Multiple SSID AP with VLAN traffic not passing though the network

opieters · November 2, 2023, 10:08am

Hi

I am trying to set-up a virtual AP for guests (and network devices that should not access the main network). I found quite a few posts on this subject already here, but I am unable to get it fully working. I mainly followed this video: [https://www.youtube.com/watch?v=Q0-7yVnRq9U and also went over these wiki topics: https://wiki.mikrotik.com/wiki/Manual:CAPsMAN_with_VLANs, https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless and quite a few forum posts.

So, ideally the setup uses CAPsMAN to configure the virtual interfaces. All “normal” traffic should go over “bridge” is is not VLAN-tagged in network 192.168.88.0/24. All guest traffic should go over a separate guest bridge and network (192.168.89.0/24). To not overcomplicate things, local forwarding is disabled for the VLAN (since I do not want to create a bridge manually per AP). DHCP server etc is also configured and seems to be working, but I cannot access the internet. Moreover, connecting to the virtual AP is quite slow.

Hardware used: hEX PoE (RB960PGS) as router/CAPsMAN server and APs with wAP AC.

Any ideas on what is missing/misconfigured? Thanks!

Here’s my full configuration

/interface bridge
add admin-mac=08:55:31:33:B5:82 auto-mac=no comment=defconf name=bridge
add name=bridge-guest
/interface vlan
add interface=bridge-guest name=vlan-guest-20 vlan-id=20
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
    datapath-default
add bridge=bridge-guest client-to-client-forwarding=no local-forwarding=no \
    name=datapath-guest vlan-id=20 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security-default
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security-guest
/caps-man configuration
add channel.band=2ghz-b/g/n .control-channel-width=20mhz .extension-channel=\
    XX country=belgium datapath=datapath-default installation=indoor mode=ap \
    name=cfg-2ghz security=security-default ssid=polaris
add channel.band=5ghz-a/n/ac .control-channel-width=20mhz .extension-channel=\
    XXXX country=belgium datapath=datapath-default installation=indoor name=\
    cfg-5ghz-ac security=security-default ssid=polaris
add channel.band=5ghz-a/n .control-channel-width=20mhz .extension-channel=XX \
    country=belgium datapath=datapath-default installation=indoor name=\
    cfg-5ghz-an security=security-default ssid=polaris
add datapath=datapath-guest mode=ap name=cfg-guest security=security-guest \
    ssid=polaris-guest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-default ranges=192.168.88.20-192.168.88.254
add name=dhcp-guest ranges=192.168.88.20-192.168.89.254
/ip dhcp-server
add address-pool=dhcp-default interface=bridge lease-time=10m name=\
    dhcp-default
add address-pool=dhcp-guest interface=vlan-guest-20 lease-time=10m name=\
    dhcp-guest
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=\
    require-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    cfg-2ghz name-format=prefix-identity name-prefix=2ghz \
    slave-configurations=cfg-guest
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    cfg-5ghz-ac name-format=prefix-identity name-prefix=5ghz-ac
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    cfg-5ghz-an name-format=prefix-identity name-prefix=5ghz-an
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.89.1/24 interface=vlan-guest-20 network=192.168.89.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.89.0/24 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers="8.8.8.8,195.130.131.11,1.1.1.1,1.0.0.1,\
    2606:4700:4700::1111,2606:4700:4700::1001"
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Brussels
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes

anav · November 2, 2023, 4:03pm

Would gladly except you used capsman and for now, I see no purpose to using capsman in your scenario.
It adds too much complexity for any value it returns.
The only reason I can see to use is if you need extra control over wifi users so they cannot see each other or any wired users on the same subnet.

opieters · November 3, 2023, 3:09pm

Well, to the best of my knowledge WiFi roaming is only possible with CAPsMAN. This is one of the main reasons that I use it actually. Is is also possible to implement this without using CAPsMAN?

The long-term goal is indeed to get more control on which devices are able to see each other on the network. The main one (polaris) should just be a normal network, but the other one should be isolated from the first one on top of client isolation.

anav · November 3, 2023, 3:30pm

Yup Capsman is the way to go for roaming if you have several WIFIWAVE2 devices.

If your not using wifiwave2 I think your wasting your time.

( ps the assertion here is that wifiwave2 on AX devices finally makes capsman and roaming work and thus worthwhile, if you only have one device containing radios, or non wifiwave2 and non AX, it would appear that it would not be worth it ???)

gotsprings · November 3, 2023, 8:59pm

If you are using…

anav can see the punch line coming.