Note: at the moment I do not have the switch included I am only testing with a mikrotik router and access point. I am only showing this diagram as an example of the planned infrastructure, also the switch ports in the diagram are not necessarily correct i just drew some lines to indicate communication between devices.
I have configured an open wireless network, where guests are restricted from internet access initially behind a captive portal. I modified the mikrotik captive portal login.html file to redirect to the packetfence captive portal as outlined in the somewhat outdated packetfence mikrotik networking guide. I have CAPsMAN configured on the main router to manage the access points.
My problem is when my clients first connect they do not have an assigned VLAN tag. Once they complete authentication with the captive portal, Packetfence (RADIUS) replies with with Access Accept and
Mikrotik-Wireless-VlanID = <room_number>
Mikrotik-Wireless-VlanIDType = 0
In my CAPsMAN datapath configuration if I do:
Code: Select all
/caps-man datapath
add bridge=bridge1 name=datapath1 vlan-mode=use-tag
If I leave out my datapath vlan configuration eg:
Code: Select all
/caps-man datapath
add bridge=bridge1 name=datapath1
Code: Select all
(10.2.2.1) Returning ACCEPT with VLAN 906
Am I just going about this all wrong? It seems like I should have "use tag" enabled, but also have some sort of ACL that specifies the registration VLAN tag for unauthenticated users? Thank you for taking the time to read my post.
Here are my router config:
Code: Select all
# dec/14/2020 20:28:41 by RouterOS 6.47.4
# software id = EVXY-A9Y7
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A390AAB
/interface bridge
add mtu=1504 name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=bridge1 mtu=1504 name="ether1-vlan 100 MGMT" vlan-id=100
add interface=ether1 name="ether1-vlan 103" vlan-id=103
add interface=bridge1 name="ether1-vlan 150 Phones" vlan-id=150
add interface=bridge1 name="ether1-vlan 200 CAST" vlan-id=200
add interface=bridge1 name="ether1-vlan 801" vlan-id=801
add interface=bridge1 name="ether1-vlan 905" vlan-id=905
add interface=bridge1 name="ether1-vlan 906" vlan-id=906
add interface=bridge1 name="ether1-vlan 907" vlan-id=907
add interface=bridge1 name="ether1-vlan 908" vlan-id=908
add interface=ether1 mtu=1504 name=ether1-vlan102 vlan-id=102
add interface=ether9 name="vlan35 for Bell" vlan-id=35
/caps-man datapath
add bridge=bridge1 name=datapath1 vlan-id=102 vlan-mode=use-tag
/interface pppoe-client
add add-default-route=yes disabled=no interface="vlan35 for Bell" name="Bell Fibe" password=<redacted> use-peer-dns=yes user=<redacted>
/caps-man security
add authentication-types="" name=GuestsNetwork
/caps-man configuration
add channel.band=2ghz-g/n channel.control-channel-width=20mhz channel.extension-channel=disabled channel.reselect-interval=1h datapath=\
datapath1 multicast-helper=full name=GuestsNetwork2Ghz security=GuestsNetwork ssid=MikroTik
add channel.band=5ghz-n/ac channel.control-channel-width=20mhz channel.extension-channel=XX channel.reselect-interval=1d datapath=\
datapath1 multicast-helper=full name=GuestNetwork5Ghz security=GuestsNetwork ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=wifi.rookhotel.com hotspot-address=10.5.50.1 login-by=cookie,http-chap,https name=hsprof1 ssl-certificate=\
CAPsMAN-744D2819AD41 use-radius=yes
/ip pool
add name="906 pool" ranges=10.9.6.8-10.9.6.14
add name=dhcp_pool1 ranges=10.5.5.2-10.5.5.254
add name="cast pool" ranges=10.4.4.2-10.4.4.254
add name="907 pool" ranges=10.9.7.8-10.9.7.14
add name="MGMT pool" ranges=10.2.2.50-10.2.2.60
add name="908 Pool" ranges=10.9.8.8-10.9.8.14
add name="102 VLAN dhcp" ranges=192.168.102.2-192.168.102.254
add name="905 Pool" ranges=10.9.5.8-10.9.5.14
add name="801 Pool" ranges=10.8.1.8-10.8.1.14
add name=hs-pool-27 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool="906 pool" disabled=no interface="ether1-vlan 906" name="Room 906 DHCP"
add address-pool=dhcp_pool1 disabled=no interface="ether1-vlan 150 Phones" name=dhcp1
add address-pool="cast pool" disabled=no interface="ether1-vlan 200 CAST" name="cast dhcp"
add address-pool="907 pool" disabled=no interface="ether1-vlan 907" name="Room 907 DHCP"
add address-pool="MGMT pool" disabled=no interface="ether1-vlan 100 MGMT" name="MGMT DHCP"
add address-pool="908 Pool" disabled=no interface="ether1-vlan 908" name="Room 908 DHCP"
add address-pool="905 Pool" disabled=no interface="ether1-vlan 905" name="Room 905 DHCP"
add address-pool="801 Pool" interface="ether1-vlan 801" name="Room 801 DHCP"
add address-pool=hs-pool-27 disabled=no interface=bridge1 lease-time=1h name=dhcp2
/ip hotspot
add address-pool=hs-pool-27 disabled=no interface=bridge1 name=hotspot1 profile=hsprof1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=bridge1
/caps-man provisioning
add action=create-dynamic-enabled comment=GuestNetwork2Ghz hw-supported-modes=gn master-configuration=GuestsNetwork2Ghz
add action=create-dynamic-enabled comment=GuestNetwork5Ghz hw-supported-modes=ac master-configuration=GuestNetwork5Ghz
/interface bridge filter
add action=drop chain=forward in-bridge=bridge1 out-bridge=bridge1
/interface bridge port
add bridge=bridge1 ingress-filtering=yes interface="ether1-vlan 100 MGMT" pvid=100
add bridge=bridge1 interface=eoip-tunnel1
add bridge=bridge1 interface=ether1 pvid=100
add bridge=bridge1 interface="ether1-vlan 906"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=10.9.6.1/28 interface="ether1-vlan 906" network=10.9.6.0
add address=10.2.2.1/24 interface="ether1-vlan 100 MGMT" network=10.2.2.0
add address=10.9.7.1/27 interface="ether1-vlan 907" network=10.9.7.0
add address=10.5.5.1/24 interface="ether1-vlan 150 Phones" network=10.5.5.0
add address=10.4.4.1/24 interface="ether1-vlan 200 CAST" network=10.4.4.0
add address=10.9.8.1/28 interface="ether1-vlan 908" network=10.9.8.0
add address=10.9.5.1/28 interface="ether1-vlan 905" network=10.9.5.0
add address=10.8.1.1/28 interface="ether1-vlan 801" network=10.8.1.0
add address=10.5.50.1/24 comment="hotspot network" interface=bridge1 network=10.5.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-relay
add dhcp-server=10.2.2.254 disabled=no interface="ether1-vlan 100 MGMT" name=packetfence
/ip dhcp-server network
add address=10.2.2.0/24 gateway=10.2.2.1
add address=10.4.4.0/24 dns-server=8.8.8.8 gateway=10.4.4.1
add address=10.5.5.0/24 gateway=10.5.5.1
add address=10.5.50.0/24 comment="hotspot network" dns-server=8.8.8.8 gateway=10.5.50.1
add address=10.9.6.0/28 dns-server=8.8.8.8 gateway=10.9.6.1
add address=10.9.7.0/27 dns-server=8.8.8.8 gateway=10.9.7.1
add address=10.100.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.100.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.2.2.254 name=radius.<redacted>.com
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=input in-interface="ether1-vlan 200 CAST" protocol=igmp
add action=accept chain=forward dst-address=10.2.2.0/24 src-address=10.0.2.0/24
add action=drop chain=forward disabled=yes dst-address=!10.0.0.0/8 src-address=10.2.2.0/24
add action=accept chain=forward src-address=10.2.2.254
add action=accept chain=forward disabled=yes dst-address=10.2.2.1 src-address=10.2.2.60
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="NAT rule for 10.9.6.0/28" out-interface="Bell Fibe" src-address=10.9.6.0/28
add action=masquerade chain=srcnat comment="NAT rule for 10.9.7.0/27" out-interface="Bell Fibe" src-address=10.9.7.0/27
add action=masquerade chain=srcnat comment="NAT rule for Phones" out-interface="Bell Fibe" src-address=10.5.5.0/24
add action=masquerade chain=srcnat comment="NAT rule for MGMT network" out-interface="Bell Fibe" src-address=10.2.2.0/24
add action=masquerade chain=srcnat out-interface="Bell Fibe" src-address=10.4.4.0/24
add action=masquerade chain=srcnat comment="Test Rule" src-address=10.100.100.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
/ip hotspot user
add name=admin
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=10.2.2.254
add src-address=10.2.2.254
/ip hotspot walled-garden ip
add action=accept disabled=no dst-host=10.2.2.254
add action=accept disabled=no src-address=10.2.2.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/radius
add address=10.2.2.254 secret=<redacted> service=hotspot,wireless
/radius incoming
set accept=yes
/system clock
set time-zone-autodetect=no
/tool mac-server
set allowed-interface-list=none
here is my AP config:
Code: Select all
# dec/14/2020 15:39:29 by RouterOS 6.47.8
# software id = WFU3-28AH
#
# model = RBcAPGi-5acD2nD
# serial number = B8BF0ABC78AF
/interface bridge
add name=NewBridge
/interface wireless
# managed by CAPsMAN
# channel: 2422/20/gn(28dBm), SSID: MikroTik, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5660/20-Ce/ac/DP(24dBm), SSID: MikroTik, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=NewBridge interface=ether1 pvid=100
add bridge=NewBridge interface=wlan2
add bridge=NewBridge interface=wlan1
/interface wireless cap
#
set certificate=request discovery-interfaces=NewBridge enabled=yes interfaces=wlan2,wlan1
/ip dhcp-client
add disabled=no interface=NewBridge
/ip firewall filter
add action=accept chain=forward dst-address=10.2.2.0/24
add action=accept chain=forward src-address=10.2.2.0/24
/radius
add address=10.2.2.254 secret=<redacted> service=hotspot,wireless
/radius incoming
set accept=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name="Test CAP AC Mikrotik AP"