Issues with CAPsMAN configuration. Need help

RouterOS Beginner Basics
1

Hi there!

  1. I need to configure Wi-Fi network with two VLANs. Clients in each network should be isolated between each other. I took as a base the config from the example, but I still can ping from network 192.168.10.0/24 to 192.168.20.0/24 and vice versa. Where I am wrong?
  2. Why interfaces wifi1 and wifi2 do not connected to CAPsMAN?
/interface bridge
add admin-mac=D0:01:C0:B0:0B:00 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wifi
# no connection to CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    disabled=no
# no connection to CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    disabled=no
/interface vlan
add interface=bridge name=GUEST vlan-id=20
add interface=bridge name=MAIN vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=bridge client-isolation=yes disabled=no name=MAIN vlan-id=10
add bridge=bridge client-isolation=yes disabled=no name=GUEST vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes \
    group-encryption=ccmp group-key-update=40m name=Security_MAIN wps=disable
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes \
    group-encryption=ccmp group-key-update=40m name=Security_GUEST wps=\
    disable
/interface wifi configuration
add datapath=MAIN disabled=no name=MAIN security=Security_MAIN ssid=MAIN_Network
add datapath=GUEST disabled=no name=GUEST security=Security_GUEST ssid=GUEST_Network
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=yes interface=bridge name=dhcp1
add address-pool=dhcp_pool1 interface=MAIN name=dhcp2
add address-pool=dhcp_pool2 interface=GUEST name=dhcp3
/disk settings
set auto-media-interface=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=wifi1
add bridge=bridge comment=defconf disabled=yes interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi cap
set caps-man-addresses=127.0.0.1 enabled=yes
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=MAIN \
    name-format=5G-%I slave-configurations=GUEST supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=MAIN \
    name-format=2G-%I slave-configurations=GUEST supported-bands=2ghz-ax
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.10.1/24 interface=MAIN network=192.168.10.0
add address=192.168.20.1/24 interface=GUEST network=192.168.20.0
/ip dhcp-client
add comment=defconf default-route-tables=main interface=ether1 use-peer-dns=\
    no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
2

How many APs do you have or plan to manage by CAPsMAN ? If you have single device then CAPsMAN is not needed at all.

Default Mikrotik firewall rules allows communication between VLANs so that needs to be blocked in the forward chain of the firewall.

3

By default, local wifi intercases can’t be provisioned. Two options: set config on wifi1 and wifi2 or use the provision button on the Radios tab (after selecting the local interfaces).

4

That’s right, so in case you don’t have multiple APs CAPsMAN is really not needed. CAPsMAN is used when you have multiple APs and you want to manage them from the single controller.

Note: When using device as CAPsMAN controller, wireless interfaces of that device can’t be controlled by CAPsMAN but you will have roaming, etc. Because all wireless interfaces (both local and CAPs) are controlled by the same ROS istance.

5

Actually ... they don't connect to capsman but you CAN provision them. Local provisioning but provisioning nonetheless.
It's even in the documentation:

CAPsMAN cannot manage it's own wifi interfaces using configuration.manager=capsman, it is enough to just set the same configuration profile on local interfaces manually as you would with provisioning rules, and the end result will be the same as if they were CAPs.
That being said, it is also possible to provision local interfaces via /interface/wifi/radio menu, it should be noted that to regain control of local interfaces after provisioning, you will need to disable the matching provisioning rules and press "provision" again, which will return local interfaces to an unconfigured state.

6

How many APs do you have or plan to manage by CAPsMAN ?

10+ APs.

Default Mikrotik firewall rules allows communication between VLANs so that needs to be blocked in the forward chain of the firewall.

Can you give me an example? I tried to drop packets from 192.168.20.0/24 to 192.168.10.0/24, but without success.

By default, local wifi intercases can’t be provisioned. Two options: set config on wifi1 and wifi2 or use the provision button on the Radios tab (after selecting the local interfaces).

Config on wifi1 and wifi2 could be only for MAIN or GUEST, not both. Should this be some kind of intermediate configuration?
Using manual configuration by provisioning button is a better than nothing, but I am searching about some automation, if it real.

7

Try blocking by interface list, instead of by IP:
http://forum.mikrotik.com/t/help-with-denying-traffic-between-vlans/175702/1

8

Regarding firewall rules, you could modify default rules so that you put “drop invalid” rule after default “accept established,related, untracked” rule and at the end of the forward chain you put “drop all else rule”. Between you can put what traffic you want to allow.

With that rules in place inter-VLAN communication will be blocked on L3 and only traffic you allow will pass between subnets.

Then you can create separate interface lists for your guest network and you can use that to block or allow traffic or, if you want to pass certain IP addresses you can use Address lists.

Here is an example, I have this firewall on one of my sites:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=SNMP dst-port=161-162 \
    in-interface-list=MGMT protocol=udp
add action=accept chain=input comment=Winbox dst-port=++++ in-interface-list=\
    MGMT protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=RADIUS_AUTH dst-port=1812 protocol=udp
add action=accept chain=input comment=EoIP protocol=gre src-address=10.0.0.1
add action=accept chain=input comment=DNS_TCP dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=accept chain=input comment=DNS_UDP dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment= dst-port=++++ \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=MIKROWIZARD_API dst-port=8728 \
    in-interface-list=MGMT log=yes log-prefix=mikrowizard protocol=tcp \
    src-address-list=MIKROWIZARD
add action=drop chain=input comment="drop all else" log=yes log-prefix=\
    drop_all
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=Internet in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment= dst-address-list=\
    VPN_MGMT in-interface=wireguard1
add action=accept chain=forward comment=MGMT_VLAN_NA_LAN in-interface=VLAN_99 \
    out-interface-list=LAN
add action=accept chain=forward comment=PORT_FWD connection-nat-state=dstnat
add action=accept chain=forward comment= dst-address-list=AC_SZ \
    dst-port=+++++ in-interface=VLAN_10 out-interface=VLAN_200 protocol=tcp
add action=accept chain=forward comment= dst-port=5060 \
    out-interface=VLAN_10 protocol=udp src-address-list=VOIP
add action=accept chain=forward comment= dst-port=++++ \
    out-interface=wireguard1 protocol=tcp src-address-list=
add action=accept chain=forward comment= dst-address-list=\
    NVR_2 src-address-list=CCTV
add action=accept chain=forward comment= dst-address-list=CCTV \
    src-address-list=NVR_2
add action=drop chain=forward comment="drop all else" connection-nat-state="" \
    connection-state="" log=yes log-prefix=drop_all

As you can see, I allow only certain devices on certain ports and protocol between subnets.