Page 1 of 1

Need help with CAPsMAN configuration

Posted: Sun Jun 14, 2020 5:55 pm
by jabertwo
Hello,

I have my home network running on a hEX PoE as my router, firewall and capsman manager and two wsap ac lite accespoints to wich I have one PC connected each.
It is all running really nicely, however I have been planing to use vlans to seperate privat and guest networks. When I first setup the network I wasn't able to get it to work however, so I just went without it. A few months ago I once again tried setting up the vlan stuff, which again didn't go as planned.
Would someone be able to tell me, what am I doing wrong?

This is the configuration of my Router:
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether2 pvid=20
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=sfp1
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=20
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=WLAN passphrase=xxxxxxxx
add authentication-types=wpa2-psk encryption=aes-ccm name=WLAN-gast passphrase=xxxxxxxx
add authentication-types=wpa2-psk encryption=aes-ccm name=WLAN-IoT passphrase=xxxxxxxx
/caps-man configuration
add country=germany datapath.bridge=bridge datapath.vlan-id=10 datapath.vlan-mode=use-tag name=WLAN security=WLAN ssid=WLAN
add country=germany datapath.bridge=bridge datapath.vlan-id=20 datapath.vlan-mode=use-tag name=WLAN-gast security=WLAN-gast ssid=WLAN-gast
add country=germany datapath.bridge=bridge datapath.vlan-id=10 datapath.vlan-mode=use-tag name=WLAN-IoT security=WLAN-IoT ssid=WLAN-IoT hide-ssid=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=WLAN slave-configurations=WLAN-gast,WLAN-IoT
/caps-man manager interface
add disabled=no forbid=yes interface=ether1
add disabled=no forbid=yes interface=ether2
add disabled=no interface=ether3
add disabled=no interface=ether4
add disabled=no forbid=yes interface=ether5
add disabled=no forbid=yes interface=sfp1
/caps-man manager
set enabled=yes
/interface vlan
add interface=bridge name=VLAN10 vlan-id=10
add interface=bridge name=VLAN20 vlan-id=20
/ip address
add address=10.0.0.1/24 interface=VLAN10 network=10.0.0.0
add address=10.0.1.1/24 interface=VLAN20 network=10.0.1.0
/ip pool
add name=dhcp_pool10 ranges=10.0.0.10-10.0.0.110
add name=dhcp_pool20 ranges=10.0.1.10-10.0.1.254
/ip dhcp-server
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 name=dhcp10 lease-time=3d
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1 gateway=10.0.0.1
add address=10.0.1.0/24 dns-server=1.1.1.1 gateway=10.0.1.1
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-ntp=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked in-interface=bridge
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="hEX PoE"
/system ntp client
set enabled=yes primary-ntp=128.176.0.12 secondary-ntp=128.176.0.13
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
And this for my AccessPoionts:
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3 vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
/interface vlan
add interface=bridge name=VLAN10 vlan-id=10
add interface=bridge name=VLAN20 vlan-id=20
/interface wireless cap
set discovery-interfaces=ether1 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add disabled=no interface=bridge
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=AP1
/system leds settings
set all-leds-off=after-1h
I would be very greatful for any advice

Best wishes to all of you
jabertwo