• Dual ISPs with auto-failover
• Complete removal of AT&T router ("residential gateway") from the picture

• Disaggregation of routing and wifi into separate solutions
• Switched managed Ethernet
• Redundancy
• Power over Ethernet to allow centralized UPS

• VLAN separation of Guest, Primary, IOT, Neighbor, and VOIP networks

• Centrally managed access points
• Roaming / Hand-off improvements
• Higher overlapping coverage at lower radio power rates

• Port Forwarding over VLAN
• Secure DNS

• 1 x Mikrotik RB5009UPr+s+IN Router using RouterOS 7.15beta8 [arm64]
• 2 x Mikrotik CRS109-8G-1S-2HnD Router/Switch/APs running RouterOS 7.15beta8 [mips]
• 3 x Mikrotik cAP AC (RBcAPGi-5acD2nD) using RouterOS 7.15beta8 + wireless-qcom-ac [arm]

VLAN  |IP                |Usage
------|------------------|-----------------
 100  |192.168.100.0/24  |Base / Management
 200  |192.168.120.0/24  |Normal LAN 
 300  |192.168.130.0/24  |Guest / IOT 
 400  |192.168.140.0/24  |VOIP
 500  |192.168.150.0/24  |Neighbor

• For each subnet addresses `.1` through `.39` are reserved for static IP assignment. `.1` is the router.
• The WAN ports are not on VLANs
• Once configured, you will need to make a port be on `VLAN 100` to use WinBox.

• `192.168.100.1`
• The EAP Authentication protocol requires a set system clock. DHCP requires EAP. NTP requies DHCP. This means you can't set the clock over the internet because of a chicken-n-egg problem. Make sure `mikro1.rsc` is modified with the current time before programming it. Or, if you have a local NTP server, use that.
• You will need to coax your authentication keys out of your AT&T gateway so you can run in `supplicant mode`.
• DNS is setup to use DNS over HTTP (DOH) which requires some certificates and hurdles.

• `192.168.100.2`
• `192.168.100.3`
• The radio in the switches are not part of CapsMAN
• I create a "backup" SSID out of these that should work if I need to hookup the old router, or if for some other reason CapsMAN fails.
• One of the APs is chained off of `sw1` due to physical topology'
• Uplink is ether0 to because that is the POE IN port

• `192.168.100.11`
• `192.168.100.12` (config not included)
• `192.168.100.13` (config not included)

• `/system reset-configuration run-after-reset=wap.rsc` does not seem to work. I still had to manually load the file after reset
• Resetting into CAP mode (hold reset button till it gets to it's second mode after blinking) is a better starting point
• Certificates will be auto-provisioned by CapsMAN
• Whenever you do a `/system reset-configuration` on the router, it doesn't have the ability of saving the certificate keys, so unless you are managing your certificates outside of RouterOS, you'll need to clear the certs on EACH access point
  • `/interface wireless cap set enabled=no`
  • `/certificate print`
  • `/certificate remove numbers=1,0`
  • `/interface wireless cap set enabled=yes`
• I scripted the mode button so that it will toggle the LEDs between "always on" and "turn off after 1h"

• DFS is the middle part of the spectral sandwich which requires fancy driver support and regulatory signoff
• 802.11ac requires 80MHz channels, made up of 4 x 20MHz channels
• For any given 80 MHz chunk, there are 4 possible assignments, depending on which one you make the control channel
  • This is what gives you the `Ceee` `eCee` `eeCe` `eeeC` "walking ones" pattern. I tried to depict this above
  • I only defined the channels that worked for my region
• I use WiFi analyzer (Windows, Android) to do a survey of least-busy bands at each AP physical location

• https://www.youtube.com/watch?v=37aff6d14Xk
• https://www.youtube.com/watch?v=vkWPlsuyuKE
• https://www.reddit.com/r/mikrotik/comme ... fi_wave_2/
• viewtopic.php?t=202578
• viewtopic.php?t=205552
• viewtopic.php?t=202476
• viewtopic.php?t=202565

• https://wiki.mikrotik.com/wiki/Manual:C ... Management
• https://help.mikrotik.com/docs/display/ ... figuration

• https://mum.mikrotik.com/presentations/ ... 151116.pdf

• https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs
• https://wiki.mikrotik.com/wiki/Manual:S ... sMAN_setup
• viewtopic.php?t=152188
• https://wiki.mikrotik.com/wiki/Manual:CAPsMAN_tips
• https://mum.mikrotik.com/presentations/BR14/Uldis.pdf
• viewtopic.php?t=158379
• https://www.reddit.com/r/mikrotik/comme ... n_cap_man/
• viewtopic.php?t=155429
• https://www.gonscak.sk/?p=575

• viewtopic.php?t=136476
• viewtopic.php?t=125026
• https://wiki.mikrotik.com/wiki/Manual:Spectral_scan
• viewtopic.php?t=150463
• viewtopic.php?f=7&t=149815&p=737784#p737784
• http://www.revolutionwifi.net/revolutio ... nning.html
• https://netbeez.net/blog/dfs-channels-wifi/
• https://en.wikipedia.org/wiki/IEEE_802.11ac
• https://en.wikipedia.org/wiki/List_of_W ... j/n/ac/ax)
• http://www.revolutionwifi.net/revolutio ... -with.html
• https://systemzone.net/mikrotik-wifi-fr ... planation/

• viewtopic.php?t=127742
• viewtopic.php?t=132817
• https://forum.openwrt.org/t/mikrotik-ca ... t/57828/28
• https://github.com/openwrt/openwrt/pull/3037

• viewtopic.php?t=143620
• viewtopic.php?t=155266
• viewtopic.php?t=163650
• viewtopic.php?t=160224

• `arm64` - `RB5009` Router. No wireless driver
• `arm` - `capAC` WAP. `wifi-qcom-ac` driver
• `mips` - `crs109`. `wireless` driver

brew tap homebrew/cask-versions                                                                                                                                
brew install --cask --no-quarantine wine-devel
killall wineserver                                                                                                                                                       
wine64 winbox64.exe

• wireless-qcom-ac on a cAPac, new CapsMAN, 3 SSIDs on 3 VLANs. The 2 VLAN solution is already a kludge.

I know that on the bridge vlan config, the untagged are automatically added but I like to see them in the config so that I can track them visually. To me they appear to be missing and its mildly confusing LOL. OP preference I suppose, no argument.

On the input chain I do have some points.
Discussion: There is absolutely no need on security principles to let any user on any vlan full access to the router. Limit it only to the admin.
Any services that users may need, provide access to the router for those services.
As for the last rule, thats what I use, so your third last rule - drop anything not coming from the LAN, is useless as the last rule already covers that and more.

Discussion, ipsec rules should go before fastrack. The port forwarding rules and extra bloat blocking were confusing at best and way to complex. Simplify to a clear allow port forwarding rule. The drop all rule covers everything else not explicitly permitted so you are done!! :-)

ip firewall filter
# input services the local router only at all the .1 addresses
add chain=input   action=accept               connection-state=established,related,untracked
add chain=input   action=drop                 connection-state=invalid
add chain=input   action=accept               protocol=icmp
add chain=input   action=accept               dst-port=53 in-interface-list=VLAN protocol=udp
add chain=input   action=accept               dst-port=53 in-interface-list=VLAN protocol=tcp
add chain=input   action=accept               in-interface-list=BASE comment="Allow Management Vlan Full Access"
add chain=input   action=drop

# forward services the NAT / Routing
add chain=forward action=accept               ipsec-policy=in,ipsec
add chain=forward action=accept               ipsec-policy=out,ipsec
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept               connection-state=established,related,untracked
add chain=forward action=drop                 connection-state=invalid
add chain=forward action=accept               connection-state=new in-interface-list=VLAN out-interface-list=WAN
add chain=forward action=accept               connection-state=new in-interface-list=BASE out-interface-list=WAN
add chain=forward action=accept               connection-nat-state=dstnat comment="For port forwarding to VLANs"
add chain=forward action=drop

Dont know about proprietary crap but I use firewall rules to allow users on vlans to access a printer on another vlan.

• DOH is a lot more stable w/ 6.48
• Moved switch port uplink to ethernet0 since that's the POE in port. Recently bought a big UPS, so moved everything over to POE to centralize the power point.

It was a serious pain in the ass and took a lot of hours. Good news is the EAP supplicant stuff just worked, no fiddling.

Welp... my RB4011 bit the dust :/

Capacs take minutes to setup and dont change very often

The only reason to use capsman is two fold.
a. You have all AX devices and thus can really benefit from all standards to make handover smoother.