RB4011 as CAP does not join 'localhost' CAPSMAN

Hi there,

I have a RB4011iGS+5HacQ2HnD that I have running as a CAPsMAN. A couple of wAP / wAP ACs are joined without problem, all with the Mikrotik default “CAP” config (discovery on bridge-local). However the RB4011 won’t join “itself”.

Both interfaces are displayed as “managed by CAPsMAN”

[admin@home.xx-xx.nl] /interface wireless cap> print
                            enabled: yes
                         interfaces: wlan1,wlan2
                        certificate: none
                   lock-to-caps-man: no
               discovery-interfaces: bridge-local
                 caps-man-addresses:
                     caps-man-names:
  caps-man-certificate-common-names:
                             bridge: bridge-local
                     static-virtual: no

However when I look at capsman->remote cap I only see my wAPs not the RB4011 itself. From my previous config I remember this used to work. Am I missing something simple here? It should discover on bridge-local right? If I remove the discovery-interface and set it to 127.0.0.1 it still does not work.

edit:
If I enable/reenable CAP then the only thing in the logs is “CAP configuration changed by admin”

The local cAPs connect to the local CAPsMAN via local loop interface, whose existence is however hidden in RouterOS, using the localhost address 127.0.0.1:

[me@MyTik] > ip firewall connection print where src-address~"^127"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
 #          PR.. SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS
 0  SAC     udp  127.0.0.1:35133       127.0.0.1:5247                    2m59s         7.8kbps  17.7kbps      582 588      497 332
 1  SAC     udp  127.0.0.1:35313       127.0.0.1:5246                    2m58s         2.7kbps   1744bps      171 334      171 336

So even if you haven’t configured your own firewall rules: although the default firewall rules of a few recent RouterOS releases already contain a rule src-address=127.0.0.0/8 dst-address=127.0.0.0/8 action=accept in chain=input of /ip firewall filter, it wasn’t always the case. So if you’ve installed your router with some older release and just kept upgrading it without any reset to default configuration while running one of the recent releases (why should one do that), you have to add such a rule manually.

Well that is strange, I literally reset my entire router 2 weeks ago and I did not get the 127.0.0.1 firewall rule. However I manually added the rule now and yes indeed it works so that is fantastic. Just one thing. It did not accept the /8 but only the /32 works fine. Thank you for your assistance!
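To check an exported input chain for the problem diagnosed in this thread, the sketch below (an added example, not part of the original posts and not MikroTik code) walks `chain=input` rules in first-match order for the local CAP's first packet to 127.0.0.1:5246. The rule lines are constructed samples in `/ip firewall filter export` style, and the probe assumes loopback traffic belongs to no interface list; only the matchers listed in `PROBE` are modelled.

```python
import ipaddress
import shlex

# Constructed probe: first packet of the local CAP's session to CAPsMAN.
PROBE = {"src-address": "127.0.0.1", "dst-address": "127.0.0.1",
         "protocol": "udp", "dst-port": "5246", "connection-state": "new",
         "in-interface-list": ""}  # assumption: loopback is in no interface list
NON_MATCHERS = {"chain", "action", "comment", "log", "log-prefix"}

# Constructed sample rules, not taken from a real device.
LEGACY = [
    'add action=accept chain=input connection-state=established,related',
    'add action=accept chain=input protocol=icmp',
    'add action=drop chain=input comment="drop non-LAN" in-interface-list=!LAN',
]
LOOPBACK_RULE = ('add action=accept chain=input '
                 'src-address=127.0.0.0/8 dst-address=127.0.0.0/8')
FIXED = LEGACY[:2] + [LOOPBACK_RULE] + LEGACY[2:]  # accept placed before the drop

def parse_rule(line):
    """Turn one 'add key=value ...' export line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line)[1:])

def field_matches(key, want, pkt):
    negate, want = want.startswith("!"), want.lstrip("!")
    if key.endswith("-address"):
        net = ipaddress.ip_network(want, strict=False)
        hit = ipaddress.ip_address(pkt[key]) in net
    elif key == "dst-port":  # comma list of single ports or lo-hi ranges
        spans = [p.partition("-") for p in want.split(",")]
        hit = any(int(lo) <= int(pkt[key]) <= int(hi or lo) for lo, _, hi in spans)
    elif key == "connection-state":
        hit = pkt[key] in want.split(",")
    else:
        hit = pkt[key] == want
    return hit != negate

def input_verdict(export_lines, pkt=PROBE):
    """First-match walk of chain=input; returns (action, rule index or None)."""
    for n, line in enumerate(export_lines):
        rule = parse_rule(line)
        if rule.get("chain") != "input":
            continue
        matchers = {k: v for k, v in rule.items() if k not in NON_MATCHERS}
        if set(matchers) - set(pkt):
            raise ValueError(f"rule {n}: matcher not modelled by this sketch")
        if all(field_matches(k, v, pkt) for k, v in matchers.items()):
            if rule.get("action", "accept") in ("accept", "drop", "reject"):
                return rule.get("action", "accept"), n
    return "accept", None  # nothing matched: the chain falls through to accept
```

A `drop` verdict for `LEGACY` and an `accept` for `FIXED` mirrors what the thread found; appending the loopback rule after the drop rule leaves the verdict at `drop`, so rule order matters as much as the rule itself.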