i have an RB2011UAS-2HnD as main router and capsman v2 master, and a hap-lite and cap2n as cap clients..
i have the capsman ap’s in bridge with separate ip (else i got a loop message in log)
dhcp server is assigned to the wifi-bridge
and the networks shows in routes
the nat rules works and i can se all my wireless cameras from intrenet (but not when connected to wifi)
(i have a local bind server, that enables me to use the same adress locally)
the problem is that i cant reach wireless clients from other wireless clients if they are connected to another AP..
IE i cant reach my ChromeCast from my Phone if they are connected to different AP’s
here is some parts of my config
# jul/09/2015 15:43:00 by RouterOS 6.29.1
# software id = MELS-KKWL
#
/caps-man channel
add frequency=2437 name=channel6 width=20
add frequency=2467 name=channel12 width=20
add frequency=2452 name=channel9 width=20
add frequency=2422 name=channel3 width=20
add frequency=2412 name=channel1 width=20
/interface bridge
add name=Wifi-Bridge protocol-mode=none
add admin-mac=D4:CA:6D:97:8C:EE auto-mac=no mtu=1500 name=bridge-local
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(30dBm), SSID: DragonSlayer WiFi, CAPsMAN forwarding
set [ find default-name=wlan1 ] l2mtu=1600 mode=ap-bridge name=WLAN
/interface ethernet
set [ find default-name=ether6 ] name=FE6
set [ find default-name=ether7 ] master-port=FE6 name=FE7-HomePlug
set [ find default-name=ether8 ] master-port=FE6 name=FE8-U5
set [ find default-name=ether9 ] master-port=FE6 name=FE9
set [ find default-name=ether10 ] master-port=FE6 name=FE10
set [ find default-name=ether1 ] name=G1-WAN
set [ find default-name=ether2 ] name=G2-LAN
set [ find default-name=ether3 ] name=G3-NAS
set [ find default-name=ether4 ] name=G4-W12
set [ find default-name=ether5 ] name=G5
set [ find default-name=sfp1 ] disabled=yes name=SFP speed=100Mbps
/ip neighbor discovery
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(30dBm), SSID: DragonSlayer WiFi, CAPsMAN forwarding
set WLAN discover=no
/caps-man configuration
add country=no_country_set datapath.bridge=Wifi-Bridge name=cfg1 \
security.encryption=aes-ccm,tkip ssid="DragonSlayer WiFi"
/caps-man interface
#
add arp=enabled channel=channel6 configuration=cfg1 disabled=no l2mtu=1600 \
mac-address=E4:8D:8C:F1:63:85 master-interface=none mtu=1500 name=RBcAP2n \
radio-mac=E4:8D:8C:F1:63:85
#
add arp=enabled channel=channel9 configuration=cfg1 disabled=no l2mtu=1600 \
mac-address=4C:5E:0C:E7:8C:68 master-interface=none mtu=1500 name=\
hAP-lite radio-mac=4C:5E:0C:E7:8C:68
#
add arp=enabled channel=channel1 configuration=cfg1 disabled=no l2mtu=1600 \
mac-address=D4:CA:6D:97:8C:F7 master-interface=none mtu=1500 name=\
rb2011wireless radio-mac=D4:CA:6D:97:8C:F7
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
/ip pool
add name=dhcp ranges=192.168.2.2-192.168.2.254
add name=vpn-pool ranges=10.10.10.2-10.10.10.254
add name=wifi-pool ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp always-broadcast=yes disabled=no interface=\
bridge-local lease-time=3d name=default
add add-arp=yes address-pool=wifi-pool always-broadcast=yes disabled=no \
interface=Wifi-Bridge lease-time=3d name=Wifi
/port
set 0 name=usb1
set 1 baud-rate=9600 data-bits=8 flow-control=none name=usb1 parity=none \
stop-bits=1
set 2 name=usb3
/interface ppp-client
add apn=online.telia.se default-route-distance=10 dial-on-demand=no disabled=\
no name=Telia_E220 port=usb3
/ppp profile
set [ find name=default ] name=default
set [ find name=default-encryption ] dns-server=8.8.8.8,192.168.2.12 \
local-address=10.10.10.1 name=default-encryption remote-address=vpn-pool
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/interface bridge port
add bridge=bridge-local interface=G2-LAN
add bridge=bridge-local interface=G3-NAS
add bridge=bridge-local interface=G4-W12
add bridge=bridge-local interface=G5
add bridge=bridge-local interface=FE6
/ip settings
set accept-redirects=yes
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 enabled=yes
/interface wireless cap
set caps-man-addresses=127.0.0.1 certificate=CAPsMAN-CA-D4CA6D978CEC enabled=\
yes interfaces=WLAN
/ip address
add address=192.168.2.1/24 comment="default configuration" interface=\
bridge-local network=192.168.2.0
add address=192.168.1.1/24 comment="default configuration" interface=\
Wifi-Bridge network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=SFP
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=G1-WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=Wifi-Network dns-server=\
192.168.2.12,8.8.8.8 domain=dragonslayer.se gateway=192.168.1.1 netmask=\
24 ntp-server=192.36.134.17 wins-server=192.168.2.1
add address=192.168.2.0/24 comment="default configuration" dns-server=\
192.168.2.12 domain=dragonslayer.se gateway=192.168.2.1 netmask=24 \
ntp-server=192.36.134.17 wins-server=192.168.2.1
/ip firewall filter
add action=drop chain=input comment="Drop IPs from Blacklist" \
src-address-list=BlackList
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="Remote admin using winbox" dst-port=8291 protocol=\
tcp src-address-list=TrustedIP
add chain=input comment=IPSEC dst-port=1701 protocol=udp
add chain=input comment=NAT-Traversal dst-port=4500 protocol=udp
add chain=input comment=ESP dst-port=50 protocol=udp
add chain=input comment=IPSEC dst-port=500 protocol=udp
add chain=input comment="Remote admin using webfig 8780" dst-port=8780 \
protocol=tcp
add chain=input comment="Remote admin using api" dst-port=8728 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=SFP
add action=drop chain=input comment="default configuration" in-interface=\
G1-WAN
/ip firewall mangle
add action=add-src-to-address-list address-list=BlackList chain=prerouting \
comment="BlackList IPs accessing port 21 (ftp)" dst-port=21 protocol=tcp \
src-address-list=!TrustedIP
add action=add-src-to-address-list address-list=BlackList chain=prerouting \
comment="BlackList IPs accessing port 22 (ssh)" dst-port=22 protocol=tcp \
src-address-list=!TrustedIP
add action=add-src-to-address-list address-list=BlackList chain=prerouting \
comment="BlackList IPs accessing port 23 (telnet)" dst-port=23 protocol=\
tcp src-address-list=!TrustedIP
add action=add-src-to-address-list address-list=BlackList chain=prerouting \
comment="BlackList IPs accessing 3306 (mysql)" dst-port=3306 protocol=tcp \
src-address-list=!GoodGay
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=SFP
# Telia_E220 not ready
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=Telia_E220
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=G1-WAN to-addresses=0.0.0.0
add action=dst-nat chain=dstnat disabled=yes dst-address=78.69.49.180 \
dst-port=53 in-interface=G1-WAN protocol=tcp to-addresses=192.168.2.12 \
to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-address=78.69.49.180 \
dst-port=53 in-interface=G1-WAN protocol=udp to-addresses=192.168.2.12 \
to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-address=78.69.49.180 \
dst-port=6080 in-interface=G1-WAN protocol=tcp to-addresses=192.168.2.60 \
to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=78.69.49.180 \
dst-port=6021 in-interface=G1-WAN protocol=tcp to-addresses=192.168.2.60 \
to-ports=21
add action=dst-nat chain=dstnat disabled=yes dst-address=78.69.49.180 \
dst-port=6180 in-interface=G1-WAN protocol=tcp to-addresses=192.168.2.61 \
to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=78.69.49.180 \
dst-port=6121 in-interface=G1-WAN protocol=tcp to-addresses=192.168.2.61 \
to-ports=21
add action=dst-nat chain=dstnat comment=WWW dst-port=80 in-interface=G1-WAN \
protocol=tcp to-addresses=192.168.2.12 to-ports=80
add action=dst-nat chain=dstnat comment=POP3 dst-port=110 protocol=tcp \
to-addresses=192.168.2.12 to-ports=110
add action=dst-nat chain=dstnat comment=IMAP dst-address=95.109.69.54 \
dst-port=143 in-interface=SFP protocol=tcp to-addresses=192.168.2.12 \
to-ports=143
add action=dst-nat chain=dstnat dst-port=993 in-interface=SFP protocol=tcp \
to-addresses=192.168.2.12 to-ports=993
add action=dst-nat chain=dstnat comment=WebMail dst-address=95.109.69.54 \
dst-port=9998 in-interface=SFP protocol=tcp to-addresses=192.168.2.12 \
to-ports=9998
add action=dst-nat chain=dstnat comment=SMTP dst-address=95.109.69.54 \
dst-port=25 in-interface=SFP protocol=tcp to-addresses=192.168.2.12 \
to-ports=25
add action=dst-nat chain=dstnat comment=SMTP dst-address=95.109.69.54 \
dst-port=587 in-interface=SFP protocol=tcp to-addresses=192.168.2.12 \
to-ports=587
add action=dst-nat chain=dstnat disabled=yes dst-port=8021 in-interface=\
G1-WAN protocol=tcp to-addresses=192.168.2.25 to-ports=21
add action=dst-nat chain=dstnat disabled=yes dst-port=8023 in-interface=\
G1-WAN protocol=tcp to-addresses=192.168.2.25 to-ports=23
add action=dst-nat chain=dstnat comment=VoIP dst-address=95.109.69.54 \
dst-port=5060-5061 protocol=tcp to-addresses=192.168.2.10 to-ports=\
5060-5061
add action=dst-nat chain=dstnat comment=Kamera1 dst-address=95.109.69.54 \
dst-port=99 protocol=tcp to-addresses=192.168.1.231 to-ports=99
add action=dst-nat chain=dstnat comment=Kamera2 dst-address=95.109.69.54 \
dst-port=100 protocol=tcp to-addresses=192.168.1.232 to-ports=100
add action=dst-nat chain=dstnat comment=Kamera3 dst-address=95.109.69.54 \
dst-port=101 protocol=tcp to-addresses=192.168.2.233 to-ports=101
add action=dst-nat chain=dstnat comment=Kamera4 dst-address=95.109.69.54 \
dst-port=98 protocol=tcp to-addresses=192.168.1.234 to-ports=98
/ip service
set telnet address=192.168.2.0/24
set ftp address=192.168.2.0/24
set www address=\
85.197.152.129/32,192.168.2.0/24,192.168.1.0/24,85.197.139.215/32 port=\
8780
set ssh address=192.168.2.0/24
set api address=192.168.2.0/24,192.168.1.0/24
set winbox address=\
85.197.152.129/32,192.168.2.0/24,192.168.1.0/24,85.197.139.215/32
set api-ssl address=192.168.2.0/24,192.168.1.0/24
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add disabled=yes interface=G1-WAN type=external
add interface=bridge-local type=internal
add interface=SFP type=external
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Stockholm
/system clock manual
set time-zone=+01:00
/system identity
set name=DragonSlayer.RB
/system ntp client
set enabled=yes primary-ntp=192.36.134.17 secondary-ntp=192.36.134.25
/system routerboard usb
set usb-mode=force-host
/tool bandwidth-server
set authenticate=no enabled=no