
CAPsMAN - How to force layer 2?

Posted: Thu Jun 16, 2016 4:43 am
by swisstico
Hello everybody,

We have an issue with CAPsMAN and need your help.
We configured a wifi on various routers linked to a main one with CAPsMAN, and all routers (including the main one) are managed by CAPsMAN.

Everything works fine EXCEPT the main router, because it is the only one that connects to itself in layer 3 (by IP), so the firewall is blocking it and we must add a filter rule to bypass the firewall.
Is there a way to force CAPsMAN to work in layer 2?

2 examples (2 different offices):
http://imgur.com/a/SkNyC

Thanks for your help!

Re: CAPsMAN - How to force layer 2?

Posted: Thu Jun 16, 2016 2:58 pm
by mrz
Yes you can, set discovery-interface to any local interface on the manager router, or create a dummy loopback interface with static MAC and set discovery-interface to that one.

Re: CAPsMAN - How to force layer 2?

Posted: Fri Jul 29, 2016 12:10 am
by eworm
Same issue here... Could not make it work with a local ethernet interface. It either connects on layer 3 or not at all. Is it picky about interfaces that belong to a bridge, have vlan config, ... whatever?

And what is a dummy loopback interface? A bridge with no ports? A virtual ethernet interface? Tried both, no success either.

Re: CAPsMAN - How to force layer 2?

Posted: Tue Aug 02, 2016 10:05 pm
by czolo
Maybe try that:
interface wireless cap set caps-man-addresses=127.0.0.1

Re: CAPsMAN - How to force layer 2?

Posted: Tue Aug 02, 2016 10:48 pm
by eworm
> Maybe try that:
> interface wireless cap set caps-man-addresses=127.0.0.1
That is still layer 3, no? :wink:

Re: CAPsMAN - How to force layer 2?

Posted: Tue Aug 02, 2016 11:08 pm
by czolo
Yes, but it works :)

Re: CAPsMAN - How to force layer 2?

Posted: Thu Aug 25, 2016 7:42 am
by swisstico
Nice workaround!
This is our solution for now:

1. Add CAPsMAN to discover address 127.0.0.1 (As czolo wrote)
/interface wireless cap set caps-man-addresses=127.0.0.1
2. Open Firewall for CAPsMAN
/ip firewall filter add chain=output action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247
/ip firewall filter add chain=input  action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247
BUT PLEASE MikroTik Team, fix the issue, we would be so thankful! :D
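
The two accept rules in the post above are safe to carry only because both `src-address` and `dst-address` are pinned to 127.0.0.1. The following is an added example, not part of the original post and not MikroTik code: a small Python check that reads firewall filter lines and reports accept rules that open UDP 5246/5247 without that loopback scoping. It assumes each rule is on a single line and names the ports explicitly; the last two sample rules are hypothetical.

```python
import ipaddress
import shlex

CAPSMAN_PORTS = {5246, 5247}  # UDP ports opened in the workaround above
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def parse_rule(line):
    """Turn one single-line 'add key=value ...' rule into a dict; None otherwise."""
    tokens = shlex.split(line)
    if "add" not in tokens:
        return None
    return dict(t.split("=", 1) for t in tokens[tokens.index("add") + 1:] if "=" in t)

def covers_capsman_port(spec):
    """True if a list like '5246,5247' or '5000-6000' includes a CAPsMAN port."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit():
            high = int(hi) if hi.isdigit() else int(lo)
            if any(int(lo) <= p <= high for p in CAPSMAN_PORTS):
                return True
    return False

def is_loopback(addr):
    """True only when addr is set and lies entirely inside 127.0.0.0/8."""
    try:
        return bool(addr) and ipaddress.ip_network(addr, strict=False).subnet_of(LOOPBACK)
    except (ValueError, TypeError):
        return False  # negated match, address range or IPv6: not loopback-scoped

def audit(export_text):
    """Return accept rules opening a CAPsMAN port without loopback src and dst.
    A rule with no action= counts as accept, the RouterOS default action."""
    findings = []
    for line in export_text.splitlines():
        rule = parse_rule(line)
        if not rule or rule.get("action", "accept") != "accept" or rule.get("protocol") != "udp":
            continue
        ports = ",".join(rule.get(k, "") for k in ("port", "dst-port", "src-port"))
        if covers_capsman_port(ports) and not (
                is_loopback(rule.get("src-address")) and is_loopback(rule.get("dst-address"))):
            findings.append(line.strip())
    return findings

# Constructed sample: the two rules from the post plus two hypothetical ones.
SAMPLE = """\
/ip firewall filter add chain=output action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247
/ip firewall filter add chain=input action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247
/ip firewall filter add chain=input action=accept protocol=udp dst-port=5246-5247 comment="capsman open"
/ip firewall filter add chain=input action=drop protocol=udp dst-port=5246,5247
"""
print("\n".join(audit(SAMPLE)))
```

Only the third sample rule is reported: it accepts the CAPsMAN ports from any source, which is the exposure the loopback-scoped rules avoid.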

Re: CAPsMAN - How to force layer 2?

Posted: Thu Aug 25, 2016 9:48 pm
by czolo
> Nice workaround!
thx :)

Re: CAPsMAN - How to force layer 2?

Posted: Mon Jan 21, 2019 4:49 pm
by jrbenito
Nice workaround!
This is still an issue almost three years later.

1) I cannot forbid CAPsMan on all interfaces but local because it prevents its own cap from connecting
2) I cannot use layer 2 on own cap interface
3) The worst: this is not documented anywhere besides user forums (it should be in the CAPsMan manual to prevent people from fighting for hours with something that isn't going to work)

4) I noticed that if I enable certificate request and CAPsMan is not configured, even disabling the certificate request on Cap has no effect, it still requests a certificate from CAPsMan, resulting in an error. (this is a bug)

Re: CAPsMAN - How to force layer 2?

Posted: Mon Jan 21, 2019 5:08 pm
by nescafe2002
Have you tried the last beta?

https://mikrotik.com/download/changelog ... lease-tree
What's new in 6.44beta50 (2018-Dec-17 13:01):

*) capsman - always accept connections from loopback address;

Re: CAPsMAN - How to force layer 2?

Posted: Mon Jan 21, 2019 10:19 pm
by jrbenito
> Have you tried the last beta?
> What's new in 6.44beta50 (2018-Dec-17 13:01):
>
> *) capsman - always accept connections from loopback address;
Nope, I am running 6.43.8. Nice to see a solution is finally coming.

Re: CAPsMAN - How to force layer 2?

Posted: Tue Jan 22, 2019 12:18 am
by Pea
> 3) The worst: this is not documented anywhere besides user forums (it should be in the CAPsMan manual to prevent people from fighting for hours with something that isn't going to work)
https://wiki.mikrotik.com/wiki/Manual:S ... in_CAPsMAN
But I agree that having firewall rule for CAP on CAPsMAN is annoying. L2 should run as other CAPs.