I currently have a working home config with a Wifi Capsman router/ap (hap ax3) and several hap ax2 and hap ax lite APs (all 7.20.2), but I am wondering if the config could be made easier.
Situation: 2 SSIDs (Secure (main) and Guest (virtual) networks) which are provisioned by Capsman to the APs, with a Datapath that dynamically adds the wifi interfaces to a bridge. There is an L2 separation on the guest network (allow only routed access to the internet, no switching of traffic). Client Isolation is used to prevent guest communication on the same radio per AP, and Bridge filtering is used to prevent other connections between 2 devices on the guest network. However, bridge filtering disables fast-track on the ax3 router, so on the router, the Bridge Horizon option is used instead, to specifically block the 2.4 GHz and 5 GHz guest SSID ports from being able to communicate.
Problem: To set up the bridge horizon option, the Wifi interfaces must be manually added to the bridge, instead of using the Datapath-bridge option which adds a dynamic entry that cannot be edited. However, it seems impossible to overrule the “Datapath-Bridge” to use no bridge at all for the virtual guest wifi SSID on the hap ax3. Due to this problem, I cannot reuse the wifi configurations that are used for provisioning the APs, and I use a separate wifi configuration on the router/AP. This is ugly because it is exactly the same wifi configuration, but with an empty datapath-bridge option.
Question: 1) Is it correct that the datapath-bridge option cannot be overruled in some way to not add any bridge wifi ports? If this cannot be done, would this be a valid feature request? 2) Are there any other/better ways to separate the 2.4 GHz and 5 GHz Wifi interfaces on the router/AP without losing fast track?
You have to unset "datapath" on cap wifi interfaces if I am correct. It is the same issue you have when assigning vlan on a wifi-qcom-ac cap, you can't modify dynamic bridge port members (I had a long discussion on that with Mikrotik support, but it was insisted that dynamic entries can be modified, shrug).
Either unset datapath on main interfaces or set an empty slave-datapath on /interface/wifi/cap - I think this should remove the slave interfaces from the bridge as well.
Thank you for your reply. The problem is on the local slave wifi interface of my hap ax3 which acts as Capsman/AP/Router. When I unset the Datapath Bridge on the local wifi slave configuration, the slave interface is still added to the bridge (it probably takes the master wifi interface’s setting by default). I would like to overrule it to not add the slave interface to the bridge at all, so I can reuse the configurations I use to provision the CAPs.
I can't test it right now, but I think that if the provisioning rule (under /interface/wifi/provisioning) is configured with action=create-enabled, then it is possible to change certain properties locally on the CAP device ... and those changes remain over reboots etc. Such a device is not considered truly dynamic any more.
@infabo The datapath on wifi master interfaces is already “unset”, it grabs the datapath from my wifi configuration. Currently, I indeed use a custom datapath/configuration to not add the master and slave wifi interfaces to the bridge. But this is ugly because of 2 reasons: 1) duplicate config/datapath (same properties but only the datapath-bridge option is unselected) 2) I still need to add the master interface bridge/vlan properties manually, whereas this could have been done automatically by datapath. I only want to change the horizon properties of the slave interfaces and I am fine with dynamic bridge ports for the master WiFi interface.
The /interface/wifi/cap is disabled on the capsman/router/AP. The manual mentions CAPsMAN cannot manage its own wifi interfaces using configuration.manager=capsman, so I guess it should be disabled. I tried setting the "slave-datapath" anyway but without luck, and even if it would work, I still would have to make a duplicate datapath configuration.
I also tried the solution as suggested by @mkx. I think it is true you can change the properties of the WiFi interfaces when using the “action=create-enabled” option. But this leads to the original question: how to change the settings? Specifically, how to set the datapath for the slave interface? In winbox 3.43, unsetting it makes it default to the master (which is “bridge”), and when setting it explicitly there’s only 1 option: set it to “bridge”. A ‘none’ option is lacking here it seems, to not add the slave interface to any bridge.
Thank you, setting the slave Datapath-Bridge value to 'none' solved my issue: now, the WiFi slave interface is no longer added to the bridge whereas the master interface is.
The option 'none' is not available on either Winbox v3 or v4 and is also not mentioned on the help website, hence my confusion: