
 
Chouby
just joined
Topic Author
Posts: 18
Joined: Fri Apr 07, 2017 3:49 am

CAPsMAN

Fri May 05, 2017 1:00 am

Hello everyone!

The setup:
one RB750Gr2 under 6.39.1
two RBwAPG-5HacT2HnD under 6.39.1

I use my primary RB750Gr2 to manage my two APs with CAPsMAN...

I got 3 SSIDs configured, one "admin" 5GHz, one "admin" 2.4 and one "guest" 2.4.

I see the three SSIDs, I'm able to connect to all three of them and I get a private 192.168.1.x address on both "admin" ones but no internet; I can only ping 192.168.1.1 (DHCP pool 192.168.1.100-254).
BUT I have a separate DHCP server for guest under 10.0.0.1 which serves 10.0.0.100-254, and it pings 8.8.8.8 and internet works well on guest only......

The configs are the "same", only the DHCP binding and bridge are different..

Any idea?! ;)

Thanks

Dave
 
Revelation
Member
Posts: 338
Joined: Fri Dec 25, 2015 5:59 am

Re: CAPsMAN

Fri May 05, 2017 1:03 am

Without seeing the rest of your config, I'd start with double-checking your NAT and Firewall.
 
Chouby
just joined
Topic Author
Posts: 18
Joined: Fri Apr 07, 2017 3:49 am

Re: CAPsMAN

Fri May 05, 2017 1:44 am

> Without seeing the rest of your config, I'd start with double-checking your NAT and Firewall.
Sure,

Firewall
Image

NAT
Image
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: CAPsMAN

Fri May 05, 2017 3:44 pm

It does say nothing.
/export hide-sensitive
 
Chouby
just joined
Topic Author
Posts: 18
Joined: Fri Apr 07, 2017 3:49 am

Re: CAPsMAN

Fri May 05, 2017 8:08 pm

> It does say nothing.
> /export hide-sensitive
:-o
[admin@MikroTik] > /export hide-sensitive

# may/05/2017 13:14:16 by RouterOS 6.39.1
# software id = PGU7-MYBT
#
/interface bridge
add mtu=1500 name=Guest
add mtu=1500 name=OfficeNet
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/caps-man configuration
add datapath.bridge=OfficeNet name=OfficeNet security.authentication-types=wpa-psk,wpa-eap security.encryption=aes-ccm,tkip security.group-encryption=\
    aes-ccm ssid=Office
add datapath.bridge=Guest name=Guest security.authentication-types=wpa-psk,wpa-eap security.encryption=aes-ccm,tkip security.group-encryption=aes-ccm \
    ssid=Guesttata
/caps-man interface
add channel.band=2ghz-b/g/n configuration=OfficeNet configuration.hide-ssid=no configuration.mode=ap configuration.ssid=Testzouiz datapath.bridge=\
    OfficeNet disabled=no l2mtu=1600 mac-address=6C:3B:6B:B7:0B:48 master-interface=none name=cap1 radio-mac=6C:3B:6B:B7:0B:48 \
    security.authentication-types=wpa-psk security.encryption=aes-ccm,tkip security.group-encryption=aes-ccm
add channel.band=5ghz-a/n/ac configuration=OfficeNet configuration.hide-ssid=no configuration.mode=ap configuration.ssid=Test5 datapath.bridge=OfficeNet \
    disabled=no l2mtu=1600 mac-address=6C:3B:6B:B7:0B:47 master-interface=none name=cap2 radio-mac=6C:3B:6B:B7:0B:47 security.authentication-types=\
    wpa-psk security.encryption=aes-ccm,tkip security.group-encryption=aes-ccm
add channel.band=2ghz-b/g/n configuration=Guest configuration.hide-ssid=no configuration.mode=ap configuration.ssid="FBI Guest" datapath.bridge=Guest \
    disabled=no l2mtu=1600 mac-address=6E:3B:6B:B7:0B:48 master-interface=cap1 name=cap3 radio-mac=00:00:00:00:00:00 security.authentication-types=\
    wpa-psk security.encryption=aes-ccm,tkip security.group-encryption=aes-ccm
/ip firewall layer7-protocol
add name=Block regexp="^.+(youporn.com|pornhub.com).*\$"
add name=Youtube regexp="^.+(https://www.youtube.com).*\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
add name=vpn-pool ranges=192.168.10.10-192.168.10.20
add name=OfficeNet ranges=192.168.100.2-192.168.100.254
add name=GuestPool ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2-master-local name=default
add address-pool=dhcp disabled=no interface=OfficeNet name=CAP
add address-pool=GuestPool disabled=no interface=Guest name=dhcp2
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.10.1 name=pptp_profile remote-address=vpn-pool use-encryption=yes
add change-tcp-mss=yes local-address=vpn-pool name=l2tp-profile remote-address=vpn-pool use-encryption=required
/queue tree
add disabled=yes name=Stable-Ping packet-mark=Ping-Packet parent=global
/system logging action
set 1 disk-file-name=log
/user group
add name=sniffer policy=ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=OfficeNet name-prefix=AP
/interface l2tp-server server
set authentication=mschap2 caller-id-type=ip-address default-profile=l2tp-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=192.168.1.215/32
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=ether2-master-local network=192.168.1.0
add address=192.168.1.1/24 interface=OfficeNet network=192.168.1.0
add address=10.0.0.1/24 interface=Guest network=10.0.0.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.1.81 comment="Insteon controller" mac-address=00:0E:F3:3C:B2:0A server=default
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1,8.8.8.8 gateway=10.0.0.1 netmask=24
add address=192.168.1.0/24 comment="default configuration" dns-server=192.168.1.1,8.8.8.8 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
add action=reject chain=forward connection-limit=100,32 layer7-protocol=Youtube log-prefix=porn reject-with=icmp-network-unreachable tcp-flags=""
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=Stable-Ping passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=Stable-Ping new-packet-mark=Ping-Packet passthrough=no protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat dst-address=192.168.1.50 dst-port=0-65000 out-interface=ether2-master-local protocol=tcp src-address=192.168.1.0/24
/ip ipsec peer
add address=0.0.0.0/0 comment=cs enc-algorithm=aes-256,aes-192,aes-128,3des,des exchange-mode=main-l2tp generate-policy=port-strict passive=yes
/ip route
add disabled=yes distance=1 gateway=172.102.16.153
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp aaa
set use-radius=yes
/ppp secret
add name=davep profile=pptp_profile
/system clock
set time-zone-name=America/Toronto
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
[admin@MikroTik] > 
 
Chouby
just joined
Topic Author
Posts: 18
Joined: Fri Apr 07, 2017 3:49 am

Re: CAPsMAN

Mon May 08, 2017 12:07 am

Anyone?
 
Chouby
just joined
Topic Author
Posts: 18
Joined: Fri Apr 07, 2017 3:49 am

Re: CAPsMAN

Tue May 09, 2017 11:02 pm

My network is not working... Anyone pleaassee!! :) Only the guest wifi is working...
 
mikronsultiK
just joined
Posts: 23
Joined: Wed Feb 01, 2017 12:57 am
Location: Italy

Re: CAPsMAN

Wed May 10, 2017 1:36 am

> /ip route
> add disabled=yes distance=1 gateway=172.102.16.153
why default gateway is disabled?
IP Networking / Mikrotik Consultant
mikronsultik [at] gmail.com
skype mikronsultik
 
Chouby
just joined
Topic Author
Posts: 18
Joined: Fri Apr 07, 2017 3:49 am

Re: CAPsMAN

Thu May 11, 2017 2:17 am

> /ip route
> add disabled=yes distance=1 gateway=172.102.16.153
> why default gateway is disabled?
Because I had a static IP before.. I didn't delete it yet.. I'm DHCP from my isp now..
 
Chouby
just joined
Topic Author
Posts: 18
Joined: Fri Apr 07, 2017 3:49 am

Re: CAPsMAN

Mon May 15, 2017 7:04 pm

:-| :(
 
Chouby
just joined
Topic Author
Posts: 18
Joined: Fri Apr 07, 2017 3:49 am

Re: CAPsMAN

Mon May 15, 2017 8:37 pm

I'm trying to troubleshoot myself and I see this but I don't understand why it is not going out on WAN....

Image

It's my Google Pixel pinging google DNS... but no answer

Any idea?
 
cdiedrich
Forum Veteran
Posts: 928
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: CAPsMAN

Tue May 16, 2017 4:23 pm

Just a gut feeling:
What WAN-facing device is your router connected to?
Are you sure your dhcp-client receives a public IP address?
Could it be the device somehow fell back into "home router" mode and gives out addresses in the same range (192.168.1.0/24) as you are using?

-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
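
The address-range question raised in the post above can be checked mechanically against the `/ip address` lines of the export posted earlier in the thread. This is an added example, not part of the original thread; the function names and the WAN lease value `192.168.1.23/24` are constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations

# "/ip address" lines copied from the export posted in this thread.
EXPORT_IP_ADDRESS = """\
add address=192.168.1.1/24 comment="default configuration" interface=ether2-master-local network=192.168.1.0
add address=192.168.1.1/24 interface=OfficeNet network=192.168.1.0
add address=10.0.0.1/24 interface=Guest network=10.0.0.0
"""

def parse_addresses(section):
    """Return [(interface, IPv4Interface)] for each 'add' line of an /ip address section."""
    entries = []
    for line in section.splitlines():
        if not line.lstrip().startswith("add "):
            continue
        addr = re.search(r"(?:^|\s)address=(\S+)", line)
        iface = re.search(r"(?:^|\s)interface=(\S+)", line)
        if addr and iface:
            entries.append((iface.group(1), ipaddress.ip_interface(addr.group(1))))
    return entries

def find_overlaps(entries):
    """Return pairs of different interfaces whose connected networks overlap."""
    hits = []
    for (if_a, ip_a), (if_b, ip_b) in combinations(entries, 2):
        if if_a != if_b and ip_a.network.overlaps(ip_b.network):
            hits.append((if_a, if_b, str(ip_a.network), str(ip_b.network)))
    return hits

def check(section, wan_iface=None, wan_lease=None):
    """Check static addresses, optionally adding the lease the DHCP client received."""
    entries = parse_addresses(section)
    if wan_iface and wan_lease:
        entries.append((wan_iface, ipaddress.ip_interface(wan_lease)))
    return find_overlaps(entries)

if __name__ == "__main__":
    # Static addresses from the export only.
    for hit in check(EXPORT_IP_ADDRESS):
        print("overlap:", hit)
    # Constructed lease: an upstream device handing out 192.168.1.0/24 addresses.
    for hit in check(EXPORT_IP_ADDRESS, "ether1-gateway", "192.168.1.23/24"):
        print("overlap with WAN lease:", hit)
```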
