No internet access after CAPsMAN setup: CAP AX behind RB5009

HI,

Perhaps someone can help me out.

I have a new (and updated) RB5009 and CAP AX. Later I want to install additional CAPs. Therefore this setup.

After a lot of trying, it seems the normal CAPsMAN menu in Winbox did not work, but Wireless did! So the AX is now connected to the RB5009. But since then I have lost my internet connection (and yes, it is still live, I have checked).
For CAPsMAN I reviewed a lot of material, but this link was the most helpful:
https://wiki.mikrotik.com/wiki/Manual:Simple_CAPsMAN_setup#Option_#1,_using_Winbox

Here is my config:

# 2024-05-17 13:45:34 by RouterOS 7.14.3
# software id = XXXXXXXXXX
#
# model = RB5009UPr+S+
# serial number = xxxxxxxxxxx
# Review notes: this export is the RB5009 acting as CAPsMAN controller.
# Sensitive values (MACs, serial, identity) are redacted by the poster;
# wifi passphrases are not shown by a plain /export either, so their
# absence below says nothing about whether they are set.
/interface bridge
add admin-mac=xxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 is the only interface kept out of the bridge (see bridge ports
# below) and is the sole member of the WAN list.
set [ find default-name=ether1 ] name="ether1 - WAN"
set [ find default-name=ether8 ] name="ether8 - MngMnt"
# Legacy (v6-style) CAPsMAN configuration. A cAP ax runs the newer
# wifi-qcom driver and is provisioned by /interface wifi capsman, not by
# this section, so this block is unused for that CAP.
# Security: wpa-psk (WPA1) is accepted alongside wpa2-psk here; WPA1 is
# deprecated. If this block is kept for older CAPs, consider wpa2-psk only.
/caps-man configuration
add country=netherlands datapath.bridge=bridge distance=indoors installation=\
    indoor mode=ap name=CAPS01 security.authentication-types=wpa-psk,wpa2-psk \
    .encryption=aes-ccm ssid=SSID_SSID
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# New-style wifi configuration: WPA2/WPA3-PSK with CCMP. This is the one
# the cAP ax actually uses (via the wifi provisioning rule below).
# NOTE(review): the space in "ssid= SSID_SSID" looks like a paste/redaction
# artifact; a real export has the value directly after "=". Confirm the SSID
# is actually set on the live config.
/interface wifi configuration
add country=Netherlands datapath.bridge=bridge disabled=no name=MasterCfg \
    security.authentication-types=wpa2-psk,wpa3-psk .group-encryption=ccmp \
    ssid= SSID_SSID
# Legacy wireless security profile; the RB5009 has no radio, so this is
# presumably just the untouched default.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# This router is the DHCP server for the bridge (relevant to the
# dhcp-client entry further down).
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
# Legacy CAPsMAN manager listening on the bridge. Both the legacy manager
# and the new wifi capsman (below) are enabled on the same bridge; only the
# new one matters for the cAP ax.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=CAPS01
# ether1 is deliberately not a bridge port. ether2 trusted=yes is the
# defconf DHCP-snooping trust setting.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 trusted=yes
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface="ether8 - MngMnt"
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): wan-interface-list=all makes detect-internet probe every
# interface rather than just WAN. Unusual but not, by itself, the cause of
# a lost uplink — confirm it was intended.
/interface detect-internet
set wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 - WAN" list=WAN
# NOTE(review): the CAP client role is enabled on the RB5009 itself,
# pointing at its own bridge address. The RB5009 has no wifi interfaces,
# so this is presumably unintended (harmless, but noise in the CAP list).
/interface wifi cap
set caps-man-addresses=192.168.88.1 discovery-interfaces=bridge enabled=yes
# New wifi CAPsMAN on the bridge.
# Security: require-peer-certificate=no means CAPs are not authenticated by
# certificate, so any device that can reach the bridge and speaks the CAP
# protocol can register and receive the pushed configuration (including the
# PSK). Acceptable on a trusted LAN; for a larger deployment, consider
# issuing CAP certificates and setting require-peer-certificate=yes.
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=MasterCfg \
    name-format=cap
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# NOTE(review): most likely cause of the lost internet. The only DHCP
# client is bound to the bridge — the LAN side, where this router is itself
# the DHCP server — and no DHCP client, static address or route for
# "ether1 - WAN" appears anywhere in this export. Nothing obtains a WAN
# address or default route. Expected (defconf) placement is on ether1, e.g.
#   /ip dhcp-client set [ find interface=bridge ] interface="ether1 - WAN"
# then verify with /ip address print and /ip route print.
# A client on the LAN bridge can also accept a lease (and default route)
# from any DHCP server that appears on the LAN, which is undesirable.
/ip dhcp-client
add comment=defconf interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# Router answers DNS from any interface; exposure to WAN is prevented only
# by the input-chain "drop all not coming from LAN" rule below, so keep
# that rule in place.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 firewall: unmodified defconf (input closed except from LAN,
# forward allows established/related and DSTNATed WAN traffic only).
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Masquerade on WAN; only has effect once "ether1 - WAN" holds an address.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# IPv6 bogon list and filter: unmodified defconf.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=NAME_NAME
/system note
set show-at-login=no
# NTP enabled against a named server; resolution depends on the DNS/uplink
# being restored first.
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.time.nl
# MAC-level server and MAC-Winbox restricted to the LAN list (good: not
# reachable from WAN).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I hope someone can help or spot the issue.
Richard

Wrong link: that refers to CAPsMAN for legacy wifi.
All your settings are for legacy wifi, so they are of no use for the CAP AX.

You need to use this:
https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-WiFiCAPsMAN

Thanks for the swift reply.

I have just got it to work by resetting the RB5009 and following the (wrong) link I mentioned before — only step 2, keeping the default config. One exception: make sure not to fill in the MAC address as all 0's at the step “Specify CAPsMAN to use the created configuration”.

But I will look at the correct link and adjust where necessary. For now, I am first going to back up this config :slight_smile:

Thanks again!

I can help if you don't want the extra years added to your life and the loss of hair that come with using CAPsMAN.
Setting up the AX without capsman on the AX and the RB5009 is SOoooooooooooooooooooo Simple.

You missed the point where he said he was going to add more APs :laughing:

There’s not only the Anav-way…

So what LOL, the only advantage of CAPsMAN is slightly better roaming. I have to ask holve, do you run around your house with the cell phone in your hand, or only when you comment on your spouse's cooking ;-PP