I'm stuck with basic Capsman, VLANs configuration on my RB4011 (with WiFi - Routerboard MikroTik RB4011iGS+RM).
My goal is very simple, I would like to have RB4011 as primary firewall, with WiFi configured via Capsman, to have Guest network (and in future other like IOT networks), of course thinking to have separate VLANs for each usage.
I followed a lot of configuration, a lot of articles, but was unable get it working properly.
My issues/questions:
1, Have RB4011 configured (script below, trying to use simple as possible with default config + tutorial sample) - and with hAP ac2 connected I was able to see all WiFis and connect to them - get proper IPs via DHCP. But when I try to connect to my RB4011 Wifi (means local CAP, turning off ac2), only the master wifi - WORK is working, the slave - WiFi_GUEST is "connected", see it in Registration table, but I cannot get IP... cannot find why. Any idea? Although it takes minute to initialize 5G, but I think because the configuration is "simple" (testing config).
2, What is the best practice for this "simple" configuration - Like how many VLANS, Bridges, ...? Basic idea:
- LAN network - trusted devices connected via etherx + Wifi WORK - want have device visible, same network
- Guest network - Wifi GUEST devices only, not visible to each other
- Other network "copy" as Guest
- maybe there will be some visibility between networks, like accessing Printers via AirPrint, ...
I was thinking to have LAN on default VLAN (1) or untagged - bridge1 - and have only VLANS for separate networks - using separate bridge for each other network. I don't know on which etherX port will listen other APs.
And of course, I would like to have OpenVPN/L2TP access to LAN in some way, but this is another topic.
Note: WAN on ether1
Sample script, followed by https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs
Code: Select all
# jun/09/2021 16:16:10 by RouterOS 6.48.3
# software id = GHKV-BM8V
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D43B0EB9B86B
/caps-man configuration
add country="czech republic" datapath.local-forwarding=yes datapath.vlan-id=\
10 datapath.vlan-mode=use-tag name=Config_WORK \
security.authentication-types=wpa-psk,wpa2-psk security.passphrase=\
12345678 ssid=WiFi_WORK
add country="czech republic" datapath.local-forwarding=yes datapath.vlan-id=\
20 datapath.vlan-mode=use-tag name=Config_GUEST \
security.authentication-types=wpa-psk,wpa2-psk security.passphrase=\
12345678 ssid=WiFi_GUEST
/interface bridge
add admin-mac=2C:C8:1B:08:40:B9 auto-mac=no comment=defconf name=bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge secondary-channel=auto ssid=MikroTik-0840C3 \
wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(17dBm), SSID: WiFi_WORK, local forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-E6ED0A wireless-protocol=802.11
/interface vlan
add interface=bridge name=VLAN10 vlan-id=10
add interface=bridge name=VLAN20 vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 name=dhcp10
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_WORK \
slave-configurations=Config_GUEST
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged=ether2,ether3 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=ether2,ether3 untagged=ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
#
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.88.0/24 caps-manager=192.168.88.1 comment=defconf \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Prague
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
George