Slave SSID/VLAN not working with CAPsMAN and local forwarding

I am trying to set up a multi-SSID network using cAP ac’s with one of them acting as CAPsMAN (and also access point). You can see my configuration below. Not shown in the config below is that I have set the switch’s vlan-mode to secure and added some switch rules as was suggested here in order to achieve client isolation.

On the CAPsMAN, data from the master SSID does get emitted on the correct VLAN on ether1, but nothing is coming from the slave SSID (tcpdump -i eth0 -e “(vlan 52)” has no output).

I have already tried omitting the bridges and adding multiple bridges, one for each VLAN (bridge-vlan51, bridge-vlan52) with default configuration and set them in the datapaths, but neither did help.

# sep/13/2021 03:58:39 by RouterOS 6.47.9
# software id = HRRU-123U
#
# model = RBcAPGi-5acD2nD
# serial number = E2810...
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled name=ch_2.4
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XXXX name=ch_5 skip-dfs-channels=yes
/interface bridge
add admin-mac=2C:C8:1C:12:8B:4F auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2422/20/gn(18dBm), SSID: MYAP_test, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-612B3C wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: MYAP_test, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-612B3D wireless-protocol=802.11
/caps-man datapath
add bridge=bridge local-forwarding=yes name=dp_myAP vlan-id=51 vlan-mode=use-tag
add bridge=bridge local-forwarding=yes name=dp_myAP_guest vlan-id=52 vlan-mode=use-tag
/caps-man rates
add basic=12Mbps name=rate_2.4 supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=sec_myAP
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=sec_myAP_guest
/caps-man configuration
add channel=ch_2.4 country=switzerland datapath=dp_myAP mode=ap name=cfg_myAP_2.4 rates=rate_2.4 security=sec_myAP ssid=MYAP_test
add channel=ch_2.4 country=switzerland datapath=dp_myAP_guest mode=ap name=cfg_myAP_guest_2.4 rates=rate_2.4 security=sec_myAP_guest ssid=MYAP-Guest_test
add channel=ch_5 country=switzerland datapath=dp_myAP mode=ap name=cfg_myAP_5 security=sec_myAP ssid=MYAP_test
add channel=ch_5 country=switzerland datapath=dp_myAP_guest mode=ap name=cfg_myAP_guest_5 security=sec_myAP_guest ssid=MYAP-Guest_test
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg_myAP_2.4 name-format=prefix-identity name-prefix=2.4 slave-configurations=cfg_myAP_guest_2.4
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=cfg_myAP_5 name-format=prefix-identity name-prefix=5 slave-configurations=cfg_myAP_guest_5
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Is your main router mikrotik if so, better to move capsman to that…

No, my main router is a pfSense router which also acts as DHCP server. So far I had no issues with this setup as the CAPsMAN successfully provisions the configuration to the other CAP devices. Only the slave SSIDs are making trouble …

Your device has a messy mix of default configuration (which has ether1 as WAN interface, egress traffic is NATed, ingress traffic is firewalled) and of your attempt to make cAP a complex AP without routing and firewalling.

My suggestion: reset cAP to no config (you’ll have to use winbox to connect to it afterwards) and configure device from scratch.
The VLAN config is almost non-existing. It might work as is, but things are extensively undeterministic. Have a look at de-facto bible of VLAN setup on Mikrotik to get better idea about VLANs.

Thanks for the link. I have started from scratch roughly following this wiki page and it works! I hope everything is alright security-wise. I tried conncting to the WebFig and via SSH via Wi-Fi, but it seems safe.

/system identity
set name=CAPsMAN

/caps-man datapath
add client-to-client-forwarding=no local-forwarding=yes name=dp_myap vlan-id=2 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=dp_myap_guest vlan-id=3 vlan-mode=use-tag

/caps-man rates
add basic=12Mbps name=rate_2.4 supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps

/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=sec_myap passphrase=myappasswd
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=sec_myap_guest passphrase=myappasswd

/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled name=ch_2.4
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XXXX name=ch_5 skip-dfs-channels=yes

/caps-man configuration
add channel=ch_2.4 country=germany datapath=dp_myap mode=ap name=cfg_myap_2.4 \
    rates=rate_2.4 security=sec_myap ssid=myap
add channel=ch_2.4 country=germany datapath=dp_myap_guest mode=ap name=\
    cfg_myap_guest_2.4 rates=rate_2.4 security=sec_myap_guest ssid=\
    myap-guest-test
add channel=ch_5 country=germany datapath=dp_myap mode=ap name=cfg_myap_5 \
    security=sec_myap ssid=myap
add channel=ch_5 country=germany datapath=dp_myap_guest mode=ap name=\
    cfg_myap_guest_5 security=sec_myap_guest ssid=myap-guest-test

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    cfg_myap_2.4 name-format=prefix-identity name-prefix=2.4 \
    slave-configurations=cfg_myap_guest_2.4
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    cfg_myap_5 name-format=prefix-identity name-prefix=5 slave-configurations=\
    cfg_myap_guest_5
    
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge

/caps-man manager
set enabled=yes

/interface wireless cap
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2 bridge=bridge

/ip address
add address=192.168.51.2/24 interface=bridge network=192.168.51.0

/interface ethernet switch port
set 0 default-vlan-id=1 vlan-mode=secure

/interface ethernet switch rule
add ports=ether1 src-mac-address=A0:36:9F:81:21:4E/FF:FF:FF:FF:FF:FF switch=switch1 vlan-id=2
add ports=ether1 src-mac-address=A0:36:9F:81:21:4E/FF:FF:FF:FF:FF:FF switch=switch1 vlan-id=2 mac-protocol=arp
add new-dst-ports="" ports=ether1 switch=switch1 vlan-id=2
add ports=ether1 src-mac-address=A0:36:9F:81:21:4E/FF:FF:FF:FF:FF:FF switch=switch1 vlan-id=3
add ports=ether1 src-mac-address=A0:36:9F:81:21:4E/FF:FF:FF:FF:FF:FF switch=switch1 vlan-id=3 mac-protocol=arp
add new-dst-ports="" ports=ether1 switch=switch1 vlan-id=3

/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether1,ether2 switch=switch1 vlan-id=1
add independent-learning=no ports=switch1-cpu,ether1,ether2 switch=switch1 vlan-id=2
add independent-learning=no ports=switch1-cpu,ether1,ether2 switch=switch1 vlan-id=3

I crowed too soon. CAPsMAN is not finding other CAP devices when using the reset button method. I can see both MikroTik devices in the neighbor list.

It does work when I allow the bridge for the CAPsMAN interface, i.e.

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge

However, would that be unsafe?

Further, this setup does not work on a VLAN enabled switch with CAPsMAN’s port set to be untagged/access in a particular VLAN. I am not able to access it via the static IP on that VLAN.

CAP devices which are configured into CAPsMAN “slavery” by using button push are not VLAN aware. If you want to run VLANs in your network, then you have to configure wired part of CAPs manually. CAPsMAN only takes care of wireless interfaces.

And, BTW, explicit use of VLAN ID 1 is generally discouraged because VID 1 is implicit default used everywhere … and not shown in configuration exports. If one is not extra careful, it can stay set somewhere and cause random glitches which are extremely hard to spot.

This seems to be false because the VLAN traffic works as expected as long as the switch rules are disabled.

Try to delete the provisioning entry, delete the cap interfaces (if exists) and then try to create again the provisioning entry.