VLAN + RB + cAP ac = unable to connect with Winbox

codebreaker · December 2, 2019, 9:43am

I’m setting up my network from scratch with VLANs.
This is my current (WIP) configuration

# dec/02/2019 10:02:31 by RouterOS 6.45.1
# software id = GYLW-MC9Q
#
# model = RB4011iGS+
# serial number = AAAF0A95696C
/caps-man configuration
add country=croatia datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=use-tag name=Config_WORK security.authentication-types=wpa-psk,wpa2-psk ssid=WiFi_WORK
add country=croatia datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=use-tag name=Config_GUEST security.authentication-types=wpa-psk,wpa2-psk ssid=WiFi_GUEST
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_UPLINK
set [ find default-name=ether10 ] name=ether10_cAP
/interface vlan
add interface=BR1 name=MANAGEMENT_VLAN vlan-id=10
add interface=BR1 name=TRUSTED_VLAN vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MANAGEMENT_POOL ranges=172.29.10.200-172.29.10.254
add name=TRUSTED_POOL ranges=172.29.20.100-172.29.20.254
/ip dhcp-server
add address-pool=MANAGEMENT_POOL disabled=no interface=MANAGEMENT_VLAN name=MANAGEMENT_DHCP
add address-pool=TRUSTED_POOL disabled=no interface=TRUSTED_VLAN name=TRUSTED_DHCP
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_WORK slave-configurations=Config_GUEST
/interface bridge port
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3 pvid=20
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 pvid=20
add bridge=BR1 interface=sfp-sfpplus1
add bridge=BR1 interface=ether10_cAP
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether10_cAP vlan-ids=10,20
/ip address
add address=192.168.1.3/24 interface=ether1_UPLINK network=192.168.1.0
add address=172.29.10.1/24 interface=MANAGEMENT_VLAN network=172.29.10.0
add address=172.29.20.1/24 interface=TRUSTED_VLAN network=172.29.20.0
/ip dhcp-server network
add address=172.29.10.0/24 dns-server=1.1.1.1 gateway=172.29.10.1
add address=172.29.20.0/24 dns-server=1.1.1.1 gateway=172.29.20.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_UPLINK
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=RB01

With it cAP ac is configured and I’m able to connect to the wifi and ping connected devices. There’s only one problem - I’m unable to connect to the cAP using winbox. I’m only able to connect to it using mac-telnet.

If I change these configuration options, I’m able to connect to cAP ac with winbox but the wifi does not work (wifi signal is there but when I connect to it I get an ip that I should’t have)

# Wifi works, Winbox does not
/interface bridge port add bridge=BR1 interface=ether10_cAP
/interface bridge vlan add bridge=BR1 tagged=BR1,ether2,ether10_cAP vlan-ids=10,20

# Winbox works, wifi does not
/interface bridge vlan add bridge=BR1 tagged=BR1,ether2 vlan-ids=10,20
/interface bridge port add bridge=BR1 interface=ether10_cAP pvid=10

cAP ac config

# jan/02/1970 03:02:25 by RouterOS 6.45.1
# software id = 0N34-HG05
#
# model = RBcAPGi-5acD2nD
# serial number = B9320A0A64A1
/interface bridge
add name=cap_bridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=cap_bridge interface=ether1
/interface wireless cap
set bridge=cap_bridge discovery-interfaces=cap_bridge enabled=yes interfaces=wlan1,wlan2
/ip address
add address=172.29.10.2/24 interface=ether1 network=172.29.10.0
/ip route
add check-gateway=ping distance=1 gateway=172.29.10.1
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=cAPac01

Whats wrong here? How to have CAPsMAN working with the ability to connect to cAP ac with winbox?

mkx · December 2, 2019, 1:14pm

You have to decide if you want cAP’s wireless on the same VLAN as cAP’s management.

Currently cAP’s management is configured to be untagged on ethernet. While wireless is configured to be tagged on ethernet (both work on VLAN 10 and guest on VLAN 20). In “winbox works” configuration you’re setting ether10 to PVID=10 … meaning it will tag all tagless packets with VLAN ID 10 on ingress and untag them on egress … and wireless wants them tagged. In “wifi works” you don’t set PVID on ether10 meaning that ingress untagged frames don’t get VLAN tag but RB4011 with two tagged interfaces actually doesn’t know what to do with untagged packets.

I’m guessing you want to have management of cAP over VLAN10 … so you have to change cAP configuration as follows:

add vlan interface with vlan-id=10:

/interface vlan add interface=cap_bridge name=MANAGEMENT_VLAN vlan-id=10

move IP setup (address etc.) from cap_bridge interface to MANAGEMENT_VLAN interface
change discovery-interface in /interface wireless cap to MANAGEMENT_VLAN
with regards to bridge vlan, set your RB4011 to the first option (“WiFi works, Winbox does not”)

Pozdrav u Hrvatsku!

codebreaker · December 2, 2019, 2:27pm

That did it. Thank you very much!

Pozdrav!