No client to client connection

Hi all,
I have a running network with VLANs, thanks to this forum. Part of this network are 2 Mikrotik access points (1x cAP and 1x wAP) managed by capsman on my central router (RB3011). Assigning WiFi clients to VLANs, including the according DHCP lease, and everything works just fine… at least I thought so until today. After spending quite some time to get a WiFi-connected printer to run, I found out that I can’t ping a WiFi client from another WiFi client and, as such, can’t print from a WiFi client to a WiFi printer. Going through the capsman config, I couldn’t find anything that might help, withholding myself from trial-and-error chances. The only thing I did was to add “client-to-client-forwarding=yes” to the client, but without success.

Any ideas or leads what I’m doing wrong? Please find below the export from /caps-man on the central router (RB3011):

# oct/29/2021 20:30:28 by RouterOS 6.46.8
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled name=\
    channel24
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee name=\
    channel51 skip-dfs-channels=yes
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN100 \
    vlan-id=100 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN200 \
    vlan-id=200 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN300 \
    vlan-id=300 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=securityprofile-WLAN100 passphrase=password1
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=securityprofile-WLAN200 passphrase=password2
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=securityprofile-WLAN300 passphrase=password3
/caps-man configuration
add channel=channel24 country=germany datapath=datapath-LAN100 installation=\
    indoor mode=ap name=cfg-ppwnp-24 security=securityprofile-WLAN100 ssid=ppwnp
add channel=channel51 country=germany datapath=datapath-LAN100 hide-ssid=yes \
    installation=indoor mode=ap name=cfg-ppwnp-51 security=\
    securityprofile-WLAN100 ssid=ppwnp
add channel=channel24 country=germany datapath=datapath-LAN200 installation=\
    indoor mode=ap name=cfg-ppwnk-24 security=securityprofile-WLAN200 ssid=ppwnk
add channel=channel51 country=germany datapath=datapath-LAN200 installation=\
    indoor mode=ap name=cfg-ppwnk-51 security=securityprofile-WLAN200 ssid=ppwnk
add channel=channel24 country=germany datapath=datapath-LAN300 installation=\
    indoor mode=ap name=cfg-ppwn-24 security=securityprofile-WLAN300 ssid=ppwn
add channel=channel51 country=germany datapath=datapath-LAN300 installation=\
    indoor mode=ap name=cfg-ppwn-51 security=securityprofile-WLAN300 ssid=ppwn
/caps-man access-list
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes \
    comment="Samsung Note9 -> VLAN100" disabled=no interface=all \
    mac-address=77:77:77:77:77:77 vlan-id=100 vlan-mode=use-tag
add action=accept comment="Laptop alt" interface=all mac-address=\
    88:88:88:88:88:88 vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment=\
    "Samsung S20 -> VLAN100" interface=all mac-address=\
    99:99:99:99:99:99 vlan-id=100 vlan-mode=use-tag
add action=accept comment="Instar 6014 WLAN --> VLAN80" interface=all \
    mac-address=AA:AA:AA:AA:AA:AA vlan-id=80 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment=\
    "Laptop2 WLAN -> VLAN100" interface=all mac-address=\
    BB:BB:BB:BB:BB:BB vlan-id=100 vlan-mode=use-tag
add action=accept comment="Laptop1 -> VLAN100" interface=all \
    mac-address=CC:CC:CC:CC:CC:CC vlan-id=100 vlan-mode=use-tag
add action=accept comment="Pi-Box WiFi -> VLAN100" interface=all mac-address=\
    DD:DD:DD:DD:DD:DD vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment=\
    "Samsung Tab -> VLAN100" interface=all mac-address=EE:EE:EE:EE:EE:EE \
    vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment=\
    "Canon CP910 Fotodrucker" interface=all mac-address=FF:FF:FF:FF:FF:FF \
    vlan-id=100 vlan-mode=use-tag
/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    cfg-ppwn-24 name-format=prefix-identity name-prefix=2.4g \
    slave-configurations=cfg-ppwnp-24,cfg-ppwnk-24
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    cfg-ppwn-51 name-format=prefix-identity name-prefix=5g slave-configurations=\
    cfg-ppwnp-51,cfg-ppwnk-51
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    cfg-ppwn-24 name-format=prefix-identity name-prefix=2.4g \
    slave-configurations=cfg-ppwnp-24,cfg-ppwnk-24
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    cfg-ppwn-51 name-format=prefix-identity name-prefix=5g slave-configurations=\
    cfg-ppwnp-51,cfg-ppwnk-51

I’m happy to provide any further config if required.

Are printer and device in the same IP scope?
Aka
Printer 192.168.1.25
Devices 192.168.1.101

Yes, same /24 IP address range and the same VLAN.

You changed the config to “client to client forwarding = yes”. Delete the interfaces in cap. Remove the remote radio.

Make sure your provision reads create enable.

Wait a few seconds and the caps will reprovision.

See if it works then.

Still doesn’t work. What I did was basically clean up the config by removing the unneeded SSIDs and restarting the APs in order to reprovision as @gotsprings mentioned.

My concept is to have 3-4 APs in the end, managed centrally by capsman on the RB3011. Clients connecting to the WiFi will be in VLAN300, except if the MAC address is assigned a different VLAN in the access-list. This works so far, except that WiFi clients can’t directly connect to WiFi clients. In the datapath

client-to-client-forwarding=yes

and

local-forwarding=yes

have been set.

On the APs the vlan-config is:

 /interface bridge vlan print detail   
 ....
 5   bridge=bridge vlan-ids=100 tagged=ether1,ether2,wlan1,wlan2 untagged="" 
     current-tagged=ether1,wlan2,wlan1 current-untagged="" 

 6   bridge=bridge vlan-ids=200 tagged=ether1,ether2,wlan1,wlan2 untagged="" 
     current-tagged=ether1,wlan2,wlan1 current-untagged="" 

 7   bridge=bridge vlan-ids=300 tagged=ether1,ether2,wlan1,wlan2 untagged="" 
     current-tagged=ether1,wlan2,wlan1 current-untagged=""
...

Here is the updated capsman-export:

[admin@CoreRouter] > /caps-man export hide-sensitive 
# oct/31/2021 18:49:53 by RouterOS 6.46.8
# software id = X2B6-3S02
#
# model = RB3011UiAS
# serial number =....
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled name=channel24
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee name=channel51 skip-dfs-channels=yes

/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN100 vlan-id=100 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN200 vlan-id=200 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN300 vlan-id=300 vlan-mode=use-tag

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=securityprofile-WLAN300

/caps-man configuration
add channel=channel24 country=germany datapath=datapath-LAN300 installation=indoor mode=ap name=cfg-ppwn-24 security=securityprofile-WLAN300 ssid=ppwn
add channel=channel51 country=germany datapath=datapath-LAN300 installation=indoor mode=ap name=cfg-ppwn-51 security=securityprofile-WLAN300 ssid=ppwn

/caps-man access-list
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Samsung Note9 -> VLAN100" disabled=no interface=all mac-address=AA:AA:AA:AA:AA:AA vlan-id=100 vlan-mode=use-tag
add action=accept comment="laptop old" interface=all mac-address=BB:BB:BB:BB:BB:BB vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment="Samsung S20 -> VLAN100" interface=all mac-address=CC:CC:CC:CC:CC:CC vlan-id=100 vlan-mode=use-tag
add action=accept comment="Camera --> VLAN80" interface=all mac-address=DD:DD:DD:DD:DD vlan-id=80 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment="Laptop1 WLAN -> VLAN100" interface=all mac-address=EE:EE:EE:EE:EE:EE vlan-id=100 vlan-mode=use-tag
add action=accept comment="Lenovo  Laptop -> VLAN100" interface=all mac-address=FF:FF:FF:FF:FF:FF vlan-id=100 vlan-mode=use-tag
add action=accept comment="Pi-Box WiFi -> VLAN100" interface=all mac-address=22:22:22:22:22:22 vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment="Samsung Tab S6 -> VLAN100" interface=all mac-address=33:33:33:33:33:33 vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment="Canon CP910 " interface=all mac-address=44:44:44:44:44:44 vlan-id=100 vlan-mode=use-tag

/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg-ppwn-24 name-format=prefix-identity name-prefix=2.4g
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=cfg-ppwn-51 name-format=prefix-identity name-prefix=5g
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg-ppwn-24 name-format=prefix-identity name-prefix=2.4g
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=cfg-ppwn-51 name-format=prefix-identity name-prefix=5g

So my questions:

  1. When using local-forwarding=yes in the radio-config, what effect does the client-to-client-forwarding=yes have in the access list?
  2. Could the issue be related to tagging/untagging VLANs on wifi1/2?
  3. Any clues what I should be looking for?

Any help appreciated.

So, I finally found the solution and will post it here for others having the same issue.

The solution is that in your capsman configuration you need to set multicast-helper=full. Not sure if I can explain why, but I finally found the solution on google/stackexchange.

/caps-man configuration set [find] multicast-helper=full

After setting this and re-provisioning the interfaces, everything works fine, meaning: I have WiFi clients that are assigned to a VLAN by the access-list in capsman and these clients can now be reached by each other (WiFi client to WiFi client).

Hope that helps,
have a nice week,
plani

I don’t have any setting for Multicast helper on a couple hundred caps that talk one client to the next.

/caps-man configuration
add country="united states3" datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=yes keepalive-frames=enabled mode=ap name=\
    MainWireless security.authentication-types=wpa2-psk security.encryption=\
    aes-ccm security.group-encryption=aes-ccm security.passphrase=password \
    ssid=Example

@plani never detailed what kind of client-to-client connections are failing. From the solution he found, one could assume that the devices are using broadcasts (bonjour or some such) to find each other. And for broadcasts flowing smoothly over wireless, the setting mentioned does help.
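
As an added example (not part of any post in this thread): a small Python audit that parses a `/caps-man export`, resolves each configuration's datapath settings in both the profile form and the inline `datapath.*` form shown above, and lists the configurations without `multicast-helper=full`. The sample export is constructed in the style of the thread's exports; the function names and the precedence of inline keys over a referenced profile are assumptions.

```python
import re
import shlex

# Constructed sample in the style of the exports quoted in this thread.
SAMPLE_EXPORT = r'''
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN300 \
    vlan-id=300 vlan-mode=use-tag
/caps-man configuration
add channel=channel24 country=germany datapath=datapath-LAN300 installation=\
    indoor mode=ap name=cfg-ppwn-24 security=securityprofile-WLAN300 ssid=ppwn
add country="united states3" datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=yes mode=ap multicast-helper=full name=\
    cfg-inline-example ssid=Example
'''

def parse_export(text):
    """Return {menu path: [property dict, ...]} for every 'add' line."""
    # The export wraps long lines with a trailing backslash plus indentation,
    # sometimes in the middle of a key=value token, so rejoin them first.
    text = re.sub(r"\\\n\s*", "", text)
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            tokens = shlex.split(line[4:])  # honours quoted values
            props = dict(t.split("=", 1) for t in tokens if "=" in t)
            menus.setdefault(menu, []).append(props)
    return menus

def audit(text):
    """One row per configuration with its resolved forwarding settings."""
    menus = parse_export(text)
    profiles = {d["name"]: d for d in menus.get("/caps-man datapath", [])}
    rows = []
    for cfg in menus.get("/caps-man configuration", []):
        dp = dict(profiles.get(cfg.get("datapath", ""), {}))
        # Assumption: inline datapath.* keys win over the referenced profile.
        dp.update({k.split(".", 1)[1]: v for k, v in cfg.items()
                   if k.startswith("datapath.")})
        rows.append({"config": cfg["name"], "ssid": cfg.get("ssid"),
                     "vlan-id": dp.get("vlan-id"),
                     "client-to-client-forwarding": dp.get("client-to-client-forwarding", "unset"),
                     "local-forwarding": dp.get("local-forwarding", "unset"),
                     "multicast-helper": cfg.get("multicast-helper", "unset")})
    return rows

def needs_review(rows):
    """Configurations to check first when broadcast-based discovery fails."""
    return [r["config"] for r in rows if r["multicast-helper"] != "full"]

if __name__ == "__main__":
    for row in audit(SAMPLE_EXPORT):
        print(row)
```
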