Help with CAPsMAN setup

I recently got a hAP ac and a wAP ac; neither device is doing any routing/NAT, just simple bridging. The hAP is connected to my LAN by ether1, and the wAP is connected to the hAP on ether5 to utilise PoE. All ports on the hAP are configured as a switch. I’ve updated both boards to 6.41rc52 (primarily because of the bridge/switch changes on the hAP, but I’ve upgraded the wAP to the same version).

I’m trying to get CAPsMAN configured to provision the wireless radios. I’m using the hAP as the manager and have configured both the hAP itself and the wAP to connect to it with the auto-certificates feature; this part is working, and I can see both CAPs are connected. The setup I’m trying to achieve is one SSID protected with WPA2-EAP against my existing RADIUS server, forwarding all traffic on VLAN 1 (untagged), and a guest SSID protected with WPA2-PSK, forwarding all traffic on VLAN 1003 (tagged). The reason for this is that I have an existing Apple AirPort configured this way with two SSIDs, so I’d like a simple swap for now without having to rejig the rest of my network. I’d like both SSIDs to be available on 2 and 5 GHz and to use local forwarding.

I’ve configured what I think are the necessary CAPsMAN profiles, yet I can’t get the wireless interfaces to actually provision themselves. If I try “/caps-man remote-cap provision <0,1>” or “/caps-man radio provision <0,1,2,3>” nothing seems to happen; all I get from “/log print” are messages like “22:50:42 caps,info cap2: selected channel 5785/20-eeCe/ac(30dBm)”, but the interface doesn’t seem to be configured in any useful way. This is my first time with RouterOS, so I’ve probably missed something obvious; hopefully someone can help. Here’s the configuration from my hAP and wAP:

# hAP ac export: acts as the CAPsMAN manager and as a CAP for its own two radios.
# NOTE(review): this export contains a live WPA2 passphrase and RADIUS shared secret;
# treat both as disclosed once posted and rotate them. Use "/export hide-sensitive"
# before sharing an export.
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz name=2ghz
add band=5ghz-a/n/ac control-channel-width=20mhz name=5ghz
/caps-man datapath
# lan: untagged (VLAN 1), guest: tagged VLAN 1003. local-forwarding=yes means the CAP
# handles client traffic itself instead of tunnelling it to the manager.
add client-to-client-forwarding=yes local-forwarding=yes name=lan vlan-id=1 vlan-mode=no-tag
add client-to-client-forwarding=yes local-forwarding=yes name=guest vlan-id=1003 vlan-mode=use-tag
/interface bridge
add admin-mac=6C:3B:6B:44:98:B8 auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(30dBm), SSID: , CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-4498BF wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(17dBm), SSID: , CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-4498BE wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/caps-man interface
# cap1/cap2 are the wAP's radios (64:D1:54:...), cap3/cap4 the hAP's own (6C:3B:6B:...).
# These entries are what "/caps-man interface remove" clears before re-provisioning
# (see the resolution at the end of the post).
add disabled=no l2mtu=1600 mac-address=64:D1:54:87:DE:2F master-interface=none name=cap1 radio-mac=64:D1:54:87:DE:2F
add disabled=no l2mtu=1600 mac-address=64:D1:54:87:DE:2E master-interface=none name=cap2 radio-mac=64:D1:54:87:DE:2E
add disabled=no l2mtu=1600 mac-address=6C:3B:6B:44:98:BF master-interface=none name=cap3 radio-mac=6C:3B:6B:44:98:BF
add disabled=no l2mtu=1600 mac-address=6C:3B:6B:44:98:BE master-interface=none name=cap4 radio-mac=6C:3B:6B:44:98:BE
/interface vlan
# Guest VLAN interface on the bridge; vlan-id matches the guest datapath above.
add interface=bridge name=guest vlan-id=1003
/caps-man security
# NOTE(review): passphrase is stored and exported in clear text; rotate it after posting.
add authentication-types=wpa2-psk encryption=aes-ccm name=guest passphrase=Password1
# EAP is passed through to the server configured under /radius (service=wireless).
add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm name=lan
/caps-man configuration
add channel=2ghz datapath=guest name=guest-2ghz security=guest ssid="Mikrotik Guest"
add channel=2ghz country="united kingdom" datapath=lan mode=ap name=lan-2ghz rx-chains=0,1,2 security=lan ssid="Mikrotik LAN" tx-chains=0,1,2
add channel=5ghz datapath=guest name=guest-5ghz security=guest ssid="Mikrotik Guest"
add channel=5ghz country="united kingdom" datapath=lan mode=ap name=lan-5gz rx-chains=0,1,2 security=lan ssid="Mikrotik LAN" tx-chains=0,1,2
/interface ethernet switch
set 0 name=switch
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/caps-man manager
# require-peer-certificate=yes: CAPs must present a certificate; this pairs with
# certificate=request and lock-to-caps-man=yes in the CAP sections of both devices.
set ca-certificate=auto certificate=auto enabled=yes require-peer-certificate=yes upgrade-policy=suggest-same-version
/caps-man provisioning
# The first rule has no hw-supported-modes, so it matches every radio, including the
# 5 GHz ones; the post's resolution adds hw-supported-modes=gn here to limit it to 2 GHz.
add action=create-dynamic-enabled master-configuration=lan-2ghz slave-configurations=guest-2ghz
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=lan-5gz slave-configurations=guest-5ghz
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=sfp1
/ip settings
set ip-forward=no
/ipv6 settings
set forward=no
/interface ethernet switch vlan
# VLAN 1003 membership on the switch chip; ether1 is the LAN uplink and ether5 carries
# the wAP (per the post), so the tagged guest VLAN can reach both.
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5 switch=switch vlan-id=1003
/interface wireless cap
# 
# The hAP's own radios register with the local manager (127.0.0.1). lock-to-caps-man=yes
# pins this CAP to the manager whose certificate carries the listed common name.
set bridge=bridge caps-man-addresses=127.0.0.1 caps-man-certificate-common-names=CAPsMAN-6C3B6B4498B8 certificate=request discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2 \
    lock-to-caps-man=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
/radius
# NOTE(review): 192.0.23.8 differs from the wAP's 192.168.23.8 and is outside the
# 192.168.23.0/24 range used elsewhere (NTP, CAPsMAN address); it looks like a typo.
# Verify, since the manager is what performs EAP authentication here, and a wrong
# address means WPA2-EAP logins fail or RADIUS traffic leaves the LAN.
# The shared secret is in clear text; rotate it after posting.
add address=192.0.23.8 secret=secret service=wireless
/system clock
set time-zone-name=Europe/London
/system identity
set name=hap
/system ntp client
set enabled=yes primary-ntp=192.168.23.254
/system package update
set channel=release-candidate



# wAP ac export: a plain CAP whose radios are provisioned by the hAP's CAPsMAN.
# NOTE(review): this export contains the RADIUS shared secret in clear text; treat it
# as disclosed once posted and rotate it. Use "/export hide-sensitive" before sharing.
/interface bridge
add admin-mac=64:D1:54:87:DE:2D auto-mac=no name=bridge protocol-mode=none
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(30dBm), SSID: , CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5785/20-eeCe/ac(30dBm), SSID: , CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
# Guest VLAN 1003 on ether1, the uplink to the hAP's ether5 (per the post); matches the
# tagged guest datapath defined on the manager.
add interface=ether1 name=guest vlan-id=1003
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge interface=ether1
/ip settings
set ip-forward=no
/ipv6 settings
set forward=no
/interface wireless cap
# 
# caps-man-addresses=192.168.23.200 is presumably the hAP's bridge address — confirm.
# lock-to-caps-man=yes with the manager's certificate common name prevents this CAP
# from being adopted by another CAPsMAN instance on the same segment.
set bridge=bridge caps-man-addresses=192.168.23.200 caps-man-certificate-common-names=CAPsMAN-6C3B6B4498B8 certificate=request discovery-interfaces=ether1 enabled=yes interfaces=wlan1,wlan2 \
    lock-to-caps-man=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
/radius
# NOTE(review): this entry is probably unused while the radios are CAPsMAN-managed
# (EAP is handled by the manager's /radius entry) — confirm. Its address differs from
# the hAP's 192.0.23.8; the two should agree. Shared secret is in clear text.
add address=192.168.23.8 secret=secret service=wireless
/system clock
set time-zone-name=Europe/London
/system identity
set name=wap
/system ntp client
set enabled=yes primary-ntp=192.168.23.254
/system package update
set channel=release-candidate

So it turns out the only bit I was missing was to run “/caps-man interface remove <0,…>” before trying to re-provision the interfaces with “/caps-man <remote-cap,radio> provision <0,…>”. Once I did that, I could see that my 2 GHz provisioning profile was matching both radios, so I added “hw-supported-modes=gn” to the 2 GHz profile, and now all is well.