Wifi -> ETH LAN

Hello,

I’m using a Chateau LTE on RouterOS v7.1beta5 and am very happy with it; everything seems to be working fine except for local network traffic originating on WiFi. There are no issues with accessing the internet on WiFi or ETH.

Basically I’ve noticed that I had difficulties accessing my Synology NAS, which is connected to the Chateau over ETH, from a PC on WiFi. Initially I looked for Synology-related tips but nothing seemed to help. I checked on Linux and noticed that it also has difficulties when accessing the NAS from WiFi compared to an ETH cable. What changed recently is that I moved my NAS and connected it directly to the Chateau (it went through an unmanaged switch before) and got a Mac which doesn’t have an ETH connector, so I relied on WiFi more. This is when I started observing problems.

After investigating further I decided to run iperf3 between a Mac and a Linux PC in the network, of which I’m attaching logs. All of them were copied from the Linux side.
The most interesting tests are #2, #3 and #8, i.e. when the client is on WiFi and the server is on ETH. Test #3 is an exception, as test #7, which is the same setup with Linux being the client, works well… Usually I’d just suspect WiFi signal strength and do something about it, but here on WiFi I get speedtest results of 15 Mbps on Linux and >40 Mbps on the Mac. So this is good for me and my LTE speed.

Basically it seems like I’m having some issues with routing traffic from WiFi to local ETH when the initiator side is on WiFi. The test was performed on 2 Macs (2011 MBP and 2021 MacBook Air) and an Acer laptop running Linux. My network settings are super simple, with an additional guest WiFi, a hex router under CAPsMAN and a firewall as in the attached screenshot. Nothing really exotic, and it works. I tried disabling “defconf: drop all not coming from LAN” temporarily but nothing really changed. I’m also attaching my NAS resource monitor at the time I try to copy a file from a Mac to it: nothing really happens, though I’ve mounted it via SMB and can even read files! Also there are no issues with accessing the Synology NAS web panel over HTTP, be it from WiFi or ETH.

I’m a bit hesitant about updating RouterOS to test, because v7.1beta5 gave me the best possible LTE performance, which no other version did, as you can see in http://forum.mikrotik.com/t/two-chateau-lte12-same-operator-different-speeds/150230/1
What else could I do to fix this? It seems like the local network is not accessible from WiFi in my case, and it’s not related to the devices at both ends of the exchange, just routing between interfaces.
Screenshot from 2022-03-04 15-16-56.png
Screenshot from 2022-03-04 14-56-49.png
mikrotik-chateau-wifi-vs-eth-tests.txt (12.1 KB)

Test info is OK. But what is the network setup?
I see hEX, CAPsMAN and Chateau. What is the data flow? (CAPsMAN where? Local forwarding? What goes through the firewall? Bridged, routed? …)

It is more productive if you share the config of the hEX and the Chateau (“export hide-sensitive file=yoursavefilename”). Mask remaining sensitive data.

Thank you for your reply.

The network setup is the following:

  • Chateau running as the main LTE+ETH+WiFi device and as the CAPsMAN master
  • hAP ac² (which I previously mistakenly called hEX) used as a CAPsMAN slave to extend WiFi + as an ETH switch. Connected to the Chateau with an ETH cable.
  • “guest-wifi” is not allowed to reach “my-wifi”, but the other way around is enabled
  • The 5GHz WiFi networks are disabled as I wasn’t using them anyway. 2.4GHz works much better in my case

When testing I’m closer to the Chateau than to the hAP ac², but it probably doesn’t matter as it’s one network in the end.
The settings export from the Chateau is pasted below. Unfortunately I don’t know how to connect to the CAPsMAN slave to export its settings, as under CAPsMAN neither SSH nor WebFig are available any more. Also a comment about the DNS: 192.168.1.2 is not a typo, as I’m testing a separate pinhole DNS + I’ve checked that it has no impact on my issue.



[admin@MikroTik] > /export hide-sensitive
# ... by RouterOS 7.1beta5
# software id = ...
#
# model = RBD53G-5HacD2HnD
# serial number = ...

/interface bridge
add admin-mac=... auto-mac=no comment=defconf name=bridge
add name=bridge-guest
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=my-country disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    my-wifi wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=my-country distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    my-wifi-5GHz wireless-protocol=802.11
/interface lte
set [ find ] allow-roaming=no name=lte1
/caps-man configuration
add country=my-country datapath.bridge=bridge name=Config security.authentication-types=wpa2-psk .encryption=aes-ccm ssid=my-wifi
add country=my-country datapath.bridge=bridge-guest name=Config-guest security.authentication-types=wpa2-psk .encryption=aes-ccm ssid=guest-wifi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile-guest supplicant-identity=MikroTik
/interface wireless
add mac-address=... master-interface=wlan2 name=wlan3-guest-5GHz security-profile=profile-guest ssid=guest-wifi
add disabled=no mac-address=... master-interface=wlan1 name=wlan4-guest-2.4GHz security-profile=profile-guest ssid=guest-wifi
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp-guest ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=local
add address-pool=dhcp-guest disabled=no interface=bridge-guest name=dhcp-guest
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
add disabled=no interface=bridge-guest
add interface=ether1
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config
/interface bridge filter
# wlan3-guest-5GHz not ready
# in/out-bridge-port matcher not possible when interface (wlan3-guest-5GHz) is not slave
add action=drop chain=forward in-interface=wlan3-guest-5GHz
# wlan3-guest-5GHz not ready
# in/out-bridge-port matcher not possible when interface (wlan3-guest-5GHz) is not slave
add action=drop chain=forward out-interface=wlan3-guest-5GHz
add action=drop chain=forward in-interface=wlan4-guest-2.4GHz
add action=drop chain=forward out-interface=wlan4-guest-2.4GHz
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-guest interface=wlan3-guest-5GHz
add bridge=bridge-guest interface=wlan4-guest-2.4GHz
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface lte settings
set external-antenna=both
/interface wireless cap
set bridge=bridge interfaces=wlan1
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=10.10.10.1/24 interface=bridge-guest network=10.10.10.0
/ip dhcp-server lease
add address=192.168.1.3 client-id=... mac-address=... server=local
add address=192.168.1.4 client-id=... mac-address=...
add address=192.168.1.2 client-id=... mac-address=... server=local
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8,9.9.9.9 gateway=10.10.10.1
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.2,192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.2
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.0/24 list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=10.10.10.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=bridge-guest src-address=10.10.10.0/24
/ip ipsec policy
add dst-address=0.0.0.0/0 src-address=0.0.0.0/0 template=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/City
/system routerboard settings
set cpu-frequency=auto
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

No experience with CAPsMAN and certainly not with “CAP in CAPsMAN” (see the case studies at the bottom of https://wiki.mikrotik.com/wiki/Manual:Simple_CAPsMAN_setup, on “caps-man manager interface”)

The use of the bridge filter is irrelevant for my-wifi, but a bit strange to me, as the bridges “bridge” and “bridge-guest” are not bridged together but routed, and so their inter-bridge traffic does pass the IP firewall.

There is clearly a WiFi performance problem. The WLAN1 settings are probably not used, but the CAPsMAN settings are. I don’t know the defaults used, but…
For 2.4GHz don’t use 40 MHz wide channels unless the scan showed no other WiFi around
Don’t use 802.11b; only use “b” if there is a clear need (very old client devices that only support “b”)
Ditto for “auto” frequency. Do the scan and make a proper selection manually
Do verify the registration table. The shown test throughputs are very low. The registration table shows the interface rate including /*S/ streams, CCQ, throughput, signal strength, SNR, …

It looks indeed like you have CAPsMAN activated but no further config.
So as default as it can get…

Wondering: why do you want to use CAPsMAN?
For a limited number of APs it might be easier to handle them manually (actually: it IS easier… you will have more control over what’s happening on each device).
Disclaimer: I also have one setup with 2 APs at a remote location where I use CAPsMAN.
But:

  1. that’s really from an educational point of view, so I can learn about it
  2. no one near me for almost 1km, so I can goof around with the wireless settings as much as I want :laughing:

In case you do want to pursue using CAPsMAN, this is very good reading material, especially the part on where you need to set what.
https://mum.mikrotik.com/presentations/EU18/presentation_5155_1523286214.pdf

But personally, I’d use the hAP ac2 as a standalone device: DHCP client, no DHCP server.
Then you can tweak all wireless settings to the optimal situation for your environment.
At home I also have one just like that, connected to a hEX.

Thank you bpwl, holvoetn

I will process all the information you sent. It seems like it’s possibly the way to a solution.
Similarly to you, holvoetn, I’m using CAPsMAN mainly for education purposes. Not ruling out that I’ll be throwing in another AP or two in the near future for better outdoor coverage. I’m sometimes tempted to just restore the hAP ac² to defaults and manage it as a separate device, but I want to learn while working with CAPsMAN, so I’m choosing the harder way :wink:

I should do that as well, test CAPsMAN. But lack of control is stopping me so far. (Why have very advanced settings like “HW retries” and “Frame Lifetime” but not AMSDU, A-MPDU, WMM, “Skip DFS CAC 10min”???) Well, I need “AP-bridge” also.

hAP ac2 as a simple AP? Use Quickset (an absolute exception to my advice against using Quickset :slight_smile: ), select “WISP AP, mode BRIDGE”, then adjust further the classical way, and never go back to QuickSet.

I’ve tried disabling WiFi on the Chateau, and while on the CAPsMAN WiFi from the hAP ac² I was able to transfer something to my NAS! So it’s clearly something related to the two WiFis interfering OR the Chateau WiFi not being bridged correctly - is that even possible? Normally, when conducting my tests I’m physically significantly closer to the Chateau than to the hAP ac², but apparently the hAP ac² is also strong enough here to be workable, e.g. to write this post :slight_smile:

As @holvoetn said, your Chateau WiFi is not configured. The CAPsMAN WiFi configuration lacks some settings; all is just default.
The CAP interface connection on the Chateau might need this from the wiki: “you will have enable all CAPsMAN on all interfaces and forbid any interface that you don’t want”

In the “registration table” you can see to which unit you are connected and how good or bad that connection is.
If via CAPsMAN, it is in the CAPsMAN registration table; otherwise it is in the Wireless registration table.
The client device decides where to connect, based on its own criteria.

After all your suggestions, and eventually finding the great guide https://grzegorzkowalik.com/mikrotik-od-zera-capsman-w-domu-14/ (it’s in Polish but documents everything step by step in an awesome way), I finally configured CAPsMAN correctly! I think my main mistake was that I didn’t put my Chateau WLANs under CAPsMAN and used the same SSID. Of course along with the channels not being configured. Now I can use my NAS over WiFi! After some tweaking I even made my guest WiFi work, so it’s all good.

Thank you very much for your help @bpwl, @holvoetn - I wouldn’t have known where to look for the source of the issue if it wasn’t for your posts.
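The following is an added example, not part of the thread and not a MikroTik-published configuration. It pulls together the fix the original poster describes (the Chateau's own radio joined to the local CAPsMAN instead of carrying a second copy of the same SSID) and bpwl's channel advice (fixed 20 MHz channel, no 802.11b, no "auto" frequency) into one legacy /caps-man configuration for RouterOS 7.1. Names reused from the export above: bridge, bridge-guest, my-wifi, guest-wifi, wlan1, my-country. Everything else is an assumption: the frequencies 2412/2437 (pick yours from a site survey), the passphrases, the profile and provisioning names, and the guest isolation choices.

```routeros
# Added example; not the thread's or MikroTik's own config. Values marked
# ASSUMED are placeholders to replace before use.

# 1. Channels: 20 MHz only, no 40 MHz extension, g/n only (no 802.11b).
#    Frequencies are ASSUMED; choose them from "/interface wireless scan wlan1".
/caps-man channel
add name=ch-2g-1 band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412
add name=ch-2g-6 band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437

# 2. Datapaths: client frames are tunnelled to CAPsMAN and placed into the bridge
#    there (local-forwarding=no). Guest clients cannot see each other on one AP;
#    guest-to-LAN is still blocked by the IP firewall forward rule in the export
#    (the two bridges are routed on the same router, as bpwl noted).
/caps-man datapath
add name=dp-lan bridge=bridge client-to-client-forwarding=yes local-forwarding=no
add name=dp-guest bridge=bridge-guest client-to-client-forwarding=no local-forwarding=no

# 3. Security: WPA2-PSK with AES-CCM only (no TKIP), one passphrase per SSID,
#    PMKID disabled so the PSK cannot be attacked offline from a captured PMKID.
#    Passphrases are ASSUMED placeholders.
/caps-man security
add name=sec-lan authentication-types=wpa2-psk encryption=aes-ccm disable-pmkid=yes passphrase="CHANGE-ME-lan"
add name=sec-guest authentication-types=wpa2-psk encryption=aes-ccm disable-pmkid=yes passphrase="CHANGE-ME-guest"

# 4. Configurations: every radio parameter is explicit instead of "default".
/caps-man configuration
add name=Config ssid=my-wifi mode=ap country=my-country installation=indoor channel=ch-2g-1 datapath=dp-lan security=sec-lan
add name=Config-guest ssid=guest-wifi mode=ap country=my-country installation=indoor channel=ch-2g-1 datapath=dp-guest security=sec-guest

# 5. Provisioning: create an enabled master (LAN) + slave (guest) interface on
#    every 2.4 GHz radio. To put the second AP on ch-2g-6 instead, add a second
#    configuration using that channel and a second rule matched by radio-mac=.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=Config slave-configurations=Config-guest name-format=prefix-identity name-prefix=cap

# 6. CAPsMAN listens only where CAPs really are: forbid everything, then allow
#    the LAN bridge (hAP ac2 is behind it). Guest bridge and ether1 stay forbidden.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add interface=bridge
/caps-man manager
set enabled=yes

# 7. The Chateau's own 2.4 GHz radio becomes a CAP of the local CAPsMAN over
#    loopback (the "CAP in CAPsMAN" case). The defconf input rule
#    "accept to local loopback (for CAPsMAN)" is what permits this connection.
#    The standalone wlan1 SSID/security settings are then no longer used.
/interface wireless cap
set enabled=yes caps-man-addresses=127.0.0.1 interfaces=wlan1

# 8. Verify: both radios provisioned, the dynamic cap interfaces sitting in the
#    intended bridge, and per-client rate / CCQ / signal in the registration table.
/caps-man radio print
/interface bridge port print where dynamic
/caps-man registration-table print
```

Two checks worth doing after applying this: confirm in `/caps-man radio print` that the Chateau's wlan1 shows as provisioned (if it does not, the loopback CAP is not reaching CAPsMAN, and a standalone SSID may still be beaconing next to the CAPsMAN one, which is the duplicate-SSID situation the thread ended up fixing), and confirm in `/interface bridge port print` that the cap-guest interfaces land in bridge-guest and not in bridge, since a datapath pointing at the wrong bridge silently puts guest clients on the LAN.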