matamouros
just joined
Topic Author
Posts: 17
Joined: Tue Oct 31, 2017 7:40 pm

CAPsMAN manager can't manage its own wireless

Wed Nov 08, 2017 4:34 am

Hi everyone,

Would anyone know why on earth my CAPsMAN router is able to properly manage the wifi on my AP, but can't manage its own wlan interfaces? Please check the attached screenshot below; you should be able to see that the local wlan interfaces are not enabled.
Screen Shot 2017-11-08 at 02.14.51.png
Please, what am I doing wrong, this is driving me nuts.

Thanks,

Pedro.

PS: without wanting to be rude, this is the same issue as reported on viewtopic.php?f=7&t=127463, but I think I overcomplicated that post. Please assume this current post you're reading as canon.
 
karlisi
Member Candidate
Posts: 221
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: CAPsMAN manager can't manage its own wireless

Wed Nov 08, 2017 9:56 am

Check discovery interface on CAP settings. Should be LAN interface.
---
Karlis
 
matamouros
just joined
Topic Author
Posts: 17
Joined: Tue Oct 31, 2017 7:40 pm

Re: CAPsMAN manager can't manage its own wireless

Wed Nov 08, 2017 11:40 am

I did try already all possible combinations for "Discovery Interface" although I had it set at "Bridge" before. Still no good... Btw, I don't have any option for "LAN" on the "Discovery Interfaces". Any other things I should check? I currently have the CAP options for wireless as:
Screen Shot 2017-11-08 at 09.39.27.png
 
matamouros
just joined
Topic Author
Posts: 17
Joined: Tue Oct 31, 2017 7:40 pm

Re: CAPsMAN manager can't manage its own wireless  [SOLVED]

Thu Nov 09, 2017 12:15 am

I've just happened to stumble upon the problem and managed to fix it a few hours ago. I'm sure this would've been dead easy for any hardcore routerOS person on here...

Go to IP > Firewall and disable the default rule commented as "drop all not coming from LAN". That should immediately add the local wlan interface(s) to CAPsMAN. Not sure why this comes like this by default, as obviously it prevents you from CAP-ing the local wifi interfaces on that same CAPsMAN device.

This needs to be disabled because obviously traffic from the local wlan interfaces is not coming from the LAN interface...
Screen Shot 2017-11-08 at 22.08.47.png
 
nescafe2002
Long time Member
Posts: 594
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: CAPsMAN manager can't manage its own wireless

Thu Nov 09, 2017 6:23 am

Allow traffic from and to 127.0.0.1 to enable CAPsMAN instead of allowing traffic from anywhere (even WAN).

viewtopic.php?t=109377#p553944
 
freemannnn
Long time Member
Posts: 645
Joined: Sun Oct 13, 2013 7:29 pm

Re: CAPsMAN manager can't manage its own wireless

Thu Nov 09, 2017 10:03 am

as said above...
 
matamouros
just joined
Topic Author
Posts: 17
Joined: Tue Oct 31, 2017 7:40 pm

Re: CAPsMAN manager can't manage its own wireless

Fri Nov 10, 2017 12:06 am

For future reference, for anyone having the same problem, if you want to CAP the wireless of the CAPsMAN device itself and for some reason you can't, this is what you need to do (after you set up CAP Manager and CAP on your wireless):

1. In Wireless > CAP > CAPsMAN Addresses: make sure you have 127.0.0.1
2. IP > Firewall > Add: create a new rule for the input "chain", set the src address as "127.0.0.1", protocol "UDP", dst ports "5246,5247", action "accept"
3. Make sure the above firewall rule comes right before the default rule whose comment is "drop all not coming from LAN"
4. PROFIT

Not sure why this isn't bang on on some beginners guide documentation, or CAPsMAN common mistakes, or whatever. But it is true that documentation is not MikroTik's forte. ¯\_(ツ)_/¯ Really wish that would change.

Peace out.
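
The rule-ordering point from the posts above (accept loopback CAPsMAN traffic instead of disabling the LAN-only drop rule, and place the accept before that drop), as an added example that is not part of any post in the thread: a Python check over export text in the one-command-per-line form used by the config dump later in this thread. It models only these two rule kinds; the finding names and the sample exports are constructed for illustration.

```python
import shlex

PREFIX = "/ip firewall filter add "
CAPSMAN_PORTS = {"5246", "5247"}  # UDP ports named in the thread


def input_rules(export_text):
    """Parse one-command-per-line export text into ordered input-chain rules."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX):
            # shlex keeps quoted values such as comment="a b c" as one token
            tokens = shlex.split(line[len(PREFIX):])
            rule = dict(t.split("=", 1) for t in tokens if "=" in t)
            if rule.get("chain") == "input":
                rules.append(rule)
    return rules


def enabled(rule):
    return rule.get("disabled", "no") != "yes"


def is_loopback_accept(rule):
    ports = set(rule.get("dst-port", rule.get("port", "")).split(","))
    return (enabled(rule) and rule.get("action") == "accept"
            and rule.get("protocol") == "udp"
            and rule.get("src-address") == "127.0.0.1"
            and CAPSMAN_PORTS <= ports)


def is_lan_drop(rule):
    return rule.get("action") == "drop" and rule.get("in-interface-list") == "!LAN"


def audit(export_text):
    """Return finding codes; an empty list means accept-before-drop is in place."""
    rules = input_rules(export_text)
    drop_at = next((i for i, r in enumerate(rules) if is_lan_drop(r) and enabled(r)), None)
    accept_at = next((i for i, r in enumerate(rules) if is_loopback_accept(r)), None)
    if drop_at is None:
        return ["LAN_DROP_MISSING_OR_DISABLED"]  # the LAN-only drop is not in effect
    if accept_at is None:
        return ["NO_LOOPBACK_CAPSMAN_ACCEPT"]    # local CAP traffic hits the drop
    if accept_at > drop_at:
        return ["ACCEPT_AFTER_DROP"]             # accept is never reached
    return []


# Constructed sample exports (not taken from any real router)
DROP = ('/ip firewall filter add action=drop chain=input '
        'comment="defconf: drop all not coming from LAN" in-interface-list=!LAN')
ACCEPT = ('/ip firewall filter add action=accept chain=input '
          'dst-port=5246,5247 protocol=udp src-address=127.0.0.1')
RECOMMENDED = ACCEPT + "\n" + DROP
WRONG_ORDER = DROP + "\n" + ACCEPT
DROP_DISABLED = DROP + " disabled=yes"

if __name__ == "__main__":
    for name, cfg in [("recommended", RECOMMENDED), ("wrong order", WRONG_ORDER),
                      ("drop disabled", DROP_DISABLED)]:
        print(name, audit(cfg))
```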
 
gertk
just joined
Posts: 1
Joined: Sun Feb 10, 2013 9:38 am

Re: CAPsMAN manager can't manage its own wireless

Sat May 05, 2018 1:49 am

Thank you. I had the same problem.
(Y)
 
dewman
just joined
Posts: 1
Joined: Wed May 30, 2018 1:23 am

Re: CAPsMAN manager can't manage its own wireless

Wed May 30, 2018 3:19 am

Sorry guys, pretty much complete newb with routing but got everything else working EXCEPT self-registration.

Other/external cAP showing up in CAPsMAN, check.
Firewall rule for 127.0.0.1 UDP, check.
Enable CAP in Wireless on the CAPsMAN router, with or without the CAPsMAN address, and with every possible option for Discovery Interface (including none), and it just goes to "being managed" but never shows up in registrations.

Any other ideas?
 
LoneGunMan
just joined
Posts: 8
Joined: Sun Jul 29, 2018 9:58 pm

Re: CAPsMAN manager can't manage its own wireless

Sun Jul 29, 2018 10:23 pm

> Sorry guys, pretty much complete newb with routing but got everything else working EXCEPT self-registration.
>
> Other/external cAP showing up in CAPsMAN, check.
> Firewall rule for 127.0.0.1 UDP, check.
> Enable CAP in Wireless on the CAPsMAN router, with or without the CAPsMAN address, and with every possible option for Discovery Interface (including none), and it just goes to "being managed" but never shows up in registrations.
>
> Any other ideas?

Same boat here. One hAP AC2, one cAP AC, and both running 6.42.6 RouterOS.

I can see the CAP in the "remote CAP" tab in CAPsMAN, and it is broadcasting the right SSID, connects and works fine. However, the local wireless interfaces are showing up as "managed by CAPsMAN", but both are disabled and slave, but they are nowhere to be seen or configured.

Any pointer? If it helps, I can dump my config (do let me know the command to use, I am a n00b).
 
LoneGunMan
just joined
Posts: 8
Joined: Sun Jul 29, 2018 9:58 pm

Re: CAPsMAN manager can't manage its own wireless

Sat Aug 25, 2018 9:24 pm

Finally have this figured out, but this may or may not be a happy solution.

If one follows the guide for a simple CAPsMAN setup,
https://wiki.mikrotik.com/wiki/Manual:S ... sMAN_setup
one would have, at the end, forbidden the CAP manager from listening on the "all" interface:
    /caps-man manager interface
    set [ find default=yes ] forbid=yes
    add disabled=no interface=bridge
This appears to be the crux of the problem for me.

So, in conclusion:
  • Set up the LAN accept rule as stated above
    add action=accept chain=input comment="CAPsMAN accept all local traffic" src-address-type=local
    and put it before the "drop all not coming from LAN" rule
  • Don't disable the CAPsMAN manager interface.
  • No need to add the bridge rule
Given the setup, however, I am not entirely sure what would happen if there's a CAP connected to eth1 (my WAN port). Given mine is a private property setup with only internet upstream, it's probably not any concern of mine if an upstream CAP gets connected to mine, but still, not necessarily the best, especially setting this up in a multi-tier environment. But then again, if you are setting all those tiers up, you can probably afford to not use the local wireless.
 
borregator
just joined
Posts: 5
Joined: Thu Jun 09, 2016 8:46 pm
Location: Caracas,Venezuela

Re: CAPsMAN manager can't manage its own wireless

Wed Oct 31, 2018 11:34 am

Thanks a lot, it works!
 
davestahr
just joined
Posts: 10
Joined: Wed May 04, 2011 3:33 pm

Re: CAPsMAN manager can't manage its own wireless

Mon Dec 03, 2018 4:36 pm

I was having this same problem, and the solutions here were half of the problem. I've been running capsmanager for quite a while, but deployed new routers yesterday for a customer, and copying my existing configs didn't work. My remote APs worked, but the onboard wifi just sat there doing nothing. After turning on "caps" in system->logging I found that the problem was due to the lack of using certificates. The solution was easy:

In CAPsMAN->CAP Interface, "Manager" button, be sure Certificate and CA Certificate are both set to "auto". Or by CLI:

/caps-man manager set ca-certificate=auto certificate=auto enabled=yes

Then, in Wireless->WiFi Interfaces, "CAP" button, be sure it's enabled, has your wlan interface(s) selected, and certificate set to "request" with the CAPsMAN Address set to 127.0.0.1, and bridge to the name of your LAN interface. Stock this is called "bridge" I think. I always rename mine to "lan" - so change your config accordingly. CLI version:

/interface wireless cap set bridge=lan caps-man-addresses=127.0.0.1 certificate=request enabled=yes interfaces=wlan1,wlan2

(Note this is a dual band AP, if you only have one, then drop it to just wlan1 or the name of your wireless interface)
 
jrbenito
just joined
Posts: 9
Joined: Tue May 20, 2014 4:19 am

Re: CAPsMAN manager can't manage its own wireless

Mon Jan 21, 2019 3:22 pm

> I was having this same problem, [...] I found that the problem was due to the lack of using certificates.

I had the same issue and my conclusion is:

1) Once you set the CAP to use a certificate, even though you set it back to no certificate, it still asks for a certificate and results in an error.
Summary: once set to use a certificate, you are sold.

2) Local CAP cannot connect through Layer 2; no matter what config you do, Layer 2 will not work with local CAP.

3) You cannot forbid all interfaces on CAPsMAN if you need the local CAP to connect to it (even on Layer 3). This is a bug and MikroTik should address it. One would be able to specify local interface as allowed and WAN interfaces as forbidden, this is a security issue.

The workarounds on this thread make it work.
 
kosyot
just joined
Posts: 18
Joined: Wed Jan 16, 2019 1:28 pm

Re: CAPsMAN manager can't manage its own wireless

Mon Jan 21, 2019 4:57 pm

I have hundreds of CapMans managing their own wireless interfaces.

1st. and very important - never use any default configuration on router - start with absolute empty configuration.
2. Make CapsMan config
3. Exclude wlan interfaces from any bridge
4. Activate Caps on wireless - just set "discovery interface" to the local bridge on which CapMan is running.
 
jrbenito
just joined
Posts: 9
Joined: Tue May 20, 2014 4:19 am

Re: CAPsMAN manager can't manage its own wireless

Tue Jan 22, 2019 1:32 pm

> I have hundreds of CapMans managing their own wireless interfaces.

On layer 2 or layer 3? I do have it working, but could not make it work on layer 2.

> 1st. and very important - never use any default configuration on router - start with absolute empty configuration.
> 2. Make CapsMan config
> 3. Exclude wlan interfaces from any bridge
> 4. Activate Caps on wireless - just set "discovery interface" to the local bridge on which CapMan is running.

Exactly the recipe I follow but:

1) I can't remove the "all" rule on CAPsMAN interfaces, and if I set it to forbid, the local CAP can't connect. That is a bug; one should be able to specify only one interface if necessary.
I cannot agree that allowing CAPsMAN on all interfaces is a wise thing, and as far as I can tell this has to do with the layer 2 connection because I can drop layer 3 with firewall rules.

2) Local CAP only does layer 3 and not layer 2 (not a big deal, but with no explanation as to why this happens I still think there is something wrong)

Anyway, with all set to allow, the local CAP is able to connect (layer 3) and works perfectly.
 
Jojo2501
just joined
Posts: 1
Joined: Fri Mar 29, 2019 11:25 pm

Re: CAPsMAN manager can't manage its own wireless

Sat Mar 30, 2019 7:34 am

Hi everyone,
Sorry for asking naive questions.

I have setup capsman on Hap AC2 and hap mini works fine in caps mode, but
Hap AC2 wlan1 does not get detected.

I have added 127.0.0.1 firewall rules, I have tried what has been recommended in the forums, but still wlan1 does not get detected.
How can this be fixed?
Thanks.


# mar/30/2019 09:21:05 by RouterOS 6.44.1
# software id = Z41C-3617
#
# model = RBD52G-5HacD2HnD
# serial number = 8FDE094620DC
/caps-man channel add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=channel_2.4G_1 tx-power=20
/caps-man channel add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=channel_2.4G_6 tx-power=20
/interface bridge add admin-mac=B8:69:F4:30:20:7B auto-mac=no comment=defconf name=bridge
/interface bridge add name=bridge-CAPsMAN
/interface ethernet set [ find default-name=ether1 ] mac-address=00:30:4F:6B:62:61 speed=100Mbps
/interface ethernet set [ find default-name=ether2 ] speed=100Mbps
/interface ethernet set [ find default-name=ether3 ] speed=100Mbps
/interface ethernet set [ find default-name=ether4 ] speed=100Mbps
/interface ethernet set [ find default-name=ether5 ] speed=100Mbps
/caps-man datapath add bridge=bridge-CAPsMAN client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man configuration add channel=channel_2.4G_1 country=armenia datapath=datapath1 hide-ssid=no mode=ap name=cfg_micro1 rx-chains=0,1,2 security=securityCap ssid=MikroPJ tx-chains=0,1,2
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=armenia distance=indoors frequency=auto mode=ap-bridge security-profile=my_version ssid=MikroJames1990F wireless-protocol=802.11 wps-mode=disabled
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/ip pool add name=dhcp ranges=192.168.88.3-192.168.88.254
/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge name=defconf
/caps-man manager set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface add interface=bridge
/caps-man manager interface add forbid=yes interface=ether1
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=b,gn master-configuration=cfg_micro1 name-prefix=Mikrotik-Dual
/caps-man provisioning add action=create-dynamic-enabled disabled=yes ip-address-ranges=127.0.0.1 master-configuration=cfg_micro1
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=wlan1
/interface bridge port add bridge=bridge comment=defconf interface=wlan2
/interface bridge port add bridge=bridge disabled=yes interface=ether1
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=ether2 list=LAN
/interface list member add interface=ether3 list=LAN
/interface list member add interface=ether4 list=LAN
/interface list member add interface=ether5 list=LAN
/interface list member add interface=wlan2 list=LAN
/interface list member add interface=wlan1 list=LAN
/interface list member add interface=bridge list=LAN
/interface wireless cap
#
set caps-man-addresses=127.0.0.1 caps-man-names="" discovery-interfaces=bridge-CAPsMAN enabled=yes interfaces=wlan1
/ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip address add address=192.168.115.43/27 interface=ether1 network=192.168.115.32
/ip address add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease add address=dhcp mac-address=34:14:5F:DE:B0:2C server=defconf
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns static add address=192.168.88.1 name=router.lan
/ip firewall filter add action=accept chain=output dst-address=127.0.0.1 log=yes port=5246,5247 protocol=udp src-address=127.0.0.1
/ip firewall filter add action=accept chain=input comment="CAPs to CAPsMAN" dst-port=5246,5247 log=yes protocol=udp src-address=127.0.0.1
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall filter add action=accept chain=input comment="CAPsMAN accept all local traffic" disabled=yes src-address-type=local
/ip firewall filter add action=accept chain=input disabled=yes src-address=127.0.0.1
/ip firewall filter add action=accept chain=input comment=CAPsMAN disabled=yes in-interface-list=!all port=5246,5247 protocol=udp
/ip firewall filter add action=accept chain=input disabled=yes dst-address-type=local src-address-type=local
/ip firewall filter add action=accept chain=output disabled=yes dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
/ip firewall filter add action=accept chain=input disabled=yes dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
/ip firewall filter add action=accept chain=input disabled=yes in-interface=bridge
/ip firewall filter add action=accept chain=input connection-state=new disabled=yes dst-address-type=local src-address-type=local
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route add distance=1 gateway=192.168.115.33
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set ssh port=2200
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set allow-none-crypto=yes strong-crypto=yes
/system clock set time-zone-name=Asia/Yerevan
/system identity set name=MikroJTik
/system routerboard settings set cpu-frequency=488MHz
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
