TomtiLaBan
just joined
Topic Author
Posts: 6
Joined: Thu Aug 07, 2014 12:39 am

Issues with WiFi/VLAN config

Sun Sep 26, 2021 8:57 am

Every time I try something new with this hardware I swear I'm too dumb to be using it :)

To set up VLANs I referenced this guide: https://github.com/hallzhallz/hallzhall ... %20hEX%20S
For the most part everything looks to be working.
- All devices that should have internet access have it (and those that shouldn't don't).
- All wired devices in the same VLAN can communicate with each other (aka file sharing works).
- Devices on the internet-only VLAN appear to correctly have only internet access.

Issues
- WiFi devices cannot communicate with each other (client-to-client forwarding is enabled, and they are on the same VLAN [based on the IP given]).
- WiFi and hardwired devices cannot communicate.
- I can't access the access point configs (even via WinBox) without plugging directly into them, and then I can access both of them.


I know it's something I've configured wrong, but I'm lost and can't figure it out.

Initially I had issues getting CAPsMAN to work at all.
What made it function was setting the ProCurve VLAN1 from exclude to untag on ports 1-4.
I also needed to set the hEX-S bridge port <ether3> PVID to 1.

Because hEX-S ether5 is unused, the ProCurve can be bypassed while testing is done to get one cAP-ac working; afterwards I'll either need to reconnect to the ProCurve or get a (dumb?) switch to connect the access points to the hEX-S (preferably through the ProCurve, as in the future I'll be running a fiber line to serve the workshop, which needs wired and wireless).

Hardware:
hEX-S, cAP-ac, RB951G (replacing with another cAP-ac), HP ProCurve 1810G - 24 GE
RouterOS v6.48.4 (stable) [only packages: dhcp, security, system, wireless]

Physical Connections:
hEX-S:
SFP = Unused
ether1 = cable modem
ether2 = pihole/unbound raspberry pi
ether3 = ProCurve port#1
ether4 = DumbSwitch serving game consoles (internet only)
ether5 = Unused

cAP-ac / RB951G
ether1 = ProCurve port#3 /#4

ProCurve
port1 = hEX-S ether3
port3 = RB951G ether1
port4 = cAP-ac ether1
port11 = IP Phone
port13 = Printer
port15,17,19,21 = Computers
port23 = NAS

Configs:
ProCurve:
VLAN1: 1-4=Untag, 5-24=Exclude
VLAN63: 1-4=Tag, 5-12=Untag, 13-24=Exclude
VLAN127: 1-4=Tag, 5-12=Exclude, 13-24=Untag
VLAN191: 1-4 = Tag, 5-24 = Exclude

cAP-ac / RB951G
Due to issues I can't access them remotely, but basically no configs.
I used the reset function with the CAPsMAN option selected; after the reboot I used the QuickSet menu and clicked the option to bridge LAN ports.

hEX-S:
/caps-man channel
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XX frequency=5220 name=5G-C44
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=2G-C1
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2417 name=2G-C2
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2422 name=2G-C3
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2427 name=2G-C4
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2432 name=2G-C5
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2437 name=2G-C6
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2442 name=2G-C7
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2447 name=2G-C8
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2452 name=2G-C9
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2457 name=2G-C10
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2462 name=2G-C11

/caps-man configuration
add country=canada datapath.local-forwarding=yes datapath.vlan-id=191 datapath.vlan-mode=use-tag mode=ap name=5G security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm,tkip security.group-encryption=aes-ccm ssid=SP-5GNet
add country=canada datapath.local-forwarding=yes datapath.vlan-id=191 datapath.vlan-mode=use-tag mode=ap name=2G security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm,tkip security.group-encryption=aes-ccm ssid=SP-Net
add country=canada datapath.local-forwarding=yes datapath.vlan-id=191 datapath.vlan-mode=use-tag hide-ssid=yes name=5G-Guest ssid=SP-Guest

/interface ethernet
set [ find default-name=ether5 ] poe-out=off

/interface bridge
add admin-mac=08:55:31:FE:6C:25 auto-mac=no comment=defconf name=bridge vlan-filtering=yes

/caps-man interface
add channel=2G-C8 configuration=2G disabled=no l2mtu=1600 mac-address=64:D1:54:A4:5F:6D master-interface=none name=RB951G-CR radio-mac=64:D1:54:A4:5F:6D radio-name=64D154A45F6D
add channel=2G-C4 configuration=2G disabled=no l2mtu=1600 mac-address=74:4D:28:A9:8B:76 master-interface=none name=cAPac-LR-2G radio-mac=74:4D:28:A9:8B:76 radio-name=744D28A98B76
add channel=5G-C44 configuration=5G disabled=no l2mtu=1600 mac-address=74:4D:28:A9:8B:77 master-interface=none name=cAPac-LR-5G radio-mac=74:4D:28:A9:8B:77 radio-name=744D28A98B77

/interface vlan
add interface=bridge name=dns-vlan vlan-id=10
add interface=bridge name=guest-vlan vlan-id=191
add interface=bridge name=iot-vlan vlan-id=63
add interface=bridge name=main-vlan vlan-id=127

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=main-pool ranges=10.212.10.101-10.212.10.254
add name=iot-pool ranges=192.168.63.101-192.168.63.254
add name=guest-pool ranges=192.168.191.101-192.168.191.254

/ip dhcp-server
add address-pool=main-pool disabled=no interface=main-vlan name=main-dhcp
add address-pool=iot-pool disabled=no interface=iot-vlan name=iot-dhcp
add address-pool=guest-pool disabled=no interface=guest-vlan name=guest-dhcp

/caps-man access-list
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="P's Quest" disabled=no mac-address=2C:26:17:60:BB:72 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment=PS4 disabled=no mac-address=A8:6B:AD:CF:0A:D1 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- T (Moto E4)" disabled=no mac-address=D4:63:C6:3D:0F:A0 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- T (Umidigi Power)" disabled=no mac-address=00:08:22:73:3D:B9 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- P (Moto E4)" disabled=no mac-address=D0:04:01:7E:F3:E8 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- P (Pixel 4A)" disabled=no mac-address=7E:90:B0:F8:66:9F signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- A (Moto E4)" disabled=no mac-address=88:B4:A6:11:4D:E0 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- A (Nokia 5.3)" disabled=no mac-address=BE:80:62:6B:19:92 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- A (Nokia 5.3) [5GHz]" disabled=no mac-address=E6:06:EE:7A:C1:F2 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Phone -- S (Moto E4)" disabled=no mac-address=D0:04:01:76:5D:56 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Tablet -- P" disabled=no mac-address=B0:6E:BF:05:3E:89 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment=NES-Pi disabled=no mac-address=B8:27:EB:C6:62:6C signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment="Nintendo Switch -- T" disabled=no mac-address=5C:52:1E:66:0C:1E signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Chromecast -- Computer Room" disabled=no mac-address=E4:F0:42:95:C2:6A signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment="3DSXL -- T" disabled=no mac-address=34:AF:2C:F7:5E:81 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment="3DSXL -- P" disabled=no mac-address=18:2A:7B:6B:B6:68 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment="n3DSXL -- T" disabled=no mac-address=CC:FB:65:F3:6A:00 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s comment="eReader -- Sony PRS-T1" disabled=no mac-address=00:01:36:DD:EC:D1 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=63 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Laptop -- Dell 1720" disabled=no mac-address=00:21:5C:3C:98:0D signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Laptop -- Dell 6400" disabled=no mac-address=00:13:02:AC:B7:E0 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Laptop -- Aspire One ZG5" disabled=no mac-address=00:23:4D:85:A2:AB signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Printer -- Canon imageCLASS MF244dw" disabled=no mac-address=74:C6:3B:B3:1A:2B signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=127 vlan-mode=use-tag
add action=reject allow-signal-out-of-range=10s comment="-- REJECT --" disabled=no signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat

/caps-man manager
set enabled=yes

/interface bridge port
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=63
add bridge=bridge interface=ether5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp1 pvid=127

/ip neighbor discovery-settings
set discover-interface-list=MGMT

/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge,ether2,ether3,ether5 vlan-ids=127
add bridge=bridge comment=iot-vlan tagged=bridge,ether3,ether5 untagged=ether4 vlan-ids=63
add bridge=bridge comment=dns-vlan tagged=bridge untagged=ether2 vlan-ids=10
add bridge=bridge comment=guest-vlan tagged=bridge,ether3,ether5 vlan-ids=191

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=main-vlan list=VLAN
add interface=iot-vlan list=VLAN
add interface=main-vlan list=MGMT
add interface=guest-vlan list=LAN
add interface=guest-vlan list=VLAN

/ip address
add address=10.212.10.3/24 interface=main-vlan network=10.212.10.0
add address=192.168.63.3/24 interface=iot-vlan network=192.168.63.0
add address=10.10.10.3/24 interface=dns-vlan network=10.10.10.0
add address=192.168.191.3/24 interface=guest-vlan network=192.168.191.0

/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no

/ip dhcp-server lease
add address=10.212.10.18 comment=Printer mac-address=84:BA:3B:91:A7:C0 server=main-dhcp
add address=192.168.63.18 client-id=1:0:b:82:63:cd:f8 comment="IP Phone" mac-address=00:0B:82:63:CD:F8 server=iot-dhcp
add address=10.212.10.20 comment="Chromecast -- Computer Room" mac-address=E4:F0:42:95:C2:6A server=main-dhcp

/ip dhcp-server network
add address=10.212.10.0/24 comment=main-dhcp gateway=10.212.10.3
add address=192.168.63.0/24 comment=iot-dhcp gateway=192.168.63.3
add address=192.168.191.0/24 comment=guest-dhcp gateway=192.168.191.3

/ip dns
set allow-remote-requests=yes servers=10.10.10.10

/ip dns static
add address=10.212.10.3 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN ICMP Ping" in-interface-list=VLAN protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="Drop all other traffic"
add action=reject chain=forward comment="Block Nintendo Telemetry" connection-mark=nintendo_telemetry reject-with=icmp-host-unreachable
add action=reject chain=forward comment="Block Internet on Flagged Device" connection-mark=block_internet out-interface-list=WAN reject-with=icmp-host-unreachable
add action=accept chain=forward comment="PI Hole Dashboard Access" dst-address=10.10.10.10 in-interface-list=MGMT
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Pi Hole Internet Access" connection-state=new out-interface-list=WAN src-address=10.10.10.10
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT - enable if need server" connection-nat-state=dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all other traffic"

/ip firewall mangle
add action=mark-connection chain=forward comment="Flag Nintendo Telemetry" dst-address=52.6.240.127 new-connection-mark=nintendo_telemetry passthrough=yes
add action=accept chain=prerouting comment="Flag: No Internet -- BackupNAS" connection-mark=block_internet src-mac-address=24:5E:BE:3E:D2:3B
add action=accept chain=prerouting comment="Flag: No Internet -- Printer" connection-mark=block_internet src-mac-address=84:BA:3B:91:A7:C0

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=webfig disabled=no
set api disabled=yes
set api-ssl disabled=yes

/system clock
set time-zone-name=America/Toronto

/system identity
set name=hEX-S

/tool graphing interface
add allow-address=10.212.10.0/24 interface=ether1 store-on-disk=no
add allow-address=10.212.10.0/24 interface=main-vlan store-on-disk=no
add allow-address=10.212.10.0/24 interface=iot-vlan store-on-disk=no

/tool graphing resource
add allow-address=10.212.10.0/24 store-on-disk=no

/tool mac-server
set allowed-interface-list=MGMT

/tool mac-server mac-winbox
set allowed-interface-list=MGMT
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Issues with WiFi/VLAN config

Sun Sep 26, 2021 5:08 pm

WiFi devices can not communicate with each other (client to client forwarding is enabled, and they are on the same vlan [based on ip given])

Based on IP given? The client forwarding flag is for clients within the same WLAN, AFAIK. If these clients need to communicate with other WLAN or ethernet interface clients, then the WLAN-WLAN-ethernet connection should allow for this (e.g. bridged interfaces or VLAN).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issues with WiFi/VLAN config

Sun Sep 26, 2021 9:34 pm

- WiFi devices can not communicate with each other (client to client forwarding is enabled, and they are on the same vlan [based on ip given])
I cannot remember controlling client-to-client-forwarding by caps-man access-list anywhere so far, so maybe try to permit it in general (set the respective datapath.client-to-client-forwarding=yes) and eventually set it to no in the access-list items where it is currently not set at all.

- WiFi and hardwired devices can not communicate
- I can't access the access point configs (even via WinBox) without plugging directly into them, and then I can access both of them.
I'd expect both to be caused by an absence of any firewall rule allowing forwarding from one VLAN subnet to another. Your topology doesn't show anything wired to be connected to VLAN 191, so the traffic between them must be routed.

Other than that, you may save a tiny bit of CPU power by moving the action=fasttrack-connection rule and its adjacent action=accept connection-state=established,related,untracked one to the very beginning of the forward chain (preserving the mutual order of the two), but first you have to move the rule assigning the Nintendo connection-mark from forward to prerouting, or even better, just let the drop rule in the filter match on the dst-address directly - there's actually little point in doing it this complex.
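The point made above (no forward rule permits one VLAN subnet to reach another, so a WiFi client landing in guest-vlan 191 can only reach the internet) can be checked by walking the posted forward chain. The model below is an added example, not code from the thread or from RouterOS: it encodes the posted /interface list member and the enabled forward rules in their posted order, treats same-VLAN traffic as bridged (the IP firewall is never consulted) and different-VLAN traffic as routed through the forward chain. The sample packets are constructed; the assumption that action=fasttrack-connection does not terminate chain processing is what the defconf rule order relies on.

```python
"""Model of the hEX-S forward chain from the posted config (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# /interface list member, as posted
INTERFACE_LISTS = {
    "WAN": {"ether1"},
    "LAN": {"bridge", "main-vlan", "iot-vlan", "guest-vlan"},
    "VLAN": {"main-vlan", "iot-vlan", "guest-vlan"},
    "MGMT": {"main-vlan"},
}

# /interface vlan, as posted: VLAN id -> routed interface on the bridge
VLAN_IFACE = {127: "main-vlan", 63: "iot-vlan", 191: "guest-vlan", 10: "dns-vlan"}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    conn_state: str = "new"          # first packet of a new connection
    conn_mark: Optional[str] = None  # set by the posted mangle rules, if any


@dataclass(frozen=True)
class Rule:
    comment: str
    action: str
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    conn_state: Optional[str] = None
    conn_mark: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Every matcher that is set on the rule must hold; unset ones are wildcards.
        checks = [
            (self.in_list, lambda: p.in_iface in INTERFACE_LISTS[self.in_list]),
            (self.out_list, lambda: p.out_iface in INTERFACE_LISTS[self.out_list]),
            (self.conn_state, lambda: p.conn_state in self.conn_state.split(",")),
            (self.conn_mark, lambda: p.conn_mark == self.conn_mark),
            (self.src, lambda: p.src == self.src),
            (self.dst, lambda: p.dst == self.dst),
        ]
        return all(test() for cond, test in checks if cond is not None)


# /ip firewall filter chain=forward, enabled rules in the posted order
# (the ipsec-policy rules and the disabled dst-nat rule are omitted)
FORWARD_CHAIN = [
    Rule("Block Nintendo Telemetry", "reject", conn_mark="nintendo_telemetry"),
    Rule("Block Internet on Flagged Device", "reject", conn_mark="block_internet", out_list="WAN"),
    Rule("PI Hole Dashboard Access", "accept", dst="10.10.10.10", in_list="MGMT"),
    Rule("defconf: fasttrack", "fasttrack-connection", conn_state="established,related"),
    Rule("defconf: accept established,related, untracked", "accept",
         conn_state="established,related,untracked"),
    Rule("Pi Hole Internet Access", "accept", conn_state="new", out_list="WAN", src="10.10.10.10"),
    Rule("VLAN Internet Access Only", "accept", conn_state="new", in_list="VLAN", out_list="WAN"),
    Rule("defconf: drop invalid", "drop", conn_state="invalid"),
    Rule("Drop all other traffic", "drop"),
]


def forward_verdict(p: Packet) -> Tuple[str, str]:
    """Walk the chain top-down; return (action, comment) of the first terminating match."""
    for r in FORWARD_CHAIN:
        if r.matches(p):
            if r.action == "fasttrack-connection":
                continue  # assumption: marks the connection, packet keeps traversing the chain
            return r.action, r.comment
    return "accept", "end of chain"


def client_to_client(src_vlan: int, dst_vlan: int, src_ip: str, dst_ip: str) -> str:
    """Same VLAN: bridged at layer 2, the forward chain is never consulted.
    Different VLANs: the hEX-S has to route, so the forward chain decides."""
    if src_vlan == dst_vlan:
        return "bridged"
    return forward_verdict(Packet(VLAN_IFACE[src_vlan], VLAN_IFACE[dst_vlan], src_ip, dst_ip))[0]
```

With the CAPsMAN configuration's default VLAN moved from 191 to 127, a wireless client and a wired main-vlan host share VLAN 127 and fall into the "bridged" case, which matches what the thread later reports.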
 
TomtiLaBan
just joined
Topic Author
Posts: 6
Joined: Thu Aug 07, 2014 12:39 am

Re: Issues with WiFi/VLAN config

Mon Sep 27, 2021 4:40 pm

I don't know if it works with VLANs, but controlling client-to-client-forwarding with the CAPsMAN access-list was working.
(At least as far as I know: with it on, phones could use the Chromecast, but with it off they couldn't.)

Firewall changes have been made. Not sure if I still need to block that IP, but I left it in (got sick of the emails about my Switch gaming sessions, and blocking that IP was the googled solution).

As for my wifi, I must have it configured real bad if seeing the configs didn't help.
Maybe if I try to explain.

The default wifi vlan is the guest one (191), and the access list assigns the wanted vlan for each device (63-internet only / 127-main)
With guest devices the vlan is left as 191, and a private passphrase is used (no guest devices in the list currently to see this)

I figured this is working as the ip assigned to the device by the dhcp server is one from the corresponding vlan's pool.
If I change the vlan in the access list and reconnect the ip changes to that vlan's pool.
Correct ip pool = correct vlan right?


While making the firewall changes it dawned on me: the reason I can only edit the access point configs through a direct connection is because they are only running the default configs.
Neither bridge nor interface have any VLAN configs, and the firewall doesn't have a MGMT entry.
Would this be the cause of my WiFi issue, or is it just the lack of device config access?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issues with WiFi/VLAN config

Mon Sep 27, 2021 6:07 pm

Correct ip pool = correct vlan right?
Since the client can only reach the correct DHCP server if it lands in the correct VLAN, yes, this is a correct assumption. Just for the sake of completeness, exceptions exist - if you create a static lease for a particular MAC address and do not restrict it to a single server, I am afraid it gets assigned even by the "wrong" server, but that doesn't seem to be your case.

While making the firewall changes it dawned on me, the reason I can only edit the access point configs through a direct connection is because they are only running the default configs.
If you set a wireless router to a "default cAP mode" using the reset key during boot, the configuration is "all wired ports bridged together and a DHCP client attached to them, the same bridge specified as the one to use for local forwarding for CAPsMAN-controlled interfaces". I have no idea what happens if you use Quickset to create a cAP configuration, so maybe there's a difference.

Since the filter rules were missing, I didn't check whether the cAPs get their default routes from the DHCP server on the hEX-S.

Neither bridge or interface have any vlan configs, and the firewall doesn't have a MGMT entry.
Would this be the cause of my wifi issue? or it is just the lack of device config access?
It should not be the reason - if the connection is good enough that CAPsMAN can set up the wireless interfaces to make them active, it is also good enough to set the client-to-client forwarding.

I'd prefer to kill the issues one by one, though. It is clear that the WiFi clients can reach the DHCP servers, so the connection of the wireless interfaces to local bridges and the bridging from the cAP via the ProCurve to the hEX S clearly works. Can you check that the wireless client can now access the wired clients by means of routing? If yes, you've added the correct firewall rules; if not, either the rules are not sufficient or there is something else.

As I've missed the fact that the access-list also determines which VLAN the client will land in, are there cases where a wireless client should land in the same VLAN as a wired one? If yes, they should see each other no matter what IP firewall rules or client-to-client forwarding say. If they should but actually don't, I'd start thinking that the ProCurve is filtering non-DHCP traffic.

Separately, I'd try to connect just a single cAP, connect two clients that should land in same VLAN and therefore same subnet to it, and see whether they can talk to each other. Just to exclude the scenario that each connects to another cAP and the traffic between them is blocked by the ProCurve.

Also, bear in mind that if two clients, which should not see each other according to client-to-client-forwarding setting, connect to different cAPs, they will see each other unless you use some L2 filtering on the bridge or switch chip - if this is a concern, there was a topic on this here less than a month ago.
 
TomtiLaBan
just joined
Topic Author
Posts: 6
Joined: Thu Aug 07, 2014 12:39 am

Re: Issues with WiFi/VLAN config

Wed Sep 29, 2021 3:48 pm

Was going to post this yesterday but the site was down when I returned to do so.

If you set a wireless router to a "default cAP mode" using the reset key during boot, the configuration is "all wired ports bridged together and a DHCP client attached to them, the same bridge specified as the one to use for local forwarding for CAPsMAN-controlled interfaces". I have no idea what happens if you use Quickset to create a cAP configuration, so maybe there's a difference.
I used WinBox > System > Reset Configuration, with the options CAPS Mode & Do Not Backup selected.
Once it was loaded I entered Quick Set to set the device name, and noticed an unchecked option about bridging all LAN ports, so I clicked it.
Maybe I shouldn't have touched QS and should just have changed the name under System > Identity instead.


So I've ruled out the ProCurve: I connected the cAP directly to the hEX via ether5 (which has the same config as ether3, which connects to the ProCurve).
The only change was that part of my house lost its WiFi because it was disconnected :)

All wasn't bad though.
While I don't exactly understand the reasoning, I did find a change that makes things work.
It was your talk about client-to-client-forwarding and how the connections were behaving that got me to try a change.

In my CAPs configs I changed the default VLAN from 191 (guest) to 127 (main) and things just started working.
It appears the configuration VLAN (191) was being used for routing, and the access list VLAN was being used to assign an IP.

With the default set to 127, wireless-to-wireless and wireless-to-wired connections communicate.
And to add a bit more to my confusion, using the access list to assign 63 or 191 also appears to work as desired (correct IP, and internet-only access).
My guess is 127 was needed to correctly route through the network, and the three can't talk to each other due to the VLANs' IPs.

So things appear to be working.
But I am verifying via the assigned ip, checking internet, and if clients can communicate. IP turned out to be a dud test so now I'm unsure how accurate the other two are.

Thank you for all the help :)
