dadda
just joined
Topic Author
Posts: 4
Joined: Wed May 22, 2019 7:20 pm
Location: Estonia

CAPsMAN unwanted interclient isolation

Fri Feb 26, 2021 1:17 pm

Hi!
I have a setup where a routerboard acts as a CAPsMAN controller, does little else and has a bunch of APs connected to it in local forwarding mode.
Then the controller instructs the APs to assign tags according to access list to separate clients to their appropriate network.

The AP configuration is as follows:
/interface bridge
add name=bridge1
set admin-mac=[/interface get [find default-name="ether1"] mac-address ] auto-mac=no numbers=0

/interface bridge port
add bridge=bridge1 interface=ether1

/interface vlan
add interface=bridge1 name=MANAGEMENT vlan-id=100

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=MANAGEMENT

/interface wireless cap
set discovery-interfaces=MANAGEMENT enabled=yes interfaces=wlan1 bridge=bridge1

In the controller configuration client-to-client-forwarding is enabled, however it does not forward anything between clients in the same subnet.
Don't take my word for it, here's the controller configuration:
/caps-man configuration
add channel=bgn24-1 country=*** datapath.client-to-client-forwarding=yes \
        datapath.local-forwarding=yes name=conf security.authentication-types=\
        wpa2-psk security.passphrase=*** ssid=***

/caps-man provisioning
add radio-mac=00:00:00:00:00:00 action=create-dynamic-enabled \
        master-configuration=conf slave-configurations="" name-format=identity name-prefix=""

/caps-man access-list
add signal-range=-120..-80 allow-signal-out-of-range=1s ssid-regexp="" action=reject
add mac-address=D0:XX:XX:XX:XX:XX allow-signal-out-of-range=1s ssid-regexp="" action=accept \
        vlan-mode=use-tag vlan-id=101 comment="tere"
add allow-signal-out-of-range=1s ssid-regexp="" action=accept vlan-mode=use-tag vlan-id=10 \
        comment="fallback"

/caps-man manager
set enabled=yes
Everything is running 6.48.1

Not a unique problem for CAPsMAN users by all means when going through posts on the Internet and the decision to block traffic within the same broadcast domain by default I find... ideologically debatable. Nonetheless, the parameter that should be responsible for it is set in the configuration, but there's obviously some piece of the puzzle missing still.
 
JohnTRIVOLTA
Member
Posts: 343
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: CAPsMAN unwanted interclient isolation

Fri Feb 26, 2021 2:32 pm

/caps-man configuration
add channel=bgn24-1 country=*** datapath.client-to-client-forwarding=no \
datapath.local-forwarding=no name=conf security.authentication-types=\
wpa2-psk security.passphrase=*** ssid=***
 
dadda
just joined
Topic Author
Posts: 4
Joined: Wed May 22, 2019 7:20 pm
Location: Estonia

Re: CAPsMAN unwanted interclient isolation

Fri Feb 26, 2021 2:40 pm

/caps-man configuration
add channel=bgn24-1 country=*** datapath.client-to-client-forwarding=no \
datapath.local-forwarding=no name=conf security.authentication-types=\
wpa2-psk security.passphrase=*** ssid=***
Now, this doesn't seem right at all - datapath.local-forwarding=no puts the AP in controller forwarding mode, which is certainly not something I'm after.
 
JohnTRIVOLTA
Member
Posts: 343
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: CAPsMAN unwanted interclient isolation

Fri Feb 26, 2021 3:18 pm

Maybe I did not understand what exactly you want!
 
dadda
just joined
Topic Author
Posts: 4
Joined: Wed May 22, 2019 7:20 pm
Location: Estonia

Re: CAPsMAN unwanted interclient isolation

Fri Feb 26, 2021 6:04 pm

My goal is to be able to send packets from one wireless client to the other (those that belong to the same VLAN, obviously) while maintaining the local forwarding mode.
Connections between a client that's behind a CAP and a host that is not, are working without issues. Traffic between two clients that are behind a CAP and in the same network is not going through, whilst I want it to do so. Traffic that comes from a client behind a CAP from network A, that is routed through a router and is then sent to a client behind a CAP (still attached to the same controller, just to clarify) in network B, is also working.
 
greebo
just joined
Posts: 10
Joined: Wed Jul 24, 2013 4:01 pm

Re: CAPsMAN unwanted interclient isolation

Tue May 18, 2021 10:44 am

My goal is to be able to send packets from one wireless client to the other (those that belong to the same VLAN, obviously) while maintaining the local forwarding mode.
Connections between a client that's behind a CAP and a host that is not, are working without issues. Traffic between two clients that are behind a CAP and in the same network is not going through, whilst I want it to do so. Traffic that comes from a client behind a CAP from network A, that is routed through a router and is then sent to a client behind a CAP (still attached to the same controller, just to clarify) in network B, is also working.
datapath - client-to-client forwarding?
Last edited by greebo on Tue May 18, 2021 10:45 am, edited 1 time in total.
 
justaperson
just joined
Posts: 1
Joined: Sat Jan 29, 2022 8:03 pm

Re: CAPsMAN unwanted interclient isolation

Sat Jan 29, 2022 8:13 pm

Reviving an old thread...

I was actually searching for a solution to a similar problem when I ran into this post.

I have currently an issue that looks the same - when vlan is assigned via access-list (...vlan-mode=use-tag vlan-id=10...) and if the clients are behind the same access point no local traffic is working. Have not yet tested it on the latest longterm (6.48.6), but on the previous version it wasn't working and there is nothing related in the changelog.

Using Wireshark I traced the cause to be that the packets are sent by the AP to the air with a 802.11q tag and the client just does not know what to do with tagged packets. When the data exits / enters the AP via wire then the VLAN tags are stripped/added as they should. And nothing I do in the config seems to change that behavior.

Is there a fix for this or...?
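
Added example (not part of any post in this thread, and not MikroTik code): a small Python audit of a `/caps-man` export that flags the combination reported above as failing, namely local forwarding with client-to-client forwarding enabled while access-list rules assign VLANs with `vlan-mode=use-tag`. The sample export is constructed, and the check assumes datapath settings are written inline on the configuration entry, as in the thread's export.

```python
import re
import shlex

# Constructed sample: a trimmed CAPsMAN export shaped like the one in this thread.
SAMPLE_EXPORT = r'''
/caps-man configuration
add channel=bgn24-1 datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=yes name=conf ssid=example
/caps-man access-list
add signal-range=-120..-80 ssid-regexp="" action=reject
add mac-address=D0:00:00:00:00:01 action=accept \
    vlan-mode=use-tag vlan-id=101 comment="tere"
add action=accept vlan-mode=use-tag vlan-id=10 comment="fallback"
'''

def parse_export(text):
    """Return [(menu, {param: value})] for every add/set line of an export."""
    # A trailing backslash continues the line; the next line's indent is dropped.
    text = re.sub(r"\\[ \t]*\n[ \t]*", "", text)
    menu, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")) and menu:
            words = shlex.split(line)[1:]
            params = dict(w.split("=", 1) for w in words if "=" in w)
            entries.append((menu, params))
    return entries

def isolation_findings(entries):
    """Flag access-list rules that tag clients while CAPs forward locally."""
    local = [p.get("name", "?") for m, p in entries
             if m == "/caps-man configuration"
             and p.get("datapath.local-forwarding") == "yes"
             and p.get("datapath.client-to-client-forwarding") == "yes"]
    tagged = [p for m, p in entries
              if m == "/caps-man access-list"
              and p.get("action") == "accept"
              and p.get("vlan-mode") == "use-tag"]
    return [f"config {c}: rule '{r.get('comment', '')}' tags clients into "
            f"VLAN {r.get('vlan-id')}; test same-AP client-to-client traffic"
            for c in local for r in tagged]

if __name__ == "__main__":
    for finding in isolation_findings(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

A finding here only marks a configuration matching what the posters describe; confirming the behaviour still requires a capture on a wireless client, as the last post did.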
