robtor
newbie
Topic Author
Posts: 45
Joined: Sat Dec 09, 2023 3:27 pm
Location: Germany, Hessen

CAPsMANv2 with wifi-qcom-ac and vlans

Sat Dec 16, 2023 5:39 pm

Before ROS v7.13 I used a setup with one CRS326-24G-2S+ as the CAPsMAN controller and several APs (cAP-AC) which were CAPs. I had configured the CAPsMAN with several datapaths using vlans and local-forwarding traffic to the CRS where I applied the firewall rules for the vlans. Here's a short overview of the datapath configuration on the CRS:
/caps-man datapath
add bridge=brLAN client-to-client-forwarding=yes comment="WIRELESS VLAN" local-forwarding=yes name=datapathWIRELESS \
    vlan-id=40 vlan-mode=use-tag
add arp=enabled bridge=brLAN client-to-client-forwarding=yes comment="SMARTHOME VLAN" local-forwarding=yes name=\
    datapathSMARTHOME vlan-id=41 vlan-mode=use-tag
add bridge=brLAN client-to-client-forwarding=yes comment="FON VLAN" local-forwarding=yes name=datapathFON vlan-id=42 \
    vlan-mode=use-tag
add bridge=brLAN client-to-client-forwarding=yes comment="GUEST VLAN" local-forwarding=yes name=datapathGUEST vlan-id=50 \
    vlan-mode=use-tag
The cAPs themselves were configured like this (vlan filtering on bridge disabled, cAPs were behind a trunk port that forwarded all the vlans 40,41,42,50 to the cAPs):
/interface wireless cap
  set bridge=bridge1 certificate=request discovery-interfaces=vlanMGM enabled=yes interfaces=wlan2,wlan1 lock-to-caps-man=yes
Everything worked like a charm. Today I tried to migrate to the new wifiwave2 implementation after upgrading to ROS v7.13.
On the cAPs I replaced the wireless package with the wifi-qcom-ac package. Unfortunately I later found out that the documentation states that vlan assignment is currently not possible with the ac drivers:

> 802.11ac chipsets do not support this type of VLAN tagging, but they can be configured as VLAN access ports in bridge settings.

As mentioned in this documentation entry, I enabled vlan filtering on the bridge on the cAP, assigned wifi1 the corresponding vlan access port and removed the vlan id in the datapath configuration on the CAPsMAN. This setup worked very well but only with one master configuration. After enabling some secondary slave configurations in the CAPsMAN, several slave wifi interfaces were created in dynamic mode on the cAP. I was unable to assign those dynamic interfaces a fixed vlan, because after a reprovision of the cAP their names changed (numbers were increased).


So my questions here:
  1. Will the vlan assignment for wifi interfaces in the wifi-qcom-ac be supported at some time?
  2. If not, is there any workaround in this scenario I can apply? The mentioned approach with the vlan filtering on the bridge only works for the master configuration. So unfortunately I can use only one wifi with one vlan.
Last edited by robtor on Sat Dec 16, 2023 8:20 pm, edited 1 time in total.
 
whatever
Member
Posts: 353
Joined: Thu Jun 21, 2018 9:29 pm

Re: CAPsMANv2 with wifi-qcom-ac and vlans  [SOLVED]

Sat Dec 16, 2023 5:46 pm

In CAP settings you can select that slaves are created as static interfaces:

> slaves-static ()
> Creates Static Virtual Interfaces, allows the possibility to assign IP configuration to those interfaces. MAC address is used to remember each static-interface when applying the configuration from the CAPsMAN.
 
robtor
newbie
Topic Author
Posts: 45
Joined: Sat Dec 09, 2023 3:27 pm
Location: Germany, Hessen

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Sat Dec 16, 2023 7:05 pm

Oh thank you man! I have completely overlooked this option! At least this is exactly what I need!

Then there's just my open question whether there will be support for vlans via datapath later? Can maybe someone from MikroTik staff answer this?
And what does the "slaves-datapath" option do exactly? In the online documentation I can't find anything about this.

The following configuration is working now on the cAP's:
----------------------------------
/interface wifi cap
set certificate=CAP-18FD74894484 discovery-interfaces=vlanMGM enabled=yes lock-to-caps-man=yes slaves-static=yes

# The wifi interfaces were renamed manually after creation by CAPsMAN to match their functionality
/interface bridge
add ingress-filtering=no name=brLAN port-cost-mode=short protocol-mode=none pvid=30 vlan-filtering=yes
/interface bridge port
add bridge=brLAN ingress-filtering=no interface=ether1 internal-path-cost=10 multicast-router=disabled path-cost=10 pvid=30
add bridge=brLAN frame-types=admit-only-untagged-and-priority-tagged interface=wifiWIRELESS pvid=40
add bridge=brLAN frame-types=admit-only-untagged-and-priority-tagged interface=wifiSMARTHOME pvid=41
add bridge=brLAN frame-types=admit-only-untagged-and-priority-tagged interface=wifiFON pvid=42
/interface bridge vlan
add bridge=brLAN tagged=brLAN,ether1 vlan-ids=20
add bridge=brLAN tagged=brLAN,ether1 vlan-ids=30
add bridge=brLAN tagged=brLAN,ether1 untagged=wifiWIRELESS vlan-ids=40
add bridge=brLAN tagged=brLAN,ether1 untagged=wifiSMARTHOME vlan-ids=41
add bridge=brLAN tagged=brLAN,ether1 untagged=wifiFON vlan-ids=42
And this is configured on the CRS:
/interface wifi datapath
add bridge=brLAN disabled=no name=datapathFON
add bridge=brLAN disabled=no name=datapathSMARTHOME
add bridge=brLAN disabled=no name=datapathWIRELESS
add disabled=no name=datapathGUEST
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=securityFON wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=securityWIRELESS wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name=securitySMARTHOME wps=disable
/interface wifi configuration
add antenna-gain=2 channel=channel1 datapath=datapathWIRELESS disabled=no mode=ap name=cfg2WIRELESS security=securityWIRELESS ssid=lan.robtor.de
add datapath=datapathSMARTHOME disabled=no name=cfg2SMARTHOME security=securitySMARTHOME ssid=smarthome.robtor.de
add datapath=datapathFON disabled=no name=cfg2FON security=securityFON ssid=fon.robtor.de

/interface wifi capsman
set ca-certificate=CAPsMAN-CA-48A98A7EAC7A certificate=CAPsMAN-48A98A7EAC7A enabled=yes interfaces=vlan-MANAGEMENT package-path=/firmware require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg2WIRELESS name-format=2G slave-configurations=cfg2SMARTHOME,cfg2FON supported-bands=2ghz-n
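
Added example (not part of the thread and not MikroTik tooling): a Python check over the text of a cAP `/export` that flags wifi bridge ports which are not clean VLAN access ports, the state a newly provisioned slave interface is in until its bridge port is configured by hand. The sample export is constructed, and `wifi5`, the `wifi` name prefix and the function names are assumptions.

```python
import re
import shlex

# Constructed sample in the style of the cAP export above (wifi5 is hypothetical).
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=brLAN ingress-filtering=no interface=ether1 pvid=30
add bridge=brLAN frame-types=admit-only-untagged-and-priority-tagged interface=wifiWIRELESS pvid=40
add bridge=brLAN frame-types=admit-only-untagged-and-priority-tagged interface=wifiFON pvid=42
add bridge=brLAN interface=wifi5
/interface bridge vlan
add bridge=brLAN tagged=brLAN,ether1 untagged=wifiWIRELESS vlan-ids=40
add bridge=brLAN tagged=brLAN,ether1 untagged=wifiFON vlan-ids=41
"""

def parse_export(text):
    """Return {menu: [{key: value}, ...]} for the 'add' lines of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash line continuations
    sections, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            row = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            sections.setdefault(menu, []).append(row)
    return sections

def audit_wifi_ports(text, prefix="wifi"):
    """Return (interface, problem) pairs for bridge ports named prefix*."""
    sections = parse_export(text)
    defined, untagged = set(), {}  # VLAN ids with a row; interface -> VLAN ids
    for row in sections.get("/interface bridge vlan", []):
        ids = set(row.get("vlan-ids", "").split(","))  # ranges (40-42) not expanded
        defined |= ids
        for ifname in filter(None, row.get("untagged", "").split(",")):
            untagged.setdefault(ifname, set()).update(ids)
    findings = []
    for port in sections.get("/interface bridge port", []):
        name, pvid = port.get("interface", ""), port.get("pvid", "1")  # default pvid is 1
        if not name.startswith(prefix):
            continue
        if pvid == "1":
            findings.append((name, "pvid is 1 (default): untagged traffic lands in VLAN 1"))
        elif pvid not in defined:
            findings.append((name, f"pvid {pvid} has no bridge vlan row"))
        for vid in sorted(untagged.get(name, set()) - {pvid}):
            findings.append((name, f"untagged in VLAN {vid} but pvid is {pvid}"))
        if port.get("frame-types") != "admit-only-untagged-and-priority-tagged":
            findings.append((name, "frame-types also admits tagged frames"))
    return findings
```

On the constructed sample, `audit_wifi_ports(SAMPLE_EXPORT)` reports `wifiFON` (pvid and untagged VLAN disagree) and `wifi5` (never configured), and skips `ether1` and `wifiWIRELESS`.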
 
shaker0000
just joined
Posts: 1
Joined: Wed Nov 08, 2023 9:16 am

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Fri Dec 29, 2023 2:03 am

The question above interests me too.
Is it possible to support VLAN in CAPsMAN, or will it stay as it is, so that it is necessary to manage the VLAN on the CAP manually?
 
seriquiti
just joined
Posts: 21
Joined: Wed May 11, 2022 12:55 pm

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Fri Dec 29, 2023 8:47 am

Manually creating static VLAN config in a centrally managed system feels dumb and wastes time.

Hope this gets fixed.
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Fri Dec 29, 2023 8:57 am

> Manually creating static VLAN config in a centrally managed system feels dumb and wastes time.

I partially agree but NOT providing qcom-ac package and throwing away a still perfectly usable device is a lot more stupid, a waste of time and resources.
And let's be honest, on all those centrally managed systems, how often does config get changed?

Not a lot for 99% of them. Pretty static.
So do the effort once and enjoy wave2. Or wait. Or replace all your gear to AX.
Your choice.

> Hope this gets fixed.

Give it some time. It may happen.
At the start with wifiwave2 on AX devices use of VLAN was not that easy either.
It got fixed eventually.
 
robtor
newbie
Topic Author
Posts: 45
Joined: Sat Dec 09, 2023 3:27 pm
Location: Germany, Hessen

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Fri Dec 29, 2023 12:09 pm

I totally agree on

> I partially agree but NOT providing qcom-ac package and throwing away a still perfectly usable device is a lot more stupid, a waste of time and resources.

because I was really glad to have 802.11r and WPA3 encryption on my cAP-ACs. I've been waiting so long to have the wave2 drivers integrated in the stable releases. For my part it's totally okay to have to configure it manually on the devices, but I still hope the MikroTik developers get this functionality done.

I've read an interesting post about the development of the wave2 drivers: viewtopic.php?t=178111#p996958
This made me look at this topic in a different way! :)
 
DanielJB
Frequent Visitor
Posts: 82
Joined: Mon May 27, 2013 3:05 pm

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Sat Dec 30, 2023 11:32 am

Firstly, hats off to MikroTik for allowing the use of the Qualcomm 802.11ac ath10k WiFi driver (wifi-qcom-ac); it has a lot of latency and fairness benefits on top of Wave 2 support. I have been hoping for this for a long time :). This kind of user support and freedom is what makes MikroTik special!

> 1. Will the vlan assignment for wifi interfaces in the wifi-qcom-ac be supported at some time?

+1. The real icing on the cake would be wifi-qcom-ac VLAN ID support from the new CAPsMAN; it would be great if MikroTik could chime in if it cannot happen due to hardware limitations, or if it is on the radar...
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Sat Dec 30, 2023 11:37 am

I'm sure it's a SW limitation since the chipset can be used in a VLAN setup, only it has to be done manually for now.
Give it some time.
 
robtor
newbie
Topic Author
Posts: 45
Joined: Sat Dec 09, 2023 3:27 pm
Location: Germany, Hessen

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Sat Dec 30, 2023 11:52 am

I also suggest this is a SW limitation. If it worked with the old customized driver, we might only give the developers enough time to implement the support for the new wave2 driver.
 
DanielJB
Frequent Visitor
Posts: 82
Joined: Mon May 27, 2013 3:05 pm

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Sat Dec 30, 2023 12:25 pm

> I'm sure it's a SW limitation since the chipset can be used in a VLAN setup, only it has to be done manually for now.
> Give it some time.

Yes, I believe the same, however let's invite MikroTik to comment.
 
robtor
newbie
Topic Author
Posts: 45
Joined: Sat Dec 09, 2023 3:27 pm
Location: Germany, Hessen

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Wed Jan 31, 2024 2:11 pm

Still no one with any idea what the slaves-datapath option is good for?
 
whatever
Member
Posts: 353
Joined: Thu Jun 21, 2018 9:29 pm

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Wed Jan 31, 2024 3:45 pm

Slaves-datapath is necessary if you want your slave interfaces automatically attached to a different bridge than the master interface. If it's unset, slaves will inherit datapath bridge from the master interface.
 
robtor
newbie
Topic Author
Posts: 45
Joined: Sat Dec 09, 2023 3:27 pm
Location: Germany, Hessen

Re: CAPsMANv2 with wifi-qcom-ac and vlans

Sat Feb 03, 2024 2:03 pm

Ahh thank you. Hope MT will add this into their documentation.
