Ether2 as untagged (access port) on CapAX in CAPSMAN mode running wifi-qcom?

Hi,
I'm a bit puzzled, trying to utilize the second Ethernet port on one of my two cAP ax APs.

My goal: wire my Sonos Play:1 (which is mounted right next to the CAP (AP2)) to ether2 of the CAP, so it gets an IP via the VLAN20 DHCP server running on the RB5009.
My Issue: I’m using VLANs.
VLAN10 - WIFI/Trusted for all regular devices in my network
VLAN20 - IoT for all IoT Devices
VLAN50 - Management VLAN for accessing router/AP

In the MikroTik documentation for the MWE (minimal working example) using CAPsMAN with cAP ax, the CAP does not do any VLAN filtering on its bridge:

/interface bridge
add name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add interface=bridgeLocal disabled=no

So how do I achieve this then? I created the datapath on the RB5009 (CAPsMAN), and the configuration is working properly on both cAPs (client traffic is correctly channeled through VLAN10 and VLAN20 for WiFi/IoT devices).

Since the CAP bridge has no VLAN filtering enabled, I use VLAN50 for management.
CAP (AP2):

/interface bridge
add admin-mac=[REDACTED] auto-mac=no name=BR-MAIN
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - Router"
set [ find default-name=ether2 ] name="ether2 - Sonos" poe-out=off
/interface vlan
add interface=BR-MAIN name=VLAN50_MGMT vlan-id=50
/interface wifi datapath
add bridge=BR-MAIN disabled=no name=DP_MAIN
/interface bridge port
add bridge=BR-MAIN interface="ether2 - Sonos" pvid=20
add bridge=BR-MAIN interface=wifi1
add bridge=BR-MAIN interface=wifi2
add bridge=BR-MAIN interface="ether1 - Router"
/interface bridge vlan
add bridge=BR-MAIN tagged="ether1 - Router,BR-MAIN" vlan-ids=50
add bridge=BR-MAIN tagged="ether1 - Router,BR-MAIN" untagged="ether2 - Sonos" vlan-ids=20

My Capsman (RB5009) relevant config:

/interface bridge vlan
add bridge=BR-MAIN comment=Management tagged="BR-MAIN,ether2 - AP1,ether3 - AP2" vlan-ids=50
add bridge=BR-MAIN comment=IoT tagged="BR-MAIN,ether2 - AP1,ether3 - AP2" \
    untagged="ether4 - Printer,ether5 - Zigbee,ether7 - Home Assistant" \
    vlan-ids=20
add bridge=BR-MAIN comment=WiFi tagged="BR-MAIN,ether2 - AP1,ether3 - AP2" \
    untagged="ether8 - Office" vlan-ids=10

Tried to enable VLAN filtering on the CAP bridge, but either it disconnects me (safe mode rolls back, so I'm not locked out), or DHCP/DNS requests from clients are not passed through.
Can anybody give me a hint what I'm missing?

Cleaned up the initial posting :slight_smile: Hope it's a bit more concise and clear what the issue is.
Is my assumption correct that I might have to reconfigure the APs like the cAP ac example (i.e. not use datapath VLAN assignment on CAPsMAN)?

No.

That's to be expected. On activation of VLAN filtering you will be disconnected temporarily.

Your filtering config on the CAP seems fine, so if clients don't get a DHCP IP you might have an issue with your wifi config.
Also check what your bridge on the CAP says for VLAN IDs on the wifi interfaces AFTER you enable VLAN filtering.

P.S. It's always recommended to post the full config.

Hi,
thanks for your reply.
I'm running all devices on 7.19.1.
I’ll post the configuration from my CAPsMAN:

/interface bridge
add admin-mac=xxxx auto-mac=no frame-types=admit-only-vlan-tagged name=BR-MAIN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN" poe-out=off
set [ find default-name=ether2 ] name="ether2 - AP1"
set [ find default-name=ether3 ] name="ether3 - AP2"
set [ find default-name=ether4 ] name="ether4 - Printer" poe-out=off
set [ find default-name=ether5 ] name="ether5 - Zigbee"
set [ find default-name=ether6 ] disabled=yes poe-out=off
set [ find default-name=ether7 ] name="ether7 - Home Assistant"
set [ find default-name=ether8 ] name="ether8 - Office" poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=BR-MAIN name=VLAN10_WIFI vlan-id=10
add interface=BR-MAIN name=VLAN20_IOT vlan-id=20
add interface=BR-MAIN name=VLAN50_MGMT vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add disabled=no frequency=2412 name="CH 1 (2412)" width=20mhz
add disabled=no frequency=2437 name="CH 6 (2437)" width=20mhz
add disabled=no frequency=2462 name="CH 11(2462)" width=20mhz
add disabled=no frequency=5180 name="CH 36 (5180)" width=20/40/80mhz
add disabled=no frequency=5260 name="CH 52 (5260)" width=20/40/80mhz
add disabled=no frequency=5500 name="CH 100 (5500)" width=20/40/80mhz
add disabled=no frequency=5680 name="CH 136 (5680)" width=20/40/80mhz
add disabled=no frequency=5745 name="CH 149 (5745) SRD" width=20/40/80mhz
/interface wifi datapath
add bridge=BR-MAIN disabled=no name=DP_WIFI vlan-id=10
add bridge=BR-MAIN disabled=no name=DP_IOT vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk disabled=no encryption="" ft=yes ft-mobility-domain=0x100 ft-over-ds=yes name=SEC_WIFI wps=disable
add authentication-types=wpa2-psk disabled=no ft=no ft-over-ds=no name=SEC_IOT wps=disable
/interface wifi configuration
add channel="CH 36 (5180)" channel.skip-dfs-channels=all country=Austria datapath=DP_WIFI disabled=no name=WIFI-AP1-CH36 security=SEC_WIFI security.ft-preserve-vlanid=yes ssid=Owcahome
add channel="CH 52 (5260)" channel.skip-dfs-channels=10min-cac country=Austria datapath=DP_WIFI disabled=no name=WIFI-AP2-CH52 security=SEC_WIFI security.ft-preserve-vlanid=yes ssid=Owcahome
add channel="CH 1 (2412)" channel.skip-dfs-channels=all country=Austria datapath=DP_IOT disabled=no name=IOT-AP1-CH1 security=SEC_IOT ssid=IoT
add channel="CH 6 (2437)" channel.skip-dfs-channels=all country=Austria datapath=DP_IOT disabled=no name=IOT-AP2-CH6 security=SEC_IOT ssid=IoT
/ip pool
add name=POOL_WIFI ranges=10.10.10.2-10.10.10.254
add name=POOL_MGMT ranges=10.10.50.2-10.10.50.254
add name=POOL_IOT ranges=10.10.20.2-10.10.20.254
/ip dhcp-server
add address-pool=POOL_WIFI interface=VLAN10_WIFI lease-time=1d name=DHCP_WIFI
add address-pool=POOL_MGMT interface=VLAN50_MGMT lease-time=1d name=DHCP_MGMT
add address-pool=POOL_IOT interface=VLAN20_IOT lease-time=1d name=DHCP_IOT
/interface bridge port
add bridge=BR-MAIN comment="AP Kitchen" frame-types=admit-only-vlan-tagged interface="ether2 - AP1"
add bridge=BR-MAIN comment="AP Playroom" frame-types=admit-only-vlan-tagged interface="ether3 - AP2"
add bridge=BR-MAIN comment="Printer" frame-types=admit-only-untagged-and-priority-tagged interface="ether4 - Printer" pvid=20
add bridge=BR-MAIN comment="Zigbee Gateway" frame-types=admit-only-untagged-and-priority-tagged interface="ether5 - Zigbee" pvid=20
add bridge=BR-MAIN comment=unused disabled=yes interface=ether6
add bridge=BR-MAIN comment="Home Assistant" frame-types=admit-only-untagged-and-priority-tagged interface="ether7 - Home Assistant" pvid=20
add bridge=BR-MAIN comment=Office frame-types=admit-only-untagged-and-priority-tagged interface="ether8 - Office" pvid=10
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BR-MAIN comment=Management tagged="BR-MAIN,ether2 - AP1,ether3 - AP2" vlan-ids=50
add bridge=BR-MAIN comment=IoT tagged="BR-MAIN,ether2 - AP1,ether3 - AP2" untagged="ether4 - Printer,ether5 - Zigbee,ether7 - Home Assistant" vlan-ids=20
add bridge=BR-MAIN comment=Main tagged="BR-MAIN,ether2 - AP1,ether3 - AP2" untagged="ether8 - Office" vlan-ids=10
/interface list member
add comment=defconf interface=VLAN10_WIFI list=LAN
add comment=defconf interface="ether1 - WAN" list=WAN
add interface=VLAN20_IOT list=LAN
add interface=VLAN50_MGMT list=LAN
add interface=VPN list=LAN

/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=VLAN50_MGMT package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled comment="5 GHZ WIFI - AP1 CH36" disabled=no master-configuration=WIFI-AP1-CH36 name-format=Wifi-%I radio-mac=xxx slave-configurations="" supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="2.4 GHZ IOT - AP1 CH1" disabled=no master-configuration=IOT-AP1-CH1 name-format=IoT-%I radio-mac=xxx slave-configurations="" supported-bands=2ghz-g
add action=create-dynamic-enabled comment="5GHZ WIFI - AP2 CH100" disabled=no master-configuration=WIFI-AP2-CH52 name-format=Wifi-%I radio-mac=xxx supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="2.4GHZ - AP2 CH6" disabled=no master-configuration=IOT-AP2-CH6 name-format=IoT-%I radio-mac=xxx supported-bands=2ghz-g

/ip address
add address=10.10.10.1/24 interface=VLAN10_WIFI network=10.10.10.0
add address=10.10.20.1/24 interface=VLAN20_IOT network=10.10.20.0
add address=10.10.50.1/24 interface=VLAN50_MGMT network=10.10.50.0
add address=10.10.99.1/24 comment=VPN interface=VPN network=10.10.99.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf interface="ether1 - WAN"
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.50.0/24 gateway=10.10.50.1
/ip dns
set allow-remote-requests=yes cache-size=20480KiB mdns-repeat-ifaces=VLAN10_WIFI,VLAN20_IOT
/ip dns adlist
add ssl-verify=no url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.10.10.0/24 list=Wifi
add address=10.10.20.20 list=SONOS
add address=10.10.20.21 list=SONOS
add address=10.10.20.22 list=SONOS
add address=10.10.20.23 list=SONOS
add address=10.10.20.24 list=SONOS
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow Wireguard" dst-port=31337 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Wifi LAN to Sonos" dst-address-list=SONOS dst-port=1400,3400,3401,3500,4070,4444 port="" protocol=tcp src-address-list=Wifi
add action=accept chain=forward comment="Wifi LAN to Sonos (UDP)" dst-address-list=SONOS dst-port=1900,1901,2869,10243,10280,5353,6969 protocol=udp src-address-list=Wifi
add action=accept chain=input comment="Allow mDNS" dst-address=224.0.0.251 dst-port=5353 log-prefix=mDNS protocol=udp src-port=5353
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip service
set ftp disabled=yes
set telnet disabled=yes
set www-ssl disabled=no
set api address=10.10.20.2/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add interface=VLAN10_WIFI type=internal
add interface=VLAN20_IOT type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/system clock
set time-zone-name=Europe/Vienna
/system logging
set 0 topics=info,!wireguard
add topics=wireless,info
add topics=debug,poe-out

/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

In the meantime, I removed the wifi interfaces from the bridge on the CAP and adjusted the VLAN filtering (only admit tagged traffic wherever necessary) on CAPsMAN and CAP; still not working properly. When I enable VLAN filtering on the CAP bridge, clients no longer receive a DHCP lease. I stay connected on the CAP, and tagged/untagged is populated on the bridge. Maybe I just don't see it :wink:

CAP (AP2) config:

/interface bridge
add admin-mac=xxx auto-mac=no name=BR-MAIN
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - Router"
set [ find default-name=ether2 ] disabled=yes name="ether2 - Sonos" poe-out=off
/interface vlan
add interface=BR-MAIN name=VLAN50_MGMT vlan-id=50
/interface list
add comment=defconf name=LAN
/interface wifi datapath
add bridge=BR-MAIN disabled=no name=DP_MAIN
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.manager=capsman .mode=ap .ssid=MikroTik-F8B834 datapath=DP_MAIN disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.manager=capsman .mode=ap .ssid=MikroTik-F8B835 datapath=DP_MAIN disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface bridge port
add bridge=BR-MAIN interface="ether2 - Sonos" pvid=20 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR-MAIN frame-types=admit-only-vlan-tagged interface="ether1 - Router"
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BR-MAIN comment="Trunk Port" tagged="ether1 - Router,BR-MAIN" vlan-ids=10,50
add bridge=BR-MAIN comment=Sonos tagged="BR-MAIN,ether1 - Router" untagged="ether2 - Sonos Playroom" vlan-ids=20
/interface list member
add interface=BR-MAIN list=LAN
add interface=VLAN50_MGMT list=LAN
/interface wifi cap
set discovery-interfaces=VLAN50_MGMT enabled=yes slaves-datapath=DP_MAIN
/ip dhcp-client
add interface=VLAN50_MGMT
/ip dns
set allow-remote-requests=yes
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=AP2
/system leds settings
set all-leds-off=immediate
/system routerboard mode-button
set on-event=dark-mode
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
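
Bridge VLAN tables like the ones above are easy to mistype by hand, and the static entries in an export are all there is to check before `vlan-filtering=yes` is flipped. As an added example (not from the original post and not MikroTik code), here is a small Python linter that parses the `/interface bridge port`, `/interface bridge vlan` and `/interface vlan` sections of a RouterOS export and reports the mismatches that matter once filtering is on: a tagged/untagged member that is not a port of that bridge, an access port whose pvid disagrees with the static untagged lists, and a VLAN interface on the bridge whose VLAN does not have the bridge itself as a tagged member. The sample export embedded in it is constructed for the demo; its port names and the typo in it are illustrative, not a diagnosis of the poster's setup.

```python
"""Linter for the bridge VLAN sections of a RouterOS export. Added example, not
MikroTik code; only static entries are checked (dynamic pvid entries exist only at runtime)."""
import shlex
from collections import defaultdict


def _logical_lines(text):
    """Yield non-empty lines, joining RouterOS '\\' continuation lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""


def parse_export(text):
    """Map '/section path' -> list of {key: value} dicts built from its 'add' lines."""
    sections, current = defaultdict(list), None
    for line in _logical_lines(text):
        if line.startswith("/"):
            current = line
            continue
        tokens = shlex.split(line)  # keeps "ether2 - Sonos" as one token
        if current is None or not tokens or tokens[0] != "add":
            continue
        sections[current].append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return sections


def _csv(val):
    return [v.strip() for v in val.split(",") if v.strip()]


def _vlan_ids(val):
    """'10,50' -> [10, 50]; '100-102' -> [100, 101, 102]."""
    ids = []
    for part in _csv(val):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def check_bridge_vlans(text):
    """Return human-readable findings; an empty list means the tables agree."""
    sec, findings = parse_export(text), []
    ports = defaultdict(dict)  # bridge -> {port name: port entry}
    for p in sec["/interface bridge port"]:
        ports[p.get("bridge", "")][p["interface"]] = p

    # bridge -> vlan id -> {"tagged": set(), "untagged": set()}, static entries only
    static = defaultdict(lambda: defaultdict(lambda: {"tagged": set(), "untagged": set()}))
    for v in sec["/interface bridge vlan"]:
        br = v.get("bridge", "")
        known = set(ports[br]) | {br}  # the bridge itself may be a member
        for vid in _vlan_ids(v.get("vlan-ids", "")):
            for role in ("tagged", "untagged"):
                for m in _csv(v.get(role, "")):
                    if m not in known:
                        findings.append(f"vlan {vid}: {role} member '{m}' is not a port of bridge {br}")
                    static[br][vid][role].add(m)

    # Access ports: the pvid and the static untagged lists must agree.
    for br, plist in ports.items():
        for name, p in plist.items():
            pvid = int(p.get("pvid", "1"))
            if (p.get("frame-types", "admit-all") != "admit-only-vlan-tagged"
                    and name not in static[br][pvid]["untagged"]):
                findings.append(f"port '{name}': pvid {pvid} but no static vlan {pvid} "
                                f"entry lists it as untagged")
            for vid, m in static[br].items():
                if name in m["untagged"] and vid != pvid:
                    findings.append(f"port '{name}': untagged in vlan {vid} but pvid is {pvid}")

    # A VLAN interface on the bridge only sees traffic if the bridge is tagged in that vlan.
    for iv in sec["/interface vlan"]:
        br, vid = iv.get("interface", ""), int(iv["vlan-id"])
        if br in ports and br not in static[br][vid]["tagged"]:
            findings.append(f"interface {iv['name']} (vlan {vid}) on {br}: "
                            f"the bridge itself is not a tagged member of vlan {vid}")
    return findings


# Constructed sample in the shape of the CAP exports in this thread; the port
# names and the typo in it are illustrative, not the poster's actual config.
SAMPLE_EXPORT = """\
/interface vlan
add interface=BR-MAIN name=VLAN50_MGMT vlan-id=50
add interface=BR-MAIN name=VLAN10_LAN vlan-id=10
/interface bridge port
add bridge=BR-MAIN frame-types=admit-only-vlan-tagged interface="ether1 - Router"
add bridge=BR-MAIN frame-types=admit-only-untagged-and-priority-tagged interface="ether2 - Sonos" pvid=20
/interface bridge vlan
add bridge=BR-MAIN tagged="ether1 - Router,BR-MAIN" vlan-ids=50
add bridge=BR-MAIN tagged="ether1 - Router,BR-MAIN" untagged="ether2 - Sonos Playroom" \\
    vlan-ids=20
add bridge=BR-MAIN tagged="ether1 - Router" vlan-ids=10
"""

if __name__ == "__main__":
    for finding in check_bridge_vlans(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Feed it the output of `/export` from each device. It only reasons about the static entries in the export; the dynamic (D) entries RouterOS creates at runtime for a port's pvid, which is what the earlier reply suggests inspecting with `/interface bridge vlan print` after enabling filtering, are not part of an export.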

You should enable VLAN filtering on the CAP device.

Thanks erlinden.
The point is, as soon as I enable VLAN filtering on the CAP, clients do not receive an IP via DHCP anymore and basically the AP is not working. Until I can figure out what's going wrong, I have disabled it for now. Maybe something is wrong in the config that I can't spot.

Might have to do with the fact that it is an access point acting as a router (why?). If you really want to have it acting as an access point, just reset it to CAPs mode and add the VLANs as you have done already. That should be it.

yes, maybe your’re right. It was out of pure possibility and convenience.
I was curious and got my old HeX-S out of the box again.
Ive put ether8 as trunk port (routing vlan10,20,50 to it) and configured it (mostly) exactly like the cap, and everything works as it should.

Config:

/interface bridge
add admin-mac=xxx auto-mac=no frame-types=admit-only-vlan-tagged name=BR-MAIN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - Router"
set [ find default-name=ether2 ] name="ether2 - Workplace"
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes poe-out=off
set [ find default-name=sfp1 ] advertise="10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" disabled=yes
/interface vlan
add interface=BR-MAIN name=VLAN50_MGMT vlan-id=50
/interface bridge port
add bridge=BR-MAIN comment=Router frame-types=admit-only-vlan-tagged interface="ether1 - Router" 
add bridge=BR-MAIN frame-types=admit-only-untagged-and-priority-tagged interface="ether2 - Workplace" pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=BR-MAIN tagged="ether1 - Router,BR-MAIN" vlan-ids=50
add bridge=BR-MAIN tagged="ether1 - Router,BR-MAIN" untagged="ether2 - Workplace" vlan-ids=10
/ip dhcp-client
add interface=VLAN50_MGMT
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name="Office Bench"

Typing this from hEX S ether2. Got an IP directly from the router. So I assume it might be related to the wifi configuration on the CAP.