But then, I must input a password while setting up interfaces when using WPA/WPA2-PSK. If using a security profile, I don't know where to add the groups I created…
What I noticed, with this configuration when connecting with the password from the first ACL it allows to connect but can't obtain an IP address because the wifi interface gets untagged for VLAN1 instead of the correct VLAN.
When trying to connect with a password from the other two groups it says that it can't authenticate.
I left the old password in security, only selected WPA/WPA2.
[admin@MikroTik] /interface/wifi/security> p
Flags: X - disabled
0 name="PPSK" authentication-types=wpa-psk,wpa2-psk
multi-passphrase-group=VLANS
but still no luck… Now interfaces don't say that a password is needed when I apply the security profile, and when entering a password the router accepts it but it doesn't untag the correct VLAN. It always untags VLAN1, never the VLAN it's supposed to untag… Both wifi interfaces are set to VLAN1 and admit all.
EDIT:
A little bit of snooping around, so this is the output from the registration table for each password:
test1234:
[admin@MikroTik] /interface/wifi/registration-table> pr d
Flags: A - authorized
0 A interface=wifi1 ssid="MikroTik" mac-address=FE:D9:AD:F0:3D:7F uptime=5s
last-activity=0ms signal=-39 auth-type=ft-wpa2-psk band=5ghz-ax vlan-id=20
test12345:
[admin@MikroTik] /interface/wifi/registration-table> pr d
Flags: A - authorized
0 A interface=wifi1 ssid="MikroTik" mac-address=FE:D9:AD:F0:3D:7F uptime=2s
signal=-24 auth-type=ft-wpa2-psk band=5ghz-ax vlan-id=30
test123456:
[admin@MikroTik] /interface/wifi/registration-table> pr d
Flags: A - authorized
0 A interface=wifi1 ssid="MikroTik" mac-address=FE:D9:AD:F0:3D:7F uptime=2s
signal=-24 auth-type=ft-wpa2-psk band=5ghz-ax vlan-id=40
So it seems that VLANs are assigned correctly but for some reason the bridge doesn't untag them at all.
The idea about setting vlan-id in the wifi driver is that the wifi driver handles the VLAN tags, not the bridge (the bridge only filters traffic according to existing VLAN tags). Which IMO means you have a few errors in your setup. One is the use of multiple datapaths (just noticed you only have them defined but not used), one should be enough. Default wifi access is tagless, which should be fine. My own philosophy, when it comes to VLAN setup, is to go all-tagged though, in this case this means setting datapath.vlan-id on wifi interfaces.
Then you have to let the bridge know which tagged VLANs should be allowed to pass wifi ports:
Of course adding wifi1 and wifi2 to all relevant VLANs, including the one used for default wifi access. If you go with untagged default wifi access, then be careful with the PVID setting of the wifiX bridge port (default is PVID=1, which is fine but you have to be aware of it, as there is no "untagged" frame on the bridge, the switch-like entity, as soon as the bridge is set with vlan-filtering=yes, at least not conceptually).
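An added check, not from this thread or from MikroTik, that parses the two `print detail` outputs shown above (registration table and bridge VLAN table) and lists clients whose PPSK-assigned vlan-id has no matching bridge membership for their wifi port; the sample outputs are constructed from the values in the thread, and the layout of `print detail` records (an index line followed by indented continuation lines) is an assumption about the RouterOS 7 output shape.

```python
import re
from collections import defaultdict
# Constructed samples modelled on the thread's RouterOS 7 "print detail" output:
# two PPSK clients on wifi1, a bridge where VLANs 20/30/40 omit wifi1 (the bug), and the fixed table.
REG_TABLE = """\
Flags: A - authorized
 0 A interface=wifi1 ssid="MikroTik" mac-address=FE:D9:AD:F0:3D:7F uptime=5s
     last-activity=0ms signal=-39 auth-type=ft-wpa2-psk band=5ghz-ax vlan-id=20
 1 A interface=wifi1 ssid="MikroTik" mac-address=02:00:00:00:00:02 uptime=2s
     signal=-24 auth-type=ft-wpa2-psk band=5ghz-ax vlan-id=30
"""
BRIDGE_VLAN_BROKEN = """\
Flags: X - disabled, D - dynamic
 0 D ;;; added by pvid
     bridge=bridgeLocal vlan-ids=1 tagged="" untagged=bridgeLocal,ether1,wifi1
 1   bridge=bridgeLocal vlan-ids=20,30,40 tagged=bridgeLocal,ether1 untagged=""
"""
BRIDGE_VLAN_FIXED = BRIDGE_VLAN_BROKEN.replace(
    "tagged=bridgeLocal,ether1 ", "tagged=bridgeLocal,ether1,wifi1 ")
KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')   # key=value or key="quoted value"

def parse_print_detail(text):
    """Group 'print detail' lines into one dict per numbered record."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        if re.match(r"\s*\d+\s", line):        # index (+ flags) opens a record
            records.append({})
        if records:                            # continuation lines extend it
            for key, val in KV.findall(line):
                records[-1][key] = val.strip('"')
    return records

def allowed_vlans(bridge_vlan_text):
    """Map bridge port -> set of VLAN IDs it is a tagged or untagged member of."""
    ports = defaultdict(set)
    for rec in parse_print_detail(bridge_vlan_text):
        vids = {int(v) for v in rec.get("vlan-ids", "").split(",") if v}
        for role in ("tagged", "untagged"):
            for port in filter(None, rec.get(role, "").split(",")):
                ports[port] |= vids
    return ports

def find_mismatches(reg_text, bridge_vlan_text):
    """Clients whose assigned vlan-id is not allowed on their wifi port."""
    ports = allowed_vlans(bridge_vlan_text)
    return [(c["mac-address"], c["interface"], int(c["vlan-id"]))
            for c in parse_print_detail(reg_text)
            if c.get("vlan-id") and int(c["vlan-id"]) not in ports[c["interface"]]]
```

Dynamic entries such as the later `;;; added by wifi` record are parsed the same way, so the check reflects what the bridge currently allows rather than only static configuration.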
I'm an idiot… I didn't even notice that I didn't tag wireless interfaces to VLANs… I foolishly presumed something more complicated was wrong… I did what you suggested and now PPSK is working like it's supposed to.
Now under bridge/vlans wifi interfaces are still dynamically untagged for VLAN1 (I presume that is because I left PVID on 1 and set to admit all) but the correct VLAN gets untagged and there is internet connectivity (I presume this is where wireless assigns the correct PVID based on the password I input).
If you go with untagged default wifi access, then be careful with the PVID setting of the wifiX bridge port (default is PVID=1, which is fine but you have to be aware of it, as there is no "untagged" frame on the bridge, the switch-like entity, as soon as the bridge is set with vlan-filtering=yes, at least not conceptually).
I never leave any port on PVID 1 when using "admit only untagged"; when I'm using VLANs I never leave any port on PVID1. I generally untag them for the mgmt network and disable them if they are not used.
I disabled the datapath I created and still everything is working like it should. How can I have only one datapath for multiple VLANs? I didn't know that is possible? I can add only one VLAN per datapath.
Do you actually have to add multiple VLAN IDs in the datapath? My impression is that the datapath VLAN ID is a default, but if other mechanisms set it differently (e.g. ppsk settings or radius reply) then the wifi-qcom (the non-ac) driver will apply that exception to the appropriate frames. The resulting tagged (or untagged without vlan-id set on datapath) frames will flow over the configured bridge (as per single datapath config). And we already know now how to properly configure the bridge port, right?
I always had the impression that things under /interface/wifi/datapath were only profiles and only got used if one of the wifi interfaces (either physical or virtual) was explicitly configured to use one of them. And it's only possible to assign one profile of a kind to any interface IIRC.
What I can't even imagine is how all of this would be provisioned via CAPsMAN. It could be that that wouldn't be a problem either if the bridge on the CAP isn't vlan-enabled (and hence simply doesn't care about 802.1Q headers) … meaning that a single datapath is enough.
vlan-id (none | integer 1..4095)
Default VLAN ID to assign to client devices connecting to this interface (only relevant to interfaces in AP mode).
When a client is assigned a VLAN ID, traffic coming from the client is automatically tagged with the ID and only packets tagged with this ID are forwarded to the client.
Default: none
802.11ac chipsets do not support this type of VLAN tagging, but they can be configured as VLAN access ports in bridge settings.
Guess you are right here, only one datapath seems to be required and that default VLAN can be 1; then when a client gets a VLAN ID by e.g. PPSK, only packets with that VLAN ID will be forwarded.
In my case a datapath is clearly not needed and I didn't test capsman yet… I have a spare hap ax lite that could act as a CAP for testing purposes.
Tested PPSK with CAPsMAN and it's working like a charm. The only modification is to tag the port where CAPs are connected, create a datapath with PVID1 and interface bridge and add that into the configuration.
Ah, so the bridge is ignorant about VLANs on the CAP device … just as I thought. So as long as L2MTU is higher than around 1518, it'll blindly pass ethernet frames left and right without ever looking at the VLAN ID in 802.1Q headers … which means you have to be careful about the vlan-id setting on the datapath (it might mean that the wifi-qcom driver will tag frames with VLAN ID 1 and that wouldn't go nicely with default settings of a router where everything has pvid set to 1).
You always need one datapath (simply to add the CAPsMAN-provisioned wifi radio to the CAP's bridge) … either as a datapath profile or static datapath settings on the wifi interface directly (which with CAPsMAN-provisioned CAPs isn't an option obviously). And I guess if the CAP is simply configured to be a CAPsMAN-driven CAP (e.g. by pressing the button at the right moment for the right duration), then it doesn't matter how the bridge is configured. In the worst case a user will connect some PCs to free ether ports and if those PCs are running windows (with their inadequate NIC drivers which simply strip off 802.1Q headers), they might get confused a bit (e.g. they might end up with multiple IPv6 prefixes, some of them not being usable due to the wrong VLAN).
OTOH if the admin wants/needs something less straight-forward at the CAP location, then the admin will have to manually configure the bridge anyway. In this case it's probably safe to enable vlan-filtering on the bridge … and it would be interesting to see if the wifi interface is added to the bridge (by CAPsMAN) together with the correct tagged VLAN membership. If not, then it might be necessary to manually add the wifi interface to the correct VLANs (but I don't know how that would survive reboots).
So it seems we'll need some more experimenting (somehow I feel you're eager to do it yourself)
[admin@MikroTik] > interface bridge port pr
Flags: I - INACTIVE; D - DYNAMIC; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, HORIZON
# INTERFACE BRIDGE HW PVID PRIORITY HORIZON
;;; defconf
0 H ether1 bridgeLocal yes 1 0x80 none
;;; defconf
1 H ether2 bridgeLocal yes 1 0x80 none
;;; defconf
2 I H ether3 bridgeLocal yes 1 0x80 none
;;; defconf
3 I H ether4 bridgeLocal yes 1 0x80 none
4 D wifi1 bridgeLocal 1 0x80 none
And this is when I force my device to connect to the CAP (by disabling local wireless interfaces on CAPsMAN) and after tagging bridgeLocal and ether1 for VLANs I have:
[admin@MikroTik] > interface bridge vlan pr d
Flags: X - disabled, D - dynamic
0 D ;;; added by pvid
bridge=bridgeLocal vlan-ids=1 tagged=wifi1
untagged=bridgeLocal,ether2,ether1 mvrp-forbidden="" current-tagged=wifi1
current-untagged=bridgeLocal,ether2,ether1
1 bridge=bridgeLocal vlan-ids=20,30,40 tagged=bridgeLocal,ether1 untagged=""
mvrp-forbidden="" current-tagged=bridgeLocal,ether1 current-untagged=""
2 D ;;; added by wifi
bridge=bridgeLocal vlan-ids=30 tagged=wifi1 untagged="" mvrp-forbidden=""
current-tagged=wifi1 current-untagged=""
Tested with all VLANs, works like a charm.
One thing I noticed. When I forget the network (so I can connect with another password), the first time entering the password it displays an error on the phone to enter the password again. When I enter the password a second time it connects immediately.
So it seems we'll need some more experimenting (somehow I feel you're eager to do it yourself)
Of course, my goal is always to learn more, otherwise I would use some other brand that is plug and play, but where is the fun in that…
I can think of several reasons for that but not necessarily any of them is actually true:
PPSK machinery has to add the wifi interface to a new VLAN ID … and the bridge (having RSTP enabled) takes a few seconds to actually enable it. During that time, the wifi station times out waiting for anything meaningful to happen
After a station with a non-default PSK (and hence custom VLAN ID) connects to the AP, does the wifi interface become a member of that non-default VLAN?
wifi driver VLAN handling machinery misses a few early frames to be handled by the non-default VLAN ID
I'm not sure how this would explain the fact that entering the password a second time then works
etc.
I guess the most probable cause is the last item from my list above
It's always so fun when somebody else does the testing … not.
No, there is nothing visible on CAP or CAPsMAN VLANs, the wireless interface never shows up when this error occurs. It's probably too fast to show in winbox.
If I understand your comment in one of the previous posts, this is what happens:
When you try to connect a station using a "non-standard" password, the connection initially fails. When you try to do it a second time (a few seconds later), entering the very same non-standard password, the connection actually succeeds. So then your wifi connection works.
Or did I get things wrong?
After that, what does /interface/bridge/vlan/print show? Still nothing about the wifi interface and VID belonging to that non-standard password?
So I have three passwords: test1234 for VLAN20, test12345 for VLAN30 and test123456 for VLAN40.
If I go to forget network so I can connect with another password, select SSID, the phone prompts me to input a password, I input another password and on the first try I get the following on my phone:
And in the logs I get this:
2024-10-03 06:14:14 wireless,debug FE:D9:AD:F0:3D:7F@cap-wifi1 associated, signal strength -20
2024-10-03 06:14:14 wireless,debug FE:D9:AD:F0:3D:7F@cap-wifi1 disassociated, connection lost, signal strength -18
/interface/bridge/vlan/print shows that wifi1 is tagged for vlan1 until I input the password again, then it gets untagged for the correct VLAN.
I waited about a minute after forgetting the network before connecting again and the same thing happens.
What I also noticed: the devices were turned off for the night and when I plugged them in, on the hap ax lite the dhcp client was missing and a connection couldn't be established… rebooting the hap ax solved the problem…