JiriCZ
just joined
Topic Author
Posts: 3
Joined: Wed Jun 09, 2021 11:48 am

Capsman, Guest SSID, simple VLANs - Basics

Wed Jun 09, 2021 6:03 pm

Hello,

I'm stuck with a basic CAPsMAN/VLAN configuration on my RB4011 (with WiFi - RouterBOARD MikroTik RB4011iGS+RM).

My goal is very simple: I would like to have the RB4011 as the primary firewall, with WiFi configured via CAPsMAN, and to have a Guest network (and in the future others, like an IoT network), of course with separate VLANs for each usage.
I followed a lot of configurations and a lot of articles, but was unable to get it working properly.

My issues/questions:
1. I have the RB4011 configured (script below; trying to keep it as simple as possible, default config + tutorial sample). With the hAP ac2 connected I was able to see all WiFis, connect to them and get proper IPs via DHCP. But when I try to connect to the RB4011's own WiFi (meaning the local CAP, with the ac2 turned off), only the master WiFi, WORK, is working; the slave, WiFi_GUEST, is "connected" (I see it in the registration table), but I cannot get an IP... I cannot find why. Any idea? It also takes a minute to initialize 5G, but I think that is because the configuration is "simple" (testing config).

2. What is the best practice for this "simple" configuration, like how many VLANs, bridges, ...? Basic idea:
- LAN network: trusted devices connected via etherX + WiFi WORK; I want the devices visible to each other, same network
- Guest network: WiFi GUEST devices only, not visible to each other
- Other networks: a "copy" of Guest
- maybe there will be some visibility between networks, like accessing printers via AirPrint, ...
I was thinking of having the LAN on the default VLAN (1) or untagged on bridge1, and having VLANs only for the separate networks, using a separate bridge for each other network. I don't know on which etherX port the other APs will be connected.
And of course I would like to have OpenVPN/L2TP access to the LAN in some way, but that is another topic.
Note: WAN is on ether1

Sample script, following https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs
# jun/09/2021 16:16:10 by RouterOS 6.48.3
# software id = GHKV-BM8V
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D43B0EB9B86B
/caps-man configuration
add country="czech republic" datapath.local-forwarding=yes datapath.vlan-id=\
    10 datapath.vlan-mode=use-tag name=Config_WORK \
    security.authentication-types=wpa-psk,wpa2-psk security.passphrase=\
    12345678 ssid=WiFi_WORK
add country="czech republic" datapath.local-forwarding=yes datapath.vlan-id=\
    20 datapath.vlan-mode=use-tag name=Config_GUEST \
    security.authentication-types=wpa-psk,wpa2-psk security.passphrase=\
    12345678 ssid=WiFi_GUEST
/interface bridge
add admin-mac=2C:C8:1B:08:40:B9 auto-mac=no comment=defconf name=bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge secondary-channel=auto ssid=MikroTik-0840C3 \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(17dBm), SSID: WiFi_WORK, local forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-E6ED0A wireless-protocol=802.11
/interface vlan
add interface=bridge name=VLAN10 vlan-id=10
add interface=bridge name=VLAN20 vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 name=dhcp10
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_WORK \
    slave-configurations=Config_GUEST
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged=ether2,ether3 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=ether2,ether3 untagged=ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.88.0/24 caps-manager=192.168.88.1 comment=defconf \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Prague
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I spent 4 days trying to find a solution and to learn MikroTik networking, but I'm stuck now. Any help is appreciated.

George
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Capsman, Guest SSID, simple VLANs - Basics

Thu Jun 10, 2021 2:51 pm

CAPsMAN when just starting out is not a good idea, IMHO.
First learn how to configure the router, and also learn how to configure WiFi on its own.
Learn how to handle VLANs on their own.

CAPsMAN is another layer of configuration on top that will slow you down, frustrate you and take much longer than needed.

For learning VLANs, read this article! It will get you 90% of the way to doing what you need.
viewtopic.php?f=23&t=143620
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Capsman, Guest SSID, simple VLANs - Basics

Thu Jun 10, 2021 4:17 pm

In general I don't recommend using the bridge for anything but bridging, and thus recommend removing the subnet from it and just putting it on another VLAN.
Then it becomes much clearer what is going on.
 
JiriCZ
just joined
Topic Author
Posts: 3
Joined: Wed Jun 09, 2021 11:48 am

Re: Capsman, Guest SSID, simple VLANs - Basics

Fri Jun 18, 2021 12:20 pm

Hi,

Thanks for the responses. Although I am new to networking, and especially MikroTik networking, I'm an IT guy (developer) and I understand the basics. And of course I went through tons of articles and materials :-), but I need to learn more, as always :-)

Finally, I was able to get it running, so now CAPsMAN works on both devices, my primary RB4011 router and the hAP ac2 (which was already working). The issue with CAPsMAN on the RB4011 was in my CAP configuration... to fix it I ended up with 1 bridge and 2 VLANs under it.

Jiri
 
serkbugs
just joined
Posts: 1
Joined: Fri Jun 18, 2021 8:48 pm

Re: Capsman, Guest SSID, simple VLANs - Basics

Sun Jun 20, 2021 6:36 pm

Would you mind posting your final configuration?
I have the same dilemma, and VLANs drive me crazy :)
 
JiriCZ
just joined
Topic Author
Posts: 3
Joined: Wed Jun 09, 2021 11:48 am

Re: Capsman, Guest SSID, simple VLANs - Basics

Mon Jul 26, 2021 5:13 pm

Hi serkbugs,

Sorry for the late reply, but unfortunately I don't have access to the RB anymore; it's deployed.
The only thing I did, as I mentioned, was to select the proper bridge on the router (Wireless - CAP - Bridge). Then it started working on the "master" router as well.

Jiri
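Added example, not the poster's final export (which is not on the page): a reconstruction, in RouterOS 6.48 syntax, of the layout the thread ends on. It applies the three points the thread names: one bridge with the VLANs under it (JiriCZ's fix), the router's own LAN address on a VLAN interface rather than on the bridge itself (anav's advice), and the local CAP explicitly bound to that bridge (Wireless > CAP > Bridge). VLAN 99 for the management/LAN network, ether4 as the trunk to the hAP ac2, the pool ranges and the firewall rules for the "guests not visible to each other / not reaching the LAN" goal are my assumptions; VLAN IDs 10/20, subnets and SSIDs are the ones from the first post, and the passphrases are placeholders.

```routeros
# Added example: single-bridge CAPsMAN with local forwarding, RouterOS 6.x.
# Assumptions (not from the thread): VLAN 99 = management/LAN, ether4 = trunk
# to the hAP ac2, ether2/ether3 = trusted LAN ports, WAN on ether1 (as posted).

/interface bridge
add name=bridge comment="the only bridge; vlan-filtering is switched on last"

/interface bridge port
add bridge=bridge interface=ether2 pvid=99 comment="trusted LAN, untagged 99"
add bridge=bridge interface=ether3 pvid=99 comment="trusted LAN, untagged 99"
add bridge=bridge interface=ether4 pvid=99 comment="hAP ac2: mgmt untagged, 10/20 tagged"
# wlan1/wlan2 are deliberately not added here: with local forwarding the CAP
# adds them to the bridge named in /interface wireless cap as dynamic ports.

/interface bridge vlan
add bridge=bridge vlan-ids=99 tagged=bridge untagged=ether2,ether3,ether4
# The CAP inserts the 802.1Q tag itself (vlan-mode=use-tag), so the wlan
# ports are tagged members of their SSID's VLAN, like the trunk port.
add bridge=bridge vlan-ids=10 tagged=bridge,ether4,wlan1,wlan2
add bridge=bridge vlan-ids=20 tagged=bridge,ether4,wlan1,wlan2

/interface vlan
add interface=bridge name=VLAN99 vlan-id=99 comment="management/LAN (router address lives here, not on the bridge)"
add interface=bridge name=VLAN10 vlan-id=10 comment="WiFi_WORK"
add interface=bridge name=VLAN20 vlan-id=20 comment="WiFi_GUEST"

/interface list member
add interface=VLAN99 list=LAN
add interface=ether1 list=WAN

/ip address
add address=192.168.88.1/24 interface=VLAN99
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20

/ip pool
add name=pool99 ranges=192.168.88.10-192.168.88.254
add name=pool10 ranges=192.168.10.10-192.168.10.254
add name=pool20 ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add name=dhcp99 interface=VLAN99 address-pool=pool99 disabled=no
add name=dhcp10 interface=VLAN10 address-pool=pool10 disabled=no
add name=dhcp20 interface=VLAN20 address-pool=pool20 disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

/caps-man datapath
add name=dp_work bridge=bridge local-forwarding=yes vlan-mode=use-tag vlan-id=10
# Guests must not see each other: client-to-client forwarding off on the guest datapath.
add name=dp_guest bridge=bridge local-forwarding=yes vlan-mode=use-tag vlan-id=20 client-to-client-forwarding=no
/caps-man security
# WPA2/AES only; the posted config also allowed wpa-psk (WPA1), which is not needed.
add name=sec_work authentication-types=wpa2-psk encryption=aes-ccm passphrase="CHANGE-ME-work"
add name=sec_guest authentication-types=wpa2-psk encryption=aes-ccm passphrase="CHANGE-ME-guest"
/caps-man configuration
add name=Config_WORK ssid=WiFi_WORK country="czech republic" datapath=dp_work security=sec_work
add name=Config_GUEST ssid=WiFi_GUEST country="czech republic" datapath=dp_guest security=sec_guest
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_WORK slave-configurations=Config_GUEST

# The local CAP on the RB4011 itself. 'bridge=' is the Wireless > CAP > Bridge
# setting the thread identifies as the missing piece on the master router.
/interface wireless cap
set enabled=yes caps-man-addresses=127.0.0.1 interfaces=wlan1,wlan2 bridge=bridge

/ip firewall filter
# These must sit after the defconf established/related accepts and BEFORE the
# defconf "drop all not coming from LAN" input rule (use place-before= or move
# them in WinBox); 'add' alone appends them to the end of the chain.
add chain=input in-interface=VLAN20 protocol=udp dst-port=53,67 action=accept comment="guest: DNS and DHCP from the router only"
add chain=input in-interface=VLAN20 action=drop comment="guest: no other access to the router"
add chain=forward in-interface=VLAN20 out-interface-list=WAN action=accept comment="guest -> internet"
add chain=forward in-interface=VLAN20 action=drop comment="guest -> LAN/other VLANs dropped"

# Last step. Turning filtering on while the bridge's own untagged address is
# still your only management path locks you out; do it once VLAN99 answers
# on ether2 (or from a Safe Mode session).
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
```

The order is the point of the example: VLAN table, VLAN interfaces and addresses first, CAP bound to the bridge, firewall rules placed above the default drops, and `vlan-filtering=yes` only at the end. The IoT network the first post mentions is a copy of the VLAN20 block with a new ID, pool, datapath and configuration.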
