CAPsMAN with virtual AP on VLAN - No connectivity

ukzerosniper · Tue Jan 22, 2019 9:25 pm

Hi Guys,

I have a CAPsMAN setup which works fine for the Main SSID which is not on a VLAN. I am now trying to add a guest SSID and run it on its own VLAN, but I cant get any IP connectivity when I connect to the guest WiFi.

Here is what I have done.

Can someone help me understand the correct way to make this work?

If you need additional information please dont hesitate to let me know.

/interface bridge
add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes dhcp-snooping=no disabled=no fast-forward=yes forward-delay=15s igmp-snooping=no max-message-age=20s mtu=auto name="LAN Bridge" priority=0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no

add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes dhcp-snooping=no disabled=no fast-forward=yes igmp-snooping=no mtu=auto name=VLAN101 protocol-mode=none vlan-filtering=no

/ip address
add address=192.168.80.1/24 disabled=no interface="LAN Bridge" network=192.168.80.0
add address=192.168.90.1/24 disabled=no interface=VLAN101 network=192.168.90.0

/ip dhcp-server
add address-pool=dhcp authoritative=yes bootp-support=static disabled=no interface="LAN Bridge" lease-script="" lease-time=10m name=dhcp1 use-radius=no
add address-pool=dhcp_pool1 authoritative=yes bootp-support=static disabled=no interface=VLAN101 lease-script="" lease-time=10m name=Vlan101 use-radius=no

/ip dhcp-server network
add address=192.168.80.0/24 caps-manager="" dhcp-option="" dns-server="" gateway=192.168.80.1 netmask=24 ntp-server="" wins-server=""
add address=192.168.90.0/24 caps-manager="" dhcp-option="" dns-server="" gateway=192.168.90.1 ntp-server="" wins-server=""

/caps-man datapath
add bridge="LAN Bridge" client-to-client-forwarding=yes name=datapath1
add bridge=VLAN101 client-to-client-forwarding=no name=VLAN101 vlan-id=101 vlan-mode=use-tag

/caps-man configuration
add channel=5GHz country="united kingdom" datapath=datapath1 mode=ap name=5GHz security=security1 ssid=MikroTik
add country="united kingdom" datapath=VLAN101 mode=ap name=5Ghz_Guest security=security1 ssid=MikroTik_Guest

mkx · Tue Jan 22, 2019 10:41 pm

As VAPs are setup as tagged, all traffic artiving at bridge VLAN101 is tagged. For L3 configuration that's not acceptable, only untagged traffic is fine. And vlan interfaces do proper tagging/untagging:

/interface vlan
add name=vlan101port interface=VLAN101

and move IP configuration from VLAN101 to vlan101port.

BTW, no need to have separate bridges for both subnets, everything can go to single bridge (as stated before, VLAN101 frames live tagged inside bridge, normal LAN frames live untagged inside bridge and proper use of vlan interfaces makes sure correct separation).

ukzerosniper · Wed Jan 23, 2019 1:10 am

As VAPs are setup as tagged, all traffic artiving at bridge VLAN101 is tagged. For L3 configuration that's not acceptable, only untagged traffic is fine. And vlan interfaces do proper tagging/untagging:
Code: Select all
/interface vlan
add name=vlan101port interface=VLAN101
and move IP configuration from VLAN101 to vlan101port.

BTW, no need to have separate bridges for both subnets, everything can go to single bridge (as stated before, VLAN101 frames live tagged inside bridge, normal LAN frames live untagged inside bridge and proper use of vlan interfaces makes sure correct separation).

This worked perfectly. Can you tell me, do I need to add the vlan to the bridge on each CAP manually or only on the CAPsMAN manager?

Thanks again for the assistance.

AlainCasault · Wed Jan 23, 2019 1:36 am

As VAPs are setup as tagged, all traffic artiving at bridge VLAN101 is tagged. For L3 configuration that's not acceptable, only untagged traffic is fine. And vlan interfaces do proper tagging/untagging:
Code: Select all
/interface vlan
add name=vlan101port interface=VLAN101
and move IP configuration from VLAN101 to vlan101port.

BTW, no need to have separate bridges for both subnets, everything can go to single bridge (as stated before, VLAN101 frames live tagged inside bridge, normal LAN frames live untagged inside bridge and proper use of vlan interfaces makes sure correct separation).

Hello,

Sorry but this is wrong. You never assign an IP address to a slaved port, airways the master. So OP is right, IP goes on bridge.

Regards,

Sent from my cell phone. Sorry for the errors.

mkx · Wed Jan 23, 2019 11:47 am

As VAPs are setup as tagged, all traffic artiving at bridge VLAN101 is tagged. For L3 configuration that's not acceptable, only untagged traffic is fine. And vlan interfaces do proper tagging/untagging:
Code: Select all
/interface vlan
add name=vlan101port interface=VLAN101
and move IP configuration from VLAN101 to vlan101port.

BTW, no need to have separate bridges for both subnets, everything can go to single bridge (as stated before, VLAN101 frames live tagged inside bridge, normal LAN frames live untagged inside bridge and proper use of vlan interfaces makes sure correct separation).
Hello,

Sorry but this is wrong. You never assign an IP address to a slaved port, airways the master. So OP is right, IP goes on bridge.

Alain, vlan101port in my example is vlan interface off the bridge (master not slave). Please read also code snippet right above the text you just declared to be wrong. And relate it to other config posted in previous posts. "Interface" VLAN101, referred to in my code snippet, is actually a bridge carrying tagged frames ...

mkx · Wed Jan 23, 2019 11:50 am

Can you tell me, do I need to add the vlan to the bridge on each CAP manually or only on the CAPsMAN manager?

I don't have experience with CAPsMan, so the following might be wrong ... anyway, AFAIK CAPs are fully configured by CAPsManager so it shouldn't be necessary to configure manually anything there. Only CapsMan device has to be configured by hand.

AlainCasault · Wed Jan 23, 2019 1:03 pm

As VAPs are setup as tagged, all traffic artiving at bridge VLAN101 is tagged. For L3 configuration that's not acceptable, only untagged traffic is fine. And vlan interfaces do proper tagging/untagging:
Code: Select all
/interface vlan
add name=vlan101port interface=VLAN101
and move IP configuration from VLAN101 to vlan101port.

BTW, no need to have separate bridges for both subnets, everything can go to single bridge (as stated before, VLAN101 frames live tagged inside bridge, normal LAN frames live untagged inside bridge and proper use of vlan interfaces makes sure correct separation).
Hello,

Sorry but this is wrong. You never assign an IP address to a slaved port, airways the master. So OP is right, IP goes on bridge.
Alain, vlan101port in my example is vlan interface off the bridge (master not slave). Please read also code snippet right above the text you just declared to be wrong. And relate it to other config posted in previous posts. "Interface" VLAN101, referred to in my code snippet, is actually a bridge carrying tagged frames ...

Hello MKX,

Here's an example of what I did for my CAPsMAN setup. I hope I understood what you meant to say.

/interface bridge
add name=BR-TRUNK
add comment="serveurs et voip" name=BR-VLAN101

/interface vlan
add comment="serveurs et voip" interface=BR-TRUNK name=vlan101 vlan-id=101

/interface bridge port
add bridge=BR-TRUNK comment=HMO02R10 hw=no interface=ether1
add bridge=BR-VLAN101 interface=vlan101
add bridge=BR-VLAN101 hw=no interface=ether10

/ip address
add address=172.16.9.1/24 comment="VLAN101 (Serveurs et VoIP)" interface=BR-VLAN101 network=172.16.9.0

As you can see, bridge "BR-VLAN101" hosts vlan interface "vlan101 and an ethernet port. Anytime an interface is under a bridge, it is "slaved", as you can see with the "S" appearing when you look at the Interfaces window.

When that happens, you can't give THAT slaved interface an IP address. This happens often in my classes where people will assign a DHCP server or an IP address to an ether port which is under a bridge.

I'm not saying that your code snippet is wrong, just the fact that you suggest to assign the IP address to the interface vlan101 rather than the bridge.

I hope this clarifies my position.

For ukzerosnipper's question, you need do nothing on the CAPs besides:

/interface wireless cap
set discovery-interfaces=BR-VLAN100 enabled=yes interfaces=wlan1

Once properly set up, the only config you'll ever touch is on the CAPsMAN.

Cheers,

AlainCasault · Wed Jan 23, 2019 1:06 pm

As a bonus, here's my (partial) working setup for CAPsMAN.

/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name=channels-tous-n
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=channel1
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name=channel6
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name=channel11
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ce \
    frequency=5180,5200,5220,5745 name=channel-tous-ac
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ce \
    frequency=5180 name=channel36
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ce \
    frequency=5220 name=channel40
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ce \
    frequency=5220 name=channel44
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ce \
    frequency=5745 name=channel149

/caps-man rates
add basic=1Mbps,24Mbps,36Mbps,48Mbps,54Mbps ht-basic-mcs=\
    mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-3,mcs-4,mcs-5,mcs-6,mc\
    s-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mc\
    s-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" name=Rates-CSPE supported=\
    1Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=mcs0-7 vht-supported-mcs=\
    mcs0-9
add basic=1Mbps,11Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps ht-basic-mcs=\
    mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-3,mcs-4,mcs-5,mcs-6,mc\
    s-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mc\
    s-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" name=Rates-CSPE2 supported=\
    1Mbps,11Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=5m name=WPA2 passphrase=XXXX
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=5m name=invite passphrase=XXXX
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=5m name=CSPE-formel passphrase=XXXXX
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=5m name=guest passphrase=XXXXX
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=5m name=Nothing passphrase=XXXXXXX
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=admin passphrase=XXXXX

/caps-man configuration
add channel=channels-tous-n channel.tx-power=0 country="united states3" name=\
    G-Corpo-n.cfg rates=Rates-CSPE security=Nothing ssid=CSPE-blank
add channel=channel1 comment="===Locataires===" country="united states3" \
    datapath.bridge=BR-VLAN106 datapath.client-to-client-forwarding=yes name=\
    Locataires1.cfg rates=Rates-CSPE security=CSPE-formel ssid=CSPE-formel
add channel=channel6 country="united states3" datapath.bridge=BR-VLAN102 \
    datapath.client-to-client-forwarding=yes name=Corpo6.cfg rates=Rates-CSPE \
    security=WPA2 ssid=CoreDATA
add channel=channel11 country="united states3" datapath.bridge=BR-VLAN102 \
    datapath.client-to-client-forwarding=yes name=Corpo11.cfg rates=\
    Rates-CSPE security=WPA2 ssid=CoreDATA
add channel=channels-tous-n channel.tx-power=0 country="united states3" name=\
    G-Locataires-n.cfg rates=Rates-CSPE security=Nothing ssid=CSPE-blank
add channel=channel1 comment="===Corpo===" country="united states3" \
    datapath.bridge=BR-VLAN102 datapath.client-to-client-forwarding=yes name=\
    Corpo1.cfg rates=Rates-CSPE security=WPA2 ssid=CoreDATA
add channel=channel6 country="united states3" datapath.bridge=BR-VLAN106 \
    datapath.client-to-client-forwarding=yes name=Locataires6.cfg rates=\
    Rates-CSPE security=CSPE-formel ssid=CSPE-formel
add channel=channel11 country="united states3" datapath.bridge=BR-VLAN106 \
    datapath.client-to-client-forwarding=yes name=Locataires11.cfg rates=\
    Rates-CSPE security=CSPE-formel ssid=CSPE-formel
add channel=channels-tous-n channel.tx-power=0 country="united states3" name=\
    G-invites-n.cfg rates=Rates-CSPE security=Nothing ssid=CSPE-blank
add channel=channel1 comment="===Salle d'attente===" country="united states3" \
    datapath.bridge=BR-VLAN107 datapath.client-to-client-forwarding=yes name=\
    invites1.cfg rates=Rates-CSPE security=invite ssid=INVITE-CSPE
add channel=channel6 country="united states3" datapath.bridge=BR-VLAN107 \
    datapath.client-to-client-forwarding=yes name=invites6.cfg rates=\
    Rates-CSPE security=invite ssid=INVITE-CSPE
add channel=channel11 country="united states3" datapath.bridge=BR-VLAN107 \
    datapath.client-to-client-forwarding=yes name=invites11.cfg rates=\
    Rates-CSPE security=invite ssid=INVITE-CSPE
add channel=channel-tous-ac channel.tx-power=0 comment="===BIDON===" country=\
    "united states3" name=G-Corpo-ac.cfg rates=Rates-CSPE security=Nothing \
    ssid=CSPE-blank
add channel=channel36 country="united states3" datapath.bridge=BR-VLAN102 \
    datapath.client-to-client-forwarding=yes name=Corpo36.cfg rates=\
    Rates-CSPE security=WPA2 ssid=CoreDATA
add channel=channel40 country="united states3" datapath.bridge=BR-VLAN102 \
    datapath.client-to-client-forwarding=yes name=Corpo40.cfg rates=\
    Rates-CSPE security=WPA2 ssid=CoreDATA
add channel=channel44 country="united states3" datapath.bridge=BR-VLAN102 \
    datapath.client-to-client-forwarding=yes name=Corpo44.cfg rates=\
    Rates-CSPE security=WPA2 ssid=CoreDATA
add channel=channel149 country="united states3" datapath.bridge=BR-VLAN102 \
    datapath.client-to-client-forwarding=yes name=Corpo149.cfg rates=\
    Rates-CSPE security=WPA2 ssid=CoreDATA
add channel=channel11 channel.tx-power=6 country="united states3" \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    datapath.vlan-id=102 datapath.vlan-mode=use-tag name=Maison11.cfg rates=\
    Rates-CSPE security=WPA2 ssid=DSWLANr
add channel=channel1 channel.tx-power=6 comment="===Remote Maison===" \
    country="united states3" datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=yes datapath.vlan-id=102 datapath.vlan-mode=\
    use-tag name=Maison1.cfg rates=Rates-CSPE security=WPA2 ssid=DSWLANr
add channel=channel6 channel.tx-power=6 country="united states3" \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    datapath.vlan-id=102 datapath.vlan-mode=use-tag name=Maison6.cfg rates=\
    Rates-CSPE security=WPA2 ssid=DSWLANr
add channel=channel1 channel.tx-power=6 comment="===Remote guest Maison===" \
    country="united states3" datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=yes datapath.vlan-id=107 datapath.vlan-mode=\
    use-tag name=guestmaison1.cfg rates=Rates-CSPE security=guest ssid=guestr
add channel=channel6 channel.tx-power=6 country="united states3" \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    datapath.vlan-id=107 datapath.vlan-mode=use-tag name=guestmaison6.cfg \
    rates=Rates-CSPE security=guest ssid=guestr
add channel=channel11 channel.tx-power=6 country="united states3" \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    datapath.vlan-id=107 datapath.vlan-mode=use-tag name=guestmaison11.cfg \
    rates=Rates-CSPE security=guest ssid=guestr
add channel=channel11 country="united states3" datapath.bridge=BR-VLAN103 \
    datapath.client-to-client-forwarding=yes name=Admin11.cfg rates=\
    Rates-CSPE security=admin ssid=DSWLAN-adm
add channel=channel1 comment="===Admin r\E9seau===" country="united states3" \
    datapath.bridge=BR-VLAN103 datapath.client-to-client-forwarding=yes name=\
    Admin1.cfg rates=Rates-CSPE security=admin ssid=DSWLAN-adm
add channel=channel6 country="united states3" datapath.bridge=BR-VLAN103 \
    datapath.client-to-client-forwarding=yes name=Admin6.cfg rates=Rates-CSPE \
    security=admin ssid=DSWLAN-adm

/caps-man access-list
add allow-signal-out-of-range=10s comment="===HMO02R07===" disabled=no \
    mac-address=D4:CA:6D:93:2D:43 signal-range=-85..0 ssid-regexp=""
add allow-signal-out-of-range=10s comment=Alain-Laptop disabled=no \
    mac-address=68:17:29:ED:41:80 signal-range=-85..0 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment=\
    "***Default action***" disabled=no signal-range=-90..0 ssid-regexp=""

/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version

/caps-man provisioning
add action=create-dynamic-enabled comment="HMO02R04-bureau AC" \
    master-configuration=Corpo11.cfg name-format=prefix-identity name-prefix=\
    CAPS radio-mac=D4:CA:6D:B2:66:53 slave-configurations=\
    Admin11.cfg,Locataires11.cfg
add action=create-dynamic-enabled comment="HMO02R04-bureau AC" disabled=yes \
    master-configuration=G-Corpo-n.cfg name-format=prefix-identity \
    name-prefix=CAPS radio-mac=D4:CA:6D:B2:66:53 slave-configurations=\
    G-Locataires-n.cfg
add action=create-dynamic-enabled comment="HMO02R08-salle d'attente" \
    master-configuration=Locataires6.cfg name-format=prefix-identity \
    name-prefix=CAPS radio-mac=E4:8D:8C:11:F7:47 slave-configurations=\
    invites6.cfg
add action=create-dynamic-enabled comment="HMO02R10-bureau HM (11n)" \
    master-configuration=Corpo1.cfg name-format=prefix-identity name-prefix=\
    CAPS radio-mac=E4:8D:8C:44:2D:43 slave-configurations=\
    Locataires1.cfg,invites1.cfg
add action=create-dynamic-enabled comment="HMO02R10-bureau HM (11ac)" \
    master-configuration=Corpo36.cfg name-format=prefix-identity name-prefix=\
    CAPS radio-mac=E4:8D:8C:44:2D:42
add action=create-dynamic-enabled comment=CAPSMAISON-10 disabled=yes \
    master-configuration=Maison11.cfg name-format=prefix-identity \
    name-prefix=CAPSMAISON radio-mac=00:0C:42:E5:03:F3 slave-configurations=\
    guestmaison11.cfg
add action=create-dynamic-enabled comment="==Default==" hw-supported-modes=gn \
    master-configuration=G-Corpo-n.cfg name-format=prefix-identity \
    name-prefix=TEMP
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    G-Corpo-ac.cfg name-format=prefix-identity name-prefix=TEMP

Some of my config reflects some testing I was doing such as dropping traffic localy instead of going back to the CAPsMAN, so you may which to disregard it for now.

Of course, you'll need the rest such as IP addresses, DHCP servers, firewalls, etc.

Cheers,

mkx · Wed Jan 23, 2019 1:32 pm

Alain,

Here's an example of what I did for my CAPsMAN setup. I hope I understood what you meant to say.

I understand your concerns. But here's relevant part of OPs config:

/interface bridge
add name=VLAN101 vlan-filtering=no # and tons of other settings
/caps-man datapath
add bridge=VLAN101 client-to-client-forwarding=no name=VLAN101 vlan-id=101 vlan-mode=use-tag
/caps-man configuration
add datapath=VLAN101 mode=ap name=5Ghz_Guest # and other settings
# added by me as bridge VLAN101 carries tagged traffic while L3 setup requires untagged
/interface vlan
add name=vlan101port interface=VLAN101

It is clear that OP has slightly different setup than you ... the original bridge definition is so overloaded with different settings that it's quite easy to miss that VLAN101 is actually a bridge an not some slave interface.

I hope this clarifies my position.

I hope this clarifies mine

AlainCasault · Wed Jan 23, 2019 3:07 pm

Hello MKX,

Aaaah, the joy of offline discutions. Argh, it'd be so much easier "live". Oh well!

So, I got it that lowercase=vlan interface (vlan101port) and UPPERCASE=bridge. But I'm still confused as to what you're saying (post #2) since if vlan101port (vlan interface) is assigned to a bridge, I still think the IP should go on the bridge (VLAN101).

Am I missing something?

EDIT: REMOVED useless text following bad understanding on my part.

mkx · Wed Jan 23, 2019 6:17 pm

... since if vlan101port (vlan interface) is assigned to a bridge, I still think the IP should go on the bridge (VLAN101).

Interface vlan101port is not a slave member of a bridge (like ether1 would be), but it's on top of bridge.

Perhaps a poor chart would help:

cAPs datapath VLAN101 (tagged) ----> bridge VLAN101 (dumb, no VLAN filtering) --+
                                                                                |
       IP config <-------- (untagged on this side) interface vlan101port <------+

Again: remember that frames from cAP datapath enter bridge tagged! The vlan interface we're bitching about is there to untag/tag frames for router's L3 needs.

CAPsMAN with virtual AP on VLAN - No connectivity

CAPsMAN with virtual AP on VLAN - No connectivity

Re: CAPsMAN with virtual AP on VLAN - No connectivity

Re: CAPsMAN with virtual AP on VLAN - No connectivity

Re: CAPsMAN with virtual AP on VLAN - No connectivity

Re: CAPsMAN with virtual AP on VLAN - No connectivity

Re: CAPsMAN with virtual AP on VLAN - No connectivity

Re: CAPsMAN with virtual AP on VLAN - No connectivity

Re: CAPsMAN with virtual AP on VLAN - No connectivity

Re: CAPsMAN with virtual AP on VLAN - No connectivity

Re: CAPsMAN with virtual AP on VLAN - No connectivity

Re: CAPsMAN with virtual AP on VLAN - No connectivity

Who is online