Feature Request: Simplified handling of Wifi Guest Networks in Capsman V2

Hi,

I have seen the document regarding how to use VLAN to separate the Main wifi from Guest wifi. Following this guide is very complicated and difficult if one has a mixed network with managed and unmanaged switches and also non-Mtik equipment. I don't expect a simple tickbox solution, but maybe some kind of low level communication enabling the CAPsMAN Server to set this up a bit more easily?

This is the VLAN wifi doc:
https://help.mikrotik.com/docs/pages/viewpage.action?pageId=46759946#WifiWave2(7.12andolder)-CAPsMAN-CAPVLANconfigurationexample:

/Uffe

Just made yet another attempt to set up a Guest Network - ending up locked out as I made an error on the VLAN activation on the bridge… Which is likely to happen to many junior users trying to set it up… Would really be nice to see a simpler way to get it done… Unfortunately “Safe Mode” did not work so I had to restore backup to get back… Junior error, but still…

In legacy capsman it was possible to get it working in an easier way … because there was local-forwarding=no … which meant that all traffic from a CAP was tunneled to CAPsMAN. Which made the whole thing independent from LAN infrastructure. However, it came with a (hefty) price: wireless throughputs were far from stellar even if CAPsMAN machines were pretty powerful.

In current capsman, choice of forwarding variant is no longer available, so there is no easy way of constructing a guest “safe haven” … because all the traffic is exposed to LAN infrastructure and it has to be ready/configured for it.

(Might compare it to getting a tank from point A to point B: in legacy capsman one had an option to use a tractor and trailer to carry the tank … hopefully local friendly police would only look at trailer tires and not any higher. With current capsman, tank has to drive from point A to point B self-propelled on its own tracks, some tank-friendly infrastructure better exists …)

Yep. I need to read up better regarding how to handle VLAN as that made it break for me. When I activated VLAN-filtering on the bridge I locked everything out (had to set some VLAN-settings and boom)… Shouldn't be that difficult, have done VLANs before but not using Mtik… BUT, I am no guru…

You don’t have to use VLANs for a guest network.

Here is an example configuration that I put together today on a hAP ax2. This box is added to an existing network with Draytek router, and acts as WiFi access point for private network, a switch for till in coffee shop, and guest-wifi that is firewalled and NATed.

Of course if you have the Mikrotik as your only router then you will need to do things a little differently.

(Also, this is a single-AP solution. I imagine things would need to be different if using more than one AP. I did set that up (with VLANs over a single ethernet cable between cAP ax and hAP ax2 - I wrote/ranted about that a few months ago :wink:). I think the things that have caught me out in the past are that the ‘datapath’ needs configuring on the CAP, and also the ‘slaves datapath’ again must be done on the CAP, not capsman)

It puts guest wifi in a subnet and does NAT /masquerade for guest wifi. You can see the ‘masquerade/srcnat’ rule is matching on src-ip = 192.168.200.0/24.
There is a firewall rule to block 192.168.200.0/24 → 192.168.0.0/16 (any 192.168 class C. This should probably be amended to suit 10.x.x.x/8 and 172.16 etc if needed)

For private WiFi, it does no natting and just acts as an access point.
All 5 ethernet ports are bridged so for the private side, the ethernet ports can be used as switch ports and also any of them can be connected to existing network.

For guest WiFi, it has a second bridge created which has a private IP 192.168.200.1. A DHCP server is created for that subnet. On the CAP configuration, ‘slaves datapath’ points to a datapath which has ‘guest-wifi bridge’ as the bridge.

DHCP client obtains IP and default route from network using any of the bridged ethernet ports.

Remember you have to set ‘manager = capsman’ for the wifi interfaces. For some reason this setting does not come out in the config export.

/interface bridge
add admin-mac=48:A9:8A:35:65:14 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
add name=guest_WiFi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=guest_WiFi disabled=no name=guestWiFi
add bridge=bridge disabled=no name=Private_WiFi
/interface wifi configuration
add country="United Kingdom" datapath=guestWiFi disabled=no mode=ap name=\
    "Guest WiFi" ssid=GuestWiFi
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Private_WiFi passphrase=\
    Private_WiFi_Password
/interface wifi configuration
add channel.width=20mhz country="United Kingdom" datapath=Private_WiFi disabled=no \
    mode=ap name=Private_WiFi security=Private_WiFi security.ft=no ssid=Private_WiFi
/interface wifi
set [ find default-name=wifi1 ] configuration=Private_WiFi disabled=no
add configuration="Guest WiFi" disabled=no mac-address=4A:A9:8A:35:65:18 \
    master-interface=wifi1 name=wifi2
set [ find default-name=wifi2 ] configuration=Private_WiFi disabled=no
add configuration="Guest WiFi" disabled=no mac-address=4A:A9:8A:35:65:19 \
    master-interface=wifi2 name=wifi3
/ip pool
add name=guest-wifi ranges=192.168.200.11-192.168.200.200
/ip dhcp-server
add address-pool=guest-wifi interface=guest_WiFi lease-time=10m name=\
    guest-wifi
/interface bridge port
add bridge=bridge interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
/interface list member
add comment=defconf interface=bridge list=LAN
/interface wifi cap
set caps-man-addresses=127.0.0.1 discovery-interfaces=lo enabled=yes \
    slaves-datapath=guestWiFi
/interface wifi capsman
set enabled=yes interfaces=lo package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=Private_WiFi \
    slave-configurations="Guest WiFi"
/ip address
add address=192.168.200.1/24 interface=guest_WiFi network=192.168.200.0
/ip dhcp-client
add comment=defconf interface=bridge
/ip dhcp-server network
add address=192.168.200.0/24 comment="guest wifi" dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.200.1
/ip firewall filter
add action=drop chain=forward comment="Drop Guest WiFi to LAN" dst-address=\
    192.168.0.0/16 log-prefix="drop guest wifi to lan" src-address=\
    192.168.200.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Guest WiFi masquerade" \
    out-interface=bridge src-address=192.168.200.0/24
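To see concretely what the posted forward-chain drop rule covers and what the suggested RFC 1918 amendment adds, here is a small Python model of that rule and the srcnat rule, evaluated over a few constructed guest flows. This is an added illustration, not RouterOS code or anything from the original post; the sample addresses are made up.

```python
"""Model of the guest-WiFi forward/srcnat policy from the hAP ax2 export
above. Added example, not RouterOS code: it only checks which guest
flows the 'dst-address=192.168.0.0/16' drop rule matches, versus a
rule covering every RFC 1918 range as the post suggests."""
import ipaddress
from dataclasses import dataclass

GUEST_NET = ipaddress.ip_network("192.168.200.0/24")

# The drop rule as posted: only 192.168/16 is blocked.
POSTED_BLOCKED = [ipaddress.ip_network("192.168.0.0/16")]

# The amendment the post mentions: all three RFC 1918 private ranges.
RFC1918_BLOCKED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Flow:
    src: str
    dst: str


def forward_verdict(flow, blocked):
    """'drop' if the flow matches the guest->LAN rule, else 'accept'
    (the export has no other forward rule, so default is accept)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in GUEST_NET and any(dst in net for net in blocked):
        return "drop"
    return "accept"


def masqueraded(flow):
    """The srcnat rule: only guest-sourced traffic leaving via 'bridge'
    gets masqueraded; private-side traffic is untouched."""
    return ipaddress.ip_address(flow.src) in GUEST_NET


# Constructed sample flows from one guest client: to a 192.168.x LAN
# host, to hosts in the other private ranges, and to the Internet
# (203.0.113.10 is a documentation address, TEST-NET-3).
SAMPLE_FLOWS = [
    Flow("192.168.200.42", "192.168.1.10"),
    Flow("192.168.200.42", "10.0.0.5"),
    Flow("192.168.200.42", "172.16.3.7"),
    Flow("192.168.200.42", "203.0.113.10"),
]


def evaluate(blocked):
    """Map each sample destination to its forward-chain verdict."""
    return {f.dst: forward_verdict(f, blocked) for f in SAMPLE_FLOWS}
```

With the posted rule, the 10.0.0.5 and 172.16.3.7 flows are accepted; with the RFC 1918 list only the Internet flow is.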

Thanks! I will have a look at it. I have 4 CAPs so a bit difficult, but…

/Uffe

carl0s

Hold on… so the guest network is passing through the Draytek router's LAN to get to the WAN?

Is the Draytek where the Point of Sale gear sits?

Carlos, gracias!
I want to thank you for this post. Your configuration with AP and separate internet router is the solution I was looking for. It helped a lot, more than VLANs that were very confusing for me. The key was not including the guest wifi interface in the main bridge, this is what I was doing wrong, but masquerading traffic from the guest wifi just into the LAN bridge, and it will automatically be routed to the router.
Thxs