anuser
Long time Member
Topic Author
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

[SOLVED] CAPSMAN + "Manager Forwarding Mode" + Tagged VLANs (=> use case: EDUROAM)

Fri Feb 26, 2016 11:20 am

Hello,

What would I like to do:
- CAPSMAN with manager forwarding mode
- on CAPSMAN, traffic should be forwarded to a specific tagged VLAN 743
( - in future: CAPSMAN traffic should be forwarded to dynamic tagged VLANs which will all start on the left switch with the help of RADIUS (the RADIUS part is working, only the VLAN configuration doesn't work at all for now). One use case is EDUROAM. My internal users should be forwarded to VLAN A, which will be routed into the internal LAN; external clients should be forwarded to VLAN B, which will be routed into an external subnet)

Well, I played a lot with the config (added vlans, bridges, interconnected everything with everything, proxy arp enable, datapath with VLAN-ID 743, ...), but I cannot get any IP traffic between the network and the laptop being connected to a CAP. I am missing something. Does anyone know what could be wrong?



/export compact

/caps-man channel
add band=5ghz-a/n/ac name=eduroam-5ghz
/caps-man configuration
add country=germany name=PSK1 ssid=PSK1
/interface bridge
add arp=proxy-arp name=bridge-with-vlan-tags protocol-mode=none
add mtu=1500 name=bridge1 protocol-mode=none
/interface vlan
add interface=bridge-with-vlan-tags name=interfacevlan743bridge vlan-id=743
/caps-man datapath
add bridge=bridge1 name=datapath1
add bridge=bridge-with-vlan-tags name=datapath-dynamic-vlan
/caps-man security
add authentication-types=wpa2-eap encryption=aes-ccm name=security1
/caps-man configuration
add channel=eduroam-5ghz country=germany datapath=datapath-dynamic-vlan name=cfg1 security=security1 ssid=SSID1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.11.0.2-10.11.255.254
add name=dhcp_pool2 ranges=10.14.0.2-10.14.255.254
add name=dhcp_pool3 ranges=10.1.16.2-10.1.17.254
add name=dhcp_pool4 ranges=10.14.0.1-10.14.0.239,10.14.0.241-10.14.255.254
add name=dhcp_pool6 ranges=10.19.0.1-10.19.0.239,10.19.0.241-10.19.255.254
add name=dhcp_pool5 ranges=10.14.0.1-10.14.0.239,10.14.0.241-10.14.255.254
/ip dhcp-server
add address-pool=dhcp_pool6 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool5 disabled=no interface=bridge-with-vlan-tags name=dhcp2
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 name-prefix=AccessPoint slave-configurations=SSID2,SSID3,SSID4,PSK1
/interface bridge port
add bridge=bridge-with-vlan-tags interface=ether2
add bridge=bridge-with-vlan-tags interface=interfacevlan743bridge
/ip address
add address=10.1.250.160/23 interface=ether1 network=10.1.250.0
add address=10.19.0.240/16 interface=bridge1 network=10.19.0.0
add address=10.14.0.241/16 interface=bridge-with-vlan-tags network=10.14.0.0
/ip dhcp-server network
add address=10.14.0.0/16 gateway=10.14.0.240
add address=10.19.0.0/16 gateway=10.19.0.240
Last edited by anuser on Mon Mar 14, 2016 1:57 pm, edited 3 times in total.
 
czolo
Member
Posts: 423
Joined: Fri Mar 04, 2005 9:49 am
Location: Poland (Warsaw)

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLAN

Fri Feb 26, 2016 12:38 pm

/interface bridge
add arp=proxy-arp name=bridge-with-vlan-tags protocol-mode=none

/interface vlan
add interface=bridge-with-vlan-tags name=interfacevlan743bridge vlan-id=743

/interface bridge port
add bridge=bridge-with-vlan-tags interface=ether2
add bridge=bridge-with-vlan-tags interface=interfacevlan743bridge
I think that here is the answer. Think about and if you still do not understand, you will get another hint :D
 
anuser
Long time Member
Topic Author
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLAN

Fri Feb 26, 2016 1:12 pm

Hello,

thanks, but I actually don't see the difference between what you suggested and what I already tried? :(
i.e.:
- add a bridge with proxy arp enabled
- add a tagged VLAN (ID 743) on the bridge
- add the ethernet port to the bridge
- add the VLAN-Interface to the bridge

That actually doesn't work for me. There's still no traffic coming through the RouterOS.
Do you have another hint for me? :D
 
czolo
Member
Posts: 423
Joined: Fri Mar 04, 2005 9:49 am
Location: Poland (Warsaw)

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLAN

Sat Feb 27, 2016 4:14 am

Hello,

thanks, but I actually don't see the difference between what you suggested and what I already tried? :(
i.e.:
- add a bridge with proxy arp enabled
- add a tagged VLAN (ID 743) on the bridge
- add the ethernet port to the bridge
- add the VLAN-Interface to the bridge

That actually doesn't work for me. There's still no traffic coming through the RouterOS.
Do you have another hint for me? :D
Yep
I show you the place where the problem is, not a solution 8)
 
anuser
Long time Member
Topic Author
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLAN

Sun Feb 28, 2016 9:59 pm

Well, I played a lot with VLAN tagging. Let's summarize:

1. With CAPSMAN a (listed) CAP is an interface
2. So, let's create a bridge, then "port add" the "ethernet2" interface and the "CAP" interface
2.1 All untagged traffic will happily pass that bridge
3. If I want a tagged VLAN to pass through that bridge, let's create an "/interface vlan", give it a VLAN tag and put it onto the bridge. (no need for proxy arp, it's one single VLAN)
3.1 Now with a tagged VLAN added to the datapath of CAPSMAN, the tagged traffic should actually flow from the ethernet interface over the bridge to the CAP interface
(4. If I add an IP address on the previously created "interface vlan" I should be able to ping that IP from the switch and from a laptop at the CAP, plus switch and laptop should happily ping each other)
 
czolo
Member
Posts: 423
Joined: Fri Mar 04, 2005 9:49 am
Location: Poland (Warsaw)

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLANs (=> use case: EDUROAM)

Mon Feb 29, 2016 9:00 pm

Ok - next hint:
Creating a VLAN on a bridge and adding it to the same bridge is a good way into trouble. So if you want to use that VLAN for untagging traffic from the capsman datapath, just don't add it to that bridge again. If you have to untag it to another ether interface, try to use another bridge.
 
anuser
Long time Member
Topic Author
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLANs (=> use case: EDUROAM)

Wed Mar 02, 2016 12:14 pm

I want the traffic of a laptop that connects to the CAP to be forwarded by RouterOS to a tagged VLAN that resides on ethernet2. (The whole setup was running with untagged traffic. But this is not my goal, as I want to use multiple tagged VLANs on ethernet2 later and get traffic over them)

With my current config:
- The switch can ping RouterOS which replies
- The laptop can ping RouterOS which replies
- When I ping the IP address of the laptop from the switch, on the laptop within Wireshark I can see the ARP requests coming in, I can see the ICMP coming in and the laptop replies to those requests, but those answers never reach the switch.

So why doesn't RouterOS get those IP packets back to the switch (over ethernet2)?
 
brwainer
newbie
Posts: 47
Joined: Tue Feb 02, 2016 2:55 am

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLAN

Wed Mar 02, 2016 10:00 pm

/interface bridge
add arp=proxy-arp name=bridge-with-vlan-tags protocol-mode=none

/interface vlan
add interface=bridge-with-vlan-tags name=interfacevlan743bridge vlan-id=743

/interface bridge port
add bridge=bridge-with-vlan-tags interface=ether2
add bridge=bridge-with-vlan-tags interface=interfacevlan743bridge
I think that here is the answer. Think about and if you still do not understand, you will get another hint :D
czolo is absolutely right, this part is a problem. You have both created a VLAN on the bridge, and then included that interface *in* the bridge. That's like making a loop in the network (but it won't really be a loop, just an analogy). You should have the VLAN interface on the bridge (interface vlan) but not in the bridge (interface bridge port). There might be other issues, but I'm not seeing anything else in the config snippet you provided.
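An added check (example code, not from the thread or from MikroTik) that parses the `/export compact` lines from the first post and flags exactly the bridge/VLAN loop described above; it assumes only the export line format shown in this thread.

```python
# Added example (not from the thread): scan a RouterOS "/export compact" dump for
# a VLAN interface that is built on a bridge AND added back as a port of that
# same bridge, the misconfiguration czolo and brwainer point out.
import re

# Constructed sample: the relevant lines of the first post's export.
SAMPLE_EXPORT = """\
/interface bridge
add arp=proxy-arp name=bridge-with-vlan-tags protocol-mode=none
add mtu=1500 name=bridge1 protocol-mode=none
/interface vlan
add interface=bridge-with-vlan-tags name=interfacevlan743bridge vlan-id=743
/caps-man datapath
add bridge=bridge1 name=datapath1
add bridge=bridge-with-vlan-tags name=datapath-dynamic-vlan
/interface bridge port
add bridge=bridge-with-vlan-tags interface=ether2
add bridge=bridge-with-vlan-tags interface=interfacevlan743bridge
"""

_KV = re.compile(r"(\S+?)=(\S+)")  # key=value tokens on an "add" line


def parse_export(text):
    """Map each menu path (e.g. '/interface vlan') to its 'add' entries as dicts."""
    sections, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
        elif line.startswith("add ") and path is not None:
            sections[path].append(dict(_KV.findall(line[4:])))
    return sections


def find_vlan_port_loops(text):
    """Return (vlan_interface, bridge) pairs where the VLAN interface's parent
    bridge also lists that VLAN interface as one of its own ports."""
    cfg = parse_export(text)
    parent = {v["name"]: v["interface"] for v in cfg.get("/interface vlan", [])}
    return [
        (p["interface"], p["bridge"])
        for p in cfg.get("/interface bridge port", [])
        if parent.get(p.get("interface")) == p.get("bridge")
    ]


if __name__ == "__main__":
    for vlan, bridge in find_vlan_port_loops(SAMPLE_EXPORT):
        print(f"{vlan} is built on {bridge} and is also a port of it: drop that bridge port entry")
```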
 
czolo
Member
Posts: 423
Joined: Fri Mar 04, 2005 9:49 am
Location: Poland (Warsaw)

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLANs (=> use case: EDUROAM)

Wed Mar 02, 2016 10:36 pm

I want the traffic of a laptop that connects to the CAP to be forwarded by RouterOS to a tagged VLAN that resides on ethernet2. (The whole setup was running with untagged traffic. But this is not my goal, as I want to use multiple tagged VLANs on ethernet2 later and get traffic over them)

With my current config:
- The switch can ping RouterOS which replies
- The laptop can ping RouterOS which replies
- When I ping the IP address of the laptop from the switch, on the laptop within Wireshark I can see the ARP requests coming in, I can see the ICMP coming in and the laptop replies to those requests, but those answers never reach the switch.

So why doesn't RouterOS get those IP packets back to the switch (over ethernet2)?
OK, so you have to use the vlan-mode and vlan-id settings in the datapath.
But remember that you have two possibilities: local forwarding, or capsman tunnel. Now it looks like you don't know which one to choose? If you tag the traffic in the virtual-ap with the datapath and send it to capsman, then you have to create a VLAN on the bridge that is set in the datapath. But sending it to an ethernet interface is not so easy, because it's a "software" VLAN on a bridge. I hope that "Brwainer" explained to you where you made a mistake in that part.
Let's leave local-forwarding mode for later.

If you want an answer to your ping problem, it will be better if you show us config export. Pictures are nice, but there is always only a part of the configuration.
 
anuser
Long time Member
Topic Author
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLANs (=> use case: EDUROAM)

Thu Mar 03, 2016 12:54 pm

Thanks guys, I still have problems depending on what I change.
- I clearly want traffic forwarding done by CAPSMAN, not locally.
(I also found that article about tagging: http://blog.butchevans.com/2010/02/to-t ... -question/)

What's the current situation with the configuration below:
- On the laptop I can ping 10.14.0.241 (on the VLAN interface of RouterOS),
- the switch can neither ping 10.14.0.241 nor the IP of the laptop.
- So traffic is finally coming from the laptop to RouterOS. The problem is to get that traffic further to ethernet2 and then to the switch next to it. (I am asking myself whether it would be easier to let the VLAN end on RouterOS and then let RouterOS route to the switch for what I want to reach: dynamic VLANs with the help of RADIUS, and then put the traffic in different VRF instances)
/caps-man channel
add band=5ghz-a/n/ac name=eduroam-5ghz
/caps-man configuration
add country=germany name=PSK1 ssid=PSK1
/interface bridge
add name=bridge3 protocol-mode=none
/interface vlan
add interface=bridge3 name=vlan743 vlan-id=743
/caps-man datapath
add bridge=bridge3 name=datapath-dynamic-vlan vlan-id=743 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-eap encryption=aes-ccm name=security1
/caps-man configuration
add channel=eduroam-5ghz country=germany datapath=datapath-dynamic-vlan name=cfg1 security=security1 ssid=eduroam-ipv6
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp_pool9 ranges=10.14.0.1-10.14.0.239,10.14.0.241-10.14.255.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool9 disabled=no interface=vlan743 name=dhcp1
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 name-prefix=AccessPoint slave-configurations=SSID2,SSID3,SSID4,PSK1
/interface bridge port
add bridge=bridge3 interface=ether2
/ip address
add address=10.14.0.241/16 interface=vlan743 network=10.14.0.0
/ip dhcp-server network
add address=10.14.0.0/16 gateway=10.14.0.240
 
anuser
Long time Member
Topic Author
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLANs (=> use case: EDUROAM)

Thu Mar 10, 2016 9:41 pm

So, I wasn't able to get the tagging through the RouterOS device, so now the RouterOS is part of two VRF instances; dynamic VLAN assignment works partially, with IPv4 only, not IPv6.

- clients don't receive any IPv6 traffic, no IPv6 router advertisements at all, if VLAN assignment is done dynamically.
- Dynamic VLAN assignment within the datapath works for IPv4 traffic, though.
- If I assign a VLAN ID within the datapath configuration of CAPSMAN, IPv6 and IPv4 are working without any problems.

Strange
 
uldis
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLANs (=> use case: EDUROAM)

Fri Mar 11, 2016 10:55 am

Try switching the multicast-helper setting to full on the Cap interface and check again.
 
anuser
Long time Member
Topic Author
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: CAPSMAN + "Manager Forwarding Mode" + Tagged VLANs (=> use case: EDUROAM)

Mon Mar 14, 2016 1:57 pm

That's it. Thank you, Uldis!
 
OKNET
Member
Posts: 354
Joined: Mon Jun 22, 2015 9:22 am

Re: [SOLVED] CAPSMAN + "Manager Forwarding Mode" + Tagged VLANs (=> use case: EDUROAM)

Wed Jun 13, 2018 11:55 am

I have to do it on a CRS125 but it is confusing me:

I have a bridge1 bonding all switch ports together as a replacement for the old master-port
I have three VLANs on bridge1:
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
Then untagged ether ports are declared with
/interface ethernet switch ingress-vlan-translation
Tagged ports are declared with
/interface ethernet switch ingress-vlan-translation
and finally membership is declared with
/interface ethernet switch vlan

VLANs are working correctly

Now I set up capsman talking with the AP via an ethernet port that is NOT part of the bridge, and has a separate subnet.
I set provisioning as "create dynamic enabled" and the datapath as BRIDGE1 with VLAN mode USE TAG and the desired VLAN ID: two different datapath VLAN ID settings, one for each of the two SSID configurations.

This is NOT working, probably because the dynamically created CAP interface has no way to be declared as having a VLAN tag (??)
Nor if I set "create enabled" to make CAPsMAN create a static interface.

WHERE AM I WRONG ???

For now, the only working solution is to create two further bridges, each including the desired VLAN as a slave, then set each of these new bridges as the datapath with no VLAN settings in each SSID configuration.
Practically, no VLANs are involved in capsman; simply each dynamically created CAP interface is bound to its bridge containing the VLAN itself.

But is it a safe way to proceed? Or can it lead to trouble?

I haven't found an answer yet...
 
UliDD70
just joined
Posts: 1
Joined: Mon Feb 11, 2019 11:18 pm

Re: [SOLVED] CAPSMAN + "Manager Forwarding Mode" + Tagged VLANs (=> use case: EDUROAM)

Mon Feb 11, 2019 11:27 pm

Hi OKNET, did you figure out any solution to your CAPsMAN problem with the bridge interface? I have run into the same problem and have no idea how to solve this. I used this guide https://wiki.mikrotik.com/wiki/Manual:C ... rding_Mode but no success. VLANs work pretty well, also my dhcp-server settings. But no CAP interfaces will be built on my CAP Manager (CRS328)

Uli
