I’m about to replace all of my networking gear (adding dozens of IP cams and MikroTik POE switches was recommended). I’m starting with a couple of cAP ax’s.
How do I set up separate SSIDs for each VLAN grouping? Here is what I need:
The IoT and Guest networks need 2.4 GHz only.
Here is what I have so far:
# 2023-11-01 18:51:51 by RouterOS 7.11.2
# software id = WU0A-I8IJ
#
# model = cAPGi-5HaxD2HaxD
# serial number = HEG08MMG27J
/interface bridge
add name=bridge1
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.country="United States" \
.hide-ssid=no .manager=local .mode=ap .ssid=JPInternal disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] configuration.country="United States" .mode=\
ap .ssid=JPInternal disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk
/interface bridge port
add bridge=bridge1 interface=all
/ip dhcp-client
add interface=bridge1
/system clock
set time-zone-name=America/New_York
/system identity
set name=cAPax01
/system note
set show-at-login=no
Why the eff would he want to do that and explode the config x3 with additional complexity? LOL
Setting up a cap takes minutes.
For easy capax setup with vlans and SSIDs… The key is that only the management or trusted vlan has to be identified on the capax. The rest of the vlans are trunked in on ether1, and untagged out the WLAN they need to be associated with.
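The approach just described, as an added example rather than anyone's posted config: a standalone cAP ax (no CAPsMAN) where ether1 is a hybrid trunk, the trusted network stays untagged, and the IoT and Guest SSIDs are tagged into their VLANs by the wifi driver. The VLAN ids (20 = IoT, 30 = Guest), the profile and interface names, the passphrase placeholders and the assumption that wifi1 is the 5 GHz radio and wifi2 the 2.4 GHz radio are all mine, not from the thread:

```routeros
# Added example, not from this thread. Standalone cAP ax, RouterOS 7.11 wifiwave2 syntax.
# Assumed: wifi1 = 5 GHz radio, wifi2 = 2.4 GHz radio, VLAN 20 = IoT, VLAN 30 = Guest.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
# The AP itself only lives on the trusted (untagged, pvid 1) network; no address on 20/30
/ip dhcp-client
add interface=bridge1
/interface wifiwave2 security
add name=secInternal authentication-types=wpa2-psk,wpa3-psk passphrase="CHANGE-ME-internal"
add name=secIoT authentication-types=wpa2-psk,wpa3-psk passphrase="CHANGE-ME-iot"
add name=secPublic authentication-types=wpa2-psk,wpa3-psk passphrase="CHANGE-ME-public"
# Datapaths: no vlan-id = client frames enter the bridge untagged (trusted network);
# vlan-id=N = the driver tags client frames with VLAN N before they reach the bridge.
# client-isolation stops wifi-to-wifi traffic inside the IoT and Guest SSIDs.
/interface wifiwave2 datapath
add name=dpInternal bridge=bridge1
add name=dpIoT bridge=bridge1 vlan-id=20 client-isolation=yes
add name=dpPublic bridge=bridge1 vlan-id=30 client-isolation=yes
/interface wifiwave2
# Trusted SSID on both radios
set [ find default-name=wifi1 ] configuration.mode=ap configuration.country="United States" configuration.ssid=JPInternal security=secInternal datapath=dpInternal disabled=no
set [ find default-name=wifi2 ] configuration.mode=ap configuration.country="United States" configuration.ssid=JPInternal security=secInternal datapath=dpInternal disabled=no
# IoT and Guest as virtual (slave) SSIDs on the 2.4 GHz radio only
add master-interface=wifi2 name=wifi2-iot configuration.mode=ap configuration.ssid=JPIoT security=secIoT datapath=dpIoT disabled=no
add master-interface=wifi2 name=wifi2-public configuration.mode=ap configuration.ssid=JPPublic security=secPublic datapath=dpPublic disabled=no
# Bridge VLAN table: 20 and 30 leave ether1 tagged; the slave SSIDs hand the bridge tagged frames
/interface bridge vlan
add bridge=bridge1 tagged=ether1,wifi2-iot vlan-ids=20
add bridge=bridge1 tagged=ether1,wifi2-public vlan-ids=30
# Switch filtering on last, after the table exists, so untagged management access is not cut off
/interface bridge
set bridge1 vlan-filtering=yes
```

The switch port facing ether1 has to be configured the same way (pvid 1 untagged, 20 and 30 tagged) and the firewall stays the DHCP server and the only path between VLANs; the AP never needs an address in 20 or 30, which is the point of only identifying the trusted VLAN on it.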
Yeah, it’s true that there is additional complexity but it’s not that bad to configure… I mean I’m running CAPsMAN and I’m not some kind of an expert. Also there is roaming. (don’t know if that is possible without capsman)
Yup, capsman2 (with wave2 CAPs) definitely improves mobility (roaming), so it’s sensible to run capsman2 even for only 2 compatible APs. And since capsman2 shares quite some configuration with local wifiwave2 instance, I wouldn’t be so negative about using capsman anymore (this was way different for legacy wireless/capsman where configuration was completely unrelated and benefits of running capsman in small installations mostly nonexistent).
Setup is all done on the device acting as capsman controller, so it’s only a one-time effort.
For caps devices it is merely reset to caps mode and done.
At home I use my 2 AX devices still standalone but when we move end of this year to our new home, I plan to use capsman as well.
At work having a setup with almost 20 devices acting as cap, it’s a no brainer to use capsman (warehouse environment with order pickers using Symbol handgun scanners).
And yes, roaming works very nice using capsman controlled devices (or local radio on capsman controller).
I would definitely like to employ centralized management. I will eventually add a number of PoE MikroTik switches to add another VLAN for the IP cams. It will be a pain to administer all these nodes individually.
From what I’ve read on the forum, it seems people were discouraging the use of CAPsMAN for two APs. They said three is the tipping point for going through the hassle. Also, CAPsMAN2 is hard to search for. The many tutorials I’ve found are for the previous implementation.
Roaming in the building is a concern. I’m making a separate post on it. One AP should be able to cover the area I require, but there is a bank vault in the middle of my floor plan. I need two APs on opposite corners, as the concrete and steel mass in the center casts a dead-zone shadow on the other side. Meanwhile, clients in the remaining two corners have a full-strength connection to both APs.
I need help to understand your point. I need to segment my traffic into multiple networks. This network grew over many years into the mess I’m trying to rectify now. Currently, I have six consumer-grade APs tied to 3 SSIDs on separate subnets. Roaming is a constant issue, but setting up the APs and tagging the switch ports for the IoT and Guest VLANs was a trivial, one-time effort.
I’m using 2 cAP ax and an RB5009 as CAPsMAN controller, and while I can’t speak for CAPsMAN with legacy drivers, with wifiwave2 drivers I have no problem; devices are roaming without a problem. I have multiple SSIDs for IoT, CCTV, etc. and each one is on a separate VLAN.
After MikroTik sorted things out with wifi performance in earlier versions of ROS I never had any problem with my wireless networks.
WHERE IS THE TRUTH ABOUT ROAMING??
I would go with capsman based on what others have stated IF, IF roaming was super important. Do you expect people to wander around with cell phones doing work that is critical? If not, EFF capsman.
And by the way capsman lovers → isn’t wifiwave2 also now supposed to use the standards that are like 40 years old and finally implemented to improve roaming, 802.11 r/k/v, which have nothing to do with capsman…???
So please be honest, is roaming improved by r/k/v or magically by capsman ???
Also what does PMK caching have to do with roaming improvement and does MT WIFI have it???
++++++++++++++++
The only point I agree upon at the moment is that capsman is effective and should be used when you need more granular control over wifi users, and basically to block wifi user to wifi user access and wifi user to wired user access when all in the same subnet. ( to put it another way, to stop L2 connectivity within the same subnet )
@gigabyte091 can you point me to an example for setting up CAPsMAN2? Should I go ahead and purchase a PoE switch, or can I run CAPsMAN2 on one of these APs?
Unfortunately, roaming is super important. Our crappy point of sale was never designed for wireless. If the connection drops, which is often the case rounding the corner of the vault, the POS crashes, and the user has to start over. They opt to leave their laptops stationary and walk back and forth around the vault.
I don’t have any intra-subnet concerns. I only need access control between IoT and customer/employee-owned devices and the trusted network.
Sounds reasonable, now to ascertain if it’s capsman that improves roaming OR the new standards implemented within MT (really old standards). The usual suspects are quiet so far, and what about PMK caching???
From Docs: Properties related to 802.11r fast BSS transition only apply to interfaces in AP mode. Wifiwave2 interfaces in station mode do not support 802.11r.
For a client device to successfully roam between 2 APs, the APs need to be managed by the same instance of RouterOS. For information on how to centrally manage multiple APs, see CAPsMAN
BUT its 802.11 k/v that are most geared towards roaming.
How are they setup on wifiwave2 ??
REF the STEERING Properties
Are the settings RRM and WNM
available in regular WIFIWAVE2 settings or are only available in capsman?
REF BSS Fast Transition, it would appear that this selection is ONLY available in capsman and if the device is in AP mode?
But are they talking about BSS FT over ethernet, as I thought BSS FT over air (client to device) was also possible and without capsman.
So the question remains can I invoke BSS FT in normal wifiwave2 settings??
Yes, that part I already got, and noted several times. The question I asked which you FAILED to answer is if the BSS FT parameter can be set in wifiwave2 settings, outside of capsman, to obtain over-the-air BSS FT. It would appear that BSS FT over ethernet is the part that at a minimum requires capsman.
I’m kind of stuck at the beginning. I can’t find an example where eth1 is a hybrid trunk. I know it’s better to use all VLANs, but I can’t. I also don’t understand how to set up the bridge table. Again, no hybrid examples. Plus, I’m going to virtual SSIDs, not physical eth ports.
I also don’t understand why they use separate SSIDs for the 2.4 and 5 GHz radios. Don’t you want clients to seamlessly go from the 5 to 2.4 GHz radio (and back again)? What are the pros and cons of using the same IDs for each radio?
Still, I took a shot at it. The first AP, cAPax01, will host the CAPsMAN. The second AP, cAPax02, will receive settings from cAPax01. I really don’t understand the example where it looks like each CAP would be running its own DHCP server, but I don’t have to worry about that since my firewall will be the DHCP server and handle access control between the base subnet and VLAN subnets.
Only Internal needs 2.4 and 5 GHz. All the other SSIDs can be 2.4 GHz only.
This is the CAPsMAN2 portion I’ve cobbled together so far:
#On cAPax01, after reset with no default config
#one bridge only: the original mixed "bridge1" and "br"; vlan-filtering now lives on bridge1
/interface bridge
add name=bridge1 vlan-filtering=yes
#ether1 must be a bridge member or nothing on the wire can reach the controller
/interface bridge port
add bridge=bridge1 interface=ether1
/interface vlan
add interface=bridge1 name=VLAN20 vlan-id=20
add interface=bridge1 name=VLAN30 vlan-id=30
#Does internal base network need a datapath
#datapaths reference the same bridge the VLAN interfaces sit on
/interface wifiwave2 datapath
add bridge=bridge1 name=VLAN20 vlan-id=20
add bridge=bridge1 name=VLAN30 vlan-id=30
#create a security profile
/interface wifiwave2 security
add name=secInternal authentication-types=wpa2-psk,wpa3-psk passphrase="demo123?"
add name=secIoT authentication-types=wpa2-psk,wpa3-psk passphrase="demo456?"
add name=secPublic authentication-types=wpa2-psk,wpa3-psk passphrase="Pwd12345"
#channel profiles were missing; one per band so the configuration references resolve
/interface wifiwave2 channel
add band=5ghz-ax name=CH5g
add band=2ghz-ax name=CH2g
#create configuration profiles to use for provisioning
/interface wifiwave2 configuration
add channel=CH5g country="United States" name=5gInternal security=secInternal ssid=JPInternal
add channel=CH2g country="United States" name=2gInternal security=secInternal ssid=JPInternal
#the slave SSIDs need a datapath to land in a VLAN; IoT=VLAN20, Public=VLAN30 is an assumed mapping
add channel=CH2g country="United States" datapath=VLAN20 name=2gIoT security=secIoT ssid=JPIoT
add channel=CH2g country="United States" datapath=VLAN30 name=2gPublic security=secPublic ssid=JPPublic
#configure provisioning rules, configure band matching as needed
/interface wifiwave2 provisioning
add action=create-enabled master-configuration=5gInternal supported-bands=5ghz-ax
add action=create-dynamic-enabled master-configuration=2gInternal slave-configurations=2gIoT,2gPublic supported-bands=2ghz-ax
/ip dhcp-client
add interface=bridge1
#??? add interface=VLAN20
#??? add interface=VLAN30
#??? /interface bridge vlan
#enable CAPsMAN service
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes
/system identity
set name=cAPax01
And here is the CAP:
#On cAPax02, after reset with no default config
/interface bridge
add name=bridge1
#ether1 must be a bridge member or the CAP cannot discover the controller over bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
/interface wifiwave2 datapath
add bridge=bridge1 comment=defconf disabled=no name=capdp
/interface wifiwave2
set wifi1,wifi2 configuration.manager=capsman-or-local datapath=capdp disabled=no
#single cap section (the original set it twice): discover over bridge1, provisioned slaves get the same datapath
/interface wifiwave2 cap
set discovery-interfaces=bridge1 enabled=yes slaves-datapath=capdp
/ip dhcp-client
add interface=bridge1
#??? add interface=VLAN20
#??? add interface=VLAN30
/system identity
set name=cAPax02
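Since the roaming question earlier in the thread (where 802.11r/k/v are set in wifiwave2, and the doc quote that roaming APs must be managed by the same RouterOS instance) and this CAPsMAN2 controller config belong together, here is an added example of the roaming-related profiles on cAPax01. It is not the thread's own config: the profile names, the mobility-domain value, the passphrase placeholder and the use of 127.0.0.1 so the controller's own radios are CAPsMAN-managed are all assumptions; VLAN datapaths are left out to keep the focus on roaming.

```routeros
# Added example, not the thread's config. CAPsMAN2 controller side, RouterOS 7.11 wifiwave2 syntax.
/interface wifiwave2 security
# 802.11r: ft enables fast BSS transition, ft-over-ds lets a client prepare the move through
# the AP it is still on; every AP in the roaming set must share the same mobility domain
add name=secRoam authentication-types=wpa2-psk,wpa3-psk passphrase="CHANGE-ME-roam" ft=yes ft-over-ds=yes ft-mobility-domain=4660
/interface wifiwave2 steering
# 802.11k neighbor reports (rrm) and 802.11v BSS transition management (wnm)
add name=steerRoam rrm=yes wnm=yes
/interface wifiwave2 configuration
# one configuration object per band carries both the security and the steering profile,
# so every radio provisioned from it advertises identical roaming settings
add country="United States" name=5gRoam security=secRoam ssid=JPInternal steering=steerRoam
add country="United States" name=2gRoam security=secRoam ssid=JPInternal steering=steerRoam
/interface wifiwave2 provisioning
add action=create-enabled master-configuration=5gRoam supported-bands=5ghz-ax
add action=create-enabled master-configuration=2gRoam supported-bands=2ghz-ax
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes
# Point this box's own CAP client at itself so wifi1/wifi2 on cAPax01 are provisioned by the
# same CAPsMAN as cAPax02; both APs are then managed by one RouterOS instance
/interface wifiwave2 cap
set enabled=yes caps-man-addresses=127.0.0.1
/interface wifiwave2
set wifi1,wifi2 configuration.manager=capsman
```

Because the security and steering objects are ordinary wifiwave2 profiles, the same two `add` lines are what a local (non-CAPsMAN) interface would reference via `security=` and `steering=`; what the page's doc quote ties to CAPsMAN is the two-AP roaming itself, not the existence of the properties. After provisioning, `/interface wifiwave2 print detail` on the CAP shows which security and steering profile each radio received.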