robsgax
newbie
Topic Author
Posts: 27
Joined: Wed Apr 17, 2019 10:26 pm

hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Tue Apr 21, 2020 10:52 am

Hi, this is my first ask on this forum so please be kind

Currently I have a hAP AC2 as my main router and my 1st AP (5G only), with 2 WANs, one cable ISP and one DSL ISP as a failover, a cAP AC as 2nd AP (2.4G and 5G), administered with CAPsMAN, that power my home internet. There I have 5 wired CPUs, 2 laptops, a wired PS4, a Roku, Nintendo Switch, 2 tablets, 5 phones and 4 smart lights.

This December all the stores put the Google devices on sale and I went and purchased 5 Chromecasts (3rd generation), 1 Google Nest, 3 Google Nest Minis and 1 Google Nest Hub for my home. I installed them and all worked OK, until my cable ISP upped my speed from 20Mbps to 120Mbps. All worked OK, but with wireless I couldn't get the 100's speed that I was getting on wire.

So I read and read and found out that using local forwarding instead of CAPsMAN forwarding could help with the CPU load on the hAP AC2. I made the change, and yes, I could get my high speed on wireless.

Until I found out that some Google devices keep disappearing from the Home app on our home phones, randomly: of the 5 speakers, sometimes only 3 or 2 showed, sometimes all 5 were out or all 5 showed; Chromecasts the same, 2, 3, all 5, none, etc., all without a pattern.

To make them work I needed to disconnect the control devices from WiFi (phones, tablets), change AP (walk around the house to disconnect from one and reconnect to the 2nd) and sometimes provision my radios again (with CAPsMAN), and that made them show as connected again, until the next disappearance, which could be minutes, hours, days, etc.

Now if I use CAPsMAN forwarding instead of local forwarding, all works OK, but my wireless speed suffers. My question is, what could be happening here? Is the hAP AC2 not strong enough for 120 Mbps? Do I need something more powerful? If I do, can you help me here? I will attach my two configurations in local forward mode.

thanks

hAP AC2 Conf
# apr/19/2020 23:29:50 by RouterOS 6.46.5
# software id = YE7D-V6K7
#
# model = RBD52G-5HacD2HnD
# serial number = B4A10A10B227
/caps-man channel
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX \
    frequency=5180 name=channel_5G reselect-interval=1h
add band=2ghz-g/n extension-channel=disabled frequency=2412,2437,2462 name=\
    channel_1-6-11 reselect-interval=1h
/interface bridge
add admin-mac=74:4D:28:C1:A5:B5 auto-mac=no comment=defconf name=bridgeLAN
/interface ethernet
set [ find default-name=ether1 ] comment=Izzi name=ether1-WAN1
set [ find default-name=ether2 ] comment="RBcAPGi-5acD2nD Pasillo" name=\
    ether2-CAPsMAN
set [ find default-name=ether3 ] comment=LAN name=ether3-LAN
set [ find default-name=ether4 ] comment=Libre
set [ find default-name=ether5 ] comment=Telnor name=ether5-WAN2
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    antenna-gain=8 band=2ghz-g/n channel-width=20/40mhz-XX country=\
    "united states" distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge multicast-helper=full name=wlan2GHz ssid=MikroTik-C1A5B9 \
    wireless-protocol=802.11 wmm-support=enabled
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(24dBm), SSID: RECGV, local forwarding
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    antenna-gain=6 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=\
    indoors hw-protection-mode=rts-cts hw-retries=4 installation=indoor mode=\
    ap-bridge multicast-helper=full name=wlan5GHz ssid=RECGV \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapathLAN
/caps-man rates
add basic=12Mbps name="GN Only" supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=1h name="RECGV WiFi"
/caps-man configuration
add channel=channel_5G country="united states3" datapath=datapathLAN \
    disconnect-timeout=3s distance=indoors frame-lifetime=0ms guard-interval=\
    any hw-protection-mode=rts-cts hw-retries=4 installation=indoor \
    keepalive-frames=enabled max-sta-count=150 mode=ap multicast-helper=full \
    name=MyHomeWifiAC rx-chains=0,1 security="RECGV WiFi" ssid=RECGV \
    tx-chains=0,1
add channel=channel_1-6-11 country=mexico datapath=datapathLAN \
    disconnect-timeout=3s distance=indoors frame-lifetime=0ms guard-interval=\
    any hw-protection-mode=rts-cts hw-retries=4 installation=indoor \
    keepalive-frames=enabled max-sta-count=150 mode=ap multicast-helper=\
    default name=MyHomeWifi rates="GN Only" rx-chains=0,1 security=\
    "RECGV WiFi" ssid=RECGV tx-chains=0,1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=WAN2
add comment=AllWAN name=WANAll
add comment=WLAN name=WLAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.150-192.168.0.220
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridgeLAN lease-time=1d name=\
    defconf
/ppp profile
add name=profileTelnor remote-address=8.8.4.4
add change-tcp-mss=yes name=openvpn use-compression=no use-encryption=yes \
    use-mpls=no
/interface pppoe-client
add add-default-route=yes comment=Telnor default-route-distance=2 disabled=no \
    interface=ether5-WAN2 name=pppoe-Telnor profile=profileTelnor \
    use-peer-dns=yes user=gisselam@prodigy.net.mx
/interface l2tp-client
add comment=VPN connect-to=98.153.62.16 disabled=no name=TorGuard profile=\
    default use-ipsec=yes user=recgaxiola@gmail.com
/caps-man manager
set enabled=yes package-path=/disk1 upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridgeLAN
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=g master-configuration=\
    MyHomeWifi name-format=prefix-identity name-prefix=2.4
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    MyHomeWifiAC name-format=prefix-identity name-prefix=5.0
/interface bridge port
add bridge=bridgeLAN comment=defconf interface=ether2-CAPsMAN
add bridge=bridgeLAN comment=defconf interface=ether3-LAN
add bridge=bridgeLAN comment=defconf interface=ether4
add bridge=bridgeLAN comment=defconf interface=wlan2GHz
add bridge=bridgeLAN comment=defconf interface=wlan5GHz
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all wan-interface-list=all
/interface list member
add comment=defconf interface=bridgeLAN list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
add comment=defconf interface=pppoe-Telnor list=WAN2
add interface=pppoe-Telnor list=WANAll
add interface=TorGuard list=WANAll
add interface=ether1-WAN1 list=WANAll
add interface=bridgeGuest list=LAN
/interface pptp-server server
set authentication=chap,mschap1,mschap2 enabled=yes
/interface wireless cap
# 
set bridge=bridgeLAN caps-man-addresses=127.0.0.1 enabled=yes interfaces=\
    wlan5GHz
/ip address
add address=192.168.0.1/24 interface=ether3-LAN network=192.168.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1-WAN1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=104.223.91.210,104.223.91.210
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="CAPs to CAPsMAN" dst-port=5246,5247 \
    protocol=udp src-address=127.0.0.1
add action=drop chain=forward comment=Attack log-prefix="BlackList - " \
    src-address-list=BlackList
add action=reject chain=forward comment="Drop incoming DNS traffic" dst-port=\
    53 in-interface-list=WANAll protocol=tcp reject-with=\
    icmp-network-unreachable
add action=reject chain=forward dst-port=53 in-interface-list=WANAll \
    protocol=udp reject-with=icmp-network-unreachable
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="ICMP from Chromecast into Router" \
    in-interface=bridgeLAN log-prefix=Accept_Chromecast_ICMP_ protocol=icmp \
    src-address-list=GoogleLAN
add action=accept chain=icmp_chain comment="ICMP on Chromecast" dst-address=\
    8.8.8.8 in-interface=bridgeLAN log-prefix=Accept_ICMP_Chromecast \
    protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=FI_D_port-test
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="Fasttrack Disable TelnorList" \
    src-address-list=TelnorList
add action=accept chain=forward connection-state=established,related \
    dst-address-list=TelnorList
add action=accept chain=forward comment="Fasttrack Disable VPNList" \
    src-address-list=TorGuargList
add action=accept chain=forward connection-state=established,related \
    dst-address-list=TorGuargList
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN2
/ip firewall mangle
add action=mark-routing chain=prerouting comment=Telnor new-routing-mark=\
    TelnorWAN passthrough=yes src-address-list=TelnorList
add action=mark-routing chain=prerouting comment=TorGuard new-routing-mark=\
    VPN passthrough=yes src-address-list=TorGuargList
add action=set-priority chain=postrouting comment="Set priority for WMM" \
    new-priority=from-dscp-high-3-bits passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-Telnor
add action=masquerade chain=srcnat comment="TorGuard OpenVPN" out-interface=\
    TorGuard
add action=masquerade chain=srcnat comment="defconf: masquerade" dst-address=\
    0.0.0.0/24 ipsec-policy=out,none src-address=192.168.20.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT Masq" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
/ip route
add distance=1 gateway=pppoe-Telnor routing-mark=TelnorWAN
add distance=1 gateway=TorGuard routing-mark=VPN
add check-gateway=ping distance=1 gateway=10.44.0.1
add check-gateway=ping distance=2 gateway=8.8.4.4
/ip upnp
set allow-disable-external-interface=yes enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=bridgeLAN type=internal
add interface=ether1-WAN1 type=external
add interface=ether5-WAN2 type=external
/system clock
set time-zone-autodetect=no time-zone-name=America/Los_Angeles
/system identity
set name="hAP ac^2"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

cAP AC Conf
# apr/19/2020 23:43:31 by RouterOS 6.46.5
# software id = WATD-YHFU
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = 8198079AD7BB
/interface bridge
add admin-mac=64:D1:54:F7:B2:CD auto-mac=no comment=defconf name=bridgeLocal
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap disable-pmkid=yes \
    management-protection=allowed mode=dynamic-keys name=wlan \
    supplicant-identity=""
add authentication-types=wpa2-psk,wpa2-eap disable-pmkid=yes \
    management-protection=allowed mode=dynamic-keys name=wlan_guest \
    supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 2437/20/gn(28dBm), SSID: RECGV, local forwarding
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    band=2ghz-g/n country=mexico frequency=2462 hw-protection-mode=rts-cts \
    hw-retries=4 installation=indoor mode=ap-bridge multicast-helper=full \
    security-profile=wlan ssid=RECGV wmm-support=enabled wps-mode=disabled
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(28dBm), SSID: RECGV, local forwarding
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    antenna-gain=2 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=\
    mexico frequency=5260 mode=ap-bridge security-profile=wlan ssid=RECGV \
    wmm-support=enabled
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal interface=ether2
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
    interfaces=wlan1,wlan2
/ip address
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
/ip firewall mangle
add action=set-priority chain=postrouting comment="Set priority for WMM" \
    new-priority=from-dscp-high-3-bits passthrough=yes
/ip route
add distance=1 gateway=192.168.0.1
/ip traffic-flow
set cache-entries=32k enabled=yes
/ip traffic-flow target
add dst-address=192.168.0.19 port=1234 version=ipfix
/ip upnp
set allow-disable-external-interface=yes enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=bridgeLocal type=internal
add interface=ether1 type=internal
/system clock
set time-zone-autodetect=no time-zone-name=America/Los_Angeles
/system identity
set name="cAP ac"
/system leds
add interface=bridgeLocal leds=user-led type=interface-status
/system leds settings
set all-leds-off=immediate
/system logging
add topics=caps,debug
add topics=wireless,debug
add topics=e-mail,debug
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system scheduler
add interval=1d name=ledsOn on-event="/system script run ledOn;" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/02/2020 start-time=06:30:00
add interval=1d name=ledsOff on-event="/system script run ledOff;" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/01/2020 start-time=21:00:00
/system script
add dont-require-permissions=no name=dark-mode owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=" \
    :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n /system leds settings set all-leds-off=immediate \r\
    \n } else={\r\
    \n /system leds settings set all-leds-off=never \r\
    \n } "
add dont-require-permissions=no name=ledOn owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system leds settings set all-leds-off=never;\r\
    \n:log info (\"Leds On\");"
add dont-require-permissions=no name=ledOff owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system leds settings set all-leds-off=immediate;\r\
    \n:log info (\"Leds Off\");"
    
Last edited by robsgax on Tue Apr 21, 2020 11:20 am, edited 1 time in total.
 
yhudit
just joined
Posts: 1
Joined: Tue Apr 21, 2020 10:50 am

Re: hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Tue Apr 21, 2020 11:01 am

try use longterm or stable 6464
 
heidarren
Member Candidate
Posts: 136
Joined: Mon Aug 05, 2019 9:56 am

Re: hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Tue Apr 21, 2020 12:08 pm

I think it has something to do with the bridge. I would try to give both the hAP's and the cAP's bridge the same name, then remove all wireless bridge ports of both APs from the bridge and let CAPsMAN add them dynamically. Don't forget to select the bridge in CAPsMAN's datapath.
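
The two things the post above suggests looking at, checked against a RouterOS export: wireless interfaces that are handed to CAPsMAN but also added to a bridge statically, and CAPsMAN datapaths with no bridge selected. This is an added example, not part of the original thread; the function names are hypothetical and both sample exports are constructed (the first is a trimmed excerpt of the hAP ac2 export posted earlier).

```python
import re

# Constructed sample: a trimmed excerpt of the hAP ac2 export posted above.
SAMPLE_EXPORT = r'''
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapathLAN
/interface bridge port
add bridge=bridgeLAN comment=defconf interface=ether2-CAPsMAN
add bridge=bridgeLAN comment=defconf interface=wlan2GHz
add bridge=bridgeLAN comment=defconf interface=wlan5GHz
/interface wireless cap
set bridge=bridgeLAN caps-man-addresses=127.0.0.1 enabled=yes interfaces=\
    wlan5GHz
'''

# Constructed sample: the same excerpt with the suggestion applied.
FIXED_EXPORT = r'''
/caps-man datapath
add bridge=bridgeLAN client-to-client-forwarding=yes local-forwarding=yes \
    name=datapathLAN
/interface bridge port
add bridge=bridgeLAN comment=defconf interface=ether2-CAPsMAN
/interface wireless cap
set bridge=bridgeLAN caps-man-addresses=127.0.0.1 enabled=yes interfaces=\
    wlan5GHz
'''

# key=value pairs; a value is either a double-quoted string or a bare word.
PARAM_RE = re.compile(r'([\w.-]+)=("(?:\\.|[^"\\])*"|\S*)')
# verb, optional "[ find ... ]" selector, then the parameters.
ENTRY_RE = re.compile(r'(\w+)\s*(?:\[[^\]]*\])?\s*(.*)')


def parse_export(text):
    """Return a list of (menu, verb, params) tuples from a RouterOS export."""
    # Exports wrap long lines with a trailing backslash plus indentation.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    entries, menu = [], None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or export comment
        if line.startswith("/"):
            menu = line  # e.g. "/interface bridge port"
            continue
        match = ENTRY_RE.match(line)
        if not match or menu is None:
            continue
        verb, rest = match.groups()
        params = {}
        for key, value in PARAM_RE.findall(rest):
            if value.startswith('"') and value.endswith('"') and len(value) >= 2:
                value = value[1:-1]
            params[key] = value
        entries.append((menu, verb, params))
    return entries


def check_capsman_bridging(text):
    """Report static bridge ports on CAP-managed radios and datapaths without a bridge."""
    entries = parse_export(text)

    # Radios this device hands over to CAPsMAN.
    cap_ifaces = set()
    for menu, _verb, params in entries:
        if menu == "/interface wireless cap" and params.get("enabled") == "yes":
            cap_ifaces.update(i for i in params.get("interfaces", "").split(",") if i)

    findings = []
    for menu, verb, params in entries:
        if verb != "add":
            continue
        if menu == "/interface bridge port" and params.get("interface") in cap_ifaces:
            findings.append(("static-bridge-port", params["interface"], params.get("bridge")))
        elif menu == "/caps-man datapath" and "bridge" not in params:
            findings.append(("datapath-no-bridge", params.get("name"), None))
    return findings


if __name__ == "__main__":
    for label, export in (("posted", SAMPLE_EXPORT), ("fixed", FIXED_EXPORT)):
        print(label, check_capsman_bridging(export))
```

Run it over the `/export` output of the manager and of each CAP; an empty list means neither condition was found in that export.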
 
maigonis
Member Candidate
Posts: 180
Joined: Sat Jul 20, 2019 8:16 pm

Re: hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Wed Apr 22, 2020 11:02 pm

I now have RB450x4 as main router and hap ac2 and cap ac as APs. Before RB450x4 I had hex s as main router. I can get around 200mbps on APs with capsman forwarding and 80mhz channel width. I have issues with local forwarding also, so I don't use it. Have you played with channels? Turn off old bands (b/g) if you don't need them. Limit rates.
 
robsgax
newbie
Topic Author
Posts: 27
Joined: Wed Apr 17, 2019 10:26 pm

Re: hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Thu Apr 23, 2020 1:01 am

> I now have RB450x4 as main router and hap ac2 and cap ac as APs. Before RB450x4 I had hex s as main router. I can get around 200mbps on APs with capsman forwarding and 80mhz channel width. I have issues with local forwarding also, so I don't use it. Have you played with channels? Turn off old bands (b/g) if you don't need them. Limit rates.

So my issue is that my main router, the hAP ac2, is not powerful enough to be a CAPsMAN manager, CAP and router. I also think that if I use local-forwarding=on the system has some stability issues, that's why the problem is intermittent. I will try with CAPsMAN forwarding for the moment, and when this quarantine ends I will purchase another mk so it can be router only.

I had turned off the b band, modified the rates, and used only channels 1, 6 and 11 on 2.4 and 5180 on 5G (I have the US version, so it's the only one that I can use). The Google devices are all connected to the 5G band.

thanks
 
heidarren
Member Candidate
Posts: 136
Joined: Mon Aug 05, 2019 9:56 am

Re: hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Thu Apr 23, 2020 7:33 am

RB450x4 and hAP ac2 have the same processor (can anyone tell me what's the difference between IPQ4018 and IPQ4019?), I wonder if you will see any performance changes. Anyone here who's using RB4011 or above and using CAPsMAN forwarding? Can you share the result with us?
 
AllexRo
Frequent Visitor
Posts: 77
Joined: Fri Nov 22, 2019 4:24 pm
Location: Bucharest, RO

Re: hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Thu Apr 23, 2020 9:58 am

May I suggest moving all those Google devices to the 2.4 GHz network and see if they manifest the same similar problem?
After all, I think that 2.4 GHz offers enough bandwidth for what they need/offer and I've seen many cases of Google Home devices having issues with 5GHz networks.
 
robsgax
newbie
Topic Author
Posts: 27
Joined: Wed Apr 17, 2019 10:26 pm

Re: hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Thu Apr 23, 2020 8:47 pm

> May I suggest moving all those Google devices to the 2.4 GHz network and see if they manifest the same similar problem?
> After all, I think that 2.4 GHz offers enough bandwidth for what they need/offer and I've seen many cases of Google Home devices having issues with 5GHz networks.

Will try that route, but FYI, right now they are on the 5GHz network and have passed 5 days without an issue. The only thing is I'm using CAPsMAN forwarding, and with that my wireless speed is not giving me my full bandwidth, maybe 30% of 100Mbps. In local forwarding mode I got 100% of that, but with disconnections from my Google Home devices.

thanks for the tip
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Fri Apr 24, 2020 12:59 pm

> (can anyone tell me what's the difference between IPQ4018 and IPQ4019?)

Seems that 4018 misses some support for peripheral devices (most of which are not present in most of MT gadgets anyway) and possibility to select WiFi band on first WLAN interface (4018 has it fixed to 2.4GHz, 4019 seems to support switching between 2.4 and 5 GHz ... the second WLAN interface is always 5 GHz).
 
robsgax
newbie
Topic Author
Posts: 27
Joined: Wed Apr 17, 2019 10:26 pm

Re: hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Sun Apr 26, 2020 5:04 am

I have made other tests, and when a device disappears from the Google Home app, for example, a Google Mini is wirelessly connected to the CAP and the phone to the wireless on the CAPsMAN, I can't ping from the phone to the Google Mini, but from my PC, connected via wire to the CAPsMAN, I can ping the Google Mini, so it's something about wireless---cap---capsman---wireless that breaks the connection. Here are the config files.

CAPsMAN
# apr/25/2020 18:52:45 by RouterOS 6.46.5
# software id = YE7D-V6K7
#
# model = RBD52G-5HacD2HnD
# serial number = B4A10A10B227
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name=channel_1-6-11 reselect-interval=1h
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX \
    frequency=5180 name=channel_5G reselect-interval=1h
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapathLAN
/interface bridge
add admin-mac=74:4D:28:C1:A5:B5 auto-mac=no comment=defconf igmp-snooping=yes \
    name=bridgeLAN
/interface ethernet
set [ find default-name=ether1 ] comment=Izzi name=ether1-WAN1
set [ find default-name=ether2 ] comment="RBcAPGi-5acD2nD Pasillo" name=\
    ether2-CAPsMAN
set [ find default-name=ether3 ] comment=LAN name=ether3-LAN
set [ find default-name=ether4 ] comment=Libre
set [ find default-name=ether5 ] comment=Telnor name=ether5-WAN2
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    antenna-gain=8 band=2ghz-g/n channel-width=20/40mhz-XX country=\
    "united states" distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge multicast-helper=full name=wlan2GHz ssid=MikroTik-C1A5B9 \
    wireless-protocol=802.11 wmm-support=enabled
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(20dBm), SSID: RECGV, local forwarding
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    antenna-gain=10 band=5ghz-n/ac channel-width=20/40/80mhz-XXXX disabled=no \
    distance=indoors hw-protection-mode=rts-cts hw-retries=4 installation=\
    indoor mode=ap-bridge multicast-helper=full name=wlan5GHz ssid=RECGV \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/caps-man rates
add basic=12Mbps name="GN Only" supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=1h name="RECGV WiFi"
/caps-man configuration
add channel=channel_5G country="united states3" datapath=datapathLAN \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    disconnect-timeout=3s distance=indoors frame-lifetime=0ms guard-interval=\
    any hw-protection-mode=rts-cts hw-retries=4 installation=indoor \
    keepalive-frames=disabled max-sta-count=150 mode=ap multicast-helper=full \
    name=MyHomeWifiAC rx-chains=0,1 security="RECGV WiFi" ssid=RECGV \
    tx-chains=0,1
add channel=channel_1-6-11 country=mexico datapath=datapathLAN \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    disconnect-timeout=3s distance=indoors frame-lifetime=0ms guard-interval=\
    any hw-protection-mode=rts-cts hw-retries=4 installation=indoor \
    keepalive-frames=disabled max-sta-count=150 mode=ap multicast-helper=full \
    name=MyHomeWifi rates="GN Only" rx-chains=0,1 security="RECGV WiFi" ssid=\
    RECGV tx-chains=0,1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=WAN2
add comment=AllWAN name=WANAll
add comment=WLAN name=WLAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.150-192.168.0.220
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridgeLAN lease-time=1d name=\
    defconf
/ppp profile
add name=profileTelnor remote-address=8.8.4.4
add change-tcp-mss=yes name=openvpn use-compression=no use-encryption=yes \
    use-mpls=no
/interface pppoe-client
add add-default-route=yes comment=Telnor default-route-distance=2 disabled=no \
    interface=ether5-WAN2 name=pppoe-Telnor profile=profileTelnor \
    use-peer-dns=yes user=user@prodigy.net.mx
/interface l2tp-client
add comment=VPN connect-to=123.123.123.123 disabled=no name=TorGuard profile=\
    default use-ipsec=yes user=user@gmail.com
/caps-man access-list
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=\
    yes disabled=no interface=any signal-range=-86..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any \
    signal-range=-120..-87 ssid-regexp=""
/caps-man manager
set enabled=yes package-path=/disk1
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridgeLAN
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=g master-configuration=\
    MyHomeWifi name-format=prefix-identity name-prefix=2.4
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    MyHomeWifiAC name-format=prefix-identity name-prefix=5.0
/interface bridge port
add bridge=bridgeLAN comment=defconf interface=ether2-CAPsMAN
add bridge=bridgeLAN comment=defconf interface=ether3-LAN
add bridge=bridgeLAN comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all wan-interface-list=all
/interface list member
add comment=defconf interface=bridgeLAN list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
add comment=defconf interface=pppoe-Telnor list=WAN2
add interface=pppoe-Telnor list=WANAll
add interface=TorGuard list=WANAll
add interface=ether1-WAN1 list=WANAll
/interface pptp-server server
set authentication=chap,mschap1,mschap2 enabled=yes
/interface wireless access-list
add interface=wlan5GHz vlan-mode=no-tag
/interface wireless cap
# 
set bridge=bridgeLAN caps-man-addresses=127.0.0.1 enabled=yes interfaces=\
    wlan5GHz
/ip accounting
set threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=192.168.0.0/24
/ip address
add address=192.168.0.1/24 interface=ether3-LAN network=192.168.0.0
/ip cloud
set ddns-update-interval=30m
/ip dhcp-client
add comment=defconf disabled=no interface=ether1-WAN1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=104.223.91.210,104.223.91.210
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.0.30 comment=Roberto disabled=yes list=TorGuargList
add address=192.168.0.41 comment=Roku list=TorGuargList
add address=192.168.0.8 comment=PiHole list=NoPiHole
add address=192.168.0.24 comment="Nintendo Switch" disabled=yes list=\
    TelnorList
add address=192.168.0.24 comment="Nintendo Switch" disabled=yes list=\
    TorGuargList
add address=192.168.0.30 comment=Roberto disabled=yes list=TelnorList
add address=192.168.0.28 comment=PS4 disabled=yes list=TelnorList
add address=192.168.0.6 comment="ESXi Server" list=TelnorList
add address=192.168.0.18 comment="No-Ip Server" list=TelnorList
add address=192.168.0.8 comment=UbuntuPiHole disabled=yes list=TelnorList
add address=192.168.0.41 comment=Roku list=NoPiHole
add address=192.168.20.0/24 comment="Guest SSID" list=GuestSSID-NoNetflix
add address=192.168.0.30 comment=Roberto disabled=yes list=RestrictedAccess
add address=192.168.0.19 comment=WS2019 disabled=yes list=TorGuargList
add address=192.168.0.19 comment=WS2019 disabled=yes list=TelnorList
add address=192.168.0.45-192.168.0.60 list=GoogleLAN
add address=192.168.20.0/24 comment="Guest SSID" disabled=yes list=\
    RestrictedAccess
/ip firewall filter
add action=accept chain=input comment="CAPs to CAPsMAN" dst-port=5246,5247 \
    protocol=udp src-address=127.0.0.1
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="ICMP from Chromecast into Router" \
    in-interface=bridgeLAN log-prefix=Accept_Chromecast_ICMP_ protocol=icmp
add action=accept chain=icmp_chain comment="ICMP on Chromecast" dst-address=\
    8.8.8.8 in-interface=bridgeLAN log-prefix=Accept_ICMP_Chromecast \
    protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix="defconf: drop invalid "
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-address-type=local src-address-type=local
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=\
    "defconf: drop all not coming from LAN "
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="Fasttrack Disable RestrictedAccess" \
    src-address-list=RestrictedAccess
add action=accept chain=forward dst-address-list=RestrictedAccess
add action=accept chain=forward comment="Fasttrack Disable TelnorList" \
    src-address-list=TelnorList
add action=accept chain=forward connection-state=established,related \
    dst-address-list=TelnorList
add action=accept chain=forward comment="Fasttrack Disable VPNList" \
    src-address-list=TorGuargList
add action=accept chain=forward connection-state=established,related \
    dst-address-list=TorGuargList
add action=accept chain=forward comment="Fasttrack Disable GuestWiFi" \
    src-address-list=GuestSSID-NoNetflix
add action=accept chain=forward connection-state=established,related \
    dst-address-list=GuestSSID-NoNetflix
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="defconf: drop invalid "
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log-prefix=\
    "defconf: drop all from WAN not DSTNATed "
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN2 log-prefix=\
    "defconf: drop all from WAN not DSTNATed 2 "
/ip firewall mangle
add action=mark-routing chain=prerouting comment=Telnor new-routing-mark=\
    TelnorWAN passthrough=yes src-address-list=TelnorList
add action=mark-routing chain=prerouting comment=TorGuard new-routing-mark=\
    VPN passthrough=yes src-address-list=TorGuargList
add action=set-priority chain=postrouting comment="Set priority for WMM" \
    new-priority=from-dscp-high-3-bits passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-Telnor
add action=masquerade chain=srcnat comment="TorGuard OpenVPN" out-interface=\
    TorGuard
add action=masquerade chain=srcnat comment="defconf: masquerade" dst-address=\
    0.0.0.0/24 ipsec-policy=out,none src-address=192.168.20.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT Masq" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
/ip route
add distance=1 gateway=pppoe-Telnor routing-mark=TelnorWAN
add distance=1 gateway=TorGuard routing-mark=VPN
add check-gateway=ping distance=1 gateway=10.44.0.1
add check-gateway=ping distance=2 gateway=8.8.4.4
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridgeLAN type=internal
add interface=ether1-WAN1 type=external
add interface=ether5-WAN2 type=external
/system clock
set time-zone-autodetect=no time-zone-name=America/Los_Angeles
/system identity
set name="hAP ac^2"
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


CAP
# apr/25/2020 18:52:00 by RouterOS 6.46.5
# software id = WATD-YHFU
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = 8198079AD7BB
/interface bridge
add admin-mac=64:D1:54:F7:B2:CD auto-mac=no comment=defconf name=bridgeLocal
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap disable-pmkid=yes \
    management-protection=allowed mode=dynamic-keys name=wlan \
    supplicant-identity=""
add authentication-types=wpa2-psk,wpa2-eap disable-pmkid=yes \
    management-protection=allowed mode=dynamic-keys name=wlan_guest \
    supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(28dBm), SSID: RECGV, local forwarding
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    band=2ghz-g/n country=mexico disabled=no frequency=2462 \
    hw-protection-mode=rts-cts hw-retries=4 installation=indoor mode=\
    ap-bridge multicast-helper=full security-profile=wlan ssid=RECGV \
    wmm-support=enabled wps-mode=disabled
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(28dBm), SSID: RECGV, local forwarding
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    antenna-gain=2 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=\
    mexico disabled=no mode=ap-bridge security-profile=wlan ssid=RECGV \
    wmm-support=enabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal interface=ether2
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireless access-list
add vlan-mode=no-tag
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
    interfaces=wlan1,wlan2
/ip address
add address=192.168.0.2/24 interface=bridgeLocal network=192.168.0.0
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
/ip firewall filter
add action=accept chain=input comment="ICMP from Chromecast into Router" \
    in-interface=bridgeLocal protocol=icmp
add action=accept chain=icmp_chain comment="ICMP on Chromecast" dst-address=\
    8.8.8.8 in-interface=bridgeLocal protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward log=yes log-prefix="drop "
/ip firewall mangle
add action=set-priority chain=postrouting comment="Set priority for WMM" \
    new-priority=from-dscp-high-3-bits passthrough=yes
/ip route
add distance=1 gateway=192.168.0.1
/ip upnp
set allow-disable-external-interface=yes enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=bridgeLocal type=internal
add interface=ether1 type=internal
/system clock
set time-zone-autodetect=no time-zone-name=America/Los_Angeles
/system identity
set name="cAP ac"
/system leds
add interface=bridgeLocal leds=user-led type=interface-status
/system logging
add topics=caps,debug
add topics=wireless,debug
add topics=e-mail,debug
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system scheduler
add interval=1d name=ledsOn on-event="/system script run ledOn;" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/02/2020 start-time=06:30:00
add interval=1d name=ledsOff on-event="/system script run ledOff;" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/01/2020 start-time=21:00:00
/system script
add dont-require-permissions=no name=dark-mode owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=" \
    :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n /system leds settings set all-leds-off=immediate \r\
    \n } else={\r\
    \n /system leds settings set all-leds-off=never \r\
    \n } "
add dont-require-permissions=no name=ledOn owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system leds settings set all-leds-off=never;\r\
    \n:log info (\"Leds On\");"
add dont-require-permissions=no name=ledOff owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system leds settings set all-leds-off=immediate;\r\
    \n:log info (\"Leds Off\");"
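An added example, not part of the original post: a small Python audit of the export format shown above. It flags forward-chain accept rules that match neither a connection state nor an ingress interface and sit ahead of the first forward drop, rules in a custom chain that no jump rule reaches (the CAP's `icmp_chain`), and enabled UPnP. The finding names, the function names and the `SAMPLE` text are constructed for the example.

```python
import re
import shlex

# Constructed sample: rules trimmed from the two exports in the post above.
SAMPLE = r'''
/ip firewall filter
add action=accept chain=forward comment="Fasttrack Disable RestrictedAccess" \
    src-address-list=RestrictedAccess
add action=accept chain=forward connection-state=established,related \
    dst-address-list=TelnorList
add action=accept chain=icmp_chain comment="ICMP on Chromecast" dst-address=\
    8.8.8.8 in-interface=bridgeLocal protocol=icmp
add action=drop chain=forward connection-state=new in-interface-list=WAN
/ip upnp
set allow-disable-external-interface=yes enabled=yes
'''

SCOPED = {"connection-state", "connection-nat-state", "in-interface",
          "in-interface-list", "ipsec-policy"}  # state / ingress matchers

def parse_export(text):
    """Yield (section, verb, params) for each command of a RouterOS export."""
    text = re.sub(r"\\\n[ \t]*", "", text)  # undo the export's line wrapping
    section = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            verb, *args = shlex.split(line)
            yield section, verb, dict(a.split("=", 1) for a in args if "=" in a)

def audit(text):
    """Return (kind, detail) findings for the filter rules and UPnP setting."""
    cmds = list(parse_export(text))
    rules = [p for s, v, p in cmds if s == "/ip firewall filter" and v == "add"]
    jumped = {r.get("jump-target") for r in rules if r.get("action") == "jump"}
    findings, drop_seen = [], False
    for r in rules:
        chain, action = r.get("chain"), r.get("action")
        if chain not in {"input", "forward", "output"} and chain not in jumped:
            findings.append(("unreachable-chain", chain))  # nothing jumps here
        if chain == "forward" and action == "drop":
            drop_seen = True
        elif (chain == "forward" and action == "accept" and not drop_seen
              and SCOPED.isdisjoint(r)):
            findings.append(("unscoped-accept", r.get("comment", "")))
    findings += [("upnp-enabled", s) for s, v, p in cmds
                 if s == "/ip upnp" and p.get("enabled") == "yes"]
    return findings
```

Calling `audit()` on the text of a full `/export` returns the same kind of list; an unscoped accept is a prompt to check whether the rule should also match `in-interface-list=LAN` or a connection state.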
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Wed May 06, 2020 4:53 pm

Do you see the dreaded 4-way Hand Shake time out in the logs?
 
pomah
Frequent Visitor
Posts: 59
Joined: Fri Aug 15, 2014 5:00 pm

Re: hAP AC2, cAP AC, CAPsMAN and Google Smart Home

Tue Jul 06, 2021 6:06 pm

> Do you see the dreaded 4-way Hand Shake time out in the logs?

What does that look like?

How did the TS solve the problem in the end? My two devices lose connection to the Google Home app once every 24h and I need to reboot them to get them to function again...
