Where does the Traffic Flow? Cap AC via local forwarding

Hello all,

This is my first topic on this forum, although I'm not completely new to MikroTik.

I have a question regarding packet flow. This is my scenario:

  • On the left, a MikroTik router running CAPsMAN, which also holds the WAN connection.
  • On the right, a Wi-Fi AP (cAP ac).

The datapath in capsman is set to local forwarding

Router                                                             Cap AC
 _____  bridge_corp                                   bridgeLocal  _____
|     |-----------------------------------------------------------|     |
|_____| e10 - .254           10.16.8.0/24              .166 - e1  |_____|

I do not understand why there is no traffic going through the bridgeLocal on my cap AC.
The Interface ether1 is part of my bridgeLocal and my wifi2 is also part of this bridge ...
Does somebody know why this is?


Configuration below:

[admin@CapAC] > export compact
# nov/16/2020 18:56:07 by RouterOS 6.47.7
# software id = 10Z7-INS9
#
# model = RBcAPGi-5acD2nD
# serial number = xxxxxxxxxxxxxx
#
# Compact export of the cAP ac (the CAP side of the setup): one bridge,
# both radios handed over to CAPsMAN, and a DHCP client on the bridge.
# A compact export omits settings that are at their defaults.
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(15dBm), SSID: SSID-sec, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: SSID-sec, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Only the two Ethernet ports are static bridge ports; no wlan interface is
# listed as a static port in this export.
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
# CAP mode: wlan1 and wlan2 are given to CAPsMAN, which is discovered on
# bridgeLocal. bridge=bridgeLocal names the bridge the radios are attached to
# when local forwarding is in use.
# NOTE(review): neither certificate= nor lock-to-caps-man= appears here, so
# both are presumably at their defaults. If so, the CAP would take its
# configuration from whichever manager answers discovery on bridgeLocal.
# Consider certificate=request together with lock-to-caps-man=yes; confirm the
# current values with a verbose export first.
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes interfaces=\
    wlan1,wlan2
# The AP's own address is obtained by DHCP on bridgeLocal (the .166 in the
# diagram is presumably this lease).
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=CapAC
/system leds settings
set all-leds-off=immediate
# Sniffer settings for a capture filtered to the single host 10.16.8.170/32
# and written to a file on the AP.
# NOTE(review): such capture files hold that host's traffic; treat them as
# sensitive data and remove them from the AP once the analysis is done.
/tool sniffer
set file-limit=10000KiB file-name=20201116-zoom-meeting-1 filter-ip-address=\
    10.16.8.170/32 filter-operator-between-entries=and memory-limit=100000KiB
[admin@CapAC] > 



[admin@Router] /caps-man> export compact
# nov/16/2020 19:00:34 by RouterOS 6.47.7
# software id = STD8-1UMG
#
# model = 2011UiAS-2HnD
# serial number = xxxxxxxxxxxxxxxx
#
# Compact export of the /caps-man menu on the router (the CAPsMAN side).
# A compact export omits settings that are at their defaults.
#
# Channel list: one entry per fixed channel, followed by the entries that the
# configurations in this export actually reference (2-CH0 and 5-CH00+).
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled frequency=2412 name=CH1 skip-dfs-channels=yes tx-power=17
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled frequency=2437 name=CH6 skip-dfs-channels=yes tx-power=17
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled frequency=2462 name=CH11 skip-dfs-channels=yes tx-power=17
add band=5ghz-a/n/ac extension-channel=disabled frequency=5180 name=CH36
add band=5ghz-a/n/ac extension-channel=disabled frequency=5200 name=CH40
add band=5ghz-a/n/ac frequency=5220 name=CH44
add band=5ghz-a/n/ac frequency=5240 name=CH48
add band=5ghz-a/n/ac frequency=5260 name=CH52
add band=5ghz-a/n/ac frequency=5280 name=CH56
add band=5ghz-a/n/ac frequency=5300 name=CH60
add band=5ghz-a/n/ac frequency=5320 name=CH64
add band=5ghz-a/n/ac frequency=5500 name=CH100
add band=5ghz-a/n/ac frequency=5520 name=CH104
add band=5ghz-a/n/ac frequency=5540 name=CH108
add band=5ghz-a/n/ac frequency=5560 name=CH112
add band=5ghz-a/n/ac frequency=5580 name=CH116
add band=5ghz-a/n/ac frequency=5600 name=CH120
add band=5ghz-a/n/ac frequency=5620 name=CH124
add band=5ghz-a/n/ac frequency=5640 name=CH128
add band=5ghz-a/n/ac frequency=5660 name=CH132
add band=5ghz-a/n/ac frequency=5680 name=CH136
add band=5ghz-a/n/ac frequency=5700 name=CH140
add band=5ghz-a/n/ac frequency=5745 name=CH149
add band=5ghz-a/n/ac frequency=5765 name=CH153
add band=5ghz-a/n/ac frequency=5785 name=CH157
add band=5ghz-a/n/ac frequency=5805 name=CH161
add band=5ghz-a/n/ac frequency=5825 name=CH165
add band=5ghz-n/ac extension-channel=XXXX frequency=5200 name=5-CH40+ reselect-interval=1h skip-dfs-channels=yes
add band=5ghz-n/ac extension-channel=XXXX frequency=5180 name=CH36+ reselect-interval=1h skip-dfs-channels=yes
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2437,2462 name=2-CH0 reselect-interval=1h skip-dfs-channels=yes tx-power=17
add band=5ghz-a/n/ac extension-channel=XXXX name=5-CH00+ reselect-interval=1h skip-dfs-channels=yes
/caps-man rates
add basic=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps name=2GDataRates supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add basic=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps name=5GDataRates supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
# Three WPA2-PSK / AES-CCM profiles; the passphrases are redacted in this post.
# Only security-corp and security-guest are referenced by a configuration in
# this export; security-IoT is defined but not used here.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security-corp passphrase="xxxxxxxxxxxxxxxxxxxxxxxx"
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security-guest passphrase=xxxxxxxxxxxxxxxxxxxx
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security-IoT passphrase=xxxxxxxxxxxxxxxxxxxxxx
# cfg-corp and cfg-corp-5g both publish SSID-sec with security-corp and the
# datapath-corp-local datapath; cfg-guest uses datapath-guest.
/caps-man configuration
add channel=2-CH0 country=germany datapath=datapath-corp-local distance=indoors installation=indoor mode=ap name=cfg-corp security=security-corp ssid=SSID-sec
add country=no_country_set datapath=datapath-guest mode=ap name=cfg-guest security=security-guest ssid=SSID-Guest
add channel=5-CH00+ country=germany datapath=datapath-corp-local distance=indoors installation=indoor mode=ap name=cfg-corp-5g rates=5GDataRates security=security-corp ssid=SSID-sec
# Only datapath-corp-local sets local-forwarding=yes; the other three leave it
# unset.
# NOTE(review): with local forwarding the client frames are bridged on the CAP
# and are not tunnelled to this router, so any filtering or monitoring meant
# for SSID-sec clients has to sit on the CAP or on the wired path between CAP
# and router - confirm where that is expected to happen.
/caps-man datapath
add bridge=br-corp name=datapath-corp
add bridge=br-guest name=datapath-guest
add bridge=br-IoT name=datapath-IoT
add bridge=br-corp local-forwarding=yes name=datapath-corp-local
# Statically created CAP interfaces (MAC addresses and radio names redacted).
/caps-man interface
add channel.frequency=2412,2437,2462 configuration=cfg-corp disabled=no l2mtu=1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=2G-AP02-1 radio-mac=xx:xx:xx:xx:xx:xx radio-name=xxxxxxxxxx
add channel.frequency=2412,2437,2462 configuration=cfg-corp disabled=no l2mtu=1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=2G-AP03-1 radio-mac=xx:xx:xx:xx:xx:xx radio-name=xxxxxxxxxx
add configuration=cfg-corp-5g disabled=no l2mtu=1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=5G-AP02-1 radio-mac=xx:xx:xx:xx:xx:xx radio-name=xxxxxxxxxxx
add configuration=cfg-corp-5g disabled=no l2mtu=1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=5G-AP03-1 radio-mac=xx:xx:xx:xx:xx:xx radio-name=xxxxxxxxxxx
# The manager uses an automatically generated CA and certificate.
# NOTE(review): require-peer-certificate= does not appear in this compact
# export, so it is presumably at its default; if so, a CAP does not have to
# present a certificate to be accepted. Confirm with a verbose export and
# consider enabling it once every CAP holds a certificate.
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/pub upgrade-policy=suggest-same-version
# CAPsMAN is forbidden on the default entry and on e06-wan and allowed only on
# br-corp, so the service is not offered on the WAN interface.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no forbid=yes interface=e06-wan
add disabled=no interface=br-corp
# The first two rules match radios whose identity matches the regexp AP and
# use create-disabled, so a newly seen radio gets an interface that stays off
# until it is enabled by hand.
# NOTE(review): the last rule shows no identity-regexp, hw-supported-modes or
# action in this export; verify what it does for radios that fall through the
# first two rules.
/caps-man provisioning
add action=create-disabled hw-supported-modes=gn identity-regexp=AP master-configuration=cfg-corp name-format=prefix-identity name-prefix=2G
add action=create-disabled hw-supported-modes=ac identity-regexp=AP master-configuration=cfg-corp-5g name-format=prefix-identity name-prefix=5G
add master-configuration=cfg-corp name-format=prefix-identity name-prefix=d-cAP
[admin@Router] /caps-man>

At least on my devices, you won’t see the traffic go over the bridge other than management traffic. Especially with local forwarding, most of your traffic will be on ether1 and your wlan interfaces.

What makes things so confusing is the fact that the bridge (as in “virtual switch”) itself and the port of that bridge to which the upper layers of the networking stack are connected (as in “virtual port of a virtual switch”) are both referred to as “bridge”. This is nothing special to RouterOS, though - both the other *nix systems and Windows do the same.

So most of the traffic is forwarded between the wlan interface and the Ethernet one by the virtual switch, whereas the traffic statistics for a “bridge” are collected on the virtual port. Only traffic to/from the Mikrotik itself and traffic routed to/from other subnets passes through “bridge” as an interface; the cAP doesn’t route, so only the management traffic is present on that interface there.