atomicduck
Member Candidate
Topic Author
Posts: 237
Joined: Fri Oct 02, 2020 1:42 pm

Optimal CAP configuration on CAP-only network

Tue Sep 28, 2021 4:57 pm

Hi guys, I have a practical Q regarding a large-ish CAP installation.

When I am putting up a CAPsMAN network, I usually configure CAP by CAP, firewall and everything that goes with that. However, that is really cumbersome for, say, fifty devices. So the question is: is there really a need for careful configuration of CAPs, the bridges in them, etc., if the traffic will be routed through the CAPsMAN? - I know CAPs have their CAP mode when they are starting up, but what good is it if I still have to set everything up manually.

Is there a way to automate the entire process to a point where it is easier to set up devices galore?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Optimal CAP configuration on CAP-only network

Sat Oct 02, 2021 6:47 pm

Is there a way to automate the entire process to a point where it is easier to set up devices galore?
Have you tried CAP mode?
 
atomicduck
Member Candidate
Topic Author
Posts: 237
Joined: Fri Oct 02, 2020 1:42 pm

Re: Optimal CAP configuration on CAP-only network

Sat Oct 02, 2021 8:19 pm

Is there a way to automate the entire process to a point where it is easier to set up devices galore?
Have you tried CAP mode?
Of course, but that is pretty rudimentary. I have some 50 APs here, and I am aware that I need to lock them up, but the Q is how much... It is a lot of work, so I have to think stuff over in advance.
For example - do I set a firewall? And if I set it, how much to lock stuff up? Same with services. - What is safe to leave, and what to kill? Etc...

Currently I have following workflow in mind:

1. Reset device to CAP mode
2. Log into device and set Identity manually (important for channel and power setting)
3. Plug some kind of config in through the terminal
4. Done, move on

As for services that I was thinking about leaving on, off:

1. Leave CAP settings, bridge, etc. default
2. Kill: telnet, ftp, www, www-ssl and api, and leave ssh and winbox
3. Kill bw server
4. Leave MAC winbox on (MAC winbox) - I know this might be stupid, but I am thinking of leaving it on because it saved my bacon many times (the idea of leaving on ssh and winbox is that if anyone is about to try and break a 128 char key, be my guest)
5. Allow login into router only from wired subnet
6. Create main admin user and backup admin user and pass and delete default admin / END OF SESSION, kicked off, move to another box

I would do the update to latest ROS over CAPsMAN, with auto upgrade turned on on the CAPs. (I would not set auto updating of the equipment, only over CAPsMAN.)
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Optimal CAP configuration on CAP-only network  [SOLVED]

Sat Oct 02, 2021 9:30 pm

You can automate the whole procedure by creating a script and importing it to every CAP after reset (change IP if set static, Identity etc...)...
No need to configure a firewall on an Access Point...
 
atomicduck
Member Candidate
Topic Author
Posts: 237
Joined: Fri Oct 02, 2020 1:42 pm

Re: Optimal CAP configuration on CAP-only network

Sat Oct 02, 2021 9:40 pm

You can automate the whole procedure by creating a script and importing it to every CAP after reset (change IP if set static, Identity etc...)...
No need to configure a firewall on an Access Point...
I am making a script right now :-)

Thanks for the FW tip.

As for the other services and such, how much should I tighten the security?
 
atomicduck
Member Candidate
Topic Author
Posts: 237
Joined: Fri Oct 02, 2020 1:42 pm

Re: Optimal CAP configuration on CAP-only network

Sun Oct 03, 2021 1:21 am

This is what I have as for now. Trying to keep everything simple and fast:

1. I set the CAP in CAP mode
2. I log in as default and feed this in:
# identity is set per device; CAPsMAN channel/power provisioning keys off it
/system identity
set name="CAP - NAME"

# wlan1 is handed to CAPsMAN, discovered over the wired bridge and locked to that manager
/interface wireless cap
set bridge=bridgeLocal certificate=request discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1 lock-to-caps-man=yes

# every management service except ssh and winbox goes off
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system note
set note="Access to this device is monitored."

# MAC-telnet server off on all interfaces
/tool mac-server
set allowed-interface-list=none

# named admins replace the default admin account
/user add name=NEWWADMIN group=full password=PASSWORD
/user add name=BACKUPADMIN group=full password=PASSWORD
/user remove admin
Would this be enough? - I secured the logins, deleted unneeded stuff, and set new proper admins and deleted default admin.

CAPSMAN and NTP server are provided via DHCP, so no need to define those explicitly?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Optimal CAP configuration on CAP-only network

Sun Oct 03, 2021 8:31 pm

Your config looks good to me...
As for the other services and such, how much should I tighten the security?
As much as you think you should, I can't tell how strict your security should be or not...

Do you use CAPsMAN (Manager) Forwarding or Local Forwarding?
 
atomicduck
Member Candidate
Topic Author
Posts: 237
Joined: Fri Oct 02, 2020 1:42 pm

Re: Optimal CAP configuration on CAP-only network

Sun Oct 03, 2021 9:39 pm

Your config looks good to me...
As for the other services and such, how much should I tighten the security?
As much as you think you should, I can't tell how strict your security should be or not...
I was preparing and testing these scripts for the whole day, thinking about this. One should be aware that there is no absolute security, and that some concessions have to be made to be able to operate with relative ease. The environment I am putting this into is a secure warehouse, and the devices will be behind a firewalled router on their own cabling. So... I will put there a big password and such, disable unencrypted stuff and enable strong crypto. Now, if someone is willing to hack a system that will be used to transport only a secure RDP connection, be my guest. :-?
Do you use CAPsMAN (Manager) Forwarding or Local Forwarding?
I intend to use CAPsMAN Forwarding, and I will have three SSIDs:

1. one for general use, exit to internet
2. one for "office" use, for the users to get addresses and other stuff from the parent network
3. one for warehouse use, with internet blocked and only one port allowed out (RDS)

Any suggestions on this?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Optimal CAP configuration on CAP-only network

Wed Oct 06, 2021 10:20 pm

Well you can use VLANs along with CapsMan if you want to create different networks and apply different "security policies" through the firewall for each one of them...

Also, in CapsMan forwarding, you don't need to add the bridge under /interface wireless cap ... That is used for Local Forwarding ...
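Pulling the thread together: the script atomicduck posted, plus the items from his earlier list that it left out (bandwidth server off, logins only from the wired subnet, MAC-winbox kept but limited to the wired side) and Zacharias' last point that CAPsMAN forwarding needs no bridge= on the CAP. This is an added example, not the poster's script; the management subnet 192.168.88.0/24, the interface list name "mgmt", the user names and the passwords are placeholders to be replaced before the file is imported.

```routeros
# Added example: one .rsc to /import into each CAP after resetting it to CAP mode.
# Only the identity line changes per device. Subnet, list name, users and
# passwords below are assumed placeholders.
:local capName "CAP-WAREHOUSE-01"
:local mgmtNet "192.168.88.0/24"

/system identity set name=$capName
/system note set note="Access to this device is monitored."

# CAPsMAN (manager) forwarding: no bridge= needed on the CAP side; discovery
# still runs over the wired bridgeLocal that CAP mode creates by default
/interface wireless cap set enabled=yes interfaces=wlan1 discovery-interfaces=bridgeLocal \
    certificate=request lock-to-caps-man=yes

# Management plane: only ssh and winbox stay up, and only from the wired subnet
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl
/ip service set ssh address=$mgmtNet
/ip service set winbox address=$mgmtNet
/ip ssh set strong-crypto=yes

# Layer-2 helpers: MAC-telnet off everywhere, MAC-winbox only on the wired side,
# bandwidth-test server off, neighbor discovery limited to the wired side
/interface list add name=mgmt
/interface list member add list=mgmt interface=bridgeLocal
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=mgmt
/tool mac-server ping set enabled=no
/tool bandwidth-server set enabled=no
/ip neighbor discovery-settings set discover-interface-list=mgmt

# Accounts: two named full-rights users replace the default admin
/user add name=NEWADMIN group=full password="CHANGE-ME-1"
/user add name=BACKUPADMIN group=full password="CHANGE-ME-2"
/user remove admin
```

Because winbox and ssh are IP-restricted while MAC-winbox stays reachable on bridgeLocal, a CAP that lost its DHCP lease can still be reached from the wired side, which was the point of keeping MAC-winbox on.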
