Sanity check on config CAPsMAN + VLANs on hEX S + ac2 + ax2

Hi All - After struggling with my unnecessarily ambitious setup for home, I think I have it stable and might be able to help a few people or get corrected here:

Setup is a nice mix of hEX S (Main router, running CAPsMAN) with 10 802.1q VLANs trunked into a backbone of 2 light managed Netgear switches and 2 slightly heavier managed CISCO switches. All Mikrotik devices are currently running ROS 7.21.1

The backbone trunk also connects to an older hAP ac2 and a new hAP ax2, each configured as CAPs but also as managed switches with bridge VLAN filtering in order to extract some of the VLANs locally from the ports independently of the WLAN functionality.

Currently I have two SSIDs (the usual main and guest) deployed, but the journey will eventually go Dot1X.

I got it all working following the manual and some additional reading, encountered the usual fun with the QCOM AC / non-AC drivers, etc.

For now I have the traffic processing on the CAPs.

The last problem I was having was that alternatingly either the AC or the AX AP would end up showing “client was disconnected because could not assign VLAN” on the CAPsMAN on all 4 profiles of that AP (2 SSIDs, 2 Bands).

I eventually seem to have solved it by setting “FT preserve VLAN ID” for the AX provisioning profiles but NOT setting it for the AC profiles (after spending considerable time studying the manual). Separate profiles for AC and AX are required due to the drivers handling VLANs differently (as the manual states).

And now the question: did I only cure the symptom and break roaming in the process, or is this the solution? I cannot figure it out with my WLAN clients. My devices seem™ to roam correctly between the APs.

Configuration can be posted, if helpful.

Thank you, Otto

Hi,

Please explain to us how we could check the configuration without reading it? Do you think that we could recreate it somehow? Would you be able to guess my configuration if I describe it as "I have an OSPF+eBGP multisite network but on one router I see a "blahblahblah" message"?

In short: yes, post the configuration.

Easy solution.

Add four external antennas and put the device inside a glass globe?
:rofl:

@mtsu23

A Wizard of Mikrotiksea finding the hidden name that has power .... small tip: configuration**

If everyone thinks, it is easier to read…

VLAN 110 = home (W)LAN
VLAN 121 = guest (W)LAN
VLAN 236 = management LAN

CAPsMAN running on hEX S (RB760iGS), RouterOS on all devices 7.21.1 (sections rearranged for readability of bridge settings and wifi settings).

/interface bridge
add admin-mac=ma:ca:dd:re:ss:00 auto-mac=no comment="The one and only Bridge" fast-forward=no frame-types=\
    admit-only-vlan-tagged igmp-snooping=yes igmp-version=3 mld-version=2 multicast-querier=yes multicast-router=\
    permanent name=bridge pvid=236 vlan-filtering=yes

/interface vlan
add interface=bridge name="FB LAN VLAN 100" vlan-id=100
add interface=bridge name="MGMT VLAN 236" vlan-id=236
add interface=bridge name="MT Guest VLAN 121" vlan-id=121
add interface=bridge name="MT Main LAN VLAN 110" vlan-id=110

/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=236
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 pvid=236
add bridge=bridge ingress-filtering=no interface=ether3 pvid=236
add bridge=bridge comment="WLAN uplink port" frame-types=admit-only-vlan-tagged interface=ether5 pvid=236

/ip address
add address=10.23.236.1/24 comment="MGMT Interface" interface="MGMT VLAN 236" network=10.23.236.0
add address=10.23.110.1/24 comment="Main trusted LAN GW" interface="MT Main LAN VLAN 110" network=10.23.110.0
add address=10.23.121.1/24 comment="MT Guest LAN" interface="MT Guest VLAN 121" network=10.23.121.0


/interface wifi datapath
add bridge=bridge disabled=no name=DP_AC
add bridge=bridge disabled=no name=DP_AX_Main vlan-id=110
add bridge=bridge disabled=no name=DP_AX_Guest vlan-id=121

/interface wifi interworking
add disabled=no esr=no hessid=ma:ca:dd:re:ss:00 internet=yes name=MT_inter network-type=private-with-guest uesa=\
    no

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=SubmarineBridge_security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=MT_Gast_Security

/interface wifi configuration
add country=Germany datapath=DP_AC disabled=no installation=indoor name=MT_Main_WLAN_AC security=\
    SubmarineBridge_security security.ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no ssid=SubmarineBridge
add datapath=DP_AC datapath.client-isolation=yes disabled=no name=MT_Guest_WLAN_AC security=MT_Gast_Security \
    security.ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no ssid=MT_Gast
add datapath=DP_AX_Guest datapath.client-isolation=yes disabled=no name=MT_Guest_WLAN_AX security=\
    MT_Gast_Security security.ft=yes .ft-over-ds=yes .ft-preserve-vlanid=yes ssid=MT_Gast
add country=Germany datapath=DP_AX_Main disabled=no installation=indoor name=MT_Main_WLAN_AX security=\
    SubmarineBridge_security security.ft=yes .ft-over-ds=yes .ft-preserve-vlanid=yes ssid=SubmarineBridge

/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces="bridge,MGMT VLAN 236" package-path="" \
    require-peer-certificate=no upgrade-policy=suggest-same-version

/interface wifi provisioning
add action=create-dynamic-enabled comment=5GHz_PR_AX disabled=no identity-regexp=_AX_ master-configuration=\
    MT_Main_WLAN_AX slave-configurations=MT_Guest_WLAN_AX supported-bands=5ghz-ax
add action=create-dynamic-enabled comment=2GHz_PR_AX disabled=no identity-regexp=_AX_ master-configuration=\
    MT_Main_WLAN_AX slave-configurations=MT_Guest_WLAN_AX supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=2GHz_PR_AC disabled=no identity-regexp=_AC_ master-configuration=\
    MT_Main_WLAN_AC slave-configurations=MT_Guest_WLAN_AC supported-bands=2ghz-n
add action=create-dynamic-enabled comment=5GHz_PR_AC disabled=no identity-regexp=_AC_ master-configuration=\
    MT_Main_WLAN_AC slave-configurations=MT_Guest_WLAN_AC supported-bands=5ghz-ac

CAP 1 hAP ac2 (RBD52G-5HacD2HnD)

/interface bridge
add admin-mac=ma:ca:dd:re:ss:00 auto-mac=no comment=defconf fast-forward=no frame-types=admit-only-vlan-tagged igmp-snooping=yes name=bridgeLocal pvid=236 vlan-filtering=yes

/interface vlan
add interface=bridgeLocal name="MT Guest" vlan-id=121
add interface=bridgeLocal name="MT LAN" vlan-id=110
add interface=bridgeLocal name=VLAN236 vlan-id=236

/interface list
add name="Trunk ports"
add name="FB Main"
add name="FB Guest"
add name="FB WAN"

/interface list member
add interface=ether1 list="Trunk ports"
add interface=ether5 list="Trunk ports"
add interface=ether2 list="FB WAN"
add interface=ether3 list="FB Main"
add interface=ether4 list="FB Guest"
add interface=bridgeLocal list="Trunk ports"

/interface bridge port
add bridge=bridgeLocal comment="Incoming Trunk" ingress-filtering=no interface=ether1 pvid=236
add bridge=bridgeLocal comment=MT_Guest frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=121
add bridge=bridgeLocal comment=MT_Guest frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=121
add bridge=bridgeLocal comment=MT_Main frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=110
add bridge=bridgeLocal comment="Outgoing Trunk" ingress-filtering=no interface=ether5 pvid=236
add bridge=bridgeLocal interface=wifi1 pvid=110
add bridge=bridgeLocal interface=wifi2 pvid=110
add bridge=bridgeLocal interface=wifi13 pvid=121
add bridge=bridgeLocal interface=wifi14 pvid=121

/interface bridge vlan
add bridge=bridgeLocal comment="Trunk ports" tagged="Trunk ports" vlan-ids=236,268,468,527,569,704
add bridge=bridgeLocal tagged="Trunk ports" untagged=wifi1,wifi2,ether4 vlan-ids=110
add bridge=bridgeLocal tagged="Trunk ports" untagged=wifi13,wifi14,ether2,ether3 vlan-ids=121

/ip address
add address=10.23.236.120/24 comment="MGMT Interface" interface=VLAN236 network=10.23.236.0

/interface wifi cap
set discovery-interfaces=bridgeLocal,VLAN236 enabled=yes slaves-static=yes
/interface wifi
# managed by CAPsMAN ma:ca:dd:re:ss:00%VLAN236, traffic processing on CAP
# mode: AP, SSID: SubmarineBridge, channel: 2427/n/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN ma:ca:dd:re:ss:00%VLAN236, traffic processing on CAP
# mode: AP, SSID: SubmarineBridge, channel: 5580/ac/Ceee/D
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN ma:ca:dd:re:ss:00%VLAN236, traffic processing on CAP
# mode: AP, SSID: MT_Gast
add disabled=no mac-address=ma:ca:dd:re:ss:00 master-interface=wifi1 name=wifi13
# managed by CAPsMAN ma:ca:dd:re:ss:00%VLAN236, traffic processing on CAP
# mode: AP, SSID: MT_Gast
add disabled=no mac-address=ma:ca:dd:re:ss:00 master-interface=wifi2 name=wifi14

CAP2 hAP ax2 (C52iG-5HaxD2HaxD)

/interface bridge
add admin-mac=ma:ca:dd:re:ss:00 auto-mac=no comment=defconf fast-forward=no igmp-snooping=yes name=bridgeLocal pvid=236 vlan-filtering=yes

/interface list
add name="Trunk ports"
add name="FB Main"
add name="FB Guest"
add name="FB WAN"

/interface list member
add interface=ether1 list="Trunk ports"
add interface=ether5 list="Trunk ports"
add interface=ether2 list="FB WAN"
add interface=ether3 list="FB Main"
add interface=ether4 list="FB Guest"
add interface=bridgeLocal list="Trunk ports"

/interface bridge port
add bridge=bridgeLocal comment="Incoming Trunk" ingress-filtering=no interface=ether1 pvid=236
add bridge=bridgeLocal comment="FB WAN" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=42
add bridge=bridgeLocal comment="FB Main" frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridgeLocal comment="FB Guest" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=111
add bridge=bridgeLocal comment="Outgoing Trunk" ingress-filtering=no interface=ether5 pvid=236

/interface bridge vlan
add bridge=bridgeLocal comment="Trunk ports" tagged="Trunk ports" vlan-ids=236,268,468,527,569,704
add bridge=bridgeLocal tagged="Trunk ports" untagged="FB WAN" vlan-ids=42
add bridge=bridgeLocal tagged="Trunk ports" untagged="FB Main" vlan-ids=100
add bridge=bridgeLocal tagged="Trunk ports" untagged="FB Guest" vlan-ids=111
add bridge=bridgeLocal tagged="Trunk ports" vlan-ids=110
add bridge=bridgeLocal tagged="Trunk ports" vlan-ids=121

/ip address
add address=10.23.236.121/24 comment="MGMT Interface" interface=VLAN236 network=10.23.236.0

/interface wifi cap
set discovery-interfaces=bridgeLocal,VLAN236 enabled=yes slaves-datapath=capdp

/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp

/interface wifi
# managed by CAPsMAN ma:ca:dd:re:ss:00%VLAN236, traffic processing on CAP
# mode: AP, SSID: SubmarineBridge, channel: 5500/ax/Ceee/D
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
# managed by CAPsMAN ma:ca:dd:re:ss:00%VLAN236, traffic processing on CAP
# mode: AP, SSID: SubmarineBridge, channel: 2462/ax/eC
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no

Exports have been cleaned of irrelevant stuff. You should have all models, the bridges, the CAPsMAN settings, the CAP settings.

I left the SSIDs in since it is quite unlikely that someone will be in range and they will be changed with the move to DOT1X anyways.

This is mostly the example from the online documentation, with some bridge configuration thrown in to use the ports on the CAP devices as managed switch.

The setting that got rid of my last error message as mentioned in the original post is

.ft-preserve-vlanid=no in the wifi configuration which is NOT in the online manual under the CAPsMAN section, but is mentioned for devices with the wireless-qcom driver in the manual somewhere in the DOT1X or RADIUS section.

Hope this meets your expectations… Otto
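Since the thread is literally a sanity check of bridge VLAN exports, here is an added example (mine, not from the thread or from MikroTik) of an offline audit script for the kind of export posted above. It parses the `/interface list member`, `/interface bridge port` and `/interface bridge vlan` sections of a RouterOS 7 export (including the `\` line continuations the export uses), resolves interface-list names, and reports three things a reviewer looks for: a trunk port (one that appears in a `tagged=` entry) that still admits untagged frames, so that untagged frames silently land in its PVID (here the management VLAN 236); an explicit `ingress-filtering=no`, which accepts tagged frames for VLANs the port is not a member of; and a static `untagged=` membership whose port has a different `pvid`. The embedded sample is a constructed, trimmed copy of the hAP ac2 export; the finding codes and function names are my own.

```python
"""Offline sanity check of RouterOS 7 bridge VLAN exports (added example, not from the thread)."""
import shlex

# Constructed sample: the hAP ac2 export from the thread, trimmed to the three
# sections this check needs. Comments and 'set' lines are ignored by the parser.
SAMPLE_EXPORT = """\
/interface list
add name="Trunk ports"
/interface list member
add interface=ether1 list="Trunk ports"
add interface=ether5 list="Trunk ports"
add interface=bridgeLocal list="Trunk ports"
/interface bridge port
add bridge=bridgeLocal comment="Incoming Trunk" ingress-filtering=no interface=ether1 pvid=236
add bridge=bridgeLocal comment=MT_Guest frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=121
add bridge=bridgeLocal comment=MT_Main frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=110
add bridge=bridgeLocal comment="Outgoing Trunk" ingress-filtering=no interface=ether5 pvid=236
add bridge=bridgeLocal interface=wifi1 pvid=110
add bridge=bridgeLocal interface=wifi13 pvid=121
/interface bridge vlan
add bridge=bridgeLocal comment="Trunk ports" tagged="Trunk ports" vlan-ids=236,268,468
add bridge=bridgeLocal tagged="Trunk ports" untagged=wifi1,ether4 vlan-ids=110
add bridge=bridgeLocal tagged="Trunk ports" untagged=wifi13,ether2 vlan-ids=121
"""


def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export.

    Lines ending in '\\' are joined with the following line, as RouterOS
    exports wrap them; '#' comments and 'set' lines are skipped.
    """
    sections, section, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):           # continuation: the value carries on
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        verb, *tokens = shlex.split(line)  # shlex strips the quotes around values
        if verb != "add":
            continue
        entry = dict(tok.partition("=")[::2] for tok in tokens)
        sections[section].append(entry)
    return sections


def expand_ids(spec):
    """'236,268-270' -> {236, 268, 269, 270}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def expand_members(spec, lists):
    """Resolve a member spec; interface-list names expand to their member ports."""
    members = set()
    for name in filter(None, spec.split(",")):
        members.update(lists.get(name, {name}))
    return members


def audit_bridge_vlans(text):
    """Return a list of (port, code, message) findings for the export text."""
    cfg = parse_export(text)
    lists = {}
    for m in cfg.get("/interface list member", []):
        lists.setdefault(m["list"], set()).add(m["interface"])
    ports = {p["interface"]: p for p in cfg.get("/interface bridge port", [])}
    pvid = {name: int(p.get("pvid", "1")) for name, p in ports.items()}

    trunk_ports, findings = set(), []
    for v in cfg.get("/interface bridge vlan", []):
        trunk_ports |= expand_members(v.get("tagged", ""), lists)
        # A static untagged membership only makes sense for the port's own PVID.
        for vid in expand_ids(v["vlan-ids"]):
            for port in expand_members(v.get("untagged", ""), lists):
                if port in pvid and pvid[port] != vid:
                    findings.append((port, "PVID_MISMATCH",
                                     f"untagged in VLAN {vid} but pvid={pvid[port]}"))

    for name, p in ports.items():
        # Default frame-types is admit-all, so a trunk without an explicit
        # admit-only-vlan-tagged still accepts untagged frames into its PVID.
        if name in trunk_ports and p.get("frame-types", "admit-all") != "admit-only-vlan-tagged":
            findings.append((name, "NATIVE_VLAN_ON_TRUNK",
                             f"trunk admits untagged frames, which land in pvid {pvid[name]}"))
        if p.get("ingress-filtering") == "no":
            findings.append((name, "INGRESS_FILTERING_OFF",
                             "tagged frames for VLANs this port is not a member of are accepted"))
    return findings


if __name__ == "__main__":
    for port, code, msg in audit_bridge_vlans(SAMPLE_EXPORT):
        print(f"{port:8} {code:22} {msg}")
```

Run against the sample, the script reports ether1 and ether5 twice each (NATIVE_VLAN_ON_TRUNK and INGRESS_FILTERING_OFF) and nothing for the access and wifi ports; giving those two trunk ports `frame-types=admit-only-vlan-tagged` and dropping `ingress-filtering=no`, as the hEX S export above already does on its trunk ports, makes the audit come back clean. Feed it a full `/export` and it ignores everything outside the three sections it knows about.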