Lotar
just joined
Topic Author
Posts: 15
Joined: Fri Jun 15, 2012 2:10 pm

Caps-man with vlans and cAP with vlans on switch chip problem

Thu May 06, 2021 2:57 am

Hello,

I am currently trying to setup a small test network as follows:
1) Main router as internet gateway and caps manager with trunk port to the first cAP in the daisy chain (I know, not good practice to daisy chain network devices, but it's a lab)
2) cAP with vlan settings on switch chip, trunk port to main router and second trunk port (to another cAP further down the line), and Ethernet ports configured as access ports for wired devices.
All devices are running the latest stable with firmware updated as well.

All the wired ports are working as expected (the proper IPs are assigned via DHCP depending on which access port the devices are plugged into, wire-speed transfer with low CPU load on MIPS cAPs).

The problem is with the wireless connections. The cAPs are connecting to the manager and they get the config, they start the interfaces with proper SSIDs and proper security but there is no data passed. I can associate to an SSID but can't get even an IP assigned via dhcp. This behavior is on all cAPs interfaces, even the ones on the main router (I manage the main router wifi via capsman as well).

I am certain I am doing something wrong (in datapaths probably) and I am missing something obvious...

The configs for the main router and the first cAP:

# may/06/2021 02:33:23 by RouterOS 6.48.2
# software id = UG1E-6W58
#
# model = RBD52G-5HacD2HnD
# serial number = 
/caps-man channel
add band=2ghz-onlyn extension-channel=XX frequency=2412 name=channel1
/interface bridge
add admin-mac=74:4D:28:60:1E:7D auto-mac=no comment="main lan" name=bridge_vlan2
add comment="guest lan" name=bridge_vlan3
add comment="mgmt lan" name=bridge_vlan4
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=Trunk
set [ find default-name=ether3 ] comment="access port vlan 2"
set [ find default-name=ether4 ] comment="access port vlan 4"
set [ find default-name=ether5 ] comment="local mgmt"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-601E81 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-601E82 wireless-protocol=802.11
/interface vlan
add interface=ether2 name=vlan2-eth2 vlan-id=2
add interface=ether2 name=vlan3-eth2 vlan-id=3
add interface=ether2 name=vlan4-eth2 vlan-id=4
/caps-man datapath
add bridge=bridge_vlan2 local-forwarding=yes name=datapath2_vlan2 vlan-id=2 vlan-mode=use-tag
add bridge=bridge_vlan3 local-forwarding=yes name=datapath3_vlan3 vlan-id=3 vlan-mode=use-tag
add bridge=bridge_vlan4 local-forwarding=yes name=datapath4_vlan4 vlan-id=4 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=security2_vlan2 passphrase=1234567890
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=security3_vlan3 passphrase=1234567890
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=security4_vlan4 passphrase=1234567890
/caps-man configuration
add channel=channel1 country=romania datapath=datapath2_vlan2 name=cfg2_vlan2 security=security2_vlan2 ssid=mainlan_test
add channel=channel1 country=romania datapath=datapath3_vlan3 name=cfg3_vlan3 security=security3_vlan3 ssid=guestlan_test
add channel=channel1 country=romania datapath=datapath4_vlan4 name=cfg4_vlan4 security=security4_vlan4 ssid=mngmlan_test
/caps-man interface
add configuration=cfg2_vlan2 disabled=no mac-address=74:4D:28:60:1E:81 master-interface=none name=main_TEST-1 radio-mac=74:4D:28:60:1E:81 radio-name=744D28601E81
add configuration=cfg3_vlan3 disabled=no mac-address=76:4D:28:60:1E:81 master-interface=main_TEST-1 name=main_TEST-1-1 radio-mac=00:00:00:00:00:00 radio-name=764D28601E81
add configuration=cfg4_vlan4 disabled=no mac-address=76:4D:28:60:1E:82 master-interface=main_TEST-1 name=main_TEST-1-2 radio-mac=00:00:00:00:00:00 radio-name=764D28601E82
add configuration=cfg2_vlan2 disabled=no l2mtu=1600 mac-address=4C:5E:0C:A9:DE:FD master-interface=none name=middle_TEST-1 radio-mac=4C:5E:0C:A9:DE:FD radio-name=4C5E0CA9DEFD
add configuration=cfg3_vlan3 disabled=no l2mtu=1600 mac-address=4E:5E:0C:A9:DE:FD master-interface=middle_TEST-1 name=middle_TEST-1-1 radio-mac=00:00:00:00:00:00 radio-name=4E5E0CA9DEFD
add configuration=cfg4_vlan4 disabled=no l2mtu=1600 mac-address=4E:5E:0C:A9:DE:FE master-interface=middle_TEST-1 name=middle_TEST-1-2 radio-mac=00:00:00:00:00:00 radio-name=4E5E0CA9DEFE
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool4 ranges=192.168.3.20-192.168.3.200
add name=dhcp_pool5 ranges=192.168.4.20-192.168.4.200
add name=dhcp_pool6 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether5 name=defconf
add address-pool=dhcp_pool4 disabled=no interface=bridge_vlan3 name=dhcp2
add address-pool=dhcp_pool5 disabled=no interface=bridge_vlan4 name=dhcp3
add address-pool=dhcp_pool6 disabled=no interface=bridge_vlan2 name=dhcp1
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-enabled master-configuration=cfg2_vlan2 name-format=identity slave-configurations=cfg3_vlan3,cfg4_vlan4
/interface bridge port
add bridge=bridge_vlan2 interface=ether3
add bridge=bridge_vlan4 interface=ether4
add bridge=bridge_vlan2 interface=vlan2-eth2 multicast-router=disabled
add bridge=bridge_vlan3 interface=vlan3-eth2 multicast-router=disabled
add bridge=bridge_vlan4 interface=vlan4-eth2 multicast-router=disabled
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge_vlan2 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5 list=LAN
add interface=bridge_vlan3 list=LAN
add interface=bridge_vlan4 list=LAN
/interface wireless cap
set caps-man-addresses=127.0.0.1 interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether5 network=192.168.88.0
add address=192.168.2.1/24 interface=bridge_vlan2 network=192.168.2.0
add address=192.168.3.1/24 interface=bridge_vlan3 network=192.168.3.0
add address=192.168.4.1/24 interface=bridge_vlan4 network=192.168.4.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=main_TEST
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
And the cAP with switch chip vlans:
# may/06/2021 02:39:20 by RouterOS 6.48.2
# software id = YGDI-3KEV
#
# model = 951Ui-2HnD
# serial number = 
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment="trunk to main Caps-Man"
set [ find default-name=ether2 ] comment="trunk port to other cAPs"
set [ find default-name=ether3 ] comment="Access vlan 2"
set [ find default-name=ether4 ] comment="Access vlan 4"
set [ find default-name=ether5 ] comment="outside bridge "
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(17dBm), SSID: mainlan_test, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface vlan
add interface=bridge1 name=mgmt_int_vlan4 vlan-id=4
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 comment="trunk to main" interface=ether1 multicast-router=disabled
add bridge=bridge1 comment="trunk to cap" interface=ether2 multicast-router=disabled
add bridge=bridge1 interface=ether3 multicast-router=disabled pvid=2
add bridge=bridge1 interface=ether4 multicast-router=disabled pvid=3
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether2 untagged=ether3 vlan-ids=2
add bridge=bridge1 tagged=ether1,ether2 vlan-ids=3
add bridge=bridge1 tagged=ether1,ether2 untagged=ether4 vlan-ids=4
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,switch1-cpu switch=switch1 vlan-id=2
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=3
add ports=ether1,ether2,ether4,switch1-cpu switch=switch1 vlan-id=4
/interface wireless cap
# 
set discovery-interfaces=mgmt_int_vlan4 enabled=yes interfaces=wlan1
/ip address
add address=192.168.4.2/24 interface=mgmt_int_vlan4 network=192.168.4.0
/ip dns
set servers=192.168.4.1
/ip route
add distance=1 gateway=192.168.4.1
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=middle_TEST
I tried to change the paths every which way I could think of, but to no avail.
Any help is greatly appreciated!! (it kinda drives me nuts at this point... :) )
Thank you
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Caps-man with vlans and cAP with vlans on switch chip problem

Thu May 06, 2021 3:21 am

'Tis why I recommend capsman only be used when one can configure ROS, vlans, and wifi WITHOUT capsman first.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Caps-man with vlans and cAP with vlans on switch chip problem

Thu May 06, 2021 3:32 am

I am certain I am doing something wrong (in datapaths probably) and I am missing something obvious...
In "/interface wireless cap" on the two devices, you don't appear to have the "bridge" set. In the case of local-forwarding (which you are using), the bridge= setting in the datapath is ignored and can be left unset, and the bridge= setting on the individual CAPs in "/interface wireless cap" is used instead. You are setting the one in the datapath which does nothing, and are not setting the one in /interface wireless cap, which must be set in your case.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Caps-man with vlans and cAP with vlans on switch chip problem

Thu May 06, 2021 10:39 am

In addition to what @mducharme wrote ... get rid of any VLAN setting in /interface bridge and sub-tree. VLANs should only be configured in one place, either on bridge or on switch chip. Settings on bridge currently don't have any impact because you don't have vlan-filtering=yes set on bridge, but if you (accidentally) enable it, you'll have very undetermined behaviour.
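A quick way to catch both mistakes pointed out in the two replies above (mducharme's missing bridge= under /interface wireless cap when local forwarding is used, and mkx's VLAN settings living on both the bridge and the switch chip) is to lint the /export output. This is an added example, not code from the thread or from MikroTik: it parses the export format with shlex and embeds a constructed, abridged copy of the cAP export as sample input.

```python
import shlex
from collections import defaultdict

def parse_export(text):
    # Group a RouterOS "/export" into {section path: [{key: value}, ...]}; shlex keeps quoted values whole.
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # header and "# managed by CAPsMAN" lines
            continue
        if line.startswith("/"):               # e.g. "/interface bridge vlan"
            current = line
            continue
        kv = {}
        for tok in shlex.split(line):
            if "=" in tok:
                k, v = tok.split("=", 1)
                kv[k] = v
        sections[current].append(kv)
    return sections

def lint(text, local_forwarding=None):
    # Pass local_forwarding=True for a cAP export whose datapath lives on the manager.
    s = parse_export(text)
    findings = []
    if local_forwarding is None:               # otherwise infer it from this export
        local_forwarding = any(d.get("local-forwarding") == "yes" for d in s["/caps-man datapath"])
    cap = s["/interface wireless cap"]
    if local_forwarding and cap and not any("bridge" in c for c in cap):
        findings.append("local-forwarding=yes but /interface wireless cap sets no bridge=")
    bridge_vlans = s["/interface bridge vlan"]
    switch_vlans = s["/interface ethernet switch vlan"]
    if bridge_vlans and switch_vlans:
        findings.append("VLANs defined in both /interface bridge vlan and /interface ethernet switch vlan")
    filtering = any(b.get("vlan-filtering") == "yes" for b in s["/interface bridge"])
    if bridge_vlans and not filtering:
        findings.append("/interface bridge vlan entries exist but no bridge has vlan-filtering=yes")
    return findings

# Constructed sample: an abridged version of the cAP export posted in this thread.
CAP_EXPORT = """\
/interface bridge
add name=bridge1
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether2 untagged=ether3 vlan-ids=2
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,switch1-cpu switch=switch1 vlan-id=2
/interface wireless cap
set discovery-interfaces=mgmt_int_vlan4 enabled=yes interfaces=wlan1
"""
```

lint(CAP_EXPORT, local_forwarding=True) returns the three findings the replies describe; the manager export from the first post can be linted with the default, since its datapaths carry local-forwarding=yes.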
 
Lotar
just joined
Topic Author
Posts: 15
Joined: Fri Jun 15, 2012 2:10 pm

Re: Caps-man with vlans and cAP with vlans on switch chip problem

Thu May 06, 2021 12:01 pm

Thank you for your suggestions mducharme. Setting the bridge in the /interface wireless cap on every cAP did the trick. It worked instantly. (As I predicted, the problem was between the computer and the chair :) )

I confused the bridge setting in datapath used for capsman forwarding with the local bridge on the cAP itself needed for local forwarding. (Local forwarding being a requirement in this case)

@mkx I set an interface in /interface bridge on the cAPs in vlan4 to have an IP assigned there for management purposes, to be accessed on vlan4. For this lab, it was convenient to have an IP in vlan 4 on all equipment.

@anav I understand your recommendation. Previously, the setup was configured manually, end to end for every device, and worked as expected without capsman (software VLAN on all APs, manual wireless interfaces and sub-interfaces with their own SSIDs, security, and rates. The wireless interfaces tagged packets as expected and dumped them in their specific VLAN via the trunk port).

Using capsman was in itself the purpose of this lab (specifically allowing easy scalability and allowing the changing of rates, SSIDs, security settings etc. without connecting to every AP in the network).

Thank you all !!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Caps-man with vlans and cAP with vlans on switch chip problem

Thu May 06, 2021 12:51 pm

Good work Lotar, glad it worked out for you!!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Caps-man with vlans and cAP with vlans on switch chip problem

Fri May 07, 2021 12:37 pm

@mkx I set an interface in /interface bridge on the cAPs in vlan4 to have an ip assigned there for management purposes to be accessed on vlan4. For this lab, it was convenient to have an ip in vlan 4 on all equipment.

There are two (very distinct) places for VLAN to be configured:
  1. /interface bridge and subtree or /interface ethernet switch and subtree... where one configures L2 properties ... e.g. bridge (switch-like entity) ports, VLAN-related port properties (e.g. tagged, untagged, PVID, ...). Similarly for switch-chip setup.
    As I already wrote, these two strategies are actually mutually exclusive although ROS does not enforce that (but configuring things in both places may lead to erratic device behaviour). If one chooses the switch chip strategy, the bridge will function as a dumb switch, passing tagged frames back and forth between member ports (bridge is a port of self!) without any action related specifically to VLAN tags.
  2. /interface vlan where one configures router's window into L2 VLANs so that router can actually communicate with VLAN. And this part is exactly the same for both L2 strategies (bridge vs. switch chip), in both cases VLAN interfaces use bridge as underlying interface (also physical ports, not members of bridge, can be used as well).

VLAN items configured in bullet #1 above don't necessarily need corresponding items from bullet #2, but items in #2 need items #1. For VLANs where device (router) acts as a managed switch (and doesn't interact with traffic at all), only bullet #1 has to be done. In case when device is used as router obviously most (if not all) items from #1 need corresponding items from #2.
 
Lotar
just joined
Topic Author
Posts: 15
Joined: Fri Jun 15, 2012 2:10 pm

Re: Caps-man with vlans and cAP with vlans on switch chip problem

Mon May 10, 2021 3:57 pm

Thank you mkx,

I removed that interface.
Please tell me, on the cAPs, should I put the management IP on the bridge itself, activate VLAN filtering and set PVID to VLAN 4 (management VLAN)?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Caps-man with vlans and cAP with vlans on switch chip problem

Mon May 10, 2021 7:50 pm

Which interface did you remove, the mgmt_int_vlan4? Not sure what your current config is, but that interface should probably stay there. In case you configure VLAN stuff on the switch chip you should not enable vlan filtering on the bridge, and hence you can not set up a management IP address directly on the bridge with pvid set, because the pvid setting will be ignored.
