hello
my setup is pretty straightforward
I have a cAP ac connected to a hAP ac^2 by cable
the hAP is the main router
the cAP is just redirecting all dhcp request to the hAP, cAP mostly behave a like a switch
I have removed hardware offload on both and I activated tracking connection in the ip firewall
right now if I have a wireless client connected to the cAP and try to connect to a device that is also connection to the cAP i don't see the connection happening in the ip firewall in the hAP, i see it in the cAP.
is there a way to force all connection to go through the hAP. Main reason is my firewall rule / address list are only in the hAP and if possible I don't want to duplicate all of it in the cAP. I want the cAP to be dumb as possible.
Re: making sure the main router manage all connection?
If the cAP behaves like a switch, clients in the same subnet have no reason to take the long way via the hAP and back since they can see each other on L2. If they are in different subnets (and thus probably on different SSIDs), you'd have to use policy routing to prevent them from using local routes on the cAP.
So export the configuration of the cAP to get a useful advice. Check my automatic signature below before posting it.
So export the configuration of the cAP to get a useful advice. Check my automatic signature below before posting it.
Re: making sure the main router manage all connection?
I don't see the reason to do that...I have removed hardware offload on both
You miss one important thing, the devices within the same Broadcast Domain are communicating to each other in the Layer 2, using MAC addresses. Layer 2 Traffic, does not pass through the Firewall. Layer 3 Traffic on the other hand will pass through the Firewall.
The only reason that would explain disabling hardware offload is the use of Bridge Firewall, which forces the traffic passing the Bridge to flow through the prerouting, forward and postrouting chains... But that would be of use if we wanted to filter the Layer 2 traffic... Is that something you want to do ?
Re: making sure the main router manage all connection?
here it isSo export the configuration of the cAP to get a useful advice. Check my automatic signature below before posting it.
Code: Select all
[admin@MikroTik-W] > export hide-sensitive
# apr/26/2020 15:52:08 by RouterOS 6.46.4
# model = RouterBOARD cAP Gi-5acD2nD
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n channel-width=20/40mhz-XX country=canada2 disabled=no distance=indoors frequency=2442 installation=indoor l2mtu=1598 mode=ap-bridge name=interface-WLAN1 ssid=MikroTik-2.4-P \
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-n/ac bridge-mode=disabled channel-width=20/40/80mhz-XXXX country=canada2 disabled=no distance=indoors installation=indoor l2mtu=1598 mode=ap-bridge name=interface-WLAN2 ssid=\
MikroTik-5-P wireless-protocol=802.11 wps-mode=disabled
/interface bridge
add admin-mac=CC:2D:E0:10:1B:90 auto-mac=no fast-forward=no name=bridge-WLAN protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=interface-LAN1 poe-out=off
set [ find default-name=ether1 ] name=interface-WAN
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/snmp community
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge-WLAN hw=no interface=interface-WAN
add bridge=bridge-WLAN interface=interface-WLAN1
add bridge=bridge-WLAN interface=interface-WLAN2
add bridge=bridge-WLAN hw=no interface=interface-LAN1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=bridge-WLAN
/ip firewall filter
add action=accept chain=forward disabled=yes log=yes
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip smb shares
set [ find default=yes ] disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-autodetect=no time-zone-name=America/Toronto
/system identity
set name=MikroTik-W
/system ntp client
set enabled=yes
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server ping
set enabled=no
Re: making sure the main router manage all connection?
i want all traffic to go through the hAP even if it could stay inside the cAP for performance / speed / efficiency / etcI don't see the reason to do that...I have removed hardware offload on both
You miss one important thing, the devices within the same Broadcast Domain are communicating to each other in the Layer 2, using MAC addresses. Layer 2 Traffic, does not pass through the Firewall. Layer 3 Traffic on the other hand will pass through the Firewall.
The only reason that would explain disabling hardware offload is the use of Bridge Firewall, which forces the traffic passing the Bridge to flow through the prerouting, forward and postrouting chains... But that would be of use if we wanted to filter the Layer 2 traffic... Is that something you want to do ?
Re: making sure the main router manage all connection?
The traffic anyways will go through the HAP when it must go through the HAP...i want all traffic to go through the hAP
HAP is your Router, when traffic needs to be routed will go through it...
Other than that, HAP can handle Layer 2 traffic and CAP can do it as well...
For example, when 2 wireless clients connected to CAP want to talk to each other, that type of traffic is Layer 2 and will never pass through the HAP because there is no reason for such thing to happen...
Re: making sure the main router manage all connection?
if what i'm trying to do is not possible, my next question would be how to bring dynamic address list from the hAP to the cAP
bringing static address list are easy and firewall rule is easy, just not fun to maintain when thing changes, this is what i'm trying to avoid.
bringing static address list are easy and firewall rule is easy, just not fun to maintain when thing changes, this is what i'm trying to avoid.
Re: making sure the main router manage all connection?
ultimately, my goal is allowing some wireless client on the cAP to access some device that are connected directly to the cAP and blocking other based on dynamic address listThe traffic anyways will go through the HAP when it must go through the HAP...i want all traffic to go through the hAP
HAP is your Router, when traffic needs to be routed will go through it...
Other than that, HAP can handle Layer 2 traffic and CAP can do it as well...
For example, when 2 wireless clients connected to CAP want to talk to each other, that type of traffic is Layer 2 and will never pass through the HAP because there is no reason for such thing to happen...
I already have everything setup on the hAP, i wish to avoid duplicating configuration and i simply don't know how to bring dynamic address into the cAP
Re: making sure the main router manage all connection?
Blocking others from doing what ?Blocking other based on dynamic address list
Accessing the Internet ? Some local hosts ?
Last edited by Zacharias on Sun Apr 26, 2020 11:44 pm, edited 1 time in total.
Re: making sure the main router manage all connection?
The "other device connected to cAP" is connected also wirelessly or to the remaining Ethernet port?
Re: making sure the main router manage all connection?
both but to be more specific, i want to make sure some wireless client doesn't get to the remaining port, the other way around for now is not important (would be a nice to have i guess)The "other device connected to cAP" is connected also wirelessly or to the remaining Ethernet port?
Re: making sure the main router manage all connection?
So, you re telling that up to now you were using a Dynamic Address List to block Wireless clients accessing Local Resources (Layer 2 Traffic )using the Firewall... And now you want to extend that on CAP...
You know that this is possible only by using Bridge Firewall right ?
Otherwise you blocked nothing...
Anyways, the most effective setup to me would be to Create 2 VLANs, one for your WiFi Clients and one for your personal use...
You know that this is possible only by using Bridge Firewall right ?
Otherwise you blocked nothing...
Anyways, the most effective setup to me would be to Create 2 VLANs, one for your WiFi Clients and one for your personal use...
Re: making sure the main router manage all connection?
i'm able to use the ip firewall to block since i removed the hardware offloading (i have tested it)So, you re telling that up to now you were using a Dynamic Address List to block Wireless clients accessing Local Resources (Layer 2 Traffic )using the Firewall... And now you want to extend that on CAP...
You know that this is possible only by using Bridge Firewall right ?
Otherwise you blocked nothing...
Anyways, the most effective setup to me would be to Create 2 VLANs, one for your WiFi Clients and one for your personal use...
I know vlan could be a solution but i'm not familiar on how vlan work inside the router, so having vlan working between 2 devices would be a huge learning curve.
(if a lan port have a computer running multiple VM, how to set specific VLAN for each vm, this where i would have to start...)
right now i'm using dynamic/static address list and ip firewall to manage access
Re: making sure the main router manage all connection?
Then you have enabled the Bridge Firewall under Bridge Settings...i'm able to use the ip firewall to block since i removed the hardware offloading (i have tested it)
Again, the Firewall does not capture Layer 2 traffic.... The only way to achieve that is to enable the Bridge Firewall and force that traffic to pass through prerouting, forward and postrouting chains of the Firewall Filter... Which ofcorse has an impact on performance...
In case a wireless client on the CAP tries to reach your other device that is lets say connected to the eth port of CAP, you can't block it with the rules that exist on the HAP...
So you should enable Bridge firewall to CAP as well and make the appropriate configuration...
But if your other device is connected to the HAP, then it will work because the HAPs firewall will catch the traffic...
Re: making sure the main router manage all connection?
If @Spirch original requirement was
Would the best solution be to use CAPsMAN on the hAP to manage all the wireless interfaces and set the datapath to disable local forwarding?a way to force all connection to go through the hAP. Main reason is my firewall rule / address list are only in the hAP and if possible I don't want to duplicate all of it in the cAP. I want the cAP to be dumb as possible.
Re: making sure the main router manage all connection?
Yes, that would be an option too...
CapsMan to Forwarding Mode so that he makes use of the Bridge Filtering on the HAP...
However the Best certainly not...
A proper segmentation of the Network would consist of VLAN configuration and proper Firewall configured...
CapsMan to Forwarding Mode so that he makes use of the Bridge Filtering on the HAP...
However the Best certainly not...
A proper segmentation of the Network would consist of VLAN configuration and proper Firewall configured...
Re: making sure the main router manage all connection?
i will look into capsman, thanks
Re: making sure the main router manage all connection?
thanks this was it i think.Would the best solution be to use CAPsMAN on the hAP to manage all the wireless interfaces and set the datapath to disable local forwarding?
i never looked into capsman, tookme 30-45 minutes to get it up and working, nice to see that all 4 wireless (2 per device) are now under one ssid too
now time to read a little bit more about what should be done to have a properly configured capsman server / cap client, to be sure what i have done is ok
Re: making sure the main router manage all connection?
I would go back to the beginning and forget about the equipment at least we know you have three devices and by the way, the hapac2 should be the main router it has a much better CPU while the HAP is an excellent wifi device and a better choice for switch and just use the cap ac as an access point.
Be that as it may, the config is actually determined by the use cases, something sorta hinted at a bit, but not properly and fully detailed..
how many groups of users do you have
Are they wired or wireless or both
What are their requirements - need access too.
What dont you want them to have access to.
Do you have lot devices (wired or wirless or both)
Any other special considerations - servers, shared printers etc.........
Once you outlined the functionality of the users and devices, the config will fall naturally.
Be that as it may, the config is actually determined by the use cases, something sorta hinted at a bit, but not properly and fully detailed..
how many groups of users do you have
Are they wired or wireless or both
What are their requirements - need access too.
What dont you want them to have access to.
Do you have lot devices (wired or wirless or both)
Any other special considerations - servers, shared printers etc.........
Once you outlined the functionality of the users and devices, the config will fall naturally.
Re: making sure the main router manage all connection?
after testing around with capsman, i made it work ok but after searching online, i can see that the issue of slowness that affect me, affect a lot other people
i went back to what it was for now and i will continue looking into a way to route the wireless data/connection from the cAP into the hAP so the hAP firewall can do it thing
(i will also be looking to see if there is a solution for capsman)
i went back to what it was for now and i will continue looking into a way to route the wireless data/connection from the cAP into the hAP so the hAP firewall can do it thing
(i will also be looking to see if there is a solution for capsman)
Re: making sure the main router manage all connection?
Take a look at VLANs as already suggested ... using VLANs you can split your network into separate parts and configure it so that only main router can pass traffic between different VLANs. It is not that complicated (about the same as capsman) ... You'll need it for your VMs as you already mentioned
Re: making sure the main router manage all connection?
What would you suggest here @mkx, Bridge VLAN filtering thus losing the HW Offload or SW Filtering ?
Re: making sure the main router manage all connection?
Since the only path between the switch chip and the wireless interface goes via CPU anyway, the hardware VLAN filtering on the cAP only handles frames between the two Ethernet ports. On the other hand, even if you don't activate vlan-filtering=yes on the bridge, you can still let the wireless interfaces tag the frames when forwarding them from the air to the bridge and untag them in the opposite direction, so the vlan-filtering may stay on no on the bridge unless you want to policy which VLANs will be allowed on the Ethernet ports.
Re: making sure the main router manage all connection?
i'm not sure how to create a network diagram but mostly;
on the cAP: wireless access point
lan1 connected to hAP
lan2 connected to dumb switch that provide POE power / access to multiple security camera
on the hAP: second wireless access point, main device, dhcp server
lan1 connected to isp
lan2 connected to desktop with multiple vm
lan3 connected to iptv
lan4 connected to nas with possible vm, security camera record video on the nas
lan5 connected to cAP
main issue;
making sure only specific wireless client on the cAP can access the security camera
i want to block some vm from having access to the camera
so far i was able to do everything with the ip firewall, if i go with vlan, i will have to learn / understand how to do all of this and i'm sure some firewall rule can be removed
mostly, right now i use the cAP as a dumb switch and wireless access point, i think going vlan i would have to add configuration on it too
on the cAP: wireless access point
lan1 connected to hAP
lan2 connected to dumb switch that provide POE power / access to multiple security camera
on the hAP: second wireless access point, main device, dhcp server
lan1 connected to isp
lan2 connected to desktop with multiple vm
lan3 connected to iptv
lan4 connected to nas with possible vm, security camera record video on the nas
lan5 connected to cAP
main issue;
making sure only specific wireless client on the cAP can access the security camera
i want to block some vm from having access to the camera
so far i was able to do everything with the ip firewall, if i go with vlan, i will have to learn / understand how to do all of this and i'm sure some firewall rule can be removed
mostly, right now i use the cAP as a dumb switch and wireless access point, i think going vlan i would have to add configuration on it too
Re: making sure the main router manage all connection?
@sindy i was thinking of VLAN Filtering on the Main Router...
But now that you said that, the example here https://wiki.mikrotik.com/wiki/Manual:C ... rding_Mode suits perfectly in the situation...
But now that you said that, the example here https://wiki.mikrotik.com/wiki/Manual:C ... rding_Mode suits perfectly in the situation...
Re: making sure the main router manage all connection?
ok, i will take a look at vlan
any recommended link (other the mikrotik wiki)? text or video.
link that can be useful for me, having cAP and hAP, hAP being the main device
like link for beginner with kind of best practice, i don't want to follow a guide that will leave security or performance on the side to make thing "just work"
thanks
any recommended link (other the mikrotik wiki)? text or video.
link that can be useful for me, having cAP and hAP, hAP being the main device
like link for beginner with kind of best practice, i don't want to follow a guide that will leave security or performance on the side to make thing "just work"
thanks
Who is online
Users browsing this forum: Amazon [Bot], Bing [Bot], CGGXANNX, gerryho, go4030, techcomtecnico, Techsystem and 42 guests