I’m struggling with a config, not sure where I’m going wrong here. I previously got something like this to work on v6 with old capsman, but can’t get the new wifi to do the final piece of the config puzzle.
Device: hAP AX2
Objective 1 (working): Configure 2.4 & 5 GHz networks via a provisioning profile for the LAN connection (a bridge interface), and allow additional CAPs on the LAN to join via a provisioning rule.
Objective 2 (partially working): Configure a slave configuration via a provisioning rule that creates a 2nd SSID & network (working). Configure the slave network's datapath to bridge to a VLAN, with this VLAN carried as tagged traffic on ether1 (the "WAN" interface), while keeping regular WAN traffic going out ether1 as untagged traffic (not working).
I've tried creating a WAN bridge WANbr, adding ether1 to that bridge, setting the slave datapath to local processing with the VLAN ID, and setting VLAN filtering.
Yet whenever I try to connect, the dynamic wifi interface correctly shows as a port on WANbr and the VLAN tag is dynamically registered, but the wireless device still fails to contact DHCP and drops the connection after a few seconds.
[admin@MikroTik] > interface/bridge/vlan/pr
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
;;; added by pvid
0 D WANbr   1                         WANbr,ether1
1   WANbr   2         ether1
;;; added by wifi
2 D WANbr   2         shared5ghz
For testing I tried to create a VLAN interface on ether1 and run a DHCP client on it, and it does pull DHCP from the VLAN network, so I'm pretty sure that my switch side is correct.
/interface vlan add disabled=yes interface=ether1 name=vlan2 vlan-id=2
/ip dhcp-client add interface=vlan2 disabled=no
The disabled VLAN was just to illustrate that when I added a VLAN + DHCP client to the ether1 interface, it pulls a valid IP from the network the way the wifi client should. That is not part of the actual config that I'm trying to create, but I included it in case there was a flaw in the testing method (used to ensure the switch side is correct) that I'm overlooking.
I've never been sold on CAPsMAN forwarding, so you lose me at:
My preference is to treat access points the same as other RouterOS-based switches, so they have a bridge and use local-forwarding (on-cap). Since you have a hAP ax2, the VLAN tagging should just work on the bridge (assuming VLANs are configured on the switch to the hAP, or MVRP is used).
CAPsMAN forwarding was just an attempt to get it to work. I couldn't get it to work with it off either; however, in this case it's kind of necessary if I'm going to add additional client APs, because they would be on the LAN and the VLAN is on the WANbr.
I'd work on cleaning up the bridge configuration. And make sure all the dynamic /interface/bridge/vlan print shows all the Wi-Fi interfaces, including slave-configurations.
More specifically, you can use just one bridge... and assign pvid= on all ports. Then in CAPsMAN always use a vlan-id‡. Just makes it cleaner to read config, than thinking about what is untagged here and tagged there, and on what bridge with what VLANs...
‡ Also keeping in mind that vlan tagging is not supported in wifi-qcom-ac, so you need a different approach for those. If everything is AX, VLAN tagging everything via CAPsMAN and using local-forwarding keeps things simple, IMO.
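The single-bridge layout described above (one VLAN-filtered bridge, pvid on every port, a vlan-id on every CAPsMAN datapath, local forwarding), written out as an added example; this is not the poster's configuration or anything from the thread. Interface names (bridge1, ether1-ether5), SSIDs, passphrases, the VLAN numbers (99 for untagged WAN on ether1, 10 for the LAN, 2 for the second SSID carried tagged to the upstream switch on ether1) and the LAN address are all assumed placeholders, and it assumes the wifi-qcom package on an AX device, where local forwarding is the default:

```routeros
# Added example, not from the thread. Assumed: VLAN 99 = untagged WAN on
# ether1, VLAN 10 = LAN, VLAN 2 = second SSID, tagged towards the switch on
# ether1. Requires wifi-qcom (AX); wifi-qcom-ac cannot tag VLANs this way.

# VLAN filtering is turned on as the last step so the device stays reachable
/interface/bridge add name=bridge1 vlan-filtering=no

# pvid on every port: untagged frames entering a port land in that VLAN.
# ether1 carries untagged WAN (99) plus tagged VLAN 2; the rest are LAN (10).
/interface/bridge/port add bridge=bridge1 interface=ether1 pvid=99
/interface/bridge/port add bridge=bridge1 interface=ether2 pvid=10
/interface/bridge/port add bridge=bridge1 interface=ether3 pvid=10
/interface/bridge/port add bridge=bridge1 interface=ether4 pvid=10
/interface/bridge/port add bridge=bridge1 interface=ether5 pvid=10

# Bridge VLAN table. bridge1 is tagged wherever the router itself needs an
# address; VLAN 2 is only tagged on ether1 and gets no router-side address,
# so its clients take DHCP from the upstream network (as in the ether1 test
# earlier in the thread). Wi-Fi ports are added to this table dynamically
# by the datapath vlan-id and should show up here for every SSID.
/interface/bridge/vlan add bridge=bridge1 vlan-ids=99 tagged=bridge1
/interface/bridge/vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1
/interface/bridge/vlan add bridge=bridge1 vlan-ids=2  tagged=ether1

# L3 on the router: DHCP client on the WAN VLAN, static address on the LAN
/interface/vlan add name=vlan99-wan interface=bridge1 vlan-id=99
/interface/vlan add name=vlan10-lan interface=bridge1 vlan-id=10
/ip/dhcp-client add interface=vlan99-wan disabled=no
/ip/address add address=192.168.10.1/24 interface=vlan10-lan

# Datapaths: every one names the CAP's local bridge and a vlan-id, so the
# dynamic wifi interface is bridged locally (local forwarding) into that VLAN
/interface/wifi/datapath add name=dp-lan   bridge=bridge1 vlan-id=10
/interface/wifi/datapath add name=dp-guest bridge=bridge1 vlan-id=2

# Security profiles. management-protection=allowed lets clients that do not
# support protected management frames associate; management-encryption is
# left at its default (cmac) rather than forced to something clients may
# not speak, which is the mismatch reported at the end of the thread.
/interface/wifi/security add name=sec-lan authentication-types=wpa2-psk,wpa3-psk \
    passphrase="CHANGE-ME-lan"   management-protection=allowed
/interface/wifi/security add name=sec-guest authentication-types=wpa2-psk,wpa3-psk \
    passphrase="CHANGE-ME-guest" management-protection=allowed

# One master configuration per band plus one slave for the second SSID.
# The slave carries no band; the provisioning rule gives it the radio.
/interface/wifi/configuration add name=cfg-lan-2g  ssid=LAN-SSID   security=sec-lan \
    datapath=dp-lan   channel.band=2ghz-ax
/interface/wifi/configuration add name=cfg-lan-5g  ssid=LAN-SSID   security=sec-lan \
    datapath=dp-lan   channel.band=5ghz-ax
/interface/wifi/configuration add name=cfg-guest   ssid=GUEST-SSID security=sec-guest \
    datapath=dp-guest

# Provisioning: any AX radio that joins gets the matching master and the slave
/interface/wifi/provisioning add action=create-dynamic-enabled supported-bands=2ghz-ax \
    master-configuration=cfg-lan-2g slave-configurations=cfg-guest
/interface/wifi/provisioning add action=create-dynamic-enabled supported-bands=5ghz-ax \
    master-configuration=cfg-lan-5g slave-configurations=cfg-guest

# CAPsMAN listens on the LAN VLAN; the hAP's own radios register with it over
# loopback, and further CAPs on the LAN discover it the same way
/interface/wifi/capsman set enabled=yes interfaces=vlan10-lan \
    ca-certificate=auto certificate=auto
/interface/wifi/cap set enabled=yes caps-man-addresses=127.0.0.1

# Last: turn filtering on and check that every SSID appears per VLAN
/interface/bridge set bridge1 vlan-filtering=yes
/interface/bridge/vlan print
```

Because each datapath points at the CAP's own bridge1, an additional CAP on the LAN needs only an identical bridge1 with the same pvid/VLAN table and a tagged trunk back to this device; the guest VLAN then never has to leave the bridge via a second "WAN bridge", which is the part of the original layout that was getting confusing to reason about.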
agggghhhh, it was the management-encryption all along. I'd assumed the auth was working when the device registration appeared, without doing any additional testing or validation. I turned off all VLAN / external mapping and realized it still wouldn't connect; it took about 2 minutes to figure out from there.
And just for the record, I haven't been working on this for a month: I worked on it for a couple of hours a month ago, then put the test equipment away, and just pulled it out again this afternoon.