, forwarding to the listed
# upstream servers.
# NOTE(review): allow-remote-requests=yes answers DNS on every interface unless
# the input chain blocks port 53. No such rule appears in the posted filter
# list, so verify that udp/tcp 53 is dropped on WAN and, if intended, on
# WiFi_Guest.
/ip dns
set allow-remote-requests=yes servers=75.75.75.75,75.75.76.76,8.8.8.8
# NOTE(review): no address-list entries are present in this export, yet the
# first filter rule below matches src-address-list=WiFiGuest_Subnet. If the
# list really is empty, that drop never matches and guest traffic to internal
# subnets is not blocked. The export may simply be trimmed; otherwise add
# 192.168.10.0/24 to the list or match in-interface=WiFi_Guest instead.
/ip firewall address-list
# Guest isolation rules. Only these two rules are posted; no
# established/related handling or WAN input protection is visible.
# Rule 1: drop forwarded guest traffic unless it leaves through WAN (depends on
# the address list noted above).
# Rule 2: drop guest access to the router on tcp 80, 22 and 23 only.
# NOTE(review): other management services (Winbox 8291, API 8728/8729,
# www-ssl 443, FTP 21), if enabled, would remain reachable from the guest VLAN.
# Allowing only what guests need on input (DHCP, and DNS if served by the
# router) and dropping the rest from in-interface=WiFi_Guest is more robust
# than a port blocklist.
/ip firewall filter
add action=drop chain=forward comment="Block WiFi Guest from Network" out-interface=!WAN src-address-list=\
    WiFiGuest_Subnet
add action=drop chain=input comment="Block WiFi Guests from accessing router website" dst-port=80,22,23 \
    in-interface=WiFi_Guest protocol=tcp