I have a setup where a routerboard acts as a CAPsMAN controller, does little else and has a bunch of APs connected to it in local forwarding mode.
Then the controller instructs the APs to assign tags according to the access list, to separate clients into their appropriate networks.
The AP configuration is as follows:
```
# Bridge with a fixed MAC address taken from ether1
/interface bridge
add name=bridge1
set admin-mac=[/interface get [find default-name="ether1"] mac-address ] auto-mac=no numbers=0
/interface bridge port
add bridge=bridge1 interface=ether1
# Management VLAN 100 on the bridge, addressed via DHCP
/interface vlan
add interface=bridge1 name=MANAGEMENT vlan-id=100
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=MANAGEMENT
# CAP mode: discover the controller over MANAGEMENT, bridge wlan1 locally into bridge1
/interface wireless cap
set discovery-interfaces=MANAGEMENT enabled=yes interfaces=wlan1 bridge=bridge1
```
In the controller configuration client-to-client-forwarding is enabled; however, it does not forward anything between clients in the same subnet.
Don't take my word for it, here's the controller configuration:
```
/caps-man configuration
add channel=bgn24-1 country=*** datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=yes name=conf security.authentication-types=\
    wpa2-psk security.passphrase=*** ssid=***
/caps-man provisioning
add radio-mac=00:00:00:00:00:00 action=create-dynamic-enabled \
    master-configuration=conf slave-configurations="" name-format=identity name-prefix=""
/caps-man access-list
# Reject clients whose signal is in the -120..-80 range
add signal-range=-120..-80 allow-signal-out-of-range=1s ssid-regexp="" action=reject
# Known client: tag into VLAN 101
add mac-address=D0:XX:XX:XX:XX:XX allow-signal-out-of-range=1s ssid-regexp="" action=accept \
    vlan-mode=use-tag vlan-id=101 comment="tere"
# Everyone else: tag into VLAN 10
add allow-signal-out-of-range=1s ssid-regexp="" action=accept vlan-mode=use-tag vlan-id=10 \
    comment="fallback"
/caps-man manager
set enabled=yes
```
Not a unique problem for CAPsMAN users by any means, going through posts on the Internet, and the decision to block traffic within the same broadcast domain by default I find... ideologically debatable. Nonetheless, the parameter that should be responsible for it is set in the configuration, but there's obviously some piece of the puzzle still missing.
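To see which VLAN tag the access list above hands to a given client, the following added example (not part of the original post) parses the posted access-list section and evaluates it for a client MAC and signal level. It assumes first-match rule processing, an inclusive signal range, that a redacted `XX` octet matches anything, and an untagged accept when no rule matches; the client MACs in it are constructed.

```python
import re
import shlex

# Access-list section as posted above (MAC redacted by the poster with XX),
# with a space before each line-continuation backslash.
EXPORT = r'''/caps-man access-list
add signal-range=-120..-80 allow-signal-out-of-range=1s ssid-regexp="" action=reject
add mac-address=D0:XX:XX:XX:XX:XX allow-signal-out-of-range=1s ssid-regexp="" action=accept \
    vlan-mode=use-tag vlan-id=101 comment="tere"
add allow-signal-out-of-range=1s ssid-regexp="" action=accept vlan-mode=use-tag vlan-id=10 \
    comment="fallback"
'''

def parse_rules(export):
    """Join backslash continuations, then turn each 'add' line into a dict."""
    joined = re.sub(r"\\\n[ \t]*", "", export)
    rules = []
    for line in joined.splitlines():
        if line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]))
            rules.append({k: v for k, v in pairs})
    return rules

def mac_matches(pattern, mac):
    """Octet-by-octet compare; a redacted 'XX' octet matches anything (assumption)."""
    return all(p in ("XX", m)
               for p, m in zip(pattern.upper().split(":"), mac.upper().split(":")))

def decide(rules, mac, signal_dbm):
    """First matching rule wins (assumption): returns (action, vlan-id or None, comment)."""
    for r in rules:
        if "mac-address" in r and not mac_matches(r["mac-address"], mac):
            continue
        if "signal-range" in r:
            lo, hi = (int(x) for x in r["signal-range"].split(".."))
            if not lo <= signal_dbm <= hi:
                continue
        vlan = int(r["vlan-id"]) if r.get("vlan-mode") == "use-tag" else None
        return r["action"], vlan, r.get("comment", "")
    return "accept", None, ""  # no rule matched: assumed untagged accept

if __name__ == "__main__":
    rules = parse_rules(EXPORT)
    # Constructed clients: (MAC, signal in dBm)
    for mac, sig in [("D0:11:22:33:44:55", -60), ("AA:BB:CC:00:00:01", -60),
                     ("D0:11:22:33:44:55", -85)]:
        print(mac, sig, decide(rules, mac, sig))
```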