reliable names for wifi slave interfaces on CAP

klaeuser · August 6, 2024, 9:00am

I’m using ROS 7.15.3 and have a CAPsMAN setup with a RB3011 and some hapAX2 CAPs.
Now I need to configure slave devices for some of the wifi interfaces on the CAPs.
I do this by just create provisioning rules on the CAPsMAN - and this works great.
The bad thing with that is, that the names of the slave devices change (on the CAP) at every shutdown/reboot.
Sometimes the are called just wifi7, wifi8, … , sometimes they are called wifi12, wifi22, … (where wifi1 and wifi2 are the names oft the master-interfaces).
I wouldn’t bother, but I need to put the names of the interfaces into the bridge configuration on the CAP, because I need to assign a certain VLAN ID to that interface.

/interface/bridge/port/add bridge=local-bridge interface=wifi22 pvid=12

However, because the name changes with every reboot, the interface now has a different name (it is called wifi6 now):

 /interface/wifi/pri
Flags: M - MASTER; D - DYNAMIC; B - BOUND; R - RUNNING
Columns: NAME, MASTER-INTERFACE, CONFIGURATION.MODE
#      NAME   MASTER-INTERFACE  CONFIGURATION.MODE
;;; managed by CAPsMAN
;;; mode: AP, SSID: hugo
0  DBR wifi6  wifi2

In the bridge I now have an orphaned entry in the bridge and the virtual (slave) interface no longer works as expected.

/interface/bridge/port/print
Flags: I - INACTIVE
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
 #   INTERFACE    BRIDGE        HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON

...
16 I *20          local-bridge         12  0x80                                     none

I tried some workarounds, e.g. creating a slave-Interface before starting CAPsMAN, but that does not work. CAPsMAN always creates a new interface … with an odd name …

neki · August 6, 2024, 11:43am

AX devices can assign VLANs dynamically via datapath from CAPsMAN, so you don’t have to worry about the names…

klaeuser · August 6, 2024, 1:16pm

ah … ok, but how?

I put a VLAN id into the datapath of the slave configuration (on the CAPsMAN), but this does not work.

Is this related somehow to that ominous setting “slaves-datapath” on the CAP, which is not documented anywhere?

neki · August 6, 2024, 3:17pm

Post your configs… Both sides…

holvoetn · August 6, 2024, 3:55pm

Use dynamic ports on bridge on cap
They will be added automatically.

klaeuser · August 6, 2024, 3:57pm

In order not to make the whole thing too confusing, here are the configs for the 2GHz band. There are no slaves for the 5GHz band - that’s why I left it out.
Do you also need the configs for the VLAN bridges?

CAPsMAN:

/interface wifi channel add band=2ghz-ax disabled=no name="2GHz ax" width=20mhz

/interface wifi datapath add bridge=vlan-bridge1 disabled=no name=vlan-datapath
/interface wifi datapath add bridge=vlan-bridge1 disabled=no name=datapath_static_VLAN-IOT vlan-id=12

/interface wifi security add authentication-types=wpa-eap,wpa2-eap disabled=no eap-methods=tls,peap encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes ft-preserve-vlanid=yes group-encryption=ccmp management-protection=allowed name=Security_WPA2_EAP_WPA3_EAP_TLS_PEAP wps=disable
/interface wifi security add authentication-types=wpa2-psk disabled=no name=Security_WPA2_IOT wps=disable

/interface wifi configuration add channel="2GHz ax" country=Germany datapath=vlan-datapath disabled=no name=WPA_EAP_TLS_PEAP_2GHz_ax security=Security_WPA2_EAP_WPA3_EAP_TLS_PEAP ssid=GEHEIM
/interface wifi configuration add channel="2GHz ax" country=Germany datapath=datapath_static_VLAN-IOT disabled=no name="WPA2_f\FCr_IOT" security.authentication-types=wpa2-psk ssid=hugo

/interface wifi access-list add action=query-radius client-isolation=yes disabled=yes ssid-regexp=hugo vlan-id=none

/interface wifi capsman set ca-certificate=auto certificate=auto enabled=yes interfaces=vlan-bridge1 package-path="" require-peer-certificate=no upgrade-policy=none

/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=WPA_EAP_TLS_PEAP_2GHz_ax radio-mac=48:fc:29:1b:e2:60 slave-configurations="WPA2_f\FCr_IOT" supported-bands=2ghz-ax
/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=WPA_EAP_TLS_PEAP_2GHz_ax radio-mac=d4:4c:f6:b8:4d:9c slave-configurations="WPA2_f\FCr_IOT" supported-bands=2ghz-ax

CAP:

/interface wifi set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no name=wlan1 security.wps=disable
/interface wifi set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no name=wlan2 security.wps=disable
/interface wifi datapath add bridge=local-bridge disabled=no name=capdp
/interface wifi cap set caps-man-addresses=192.168.71.1 caps-man-certificate-common-names="" certificate=request discovery-interfaces=local-bridge enabled=yes lock-to-caps-man=no

neki · August 6, 2024, 6:50pm

You have to chose if you want to use VLANs or not, if you want them, you have to use them all the way…

datapath.bridge must be set on CAP not CAPsMAN.

CAPsMAN
/interface wifi datapath add bridge=vlan-bridge1 disabled=no name=vlan-datapath missing VLAN ID
/interface wifi datapath add bridge=vlan-bridge1 disabled=no name=datapath_static_VLAN-IOT vlan-id=12

CAP
/interface wifi set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath.bridge=local-bridge disabled=no name=wlan1 security.wps=disable
/interface wifi set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath.bridge=local-bridge disabled=no name=wlan2 security.wps=disable
/interface wifi datapath add bridge=local-bridge disabled=no name=capdp
You defined datapath configuration profile, but that profile wasn’t used.

klaeuser · August 7, 2024, 6:20am

You have to chose if you want to use VLANs or not, if you want them, you have to use them all the way…

datapath.bridge must be set on CAP not CAPsMAN.

CAPsMAN
/interface wifi datapath add bridge=vlan-bridge1 disabled=no name=vlan-datapath missing VLAN ID
/interface wifi datapath add bridge=vlan-bridge1 disabled=no name=datapath_static_VLAN-IOT vlan-id=12

CAP
/interface wifi set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath.bridge=local-bridge disabled=no name=wlan1 security.wps=disable
/interface wifi set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath.bridge=local-bridge disabled=no name=wlan2 security.wps=disable
/interface wifi datapath add bridge=local-bridge disabled=no name=capdp
You defined datapath configuration profile, but that profile wasn’t used.

Tanks for your update!
I’m using VLANs all the way but on the wifi master interfaces VLAN assignment is done dynamically by RADIUS/UserManager. To get this working I needed to put the wifi Interfaces into the bridge on the CAP and assign all needed VLANs (tagged) to that bridge ports. A static VLAN id on that interfaces is neither helpful nor needed. On the slave interfaces I don’t need dynamic VLANs, therefore a static VLAN id was perfect.
I’d rather assign a datapath to the slave interfaces on the CAP, but they are created at runtime … with a different name each time

neki · August 8, 2024, 7:23am

I don’t know man, your info is in very weird order.. Anyway, aren’t you looking for “slaves-static” ?