Is CAPsMAN local forwarding conflicting with bridge VLAN filtering on cAP?
Posted: Wed Nov 18, 2020 2:56 pm
Hi all,
I am new to Mikrotik but am enjoying learning its capabilities. I am using CAPsMAN with local forwarding on a hAP ac2 to provision an access point (cAP ac) with multiple WiFi interfaces: 5ghz and 2ghz networks for my trusted VLAN, 5ghz and 2ghz for a guest network, and 2ghz only for IoT devices. I mostly followed this guide for the CAPsMAN setup: https://wiki.mikrotik.com/wiki/Manual:C ... rding_Mode
I do still want to be able to access the cAP through Winbox on my management VLAN, so when creating the bridge on the cAP according to the above linked guide I also added a VLAN interface to the cAP's bridge and assigned that VLAN interface an IP address in the same subnet as the management VLAN on my hAP ac2 which is serving as the CAPsMAN router. Then I enabled VLAN filtering on the cAP bridge.
Once I created the CAPsMAN configuration profiles and provisioning rules (following the formatting of the above guide) and enabled CAPsMAN on the router, I logged back into the cAP and noticed that all the dynamic wlan interfaces on the cAP had been created as tagged interfaces on their respective VLANs, but had also all been assigned PVIDs specific to their VLANs. Eth1 on the cAP (which is the trunk back to the router) had not been added to any VLANs. This all seemed in disagreement with my understanding of how Mikrotik handles VLAN traffic. I thought that for VLAN access ports, the proper configuration is to set the PVID equal to the VLAN ID and then to have the port as an untagged member of the VLAN. For trunk ports PVID should be left as "1" and then the port must be added as a tagged member of any VLAN that needs to pass traffic through the port. Applying these concepts to my cAP, I would have assumed that the CAPsMAN configuration would have placed eth1 on the cAP as a tagged member of all the VLANs, and that every wlan would have been un untagged port on its respective VLAN - since in my mind each wlan SSID is functioning as an access port. Every SSID is specific to one VLAN only.
So, what I did is modified the bridge VLAN table on the cAP and added eth1 as a tagged member of all the VLANs, so now it looks like this:
The dynamic "D" flags disappeared on the VLAN 10, 20, and 30 entries when I manually added ether1 to them.
At this point I went back to the CAPsMAN router and added firewall rules to segment the VLANs as suggested in this guide:
viewtopic.php?t=143620&sid=28242a73130c ... ecdb6d9473
Now I am testing before putting this router/AP setup into production and am noticing unexpected behavior. When I connect a laptop to any of the SSIDs on the cAP, I am able to successfully ping all the VLAN gateways and my phone that is connected to an SSID in a different VLAN. For example, I am able to ping my phone on the trusted VLAN from my laptop on the guest VLAN. My expectation was that with this setup none of those pings should be successful. Even when I disable the "allow ICMP" rule in the firewall, all pings are successful.
So ultimately my question is - by doing my manual fiddling with the cAP's bridge VLAN filtering outside of the CAPsMAN configuration, have I inadvertently provided a "back door" pathway for packets to bypass the firewall rules that are configured on the router?
Thank you all so much for reading.
Here are the compact exports from both devices and a summary of the ports on each device:
Router: hAP ac2
wireless: unused
eth1: wan (DCHP client to receive public IP from modem)
eth2: unused
eth3: access port for management VLAN (to connect a laptop to when I need to make configuration changes)
eth4: access port for trusted VLAN (connected to an unmanaged switch that all my wired devices connect to)
eth5: trunk port to cAP (tagged member of all VLANs)
Access Point: cAP ac
wireless: provisioned by CAPsMAN
eth1: trunk port to hAP ac2
eth2: unused
Router: hAP ac2
Access Point: cAP ac
I am new to Mikrotik but am enjoying learning its capabilities. I am using CAPsMAN with local forwarding on a hAP ac2 to provision an access point (cAP ac) with multiple WiFi interfaces: 5ghz and 2ghz networks for my trusted VLAN, 5ghz and 2ghz for a guest network, and 2ghz only for IoT devices. I mostly followed this guide for the CAPsMAN setup: https://wiki.mikrotik.com/wiki/Manual:C ... rding_Mode
I do still want to be able to access the cAP through Winbox on my management VLAN, so when creating the bridge on the cAP according to the above linked guide I also added a VLAN interface to the cAP's bridge and assigned that VLAN interface an IP address in the same subnet as the management VLAN on my hAP ac2 which is serving as the CAPsMAN router. Then I enabled VLAN filtering on the cAP bridge.
Once I created the CAPsMAN configuration profiles and provisioning rules (following the formatting of the above guide) and enabled CAPsMAN on the router, I logged back into the cAP and noticed that all the dynamic wlan interfaces on the cAP had been created as tagged interfaces on their respective VLANs, but had also all been assigned PVIDs specific to their VLANs. Eth1 on the cAP (which is the trunk back to the router) had not been added to any VLANs. This all seemed in disagreement with my understanding of how Mikrotik handles VLAN traffic. I thought that for VLAN access ports, the proper configuration is to set the PVID equal to the VLAN ID and then to have the port as an untagged member of the VLAN. For trunk ports PVID should be left as "1" and then the port must be added as a tagged member of any VLAN that needs to pass traffic through the port. Applying these concepts to my cAP, I would have assumed that the CAPsMAN configuration would have placed eth1 on the cAP as a tagged member of all the VLANs, and that every wlan would have been un untagged port on its respective VLAN - since in my mind each wlan SSID is functioning as an access port. Every SSID is specific to one VLAN only.
So, what I did is modified the bridge VLAN table on the cAP and added eth1 as a tagged member of all the VLANs, so now it looks like this:
Code: Select all
[Edwin@AccessPoint] /interface bridge vlan> print
Flags: X - disabled, D - dynamic
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 cAP 90 cAP
ether1
1 D cAP 1 cAP
ether1
2 cAP 10 ether1
wlan2
wlan1
3 cAP 20 ether1
wlan17
wlan18
4 cAP 30 ether1
wlan19
At this point I went back to the CAPsMAN router and added firewall rules to segment the VLANs as suggested in this guide:
viewtopic.php?t=143620&sid=28242a73130c ... ecdb6d9473
Now I am testing before putting this router/AP setup into production and am noticing unexpected behavior. When I connect a laptop to any of the SSIDs on the cAP, I am able to successfully ping all the VLAN gateways and my phone that is connected to an SSID in a different VLAN. For example, I am able to ping my phone on the trusted VLAN from my laptop on the guest VLAN. My expectation was that with this setup none of those pings should be successful. Even when I disable the "allow ICMP" rule in the firewall, all pings are successful.
So ultimately my question is - by doing my manual fiddling with the cAP's bridge VLAN filtering outside of the CAPsMAN configuration, have I inadvertently provided a "back door" pathway for packets to bypass the firewall rules that are configured on the router?
Thank you all so much for reading.
Here are the compact exports from both devices and a summary of the ports on each device:
Router: hAP ac2
wireless: unused
eth1: wan (DCHP client to receive public IP from modem)
eth2: unused
eth3: access port for management VLAN (to connect a laptop to when I need to make configuration changes)
eth4: access port for trusted VLAN (connected to an unmanaged switch that all my wired devices connect to)
eth5: trunk port to cAP (tagged member of all VLANs)
Access Point: cAP ac
wireless: provisioned by CAPsMAN
eth1: trunk port to hAP ac2
eth2: unused
Router: hAP ac2
Code: Select all
[Edwin@Router] > export compact hide-sensitive
# jan/05/1970 00:18:53 by RouterOS 6.46.8
# software id = 8GDU-NH1W
#
# model = RBD52G-5HacD2HnD
# serial number = CB390C9F6BA4
/caps-man configuration
add channel.band=2ghz-g/n datapath.client-to-client-forwarding=yes \
datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=\
use-tag name=Config_ASHWIN_2G security.authentication-types=wpa2-psk ssid=\
ASHWIN_2G
add channel.band=2ghz-g/n datapath.client-to-client-forwarding=no \
datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=\
use-tag name=Config_GUEST_2G security.authentication-types=wpa2-psk ssid=\
ASHWIN_Guest_2G
add channel.band=2ghz-g/n datapath.client-to-client-forwarding=no \
datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=\
use-tag name=Config_IoT security.authentication-types=wpa2-psk ssid=\
ASHWIN_IoT
add channel.band=5ghz-n/ac datapath.client-to-client-forwarding=yes \
datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=\
use-tag name=Config_ASHWIN_5G security.authentication-types=wpa2-psk ssid=\
ASHWIN_5G
add channel.band=5ghz-n/ac datapath.client-to-client-forwarding=no \
datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=\
use-tag name=Config_GUEST_5G security.authentication-types=wpa2-psk ssid=\
ASHWIN_Guest_5G
/interface bridge
add name=hAP vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=hAP name=Guest vlan-id=20
add interface=hAP name=IoT vlan-id=30
add interface=hAP name=MGMT vlan-id=90
add interface=hAP name=Trusted vlan-id=10
/interface list
add name=WAN
add name=LAN
add name=Manage
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=10.10.90.10-10.10.90.254
add name=dhcp_pool1 ranges=10.10.10.10-10.10.10.254
add name=dhcp_pool2 ranges=10.10.20.10-10.10.20.254
add name=dhcp_pool3 ranges=10.10.30.50-10.10.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=MGMT name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=Trusted name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=Guest name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=IoT name=dhcp4
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=hAP
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_ASHWIN_2G \
radio-mac=C4:AD:34:D0:A0:12 slave-configurations=Config_GUEST_2G,Config_IoT
add action=create-dynamic-enabled master-configuration=Config_ASHWIN_5G \
radio-mac=C4:AD:34:D0:A0:13 slave-configurations=Config_GUEST_5G
/interface bridge port
add bridge=hAP interface=ether2
add bridge=hAP frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=90
add bridge=hAP frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=hAP interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=Manage
/interface bridge vlan
add bridge=hAP comment=Management tagged=hAP,ether5 untagged=ether3 vlan-ids=90
add bridge=hAP comment=Trusted tagged=hAP,ether5 untagged=ether4 vlan-ids=10
add bridge=hAP comment=Guest tagged=hAP,ether5 vlan-ids=20
add bridge=hAP comment=IoT tagged=hAP,ether5 vlan-ids=30
/interface list member
add interface=ether1 list=WAN
add interface=Trusted list=LAN
add interface=Guest list=LAN
add interface=IoT list=LAN
add interface=MGMT list=Manage
/ip address
add address=10.10.90.1/24 interface=MGMT network=10.10.90.0
add address=10.10.10.1/24 interface=Trusted network=10.10.10.0
add address=10.10.20.1/24 interface=Guest network=10.10.20.0
add address=10.10.30.1/24 interface=IoT network=10.10.30.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.10.10.1
add address=10.10.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.10.30.1
add address=10.10.90.0/24 gateway=10.10.90.1
/ip firewall address-list
add address=10.10.10.0/24 comment=Trusted list="LAN IPs"
add address=10.10.20.0/24 comment=Guest list="LAN IPs"
add address=10.10.30.0/24 comment=IoT list="LAN IPs"
add address=10.10.90.0/24 comment=MGMT list="LAN IPs"
/ip firewall filter
add action=accept chain=input comment="accept established, related" \
connection-state=established,related
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="allow MGMT VLAN full access" \
in-interface=MGMT
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
"fasttrack established, related" connection-state=established,related
add action=accept chain=forward comment="accept established, related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN internet access only" \
connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment=\
"drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.10.90.0/24
set api disabled=yes
set winbox address=10.10.90.0/24
set api-ssl disabled=yes
/system identity
set name=Router
/tool mac-server
set allowed-interface-list=Manage
/tool mac-server mac-winbox
set allowed-interface-list=Manage
/tool mac-server ping
set enabled=no
Access Point: cAP ac
Code: Select all
[Edwin@AccessPoint] > export compact hide-sensitive
# jan/04/1970 21:27:11 by RouterOS 6.47.3
# software id = SLTG-ZWU9
#
# model = RBcAPGi-5acD2nD
# serial number = B9330BCDEA75
/interface bridge
add name=cAP vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(28dBm), SSID: ASHWIN_2G, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(28dBm), SSID: ASHWIN_5G, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add interface=cAP name=MGMT vlan-id=90
/interface list
add name=Manage
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=cAP interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=cAP tagged=cAP,ether1 vlan-ids=90
add bridge=cAP tagged=ether1 vlan-ids=10
add bridge=cAP tagged=ether1 vlan-ids=20
add bridge=cAP tagged=ether1 vlan-ids=30
/interface list member
add interface=MGMT list=Manage
/interface wireless cap
#
set bridge=cAP discovery-interfaces=cAP enabled=yes interfaces=wlan1,wlan2
/ip address
add address=10.10.90.2/24 interface=MGMT network=10.10.90.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.10.90.0/24
set api disabled=yes
set winbox address=10.10.90.0/24
set api-ssl disabled=yes
/system identity
set name=AccessPoint
/tool mac-server
set allowed-interface-list=Manage
/tool mac-server mac-winbox
set allowed-interface-list=Manage
/tool mac-server ping
set enabled=no