Hi everyone,
I’m new to Mikrotik and would like some advice. I have a RBwAP2nDr2 connected to ETH5 (PoE) of a RB951Ui-2HnD. Using
https://youtu.be/Q9h00PYEzQM I setup CAPsMAN. Everything looks to be working ok but I could not do the config as described from https://youtu.be/Q9h00PYEzQM?t=341 here, ie locking the CAPs to the CAPsMAN and enabling certificates.
I have a few questions regarding this setup:
- Is it ok to run CAPs with CAPsMAN without the certificates and the CAPs locking?
- Is there a way to check what Frequencies and TX power of other CAPs each CAP can see. My client devices are jumping from one CAP to the other and I think this is because the cell overlap is to large. I would like to adjust TX power but would first like to know the level of the other CAP. (Hope that makes sense)
- Is it possible to connect to a CAP with Winbox? I’m using Winbox 3.11 and can see the wAP but can’t connect to it for some reason.The wAP is installed in a hard to reach place so it would be nice not to have to get the ladder to configure it (say to lock it to the CAPsMAN and setting up certificates)
- Would someone be willing to go over my configuration and highlight any potential security risks and or rules that might be giving me the the issue described in 2,3?
Below is an image of the neighbors list I see when starting Winbox 3.11. I can’t connect to the wAP with or without using my admin password.
Winbox311Neighbors.png
Thanks in advance; Here is my config listing:
# oct/03/2017 19:17:00 by RouterOS 6.40.3
# software id = 70DS-LL74
#
# model = 951Ui-2HnD
# serial number = 6433064F6A93
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2462 name=channel11
/interface bridge
add admin-mac=6C:3B:6B:4C:1B:DB auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=******** service-name=isp-10mbps use-peer-dns=\
yes user=username@isp.co.za
/interface wireless
# managed by CAPsMAN
# channel: 2462/20/gn(20dBm), SSID: MySSID, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country="south africa" distance=indoors mode=ap-bridge ssid=MySSID \
wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/caps-man datapath
add bridge=bridge name=datapath1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1 \
passphrase=**********
/caps-man configuration
add country="south africa" datapath=datapath1 distance=indoors mode=ap name=\
cfg1 security=security1 ssid=MySSID
/caps-man interface
add channel=channel1 configuration=cfg1 datapath=datapath1 disabled=no l2mtu=\
1600 mac-address=6C:3B:6B:9B:F5:44 master-interface=none name=cap1 \
radio-mac=6C:3B:6B:9B:F5:44 security=security1
add channel=channel11 configuration=cfg1 datapath=datapath1 disabled=no \
l2mtu=1600 mac-address=6C:3B:6B:4C:1B:DF master-interface=none name=cap2 \
radio-mac=6C:3B:6B:4C:1B:DF security=security1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=********** \
wpa2-pre-shared-key=**********
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
#
set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=pppoe-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="MikroTik Office"
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
