Ephiopez
just joined
Topic Author
Posts: 8
Joined: Sat Aug 10, 2019 4:13 pm

CAPsMAN with CAP onboard

Mon Jul 25, 2022 2:03 pm

Hi!
I have something like this:
CAPsMANwithCAP.jpeg
RouterOS 7.4

VLAN 110 - Home network
VLAN 190 - Guest network
VLAN 3 - Management network

On HAPac:
Acts like switch with CAPsMAN and CAP onboard. Trunked with "main" L3-switch.
All ethernet ports bridged.
Wlan interfaces automatically bridged by CAPsMAN provisioning.
/interface/ethernet/switch/port> print 
Columns: NAME, SWITCH, VLAN-MODE, VLAN-HEADER, DEFAULT-VLAN-ID
# NAME         SWITCH   VLAN-MODE  VLAN-HEADER     DEFAULT-VLAN-ID
0 ether1       switch1  secure     add-if-missing                3
1 ether2       switch1  secure     always-strip                110
2 ether3       switch1  secure     always-strip                110
3 ether4       switch1  secure     always-strip                110
4 ether5       switch1  secure     always-strip                  3
5 switch1-cpu  switch1  secure     leave-as-is                   3

/interface/ethernet/switch/vlan> print
Columns: SWITCH, VLAN-ID, PORTS
# SWITCH   VLAN-ID  PORTS      
0 switch1      110  ether1     
                    ether2     
                    ether3     
                    ether4     
1 switch1      190  ether1     
2 switch1        3  ether1     
                    ether5     
                    switch1-cpu

/interface/bridge/port> print
Flags: I - INACTIVE; D - DYNAMIC; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#     INTERFACE  BRIDGE   HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
0   H ether1     bridge1  yes     1  0x80             10                  10  none   
1 I H ether2     bridge1  yes     1  0x80             10                  10  none   
2 I H ether3     bridge1  yes     1  0x80             10                  10  none   
3 I H ether4     bridge1  yes     1  0x80             10                  10  none   
4 I H ether5     bridge1  yes     1  0x80             10                  10  none   
5  D  wlan1      bridge1        110  0x80             10                  10  none   
6  D  wlan3      bridge1        190  0x80             10                  10  none   
7  D  wlan2      bridge1        110  0x80             10                  10  none   
8  D  wlan4      bridge1        190  0x80             10                  10  none 

/interface/vlan> print 
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
#   NAME      MTU  ARP      VLAN-ID  INTERFACE
0 R vlan110  1500  enabled      110  bridge1  
1 R vlan190  1500  enabled      190  bridge1  

Everything works fine, except that the clients of CAP3 do not receive IP-settings from the DHCP server.

What am I doing wrong?
Please help!
 
holvoetn
Forum Guru
Posts: 5318
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMAN with CAP onboard

Mon Jul 25, 2022 3:40 pm

Without having a crystal ball and you not providing details on config, nobody can know.

/export hide-sensitive file=<anynameyouwish>
Post between [code ] quotes after reviewing the output for private info.
 
Ephiopez
just joined
Topic Author
Posts: 8
Joined: Sat Aug 10, 2019 4:13 pm

Re: CAPsMAN with CAP onboard

Mon Jul 25, 2022 4:24 pm

Ok.
Here it is:
# jul/25/2022 16:17:59 by RouterOS 7.4rc2
# software id = CJB9-4KHN
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6F12066E9CD7
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(17dBm), SSID: KNTP, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5980/20-Ceee/ac(28dBm), SSID: KNTP, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add interface=bridge1 name=vlan110 vlan-id=110
add interface=bridge1 name=vlan190 vlan-id=190
/caps-man configuration
add country=russia4 datapath.bridge=bridge1 .local-forwarding=yes .vlan-id=\
    110 .vlan-mode=use-tag name=KNTP security.authentication-types=\
    wpa-psk,wpa2-psk ssid=KNTP
add country=russia4 datapath.bridge=bridge1 .local-forwarding=yes .vlan-id=\
    190 .vlan-mode=use-tag name=KNTP_Guest security.authentication-types=\
    wpa-psk,wpa2-psk ssid=KNTP_Guest
/caps-man interface
add configuration=KNTP disabled=no l2mtu=1600 mac-address=6C:3B:6B:73:E1:24 \
    master-interface=none name=HAPac_Admin-1 radio-mac=6C:3B:6B:73:E1:24 \
    radio-name=6C3B6B73E124
add configuration=KNTP_Guest disabled=no l2mtu=1600 mac-address=\
    6E:3B:6B:73:E1:24 master-interface=HAPac_Admin-1 name=HAPac_Admin-1-1 \
    radio-mac=00:00:00:00:00:00 radio-name=6E3B6B73E124
add configuration=KNTP disabled=no l2mtu=1600 mac-address=6C:3B:6B:73:E1:23 \
    master-interface=none name=HAPac_Admin-2 radio-mac=6C:3B:6B:73:E1:23 \
    radio-name=6C3B6B73E123
add configuration=KNTP_Guest disabled=no l2mtu=1600 mac-address=\
    6E:3B:6B:73:E1:23 master-interface=HAPac_Admin-2 name=HAPac_Admin-2-1 \
    radio-mac=00:00:00:00:00:00 radio-name=6E3B6B73E123
add configuration=KNTP disabled=no l2mtu=1600 mac-address=B8:69:F4:F8:FF:8A \
    master-interface=none name=WAPac_Boss-1 radio-mac=B8:69:F4:F8:FF:8A \
    radio-name=B869F4F8FF8A
add configuration=KNTP_Guest disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:F8:FF:8A master-interface=WAPac_Boss-1 name=WAPac_Boss-1-1 \
    radio-mac=00:00:00:00:00:00 radio-name=BA69F4F8FF8A
add configuration=KNTP disabled=no l2mtu=1600 mac-address=B8:69:F4:F8:FF:89 \
    master-interface=none name=WAPac_Boss-2 radio-mac=B8:69:F4:F8:FF:89 \
    radio-name=B869F4F8FF89
add configuration=KNTP_Guest disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:F8:FF:89 master-interface=WAPac_Boss-2 name=WAPac_Boss-2-1 \
    radio-mac=00:00:00:00:00:00 radio-name=BA69F4F8FF89
add configuration=KNTP disabled=no l2mtu=1600 mac-address=64:D1:54:07:D2:B4 \
    master-interface=none name=WAPac_Eatery-1 radio-mac=64:D1:54:07:D2:B4 \
    radio-name=64D15407D2B4
add configuration=KNTP_Guest disabled=no l2mtu=1600 mac-address=\
    66:D1:54:07:D2:B4 master-interface=WAPac_Eatery-1 name=WAPac_Eatery-1-1 \
    radio-mac=00:00:00:00:00:00 radio-name=66D15407D2B4
add configuration=KNTP disabled=no l2mtu=1600 mac-address=64:D1:54:07:D2:B3 \
    master-interface=none name=WAPac_Eatery-2 radio-mac=64:D1:54:07:D2:B3 \
    radio-name=64D15407D2B3
add configuration=KNTP_Guest disabled=no l2mtu=1600 mac-address=\
    66:D1:54:07:D2:B3 master-interface=WAPac_Eatery-2 name=WAPac_Eatery-2-1 \
    radio-mac=00:00:00:00:00:00 radio-name=66D15407D2B3
/interface ethernet switch port
set 0 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=110 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=110 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=110 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=3 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version
/caps-man manager interface
add interface=bridge1
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=KNTP name-format=\
    identity slave-configurations=KNTP_Guest
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,ether4 switch=switch1 \
    vlan-id=110
add independent-learning=yes ports=ether1 switch=switch1 vlan-id=190
add independent-learning=yes ports=ether1,ether5,switch1-cpu switch=switch1 \
    vlan-id=3
/interface wireless cap
# 
set bridge=bridge1 caps-man-addresses=127.0.0.1 enabled=yes interfaces=\
    wlan1,wlan2
/ip address
add address=10.1.1.4/24 interface=bridge1 network=10.1.1.0
/ip dns
set servers=10.1.10.11
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.1.1.3 routing-table=main \
    suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=HAPac_Admin
 
Ephiopez
just joined
Topic Author
Posts: 8
Joined: Sat Aug 10, 2019 4:13 pm

Re: CAPsMAN with CAP onboard

Tue Aug 02, 2022 10:35 am

Somebody help..
 
holvoetn
Forum Guru
Posts: 5318
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMAN with CAP onboard

Tue Aug 02, 2022 11:16 am

For some obscure reason I never got notifications from your post (and plenty of others! Must be something with the forum software).

Where is your DHCP server? Other device?

As for the VLAN-setup on that device, it is advised to use bridge for VLAN handling, not switch chip.
Can you reach other devices on those VLANs from that hap AC ? If not, the problem is there.
I have no experience using switch chip, so can not assist further.

See this post for more info / conceptual setup:
viewtopic.php?t=143620
 
BrateloSlava
Member Candidate
Posts: 167
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: CAPsMAN with CAP onboard

Tue Aug 02, 2022 12:49 pm

About the use of VLAN in general. The implementation of VLAN on switch chips makes sense only on "real" switches. CRS type. Where hardware offloading really gives noticeable results. For home conditions, as well as for small offices - it makes no sense. Wi-Fi modules are not connected to switch chips, so their traffic will still be processed through the central processor. And you won't win anything. I've done some experimentation with VLAN on bridges and switch chips. Therefore, I recommend that you abandon this scheme.

If you really want to - try switching from local forwarding to CAPsMAN forwarding mode.
 
woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: CAPsMAN with CAP onboard

Tue Aug 02, 2022 2:56 pm

> About the use of VLAN in general. The implementation of VLAN on switch chips makes sense only on "real" switches. CRS type. Where hardware offloading really gives noticeable results. For home conditions, as well as for small offices - it makes no sense. Wi-Fi modules are not connected to switch chips, so their traffic will still be processed through the central processor. And you won't win anything. I've done some experimentation with VLAN on bridges and switch chips. Therefore, I recommend that you abandon this scheme.
>
> If you really want to - try switching from local forwarding CAPsMAN forwarding mode.

Beware: HW bridging saves CPU+Power. You might be right on an edge AP, but I have seen improvement on different HEX and HAPac devices, where I avoid using software bridging for switching between the 5 ports. It also makes sense if you are chaining APs (CAPac, WAPac). Traffic from the chained AP does not use CPU on the first AP. Using of course different VLANs for management and WLAN traffic separation.
Also: don't confuse L2 switching and L3 HW Offloading (which you don't get with the previously mentioned devices)...

BR
W
 
Ephiopez
just joined
Topic Author
Posts: 8
Joined: Sat Aug 10, 2019 4:13 pm

Re: CAPsMAN with CAP onboard

Tue Aug 02, 2022 6:20 pm

Thank you all for your response!

DHCP-server lives on dedicated server in VLAN 110. And again: wireless clients (home and guest) connected to CAP1 and CAP2 receive ip-addresses without problems.
The wireless client connected to CAP3 does not have access to the wired network even if I manually specify the IP settings on the wireless client.
The problem is somewhere between bridge1 and switch-chip. I guess..

Before configuring, I have read:
https://wiki.mikrotik.com/wiki/Manual:B ... _switching
https://wiki.mikrotik.com/wiki/Manual:S ... p_Features
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs
..and I was sure that I did everything right.
I think I understand how the switch-chip works with "software" bridge. In particular, the work of the HAPac QCA8337 switch-chip.
However, wireless clients on CAP3 do not have access to the wired network.

I know that I may use only one ether-port and bridge, similar to other devices (WAPac`s).
But my goal is to use the switched ports with VLAN switching on a hardware level, because the capabilities of HAPac allow it to be done. And besides, I just need these "free" switched ports.
 
Ephiopez
just joined
Topic Author
Posts: 8
Joined: Sat Aug 10, 2019 4:13 pm

Re: CAPsMAN with CAP onboard

Fri Aug 05, 2022 11:26 am

> > About the use of VLAN in general. The implementation of VLAN on switch chips makes sense only on "real" switches. CRS type. Where hardware offloading really gives noticeable results. For home conditions, as well as for small offices - it makes no sense. Wi-Fi modules are not connected to switch chips, so their traffic will still be processed through the central processor. And you won't win anything. I've done some experimentation with VLAN on bridges and switch chips. Therefore, I recommend that you abandon this scheme.
> >
> > If you really want to - try switching from local forwarding CAPsMAN forwarding mode.
>
> Beware: HW bridging saves CPU+Power. You might be right on an edge AP, but I have seen improvement on different HEX and HAPac devices, where I avoid using software bridging for switching between the 5 ports. It also makes sense if you are chaining APs (CAPac, WAPac). Traffic from the chained AP does not use CPU on the first AP. Using of course different VLANs for management and WLAN traffic separation.
> Also: don't confuse L2 switching and L3 HW Offloading (which you don't get with the previously mentioned devices)...
>
> BR
> W

I'm sorry, but do you have any ideas about solving my problem?
 
woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: CAPsMAN with CAP onboard

Fri Aug 05, 2022 12:21 pm

I'm not entirely sure what your problem is. I am not that often configuring my MT devices, but without a guarantee I guess, it might be the following:
/interface ethernet switch port
set 0 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=110 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=110 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=110 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=3 vlan-mode=secure
vlan-header=always-strip should be changed to vlan-header=leave-as-is

https://help.mikrotik.com/docs/display/ ... switchchip
On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.
 
Ephiopez
just joined
Topic Author
Posts: 8
Joined: Sat Aug 10, 2019 4:13 pm

Re: CAPsMAN with CAP onboard

Fri Aug 05, 2022 4:33 pm

> I'm not entirely sure what your problem is. I am not that often configuring my MT devices, but without a guarantee I guess, it might be the following:
> /interface ethernet switch port
> set 0 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
> set 1 default-vlan-id=110 vlan-header=always-strip vlan-mode=secure
> set 2 default-vlan-id=110 vlan-header=always-strip vlan-mode=secure
> set 3 default-vlan-id=110 vlan-header=always-strip vlan-mode=secure
> set 4 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
> set 5 default-vlan-id=3 vlan-mode=secure
> vlan-header=always-strip should be changed to vlan-header=leave-as-is
>
> https://help.mikrotik.com/docs/display/ ... switchchip
> On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.

Yes, I saw this point in the manual. And initially did exactly as you describe - configured "leave-as-is". Unsuccessfully.
Therefore, I tried to tell the system explicitly what to do with the headers - "add-if-missing" and "always-strip". Unsuccessfully too..

Ok. Thank you anyway!
 
Ephiopez
just joined
Topic Author
Posts: 8
Joined: Sat Aug 10, 2019 4:13 pm

Re: CAPsMAN with CAP onboard  [SOLVED]

Sun Aug 07, 2022 5:37 pm

Ok. I found the solution. Perhaps it will be useful to someone.

So, this part of config:
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,ether4 switch=switch1 vlan-id=110
add independent-learning=yes ports=ether1 switch=switch1 vlan-id=190
add independent-learning=yes ports=ether1,ether5,switch1-cpu switch=switch1 vlan-id=3
..should look like this:
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=110
add independent-learning=yes ports=ether1,switch1-cpu switch=switch1 vlan-id=190
add independent-learning=yes ports=ether1,ether5,switch1-cpu switch=switch1 vlan-id=3
In other words, switch1-cpu interface must be present in every "switch vlan" configuration.
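
A check for the condition described in the final post, as an added example (not code from the thread or from MikroTik): a Python script that reads an `/export` and lists the VLAN IDs used on the CPU side (VLAN interfaces and CAPsMAN datapath `vlan-id`) whose switch VLAN table entry lacks `switch1-cpu`. The sample export is abridged from the one posted above, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the export posted in this thread.
BEFORE = r"""
/interface vlan
add interface=bridge1 name=vlan110 vlan-id=110
add interface=bridge1 name=vlan190 vlan-id=190
/caps-man configuration
add country=russia4 datapath.bridge=bridge1 .local-forwarding=yes .vlan-id=\
    110 .vlan-mode=use-tag name=KNTP ssid=KNTP
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,ether4 switch=switch1 \
    vlan-id=110
add independent-learning=yes ports=ether1 switch=switch1 vlan-id=190
add independent-learning=yes ports=ether1,ether5,switch1-cpu switch=switch1 \
    vlan-id=3
"""
# The same table with the fix from the final post applied.
AFTER = (BEFORE.replace("ether4 switch", "ether4,switch1-cpu switch")
               .replace("ports=ether1 switch", "ports=ether1,switch1-cpu switch"))


def parse_export(text):
    """Yield (section, {key: value}) for every add/set line of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join '\' line continuations
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith(("add ", "set ")):
            yield section, dict(re.findall(r"([\w.\-]+)=(\S+)", line))


def missing_cpu_vlans(text, cpu_port="switch1-cpu"):
    """Return VLAN IDs the CPU handles that the switch table hides from it."""
    needed, table = set(), {}
    for section, kv in parse_export(text):
        if section == "/interface vlan" and "vlan-id" in kv:
            needed.add(int(kv["vlan-id"]))
        elif section == "/caps-man configuration":
            # Export shorthand writes '.vlan-id' after a 'datapath.' key.
            vid = kv.get(".vlan-id") or kv.get("datapath.vlan-id")
            if vid:
                needed.add(int(vid))
        elif section == "/interface ethernet switch vlan" and "vlan-id" in kv:
            ports = kv.get("ports", "").split(",")
            table.setdefault(int(kv["vlan-id"]), set()).update(ports)
    # A VLAN absent from the table is reported too: secure mode drops it.
    return sorted(v for v in needed if cpu_port not in table.get(v, set()))


if __name__ == "__main__":
    print("before fix:", missing_cpu_vlans(BEFORE))
    print("after fix: ", missing_cpu_vlans(AFTER))
```
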
