alexvdbaan
Trainer
Topic Author
Posts: 40
Joined: Sun Feb 22, 2015 12:12 pm
Location: Amsterdam, Netherlands

CapsMAN Dynamic Radius VLAN's with bridged VLAN filtering

Sat May 05, 2018 3:49 pm

Hey guys,

This question came up after attempts to make this config even 'better'. I quote the better because the setup is working according to client spec but it would be nice to get it done the way I like. So hope to gain some valuable insights and suggestions from the forum.

Network is a multi-tenant, co-working space with various units. Each unit receives its own private /24 over Cat6 ethernet plus dynamically assigned Radius WPA-PEAP assures that clients land in their own VLAN while using WiFi. The stack is made up of 1xCCR1009, 6xCRS326, 2xCRS112PoE, 8xwap ac & 1 Radius server, all running 6.42.1 RouterOS/Boot. Stack is not running (M)STP.

Management Vlan 666 lives on Bridge called 'Core' together with IP config plus DHCP. Bridge Core is also CapsMAN enabled, it contains the management vlan as slaveport that feeds the switches. All clients have their own bridge (405,406 etc) that connect to the respective CapsMAN vlan and the switch vlan.

The reason for this post is that I would like to extend the Bridge-VLAN based approach to also include the CCR1009. In the current situation there is a demarcation between the CCR and the rest of

My guess is that it should be something related to access to the CPU when enabling vlan-filtering. I have tried adding the bridge throughout the network on all the VLANs. However, CPU access should not be necessary for the CRS326 customer VLANs since those only service access ports to clients.

Thanks, Alex


CCR1009 (bridge vlan-filtering is disabled)

/interface bridge
add fast-forward=no name=Core protocol-mode=none
add fast-forward=no name=br405 protocol-mode=none
add fast-forward=no name=br406 protocol-mode=none
add fast-forward=no name=br407 protocol-mode=none
add fast-forward=no name=br408 protocol-mode=none
add fast-forward=no name=br409 protocol-mode=none
/interface bridge port
add bridge=br405 interface=s1.vlan405
add bridge=br405 interface=caps.vlan405
# .. similar port config per customer ..
add bridge=Core interface=s1.core666
add bridge=Core interface=ether6 comment="Radius uplink"
/interface bridge settings
set allow-fast-path=no

/interface vlan
add interface=Core name=caps.vlan405 vlan-id=405
add interface=Core name=caps.vlan406 vlan-id=406
add interface=Core name=caps.vlan407 vlan-id=407
add interface=Core name=caps.vlan408 vlan-id=408
add interface=Core name=caps.vlan409 vlan-id=409
add interface=sfp-sfpplus1 name=s1.core666 vlan-id=666
add interface=sfp-sfpplus1 name=s1.vlan405 vlan-id=405
add interface=sfp-sfpplus1 name=s1.vlan406 vlan-id=406
add interface=sfp-sfpplus1 name=s1.vlan407 vlan-id=407
add interface=sfp-sfpplus1 name=s1.vlan408 vlan-id=408
add interface=sfp-sfpplus1 name=s1.vlan409 vlan-id=409

/caps-man datapath
add bridge=Core name=RadiusDatapath vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=Radius
/caps-man configuration
add country=netherlands datapath=RadiusDatapath distance=indoors mode=ap multicast-helper=full name=RadiusConfig security=Radius ssid="VLAN WiFi"

CRS326 (bridge vlan-filtering is enabled)

/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=405
add bridge=bridge1 interface=ether2 pvid=406
add bridge=bridge1 interface=ether3 pvid=407
add bridge=bridge1 interface=ether24 pvid=666 comment="Management access"
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
/interface bridge settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1 vlan-ids=405
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether2 vlan-ids=406
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether3 vlan-ids=407
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether24 vlan-ids=666

/interface vlan
add interface=bridge1 name=s1.405 vlan-id=405
add interface=bridge1 name=s1.406 vlan-id=406
add interface=bridge1 name=s1.407 vlan-id=407
add interface=bridge1 name=s1.666 vlan-id=666

CRS112 (bridge vlan is enabled)

/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=666 comment=AP1
add bridge=bridge1 interface=ether2 pvid=666 comment=AP2
add bridge=bridge1 interface=ether3 pvid=666 comment=AP3
add bridge=bridge1 interface=ether4 pvid=666 comment=AP4
add bridge=bridge1 interface=sfp12 pvid=1
/interface bridge settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether8 untagged=ether1,ether2,ether3,ether4 vlan-ids=666

Wap ac (bridge vlan is disabled since connected to access port)

/interface wireless cap
set certificate=request discovery-interfaces=ether1 enabled=yes interfaces=wlan1,wlan2
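
Added example, not part of the original post: a small Python check that reads a RouterOS export and reports two bridge VLAN table inconsistencies relevant to the CPU-access question above, namely a VLAN interface on a vlan-filtering bridge whose VLAN does not list the bridge itself as tagged, and a tagged/untagged member that is not a port of the bridge. The function names are hypothetical, the sample is trimmed from the CRS326 config in the post, and vlan-ids is assumed to hold single or comma-separated IDs.

```python
import shlex

def parse_export(text):
    """Return {menu path: [dict of key=value pairs per 'add' line]}."""
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def audit(text):
    """List bridge VLAN table inconsistencies found in one device export."""
    m = parse_export(text)
    filtering = {b["name"] for b in m.get("/interface bridge", [])
                 if b.get("vlan-filtering") == "yes"}
    ports = {(p["bridge"], p["interface"]) for p in m.get("/interface bridge port", [])}
    cpu_vlans, findings = set(), []
    for e in m.get("/interface bridge vlan", []):
        br, tagged = e["bridge"], e.get("tagged", "").split(",")
        for i in tagged + e.get("untagged", "").split(","):
            if i and i != br and (br, i) not in ports:
                findings.append(f"vlan {e['vlan-ids']}: {i} is not a port of {br}")
        if br in tagged:  # bridge listed as tagged: the CPU port is a member
            cpu_vlans.update((br, v) for v in e["vlan-ids"].split(","))
    for v in m.get("/interface vlan", []):
        br = v["interface"]
        if br in filtering and (br, v["vlan-id"]) not in cpu_vlans:
            findings.append(f"{v['name']}: {br} is not tagged for vlan {v['vlan-id']}")
    return findings

# Sample input: trimmed from the CRS326 config in the post (ether2/ether3 omitted).
CRS326 = """\
/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=405
add bridge=bridge1 interface=ether24 pvid=666 comment="Management access"
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1 vlan-ids=405
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether24 vlan-ids=666
/interface vlan
add interface=bridge1 name=s1.405 vlan-id=405
add interface=bridge1 name=s1.666 vlan-id=666
"""
print(audit(CRS326))
```

On this sample the only finding is s1.405: the management VLAN 666 lists bridge1 as tagged, the customer VLAN 405 does not, so the switch CPU is not a member of the customer VLAN.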
 
alexvdbaan

Re: CapsMAN Dynamic Radius VLAN's with bridged VLAN filtering

Sun May 06, 2018 12:13 am

This post: viewtopic.php?f=2&t=133821 provided me with a good hint, simply adding the dynamically assigned capsman interfaces to the tagged list. I have set up a test on a hap ac and that worked. I will let you know if the customer site will also be successful.
 
alexvdbaan

Re: CapsMAN Dynamic Radius VLAN's with bridged VLAN filtering

Mon May 07, 2018 10:21 am

I have set up a HAP ac with CapsMAN locally set up, external radius and various VLANs. When I tag the wireless interfaces in the bridge it all works. Unfortunately I cannot get the setup to work on the client's premises by simply adding the wireless interfaces to the tagged interface list. Hope that one of you sees something that I'm missing.
 
anuser
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: CapsMAN Dynamic Radius VLAN's with bridged VLAN filtering

Wed Jul 31, 2019 6:44 pm

Have you ever found a solution?
