IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

CAPsMAN Help

Sun Jul 04, 2021 8:25 pm

Hopefully this can be a quick question. I'm having issues getting capsman working, specifically it doesn't appear the CAP can reach the CAPsMAN. I have CAPsMAN running on my RB4011 and am trying to get my wAP to connect with a CRS switch in between providing POE.

I can see what I believe is the discovery calls at the switch, port 5246 on broadcast. I cannot see that though on the router side. I've enabled logging on all deny firewall rules on the router side and see no traffic attempting that port; this leads me to think it's something in the switch preventing it.

All of the switches ports are currently configured for different VLANs, so I'm assuming it is something to do with that.

ether8 is to the wAP, admit-all was set as an attempt to get this working, previously it was admit tagged, assuming the wAP would be tagging as appropriate
# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
add bridge=BR1 tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=ether3,ether4,ether5,ether6,ether7 vlan-ids=20
add bridge=BR1 tagged=BR1,ether1,ether8 vlan-ids=30,40
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-all [find interface=ether8]

I'm happy to upload full config if necessary.
  • Are broadcasts not automatically forwarded? I did set the CAPsMAN IP in the AP, but that didn't seem to change anything
  • If the CAPs discovery packets aren't tagged, would they normally just be dropped?
  • Any additional debugging I can do to try and capture what's going on? I did temporarily set up a firewall rule on those ports to try and log the traffic, but that turned up nothing.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: CAPsMAN Help

Sun Jul 04, 2021 10:46 pm

CAP packets are encapsulated in ethernet frames and are treated by the switch the same way as IP packets (encapsulated in ethernet frames). For a CAP device to communicate with CAPsMAN in usual cases the connection has to be transparent, and playing with VLANs on all 3 devices doesn't help if you don't really know what you're doing. You may want to go through this tutorial about how to configure VLANs on Mikrotik gear.

What we would need to see what's in the way are full configs of all 3 devices (CAP device, switch, RB4011) and information about which ports are interconnected.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: CAPsMAN Help

Mon Jul 05, 2021 3:08 am

If you want a cap to find the capsman server it needs to be on the same l2 network (i.e. subnet/vlan). You can configure a cap with the IP address of the capsman server to bypass this requirement.

If setting the IP address on the cap doesn't work, then it could be many things. Like mkx said, post configs of all devices involved.
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: CAPsMAN Help

Mon Jul 05, 2021 3:28 pm

Allow all input to your router from the local subnet.

That usually lets caps connect.
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: CAPsMAN Help

Sat Jul 10, 2021 8:33 pm

Sorry took a bit to get back to this. I've attached the current configuration and done a little more exploring. Adding in the IP for the router does not work either, but I also tried to verify connection between the two by pinging the router from the wap and that does not work. Doing the same on the switch does.

Router (ether10) -> Switch (ether8) -> wap
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: CAPsMAN Help

Sun Jul 11, 2021 2:30 am

Does the 4011 have poe out on 10?

Connect the CAP there. Once you get that working... Put the switch back in.

My last Mikrotik Switch was seriously the last Mikrotik Switch I will buy. Over a year of firmware patches and it can't pass traffic for more than a couple of days.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: CAPsMAN Help

Sun Jul 11, 2021 3:21 am

Your switch config is wrong for your type of device. This looks like a crs3xx config.

Take a look at the following for your switch and get it configured correctly:

https://wiki.mikrotik.com/wiki/Manual:C ... s_examples
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: CAPsMAN Help

Sun Jul 11, 2021 5:01 pm

> Your switch config is wrong for your type of device. This looks like a crs3xx config.
>
> Take a look at the following for your switch and get it configured correctly:
>
> https://wiki.mikrotik.com/wiki/Manual:C ... s_examples

Biomesh, is there something specific you're seeing as incorrect? I appreciate the input/help just not sure what you're seeing.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: CAPsMAN Help

Mon Jul 12, 2021 12:13 am

You are using bridge vlan configuration instead of switch vlan configuration. Take a look at the link - you should really start your vlan config over from scratch as it is totally wrong for this device.
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: CAPsMAN Help

Mon Jul 12, 2021 7:33 pm

> You are using bridge vlan configuration instead of switch vlan configuration. Take a look at the link - you should really start your vlan config over from scratch as it is totally wrong for this device.

... bummer. I had gone through the setup here on the boards for everything originally here: viewtopic.php?f=13&t=175743

Looking at this guide, I am assuming I want one of the variations of Port Based VLAN configuration? Would the port that's going to the hAP just be treated as another Access Port? Seems unlikely to me, but I'm also not that knowledgeable.
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: CAPsMAN Help

Wed Jul 14, 2021 1:05 am

Okay, still stumped.

https://wiki.mikrotik.com/wiki/Manual:C ... s_ports.29

1) Under that section, specifically looking at ingress-vlan-translation. I'm assuming this is the configuration that I should be setting up. At least, I can see how it would pertain to ports 2-7 on the switch as they are all access ports for devices. Ether8 on the other hand is going to my wAP, I can't imagine I'd want to replace the vlan ids on traffic for that?

2) I am also assuming that this means I need to remove most of the bridge/port configuration I have on my switch as this appears to be a replacement.

3) Grasping here, but would ether8 be a hybrid port for my wAP?
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: CAPsMAN Help

Wed Jul 14, 2021 2:32 am

1) The ingress vlan translation is really for those ports that have untagged traffic. If your ap has tagged traffic for the capsman user traffic and for management, then it would not be required for that port. You would only need to say the egress vlan tags and the vlans on the switch.

For most use cases you will only replace vlan 0 with your desired pvid. Untagged traffic will hit the switch as vlan 0.

2) Honestly you might want to reset and start over with a clean config. A serial cable will help.

3) This depends on how your wap is configured. Looking at your export it looks like it would be hybrid. If you added a vlan interface to your wap config and assigned an address to the vlan interface, then it would be tagged traffic for management. You should also disable the DHCP client and the static IP on ether2 if you go this route.
 
IanM
just joined
Topic Author
Posts: 24
Joined: Sun May 23, 2021 6:27 pm

Re: CAPsMAN Help

Sun Jul 25, 2021 7:15 pm

Okay, got a little further.

After converting to the configuration in the link mentioned above it still wasn't working through the switch. However, it did work if I plugged directly into the RB4011. So, I swapped it all back to pass through the switch so I can use it for POE. A little futzing in the switch and I discovered that removing the following specifically just from ether8 gets me a little further:
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8
Previously I wasn't able to see any 5246/5247 traffic making it to the router; after disabling that rule for port 8 I can now see the traffic reaching the router. But it's not configuring itself. Where to now?
New switch config export below:
# jan/05/1970 17:36:13 by RouterOS 6.45.9
# software id = AYQX-FLR2
#
# model = CRS112-8P-4S
# serial number = D2600DCD5201
/interface bridge
add name=BR1 protocol-mode=none
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=\
    ether1,ether2,ether3,ether4,ether5,ether6,ether7
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
add bridge=BR1 interface=ether6
add bridge=BR1 interface=ether7
add bridge=BR1 interface=ether8
add bridge=BR1 interface=ether1
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=10
add tagged-ports=ether1 vlan-id=20
add tagged-ports=ether1 vlan-id=30
add tagged-ports=ether1 vlan-id=40
add tagged-ports=switch1-cpu,ether1 vlan-id=99
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=20 ports=ether4
add customer-vid=0 new-customer-vid=20 ports=ether5
add customer-vid=0 new-customer-vid=20 ports=ether6
add customer-vid=0 new-customer-vid=20 ports=ether7
/interface ethernet switch vlan
add ports=switch1-cpu,ether1 vlan-id=99
add ports=ether1,ether2 vlan-id=10
add ports=ether1,ether3,ether4,ether5,ether6,ether7 vlan-id=20
add ports=ether1,ether2,ether8 vlan-id=30
add ports=ether1,ether8 vlan-id=40
/ip address
add address=192.168.0.2/24 interface=BASE_VLAN network=192.168.0.0
/ip route
add distance=1 gateway=192.168.0.1
/system identity
set name=MikroTikSwitch
/tool sniffer
set filter-interface=ether8 filter-port=5246,5247
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CAPsMAN Help

Mon Jul 26, 2021 7:31 pm

https://www.youtube.com/watch?v=taQ70m0DVYA

If it's not covered here, then we need more videos!!!
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: CAPsMAN Help

Tue Jul 27, 2021 4:31 pm

If your cap config has not changed from before that is why the filtering is not working on port 8. The management traffic is set to vlan 0 by default. You can either change the cap config to use a VLAN interface or configure port 8 to have a /interface ethernet switch ingress-vlan-translation entry for vlan 30 or 40 (whichever is your management network). Once this is done, just re-enable the filtering on port 8.
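
Added example, not part of the thread and not MikroTik tooling: a small Python check over a CRS1xx export that applies the reasoning in the reply above, flagging ports left out of the `drop-if-invalid-or-src-port-not-member-of-vlan-on-ports` list and ports where filtering is on but no `customer-vid=0` translation exists. The sample export is abridged from the one posted earlier (ether4 to ether7 omitted), `parse` and `audit` are hypothetical helper names, and the rule that untagged frames arrive as VLAN 0 and are dropped when filtering is on is taken from the thread's own explanation.

```python
import re

FILTER_KEY = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"
SW = "/interface ethernet switch"

# Constructed sample: abridged from the switch export posted in the thread.
EXPORT = r"""
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=\
    ether1,ether2,ether3
/interface bridge port
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether8
add bridge=BR1 interface=ether1
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
"""

def parse(export):
    """Return {menu path: [ {key: value}, ... ]} for a RouterOS export."""
    text = re.sub(r"\\\n\s*", "", export)  # join '\' continuation lines
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line.startswith(("add ", "set ")):
            menus.setdefault(path, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def audit(export):
    """Return {port: finding} for every bridge port that needs a second look."""
    m = parse(export)
    ports = [e["interface"] for e in m.get("/interface bridge port", [])]
    filtered = {p for e in m.get(SW, []) for p in e.get(FILTER_KEY, "").split(",")}
    translated = {p for e in m.get(SW + " ingress-vlan-translation", [])
                  if e.get("customer-vid") == "0" for p in e["ports"].split(",")}
    findings = {}
    for p in sorted(ports):
        if p not in filtered:
            findings[p] = "filter off: frames accepted regardless of VLAN membership"
        elif p not in translated:
            findings[p] = "filter on, no vid 0 translation: untagged frames dropped"
    return findings

if __name__ == "__main__":
    for port, note in audit(EXPORT).items():
        print(port, "->", note)
```

On the sample, ether8 is reported as unfiltered and ether1 as tagged-only, which is the expected state for the trunk; ether8 drops out of the report once it has a `customer-vid=0` translation and is back in the filter list.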
