Community discussions

 
raymonvdm
Member Candidate
Member Candidate
Topic Author
Posts: 154
Joined: Mon Jan 31, 2005 7:47 pm

CAPsMAN Connection issues

Sat Jan 09, 2016 1:03 am

I have the following setup but i`m still having some issues with clients who are connecting to the "wrong" access point

RB450G - CAPsMAN
CRS125-24G-1S-2HnD - Switch
RB941-2nD - Access Point Groud Floor
RB941-2nD - Access Point First Florr


I have the following rules

add action=accept comment=CaliCast disabled=no interface=all mac-address=6C:AD:F8:xx:xx:xx signal-range=-60..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat

add action=reject comment="Reject All Client with low Signal" disabled=no interface=all signal-range=-120..-71 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat

Which results in the following logging on the remote syslog server

Jan  8 23:43:19 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 connected
Jan  8 23:43:25 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 disconnected, too weak signal
Jan  8 23:43:26 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP02-Boven-1-4 rejected, forbidden by access-list
Jan  8 23:43:38 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 connected
Jan  8 23:43:56 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 disconnected, too weak signal
Jan  8 23:43:57 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 connected
Jan  8 23:44:06 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 disconnected, too weak signal
Jan  8 23:44:09 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP02-Boven-1-4 rejected, forbidden by access-list
Jan  8 23:44:21 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 connected
Jan  8 23:44:27 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 disconnected, too weak signal
Jan  8 23:44:28 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP02-Boven-1-4 rejected, forbidden by access-list
Jan  8 23:44:53 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP02-Boven-1-4 rejected, forbidden by access-list
Jan  8 23:45:29 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 connected
Jan  8 23:45:32 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 disconnected, too weak signal
Jan  8 23:45:49 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 connected
Jan  8 23:45:55 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 disconnected, too weak signal
Jan  8 23:45:57 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 connected
Jan  8 23:46:03 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 disconnected, too weak signal
Jan  8 23:46:04 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP02-Boven-1-4 rejected, forbidden by access-list
Jan  8 23:46:16 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 connected
Jan  8 23:46:16 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 disconnected, too weak signal
Jan  8 23:46:30 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 connected
Jan  8 23:46:32 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 disconnected, received deauth: class 2 frame received (6)
Jan  8 23:46:42 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP02-Boven-1-4 rejected, forbidden by access-list
Jan  8 23:46:54 192.168.110.252 caps,info caps: 6C:AD:F8:xx:xx:xx@CAP01-Beneden-1-4 connected

I don`t understand why the CAP01 unit is sending this "too weak signal" messages as it it placed 5 meters from the wireless client (ChromeCast) on the same floor. The CAP02 is placed on the second floor but if i change the access rule the Chromecast is connecting to CAP02 without issues but it should be connecting to the CAP01

How can i resolve this issue?

- Do i need to change the wireless interface on the CAP units (increase or decrease power level) and how to do so ?
- Do i need to change the placement off the CAP (It is laying on its belly) ?
- I have the old hap lite units

Image
Last edited by raymonvdm on Tue Jan 12, 2016 5:41 pm, edited 2 times in total.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: CAPsMan

Sat Jan 09, 2016 1:16 am

currently i dont use capsman

on regular wireless accesslist i use this, i hope it can help you
/interface wireless access-list
add authentication=no forwarding=no signal-range=-120..-73
add signal-range=-85..120


ported to capsman
/caps-man access-list
add action=reject interface=all signal-range=-120..-73
add action=accept interface=all signal-range=-85..120
 
raymonvdm
Member Candidate
Member Candidate
Topic Author
Posts: 154
Joined: Mon Jan 31, 2005 7:47 pm

Re: CAPsMan

Sat Jan 09, 2016 1:24 am

I`m already using these kind of rules which seem to be working fine since the client is rejected on the first floor access point. But it is also rejected on the ground floor access point but not based on the access list but based on the wireless interface handshake itself
 
raymonvdm
Member Candidate
Member Candidate
Topic Author
Posts: 154
Joined: Mon Jan 31, 2005 7:47 pm

Re: CAPsMAN Connection issues

Tue Jan 12, 2016 5:52 pm

I have made the following changes in the setup to make it more straight forward


RB450G

The was are bridge on VLAN110 which was used to connect the "SSID wifi" to the vlan and it is now removed

This is the config on the CAPsMAN

/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=LAN_Datapath vlan-id=112 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=Kruidpad_Datapath vlan-id=112 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=Camera_DataPath vlan-id=113 vlan-mode=use-tag

/caps-man interface
add disabled=no l2mtu=1600 mac-address=E4:8D:8C:13:53:6C master-interface=none name=CAP01-Beneden-1 radio-mac=E4:8D:
add disabled=no l2mtu=1600 mac-address=E4:8D:8C:13:53:D5 master-interface=none name=CAP02-Boven-1 radio-mac=E4:8D

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=Wifi_Security passphrase=
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=HotSpot_Security passphrase=
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=Camera_Security passphrase=

/caps-man configuration
add country=netherlands datapath=HotSpot_Datapath hide-ssid=no mode=ap name=HotSpot security=HotSpot_Security ssid=HotSpot
add country=netherlands datapath=Camera_DataPath hide-ssid=no mode=ap name=CameraNetwerk security=Camera_Security ssid=waesrdtfygukhlij
add channel.band=2ghz-onlyn country=netherlands datapath=LAN_Datapath hide-ssid=no mode=ap name=wifi security=Wifi_Security ssid=wifi
add country=netherlands datapath=Kruidpad_Datapath hide-ssid=no mode=ap name=Kruidpad security=Wifi_Security ssid=kruidvat

/caps-man interface

add configuration=HotSpot disabled=no l2mtu=1600 mac-address=E6:8D:8C master-interface=CAP01-Beneden-1 name=CAP01-Beneden-1-1 radio-mac=00:00:00:00:00:00

add configuration=CameraNetwerk disabled=no l2mtu=1600 mac-address=E6:8D:8C master-interface=CAP01-Beneden-1 name=CAP01-Beneden-1-2 radio-mac=00:00:00:00:00:00

add arp=enabled configuration=wifi disabled=no l2mtu=1600 mac-address=E6:8D:8C master-interface=CAP01-Beneden-1 mtu=1500 name=CAP01-Beneden-1-4 radio-mac=00:00:00:00:00:00

add arp=enabled configuration=Kruidpad datapath.bridge=LAN_Bridge disabled=no l2mtu=1600 mac-address=E6:8D:8C master-interface=CAP01-Beneden-1 mtu=1500 name=CAP01-Kruidpad-Handmatig radio-mac= 00:00:00:00:00:00
 
add configuration=HotSpot disabled=no l2mtu=1600 mac-address=E6:8D:8C master-interface=CAP02-Boven-1 name=CAP02-Boven-1-1 radio-mac=00:00:00:00:00:00
 
add configuration=CameraNetwerk disabled=no l2mtu=1600 mac-address=E6:8D:8C master-interface=CAP02-Boven-1 name=CAP02-Boven-1-2 radio-mac=00:00:00:00:00:00
 
add configuration=wifi disabled=no l2mtu=1600 mac-address=E6:8D:8C master-interface=CAP02-Boven-1 name=CAP02-Boven-1-4 radio-mac=00:00:00:00:00:00

/caps-man access-list

add action=accept comment="S4 Mini" disabled=no interface=all mac-address=AC:36:13 signal-range=-70..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject comment="Reject All Client with low Signal" disabled=no interface=all signal-range=-120..-71 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject comment="Deny All" disabled=no interface=all signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes

/caps-man provisioning
add action=create-enabled name-format=identity name-prefix=OfficeAP slave-configurations=HotSpot,CameraNetwerk,*5,wifi,*9,*A,*B,*8,*7


RB941-2nD

/interface bridge
add name=Local_Bridge

/interface wireless
# managed by CAPsMAN
# channel: 2427/20-Ce/gn(30dBm), SSID: , CAPsMAN forwarding
set [ find default-name=wlan1 ] rx-chains=0 ssid=MikroTik tx-chains=0

/interface ethernet
set [ find default-name=ether1 ] name="ether1 - Uplink"
set [ find default-name=ether2 ] master-port="ether1 - Uplink"
set [ find default-name=ether3 ] master-port="ether1 - Uplink"
set [ find default-name=ether4 ] master-port="ether1 - Uplink"

/interface vlan
add interface="ether1 - Uplink" l2mtu=1594 name=vlan15 vlan-id=15
add interface="ether1 - Uplink" l2mtu=1594 name=vlan110 vlan-id=1110
add interface="ether1 - Uplink" l2mtu=1594 name=vlan250 vlan-id=250

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge port
add bridge=Local_Bridge interface="ether1 - Uplink"

/interface wireless cap
set bridge=Local_Bridge certificate=request discovery-interfaces="ether1 - Uplink" enabled=yes interfaces=wlan1

As soon is i disable the Local_Bridge the the wifi netwerk are no longer accepting traffic (even if the remove the Local_Brdige from /interface wireless cap

I also updated the HAP Lite from Current Firmware 3.22 to Upgrade Firmware 3.27

The questions i have

- How can i force one access-point to a specific channel without setting all connected APs to this channel?
- How can i remove the bridge interface from the HAP units (because a lot of bridge in the network seem to be the cause of some issues
- How do i set the correct wifi settings such as powerlevel and width as i`m not yes a experienced wifi administrator :-)
- Do you need additional information to help me?
 
raymonvdm
Member Candidate
Member Candidate
Topic Author
Posts: 154
Joined: Mon Jan 31, 2005 7:47 pm

Re: CAPsMAN Connection issues

Thu Jan 14, 2016 6:36 am

I noticed that the access-points are quite often changing for channel to channel. I have not found a way to restict this except setting a specific channel

Image


However is still see disconnects on especially Android Phones

Who is online

Users browsing this forum: No registered users and 24 guests