LoneGunMan
just joined
Topic Author
Posts: 11
Joined: Sun Jul 29, 2018 9:58 pm

Two SSID, Two DHCP servers

Sun Feb 03, 2019 2:12 pm

(This was originally posted on the wireless networking side but I wasn't getting any response, so I am hoping maybe I get more audience under the general forum. Please lock if cross posting is not acceptable and I do apologize)

I have a working hAP AC2, with the wireless bits all managed under CAPsMAN, and it's been working great for quite a while.

Lately I find myself needing to set up another AP, but one which requires two SSIDs, VLAN'd off from each other. Let's call them admin vs. guest; eventually the webfig page will only be accessible from the admin side, and so on. Both networks will go to the internet through this device, sort of like the cafe staff vs. guest scenario in the Mikrotik tutorial, except there is only one device.

So I started with my hAP config as a base, and added VLANs, bridges for the VLANs (use tag = true), new provisioning, config and datapaths for the two sides, all with tag 10 = admin, 20 = guest. Then I created new DHCP servers configured with admin pool = 10.0.10.x vs guest = 10.0.20.x, and bound the DHCP servers to the respective bridge.

They should all work, I think, except they didn't (of course). I can't get any IP address when my phone or laptop tries to connect to either of the new SSIDs, and there is barely any hint of traffic. One thing I do notice is that the wireless interfaces generated by the CAPsMAN slave configurations are all bound to the original "bridge" ports, even though both config and datapaths have explicitly been set against the newly created admin/guest bridges.

Below is the config dump; I would appreciate it if someone could point out to me what I have done wrong.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface vlan
add interface=bridge-vlan-admin name=vlan-admin vlan-id=10
add interface=bridge-vlan-guest name=vlan-guest vlan-id=20

/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(30dBm), SSID: SSID_HERE, local forwarding
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge name=wlan2.4-iface ssid=SSID_HERE wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5260/20-Ceee/ac(23dBm), SSID: SSID_HERE, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country="hong kong" disabled=no distance=indoors frequency=auto mode=ap-bridge name=wlan5-iface ssid=SSID_HERE wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik

/caps-man channel
add band=2ghz-g/n extension-channel=Ce name=2ghz-cap-channel reselect-interval=5m
add band=5ghz-a/n/ac extension-channel=Ceee name=5ghz-cap-channel reselect-interval=5m

/caps-man datapath
add client-to-client-forwarding=yes interface-list=LAN local-forwarding=yes name=share-datapath
add bridge=bridge-vlan-guest client-to-client-forwarding=yes local-forwarding=yes name=vlan-guest-datapath vlan-id=20 vlan-mode=use-tag
add bridge=bridge-vlan-admin client-to-client-forwarding=yes local-forwarding=yes name=vlan-admin-datapath vlan-id=10 vlan-mode=use-tag

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=default-security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=guess-wifi-security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=admin-wifi-security

/caps-man configuration
add channel=2ghz-cap-channel datapath=vlan-guest-datapath datapath.bridge=bridge-vlan-guest name=guest-wifi-config-2ghz security=guess-wifi-security ssid=guest-test
add channel=5ghz-cap-channel datapath=vlan-guest-datapath datapath.bridge=bridge-vlan-guest name=guest-wifi-config-5ghz security=guess-wifi-security ssid=guest-test
add channel=2ghz-cap-channel datapath=vlan-admin-datapath datapath.bridge=bridge-vlan-admin name=admin-wifi-config-2ghz security=admin-wifi-security ssid=admin-test
add channel=5ghz-cap-channel datapath=vlan-admin-datapath datapath.bridge=bridge-vlan-admin name=admin-wifi-config-5ghz security=admin-wifi-security ssid=admin-test
add channel=2ghz-cap-channel datapath=share-datapath name=2ghz-config security=default-security ssid=SSID_HERE
add channel=5ghz-cap-channel datapath=share-datapath name=5ghz-config security=default-security ssid=SSID_HERE

/caps-man manager
set enabled=yes

/caps-man provisioning
add action=create-dynamic-enabled comment="2ghz vlans" hw-supported-modes=gn,g,b master-configuration=2ghz-config name-format=prefix-identity name-prefix=2ghz-vlan slave-configurations=admin-wifi-config-2ghz,guest-wifi-config-2ghz
add action=create-dynamic-enabled comment="5ghz vlans" hw-supported-modes=an,ac,a master-configuration=5ghz-config name-format=prefix-identity name-prefix=5ghz-vlan slave-configurations=admin-wifi-config-5ghz,guest-wifi-config-5ghz
add action=create-dynamic-enabled comment="2ghz provision" hw-supported-modes=gn,g,b master-configuration=2ghz-config name-format=prefix-identity name-prefix=2ghz
add action=create-dynamic-enabled comment="5ghz provision" hw-supported-modes=an,ac,a master-configuration=5ghz-config name-format=prefix-identity name-prefix=5ghz

/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=pool-admin ranges=10.0.10.2-10.0.10.100
add name=pool-guest ranges=10.0.20.2-10.0.20.100
add name=dhcp_pool3 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=pool-admin disabled=no interface=bridge-vlan-admin name=dhcp-admin
add address-pool=pool-guest disabled=no interface=bridge-vlan-guest name=dhcp-guest
add address-pool=dhcp disabled=no interface=bridge name=dhcp-default

/interface bridge
add admin-mac=CC:2D:E0:EB:62:51 auto-mac=no comment=defconf name=bridge
add name=bridge-vlan-admin pvid=10 vlan-filtering=yes
add name=bridge-vlan-guest pvid=20 vlan-filtering=yes

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan2.4-iface
add bridge=bridge comment=defconf interface=wlan5-iface
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan list=WAN
/interface wireless cap
# 
set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=wlan2.4-iface,wlan5-iface

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=10.0.10.1/24 comment="bridge vlan admin  address" interface=bridge-vlan-admin network=10.0.10.0
add address=10.0.20.1/24 comment="bridge vlan guest address" interface=bridge-vlan-guest network=10.0.20.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1-wan

/ip dhcp-server lease
add address=192.168.88.198 client-id=1:0:9:b0:cf:83:82 mac-address=00:09:B0:CF:83:82

/ip dhcp-server network
add address=10.0.10.0/24 comment="admin vlan network" dns-server=8.8.8.8,8.8.4.4 gateway=10.0.10.1
add address=10.0.20.0/24 comment="guest vlan network" dns-server=8.8.8.8,8.8.4.4 gateway=10.0.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 domain=home gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN local" src-address-type=local
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal

/ipv6 dhcp-server
add address-pool=ISP-ipv6 interface=bridge lease-time=30m name=mikrotik-dhcp-server-v6
/ipv6 pool
add name=internal-pool prefix=2001:db8::/62 prefix-length=64
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ipv6 address
add address=::1 from-pool=ISP-ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-wan pool-name=ISP-ipv6 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked 
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=yes interface=bridge managed-address-configuration=yes other-configuration=yes ra-lifetime=15m
/ipv6 nd prefix
add interface=bridge
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two SSID, Two DHCP servers

Sun Feb 03, 2019 4:15 pm

I don't use capsman for my two APs running from a hex, but it looks like you have the correct full vlan setup for each vlan (four items).
ip address /ip pool /dhcp-server / dhcp-server network

one thing I noticed...........
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan list=WAN
where is vlan10 interface=LAN ??????????
and vlan20=LAN ??????????

Also don't see any config for the following?????????
/interface bridge vlan
 
Redmor
Member Candidate
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: Two SSID, Two DHCP servers

Sun Feb 03, 2019 6:56 pm

I don't use VLAN for separate wireless networks with CAPsMAN, I just need to add the guest ones in another bridge on CAPsMAN RB manager, my guests can't even see L2 neighbors because in the guest bridge there aren't ethernets.
 
neutronlaser
Member
Posts: 445
Joined: Thu Jan 18, 2018 5:18 pm

Re: Two SSID, Two DHCP servers

Sun Feb 03, 2019 7:57 pm

I wonder what language that was in.
 
LoneGunMan
just joined
Topic Author
Posts: 11
Joined: Sun Jul 29, 2018 9:58 pm

Re: Two SSID, Two DHCP servers

Sun Feb 03, 2019 8:57 pm

> I don't use capsman for my two APs running from a hex, but it looks like you have the correct full vlan setup for each vlan (four items).
> ip address /ip pool /dhcp-server / dhcp-server network
>
> one thing I noticed...........
> /interface list member
> add comment=defconf interface=bridge list=LAN
> add comment=defconf interface=ether1-wan list=WAN
> where is vlan10 interface=LAN ??????????
> and vlan20=LAN ??????????
>
> Also don't see any config for the following?????????
> /interface bridge vlan
RouterOS automatically/dynamically adds the bridge definition for me, and they look right. Also two interfaces, though they look to have come from the original "working" SSID (the master configuration). I added two LAN devices on the bridge, modeled after the default bridge, after your reply, but that does not seem to work (I think I might have tried that before already). I have also tried adding all the newly provisioned interfaces into the list to no avail. The current print looks like this.
[admin@monkey] /interface bridge vlan> print 
Flags: X - disabled, D - dynamic 
 #   BRIDGE              VLAN-IDS  CURRENT-TAGGED           CURRENT-UNTAGGED
 0 D bridge-vlan-admin   10                                 bridge-vlan-admin
 1 D bridge-vlan-guest   20                                 bridge-vlan-guest
[admin@monkey] /interface bridge vlan> /interface list member 
[admin@monkey] /interface list member> print 
Flags: X - disabled, D - dynamic 
 #   LIST                             INTERFACE
 0   ;;; defconf
     LAN                               bridge
 1   ;;; defconf
     WAN                              ether1-wan
 2 D LAN                              5ghz-vlan-monkey-1
 3 D LAN                              2ghz-vlan-monkey-1
 4   LAN                               bridge-vlan-guest
 5   LAN                               bridge-vlan-admin
(yes, i name my devices after animals :) )
edit: reformatted the code print a bit.
 
LoneGunMan
just joined
Topic Author
Posts: 11
Joined: Sun Jul 29, 2018 9:58 pm

Re: Two SSID, Two DHCP servers

Sun Feb 03, 2019 9:40 pm

Could this actually be a bug, that the bridge definition of the datapath in CAPsMAN is not being followed?

Per the datapath configuration, shouldn't the dynamic ports created for the slave configurations be bound to the VLAN bridges?
[admin@monkey] /caps-man datapath> export 
# feb/04/2019 03:37:05 by RouterOS 6.43.8
# model = RouterBOARD D52G-5HacD2HnD-TC
/caps-man datapath
add client-to-client-forwarding=yes interface-list=dynamic local-forwarding=yes name=share-datapath
add bridge=bridge-vlan-guest client-to-client-forwarding=yes interface-list=dynamic local-forwarding=yes name=vlan-guest-datapath vlan-id=20 vlan-mode=use-tag
add bridge=bridge-vlan-admin client-to-client-forwarding=yes interface-list=dynamic local-forwarding=yes name=vlan-admin-datapath vlan-id=10 vlan-mode=use-tag
And yet, here are the ports, and the dynamic ones from the wireless interfaces towards the end are defined over the "default" bridge.
[admin@monkey] /interface bridge port> print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                  BRIDGE                               HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON 
 0   H ;;; defconf
       ether2                     bridge                               yes    1     0x80         10                 10       none 
 1 I H ;;; defconf
       ether3                     bridge                               yes    1     0x80         10                 10       none 
 2 I H ;;; defconf
       ether4                     bridge                               yes    1     0x80         10                 10       none 
 3 I H ;;; defconf
       ether5                     bridge                               yes    1     0x80         10                 10       none 
 4     ;;; defconf
       wlan2.4-iface              bridge                                      1     0x80         10                 10       none 
 5     ;;; defconf
       wlan5-iface                bridge                                      1     0x80         10                 10       none 
 6  D  wlan49                     bridge                                     10     0x80         10                 10       none 
 7  D  wlan50                     bridge                                     20     0x80         10                 10       none 
 8  D  wlan51                     bridge                                     10     0x80         10                 10       none 
 9  D  wlan52                     bridge                                     20     0x80         10                 10       none 
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two SSID, Two DHCP servers

Mon Feb 04, 2019 6:02 am

The more I read, the more it seems capsman should be avoided unless absolutely necessary. It seems very complex and probably without a decent user guide as so many seem to have difficulties due to trying to use capsman.
 
LoneGunMan
just joined
Topic Author
Posts: 11
Joined: Sun Jul 29, 2018 9:58 pm

Re: Two SSID, Two DHCP servers

Mon Feb 04, 2019 6:27 am

> The more I read, the more it seems capsman should be avoided unless absolutely necessary. It seems very complex and probably without a decent user guide as so many seem to have difficulties due to trying to use capsman.
The final deployment will have CAP on the network.
 
baragoon
Member Candidate
Posts: 294
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Two SSID, Two DHCP servers

Mon Feb 04, 2019 8:13 am

set
local-forwarding=no
for guest ap
 
LoneGunMan
just joined
Topic Author
Posts: 11
Joined: Sun Jul 29, 2018 9:58 pm

Re: Two SSID, Two DHCP servers

Mon Feb 04, 2019 10:24 am

> set
> local-forwarding=no
> for guest ap
:shock: That's it. It's working now. Thanks!

As I suspected, the bridge ports created for the provisioned wireless interfaces are automatically bound to the respective VLANs.

But... why? Sadly the distinction between data plane and control plane is still a bit confusing to me :(.
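Putting baragoon's fix together with anav's interface-list point, one way to apply both on the hAP ac2 from the export above (an added example, not configuration posted in the thread; the bridge, datapath and subnet names are the ones in the first post, while the isolation and management rules in steps 3 and 4 are an assumption about the intended admin/guest split):

```routeros
# 1. Datapath: let CAPsMAN, not the CAP, forward the VLAN SSIDs.
#    With local-forwarding=yes the CAP bridges client frames itself, and the
#    CAP side decides the bridge: here "/interface wireless cap bridge=bridge",
#    which matches the dynamic wlan ports showing up in "bridge" with only a
#    PVID set. With local-forwarding=no the frames go back to CAPsMAN and the
#    dynamic interface is added to the bridge named in the datapath.
/caps-man datapath
set [ find name=vlan-admin-datapath ] local-forwarding=no
set [ find name=vlan-guest-datapath ] local-forwarding=no

# 2. Interface lists: the defconf input rule "drop all not coming from LAN"
#    (in-interface-list=!LAN) drops DHCP and DNS requests arriving on the
#    VLAN bridges unless those bridges are members of LAN.
/interface list member
add interface=bridge-vlan-admin list=LAN comment="admin vlan"
add interface=bridge-vlan-guest list=LAN comment="guest vlan"

# 3. Isolation (assumption: admin = 10.0.10.0/24, guest = 10.0.20.0/24,
#    original LAN = 192.168.88.0/24, as the pools above define). "add" appends
#    after the defconf rules, which is the right place: new guest connections
#    fall through the defconf accepts and reach these rules.
/ip firewall filter
# guest clients may talk to the router only for DHCP and DNS ...
add chain=input in-interface=bridge-vlan-guest protocol=udp dst-port=67,53 action=accept comment="guest: dhcp+dns"
add chain=input in-interface=bridge-vlan-guest protocol=tcp dst-port=53 action=accept comment="guest: dns/tcp"
add chain=input in-interface=bridge-vlan-guest action=drop comment="guest: nothing else to the router"
# ... and must not reach the admin VLAN or the original LAN
add chain=forward in-interface=bridge-vlan-guest dst-address=10.0.10.0/24 action=drop comment="guest -> admin"
add chain=forward in-interface=bridge-vlan-guest dst-address=192.168.88.0/24 action=drop comment="guest -> default lan"

# 4. WebFig/WinBox reachable from the admin side only (the goal in the first
#    post); the original LAN is kept so the wired management path still works.
/ip service
set www address=10.0.10.0/24,192.168.88.0/24
set winbox address=10.0.10.0/24,192.168.88.0/24
```

The datapath `bridge=` only has the intended effect once the datapath is in CAPsMAN forwarding mode, so check `/interface bridge port print` after the change and confirm the dynamic wlan ports now list the VLAN bridges.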
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Two SSID, Two DHCP servers

Mon Feb 04, 2019 12:32 pm

> Sadly the distinction between data plane and control plane is still a bit confusing to me :(.

This is more or less basics of capsman operation ... if you want to use capsman efficiently, you'll have to learn and understand the underlying logical topology.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two SSID, Two DHCP servers

Mon Feb 04, 2019 7:22 pm

and where may that be documented MKX??
 
LoneGunMan
just joined
Topic Author
Posts: 11
Joined: Sun Jul 29, 2018 9:58 pm

Re: Two SSID, Two DHCP servers

Tue Feb 05, 2019 11:16 am

> This is more or less basics of capsman operation ... if you want to use capsman efficiently, you'll have to learn and understand the underlying logical topology.
I have no doubt it is.

Mechanically, I can sort of understand why binding the port to the VLAN bridge makes it work. Why does switching local forwarding on and off change how the port of a provisioned interface is created, as opposed to doing it as I directed it to in the datapath setting?

Suppose that there is one capsman at the very center of a network, say my HAP AC2, connecting to say a bunch of dumb L2 switches, and behind them a bunch of CAPs. My understanding of the difference between local forwarding vs. caps forwarding is that local forwarding allows the caps interfaces to effectively route packets between each other without needing the packet to first be processed through the CAPSMAN layer. When local forwarding is disabled, then, the CAPSMAN processing becomes the bottleneck as all packets will need to be centrally processed. What else does capsman forwarding do? Also, is that just a logical abstraction, or does it really mean LL network traffic must first be processed by the CAPSMAN device, thus making it a real bottleneck?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Two SSID, Two DHCP servers

Tue Feb 05, 2019 11:51 am

> Suppose that there is one capsman at the very center of a network, say my HAP AC2, connecting to say a bunch of dumb L2 switches, and behind them a bunch of CAP. My understanding of the difference between local forwarding vs. caps forwarding is that that local forwarding allows the caps interfaces to effectively route packets between each other without needing the packet to first be processed through the CAPSMAN layer. When local forwarding is disabled, then, the CAPSMAN processing becomes the bottleneck as all packets will need to be centrally processed.

That's about it. I'm sure there are cases when capsman processing is preferred for some reasons. Performance obviously is not one of them. Traffic separation might be, especially if the other infrastructure supports "wildcard" VLANs, which makes it easier to handle a large number of cAPs...
