GiovanniG
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Nov 15, 2015 4:12 pm

Help on wiring solution

Mon Jan 25, 2021 6:45 pm

Hi, I need to build a network for a restaurant. It consists of internet access, a main switch where all terminals/office PCs are connected, and hotspots. Each hotspot should broadcast the main local office network, plus it needs to provide internet access for guests. For guest access a second IP domain will be necessary, managed by the internet router (provided by the provider) on the same interface port, which will allow access only after an identification process. I need to know if these configurations may be valid; please correct me if I'm describing it wrong. Have a look:
conf1.jpg
Simple configuration: 3 MikroTik (on edge) routers are connected to a CAPSMAN which broadcasts the main and secondary IP domains on 2 different SSIDs; a Terminal is connected on their 2nd LAN port (to the main IP domain, yellow triangles). On the gateway interface of the CAPSMAN there will be both IP domains with a gateway (the internet access, red circle), via a simple switch (blue hexagon). The brown links should be configured as VLANs, and each VLAN should be assigned to a different bridge, if I understood correctly.

A second possible connection is this:
conf2.jpg
The CAPSMAN will output the VLAN to the switch too (does this work on an unmanaged switch, or does it discard packets?). This is more convenient because only 2 wires need to be placed for the router, and in this case I can install many more hotspots without the limitation of the 4 available ports on the router. Can it work?

Thank you a lot for help
 
GiovanniG
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on wiring solution

Mon Jan 25, 2021 7:01 pm

I've just read that an unmanaged switch will not accept VLAN packets since they are 4 bytes bigger than standard, so the last solution will not be possible. I'll buy an 8-port router in case I need more than 4 edge hotspots.

By the way, do I really need to use VLANs in such a process? 2 different IP domains may be present in the same bridge, but when I tried that with CAPS I had several problems; it worked only on the CAPSMAN.
 
tdw
Forum Veteran
Posts: 712
Joined: Sat May 05, 2018 11:55 am

Re: Help on wiring solution

Mon Jan 25, 2021 7:54 pm

The recommended setup for Mikrotiks with VLANs is to use a single VLAN-aware bridge, there is a good primer in the forum viewtopic.php?t=143620

If the wired client connections (what you have called terminals) are on one network you can use CAPsMAN forwarding to segregate the wireless network instead of VLANs, although this does potentially reduce throughput and increase CPU load on the APs and CAPsMAN controller due to the traffic encapsulation it uses.

VLAN-tagged traffic is just a different ethertype and slightly larger packet, which although more than the original ethernet standards, is handled by many unmanaged switches unless they use very old chipsets.

It isn't clear what you mean by "second IP domain managed by the internet router" - is this a second IP address on one subnet, a second subnet provided on a different port or VLAN on the internet router, or something else.
 
GiovanniG
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on wiring solution

Mon Jan 25, 2021 11:01 pm

Thanks for the answer. The internet router will provide 2 subnets on one link (I think that is possible) with 2 gateways: one is for the office, the second (filtered by authorization) for guests.
So you are telling me I can avoid using VLANs: on the CAPSMAN I can connect only ethernet1 to the main switch, assign every IP subnet to a different bridge, and in the CAPS setup associate the office SSID with the office bridge and the public SSID with the public bridge. Output the CAPSMAN to the same eth1 (the internet connection will be only 20 megabits, so one port can physically do it all), configure the other APs with an IP of the office subnet, and accept CAPSMAN from the main router IP.
Does it work like that?
My experience (never solved yet) is that not using VLANs but 2 IP subnets on the same bridge created problems on the remote CAPS; only if I disabled the second SSID (from the CAPSMAN) did the main first one work. That was really strange. I never had time afterwards to fix it, but one day I should.
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help on wiring solution

Mon Jan 25, 2021 11:22 pm

Suggest that you hire someone to do this right. This is a business and not an experiment to see what you can do without any training.
I hope you are not thinking of using capsman and MT wifi devices as well?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
GiovanniG
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on wiring solution

Tue Jan 26, 2021 11:28 pm

Thanks for the answer.
Why can only an expert with long training do that? Why can't the process be described here? I can test it, but I just need a basic guide: which is the right way I need to follow to reach the goal?
I need 2 SSIDs managed by CAPsMAN, and each SSID should broadcast a different IP domain. Is that possible? How? Should I configure each subnet on a different bridge? Only one ethernet port? No need for VLANs? Thanks for suggestions!

Using logic, if I can guess, 2 bridges are needed on the CAPSMAN: assign the office's subnet to the default bridge and the guests' subnet to a new one. Both bridges should be linked to eth1 (connected to the internet gateways) to receive traffic. In the CAPS configuration the office SSID will be assigned to the main office bridge, and the guests' SSID to the other bridge.
In the first case/scheme (CAPS directly connected to the CAPSMAN by eth2, 3, 4...) the other ethernet ports should be assigned to the office bridge only; on the CAPS there will be only the default bridge with an IP from the office subnet. All eth ports are on the same bridge, so I can connect terminals too on the same ethernet broadcast domain.
Maybe, to simplify the wiring, I can connect the CAPS to the switch without changing the config, and the CAPSMAN will also use eth1 for sending the CAPS the encapsulated traffic, with the advantage that the CAPSMAN will not concentrate (level 2) all terminals on only one uplink; only the SSIDs' traffic will flow on it.
Thank you a lot for your comments
 
GiovanniG
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on wiring solution

Thu Jan 28, 2021 12:38 pm

I'm asking a kind soul to help me by showing the right way, thanks
 
tdw
Forum Veteran
Posts: 712
Joined: Sat May 05, 2018 11:55 am

Re: Help on wiring solution

Thu Jan 28, 2021 8:04 pm

Having two subnets on one link without VLANs is possible but is unusual - it doesn't provide isolation, and DHCP can only be used to assign dynamic addresses to one subnet.

Other than this weird internet connection the normal way of implementing this would be to use a single VLAN-aware bridge on the Mikrotik running the CAPsMAN controller, then either ethernet connections with VLANs to the other Mikrotiks with local forwarding, or just the main network with no VLANs to the other Mikrotiks with CAPsMAN forwarding.

Other than the forum topic mentioned previously on VLANs there are some outline examples in the Wiki https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering (sections 11.1, 11.2, 11.3 & 11.4) and https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs
 
GiovanniG
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on wiring solution

Thu Jan 28, 2021 11:00 pm

I'm really glad for your kind help! Yes, you said something wise: I can't have 2 subnets running on one link due to DHCP issues. So my question is, can we forget about VLANs and consider this circuit:
conf2.jpg
The CAPSMAN router is connected with eth1 to the switch, as are all the other CAPs, and on eth2 directly to the internet access for the guests' subnet. I'll create a new bridge assigned to eth2; now can I add the slave CAP SSID to bridge2 and output all CAPSMAN to eth1? I suppose yes, because CAPS don't care about level 2 but about the target IP.
The other CAPS will have the main subnet configured, so all other LAN ports may be used for terminals.
 
tdw
Forum Veteran
Posts: 712
Joined: Sat May 05, 2018 11:55 am

Re: Help on wiring solution

Fri Jan 29, 2021 12:46 am

No, one VLAN aware bridge. Then make the port connected to the guest network on the router (blue line) an access port for the guest VLAN. As the unmanaged switch may not pass tagged traffic make all the other Mikrotik ports access ports too, and use CAPsMAN forwarding to encapsulate the guest traffic.
 
GiovanniG
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on wiring solution

Fri Jan 29, 2021 10:18 am

Thanks for the answer. Sorry mate, my English is not good enough to understand you well.
Did you suggest that I use VLANs everywhere? eth1 and eth2 of the CAPSMAN with VLANs? Connected directly to the internet provider? And all other CAPS with VLANs too?
Why do I need to use VLANs? Can I have everything working without using VLANs?

CAPSMAN should also be used for the office subnet WiFi; maybe I've not explained myself well. I need 2 SSIDs with the CAPSMAN function (roaming between APs), the master SSID connected to the office subnet, the slave SSID to the guest subnet. I also need the office subnet on the ethernet ports of the APs.
On the link between the CAPSMAN and the CAPS there should be CAPsMAN encapsulation + office subnet traffic.
 
GiovanniG
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on wiring solution

Tue Feb 02, 2021 2:52 am

Could you please explain it to me better? Thank you a lot!
 
GiovanniG
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on wiring solution

Tue Feb 02, 2021 4:56 pm

I kindly need help. I'm not sure if I understood correctly: on the CAPSMAN I have to create a new bridge and assign it to a VLAN (while for the office subnet I won't do anything), configure the slave SSID in the CAPs settings to use that bridge, and create a NAT between the networks to allow internet to the VLAN bridge.
Sorry, I can't understand with so few words :((
 
GiovanniG
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on wiring solution

Thu Feb 18, 2021 9:31 pm

Hi, I hope somebody can give me some suggestions, thank you
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help on wiring solution

Thu Feb 18, 2021 9:46 pm

Yes I did earlier,
Any person that does not know an un-managed switch cannot handle VLANs is like a mother who doesn't know that a baby needs warm milk from a bottle, like coming out of a warm-blooded teat!! :-)
In other words you have no business setting up a network for a business.

I am being a kind soul and saving you from headaches, embarrassment and failure when people are depending upon you.
Hire an MT consultant and get it done right, and quickly and then perhaps with some added time in the contract the consultant can explain the setup and also help you maintain it for example.

Just guessing but pick your relevant area........
https://mikrotik.com/consultants/europe/italy
 
sindy
Forum Guru
Posts: 6873
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help on wiring solution

Thu Feb 18, 2021 10:18 pm

First, CAPsMAN is a way to make your life easier when provisioning multiple APs and to reduce the requirements on the transport network capabilities. It is not necessary to make roaming possible, nor does it make it easier or faster. The stations (clients) may roam among individually configured APs that use the same SSID with the same ease (or complexity) as among APs centrally configured by CAPsMAN.

Second, I'll try to rephrase @tdw's last post and extend it a bit. With standalone APs, or with CAPsMAN-configured APs with local-forwarding set to yes, you need one VLAN per SSID on the path between the AP and the central router to keep the networks isolated, which means that the transport network must support VLANs. I haven't seen a "dumb" switch which would not handle VLAN-tagged frames (i.e. 1518-byte ones) yet, but better safe than sorry. So if you use local-forwarding=no, the frames from the APs get transported to the CAPsMAN device encapsulated and encrypted in UDP with an internal information of the wireless interface they belong to, so VLAN tagging on transport between the AP and the CAPsMAN device is not necessary, and the eventual conversion of wireless interface (SSID) to VLAN ID, if necessary at all, can be done at the CAPsMAN device. So you can use a dumb switch to connect more APs to the CAPsMAN device if the bandwidth allows.

But maybe the VLANs may be omitted completely - if I got you right, the guest SSID will be L2-transparently connected to the LAN side of the ISP gear, which will provide DHCP etc. to the guests. So on the CAPsMAN you can use a dedicated bridge, let's say br-guest, and make the wireless interfaces with SSID guest member ports of this bridge along with the Ethernet port connected to the ISP gear. And the wireless interfaces with SSID "company" can be made member ports of another bridge, on which the CAPsMAN device will provide DHCP, routing etc.

Regarding @anav's remark on using Mikrotik cAPs, the point is that recently several competitors provide better throughput on wireless APs than the Mikrotik devices, especially in the 5 GHz band. My private opinion is that this is only worth considering where the uplink bandwidth is so generous that the wireless throughput could become a bottleneck. So neither for a guest WiFi in a restaurant, nor for the mobile terminals used by staff to collect orders and payments, this should be any issue. Leaving aside that you'll have multiple APs and the uplink bandwidth will be shared by all of them. So two APs with 500 Mbit/s (which Mikrotik can easily do on 5 GHz) will consume all the bandwidth of a 1 Gbit/s uplink.

What can be an issue is the roaming speed as the waiters run fast between the hotspots. The roaming is not controlled by the APs but by the terminals, which monitor signal strength and switch over to better signal when available for long enough. But it is critical that forwarding to/from the individual wireless interfaces connected to a bridge is not suppressed, by some flavor of spanning tree protocol running on the bridge, each time the last station unregisters from the wireless interface and that interface thus becomes inactive. So if there is maximum one Ethernet port on the bridge, you can simply set protocol-mode to none on that bridge; if you need the spanning tree protocol to run on the bridge because there is more than one Ethernet, you have to configure the wireless ports as edge ones (and maybe some other settings are necessary too, I've seen something relevant here a few days ago) so that when the wireless port goes up again, the bridge starts forwarding immediately on it and doesn't watch for spanning tree BPDUs for some 15 seconds first.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
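
The two-bridge layout described in the post above (guest SSID bridged straight to the ISP gear, "company" SSID on its own bridge, CAPsMAN forwarding so no tagged frames cross the unmanaged switch), as an added example that is not part of the original posts. It assumes RouterOS v6 with the legacy `/caps-man` menu; the interface names, every profile name other than br-guest, the SSIDs and the passphrase placeholder are assumptions.

```routeros
# Added example for RouterOS v6 (legacy /caps-man menu); names are assumptions.
# Assumed wiring: ether1 = unmanaged switch (office LAN + CAPs),
#                 ether2 = ISP port that serves the guest subnet.

# --- On the CAPsMAN controller ---
/interface bridge
add name=br-office
# Only one Ethernet port sits on the guest bridge, so spanning tree can be
# switched off; forwarding is then not held back when a CAP interface
# goes inactive and comes up again.
add name=br-guest protocol-mode=none

/interface bridge port
add bridge=br-office interface=ether1
add bridge=br-guest interface=ether2
# No IP address is put on br-guest: the ISP gear does DHCP and
# authorisation for guests, the controller only bridges their frames.

/caps-man datapath
# local-forwarding=no: CAPs tunnel client frames to the controller,
# so the switch between CAPs and controller never sees VLAN tags.
add name=dp-office bridge=br-office local-forwarding=no client-to-client-forwarding=yes
# client-to-client-forwarding=no blocks station-to-station traffic
# on the same guest wireless interface.
add name=dp-guest bridge=br-guest local-forwarding=no client-to-client-forwarding=no

/caps-man security
add name=sec-office authentication-types=wpa2-psk encryption=aes-ccm passphrase="<OFFICE-PASSPHRASE>"

/caps-man configuration
add name=cfg-office ssid=company datapath=dp-office security=sec-office
# The guest SSID has no security profile here (open network), on the assumption
# that identification happens on the ISP gear as described in the thread.
add name=cfg-guest ssid=guest datapath=dp-guest

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-office slave-configurations=cfg-guest

/caps-man manager
set enabled=yes

# --- On each CAP (access point) ---
# The AP's own bridge (assumed to be named "bridge") carries only the office
# subnet for wired terminals; wlan1 is handed over to the controller.
/interface wireless cap
set enabled=yes interfaces=wlan1 discovery-interfaces=bridge
```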
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help on wiring solution

Thu Feb 18, 2021 11:40 pm

Sindy is like the guru of MT knowledge, when he breathes I learn stuff through osmosis ;-)
That being said, I do disagree about using Capacs in a mixed environment.
MT WIFI=PISSED OFF USERS.

The reason I went to the same-price TPLINK EAP245 was not for speed but for stability and reliability of all types of devices connecting, Apple and Android.
The CAPAC was horrible for my daughter trying to study for med school, and it was not good for the mother-in-law with multiple calls about weird performance.
Replaced many months ago, and NOT A PEEP or complaint about wifi. Just happy users. So throw out tech speak, and listen to a dose of real life experience.
(You could go on the forums and see a plethora of complaining, but why bother, it's just depressing.)

Finally, the capac is underpowered for upgrades that would allow the wifi improvements shown in the latest beta firmware.
 
GiovanniG
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Nov 15, 2015 4:12 pm

Re: Help on wiring solution

Fri Feb 19, 2021 12:03 am

Thank you Sindy for your lovely post, I promise to focus on it deeply soon; now it's late and I'm going to sleep.
It seems I have different ways to create my setup, and VLAN on the switch is the thing that scares me less. First I'll try with direct wires and eventually later insert a switch between them. I need to try hard on the CAPs settings to reach my goal.
Mates, I don't care about bandwidth; here we don't have plenty of it, there may be only 10-20 megabits. Please let's stay on topic and focus on CAPs/bridges/VLAN settings instead, if your discussion about wireless performance will not affect my goal and the devices that will connect. So let's avoid that now, thanks.
I figured out how roaming works and what can affect it. In my previous experiment I used a minimum signal strength under which the CAPsMAN kicks the user, helping him hurry to always find a stronger signal; the level should be accurately chosen.
Thank you again and good night )
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help on wiring solution

Fri Feb 19, 2021 12:34 am

A very good document for your reading on vlans follows.
My personal belief is that you leave capsman to the very end; it adds a layer of complication that is unnecessary while figuring out the BASICS of configuring WIFI on an MT device and figuring out the BASICS of configuring VLANs. Once you have both mastered, then you may decide why bother with capsman, or then be brave enough and have the ability to fall back to a working config at any time if you get stuck implementing capsman. I have two capacs, and never bothered with capsman as running another process was simply not necessary and it's easy to bugger up the config.

viewtopic.php?f=13&t=143620