Are the following true, if local forwarding for caps is enabled?
In a wifi network with multiple vlans (internal vlan and guest hotspot vlan), each cap would need to have a vlan-enabled bridge and inter-vlan drop rules set on the firewall.
For the guest hotspot vlan, I would need to set guest isolation on each cap.
What else are the practical issues of Local vs Capsman forwarding for CAPS?
Why would one choose Local Forwarding? (the only one I can think of is improving network speed)
You need a bridge with the VLANs on it. It doesn’t have to be VLAN-aware, so it is possible to combine CAP with hardware switched ethernet ports.
As the CAP is likely to have a single management IP on one VLAN, you don’t need any firewall rules on the CAP, as all the VLAN-encapsulated traffic is passed to the router via your wired uplink interface.
For the guest hotspot vlan, I would need to set guest isolation on each cap.
Isolation on a CAP (or any wireless AP) will prevent client-to-client traffic only on the AP to which clients are connected; a client on AP1 will still be able to communicate with a client on AP2. If you want to prevent all clients on a particular VLAN from communicating with each other you would need port isolation / split horizon / bridge filters in addition to client isolation on the APs.
What else are the practical issues of Local vs Capsman forwarding for CAPS?
Why would one choose Local Forwarding? (the only one I can think of is improving network speed)
Local forwarding is faster but requires more network configuration (bridges, VLANs, etc.). CAPsMAN forwarding also uses CPU on the management Mikrotik. There are probably more.
Just enabling CAP on an AP might allow easy wireless configuration, but you shouldn’t ignore the usual stuff (admin password, disabling non-required services, etc.) either.
Good point. I’m curious, how does a bridge process vlan data differently when you attach vlans to the bridge, but with (1) bridge vlan filtering enabled and (2) bridge vlan filtering disabled?
Isolation on a CAP (or any wireless AP) will prevent client-to-client traffic only on the AP to which clients are connected; a client on AP1 will still be able to communicate with a client on AP2. If you want to prevent all clients on a particular VLAN from communicating with each other you would need port isolation / split horizon / bridge filters in addition to client isolation on the APs.
I did not know that. I will explore more on the topic. Thank you.
When a bridge has vlan-filtering=no it will bridge packets with any ethertype, including those used by VLANs, so a tagged VLAN will pass through the bridge just like any other ethernet protocol. This would be equivalent to setting every port untagged + all VIDs tagged.
When a bridge has vlan-filtering=yes then any VLANs with the selected ether-type are handled differently, using the /interface bridge port PVID and /interface bridge vlan membership data.
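As an added example of the setup the replies above describe (local forwarding, a VLAN-filtering bridge on each CAP, same-AP client isolation, and a router-side rule for the AP-to-AP gap), written for this thread and not posted by anyone in it. It assumes RouterOS v6 with the wireless package, VIDs 10 (internal/management) and 20 (guest), interface names ether1/wlan1/wlan2, the 192.168.10.0/24 management range and an interface list named "aps" on the router; all of those are my own assumptions.

```routeros
# --- CAPsMAN (router) side: two datapaths, both local-forwarding (assumed names) ---
/caps-man datapath
add name=dp-internal local-forwarding=yes
add name=dp-guest local-forwarding=yes client-to-client-forwarding=no
# client-to-client-forwarding=no isolates guest clients on the same CAP only (see end).

# --- Each CAP: one VLAN-filtering bridge; VIDs 10 (internal/mgmt) and 20 (guest) assumed ---
# Assumed interfaces: ether1 = wired uplink (trunk), wlan1 = internal SSID, wlan2 = guest SSID.
/interface bridge
add name=bridge1 vlan-filtering=no
# (filtering is switched on last, after ports and membership exist, so management survives)
/interface bridge port
add bridge=bridge1 interface=ether1
# pvid: untagged frames from each radio are placed in that radio's VLAN at ingress
add bridge=bridge1 interface=wlan1 pvid=10
add bridge=bridge1 interface=wlan2 pvid=20
/interface bridge vlan
# bridge1 itself is a member of VLAN 10 only, so the CAP's CPU never sees guest frames
add bridge=bridge1 vlan-ids=10 tagged=ether1,bridge1 untagged=wlan1
add bridge=bridge1 vlan-ids=20 tagged=ether1 untagged=wlan2
/interface vlan
add name=vlan10-mgmt interface=bridge1 vlan-id=10
/ip address
add address=192.168.10.21/24 interface=vlan10-mgmt
/interface wireless cap
set enabled=yes interfaces=wlan1,wlan2 discovery-interfaces=ether1
/interface bridge
set bridge1 vlan-filtering=yes
# No IP firewall rules are needed on the CAP: guest traffic leaves ether1 tagged with
# VID 20 and inter-VLAN policy stays on the router at the other end of the trunk.

# --- Router side: guest clients on AP1 must not reach guest clients on AP2 ---
# Assumed: the router's bridge is VLAN-filtering and its AP-facing ports are in list "aps".
/interface bridge filter
add chain=forward mac-protocol=vlan vlan-id=20 in-interface-list=aps \
    out-interface-list=aps action=drop comment="guest VLAN: no AP-to-AP forwarding"
```

The CAP's wireless ports are added to bridge1 statically here rather than through the cap bridge= setting, so the pvid and membership entries are under your control; the router-side filter is the "bridge filters" option from the reply above, and a horizon value on the AP-facing ports would be the split-horizon alternative.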