I have a working hAP AC2, with the wireless bits all managed under CAPsMAN, and it's been working great for quite a while.
Lately, I find myself in need to setup another AP, but which requires that there be two SSIDs and VLAN'd off from each other. Let's call them admin vs. guest; eventually the webfig page will only be accessible from the admin side, and so on. Both network will go to internet through this device, sort of like the cafe staff vs. guest scenario in the Mikrotik tutorial except there is only one device.
So I started with my hAP config as a base, and added VLANs, bridges for the VLANs (use tag = true), new provisioning, config and datapaths for the two sides, all with tag 10 = admin, 20 = guest. Then I created new DHCP servers configured with admin pool = 10.0.10.x vs guest = 10.0.20.x, and bound the DHCP servers to the respective bridge.
They should all work, I think, except they didn't (of course). I can't get any IP address when my phone or laptop try to connect to either of the new SSIDs, and there is barely any hint of traffic. One thing I do notice is that the wireless interfaces generated by the CAPsMAN slave configurations are all bound to the original "bridge" ports, even though both config and datapaths have explicitly be set against the newly created admin/guest bridges.
Below is the config dump; I would appreciate if someone can point out to me what I have done wrong.
Code: Select all
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface vlan
add interface=bridge-vlan-admin name=vlan-admin vlan-id=10
add interface=bridge-vlan-guest name=vlan-guest vlan-id=20
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(30dBm), SSID: SSID_HERE, local forwarding
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge name=wlan2.4-iface ssid=SSID_HERE wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5260/20-Ceee/ac(23dBm), SSID: SSID_HERE, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country="hong kong" disabled=no distance=indoors frequency=auto mode=ap-bridge name=wlan5-iface ssid=SSID_HERE wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/caps-man channel
add band=2ghz-g/n extension-channel=Ce name=2ghz-cap-channel reselect-interval=5m
add band=5ghz-a/n/ac extension-channel=Ceee name=5ghz-cap-channel reselect-interval=5m
/caps-man datapath
add client-to-client-forwarding=yes interface-list=LAN local-forwarding=yes name=share-datapath
add bridge=bridge-vlan-guest client-to-client-forwarding=yes local-forwarding=yes name=vlan-guest-datapath vlan-id=20 vlan-mode=use-tag
add bridge=bridge-vlan-admin client-to-client-forwarding=yes local-forwarding=yes name=vlan-admin-datapath vlan-id=10 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=default-security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=guess-wifi-security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=admin-wifi-security
/caps-man configuration
add channel=2ghz-cap-channel datapath=vlan-guest-datapath datapath.bridge=bridge-vlan-guest name=guest-wifi-config-2ghz security=guess-wifi-security ssid=guest-test
add channel=5ghz-cap-channel datapath=vlan-guest-datapath datapath.bridge=bridge-vlan-guest name=guest-wifi-config-5ghz security=guess-wifi-security ssid=guest-test
add channel=2ghz-cap-channel datapath=vlan-admin-datapath datapath.bridge=bridge-vlan-admin name=admin-wifi-config-2ghz security=admin-wifi-security ssid=admin-test
add channel=5ghz-cap-channel datapath=vlan-admin-datapath datapath.bridge=bridge-vlan-admin name=admin-wifi-config-5ghz security=admin-wifi-security ssid=admin-test
add channel=2ghz-cap-channel datapath=share-datapath name=2ghz-config security=default-security ssid=SSID_HERE
add channel=5ghz-cap-channel datapath=share-datapath name=5ghz-config security=default-security ssid=SSID_HERE
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled comment="2ghz vlans" hw-supported-modes=gn,g,b master-configuration=2ghz-config name-format=prefix-identity name-prefix=2ghz-vlan slave-configurations=admin-wifi-config-2ghz,guest-wifi-config-2ghz
add action=create-dynamic-enabled comment="5ghz vlans" hw-supported-modes=an,ac,a master-configuration=5ghz-config name-format=prefix-identity name-prefix=5ghz-vlan slave-configurations=admin-wifi-config-5ghz,guest-wifi-config-5ghz
add action=create-dynamic-enabled comment="2ghz provision" hw-supported-modes=gn,g,b master-configuration=2ghz-config name-format=prefix-identity name-prefix=2ghz
add action=create-dynamic-enabled comment="5ghz provision" hw-supported-modes=an,ac,a master-configuration=5ghz-config name-format=prefix-identity name-prefix=5ghz
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=pool-admin ranges=10.0.10.2-10.0.10.100
add name=pool-guest ranges=10.0.20.2-10.0.20.100
add name=dhcp_pool3 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=pool-admin disabled=no interface=bridge-vlan-admin name=dhcp-admin
add address-pool=pool-guest disabled=no interface=bridge-vlan-guest name=dhcp-guest
add address-pool=dhcp disabled=no interface=bridge name=dhcp-default
/interface bridge
add admin-mac=CC:2D:E0:EB:62:51 auto-mac=no comment=defconf name=bridge
add name=bridge-vlan-admin pvid=10 vlan-filtering=yes
add name=bridge-vlan-guest pvid=20 vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan2.4-iface
add bridge=bridge comment=defconf interface=wlan5-iface
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan list=WAN
/interface wireless cap
#
set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=wlan2.4-iface,wlan5-iface
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=10.0.10.1/24 comment="bridge vlan admin address" interface=bridge-vlan-admin network=10.0.10.0
add address=10.0.20.1/24 comment="bridge vlan guest address" interface=bridge-vlan-guest network=10.0.20.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1-wan
/ip dhcp-server lease
add address=192.168.88.198 client-id=1:0:9:b0:cf:83:82 mac-address=00:09:B0:CF:83:82
/ip dhcp-server network
add address=10.0.10.0/24 comment="admin vlan network" dns-server=8.8.8.8,8.8.4.4 gateway=10.0.10.1
add address=10.0.20.0/24 comment="guest vlan network" dns-server=8.8.8.8,8.8.4.4 gateway=10.0.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 domain=home gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN local" src-address-type=local
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
/ipv6 dhcp-server
add address-pool=ISP-ipv6 interface=bridge lease-time=30m name=mikrotik-dhcp-server-v6
/ipv6 pool
add name=internal-pool prefix=2001:db8::/62 prefix-length=64
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ipv6 address
add address=::1 from-pool=ISP-ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-wan pool-name=ISP-ipv6 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=yes interface=bridge managed-address-configuration=yes other-configuration=yes ra-lifetime=15m
/ipv6 nd prefix
add interface=bridge