
Capsman AP can't connect after power lost

Posted: Fri Nov 30, 2018 6:43 am
by jprasad
hi there

I have a strange issue. hardware being used
  • CRS109 (AP01) devices
  • RB969 (AP02)
The CRS is the CAPsMAN manager. Normally wireless works completely fine. After a power cut (these have been happening quite a bit in our area due to weather), the CRS correctly provisions the RB969, but it is impossible to connect to the 5 GHz (5G) network, and when I look at the registration table no devices are connected to AP02. The error in Windows is "unable to connect". What I have found is that if I disable just one of my security rules, hit Apply, then re-enable it and apply again, I can connect to all my networks again with no problem. Reprovisioning the AP does not help; the only thing that helps is to disable and re-enable a security rule. This is driving me mad. Can someone please help?
# nov/29/2018 21:05:13 by RouterOS 6.43.4
# software id = CMRQ-E7FU
#
# model = CRS109-8G-1S-2HnD
# serial number = 5A890299CA04
# Radio channels, the VLAN-aware bridge, physical ports, the PPPoE WAN client,
# VLAN interfaces, the NAS bond and the CAPsMAN datapath.
/caps-man channel
# Only the 5 GHz channel is pinned (frequency=5240, 20 MHz control channel); the 2 GHz entry sets just the band.
add band=2ghz-g/n name=2g
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5240 name=5g
/interface bridge
# Single bridge with vlan-filtering=yes; pvid=10 puts the bridge's own untagged traffic in VLAN 10 (facilities).
add admin-mac=D4:CA:6D:CA:86:5F auto-mac=no fast-forward=no igmp-snooping=yes name=bridge-trunk pvid=10 vlan-filtering=yes
/interface wireless
# The two export annotations below show wlan1 is under CAPsMAN control and on air as bethel-facilities,
# so the local ssid=Bethel and wps-mode settings on the set line are not what is being broadcast.
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(30dBm), SSID: bethel-facilities, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC frequency=auto mode=ap-bridge ssid=Bethel wps-mode=disabled
/interface ethernet
# Ports are renamed by role; ether8-WAN is the internet-facing port and ether7-uplink the tagged trunk.
set [ find default-name=ether1 ] l2mtu=1580 name=ether1-nas1 speed=100Mbps
set [ find default-name=ether2 ] l2mtu=1580 mac-address=D4:CA:6D:CA:86:5D name=ether2-nas2 speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1580 name=ether3-pms speed=100Mbps
set [ find default-name=ether4 ] l2mtu=1580 name=ether4-rpi speed=100Mbps
set [ find default-name=ether5 ] l2mtu=1580 name=ether5-slave-local speed=100Mbps
set [ find default-name=ether6 ] l2mtu=1580 name=ether6-slave-local speed=100Mbps
set [ find default-name=ether7 ] l2mtu=1580 name=ether7-uplink speed=100Mbps
set [ find default-name=ether8 ] l2mtu=1580 name=ether8-WAN speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=sfp1-slave-local
/interface pppoe-client
# WAN uplink: PPPoE over ether8-WAN, installing the default route and taking the ISP's DNS servers.
# The ISP account name (user=) is part of this export; no password= appears on the line.
# NOTE(review): redact user= before sharing an export publicly.
add add-default-route=yes default-route-distance=0 disabled=no interface=ether8-WAN max-mru=1492 max-mtu=1492 mrru=1500 name=bell-internet service-name=bell use-peer-dns=yes user=b1xmhd39
/interface vlan
# vlan10..vlan40 sit on bridge-trunk and carry the router's per-network IP addresses; vlan1 sits on wlan1 instead.
add interface=wlan1 name=vlan1 vlan-id=1
add comment=facilities interface=bridge-trunk name=vlan10 vlan-id=10
add comment=home-network interface=bridge-trunk name=vlan20 vlan-id=20
add comment=guest-network interface=bridge-trunk name=vlan30 vlan-id=30
add comment=media interface=bridge-trunk name=vlan40 vlan-id=40
/interface bonding
# LACP (802.3ad) bond of the two NAS ports.
add mode=802.3ad name=bond-nas slaves=ether1-nas1,ether2-nas2
/caps-man datapath
# Referenced by every CAPsMAN configuration in this export, including the guest ones.
# local-forwarding=no matches the "CAPsMAN forwarding" annotation above: client traffic is carried to the
# manager and bridged into bridge-trunk there, with no VLAN tag added by the datapath (vlan-mode=no-tag).
# client-to-client-forwarding=yes means stations on the same interface are not isolated from each other.
add bridge=bridge-trunk client-to-client-forwarding=yes local-forwarding=no name=bridge-trunk vlan-mode=no-tag
# CAPsMAN security profiles and the per-SSID configurations that reference them.
/caps-man security
# facilities and guest accept both wpa-psk and wpa2-psk; home is wpa2-psk only. All three restrict the
# cipher to aes-ccm, so TKIP is not offered.
# NOTE(review): drop wpa-psk from facilities/guest unless a legacy client still needs it.
# No passphrase= appears on these lines; either the export hid sensitive values or they were removed
# before posting (cannot tell from here).
# Presumably these are the "security rules" the poster disables and re-enables as a workaround; confirm.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=facilities
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=guest
# Only the home profile sets a group key rotation interval (1h).
add authentication-types=wpa2-psk encryption=aes-ccm group-key-update=1h name=home
/caps-man configuration
# One configuration per SSID and band; all use datapath=bridge-trunk.
# hide-ssid=yes (facilities and media) only suppresses the name in beacons; it is not an access control,
# so these networks rely on the PSK exactly like the visible ones.
add datapath=bridge-trunk hide-ssid=yes mode=ap name=cfg-facilities-2g security=facilities ssid=bethel-facilities
add datapath=bridge-trunk mode=ap name=cfg-home-2g security=home ssid="Bethel 2g"
add channel=5g datapath=bridge-trunk hide-ssid=yes mode=ap name=cfg-media-5g security=facilities ssid=bethel-media
add datapath=bridge-trunk distance=indoors mode=ap name=cfg-guest-2g security=guest ssid="Pilgrim 2g"
# The guest 5 GHz configuration explicitly keeps client-to-client-forwarding=yes, so guest stations can
# reach one another at layer 2. NOTE(review): set it to no if guest isolation is wanted.
add channel=5g datapath=bridge-trunk datapath.client-to-client-forwarding=yes datapath.local-forwarding=no distance=indoors mode=ap name=cfg-guest-5g security=guest ssid="Pilgrim 5g"
add channel=5g datapath=bridge-trunk distance=indoors mode=ap name=cfg-home-5g security=home ssid="Bethel 5g"
# Unlike the other 5 GHz configurations, this one has no channel= of its own; the AP02-Facilities-5G
# interface entry supplies channel=5g instead.
add datapath=bridge-trunk hide-ssid=yes mode=ap name=cfg-facilities-5g security=facilities ssid="bethel-facilities 5g"
# Static CAPsMAN interfaces. Entries with master-interface=none and a real radio-mac are the physical
# radios (AP01 2 GHz, AP02 2 GHz, AP02 5 GHz); the rest are virtual APs slaved to one of them.
/caps-man interface
add channel=2g configuration=cfg-facilities-2g disabled=no l2mtu=1600 mac-address=D4:CA:6D:CA:86:66 master-interface=none name=AP01-Facilities-2G radio-mac=D4:CA:6D:CA:86:66 radio-name=D4CA6DCA8666
# On AP01 the two virtual APs carry different MAC addresses (…:67 and …:66).
add configuration=cfg-guest-2g disabled=no l2mtu=1600 mac-address=D6:CA:6D:CA:86:67 master-interface=AP01-Facilities-2G name=AP01-Guest-2G radio-mac=00:00:00:00:00:00
add configuration=cfg-home-2g disabled=no l2mtu=1600 mac-address=D6:CA:6D:CA:86:66 master-interface=AP01-Facilities-2G name=AP01-Home-2G radio-mac=00:00:00:00:00:00
# radio locked to country 'united states3'
add channel=2g configuration=cfg-facilities-2g disabled=no l2mtu=1600 mac-address=E4:8D:8C:53:B2:07 master-interface=none name=AP02-Facilities-2G radio-mac=E4:8D:8C:53:B2:07 radio-name=E48D8C53B207
# radio locked to country 'united states3'
add channel=5g configuration=cfg-facilities-5g disabled=no l2mtu=1600 mac-address=E4:8D:8C:53:B2:06 master-interface=none name=AP02-Facilities-5G radio-mac=E4:8D:8C:53:B2:06 radio-name=E48D8C53B206
# NOTE(review): on AP02 every 2 GHz virtual AP (Guest, Home, Media) has mac-address=E6:8D:8C:53:B2:07 and
# every 5 GHz virtual AP (Guest, Home, Media) has mac-address=E6:8D:8C:53:B2:06. Virtual APs on one radio
# normally need distinct MAC addresses (BSSIDs); these duplicates may be related to clients failing to
# associate on AP02. Confirm and assign a unique address per virtual AP.
add configuration=cfg-guest-2g disabled=no l2mtu=1600 mac-address=E6:8D:8C:53:B2:07 master-interface=AP02-Facilities-2G name=AP02-Guest-2G radio-mac=00:00:00:00:00:00
add configuration=cfg-guest-5g disabled=no l2mtu=1600 mac-address=E6:8D:8C:53:B2:06 master-interface=AP02-Facilities-5G name=AP02-Guest-5G radio-mac=00:00:00:00:00:00
add configuration=cfg-home-2g disabled=no l2mtu=1600 mac-address=E6:8D:8C:53:B2:07 master-interface=AP02-Facilities-2G name=AP02-Home-2G radio-mac=00:00:00:00:00:00
add configuration=cfg-home-5g disabled=no l2mtu=1600 mac-address=E6:8D:8C:53:B2:06 master-interface=AP02-Facilities-5G name=AP02-Home-5G radio-mac=00:00:00:00:00:00
# AP02-Media-2G is disabled; it is slaved to the 2 GHz radio but uses cfg-media-5g, which pins channel=5g.
add configuration=cfg-media-5g disabled=yes l2mtu=1600 mac-address=E6:8D:8C:53:B2:07 master-interface=AP02-Facilities-2G name=AP02-Media-2G radio-mac=00:00:00:00:00:00
add configuration=cfg-media-5g disabled=no l2mtu=1600 mac-address=E6:8D:8C:53:B2:06 master-interface=AP02-Facilities-5G name=AP02-Media-5G radio-mac=00:00:00:00:00:00
# Interface lists, address pools, DHCP servers, the PPTP client, queues and a logging action.
/interface list
# "discover" feeds neighbor discovery and "mactel" feeds the MAC server (both are referenced later in this export).
add exclude=dynamic name=discover
add name=mactel
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# dhcp-local and dhcp-guest (192.168.88.x / 192.168.89.x) are not used by any DHCP server in this export;
# the four servers below draw from the pool-* ranges.
add name=dhcp-local ranges=192.168.88.100-192.168.88.199
add name=dhcp-guest ranges=192.168.89.100-192.168.89.120
add name=pool-facilities ranges=10.1.10.150-10.1.10.200
add name=pool-home ranges=10.1.20.150-10.1.20.200
add name=pool-guest ranges=10.1.30.150-10.1.30.200
add name=pool-media ranges=10.1.40.150-10.1.40.200
/ip dhcp-server
# One server per VLAN interface. Guest leases last 1h, the others 1d.
# The facilities server is named "dhcp-faciities" (sic); the static leases in this export use that spelling.
add address-pool=pool-guest disabled=no interface=vlan30 lease-time=1h name=dhcp-guest
add address-pool=pool-facilities disabled=no interface=vlan10 lease-time=1d name=dhcp-faciities
add address-pool=pool-home authoritative=after-2sec-delay disabled=no interface=vlan20 lease-time=1d name=dhcp-home
add address-pool=pool-media disabled=no interface=vlan40 lease-time=1d name=dhcp-media
/ppp profile
add name=easynews use-encryption=yes
/interface pptp-client
# PPTP tunnel to a third-party VPN endpoint. PPTP's authentication and encryption are considered weak
# even with use-encryption=yes. NOTE(review): prefer a modern tunnel type if this client is used.
# The line carries no disabled=no, so the client is presumably left disabled (confirm).
# The account name (user=) is included in the export; redact it before sharing publicly.
add connect-to=lax-a01.wlvpn.com name=easynews profile=easynews user=Jonnip@easynews
/queue simple
# Rate limits keyed on the packet marks set in /ip firewall mangle; target is empty on both queues.
add limit-at=10M/10M max-limit=45M/45M name=high-speed packet-marks=high-speed-packet target=""
add burst-limit=5M/5M burst-time=10s/10s limit-at=2M/2M max-limit=2M/2M name=low-speed packet-marks=low-speed-packet target=""
/system logging action
# In-memory log target named dhcp.
add name=dhcp target=memory
# CAPsMAN client access list and the manager switch.
/caps-man access-list
# The three MAC-specific rules are disabled. Per the DHCP leases in this export, 00:05:CD:44:D7:17 is the
# Denon-S900W and D8:49:2F:2D:BF:C8 the Canon-MX722; the rules would steer them to or away from one AP.
# MAC-based rules place clients on APs; they do not authenticate them, since a MAC address can be changed by the client.
add action=accept allow-signal-out-of-range=10s disabled=yes interface=AP02-Facilities-2G mac-address=00:05:CD:44:D7:17 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=yes interface=AP01-Facilities-2G mac-address=00:05:CD:44:D7:17 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=yes interface=AP02-Facilities-2G mac-address=D8:49:2F:2D:BF:C8 ssid-regexp=""
# The only active rules: on AP01-Home-2G accept clients at -100 dBm or stronger and reject -120..-101.
add action=accept allow-signal-out-of-range=10s disabled=no interface=AP01-Home-2G signal-range=-100..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=AP01-Home-2G signal-range=-120..-101 ssid-regexp=""
# Disabled global signal threshold at -75 dBm.
add action=accept allow-signal-out-of-range=10s disabled=yes interface=any signal-range=-75..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=yes interface=any signal-range=-120..-76 ssid-regexp=""
/caps-man manager
# Manager is enabled with no other settings exported. No certificate or require-peer-certificate option
# and no /caps-man manager interface section appear, so defaults presumably apply.
# NOTE(review): confirm the manager is not reachable from the WAN side; the input chain in this export
# has no rule restricting it.
set enabled=yes
# Bridge membership and VLAN assignment. pvid maps each port's untagged traffic to a VLAN:
# 10 = facilities, 20 = home, 30 = guest, 40 = media (names taken from the /interface vlan comments).
/interface bridge port
# Each CAPsMAN interface is added statically with the pvid of its network; this is what separates the
# SSIDs, because the CAPsMAN datapath itself adds no VLAN tag (vlan-mode=no-tag).
add bridge=bridge-trunk interface=AP02-Facilities-5G pvid=10
add bridge=bridge-trunk interface=ether6-slave-local pvid=20
add bridge=bridge-trunk interface=AP02-Facilities-2G pvid=10
add bridge=bridge-trunk interface=AP02-Guest-2G pvid=30
add bridge=bridge-trunk interface=AP02-Guest-5G pvid=30
add bridge=bridge-trunk interface=AP02-Home-2G pvid=20
add bridge=bridge-trunk interface=AP02-Home-5G pvid=20
add bridge=bridge-trunk interface=AP02-Media-2G pvid=40
add bridge=bridge-trunk interface=AP02-Media-5G pvid=40
add bridge=bridge-trunk interface=AP01-Facilities-2G pvid=10
add bridge=bridge-trunk interface=AP01-Home-2G pvid=20
add bridge=bridge-trunk interface=AP01-Guest-2G pvid=30
add bridge=bridge-trunk interface=ether3-pms pvid=40
add bridge=bridge-trunk interface=ether4-rpi pvid=40
add bridge=bridge-trunk interface=ether5-slave-local pvid=10
add bridge=bridge-trunk interface=ether7-uplink pvid=10
add bridge=bridge-trunk interface=bond-nas pvid=40
/interface bridge settings
# Bridged (including VLAN-tagged) traffic is passed through the IP firewall, so the /ip firewall filter
# forward rules also see traffic switched inside the bridge.
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
# Neighbor discovery runs on the members of the "discover" list.
set discover-interface-list=discover
/interface bridge vlan
# All four VLANs are tagged towards the CPU (bridge-trunk) and ether7-uplink.
# AP02-Home-5G is the only port listed explicitly as untagged; the other access ports presumably become
# untagged members dynamically through their pvid (confirm on the running device).
add bridge=bridge-trunk tagged=bridge-trunk,ether7-uplink vlan-ids=10
add bridge=bridge-trunk tagged=bridge-trunk,ether7-uplink untagged=AP02-Home-5G vlan-ids=20
add bridge=bridge-trunk tagged=bridge-trunk,ether7-uplink vlan-ids=30
add bridge=bridge-trunk tagged=bridge-trunk,ether7-uplink vlan-ids=40
# Switch-chip VLAN entries, interface-list membership and the local CAP client.
/interface ethernet switch vlan
add vlan-id=10
add vlan-id=20
add vlan-id=30
add vlan-id=40
/interface list member
# "discover" members. The list includes ether8-WAN and the PPPoE interface bell-internet, so neighbor
# discovery is active towards the ISP side as well.
# NOTE(review): remove the WAN-facing interfaces from this list unless discovery towards the ISP is intended.
# Entries without interface= presumably point at interfaces that no longer exist (confirm and clean up).
add interface=wlan1 list=discover
add list=discover
add interface=ether3-pms list=discover
add interface=ether4-rpi list=discover
add interface=ether5-slave-local list=discover
add interface=ether6-slave-local list=discover
add interface=ether7-uplink list=discover
add interface=ether8-WAN list=discover
add interface=sfp1-slave-local list=discover
add list=discover
add list=discover
add interface=bond-nas list=discover
add interface=bell-internet list=discover
add interface=easynews list=discover
# "mactel" members; /tool mac-server uses this list as its allowed-interface-list. ether8-WAN is a
# member, which makes the MAC server available on the WAN-side layer-2 segment.
# NOTE(review): limit this list to trusted LAN ports.
add list=mactel
add interface=ether3-pms list=mactel
add interface=ether4-rpi list=mactel
add interface=ether5-slave-local list=mactel
add interface=ether6-slave-local list=mactel
add interface=ether7-uplink list=mactel
add interface=ether8-WAN list=mactel
add interface=sfp1-slave-local list=mactel
/interface wireless cap
# The router's own radio (wlan1) joins as a CAP; 10.1.10.1 is this router's vlan10 address per /ip address.
# 
set caps-man-addresses=10.1.10.1 enabled=yes interfaces=wlan1
# Router addresses per VLAN, static DHCP leases, DHCP network options, DNS and firewall address lists.
/ip address
# The router is .1 in each /24 and acts as gateway and DNS server for all four networks.
add address=10.1.10.1/24 interface=vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=vlan30 network=10.1.30.0
add address=10.1.40.1/24 interface=vlan40 network=10.1.40.0
/ip dhcp-server lease
# Static leases. 10.1.40.200 (NAS) and 10.1.40.201 (PMS) are the targets of the dst-nat port forwards
# in this export, so these two hosts are the ones published to the internet.
add address=10.1.40.201 comment=PMS mac-address=44:37:E6:C1:E0:22 server=dhcp-media
add address=10.1.40.101 client-id=1:b8:27:eb:66:a1:7c comment=RPi-Music mac-address=B8:27:EB:66:A1:7C server=dhcp-media
add address=10.1.40.100 client-id=1:b8:27:eb:5b:40:3c comment=RPi-Downstairs mac-address=B8:27:EB:5B:40:3C server=dhcp-media
add address=10.1.10.10 always-broadcast=yes client-id=1:0:5:cd:44:d7:17 comment=Denon-S900W mac-address=00:05:CD:44:D7:17 server=dhcp-faciities
add address=10.1.10.100 client-id=1:d8:49:2f:2d:bf:c8 comment=Canon-MX722 mac-address=D8:49:2F:2D:BF:C8 server=dhcp-faciities
add address=10.1.40.200 client-id=1:0:11:32:20:d8:4d comment=NAS mac-address=00:11:32:20:D8:4D server=dhcp-media
# The second access point (hapAC) gets 10.1.10.2 in the facilities network.
add address=10.1.10.2 client-id=1:e4:8d:8c:53:b2:0 comment=hapAC mac-address=E4:8D:8C:53:B2:00 server=dhcp-faciities
/ip dhcp-server network
# Only the facilities network is also handed an NTP server.
add address=10.1.10.0/24 dns-server=10.1.10.1 gateway=10.1.10.1 netmask=24 ntp-server=10.1.10.1
add address=10.1.20.0/24 dns-server=10.1.20.1 gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 dns-server=10.1.30.1 gateway=10.1.30.1 netmask=24
add address=10.1.40.0/24 dns-server=10.1.40.1 gateway=10.1.40.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries arriving on any interface. Exposure to
# the internet is held back only by the two "Block external DNS" filter rules on bell-internet, so those
# rules must stay enabled and keep matching the WAN interface name.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
# Local overrides: every client that resolves through the router is sent to the internal hosts for these
# names, including the public domain plex.com.
add address=10.1.30.1 name=router
add address=10.1.40.200 name=xtower.synology.me
add address=10.1.40.201 name=plex.com
/ip firewall address-list
# Speed classes used by the mangle rules: home and media are high-speed, guest is low-speed.
add address=10.1.20.0/24 list=high-speed
add address=10.1.30.0/24 list=low-speed
add address=10.1.40.0/24 list=high-speed
# Packet filter. Rules are evaluated in order, and a packet that matches no rule is accepted.
/ip firewall filter
# Input chain (traffic addressed to the router itself): only DNS (udp/tcp 53) and FTP (tcp 21) arriving
# on bell-internet are dropped, and the SSH drop rule is disabled. There is no rule accepting
# established/related connections followed by a closing drop, so every other service on the router is
# left open to the WAN.
# NOTE(review): /ip service in this export does not disable ssh or winbox, so both are presumably
# reachable from the internet (confirm). Prefer: accept connection-state=established,related, accept
# management from trusted LAN interfaces only, then drop everything else on chain=input.
add action=drop chain=input comment="Block external DNS" dst-port=53 in-interface=bell-internet protocol=udp
add action=drop chain=input comment="Block external DNS" dst-port=53 in-interface=bell-internet protocol=tcp
add action=drop chain=input comment=BlockSSH disabled=yes dst-port=22 in-interface=bell-internet protocol=tcp
add action=drop chain=input comment="Block FTP" dst-port=21 in-interface=bell-internet protocol=tcp
# Forward chain: the accept rules describe the intended paths (within each VLAN, and home -> facilities
# and home -> media), but with no closing drop they restrict nothing. Paths that are not listed, for
# example facilities -> home or media -> home, are still accepted by default.
add action=accept chain=forward comment="Allow Facilities" in-interface=vlan10 out-interface=vlan10
add action=accept chain=forward comment="Allow Home" in-interface=vlan20 out-interface=vlan20
add action=accept chain=forward comment="Allow Guest" in-interface=vlan30 out-interface=vlan30
add action=accept chain=forward comment="Allow Media" in-interface=vlan40 out-interface=vlan40
add action=accept chain=forward comment="Allow Home -> Facilities" in-interface=vlan20 out-interface=vlan10
add action=accept chain=forward comment="Allow Home -> Media" in-interface=vlan20 out-interface=vlan40
# The only enforcing forward rule: guest (vlan30) traffic leaving through any interface other than vlan30
# is dropped. As written this also matches out-interface=bell-internet.
# NOTE(review): confirm guests are meant to have no internet access, and note that nothing here stops
# other networks from initiating connections into the guest VLAN.
add action=drop chain=forward in-interface=vlan30 out-interface=!vlan30
# Marks used for policy routing and for the two simple queues.
/ip firewall mangle
# Disabled: would send traffic from 192.168.88.210 via the "vpn" routing mark (the matching route is disabled too).
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=vpn passthrough=yes src-address=192.168.88.210
# Connection marks, then packet marks, for the high-speed and low-speed address lists.
# NOTE(review): each rule requires out-interface=bell-internet together with a destination inside a LAN
# address list. Traffic leaving towards the ISP would not normally have a LAN destination, so these
# rules may never match; verify with the rule counters.
add action=mark-connection chain=forward dst-address-list=high-speed new-connection-mark=high-speed out-interface=bell-internet passthrough=yes
add action=mark-connection chain=forward dst-address-list=low-speed new-connection-mark=low-speed out-interface=bell-internet passthrough=yes
add action=mark-packet chain=forward connection-mark=high-speed dst-address-list=high-speed new-packet-mark=high-speed-packet out-interface=bell-internet passthrough=no
add action=mark-packet chain=forward connection-mark=low-speed dst-address-list=low-speed new-packet-mark=low-speed-packet out-interface=bell-internet passthrough=no
# NAT: outbound masquerade plus inbound port forwards from the internet.
/ip firewall nat
# Source NAT for everything leaving through the PPPoE link.
add action=masquerade chain=srcnat comment="default configuration" out-interface=bell-internet
# Inbound forwards on bell-internet. Each enabled rule publishes an internal service to any internet host:
# none has src-address or src-address-list, and src-port=1024-65535 only matches the client's source
# port, so it is not an access restriction.
#   tcp 80 and 5000 -> 10.1.40.200:5000   (labelled "DS HTTP", i.e. unencrypted)
#   tcp 5001        -> 10.1.40.200:5001
#   tcp 2223        -> 10.1.40.200:22     (labelled "DS HTTPs" but the target port is 22)
#   tcp 5053        -> 10.1.40.200:5053
#   tcp 32400       -> 10.1.40.200:32400  (labelled "PMS Plex"; the PMS lease is 10.1.40.201, verify target)
#   tcp 5901        -> 10.1.40.201:5901   (labelled "PMS VNC")
#   tcp 2222        -> 10.1.40.201:22
# NOTE(review): put remote administration (SSH, VNC, the HTTP admin port) behind a VPN or a
# src-address-list allow-list instead of forwarding it to everyone, and drop the plain-HTTP forwards.
add action=dst-nat chain=dstnat comment="DS HTTP" dst-port=80 in-interface=bell-internet protocol=tcp src-port=1024-65535 to-addresses=10.1.40.200 to-ports=5000
add action=dst-nat chain=dstnat comment="DS HTTP" dst-port=5000 in-interface=bell-internet protocol=tcp src-port=1024-65535 to-addresses=10.1.40.200 to-ports=5000
add action=dst-nat chain=dstnat comment="DS HTTPs" dst-port=5001 in-interface=bell-internet protocol=tcp src-port=1024-65535 to-addresses=10.1.40.200 to-ports=5001
add action=dst-nat chain=dstnat comment="DS HTTPs" dst-port=2223 in-interface=bell-internet protocol=tcp src-port=1024-65535 to-addresses=10.1.40.200 to-ports=22
add action=dst-nat chain=dstnat comment="DS CP" dst-port=5053 in-interface=bell-internet protocol=tcp src-port=1024-65535 to-addresses=10.1.40.200 to-ports=5053
add action=dst-nat chain=dstnat comment="PMS Plex" dst-port=32400 in-interface=bell-internet protocol=tcp src-port=1024-65535 to-addresses=10.1.40.200 to-ports=32400
add action=dst-nat chain=dstnat comment="PMS VNC" dst-port=5901 in-interface=bell-internet protocol=tcp src-port=1024-65535 to-addresses=10.1.40.201 to-ports=5901
add action=dst-nat chain=dstnat comment="PMS SSH" dst-port=2222 in-interface=bell-internet protocol=tcp src-port=1024-65535 to-addresses=10.1.40.201 to-ports=22
# Disabled. Labelled "PMS SSH" but it targets 10.1.10.10:80, which is the Denon-S900W lease.
add action=dst-nat chain=dstnat comment="PMS SSH" disabled=yes dst-port=3000 in-interface=bell-internet protocol=tcp src-port=1024-65535 to-addresses=10.1.10.10 to-ports=80
# Remaining system settings: VPN route, management services, logging, NTP, MAC server and RoMON.
/ip route
# Disabled route for the "vpn" routing mark via the easynews PPTP interface.
add disabled=yes distance=1 gateway=easynews routing-mark=vpn
/ip service
# telnet, ftp, www, api and api-ssl are turned off. ssh and winbox are not mentioned, so they are
# presumably still enabled with no address= restriction (confirm). With the input chain in this export
# having no closing drop, that leaves them reachable from the WAN.
# NOTE(review): restrict the remaining services with address= to the management subnet.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-autodetect=no time-zone-name=America/Toronto
/system identity
set name=xtower.crs
/system leds
add interface=easynews leds=user-led type=interface-status
/system logging
# Logging rules 0-3 are disabled and the dhcp rule is disabled; the only active rule added here records
# CAPsMAN topics with the prefix "debug".
# NOTE(review): on a default install rules 0-3 are the info/error/warning/critical rules. If that holds
# here, logins and system errors are not being recorded, which removes the evidence needed both to
# troubleshoot the post-power-cut failure and to notice unwanted access. Confirm and re-enable.
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
add disabled=yes topics=dhcp
add prefix=debug topics=caps
/system ntp client
set enabled=yes primary-ntp=108.61.56.35 secondary-ntp=204.9.54.119
/system routerboard settings
set silent-boot=no
/tool mac-server
# The MAC server is limited to the "mactel" interface list, which in this export includes ether8-WAN.
set allowed-interface-list=mactel
/tool romon
# RoMON is enabled and no secrets are visible in this export.
# NOTE(review): confirm a RoMON secret is set, or disable RoMON if it is not used.
# NOTE(review): the trailing </CODE> on the next line is forum markup left by the paste, not RouterOS syntax.
set enabled=yes</CODE>