I have a few CAPs whose management is on VLAN 99; they use local forwarding to drop the wireless traffic straight onto VLAN 54 (guest) or VLAN 52 (internal), depending on the SSID.
I am using VLAN mode in the CAPsMAN configuration so that I can use an access-list rule in CAPsMAN to force certain MAC addresses (e.g. the kids' devices and IoT) onto particular VLANs without needing several different SSIDs and bridges.
This all works fine on the remote CAPs. On my main router, however, I suspect that Bridge-vlans conflicts with all the other VLANs and bridges already set up: Bridge-vlans has ether1 as a bridge port, but VLANs 54 and 52 are also defined directly on ether1. I've configured the main router's local CAP to use the management bridge as its discovery interface instead of the VLAN interface directly.
The symptom is that when I connect a laptop to the SSID on the hAP ac (the main router) I don't get an IP address, so I don't think the traffic is being placed onto the correct VLAN.
How should I configure the local CAP on the main router so that it uses the CAPsMAN configuration correctly?
Thanks for wading through this!
Remote CAP config:
# Remote CAP: one bridge for the CAP datapath plus a VLAN 99 interface for management.
/interface bridge
add name=Bridge-vlans
/interface bridge port
# ether1 is the only static port of Bridge-vlans; the wlan interfaces are added to it by CAPsMAN
add bridge=Bridge-vlans interface=ether1
/interface vlan
# management VLAN is created on ether1 itself, not on the bridge
add interface=ether1 name="vlan99-Management" vlan-id=99
/ip dhcp-client
# the CAP gets its own address via DHCP on the management VLAN
add dhcp-options=hostname,clientid disabled=no interface=vlan99-Management
/interface wireless cap
# wlan1/wlan2 are handed to CAPsMAN; with local forwarding their client traffic lands on
# Bridge-vlans, and CAPsMAN is discovered via the management VLAN interface
set bridge=Bridge-vlans discovery-interfaces=vlan99-Management enabled=yes interfaces=wlan1,wlan2
/system ntp client
# NTP server is a 192.168.99.x address -- presumably on the management subnet (not shown here)
set enabled=yes primary-ntp=192.168.99.254
The local CAP config on the main router looks like this:
# Main router's local CAP: same datapath bridge as the remote CAPs, but CAPsMAN discovery goes
# via bridge-99-Management (the bridge that holds vlan99-Management on this box) rather than
# via the VLAN interface itself.
# NOTE(review): on this router Bridge-vlans has only ether1-LAN as a static port, while the
# vlan52/vlan54 interfaces that feed the per-VLAN bridges are created on ether1-LAN directly.
# Tagged frames from the CAP's wlan interfaces would therefore be switched out of ether1-LAN
# rather than into those VLAN interfaces -- consistent with wireless clients never reaching
# a DHCP server on this router. Verify before changing.
set bridge=Bridge-vlans discovery-interfaces=bridge-99-Management enabled=yes interfaces=wlan1,wlan2
/caps-man configuration
# Four configurations: two SSIDs (ssid1 -> VLAN 52, guest -> VLAN 54), each on 2.4 GHz and 5 GHz.
# All use WPA2-PSK with AES-CCM unicast and group ciphers, hourly group-key rotation, local
# forwarding with the client VLAN tagged by the CAP (datapath.vlan-mode=use-tag), and
# client-to-client forwarding off. Passphrases appear masked in this paste.
add channel.band=2ghz-b/g/n channel.extension-channel=eC country="united kingdom" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-id=52 datapath.vlan-mode=use-tag mode=ap name=cfg_ssid1 security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm \
security.group-key-update=1h security.passphrase=*** ssid=ssid1
add channel.band=5ghz-a/n/ac channel.extension-channel=eCee country="united kingdom" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-id=52 datapath.vlan-mode=use-tag mode=ap name=cfg_ssid1_5GHz security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm \
security.group-key-update=1h security.passphrase=*** ssid=ssid1
add channel.band=2ghz-b/g/n channel.extension-channel=eC country="united kingdom" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-id=54 datapath.vlan-mode=use-tag mode=ap name=cfg_guest security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm \
security.group-key-update=1h security.passphrase=**** ssid=guest
add channel.band=5ghz-a/n/ac channel.extension-channel=eCee country="united kingdom" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-id=54 datapath.vlan-mode=use-tag mode=ap name=cfg_guest_5GHz security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm \
security.group-key-update=1h security.passphrase=**** ssid=guest
/caps-man access-list
# Accept covers -75 dBm and stronger, reject covers -90 dBm and weaker; signals between -90 and
# -75 dBm match neither rule and fall through to the default behaviour.
# NOTE(review): no MAC-to-VLAN entries appear here although the post describes using them --
# presumably trimmed from the paste; confirm they exist and sit above these catch-all rules.
add action=accept disabled=no interface=all signal-range=-75..120 ssid-regexp=""
add action=reject disabled=no interface=all signal-range=-120..-90 ssid-regexp=""
/caps-man manager
# CAPs are offered packages from /pub; upgrade-policy only suggests a matching version
set enabled=yes package-path=/pub upgrade-policy=suggest-same-version
/caps-man provisioning
# One provisioning rule per band: ssid1 as the master AP with guest as the slave (virtual) AP
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg_ssid1 name-format=prefix-identity name-prefix=2G slave-configurations=cfg_guest
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg_ssid1_5GHz name-format=prefix-identity name-prefix=5G slave-configurations=cfg_guest_5GHz
[admin@hAPac-Main Router] /caps-man configuration> print
0 name="cfg_ssid1" mode=ap ssid="ssid1" country=united kingdom security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm security.group-key-update=1h security.passphrase="***" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-mode=use-tag
datapath.vlan-id=52 channel.band=2ghz-b/g/n channel.extension-channel=eC
1 name="cfg_ssid1_5GHz" mode=ap ssid="ssid1" country=united kingdom security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm security.group-key-update=1h security.passphrase="***" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-mode=use-tag
datapath.vlan-id=52 channel.band=5ghz-a/n/ac channel.extension-channel=eCee
2 name="cfg_guest" mode=ap ssid="guest" country=united kingdom security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm security.group-key-update=1h security.passphrase="****" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-mode=use-tag
datapath.vlan-id=54 channel.band=2ghz-b/g/n channel.extension-channel=eC
3 name="cfg_guest_5GHz" mode=ap ssid="guest" country=united kingdom security.authentication-types=wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm security.group-key-update=1h security.passphrase="****" datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-mode=use-tag
datapath.vlan-id=54 channel.band=5ghz-a/n/ac channel.extension-channel=eCee
The other relevant config on the main router looks like this:
/interface vlan
# One VLAN interface per network, all created directly on ether1-LAN (not on a bridge).
add disabled=yes interface=ether1-LAN name=vlan1-TPLink vlan-id=1
add interface=ether1-LAN name=vlan10-LAN vlan-id=10
add interface=ether1-LAN name=vlan51-Client-Admin vlan-id=51
add interface=ether1-LAN name=vlan52-Client-Parents vlan-id=52
add interface=ether1-LAN name=vlan53-Client-Kids vlan-id=53
add interface=ether1-LAN name=vlan54-Client-Guest vlan-id=54
add interface=ether1-LAN name=vlan61-IOT-Media vlan-id=61
add interface=ether1-LAN name=vlan62-IOT-HA vlan-id=62
add interface=ether1-LAN name=vlan63-IOT-CCTV vlan-id=63
add interface=ether1-LAN name=vlan71-Servers-General vlan-id=71
add interface=ether1-LAN name=vlan81-Servers-DMZ vlan-id=81
add interface=ether1-LAN name=vlan82-VOIP vlan-id=82
add interface=ether1-LAN name=vlan99-Management vlan-id=99
add interface=ether1-LAN name=vlan101-Guest vlan-id=101
/interface bridge
# Bridge-vlans is the CAP datapath bridge; each bridge-NN-* bridge wraps exactly one VLAN
# interface (see the bridge port section below).
add name=Bridge-vlans
add name=bridge-51-Client-Admin
add name=bridge-52-Client-Parents
add name=bridge-53-Client-Kids
add name=bridge-54-Client-Guest
add name=bridge-61-IOT-Media
add name=bridge-62-IOT-HA
add name=bridge-63-IOT-CCTV
add name=bridge-71-Servers-General
add name=bridge-81-Servers-DMZ
add name=bridge-82-VOIP
add name=bridge-99-Management
add fast-forward=no name=bridgeGuest
add fast-forward=no name=bridgeIOT
add fast-forward=no name=bridgeLAN
/interface bridge filter
# NOTE: every rule in this chain is disabled=yes, so none of this bridge-level isolation is
# currently enforced. The two rules with in-bridge=*C reference an object the export could not
# resolve by name (presumably a bridge that no longer exists) -- worth cleaning up.
add action=accept chain=forward disabled=yes in-bridge=bridge-63-IOT-CCTV
add action=accept chain=input comment=BridgeLAN-Input disabled=yes in-bridge=bridgeLAN
add action=accept chain=forward comment=BridgeLAN-Forward disabled=yes in-bridge=bridgeLAN out-bridge=bridgeLAN
add action=accept chain=input comment=BridgeManagement-Input disabled=yes in-bridge=*C
add action=accept chain=forward comment=BridgeManagement-Forward disabled=yes in-bridge=*C
add action=accept chain=forward comment="Safe Accept" disabled=yes
add action=accept chain=forward comment=BridgeLAN->BridgeGuest disabled=yes in-bridge=bridgeLAN out-bridge=bridgeGuest
add action=drop chain=input disabled=yes log-prefix=BridgeLAN-DropInput
add action=drop chain=forward disabled=yes log=yes log-prefix=BridgeLAN-DropForward
/interface bridge port
add bridge=bridgeLAN interface=vlan10-LAN
add bridge=bridgeGuest interface=vlan101-Guest
add bridge=bridge-51-Client-Admin interface=vlan51-Client-Admin
add bridge=bridge-52-Client-Parents interface=vlan52-Client-Parents
add bridge=bridge-53-Client-Kids interface=vlan53-Client-Kids
add bridge=bridge-54-Client-Guest interface=vlan54-Client-Guest
add bridge=bridge-61-IOT-Media interface=vlan61-IOT-Media
add bridge=bridge-62-IOT-HA interface=vlan62-IOT-HA
add bridge=bridge-63-IOT-CCTV interface=vlan63-IOT-CCTV
add bridge=bridge-71-Servers-General interface=vlan71-Servers-General
add bridge=bridge-81-Servers-DMZ interface=vlan81-Servers-DMZ
add bridge=bridge-82-VOIP interface=vlan82-VOIP
# ether1-LAN is a port of Bridge-vlans while also being the parent of every VLAN interface
# above. NOTE(review): this is the double role the post suspects -- tagged frames that the
# local CAP places on Bridge-vlans are switched out of ether1-LAN rather than into
# vlan52/vlan54 and their bridges, which would explain clients getting no DHCP lease.
# Verify before restructuring.
add bridge=Bridge-vlans interface=ether1-LAN
add bridge=bridge-99-Management interface=vlan99-Management
[admin@hAPac-Main Router] /interface bridge>