a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

CAPsMAN VLAN mode works on remote CAP, but not main router

Mon Sep 04, 2017 4:26 pm

I have a hAP-ac as my main home router. It runs CAPsMAN.

I have a few CAPs which have management on vlan99, and use local forwarding to drop the wireless traffic straight onto VLAN 54 (guest) or 52 (internal) depending on the SSID.
I am using the VLAN mode in the CAPs config so that I can use an access rule in CAPsMAN to force certain MAC addresses (e.g. kids' devices and IoT) onto particular VLANs without having several different SSIDs and bridges.

This is all working fine on the CAPs. However, on my main router, I suspect Bridge-vlans is conflicting with all the other VLANs and bridges already set up. For example, I have Bridge-vlans with a bridge port interface of ether1, but I also have VLANs 54 and 52 defined on ether1 separately. I've configured the main router CAP to use the discovery bridge instead of the VLAN directly.

The symptom is that when I connect a laptop to the SSID on the hAP-ac I don't get an IP address, so I don't think the traffic is being dropped onto the correct VLAN properly.

How should I configure the CAP on the main router to use the CAPSMAN config?

Thanks for wading through this!



remote CAP config
/interface bridge
add name=Bridge-vlans

/interface bridge port
add bridge=Bridge-vlans interface=ether1

/interface vlan
add interface=ether1 name="vlan99-Management" vlan-id=99

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=vlan99-Management

/interface wireless cap
set bridge=Bridge-vlans discovery-interfaces=vlan99-Management enabled=yes interfaces=wlan1,wlan2

/system ntp client
set enabled=yes primary-ntp=192.168.99.254

Local CAP on main router config looks like this
set bridge=Bridge-vlans discovery-interfaces=bridge-99-Management enabled=yes interfaces=wlan1,wlan2
CAPsMAN config looks like this
/caps-man configuration
add channel.band=2ghz-b/g/n channel.extension-channel=eC country="united kingdom" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-id=52 datapath.vlan-mode=use-tag mode=ap name=cfg_ssid1 security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm \
    security.group-key-update=1h security.passphrase=*** ssid=ssid1
add channel.band=5ghz-a/n/ac channel.extension-channel=eCee country="united kingdom" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-id=52 datapath.vlan-mode=use-tag mode=ap name=cfg_ssid1_5GHz security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm \
    security.group-key-update=1h security.passphrase=*** ssid=ssid1
add channel.band=2ghz-b/g/n channel.extension-channel=eC country="united kingdom" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-id=54 datapath.vlan-mode=use-tag mode=ap name=cfg_guest security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm \
    security.group-key-update=1h security.passphrase=**** ssid=guest
add channel.band=5ghz-a/n/ac channel.extension-channel=eCee country="united kingdom" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-id=54 datapath.vlan-mode=use-tag mode=ap name=cfg_guest_5GHz security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm \
    security.group-key-update=1h security.passphrase=**** ssid=guest
/caps-man access-list
add action=accept disabled=no interface=all signal-range=-75..120 ssid-regexp=""
add action=reject disabled=no interface=all signal-range=-120..-90 ssid-regexp=""
/caps-man manager
set enabled=yes package-path=/pub upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg_ssid1 name-format=prefix-identity name-prefix=2G slave-configurations=cfg_guest
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg_ssid1_5GHz name-format=prefix-identity name-prefix=5G slave-configurations=cfg_guest_5GHz




[admin@hAPac-Main Router] /caps-man configuration> print
 0 name="cfg_ssid1" mode=ap ssid="ssid1" country=united kingdom security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm security.group-key-update=1h security.passphrase="***" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-mode=use-tag 
   datapath.vlan-id=52 channel.band=2ghz-b/g/n channel.extension-channel=eC 

 1 name="cfg_ssid1_5GHz" mode=ap ssid="ssid1" country=united kingdom security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm security.group-key-update=1h security.passphrase="***" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-mode=use-tag 
   datapath.vlan-id=52 channel.band=5ghz-a/n/ac channel.extension-channel=eCee 

 2 name="cfg_guest" mode=ap ssid="guest" country=united kingdom security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm security.group-key-update=1h security.passphrase="****" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-mode=use-tag 
   datapath.vlan-id=54 channel.band=2ghz-b/g/n channel.extension-channel=eC 

 3 name="cfg_guest_5GHz" mode=ap ssid="guest" country=united kingdom security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm security.group-key-update=1h security.passphrase="****" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-mode=use-tag 
   datapath.vlan-id=54 channel.band=5ghz-a/n/ac channel.extension-channel=eCee 



Other config looks like this
/interface vlan
add disabled=yes interface=ether1-LAN name=vlan1-TPLink vlan-id=1
add interface=ether1-LAN name=vlan10-LAN vlan-id=10
add interface=ether1-LAN name=vlan51-Client-Admin vlan-id=51
add interface=ether1-LAN name=vlan52-Client-Parents vlan-id=52
add interface=ether1-LAN name=vlan53-Client-Kids vlan-id=53
add interface=ether1-LAN name=vlan54-Client-Guest vlan-id=54
add interface=ether1-LAN name=vlan61-IOT-Media vlan-id=61
add interface=ether1-LAN name=vlan62-IOT-HA vlan-id=62
add interface=ether1-LAN name=vlan63-IOT-CCTV vlan-id=63
add interface=ether1-LAN name=vlan71-Servers-General vlan-id=71
add interface=ether1-LAN name=vlan81-Servers-DMZ vlan-id=81
add interface=ether1-LAN name=vlan82-VOIP vlan-id=82
add interface=ether1-LAN name=vlan99-Management vlan-id=99
add interface=ether1-LAN name=vlan101-Guest vlan-id=101




/interface bridge
add name=Bridge-vlans
add name=bridge-51-Client-Admin
add name=bridge-52-Client-Parents
add name=bridge-53-Client-Kids
add name=bridge-54-Client-Guest
add name=bridge-61-IOT-Media
add name=bridge-62-IOT-HA
add name=bridge-63-IOT-CCTV
add name=bridge-71-Servers-General
add name=bridge-81-Servers-DMZ
add name=bridge-82-VOIP
add name=bridge-99-Management
add fast-forward=no name=bridgeGuest
add fast-forward=no name=bridgeIOT
add fast-forward=no name=bridgeLAN
/interface bridge filter
add action=accept chain=forward disabled=yes in-bridge=bridge-63-IOT-CCTV
add action=accept chain=input comment=BridgeLAN-Input disabled=yes in-bridge=bridgeLAN
add action=accept chain=forward comment=BridgeLAN-Forward disabled=yes in-bridge=bridgeLAN out-bridge=bridgeLAN
add action=accept chain=input comment=BridgeManagement-Input disabled=yes in-bridge=*C
add action=accept chain=forward comment=BridgeManagement-Forward disabled=yes in-bridge=*C
add action=accept chain=forward comment="Safe Accept" disabled=yes
add action=accept chain=forward comment=BridgeLAN->BridgeGuest disabled=yes in-bridge=bridgeLAN out-bridge=bridgeGuest
add action=drop chain=input disabled=yes log-prefix=BridgeLAN-DropInput
add action=drop chain=forward disabled=yes log=yes log-prefix=BridgeLAN-DropForward
/interface bridge port
add bridge=bridgeLAN interface=vlan10-LAN
add bridge=bridgeGuest interface=vlan101-Guest
add bridge=bridge-51-Client-Admin interface=vlan51-Client-Admin
add bridge=bridge-52-Client-Parents interface=vlan52-Client-Parents
add bridge=bridge-53-Client-Kids interface=vlan53-Client-Kids
add bridge=bridge-54-Client-Guest interface=vlan54-Client-Guest
add bridge=bridge-61-IOT-Media interface=vlan61-IOT-Media
add bridge=bridge-62-IOT-HA interface=vlan62-IOT-HA
add bridge=bridge-63-IOT-CCTV interface=vlan63-IOT-CCTV
add bridge=bridge-71-Servers-General interface=vlan71-Servers-General
add bridge=bridge-81-Servers-DMZ interface=vlan81-Servers-DMZ
add bridge=bridge-82-VOIP interface=vlan82-VOIP
add bridge=Bridge-vlans interface=ether1-LAN
add bridge=bridge-99-Management interface=vlan99-Management
[admin@hAPac-Main Router] /interface bridge> 

 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Re: CAPsMAN VLAN mode works on remote CAP, but not main router

Thu Sep 07, 2017 12:25 am

Hopefully a diagram will help.

Here's what I've configured. The portion in black and the remote CAPS work perfectly. The red shows what I am trying to do on my main router. I also tried attaching the CAP on the main router to ether 2, but that did not work either.

Any help much appreciated. Thanks!
MikrotikNetwork (1).png
 
uldis
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: CAPsMAN VLAN mode works on remote CAP, but not main router

Thu Sep 07, 2017 10:59 am

You need to move the VLAN interface from ether1 to the bridge interface, as that ether1 interface is a part of the bridge interface.
 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Re: CAPsMAN VLAN mode works on remote CAP, but not main router

Thu Sep 07, 2017 11:27 am

Hi Uldis, thanks for the reply. Would you mind clarifying please? Do you mean add a bridge port to "Bridge-vlans" on the main router to one of the vlans instead of directly to ether 1?

If I do that, then which VLAN do I use? I am changing the VLAN in a CAPsMAN access-list rule like this:
/caps-man access-list
add action=accept comment="Kids Tablet 1" disabled=no mac-address=D8:50:E6:****** ssid-regexp="" vlan-id=53 vlan-mode=use-tag
thanks
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: CAPsMAN VLAN mode works on remote CAP, but not main router

Thu Sep 07, 2017 2:51 pm

Hi Uldis, thanks for the reply. Would you mind clarifying please? Do you mean add a bridge port to "Bridge-vlans" on the main router to one of the vlans instead of directly to ether 1?
I'm not Uldis, but I think what he's saying is that you create a VLAN interface and add that to the bridge, a native bridge. I ran into this when creating a guest wifi over trunk ports.

So, my understanding is that you need at least two bridges, both with different IP schemes assigned to them. One bridge is for untagged, and the other for tagged (or however you want). Then you'll create a VLAN interface assigned to a physical port, then you add the physical port as a member of the vlan bridge, and the vlan interface itself should be a member of the native bridge. See my example in the link.
 
uldis
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: CAPsMAN VLAN mode works on remote CAP, but not main router

Thu Sep 07, 2017 5:46 pm

I am writing about this part below. I suggest putting the VLAN not on ether1 but on Bridge-vlans.
/interface bridge port
add bridge=Bridge-vlans interface=ether1

/interface vlan
add interface=ether1 name="vlan99-Management" vlan-id=99
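The conflict uldis is pointing at is a VLAN interface whose parent (ether1) is at the same time a member port of Bridge-vlans. The script below is an added example, not code from this thread or from MikroTik: it parses a RouterOS-style export (the two sample exports are constructed, modelled on the snippets posted above), reports every VLAN interface that is defined on a bridge-member port, and rewrites the same `/interface vlan add` lines with the parent moved to the bridge, which is the layout the thread converges on (bridge directly on ether1, VLANs and the CAP above it). The section headings it looks for (`/interface bridge port`, `/interface vlan`) are taken from the posted exports; the function names are the example's own.

```python
"""Flag VLAN interfaces defined on a port that is also a bridge member.

Added example for the CAPsMAN/VLAN thread; not MikroTik code. A VLAN
interface whose parent interface is itself a bridge port should be moved
onto the bridge, which is the change uldis recommends above.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the remote-CAP export posted in the thread:
# ether1 is a member of Bridge-vlans AND carries VLAN interfaces directly.
SAMPLE_EXPORT = """\
/interface bridge
add name=Bridge-vlans
/interface bridge port
add bridge=Bridge-vlans interface=ether1
/interface vlan
add interface=ether1 name="vlan99-Management" vlan-id=99
add interface=ether1 name=vlan52-Client-Parents vlan-id=52
/interface wireless cap
set bridge=Bridge-vlans discovery-interfaces=vlan99-Management enabled=yes interfaces=wlan1,wlan2
"""

# Constructed corrected layout: the VLAN interfaces sit on the bridge, not on ether1.
FIXED_EXPORT = """\
/interface bridge
add name=Bridge-vlans
/interface bridge port
add bridge=Bridge-vlans interface=ether1
/interface vlan
add interface=Bridge-vlans name="vlan99-Management" vlan-id=99
add interface=Bridge-vlans name=vlan52-Client-Parents vlan-id=52
/interface wireless cap
set bridge=Bridge-vlans discovery-interfaces=vlan99-Management enabled=yes interfaces=wlan1,wlan2
"""

# key=value pairs; values may be double-quoted (quotes are dropped).
_KV = re.compile(r'(\S+?)=("([^"]*)"|\S+)')


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group 'add'/'set' lines under their /path heading as key=value dicts.

    Lines ending in a backslash are joined with the next line, as in the
    multi-line configuration entries posted in the thread.
    """
    sections: Dict[str, List[Dict[str, str]]] = {}
    path = None
    pending = ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip() if pending else raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line:
            continue
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
            continue
        if path is None:
            continue
        verb, _, rest = line.partition(" ")
        entry = {"_verb": verb}
        for m in _KV.finditer(rest):
            entry[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
        sections[path].append(entry)
    return sections


def bridge_port_map(sections: Dict[str, List[Dict[str, str]]]) -> Dict[str, str]:
    """interface -> bridge for every /interface bridge port entry."""
    return {e["interface"]: e["bridge"]
            for e in sections.get("/interface bridge port", [])
            if "interface" in e and "bridge" in e}


def find_vlan_on_bridge_port(text: str) -> List[Tuple[str, str, str]]:
    """Return (vlan_name, parent_interface, bridge) for each VLAN interface
    whose parent is itself a bridge member port."""
    sections = parse_export(text)
    ports = bridge_port_map(sections)
    hits = []
    for vlan in sections.get("/interface vlan", []):
        parent = vlan.get("interface")
        if parent in ports:
            hits.append((vlan.get("name", "?"), parent, ports[parent]))
    return hits


def corrected_vlan_lines(text: str) -> List[str]:
    """Emit '/interface vlan add' lines with each offending parent moved to its bridge."""
    sections = parse_export(text)
    ports = bridge_port_map(sections)
    return [f'add interface={ports.get(v.get("interface"), v.get("interface"))} '
            f'name={v["name"]} vlan-id={v["vlan-id"]}'
            for v in sections.get("/interface vlan", [])]


if __name__ == "__main__":
    for name, parent, bridge in find_vlan_on_bridge_port(SAMPLE_EXPORT):
        print(f"{name}: parent {parent} is a port of {bridge}; define it on {bridge} instead")
    print("\n".join(corrected_vlan_lines(SAMPLE_EXPORT)))
```

Run against the first sample it reports both VLAN interfaces on ether1 and prints them re-parented to Bridge-vlans; the corrected sample produces no findings. The same check can be pointed at a full `/export` from the main router, where the long list of VLANs on ether1-LAN alongside the `Bridge-vlans` port on ether1-LAN is exactly the pattern it flags.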
 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Re: CAPsMAN VLAN mode works on remote CAP, but not main router

Sat Sep 09, 2017 2:54 am

Hi Uldis, I am sorry I am not clear - I think your reply says to change the configuration on the remote CAP. However, the remote CAP works fine. My devices will be put on the correct vlan according to the access list rule.

I have found your powerpoint - pages 33 to 36
https://mum.mikrotik.com/presentations/BR14/Uldis.pdf

My question is how to get the radios in the main router which also runs CAPSMAN to use the same CAPSMAN profiles?


Are you suggesting this configuration shown in red? This has the Bridge directly on Ether1, and then the VLANS and the CAP above it.
MikrotikNetwork (5).png

Hi PCunite, thank you for your reply. Unless I've misunderstood, I am not using the configurations in the diagrams linked from your post. I am using an access list rule in CAPSMAN which runs on the CAP and dynamically places the traffic directly on a vlan without needing the /interface vlans added in.

Thank you for your patience!
 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Re: CAPsMAN VLAN mode works on remote CAP, but not main router

Sun Sep 10, 2017 1:48 am

I tried configuring as per my revised diagram, and everything now works.

Thanks for the pointer Uldis and PCunite.

I have one remaining issue where 2 of my wireless devices do not get IP addresses and DHCP remains in the "offered" state. I will raise another thread for that one.
