john4669
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Oct 23, 2017 8:35 pm

CAPsMAN DHCP for virtual AP's

Sun Oct 18, 2020 11:04 pm

I just ordered a Tri-band Audience AP and am trying to learn CAPsMAN for when it shows up. My goal is to set up virtual APs for a guest wireless network, an IoT wireless network, and a network for trusted devices in our house. I'm practising setting up virtual APs using an old RB951G that I reset to CAP mode. My CAPsMAN manager is a hAP ac^2 on which I have the internal radios disabled. Everything is "working" except that I can't get the guest network to reliably use the DHCP server that I set up for the guest bridge. I've been spinning my wheels and could use some help. Here is an export of everything related to my setup:
# oct/18/2020 14:44:20 by RouterOS 6.47.4
# software id = SZJU-XV26
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = xxxxxxxxxxx
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=channel1
add band=2ghz-g/n control-channel-width=20mhz frequency=2437 name=channel6
add band=2ghz-g/n control-channel-width=20mhz frequency=2462 name=channel11
/interface bridge
add admin-mac=CC:2D:E0:C9:BE:90 auto-mac=no comment=defconf name=bridge
add name=bridge_guest
/caps-man datapath
add arp=enabled bridge=bridge client-to-client-forwarding=yes \
    local-forwarding=yes name=datapath_main
add arp=enabled bridge=bridge_guest client-to-client-forwarding=yes \
    local-forwarding=yes name=datapath_guest
/caps-man security
add authentication-types=wpa-psk disable-pmkid=yes encryption=aes-ccm name=\
    security_guest passphrase=password1
add authentication-types=wpa-psk disable-pmkid=yes encryption=aes-ccm name=\
    security_main passphrase=password1
/caps-man configuration
add channel=channel1 country="united states" datapath=datapath_guest mode=ap \
    name=cfg_guest security=security_guest ssid=AP_Guest
add channel=channel1 country="united states" datapath=datapath_main mode=ap \
    name=cfg_main security=security_main ssid=AP_Main
/caps-man interface
add configuration=cfg_main disabled=no l2mtu=1600 mac-address=\
    B8:69:F4:8A:C6:FB master-interface=none name=cap19 radio-mac=\
    B8:69:F4:8A:C6:FB radio-name=B869F48AC6FB
add configuration=cfg_guest disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:8A:C6:FB master-interface=cap19 name=cap20 radio-mac=\
    00:00:00:00:00:00 radio-name=BA69F48AC6FB
add channel=channel1 configuration=cfg_main datapath=datapath_main disabled=\
    no mac-address=00:00:00:00:00:00 master-interface=none name=cap_main \
    radio-mac=00:00:00:00:00:00 radio-name="" security=security_main
add channel=channel1 configuration=cfg_guest datapath=datapath_guest \
    disabled=no mac-address=02:00:00:00:00:00 master-interface=cap_main name=\
    cap_guest radio-mac=00:00:00:00:00:00 radio-name="" security=\
    security_guest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    "Cman=v=11a841" wpa2-pre-shared-key="Cman=v=11a841"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool_guest ranges=192.168.40.10-192.168.40.254
add name=pool_iot ranges=192.168.45.10-192.168.45.254
add name=pool_trusted ranges=192.168.15.10-192.168.15.254
/ip dhcp-server
add add-arp=yes address-pool=pool_trusted disabled=no interface=bridge name=\
    dhcp_main
add add-arp=yes address-pool=pool_guest disabled=no interface=bridge_guest \
    name=dhcp_guest
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-enabled master-configuration=cfg_main radio-mac=\
    B8:69:F4:8A:C6:FB slave-configurations=cfg_guest
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=wlan1
add bridge=bridge comment=defconf disabled=yes interface=wlan2
add bridge=bridge_guest interface=cap_guest
add bridge=bridge interface=cap_main
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.5.57/16 interface=ether1 network=192.168.0.0
add address=192.168.40.1/24 interface=bridge_guest network=192.168.40.0
add address=192.168.15.1/24 interface=bridge network=192.168.15.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.15.0/24 gateway=192.168.15.1
add address=192.168.40.0/24 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes servers=192.168.5.1
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: CAPsMAN DHCP for virtual AP's

Sun Oct 18, 2020 11:35 pm

You have a few problems in the config. You showed the config from the CAPsMAN device; I can only guess whether the prerequisite config on the CAP device matches. One is this:
/caps-man datapath
add arp=enabled bridge=bridge_guest client-to-client-forwarding=yes \
    local-forwarding=yes name=datapath_guest
Does bridge_guest exist on the CAP device? Because you have local-forwarding=yes. I guess that if you want to have anything but a simple single-SSID wireless configured using CAPsMAN, you either have to use local-forwarding=no or (extensively) configure the CAP device.

Then you have issues with addressing on the CAPsMAN device:
/ip address
add address=192.168.5.57/16 interface=ether1 network=192.168.0.0
add address=192.168.40.1/24 interface=bridge_guest network=192.168.40.0
add address=192.168.15.1/24 interface=bridge network=192.168.15.0
The subnet configured on ether1 (WAN interface) overlaps both "local" subnets (LAN and guest). I'm not sure how things work in this case; you had better use non-overlapping subnets.

Overall your CAPsMAN configuration seems overcomplicated to me; my own CAPsMAN is much simpler ... and works.
 
john4669
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Oct 23, 2017 8:35 pm

Re: CAPsMAN DHCP for virtual AP's

Mon Oct 19, 2020 12:02 am

Well... apparently I have a lot to learn. The CAP itself automatically created a bridge called "bridgeLocal". My intention in creating "bridge_guest" on the CAPsMAN was simply to be able to have a DHCP server tied to that bridge for a different pool of addresses. I see what you mean by the overlapping subnets. That's just a mistake I didn't catch. Used /16 instead of /24.
 
john4669
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Oct 23, 2017 8:35 pm

Re: CAPsMAN DHCP for virtual AP's

Mon Oct 19, 2020 12:19 am

Turning off local forwarding and fixing the overlapping subnet seems to have fixed my problem. Thank you! I also set the virtual interfaces to "static" on the CAP to keep them the same across reboots. I would certainly welcome any suggestions to uncomplicate it further.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: CAPsMAN DHCP for virtual AP's

Mon Oct 19, 2020 9:57 am

There are numerous definitions of MAC addresses and radio names in your config ... I don't think that's necessary in your case (with a single CAP device). It may be necessary if there are multiple CAPs in play and some (or all) of them should get specific settings (which is done in /caps-man provisioning; see the last part of this post).

You really should use authentication-types=wpa2-psk in security profiles ... unless there's a client device which doesn't support WPA2, in that case set it to authentication-types=wpa2-psk,wpa-psk.

In a virtual AP configuration you should omit any HW-related settings (as those are taken from the master interface anyway). In your particular config, you should omit setting channel, and you can safely omit setting mode as well.

I'm not sure if all those settings in /caps-man interface actually do something. In my case (I'm using local forwarding, which may or may not make any difference) I have simply
/caps-man manager interface
add interface=bridge disabled=no
where bridge is the interface on CAPsMAN through which the CAPs manager and CAP clients can communicate (when having VLANs, this should probably be the management VLAN).

If you only have one CAP device (or if you have multiple, but you want to have them provisioned with the same/similar settings), then you can omit setting radio-mac ... or you can set it to radio-mac=00:00:00:00:00:00 (which is the default), instructing CAPsMAN to apply the rule set to any CAP device not covered by preceding (if there are any) provisioning rules.
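As an added example (my own code, not part of this thread and not a MikroTik tool), here is a small Python audit script that parses a RouterOS /export in the form john4669 posted and flags the four points mkx raised across both replies: the /16 on ether1 overlapping the LAN and guest subnets, datapaths with local-forwarding=yes (whose bridge then has to exist on the CAP, not just on CAPsMAN), security profiles without wpa2-psk, and a channel set on a slave (virtual AP) configuration. The sample export is constructed from the relevant sections of the thread; the parser assumes only the two export conventions visible there (trailing-backslash line continuation and double-quoted values with spaces).

```python
"""Audit a RouterOS CAPsMAN export for the problems discussed in this thread."""
import ipaddress
import shlex

# Constructed sample: the sections of john4669's export that the replies refer to.
SAMPLE_EXPORT = r"""
/caps-man datapath
add arp=enabled bridge=bridge client-to-client-forwarding=yes \
    local-forwarding=yes name=datapath_main
add arp=enabled bridge=bridge_guest client-to-client-forwarding=yes \
    local-forwarding=yes name=datapath_guest
/caps-man security
add authentication-types=wpa-psk disable-pmkid=yes encryption=aes-ccm name=\
    security_guest passphrase=password1
add authentication-types=wpa-psk disable-pmkid=yes encryption=aes-ccm name=\
    security_main passphrase=password1
/caps-man configuration
add channel=channel1 country="united states" datapath=datapath_guest mode=ap \
    name=cfg_guest security=security_guest ssid=AP_Guest
add channel=channel1 country="united states" datapath=datapath_main mode=ap \
    name=cfg_main security=security_main ssid=AP_Main
/caps-man provisioning
add action=create-enabled master-configuration=cfg_main radio-mac=\
    B8:69:F4:8A:C6:FB slave-configurations=cfg_guest
/ip address
add address=192.168.5.57/16 interface=ether1 network=192.168.0.0
add address=192.168.40.1/24 interface=bridge_guest network=192.168.40.0
add address=192.168.15.1/24 interface=bridge network=192.168.15.0
"""


def parse_export(text):
    """Parse /export output into (section, verb, {key: value}) tuples.

    A trailing backslash continues the command on the next indented line,
    and values containing spaces are double-quoted; both are handled here.
    """
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]           # continuation: keep collecting
            continue
        buf += line
        if buf.startswith("/"):
            section = buf              # e.g. "/ip address"
        else:
            tokens = shlex.split(buf)  # shlex strips the double quotes
            params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            entries.append((section, tokens[0], params))
        buf = ""
    return entries


def in_section(entries, section):
    return [p for s, _, p in entries if s == section]


def check_overlapping_subnets(entries):
    """Flag every pair of /ip address entries whose networks overlap."""
    nets = [(p["interface"], ipaddress.ip_interface(p["address"]).network)
            for p in in_section(entries, "/ip address")]
    return [f"{ia} {na} overlaps {ib} {nb}"
            for i, (ia, na) in enumerate(nets)
            for ib, nb in nets[i + 1:] if na.overlaps(nb)]


def check_local_forwarding(entries):
    """With local-forwarding=yes the CAP bridges traffic itself, so the bridge must exist on the CAP."""
    return [f"datapath {p['name']}: local-forwarding=yes, so bridge '{p['bridge']}' must exist on the CAP"
            for p in in_section(entries, "/caps-man datapath")
            if p.get("local-forwarding") == "yes" and p.get("bridge")]


def check_wpa2(entries):
    """Security profiles should offer wpa2-psk (add wpa-psk only for a legacy client)."""
    return [f"security {p['name']}: authentication-types={p.get('authentication-types', '')} lacks wpa2-psk"
            for p in in_section(entries, "/caps-man security")
            if "wpa2-psk" not in p.get("authentication-types", "").split(",")]


def check_slave_hw_settings(entries):
    """Slave (virtual AP) configurations inherit radio settings; flag a channel set on one."""
    slaves = {name for p in in_section(entries, "/caps-man provisioning")
              for name in p.get("slave-configurations", "").split(",") if name}
    return [f"slave configuration {p['name']} sets {k}={v}; it is taken from the master interface anyway"
            for p in in_section(entries, "/caps-man configuration")
            if p.get("name") in slaves
            for k, v in p.items() if k == "channel" or k.startswith("channel.")]


def audit(text):
    entries = parse_export(text)
    return {
        "overlap": check_overlapping_subnets(entries),
        "local_forwarding": check_local_forwarding(entries),
        "wpa2": check_wpa2(entries),
        "slave_hw": check_slave_hw_settings(entries),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_EXPORT).items():
        for finding in findings:
            print(f"[{check}] {finding}")
```

Running it on the sample reports two overlaps (both against ether1's /16), both datapaths, both security profiles, and cfg_guest's channel; after the fixes john4669 applied (a /24 on ether1 and local-forwarding=no) plus wpa2-psk in the profiles, the same script reports only the cfg_guest channel, which is the remaining simplification mkx suggests.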
