igpetkov
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Oct 09, 2014 10:27 pm

wapAC - CAPsMAN

Tue Nov 17, 2020 3:50 pm

Hi, All!
I'm using CAPsMAN to control APs through VLANs.
There are 4 VLANs - two of them are transmitting with caps and waps, the third VLAN is for video surveillance and the fourth is the Management VLAN.
The system consists of 107 cAPac and wAPac.
Everything works fine except one AP (wAPac). Periodically it disconnects and connects again.
removing stale connection [B8:69:F4:36:30:B3/69/68a6,Run,CAP-B869F43630B3] because of ident conflict with [B8:69:F4:36:30:B3/69/7d60,Join,CAP-B869F43630B3]
I read this post:
viewtopic.php?t=98753
and opened the ports.
This is my rule:

0 chain=input action=accept protocol=udp dst-port=5246,5247 log=no
log-prefix=""

It does not resolve my problem and the AP continues to disconnect/connect.
Does anyone have the same problem?
Is there some solution?
Thank You

P.S. I have two other systems with the same config and there is no problem.
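The log line quoted in this post names the same MAC and the same identity (CAP-B869F43630B3) on both sides; only the connection id differs (68a6 in state Run versus 7d60 in state Join), which is what "ident conflict" refers to: the CAP has started a new CAPsMAN session while the manager still held the old one. As an added example that is not part of the post, the Python below parses that message format and counts conflicts per CAP identity, so a flapping AP stands out in a log export among a hundred healthy ones. The sample log lines are constructed for the example: the first reuses the message quoted above behind a constructed timestamp/topic prefix, and the second identity (CAP-EXAMPLE02, MAC 02:00:00:00:00:02) is invented.

```python
"""Parse CAPsMAN 'ident conflict' log lines and count how often each CAP flaps."""
import re
from collections import Counter

# One bracketed peer descriptor as it appears in the message:
#   [MAC/version/connection-id,State,Identity]
# The {p} placeholder prefixes the group names so the same pattern can be
# used for the stale (old_) and the replacing (new_) side.
_PEER = (r"\[(?P<{p}mac>[0-9A-Fa-f:]{{17}})/(?P<{p}ver>\d+)/(?P<{p}conn>[0-9a-f]+),"
         r"(?P<{p}state>[A-Za-z]+),(?P<{p}ident>[^\]]+)\]")

CONFLICT_RE = re.compile(
    r"removing stale connection " + _PEER.format(p="old_")
    + r" because of ident conflict with " + _PEER.format(p="new_")
)

# Constructed sample log. Line 1 carries the exact message from the thread;
# the timestamp/topic prefix and every other line are made up for this example.
SAMPLE_LOG = [
    "nov/17 15:40:02 caps,info removing stale connection [B8:69:F4:36:30:B3/69/68a6,Run,CAP-B869F43630B3] because of ident conflict with [B8:69:F4:36:30:B3/69/7d60,Join,CAP-B869F43630B3]",
    "nov/17 15:52:17 caps,info removing stale connection [B8:69:F4:36:30:B3/69/7d60,Run,CAP-B869F43630B3] because of ident conflict with [B8:69:F4:36:30:B3/69/8a11,Join,CAP-B869F43630B3]",
    "nov/17 16:03:44 caps,info CAP [02:00:00:00:00:02/69/1c20,Join,CAP-EXAMPLE02] joined",
    "nov/17 16:05:09 caps,info removing stale connection [B8:69:F4:36:30:B3/69/8a11,Run,CAP-B869F43630B3] because of ident conflict with [B8:69:F4:36:30:B3/69/91f3,Join,CAP-B869F43630B3]",
    "nov/17 16:20:31 caps,info removing stale connection [02:00:00:00:00:02/69/1c20,Run,CAP-EXAMPLE02] because of ident conflict with [02:00:00:00:00:02/69/2d44,Join,CAP-EXAMPLE02]",
    "nov/17 16:41:58 caps,info removing stale connection [B8:69:F4:36:30:B3/69/91f3,Run,CAP-B869F43630B3] because of ident conflict with [B8:69:F4:36:30:B3/69/a0b7,Join,CAP-B869F43630B3]",
]


def parse_conflict(line):
    """Return the fields of an 'ident conflict' message, or None for any other line."""
    m = CONFLICT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "mac": d["old_mac"],
        "identity": d["old_ident"],
        "stale_conn": d["old_conn"],   # session the manager is discarding
        "new_conn": d["new_conn"],     # session the CAP just opened
        "stale_state": d["old_state"],
        "new_state": d["new_state"],
        # Same identity on both sides means one CAP re-joining, not two CAPs
        # sharing a name, which is the other way this message can arise.
        "same_identity": d["old_ident"] == d["new_ident"],
    }


def flapping_caps(lines, threshold=3):
    """Map CAP identity -> number of ident conflicts, keeping only CAPs at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_conflict(line)
        if rec is not None:
            counts[rec["identity"]] += 1
    return {ident: n for ident, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ident, n in sorted(flapping_caps(SAMPLE_LOG).items()):
        print(f"{ident}: {n} ident conflicts")
```

Feed it the output of `/log print` filtered to the caps topic (or a remote-syslog capture) and lower or raise the threshold to taste; one conflict per CAP after a reboot is normal, a steady stream from one identity is the pattern this thread is about.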
 
igpetkov
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Oct 09, 2014 10:27 pm

Re: wapAC - CAPsMAN

Tue Nov 17, 2020 3:54 pm

This is my all filter content:
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=udp dst-port=5246,5247 log=no
log-prefix=""

1 ;;; Allow Trusted Address List Connections:
chain=input action=accept src-address-list=Allow Input Connection log=no
log-prefix=""

2 ;;; Accept Related and Established Connections:
chain=input action=accept connection-state=established,related log=no
log-prefix=""

3 ;;; Reject All Untrusted Connections:
chain=input action=drop connection-state=invalid,new log=no log-prefix=""

4 ;;; Reject Connections From Guest to Staff:
chain=forward action=drop src-address=10.10.16.0/21
dst-address=10.10.10.0/24 log=no log-prefix=""

5 ;;; Reject Connections From Guest to CCTV:
chain=forward action=drop src-address=10.10.16.0/21
dst-address=10.10.30.0/24 log=no log-prefix=""

6 ;;; Reject Connections From Guest to Management:
chain=forward action=drop src-address=10.10.16.0/21
dst-address=10.10.222.0/23 log=no log-prefix=""

The Trusted Address List consists of the Management Network 10.10.222.0/23 and two other outside IPs.
 
anav
Forum Guru
Posts: 5759
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wapAC - CAPsMAN

Tue Nov 17, 2020 4:02 pm

/export hide-sensitive file=anynameyouwish

one for the main router
one for the capac
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
igpetkov
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Oct 09, 2014 10:27 pm

Re: wapAC - CAPsMAN

Tue Nov 17, 2020 4:27 pm

Thank you for the fast reply, Anav.
These are my configs:
Router:

# nov/17/2020 16:17:22 by RouterOS 6.47.7
# software id = HCJP-P7W1
#
# model = CCR1016-12S-1S+
# serial number = 9165095EF619
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=Ce name=\
channel
/interface bridge
add name=LAN
/interface ethernet
set [ find default-name=sfp2 ] disabled=yes
/interface vlan
add interface=LAN name=1.Staff_VLAN_10 vlan-id=10
add interface=LAN name=2.Guest_VLAN_16 vlan-id=16
add interface=LAN name=3.CCTV_VLAN_30 vlan-id=30
add interface=LAN name=4.Management_VLAN_222 vlan-id=222
/caps-man datapath
add bridge=LAN name=staff_datapath vlan-id=10 vlan-mode=use-tag
add bridge=LAN client-to-client-forwarding=no name=guest_datapath vlan-id=16 \
vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
group-encryption=aes-ccm group-key-update=1h name=staff_security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
group-encryption=aes-ccm group-key-update=1h name=guest_security
/caps-man configuration
add channel=channel datapath=staff_datapath mode=ap name=staff_conf_2.4GHz \
security=staff_security ssid=dere_Staff
add datapath=staff_datapath mode=ap name=staff_conf_5GHz security=\
staff_security ssid=dere_Staff_5GHz
add channel=channel datapath=guest_datapath mode=ap name=guest_conf_2,4GHz \
security=guest_security ssid=dere_Guest
add datapath=guest_datapath mode=ap name=guest_conf_5GHz security=\
guest_security ssid=dere_Guest_5GHz
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.10.101-10.10.10.200
add name=dhcp_pool1 ranges=10.10.16.2-10.10.23.254
add name=dhcp_pool2 ranges=10.10.30.241-10.10.30.250
add name=dhcp_pool3 ranges=10.10.223.151-10.10.223.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=1.Staff_VLAN_10 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=2.Guest_VLAN_16 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=3.CCTV_VLAN_30 name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=4.Management_VLAN_222 name=\
dhcp4
/ppp profile
add local-address=dhcp_pool3 name=VPN remote-address=dhcp_pool3
/queue type
add kind=pcq name=download pcq-classifier=dst-address pcq-dst-address6-mask=\
64 pcq-rate=8M pcq-src-address6-mask=64
add kind=pcq name=upload pcq-classifier=src-address pcq-dst-address6-mask=64 \
pcq-rate=5M pcq-src-address6-mask=64
/queue simple
add max-limit=90M/90M name=OneLimitToAllGuestClients queue=upload/download \
target=10.10.16.0/21
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=\
/firmware_cap_wap require-peer-certificate=yes upgrade-policy=\
suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=4.Management_VLAN_222
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=staff_conf_2.4GHz \
name-format=identity slave-configurations=guest_conf_2,4GHz
/interface bridge port
add bridge=LAN interface=sfp3
add bridge=LAN interface=sfp4
add interface=1.Staff_VLAN_10
add interface=2.Guest_VLAN_16
add bridge=LAN interface=sfp5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes use-ipsec=required
/ip address
add address=10.10.222.1/23 comment=Management_network: interface=\
4.Management_VLAN_222 network=10.10.222.0
add address=10.10.10.1/24 comment=Staff_network interface=1.Staff_VLAN_10 \
network=10.10.10.0
add address=10.10.30.1/24 comment=CCTV_Network: interface=3.CCTV_VLAN_30 \
network=10.10.30.0
add address=10.10.16.1/21 comment=Guest_network: interface=2.Guest_VLAN_16 \
network=10.10.16.0
add address=xx.xx.xx.xx/30 comment="WAN 2:" disabled=yes interface=sfp2 \
network=xx.xx.xx.xx
add address=xx.xx.xx.xx/30 comment="WAN 1:" interface=sfp1 network=\
xx.xx.xx.xx
/ip dhcp-server lease
add address=10.10.223.79 client-id=1:c4:ad:34:12:ad:28 mac-address=\
C4:AD:34:12:AD:28 server=dhcp4
add address=10.10.223.15 client-id=1:c4:ad:34:45:cf:dc mac-address=\
C4:AD:34:45:CF:DC server=dhcp4
add address=10.10.223.16 client-id=1:c4:ad:34:45:cf:fc mac-address=\
C4:AD:34:45:CF:FC server=dhcp4
add address=10.10.223.17 client-id=1:c4:ad:34:45:cf:70 mac-address=\
C4:AD:34:45:CF:70 server=dhcp4
add address=10.10.223.18 client-id=1:c4:ad:34:45:cf:b4 mac-address=\
C4:AD:34:45:CF:B4 server=dhcp4
add address=10.10.223.19 client-id=1:b8:69:f4:f4:ea:af mac-address=\
B8:69:F4:F4:EA:AF server=dhcp4
add address=10.10.223.20 client-id=1:b8:69:f4:f4:e9:68 mac-address=\
B8:69:F4:F4:E9:68 server=dhcp4
add address=10.10.223.21 client-id=1:b8:69:f4:f4:e9:77 mac-address=\
B8:69:F4:F4:E9:77 server=dhcp4
add address=10.10.223.22 client-id=1:b8:69:f4:f8:3c:66 mac-address=\
B8:69:F4:F8:3C:66 server=dhcp4
add address=10.10.223.31 client-id=1:c4:ad:34:45:d1:a0 mac-address=\
C4:AD:34:45:D1:A0 server=dhcp4
add address=10.10.223.23 client-id=1:b8:69:f4:f8:3d:89 mac-address=\
B8:69:F4:F8:3D:89 server=dhcp4
add address=10.10.223.24 client-id=1:b8:69:f4:f4:e9:89 mac-address=\
B8:69:F4:F4:E9:89 server=dhcp4
add address=10.10.223.26 client-id=1:c4:ad:34:45:d1:74 mac-address=\
C4:AD:34:45:D1:74 server=dhcp4
add address=10.10.223.27 client-id=1:c4:ad:34:45:cf:cc mac-address=\
C4:AD:34:45:CF:CC server=dhcp4
add address=10.10.223.28 client-id=1:c4:ad:34:45:cf:80 mac-address=\
C4:AD:34:45:CF:80 server=dhcp4
add address=10.10.223.29 client-id=1:c4:ad:34:43:d6:b2 mac-address=\
C4:AD:34:43:D6:B2 server=dhcp4
add address=10.10.223.30 client-id=1:c4:ad:34:45:d1:94 mac-address=\
C4:AD:34:45:D1:94 server=dhcp4
add address=10.10.223.63 client-id=1:c4:ad:34:42:9e:ab mac-address=\
C4:AD:34:42:9E:AB server=dhcp4
add address=10.10.223.64 client-id=1:c4:ad:34:45:d1:68 mac-address=\
C4:AD:34:45:D1:68 server=dhcp4
add address=10.10.223.65 client-id=1:c4:ad:34:45:d1:6c mac-address=\
C4:AD:34:45:D1:6C server=dhcp4
add address=10.10.223.66 client-id=1:c4:ad:34:45:d1:80 mac-address=\
C4:AD:34:45:D1:80 server=dhcp4
add address=10.10.223.67 client-id=1:c4:ad:34:45:d1:84 mac-address=\
C4:AD:34:45:D1:84 server=dhcp4
add address=10.10.223.75 client-id=1:c4:ad:34:45:d1:88 mac-address=\
C4:AD:34:45:D1:88 server=dhcp4
add address=10.10.223.76 client-id=1:c4:ad:34:c:ec:a1 mac-address=\
C4:AD:34:0C:EC:A1 server=dhcp4
add address=10.10.223.77 client-id=1:c4:ad:34:c:ec:dd mac-address=\
C4:AD:34:0C:EC:DD server=dhcp4
add address=10.10.223.78 client-id=1:c4:ad:34:45:d1:70 mac-address=\
C4:AD:34:45:D1:70 server=dhcp4
add address=10.10.223.87 client-id=1:c4:ad:34:12:ad:34 mac-address=\
C4:AD:34:12:AD:34 server=dhcp4
add address=10.10.223.88 client-id=1:c4:ad:34:c:ee:9d mac-address=\
C4:AD:34:0C:EE:9D server=dhcp4
add address=10.10.223.89 client-id=1:c4:ad:34:c:ee:a9 mac-address=\
C4:AD:34:0C:EE:A9 server=dhcp4
add address=10.10.223.90 client-id=1:c4:ad:34:12:ad:1c mac-address=\
C4:AD:34:12:AD:1C server=dhcp4
add address=10.10.223.91 client-id=1:c4:ad:34:12:ad:24 mac-address=\
C4:AD:34:12:AD:24 server=dhcp4
add address=10.10.223.99 client-id=1:c4:ad:34:c:ed:51 mac-address=\
C4:AD:34:0C:ED:51 server=dhcp4
add address=10.10.223.100 client-id=1:c4:ad:34:c:ec:95 mac-address=\
C4:AD:34:0C:EC:95 server=dhcp4
add address=10.10.223.101 client-id=1:c4:ad:34:c:ec:89 mac-address=\
C4:AD:34:0C:EC:89 server=dhcp4
add address=10.10.223.102 client-id=1:c4:ad:34:12:ad:2c mac-address=\
C4:AD:34:12:AD:2C server=dhcp4
add address=10.10.223.103 client-id=1:c4:ad:34:12:ad:40 mac-address=\
C4:AD:34:12:AD:40 server=dhcp4
add address=10.10.223.1 client-id=1:c4:ad:34:48:1c:90 mac-address=\
C4:AD:34:48:1C:90 server=dhcp4
add address=10.10.223.10 client-id=1:74:4d:28:1:b2:7d mac-address=\
74:4D:28:01:B2:7D server=dhcp4
add address=10.10.223.11 client-id=1:74:4d:28:1:fc:f0 mac-address=\
74:4D:28:01:FC:F0 server=dhcp4
add address=10.10.223.12 client-id=1:74:4d:28:1:cf:8e mac-address=\
74:4D:28:01:CF:8E server=dhcp4
add address=10.10.223.13 client-id=1:74:4d:28:1:d4:50 mac-address=\
74:4D:28:01:D4:50 server=dhcp4
add address=10.10.223.14 client-id=1:74:4d:28:1:e2:42 mac-address=\
74:4D:28:01:E2:42 server=dhcp4
add address=10.10.223.2 client-id=1:c4:ad:34:48:1c:8c mac-address=\
C4:AD:34:48:1C:8C server=dhcp4
add address=10.10.223.3 client-id=1:c4:ad:34:48:1c:a4 mac-address=\
C4:AD:34:48:1C:A4 server=dhcp4
add address=10.10.223.4 client-id=1:c4:ad:34:48:1c:c4 mac-address=\
C4:AD:34:48:1C:C4 server=dhcp4
add address=10.10.223.5 client-id=1:c4:ad:34:45:cf:c0 mac-address=\
C4:AD:34:45:CF:C0 server=dhcp4
add address=10.10.223.6 client-id=1:c4:ad:34:48:1b:5c mac-address=\
C4:AD:34:48:1B:5C server=dhcp4
add address=10.10.223.7 client-id=1:74:4d:28:2:b:be mac-address=\
74:4D:28:02:0B:BE server=dhcp4
add address=10.10.223.8 client-id=1:74:4d:28:2:b:cc mac-address=\
74:4D:28:02:0B:CC server=dhcp4
add address=10.10.223.9 client-id=1:74:4d:28:1:e0:18 mac-address=\
74:4D:28:01:E0:18 server=dhcp4
add address=10.10.223.32 client-id=1:b8:69:f4:36:30:dd mac-address=\
B8:69:F4:36:30:DD server=dhcp4
add address=10.10.223.41 client-id=1:c4:ad:34:45:d1:60 mac-address=\
C4:AD:34:45:D1:60 server=dhcp4
add address=10.10.223.42 client-id=1:c4:ad:34:45:d1:7c mac-address=\
C4:AD:34:45:D1:7C server=dhcp4
add address=10.10.223.43 client-id=1:c4:ad:34:43:d6:b6 mac-address=\
C4:AD:34:43:D6:B6 server=dhcp4
add address=10.10.223.33 client-id=1:b8:69:f4:f4:ea:a6 mac-address=\
B8:69:F4:F4:EA:A6 server=dhcp4
add address=10.10.223.34 client-id=1:b8:69:f4:36:2f:96 mac-address=\
B8:69:F4:36:2F:96 server=dhcp4
add address=10.10.223.35 client-id=1:c4:ad:34:39:dc:4a mac-address=\
C4:AD:34:39:DC:4A server=dhcp4
add address=10.10.223.36 client-id=1:c4:ad:34:48:1c:a0 mac-address=\
C4:AD:34:48:1C:A0 server=dhcp4
add address=10.10.223.37 client-id=1:c4:ad:34:45:cf:94 mac-address=\
C4:AD:34:45:CF:94 server=dhcp4
add address=10.10.223.38 client-id=1:c4:ad:34:45:cf:98 mac-address=\
C4:AD:34:45:CF:98 server=dhcp4
add address=10.10.223.39 client-id=1:c4:ad:34:45:cf:d0 mac-address=\
C4:AD:34:45:CF:D0 server=dhcp4
add address=10.10.223.40 client-id=1:c4:ad:34:45:cf:bc mac-address=\
C4:AD:34:45:CF:BC server=dhcp4
add address=10.10.223.150 client-id=1:d0:bf:9c:e0:a5:db mac-address=\
D0:BF:9C:E0:A5:DB server=dhcp4
add address=10.10.223.44 client-id=1:c4:ad:34:43:d6:8a mac-address=\
C4:AD:34:43:D6:8A server=dhcp4
add address=10.10.223.45 client-id=1:c4:ad:34:43:d6:ae mac-address=\
C4:AD:34:43:D6:AE server=dhcp4
add address=10.10.223.46 client-id=1:c4:ad:34:45:d1:90 mac-address=\
C4:AD:34:45:D1:90 server=dhcp4
add address=10.10.223.47 client-id=1:c4:ad:34:43:d6:86 mac-address=\
C4:AD:34:43:D6:86 server=dhcp4
add address=10.10.223.48 client-id=1:c4:ad:34:45:d0:c0 mac-address=\
C4:AD:34:45:D0:C0 server=dhcp4
add address=10.10.223.49 client-id=1:74:4d:28:2:2:ce mac-address=\
74:4D:28:02:02:CE server=dhcp4
add address=10.10.223.50 client-id=1:74:4d:28:1:cf:ab mac-address=\
74:4D:28:01:CF:AB server=dhcp4
add address=10.10.223.52 client-id=1:74:4d:28:1:d4:58 mac-address=\
74:4D:28:01:D4:58 server=dhcp4
add address=10.10.223.53 client-id=1:74:4d:28:1:b7:23 mac-address=\
74:4D:28:01:B7:23 server=dhcp4
add address=10.10.223.54 client-id=1:74:4d:28:1:d5:6c mac-address=\
74:4D:28:01:D5:6C server=dhcp4
add address=10.10.223.55 client-id=1:b8:69:f4:85:38:20 mac-address=\
B8:69:F4:85:38:20 server=dhcp4
add address=10.10.223.51 client-id=1:74:4d:28:1:d0:3c mac-address=\
74:4D:28:01:D0:3C server=dhcp4
add address=10.10.223.60 client-id=1:c4:ad:34:45:d0:9c mac-address=\
C4:AD:34:45:D0:9C server=dhcp4
add address=10.10.223.61 client-id=1:c4:ad:34:45:d0:e0 mac-address=\
C4:AD:34:45:D0:E0 server=dhcp4
add address=10.10.223.62 client-id=1:c4:ad:34:45:d0:f0 mac-address=\
C4:AD:34:45:D0:F0 server=dhcp4
add address=10.10.223.72 client-id=1:c4:ad:34:45:d1:34 mac-address=\
C4:AD:34:45:D1:34 server=dhcp4
add address=10.10.223.73 client-id=1:c4:ad:34:45:d0:e8 mac-address=\
C4:AD:34:45:D0:E8 server=dhcp4
add address=10.10.223.74 client-id=1:c4:ad:34:45:d0:dc mac-address=\
C4:AD:34:45:D0:DC server=dhcp4
add address=10.10.223.84 client-id=1:c4:ad:34:9e:9c:59 mac-address=\
C4:AD:34:9E:9C:59 server=dhcp4
add address=10.10.223.85 client-id=1:74:4d:28:1:e4:c2 mac-address=\
74:4D:28:01:E4:C2 server=dhcp4
add address=10.10.223.86 client-id=1:c4:ad:34:45:d0:ec mac-address=\
C4:AD:34:45:D0:EC server=dhcp4
add address=10.10.223.96 client-id=1:c4:ad:34:45:d1:18 mac-address=\
C4:AD:34:45:D1:18 server=dhcp4
add address=10.10.223.97 client-id=1:c4:ad:34:45:d0:e4 mac-address=\
C4:AD:34:45:D0:E4 server=dhcp4
add address=10.10.223.98 client-id=1:c4:ad:34:45:d0:fc mac-address=\
C4:AD:34:45:D0:FC server=dhcp4
add address=10.10.223.57 client-id=1:c4:ad:34:48:1c:b0 mac-address=\
C4:AD:34:48:1C:B0 server=dhcp4
add address=10.10.223.56 client-id=1:c4:ad:34:45:cf:e0 mac-address=\
C4:AD:34:45:CF:E0 server=dhcp4
add address=10.10.223.58 client-id=1:c4:ad:34:45:d1:3c mac-address=\
C4:AD:34:45:D1:3C server=dhcp4
add address=10.10.223.59 client-id=1:c4:ad:34:48:1c:88 mac-address=\
C4:AD:34:48:1C:88 server=dhcp4
add address=10.10.223.68 client-id=1:c4:ad:34:45:d0:84 mac-address=\
C4:AD:34:45:D0:84 server=dhcp4
add address=10.10.223.69 client-id=1:c4:ad:34:45:d0:b4 mac-address=\
C4:AD:34:45:D0:B4 server=dhcp4
add address=10.10.223.70 client-id=1:c4:ad:34:45:d1:0 mac-address=\
C4:AD:34:45:D1:00 server=dhcp4
add address=10.10.223.71 client-id=1:c4:ad:34:45:d1:14 mac-address=\
C4:AD:34:45:D1:14 server=dhcp4
add address=10.10.223.92 client-id=1:c4:ad:34:45:d1:c mac-address=\
C4:AD:34:45:D1:0C server=dhcp4
add address=10.10.223.93 client-id=1:c4:ad:34:48:41:f7 mac-address=\
C4:AD:34:48:41:F7 server=dhcp4
add address=10.10.223.94 client-id=1:c4:ad:34:45:d1:24 mac-address=\
C4:AD:34:45:D1:24 server=dhcp4
add address=10.10.223.95 client-id=1:c4:ad:34:45:d1:1c mac-address=\
C4:AD:34:45:D1:1C server=dhcp4
add address=10.10.223.82 client-id=1:c4:ad:34:45:d1:20 mac-address=\
C4:AD:34:45:D1:20 server=dhcp4
add address=10.10.223.81 client-id=1:74:4d:28:1:c3:55 mac-address=\
74:4D:28:01:C3:55 server=dhcp4
add address=10.10.223.83 client-id=1:74:4d:28:1:c7:4e mac-address=\
74:4D:28:01:C7:4E server=dhcp4
add address=10.10.223.80 client-id=1:74:4d:28:2:0:c6 mac-address=\
74:4D:28:02:00:C6 server=dhcp4
add address=10.10.223.25 client-id=1:74:4d:28:1:fa:da mac-address=\
74:4D:28:01:FA:DA server=dhcp4
add address=10.10.223.104 client-id=1:b8:69:f4:f8:3d:83 mac-address=\
B8:69:F4:F8:3D:83 server=dhcp4
add address=10.10.223.105 client-id=1:b8:69:f4:f8:3c:3f mac-address=\
B8:69:F4:F8:3C:3F server=dhcp4
add address=10.10.223.106 client-id=1:b8:69:f4:36:30:b3 mac-address=\
B8:69:F4:36:30:B3 server=dhcp4
add address=10.10.223.107 client-id=1:b8:69:f4:f8:3c:36 mac-address=\
B8:69:F4:F8:3C:36 server=dhcp4
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.16.0/21 gateway=10.10.16.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.222.0/23 gateway=10.10.222.1
/ip dns
set allow-remote-requests=yes servers=212.39.90.42,212.39.90.43,8.8.8.8
/ip firewall address-list
add address=10.10.222.0/23 list="Allow Input Connection"
add address=outside IP list="Allow Input Connection"
add address=outside IP list="Allow Input Connection"
add address=10.10.10.0/24 disabled=yes list="Allow Input Connection"
add address=outside IP list="Allow Input Connection"
/ip firewall filter
add action=accept chain=input dst-port=5246,5247 protocol=udp
add action=accept chain=input comment=\
"Allow Trusted Address List Connections:" src-address-list=\
"Allow Input Connection"
add action=accept chain=input comment=\
"Accept Related and Established Connections:" connection-state=\
established,related
add action=drop chain=input comment="Reject All Untrusted Connections:" \
connection-state=invalid,new
add action=drop chain=forward comment=\
"Reject Connections From Guest to Staff:" dst-address=10.10.10.0/24 \
src-address=10.10.16.0/21
add action=drop chain=forward comment=\
"Reject Connections From Guest to CCTV:" dst-address=10.10.30.0/24 \
src-address=10.10.16.0/21
add action=drop chain=forward comment=\
"Reject Connections From Guest to Management:" dst-address=10.10.222.0/23 \
src-address=10.10.16.0/21
/ip firewall nat
add action=masquerade chain=srcnat comment="Massquerade Management Network:" \
src-address=10.10.222.0/23
add action=masquerade chain=srcnat comment="Massquerade Staff Network:" \
src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="Massquerade Guest Network:" \
src-address=10.10.16.0/21
add action=masquerade chain=srcnat comment="Massquerade CCTV Network:" \
src-address=10.10.30.0/24
add action=dst-nat chain=dstnat comment="NVR 1:" dst-address=xx.xxx.xx.xx \
dst-port=50001-50006 protocol=tcp to-addresses=10.10.30.11
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=\
50001-50006 protocol=udp to-addresses=10.10.30.11
add action=dst-nat chain=dstnat comment="NVR 2:" dst-address=xx.xx.xx.xx \
dst-port=50011-50016 protocol=tcp to-addresses=10.10.30.12
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=\
50011-50016 protocol=udp to-addresses=10.10.30.12
add action=dst-nat chain=dstnat comment="NVR 3:" dst-address=xx.xx.xx.xx \
dst-port=50021-50026 protocol=tcp to-addresses=10.10.30.13
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=\
50021-50026 protocol=udp to-addresses=10.10.30.13
add action=dst-nat chain=dstnat comment="TV Station:" dst-address=\
xx.xx.xx.xx dst-port=50000 protocol=tcp to-addresses=10.10.10.250 \
to-ports=80
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=50000 \
protocol=udp to-addresses=10.10.10.250 to-ports=80
add action=dst-nat chain=dstnat comment=Clock: dst-address=xx.xx.xx.xx \
dst-port=3424,3050,3051 protocol=tcp to-addresses=10.10.10.10
add action=dst-nat chain=dstnat comment=RDP dst-address=xx.xx.xx.xx \
dst-port=57816 log=yes protocol=tcp to-addresses=10.10.10.10 to-ports=\
3390
add action=dst-nat chain=dstnat comment=Pojarna: dst-address=xx.xx.xx.xx \
dst-port=50555 protocol=tcp to-addresses=10.10.10.252 to-ports=80
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=50555 \
protocol=udp to-addresses=10.10.10.252 to-ports=80
add action=dst-nat chain=dstnat comment="SOT IP150 + Z1:" dst-address=\
xx.xx.xx.xx dst-port=10000 protocol=tcp to-addresses=10.10.10.253
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=10000 \
protocol=udp to-addresses=10.10.10.253
add action=dst-nat chain=dstnat comment="SOT IP150 + Z2:" dst-address=\
xx.xx.xx.xx dst-port=10001 protocol=tcp to-addresses=10.10.10.254
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=10001 \
protocol=udp to-addresses=10.10.10.254
add action=dst-nat chain=dstnat comment="RDP Ohraha PC:" dst-address=\
xx.xx.xx.xx dst-port=6587 protocol=tcp to-addresses=10.10.30.249 \
to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-address=xx.xx.xx.xx \
dst-port=6587 protocol=udp to-addresses=10.10.30.249 to-ports=3389
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=xx.xx.xx.xx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=23231
set api-ssl disabled=yes
/lcd
set enabled=no touch-screen=disabled
/ppp secret
add name=Ivan profile=VPN service=l2tp
/system clock
set time-zone-name=Europe/Sofia
/system identity
set name="H-l dere Router"
/system ntp client
set enabled=yes primary-ntp=79.98.105.18 secondary-ntp=89.163.224.15
/tool bandwidth-server
set authenticate=no enabled=no
/tool romon
set enabled=yes


Cap:

# jan/03/1970 18:43:13 by RouterOS 6.47.7
# software id = 7J19-9420
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = A6300949F677
/interface wireless
# managed by CAPsMAN
# channel: 2422/20-Ce/gn(28dBm), SSID: Belvedere_Staff, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless cap
#
set certificate=request discovery-interfaces=ether1 enabled=yes interfaces=\
wlan1
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input src-address=10.10.222.0/23
add action=drop chain=input
/system identity
set name="AP 17-P10"
/tool romon
set enabled=yes
 
anav
Forum Guru
Posts: 5759
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wapAC - CAPsMAN

Tue Nov 17, 2020 7:06 pm

I am a bit confused (at most times) but also by your setup regarding bridge ports..........

only etheports and wlans are identified as bridge ports

/interface bridge port
add bridge=LAN interface=sfp3
add bridge=LAN interface=sfp4
add interface=1.Staff_VLAN_10
add interface=2.Guest_VLAN_16

add bridge=LAN interface=sfp5

Also the two seemingly erroneous entries are missing the add bridge=LAN part........
Don't see vlan filtering turned on?
Don't see bridge vlan settings??
Are all your etherports trunk ports??
Why so little firewall rules, does this device face the internet (ie attached to an ISP modem)?
Why have separate masquerades for each network? It's normally required for each ISP connection if one wants to do it separately, vice in-interface-list=WAN.
Note: much easier to have a drop all else rule at end of forward chain and only state what traffic is allowed all else gets dropped.

Based on your dstnat rules assuming you have a static fixed WANIP address???

As for the capac, are they all configured like that (no bridge and with firewall filtering active)? What mode are they set to??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
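Two of the points in this reply are mechanical enough to check automatically: RouterOS walks a chain top-down and stops at the first match, so the CAPsMAN accept for UDP 5246/5247 only helps if it sits above any input-chain drop that would otherwise catch the CAP's packets, and a forward chain in the "state what is allowed, drop all else" style ends in a drop rule with no match criteria. As an added example that is neither the thread's nor MikroTik's code, the Python below reads the `/ip firewall filter` section of an `/export` (joining the backslash-continued lines the export produces) and reports both conditions. The first sample is the filter section exported earlier in this thread, verbatim; the allow-list variant is constructed for the example and assumes that sfp1 is the WAN uplink (the export puts the "WAN 1" address on sfp1) and that the CAPs sit in the management subnet, as their dhcp4 leases suggest.

```python
"""Lint a RouterOS export for rule ordering in the input chain and a
catch-all drop at the end of the forward chain."""
import shlex

# Filter section as exported from the router in this thread (verbatim).
ORIGINAL_EXPORT = """\
/ip firewall filter
add action=accept chain=input dst-port=5246,5247 protocol=udp
add action=accept chain=input comment=\\
    "Allow Trusted Address List Connections:" src-address-list=\\
    "Allow Input Connection"
add action=accept chain=input comment=\\
    "Accept Related and Established Connections:" connection-state=\\
    established,related
add action=drop chain=input comment="Reject All Untrusted Connections:" \\
    connection-state=invalid,new
add action=drop chain=forward comment=\\
    "Reject Connections From Guest to Staff:" dst-address=10.10.10.0/24 \\
    src-address=10.10.16.0/21
add action=drop chain=forward comment=\\
    "Reject Connections From Guest to CCTV:" dst-address=10.10.30.0/24 \\
    src-address=10.10.16.0/21
add action=drop chain=forward comment=\\
    "Reject Connections From Guest to Management:" dst-address=10.10.222.0/23 \\
    src-address=10.10.16.0/21
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.10.222.0/23
"""

# Allow-list variant in the spirit of the advice above. Constructed for this
# example: assumes sfp1 is the WAN uplink and CAPs live in 10.10.222.0/23.
# Guest-to-Staff/CCTV/Management needs no explicit drop because nothing accepts it.
HARDENED_EXPORT = """\
/ip firewall filter
add action=accept chain=input dst-port=5246,5247 protocol=udp src-address=10.10.222.0/23 comment="CAPsMAN control/data from CAPs"
add action=accept chain=input src-address-list="Allow Input Connection"
add action=accept chain=input connection-state=established,related
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat comment="published NVR/RDP port forwards"
add action=accept chain=forward out-interface=sfp1 comment="any LAN to internet"
add action=drop chain=forward comment="drop all else"
"""

# Keys that do not select traffic; anything else on a rule is a match criterion.
NON_MATCHERS = {"chain", "action", "comment", "log", "log-prefix", "disabled"}


def _join_continuations(text):
    """Rejoin lines the export split with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]      # keep any space before the backslash
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_export(text):
    """Return {section header: [rule dicts]} for every 'add' line in an export."""
    sections, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            rule = {}
            for tok in shlex.split(line)[1:]:        # shlex handles the quoted comments
                key, _, value = tok.partition("=")
                rule[key] = value
            sections[current].append(rule)
    return sections


def capwap_accepted_before_drop(rules):
    """True if an input accept for UDP 5246,5247 precedes the first input drop."""
    for r in rules:
        if r.get("chain") != "input" or r.get("disabled") == "yes":
            continue
        ports = set(r.get("dst-port", "").split(","))
        if r.get("action") == "accept" and r.get("protocol") == "udp" and {"5246", "5247"} <= ports:
            return True
        if r.get("action") == "drop":
            return False
    return False


def forward_ends_with_catch_all_drop(rules):
    """True if the last enabled forward rule is a drop with no match criteria."""
    fwd = [r for r in rules if r.get("chain") == "forward" and r.get("disabled") != "yes"]
    if not fwd:
        return False
    last = fwd[-1]
    return last.get("action") == "drop" and not (set(last) - NON_MATCHERS)


def lint(export_text):
    rules = parse_export(export_text).get("/ip firewall filter", [])
    return {
        "capwap_reachable": capwap_accepted_before_drop(rules),
        "forward_default_drop": forward_ends_with_catch_all_drop(rules),
    }


if __name__ == "__main__":
    print("thread export :", lint(ORIGINAL_EXPORT))
    print("allow-list    :", lint(HARDENED_EXPORT))
```

On the thread's export the first check passes (the CAPsMAN accept is rule 0) and the second fails, which matches the reply: the forward chain only blocks three named paths and permits everything else by default.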
 
igpetkov
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Oct 09, 2014 10:27 pm

Re: wapAC - CAPsMAN

Tue Nov 17, 2020 8:09 pm

Hi Anav!
VLAN 1 and 2 are in the bridge because before that I did not use VLANs in the CAPsMAN datapath. I fixed it and VLAN 1 and 2 were left in the bridge. I will remove them now.
Yes, I have a real WAN IP address. I removed my filter rules for the WAN port to test the problem with the APs.
I do not use VLAN filtering on the bridge because after the router I have 3 main switches which join the PoE switches for the wired network, AP network and cams network. These switches take care of VLAN filtering.

All my caps are configured with this:


/ip dhcp-client add disabled=no interface=ether1
/user add group=full name=xxxx pass=xxxxxxxxxxxxxxxxx
/user remove admin
/ip firewall filter
add action=accept chain=input src-address=10.10.222.0/23
add action=drop chain=input
/tool romon set enabled=yes
/interface wireless cap set certificate=request discovery-interfaces=ether1 enabled=yes interfaces=wlan1

and I have the problem only with the specific one (exported in file); all the others work fine.

I have set multiple masquerade rules to be able to reach the NVRs from anywhere on the external IP. Are multiple masquerade rules wrong?
 
igpetkov
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Oct 09, 2014 10:27 pm

Re: wapAC - CAPsMAN  [SOLVED]

Fri Nov 20, 2020 10:26 am

Hi, All!

I have not had the disconnect issue for two days. I reset all my caps and provisioned them again with the same script:

/ip dhcp-client add disabled=no interface=ether1
/user add group=full name=xxxx pass=xxxxxxxxxxxxxxxxx
/user remove admin
/ip firewall filter
add action=accept chain=input src-address=10.10.222.0/23
add action=drop chain=input
/tool romon set enabled=yes
/interface wireless cap set certificate=request discovery-interfaces=ether1 enabled=yes interfaces=wlan1

Thank you Anav for the help.

I will post if there are any changes in the caps' behaviour.
