Hi, I am trying to reconfigure a test lab,
but I still struggle with VLANs, bridges and CAPsMAN on MikroTik.
The documentation is hard to understand.
In Cisco I can configure this easily, but on MikroTik I always struggle.
I have 2 devices in my test lab (2 RB 951 G 2HnD).
I am trying to set up CAPsMAN and a CAP,
but get no communication at all.
Here are the current configs (firmware 6.41.3)
CAPsMAN config:
Installation R01 (CCR1009-8G-1S-1S+PC)
Add an identity to the device
# Name this router R01.
/system identity
set name=R01
Add bridges and vlans and tagged and untagged ports (Trunks and access ports)
# R01 layer 2: one VLAN-filtering bridge per VLAN. Only BR_LAN_MGMT is given ports.
# NOTE(review): ether1 and ether5 are added as ports of BR_LAN_MGMT only, and a RouterOS
# interface can be a port of a single bridge. The tagged=ether1,ether5 entries on the
# other seven bridges therefore name ports those bridges do not have, so VLANs 10-900
# have no path to the wire. This looks like the main reason nothing communicates.
# The usual layout is one VLAN-aware bridge that carries every VLAN - TODO confirm design.
# NOTE(review): no bridge lists itself in tagged= or sets its own pvid, so the IP address
# placed on each bridge is presumably not inside the VLAN it is named after - verify.
/interface bridge
add name=BR_LAN_MGMT vlan-filtering=yes
/interface bridge port
# pvid=9: untagged frames arriving on these ports are classified into VLAN 9.
add bridge=BR_LAN_MGMT interface=ether1 pvid=9
add bridge=BR_LAN_MGMT interface=ether5 pvid=9
/interface bridge vlan
# NOTE(review): VLAN 9 is the pvid of both ports, yet they are listed as tagged here.
# Ingress would be untagged and egress tagged; confirm which one is intended.
add bridge=BR_LAN_MGMT tagged=ether1,ether5 vlan-ids=9
/interface bridge
add name=BR_LAN_DATA vlan-filtering=yes
/interface bridge vlan
add bridge=BR_LAN_DATA tagged=ether1,ether5 vlan-ids=10
/interface bridge
add name=BR_WLAN_DATA vlan-filtering=yes
/interface bridge vlan
add bridge=BR_WLAN_DATA tagged=ether1,ether5 vlan-ids=12
/interface bridge
add name=BR_WLAN_GUEST vlan-filtering=yes
/interface bridge vlan
add bridge=BR_WLAN_GUEST tagged=ether1,ether5 vlan-ids=14
/interface bridge
add name=BR_WLAN_IOT vlan-filtering=yes
/interface bridge vlan
add bridge=BR_WLAN_IOT tagged=ether1,ether5 vlan-ids=15
/interface bridge
add name=BR_LAN_CAMERA vlan-filtering=yes
/interface bridge vlan
add bridge=BR_LAN_CAMERA tagged=ether1,ether5 vlan-ids=17
/interface bridge
add name=BR_WLAN_SP vlan-filtering=yes
/interface bridge vlan
add bridge=BR_WLAN_SP tagged=ether1,ether5 vlan-ids=19
/interface bridge
add name=BR_LAN_SERVER vlan-filtering=yes
/interface bridge vlan
add bridge=BR_LAN_SERVER tagged=ether1,ether5 vlan-ids=900
Add IP addresses to the bridges
# R01's gateway address in every subnet, one per bridge.
# NOTE(review): no /ip firewall filter rules appear in this post. With an address in
# every subnet the router forwards between all of them, so guest (172.16.3.0/24) and
# IoT (172.16.4.0/26) clients can reach the management and server subnets unless
# forward-chain rules exist elsewhere. The VLANs alone do not isolate these networks.
/ip address
add interface=BR_LAN_MGMT address=172.16.0.1/25 network=172.16.0.0
add interface=BR_LAN_DATA address=172.16.1.1/24 network=172.16.1.0
add interface=BR_WLAN_DATA address=172.16.2.1/24 network=172.16.2.0
add interface=BR_WLAN_GUEST address=172.16.3.1/24 network=172.16.3.0
add interface=BR_WLAN_IOT address=172.16.4.1/26 network=172.16.4.0
add interface=BR_LAN_CAMERA address=172.16.5.1/25 network=172.16.5.0
add interface=BR_WLAN_SP address=172.16.6.1/24 network=172.16.6.0
add interface=BR_LAN_SERVER address=172.16.0.129/27 network=172.16.0.128
Add DHCP pools
# Address pools used by the DHCP servers and the hotspot.
# POOL_LAN_SERVER is defined but DHCP_LAN_SERVER uses address-pool=static-only, so it
# is not referenced by any DHCP server shown in this post.
# NOTE(review): POOL_LAN_VPN (172.16.0.161-190) lies outside every subnet addressed
# on R01 in this post; presumably it belongs to a VPN setup not shown - confirm.
/ip pool
add ranges=172.16.1.100-172.16.1.200 name=POOL_LAN_DATA
add ranges=172.16.2.100-172.16.2.200 name=POOL_WLAN_DATA
add ranges=172.16.3.100-172.16.3.200 name=POOL_WLAN_GUEST
add ranges=172.16.4.10-172.16.4.60 name=POOL_WLAN_IOT
add ranges=172.16.5.10-172.16.5.120 name=POOL_LAN_CAMERA
add ranges=172.16.6.100-172.16.6.200 name=POOL_WLAN_SP
add ranges=172.16.0.130-172.16.0.157 name=POOL_LAN_SERVER
add ranges=172.16.0.161-172.16.0.190 name=POOL_LAN_VPN
Add DHCP servers
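# One DHCP server per bridge, each followed by the network options handed to clients.
# Management and server subnets use static-only, so only hosts with a static lease get an address.
/ip dhcp-server
add address-pool=static-only disabled=no interface=BR_LAN_MGMT lease-time=7d name=DHCP_LAN_MGMT
/ip dhcp-server network
add address=172.16.0.0/25 dns-server=172.16.0.130,172.16.0.131 gateway=172.16.0.1 netmask=255.255.255.128
/ip dhcp-server
add address-pool=POOL_LAN_DATA disabled=no interface=BR_LAN_DATA lease-time=7d name=DHCP_LAN_DATA
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=172.16.0.130,172.16.0.131 gateway=172.16.1.1 netmask=255.255.255.0
/ip dhcp-server
add address-pool=POOL_WLAN_DATA disabled=no interface=BR_WLAN_DATA lease-time=00:10:00 name=DHCP_WLAN_DATA
/ip dhcp-server network
add address=172.16.2.0/24 dns-server=172.16.0.130,172.16.0.131 gateway=172.16.2.1 netmask=255.255.255.0
/ip dhcp-server
add address-pool=POOL_WLAN_GUEST disabled=no interface=BR_WLAN_GUEST lease-time=00:10:00 name=DHCP_WLAN_GUEST
/ip dhcp-server network
# Guests get a public resolver, so they never need to reach the internal DNS servers.
add address=172.16.3.0/24 dns-server=8.8.8.8 gateway=172.16.3.1 netmask=255.255.255.0
/ip dhcp-server
add address-pool=POOL_WLAN_IOT disabled=no interface=BR_WLAN_IOT lease-time=7d name=DHCP_WLAN_IOT
/ip dhcp-server network
# Fixed: was 172.16.4.0/25 with netmask 255.255.255.128, but BR_WLAN_IOT is addressed as
# 172.16.4.1/26. Clients would otherwise treat 172.16.4.64-127 as on-link.
add address=172.16.4.0/26 dns-server=172.16.0.130,172.16.0.131 gateway=172.16.4.1 netmask=255.255.255.192
/ip dhcp-server
add address-pool=POOL_LAN_CAMERA disabled=no interface=BR_LAN_CAMERA lease-time=7d name=DHCP_LAN_CAMERA
/ip dhcp-server network
# Fixed: gateway was 172.16.1.1, which is outside 172.16.5.0/25. R01's address on
# BR_LAN_CAMERA is 172.16.5.1.
add address=172.16.5.0/25 dns-server=172.16.0.130,172.16.0.131 gateway=172.16.5.1 netmask=255.255.255.128
/ip dhcp-server
add address-pool=POOL_WLAN_SP disabled=no interface=BR_WLAN_SP lease-time=7d name=DHCP_WLAN_SP
/ip dhcp-server network
add address=172.16.6.0/24 dns-server=172.16.0.130,172.16.0.131 gateway=172.16.6.1 netmask=255.255.255.0
/ip dhcp-server
add address-pool=static-only disabled=no interface=BR_LAN_SERVER lease-time=7d name=DHCP_LAN_SERVER
/ip dhcp-server network
add address=172.16.0.128/27 dns-server=172.16.0.130,172.16.0.131 gateway=172.16.0.129 netmask=255.255.255.224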
\
DNS Instellen
# Upstream resolvers for R01 itself.
# NOTE(review): allow-remote-requests=yes makes R01 answer DNS queries from any host
# that can reach it. The DHCP networks in this post hand out 172.16.0.130/131 or 8.8.8.8,
# not R01, so confirm this is needed. If it stays on, filter port 53 on untrusted interfaces.
/ip dns
set server=172.16.0.130,172.16.0.131 allow-remote-requests=yes
Default route toevoegen
# Two default routes through gateways in the management subnet. The lower distance (1)
# is preferred; the distance=2 route is the fallback.
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.0.125 distance=1 comment="Sonicwall TZ215 Ring 393"
add dst-address=0.0.0.0/0 gateway=172.16.0.126 distance=2 comment="R02 Mikrotik x86 Ring 225"
SNTP Client configureren
# Sync the clock from the two internal servers.
/system ntp client
set enabled=yes primary-ntp=172.16.0.130 secondary-ntp=172.16.0.131
IP SERVICES configureren
# Management services on R01: api, api-ssl, telnet and ftp off; www and www-ssl on.
# NOTE(review): 172.16.0.0/21 spans 172.16.0.0-172.16.7.255, i.e. every subnet defined
# on R01, including guest and IoT. www is plain HTTP, so admin logins from those
# networks travel unencrypted. Consider disabling www and limiting address= to the
# management subnet.
# NOTE(review): www-ssl has no address= restriction, and ssh/winbox are not touched
# here, so they keep whatever state and scope they already had.
# NOTE(review): certificate WEB_CONF is not created anywhere in this post - confirm it exists.
/ip service
set api disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
set www address=172.16.0.0/21 disabled=no
set www-ssl certificate=WEB_CONF port=4443 disabled=no
Zet de tijdzone goed
# Local time zone for logs and schedules.
/system clock
set time-zone-name=Europe/Amsterdam
Setup HOTSPOT server with Radius for GUESTS
Setup Hotspot Profile
# Hotspot profile for the guest network; logins are checked against RADIUS.
# NOTE(review): use-radius=yes needs a /radius client entry, and none is shown in this
# post - confirm it is configured elsewhere.
/ip hotspot profile
add name=WLAN_GUEST hotspot-address=172.16.3.1 use-radius=yes
Setup Hotspot Server
# Hotspot server bound to the guest bridge, using the WLAN_GUEST profile and guest pool.
/ip hotspot
add name=HOTSPOT-WLAN_GUEST interface=BR_WLAN_GUEST profile=WLAN_GUEST address-pool=POOL_WLAN_GUEST disabled=no
Add user (Manager voor usermanger)
# Local hotspot user named admin (an /ip hotspot user entry, not a router login).
# NOTE(review): this password is published in clear text in the post. Treat it as
# disclosed and change it on every system where it, or a variant of it, is in use.
# The quoting is left untouched because the value contains shell-significant characters.
/ip hotspot user
add name=admin password="!@49er4All#$"
\
Einde HOTSPOT config
Enide HOTSPOT config
IP SERVICES configureren
# Second copy of the R01 service settings; it repeats the earlier block with two differences:
# www carries no disabled= value and www-ssl sets no port, so both keep their prior state.
# NOTE(review): the same exposure applies - www is plain HTTP and 172.16.0.0/21 covers
# the guest and IoT subnets; www-ssl is not restricted by address.
/ip service
set api disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
set www address=172.16.0.0/21
set www-ssl certificate=WEB_CONF disabled=no
CAPsMAN Configuration
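# CAPsMAN on R01: channels, datapaths, security profiles, per-SSID configurations,
# manager certificates and provisioning rules.
/caps-man channel
add name="5GHZ Only AC" band=5ghz-onlyac extension-channel=eeeC control-channel-width=20mhz comment="Only 5GHZ AC"
add name="2GHZ Only N" band=2ghz-onlyn extension-channel=eC control-channel-width=20mhz comment="Only 2GHZ N"
/caps-man datapath
# local-forwarding=yes: the CAP forwards client traffic itself and tags it with vlan-id,
# so the trunk between each CAP and R01 has to carry VLANs 12, 14, 15 and 19.
add bridge=BR_WLAN_DATA name=datapath_WLAN_DATA local-forwarding=yes vlan-id=12 vlan-mode=use-tag
add bridge=BR_WLAN_GUEST name=datapath_WLAN_GUEST local-forwarding=yes vlan-id=14 vlan-mode=use-tag
add bridge=BR_WLAN_IOT name=datapath_WLAN_IOT local-forwarding=yes vlan-id=15 vlan-mode=use-tag
add bridge=BR_WLAN_SP name=datapath_WLAN_SP local-forwarding=yes vlan-id=19 vlan-mode=use-tag
/caps-man security
# NOTE(review): every passphrase equals (or nearly equals) its SSID and is now public in
# this post. Presumably these are placeholders; if any is in real use, replace it with
# a long random value.
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=sec_WLAN_DATA passphrase=WLAN_DATA
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=sec_WLAN_GUEST passphrase=WLAN_GUEST
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=sec_WLAN_IOT passphrase=WLAN_IOT
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=sec_WLAN_SP passphrase=WLAN_SP01
/caps-man configuration
add name="conf WLAN_DATA 5GHZ AC" channel="5GHZ Only AC" datapath=datapath_WLAN_DATA mode=ap security=sec_WLAN_DATA ssid=WLAN_DATA country=netherlands
add name="conf WLAN_GUEST 5GHZ AC" channel="5GHZ Only AC" datapath=datapath_WLAN_GUEST mode=ap security=sec_WLAN_GUEST ssid=WLAN_GUEST country=netherlands
add name="conf WLAN_IOT 5GHZ AC" channel="5GHZ Only AC" datapath=datapath_WLAN_IOT mode=ap security=sec_WLAN_IOT ssid=WLAN_IOT country=netherlands
add name="conf WLAN_SP 5GHZ AC" channel="5GHZ Only AC" datapath=datapath_WLAN_SP mode=ap security=sec_WLAN_SP ssid=WLAN_SP country=netherlands
add name="conf WLAN_DATA 2GHZ N" channel="2GHZ Only N" datapath=datapath_WLAN_DATA mode=ap security=sec_WLAN_DATA ssid=WLAN_DATA country=netherlands
add name="conf WLAN_GUEST 2GHZ N" channel="2GHZ Only N" datapath=datapath_WLAN_GUEST mode=ap security=sec_WLAN_GUEST ssid=WLAN_GUEST country=netherlands
# Fixed: ssid was LAN_IOT, which does not match the 5 GHz configuration (WLAN_IOT).
add name="conf WLAN_IOT 2GHZ N" channel="2GHZ Only N" datapath=datapath_WLAN_IOT mode=ap security=sec_WLAN_IOT ssid=WLAN_IOT country=netherlands
add name="conf WLAN_SP 2GHZ N" channel="2GHZ Only N" datapath=datapath_WLAN_SP mode=ap security=sec_WLAN_SP ssid=WLAN_SP country=netherlands
/caps-man manager
# The CA and manager certificates are generated automatically.
# NOTE(review): require-peer-certificate is not set, so a device without a certificate
# from this CA can presumably still join and be provisioned with every SSID and PSK.
# Consider require-peer-certificate=yes once all CAPs have requested their certificate.
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
# Fixed: each rule was split over three lines without a trailing backslash, so it would
# not parse as one command when pasted.
add hw-supported-modes=gn action=create-dynamic-enabled \
    master-configuration="conf WLAN_DATA 2GHZ N" name-format=identity \
    slave-configurations="conf WLAN_GUEST 2GHZ N,conf WLAN_IOT 2GHZ N,conf WLAN_SP 2GHZ N" comment="2 GHZ Only N"
# Fixed: the comment on the AC rule said "2 GHZ Only AC".
add hw-supported-modes=ac action=create-dynamic-enabled \
    master-configuration="conf WLAN_DATA 5GHZ AC" name-format=identity \
    slave-configurations="conf WLAN_GUEST 5GHZ AC,conf WLAN_IOT 5GHZ AC,conf WLAN_SP 5GHZ AC" comment="5 GHZ Only AC"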
CAPsMAN access-list
Laat alles toe op het WLAN_GUEST netwerk
# Accept clients on the guest SSID whose signal falls inside -80..80.
/caps-man access-list
add ssid-regexp=WLAN_GUEST signal-range=-80..80 action=accept comment="Allow all connections on WLAN_GUEST"
Blokkeer al het overige
# Reject every client that no earlier access-list rule accepted.
# NOTE(review): the only accept rule in this post matches WLAN_GUEST, so this rule also
# rejects all clients on WLAN_DATA, WLAN_IOT and WLAN_SP, leaving only the guest network
# usable. Confirm that is intended, or add accept rules for the other SSIDs above it.
/caps-man access-list
add interface=all action=reject comment="Block all other requests"
EINDE CAPsMAN config
Config of the CAP:
###################################################################################
MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
###################################################################################
Installation SW12-Ring227 (wAP-AC)
Set the identity
# Name this CAP. The provisioning rules on the manager use name-format=identity.
/system identity
set name="SW12 - Ring 227"
Add bridges and vlans and tagged and untagged ports (Trunks and access ports)
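# CAP bridge: ether1 is the uplink trunk to R01. Untagged frames are placed in VLAN 9
# (management); the client VLANs travel tagged.
/interface bridge
add name=BR_LAN_MGMT vlan-filtering=yes
/interface bridge port
add bridge=BR_LAN_MGMT interface=ether1 pvid=9
/interface bridge vlan
# NOTE(review): VLAN 9 is the pvid of ether1 yet is listed as tagged; confirm whether
# management is meant to be tagged or untagged on this link.
add bridge=BR_LAN_MGMT tagged=ether1 vlan-ids=9
add bridge=BR_LAN_MGMT tagged=ether1 vlan-ids=10
add bridge=BR_LAN_MGMT tagged=ether1 vlan-ids=12
add bridge=BR_LAN_MGMT tagged=ether1 vlan-ids=14
add bridge=BR_LAN_MGMT tagged=ether1 vlan-ids=15
# Added: the WLAN_SP datapath on the manager tags client traffic with VLAN 19. Without
# this entry the filtering bridge drops it on the uplink.
add bridge=BR_LAN_MGMT tagged=ether1 vlan-ids=19
# NOTE(review): BR_LAN_DATA has no ports. ether1 already belongs to BR_LAN_MGMT and
# ether5 is never added to a bridge, so the VLAN entry below has no effect as written.
/interface bridge
add name=BR_LAN_DATA vlan-filtering=yes
/interface bridge vlan
add bridge=BR_LAN_DATA tagged=ether1,ether5 vlan-ids=10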
Add an IP address for management
# Management address of this CAP, inside R01's 172.16.0.0/25 management subnet.
/ip address
add interface=BR_LAN_MGMT address=172.16.0.13/25 network=172.16.0.0
#CAP Configuration
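# Hand wlan1 to CAPsMAN at 172.16.0.1 and attach locally forwarded traffic to BR_LAN_MGMT.
# Fixed: the set command was split over two lines without a trailing backslash.
# certificate=request: the CAP asks the manager for a certificate on first contact.
# NOTE(review): nothing here pins the manager's identity. Once it works, consider
# caps-man-certificate-common-names or lock-to-caps-man so the CAP only accepts R01.
# NOTE(review): ether1 is a bridge port; layer-2 discovery may need
# discovery-interfaces=BR_LAN_MGMT instead. caps-man-address still allows IP discovery.
/interface wireless cap
set interfaces=wlan1 certificate=request discovery-interfaces=ether1 \
    caps-man-address=172.16.0.1 bridge=BR_LAN_MGMT enabled=yes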
Globele settings
SNTP Client configureren
# Sync the clock from the two internal servers.
/system ntp client
set enabled=yes primary-ntp=172.16.0.130 secondary-ntp=172.16.0.131
DNS settings
# Resolvers used by the CAP itself. allow-remote-requests is not enabled here.
/ip dns
set server=172.16.0.130,172.16.0.131
IP SERVICES configuration
# Management services on the CAP: only www-ssl (HTTPS on port 4443) is switched on here.
# NOTE(review): www-ssl has no address= restriction, and ssh/winbox are not touched,
# so they keep whatever state and scope they already had. Consider limiting all of
# them to the management subnet.
# NOTE(review): certificate WEB_CONF is not created anywhere in this post - confirm it
# exists on this device.
/ip service
set api disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
set www address=172.16.0.0/21 disabled=yes
set www-ssl certificate=WEB_CONF port=4443 disabled=no
Timezone settings
# Local time zone for logs and schedules.
/system clock
set time-zone-name=Europe/Amsterdam
Add route local network
# Reach the other internal subnets (172.16.0.0/21) through R01. No default route is set
# on this CAP.
/ip route
add dst-address=172.16.0.0/21 gateway=172.16.0.1