Trying to set up VLAN to SSID on RBcAPGi-5acD2nD with wifi-qcom-ac

I have now tried different solutions, read different forum posts and wiki pages, and also watched different videos on YouTube, but I think I can’t see the forest for the trees now because I tried too much. Perhaps it’s only a small thing.

I have a RBcAPGi-5acD2nD (CAP AC) at one location and am trying to set up an SSID for an existing guest VLAN on the firewall (OPNsense). As I read on different sites, with wifi-qcom-ac and CAPsMAN, setting the VLAN is not possible. That is no problem for this location, because doing it all manually one time should be enough; the old AP was running well for 10 years without changing anything.

Currently I have RouterOS 7.20.6 installed with the package wifi-qcom-ac (I already tried it with the preinstalled wireless package, also without success).

I tried the setup via webconfig because it’s easier for me at the moment, but here is my config when I export it. Perhaps some stuff is not needed, but some pages and videos say I need this and some say not, so I’m confused.

/interface bridge add admin-mac=F4:1E:57:BB:23:05 auto-mac=no comment=defconf ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface vlan add comment=guest interface=ether1 name=vlan28-guest vlan-id=28
/interface ethernet switch port set 0 vlan-mode=fallback
/interface ethernet switch port set 1 vlan-mode=fallback
/interface ethernet switch port set 2 vlan-mode=fallback
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_internal
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_guest
/interface wifi configuration add disabled=no mode=ap name=cfg_internal security=sec_internal ssid=INTERNAL
/interface wifi configuration add disabled=no mode=ap name=cfg_guest security=sec_guest ssid=GUEST
/interface wifi set [ find default-name=wifi1 ] configuration=cfg_internal configuration.mode=ap disabled=no name=wifi_2g_internal
/interface wifi set [ find default-name=wifi2 ] configuration=cfg_internal configuration.mode=ap name=wifi_5g_internal
/interface wifi add configuration=cfg_guest configuration.mode=ap disabled=no mac-address=F6:1E:57:BB:23:06 master-interface=wifi_2g_internal name=wifi_2g_guest
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge port add bridge=bridge interface=wifi_2g_guest pvid=28
/interface bridge port add bridge=bridge interface=wifi_2g_internal
/ip firewall connection tracking set udp-timeout=10s
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan add bridge=bridge tagged=ether1,bridge untagged=wifi_2g_guest vlan-ids=28
/interface bridge vlan add bridge=bridge untagged=bridge,ether1,ether2,wifi_2g_internal vlan-ids=1
/interface ovpn-server server add auth=sha1,md5 mac-address=FE:EC:D5:3E:DC:4C name=ovpn-server1
/interface wifi cap set discovery-interfaces=ether1 slaves-static=yes
/interface wifi capsman set ca-certificate=auto certificate=auto interfaces=ether1 package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client add interface=bridge
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip ssh set always-allow-password-login=yes
/routing bfd configuration add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock set time-zone-name=Europe/Zurich
/system identity set name=abc-ch-xyz01-ap01
/system note set show-at-login=no
/system ntp client set enabled=yes
/system routerboard mode-button set enabled=yes on-event=dark-mode
/system routerboard settings set cpu-frequency=716MHz
/system script add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r
\n :if ([system leds settings get all-leds-off] = "never") do={\r
\n /system leds settings set all-leds-off=immediate \r
\n } else={\r
\n /system leds settings set all-leds-off=never \r
\n }\r
\n "

I see traffic on the firewall on the corresponding VLAN, but only communication like this via tcpdump:

10:05:40.357179 CDPv1, ttl: 121s, Device-ID 'abc-ch-xyz01-ap02', length 101
10:05:45.630789 CDPv1, ttl: 121s, Device-ID 'abc-ch-xyz01-ap01', length 101
10:05:45.630818 IP 0.0.0.0.5678 > 255.255.255.255.5678: UDP, length 153
10:06:10.360912 IP 0.0.0.0.5678 > 255.255.255.255.5678: UDP, length 153

No DHCP request packets or similar. Also, when I go into Bridge => VLAN I think I should see “wifi_2g_guest” somewhere, but I don’t see it.
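
As an added example (not part of the original post and not MikroTik code), this Python check parses the VLAN-related lines of an export like the one above and reports, per VLAN ID, which interfaces are tagged and untagged, plus two settings worth reviewing when a guest VLAN has to stay separated: a VLAN interface whose parent is itself a bridge port, and a port listed untagged in a VLAN other than its PVID. The function names and the trimmed sample are assumptions made for this example.

```python
import re
import shlex
# Constructed sample: VLAN-related "add" lines of the export above, trimmed.
EXPORT = """\
/interface vlan add comment=guest interface=ether1 name=vlan28-guest vlan-id=28
/interface bridge port add bridge=bridge interface=ether2
/interface bridge port add bridge=bridge interface=ether1
/interface bridge port add bridge=bridge interface=wifi_2g_guest pvid=28
/interface bridge port add bridge=bridge interface=wifi_2g_internal
/interface bridge vlan add bridge=bridge tagged=ether1,bridge untagged=wifi_2g_guest vlan-ids=28
/interface bridge vlan add bridge=bridge untagged=bridge,ether1,ether2,wifi_2g_internal vlan-ids=1
"""

def parse(export):
    """Yield (menu, params) for every flattened 'add' line of an export."""
    for line in export.splitlines():
        m = re.match(r"(/[a-z0-9 -]+?) add (.+)", line)
        if m:
            tokens = shlex.split(m.group(2))
            yield m.group(1), dict(t.split("=", 1) for t in tokens if "=" in t)

def names(value):
    return {n for n in value.split(",") if n}

def audit(export):
    """Return (membership, findings); vlan-ids ranges such as 10-20 are not handled."""
    pvid, membership, findings = {}, {}, []
    rows = list(parse(export))
    for menu, p in rows:
        if menu == "/interface bridge port":
            pvid[p["interface"]] = int(p.get("pvid", "1"))  # PVID defaults to 1
        elif menu == "/interface bridge vlan":
            for vid in p["vlan-ids"].split(","):
                entry = membership.setdefault(int(vid), {"tagged": set(), "untagged": set()})
                entry["tagged"] |= names(p.get("tagged", ""))
                entry["untagged"] |= names(p.get("untagged", ""))
    for menu, p in rows:
        # A VLAN interface stacked on a port that is itself a bridge member.
        if menu == "/interface vlan" and p["interface"] in pvid:
            findings.append(f"{p['name']}: parent {p['interface']} is a bridge port")
    for vid, entry in membership.items():
        for port in sorted(entry["untagged"] & set(pvid)):
            # Egress is untagged for this VLAN, but ingress is classified by PVID.
            if pvid[port] != vid:
                findings.append(f"{port}: untagged in VLAN {vid} but pvid={pvid[port]}")
    return membership, findings

if __name__ == "__main__":
    print(audit(EXPORT))
```
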