WiFi Wave2 interface not untagging frames when a station-bridge connects

I have the following WLAN setup using CAPsMAN on RB5009 and cAP ax connected directly to RB5009 using a trunk port:


# 2023-11-24 22:44:05 by RouterOS 7.12
# software id = E83S-AAZN
#
# model = RB5009UPr+S+
/interface wifiwave2 channel
add frequency="" name=5ghz
add name=2ghz width=20/40mhz
/interface wifiwave2 datapath
add bridge=bridge-lan name=vlan100 vlan-id=100
add bridge=bridge-lan name=vlan400 vlan-id=400
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk name=sec-private
add authentication-types=wpa2-psk,wpa3-psk name=sec-guest
/interface wifiwave2 configuration
add country=Germany datapath=vlan400 name=wlan-guest-5ghz security=sec-guest ssid=Guest
add channel=5ghz country=Germany datapath=vlan100 name=wlan-private-5ghz security=sec-private ssid=Private
add channel=2ghz country=Germany datapath=vlan100 name=wlan-private-2ghz security=sec-private ssid=Private_2.4
/interface wifiwave2 capsman
set enabled=yes interfaces=vlan50
/interface wifiwave2 provisioning
add action=create-dynamic-enabled master-configuration=wlan-private-5ghz name-format=5ghz-%I slave-configurations=wlan-guest-5ghz supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=wlan-private-2ghz name-format=2ghz-%I supported-bands=2ghz-ax
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether7-capax vlan-ids=400
add bridge=bridge-lan tagged=bridge-lan untagged=ether7-capax vlan-ids=50
add bridge=bridge-lan tagged=bridge-lan,ether7-capax untagged=ether1-desktop vlan-ids=100
/interface vlan
add comment=mgmt interface=bridge-lan name=vlan50 vlan-id=50
add comment=private interface=bridge-lan name=vlan100 vlan-id=100
add comment=guest interface=bridge-lan name=vlan400 vlan-id=400

It works as expected and I cannot inject 802.1Q VID 100 tagged frames when connected to the Guest network. However, when I was setting up my hAP ac^2 as a wifi repeater/extender connected to the Guest network and using the following configuration I noticed that a PC connected to one of the ports of the hap ac^2 was receiving 802.1Q frames tagged with VID 400:


# 1970-01-02 02:45:22 by RouterOS 7.13beta2
# software id = CGZZ-X439
#
# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=3C:C5:1A:D6:87:D1 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=station-bridge .ssid=notinuse name=wifi-station-2ghz
set [ find default-name=wifi2 ] configuration.mode=station-bridge .ssid=Guest datapath.bridge=bridge disabled=no name=wifi-station-5ghz
/interface bridge port
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=wifi-station-2ghz
add bridge=bridge interface=wifi-station-5ghz

I’ve tried multiple VLAN configurations on the PC and these are the results:

  • DHCP works on the untagged physical interface, but the replies that are received are 802.1Q tagged.
  • Sending untagged frames with ARP requests of the RB5009 IP on the vlan400 interface - the reply comes in from RB5009, but it is 802.1Q tagged and is ignored by the host.
  • Sending VID 100 tagged frames with ARP requests of the RB5009 IP on the vlan100 interface - no response.
  • Sending VID 400 tagged frames with ARP requests of the RB5009 IP on the vlan400 interface - no response.
  • Set the same IP on the VID 400 interface as on the physical interface and do an ARP ping. I’m now able to receive the ARP replies on the VID 400 interface, but they have to be sent untagged by the physical interface.

Have I set up the datapaths incorrectly or is this a bug in VLAN untagging when using the 4-address frame format?

New wifi driver (wifi-qcom and wifi-qcom-ac, but the same was already in original wifiwave2 driver) can’t tag/untag frames. It’s in the new WiFi manual, section “Replacing ‘wireless’ package” under “Lost features”.

So it seems that the problem actually starts on cAP ax …

and also station-bridge is not supported on wifiwave2

Actually, since 7.12 it is.
Already tested it.

*) wifiwave2 - added station-bridge interface mode;

What is doing the tagging/untagging then? The RB5009 does receive tagged frames on the ether7 interface and the stations connecting to the wifi networks do not see any VLAN tagged frames. Only when connected via the hap ac^2 in the station-bridge mode do the VLAN tagged frames appear.



The following notable features are lost when running 802.11ac products with drivers that are compatible with the 'wifi' management interface

Compatibility with station-bridging as implemented in the 'wireless' package

Too much smoke on the eyes...

Towards old Wireless, it says.

I upgraded the hAP to the beta version specifically to avoid compatibility issues when running the old wireless with the new wifi. Also it does seem to me like the main issue here is the cAP not untagging the frames. Why would the hAP even be able to know there is a VLAN in place in this configuration?

I didn’t go through your whole configuration, but as wave2 does no longer distinguish between “ap” and “ap-bridge” mode, this sounds like a huge security issue. If your observation is accurate, wireless clients could gain access to vlans they are not supposed to see, I suggest you raise a proper ticket at Mikrotik support.

The posted config for RB5009 doesn’t seem complete to me so it’s not clear if anything is actually doing any tagging/untagging (and that includes 5009). Unless you sincerely post full config of all 3 involved devices (5009, cAP ax and hAP ac2), we’ll be just shooting ducks here …

I further investigated the issue by using the sniffer and trying to arpping the RB5009 from the PC. The PC is connected to the ether1 interface of the hAP and the hAP is connected to the Guest WiFi using the wifi-station-5ghz interface set as station-bridge. I discovered the following:

  • ARP request packets can be sniffed on all interfaces (locally on the PC, bridge-lan, wifi-station-5ghz and ether1) and no 802.1Q frames can be seen
  • ARP replies are received on the wifi-station-5ghz without any 802.1Q tagging
  • ARP replies are not visible in the bridge-lan interface
  • ARP replies are sent out ether1 interface with the 802.1Q tag

This is the sniffer configuration, where XXX was one of bridge-lan, wifi-station-5ghz and ether1:

/tool sniffer
set file-limit=50KiB filter-operator-between-entries=and filter-port=!ssh filter-stream=yes memory-limit=50KiB streaming-enabled=yes streaming-server=10.70.4.21 filter-interface=XXX

This suggests to me that the cAP is functioning properly as the frames received on wifi-station-5ghz are not tagged. Still, somehow the hAP is tagging the packets coming out of ether1 with the VLAN ID of the Guest VLAN.

Here is the cAP configuration:

# 1970-01-14 17:28:15 by RouterOS 7.11.2
# software id = YBL2-KN1A
#
# model = cAPGi-5HaxD2HaxD
/interface bridge
add admin-mac=71:9A:13:41:5E:65 auto-mac=no comment=defconf name=bridgeLocal
/interface wifiwave2 datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: Private, channel: 5680/ax/eCee
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Private_2.4, channel: 2437/ax/eC
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifiwave2 cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add interface=bridgeLocal
/system identity
set name=capax
/system note
set show-at-login=no

And the RB5009 configuration:

# 2023-11-26 14:28:51 by RouterOS 7.12
# software id = E83S-AAZN
#
# model = RB5009UPr+S+
/disk
set usb1 type=hardware
set usb2 type=hardware
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=no name=bridge-lan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-desktop
set [ find default-name=ether7 ] name=ether7-capax
/interface vlan
add comment=mgmt interface=bridge-lan name=vlan50 vlan-id=50
add comment=private interface=bridge-lan name=vlan100 vlan-id=100
add comment=guest interface=bridge-lan name=vlan400 vlan-id=400
/interface list
add name=wan
add name=lan
add name=management
add name=private
add name=guest
/interface wifiwave2 channel
add frequency="" name=5ghz
add name=2ghz width=20/40mhz
/interface wifiwave2 datapath
add bridge=bridge-lan name=vlan100 vlan-id=100
add bridge=bridge-lan name=vlan400 vlan-id=400
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk name=sec-private
add authentication-types=wpa2-psk,wpa3-psk name=sec-guest
/interface wifiwave2 configuration
add country=Germany datapath=vlan400 name=wlan-guest-5ghz security=sec-guest ssid=Guest
add channel=5ghz country=Germany datapath=vlan100 name=wlan-private-5ghz security=sec-private ssid=Private
add channel=2ghz country=Germany datapath=vlan100 name=wlan-private-2ghz security=sec-private ssid=Private_2.4
/ip pool
add name=pool-vlan100 ranges=10.0.10.100-10.0.10.199
add name=pool-vlan400 ranges=10.0.40.100-10.0.40.199
add name=pool-vlan50 ranges=10.0.5.100-10.0.5.199
/ip dhcp-server
add address-pool=pool-vlan100 interface=vlan100 lease-script=dhcp2dns lease-time=1w name=dhcp-vlan100
add address-pool=pool-vlan400 interface=vlan400 lease-time=8h name=dhcp-vlan400
add address-pool=pool-vlan50 interface=vlan50 lease-time=1h name=dhcp-vlan50
/interface bridge port
add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged interface=ether1-desktop pvid=100
add bridge=bridge-lan interface=ether7-capax pvid=50
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether7-capax vlan-ids=400
add bridge=bridge-lan tagged=bridge-lan untagged=ether7-capax vlan-ids=50
add bridge=bridge-lan tagged=bridge-lan,ether7-capax untagged=ether1-desktop vlan-ids=100
/interface list member
add interface=vlan100 list=lan
add interface=vlan400 list=lan
add interface=vlan100 list=management
add interface=vlan400 list=guest
/interface wifiwave2 capsman
set enabled=yes interfaces=vlan50
/interface wifiwave2 provisioning
add action=create-dynamic-enabled master-configuration=wlan-private-5ghz name-format=5ghz-%I slave-configurations=wlan-guest-5ghz supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=wlan-private-2ghz name-format=2ghz-%I supported-bands=2ghz-ax
/ip address
add address=10.0.40.1/24 interface=vlan400 network=10.0.40.0
add address=10.0.5.1/24 interface=vlan50 network=10.0.5.0
add address=10.0.10.1/24 interface=vlan100 network=10.0.10.0
/ip dhcp-client
add interface=ether8-wan
/ip dhcp-server network
add address=10.0.5.0/24 comment=vlan50 dns-server=10.0.30.12 domain=net.zdul.xyz gateway=10.0.5.1
add address=10.0.10.0/24 comment=vlan100 dns-server=10.0.30.12 domain=private.zdul.xyz gateway=10.0.10.1
add address=10.0.40.0/24 comment=vlan400 dns-server=10.0.30.12 gateway=10.0.40.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/system identity
set name=rb5009
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=management
/tool mac-server mac-winbox
set allowed-interface-list=management

As well as the hAP configuration:

# 1970-01-02 02:13:25 by RouterOS 7.13beta2
# software id = CGZZ-X439
#
# model = RBD52G-5HacD2HnD
/disk
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset=512 partition-size="61 524 147 712" type=partition
/interface bridge
add admin-mac=3D:12:67:E1:23:4A auto-mac=no comment=defconf name=bridge-lan port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=station-bridge .ssid=notinuse name=wifi-station-2ghz
set [ find default-name=wifi2 ] configuration.mode=station-bridge .ssid=Guest disabled=no name=wifi-station-5ghz
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge-lan interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge-lan interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge-lan interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge-lan interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge-lan interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge-lan interface=wifi-station-2ghz
add bridge=bridge-lan interface=wifi-station-5ghz
/ip neighbor discovery-settings
set discover-interface-list=none
/ip address
add address=10.70.4.20/24 interface=bridge-lan network=10.70.4.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/system note
set show-at-login=no
/tool sniffer
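As an added example (not from the thread and not MikroTik code), a small Python check for the symptom sniffed above: parse frames taken from a port that should be untagged and report every 802.1Q tag with its VID, so a leaked Guest or Private VID shows up in a test instead of on a client's wire. The frames, MAC addresses and ARP payloads are constructed; the parser also walks a QinQ (0x88A8) outer tag.

```python
# Added example (not from the thread): flag 802.1Q-tagged frames arriving on a
# port that should be untagged, the symptom the ARP sniff above describes.
import struct

TPID_8021Q, TPID_8021AD = 0x8100, 0x88A8   # 802.1Q tag, and QinQ outer tag
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800

def parse_frame(frame):
    """Return dst/src MACs, the VLAN tag stack (outer first) and inner ethertype."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    off, tags = 12, []
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype in (TPID_8021Q, TPID_8021AD):
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"vid": tci & 0x0FFF, "pcp": tci >> 13})
        off += 4                                   # skip TPID+TCI, read next ethertype
        ethertype = struct.unpack_from("!H", frame, off)[0]
    info = {"dst": mac(frame[:6]), "src": mac(frame[6:12]), "tags": tags, "ethertype": ethertype}
    payload = frame[off + 2:]
    if ethertype == ETH_ARP and len(payload) >= 8:
        info["arp_opcode"] = struct.unpack_from("!H", payload, 6)[0]   # 1=request, 2=reply
    return info

def audit_untagged_port(frames, allowed_vids=frozenset()):
    """Return (index, vid, src, arp_opcode) for every tag an access port should not carry."""
    findings = []
    for idx, frame in enumerate(frames):
        info = parse_frame(frame)
        for tag in info["tags"]:
            if tag["vid"] not in allowed_vids:
                findings.append((idx, tag["vid"], info["src"], info.get("arp_opcode")))
    return findings

def build_frame(dst, src, ethertype, payload, vids=()):
    """Construct a sample frame; each vid adds one 802.1Q tag with PCP 0."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample capture: ARP header hw=1, proto=0x0800, hlen=6, plen=4, opcode, zeroed addresses
ARP_REQUEST = bytes.fromhex("0001080006040001") + bytes(20)
ARP_REPLY = bytes.fromhex("0001080006040002") + bytes(20)
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", ETH_ARP, ARP_REQUEST),              # untagged request: fine
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", ETH_ARP, ARP_REPLY, vids=(400,)),   # reply tagged with guest VID
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", ETH_IPV4, bytes(20), vids=(100,)),  # private VID leaking too
]
```

Run `audit_untagged_port(SAMPLE_FRAMES)` to list the two offending frames; feeding it frames read from a pcap of the PC-side port gives the same report for real traffic.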

hAP config has nothing about VLANs so according to config, it should not touch tags at all.

I’d netinstall hAP ac2 to be 100% sure it’s really VLAN-free (it seems that occasionally the internal configuration database gets out of sync with visible configuration and proper reset clears it … reset to factory defaults might do the trick as well, but netinstall is a more certain way).

Other than that … my experience with legacy capsman (I don’t have any hands-on experience with wave2 capsman) is that when local-forwarding is used (and AFAIK that’s the only forwarding supported by wave2 capsman for now), bridge named in datapath has to match bridge name on cap. So verify (using print command) that wifi interfaces are properly made members of cap’s bridge which is named differently than capsman setting implies.
Another thing: it’s a bit of a misty state regarding VLAN support in wave2/wifi driver … and using vlan-id in datapath does indicate that either driver would have to do the tagging/untagging or capsman-managed wifi interfaces would have to be set as access ports (pvid setting) of vlan-enabled bridge (which your cap doesn’t have). And it seems that currently the former method (wave2/wifi driver manipulating vlan tags) is not available.

I updated the cAP ax to 7.12 and it seems to have fixed the issue. I suspect the addition of station-bridge in this version also prompted some bug fixes on the AP mode implementation.