Hi! Just replaced my old AP by a CAPax and it ran for a few months flawlessly, until I tried an update to 7.13. The wifi had issues with some devices (mainly some cheap Windows laptops with some RTL wifi chipsets) so I decided to roll back to 7.12.1, as this is a mission critical network beeing in the state of change freeze (used for sending Christmas wishes by my wife, and I dared to touch it shortly before Christmas) . The downgrade went very badly, I have managed to loose most of my config. Of course I have no backup of the config. The network looks like this (some MT switches omitted, but they are working well since years):
I am managing the network from the "Management Station" (my PC), from VLAN1. My RB5009 connects to the internet and routes between VLANS (nothing changed here, it was working well).
On the CAPax there are the following VLANs.
VL9 for management with the management interface 10.1.9.21
VL3 for privileged access 10.1.3.x, SSID "kk"
VL6 for guest access 10.1.6.x, SSID "kk-guest"
VL5 also for guest access, currently unused
WIFI clients can connect, but have no network acces.
If I disable the 5GHz WIFI interfaces, then I can ping management interface on the CAPac 10.1.9.21 from my PC!
Now as soon as I enable the 5G Interfaces, pings are lost.
I can always access my CAPac via RoMON from the RB5009.
The Interfaces:
Bridge Ports:
Bridge VLANS:
My Config:
I have tried some things, like changing the MAC on the 5G interfaces, but it did not help.
I'm not sure: is it some VLAN basics problem, which I can´t see any more, because I have gone over the config many many times?
Is this a bug? Maybe I just don´t understand how wifiwave2 works?
I would very much appreciate some help!
Thanks and a happy new year to everyone!
Peter
CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
You do not have the required permissions to view the files attached to this post.
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
Since you have an explicit forward accept rule for list "lfwd" followed by drop on forward, possibly this part ? The missing interfaces ?
Code: Select all
/interface list member
add interface=e2 list=lmgt
add interface=vl9 list=lmgt
--> add interface=*5 list=lfwd
add interface=ap1-kk2g_kk list=lfwd
--> add interface=*4 list=lfwd
add interface=ap1-kk2g_kk-guest list=lfwd
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
*cough*this is a mission critical network
[...]
Of course I have no backup of the config.
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
Unfortunately you are right, Sir!*cough*this is a mission critical network
[...]
Of course I have no backup of the config.
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
Thanks, Holvoetn! I don´t think it's relevant, as that list is just used in the IP firewall. The packets are not routed, but only bridged to their VLANs?Since you have an explicit forward accept rule for list "lfwd" followed by drop on forward, possibly this part ? The missing interfaces ?
Still I of course tried it:
Code: Select all
/interface list member
add interface=e2 list=lmgt
add interface=vl9 list=lmgt
add interface=ap1-kk2g_kk list=lfwd
add interface=ap1-kk2g_kk-guest list=lfwd
add interface=ap1-kk5g_kk list=lfwd
add interface=ap1-kk5g_kk-guest list=lfwd
add interface=br0 list=lfwd
add interface=e1 list=lfwd
add interface=vl9 list=lfwd
Should I open a ticket with MT, does it look like a bug to you?
I have found so many posts regarding issues with wifiwave2, but none about this particular issue...
Peter
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
It was the first obvious problem I saw.
On those interfaces you mention, there seems to be a duplicate MAC address ?
Does it work if you only enable the master interface ?
If you add 1 to MAC address on slave interface (4A:A9:8A:BA:1F:FD), does it work then ?
Assuming that address is not already used in your network ...
On those interfaces you mention, there seems to be a duplicate MAC address ?
You should see something about that in log, I would think ?set [ find default-name=wifi1 ] channel=5gax configuration=kk-5g \
configuration.mode=ap datapath=dp-vl3 mac-address=48:A9:8A:BA:1F:FC name=\
ap1-kk5g_kk security=kk
add configuration=kk-guest-5g configuration.mode=ap datapath=dp-vl6 \
mac-address=4A:A9:8A:BA:1F:FC master-interface=ap1-kk5g_kk name=\
ap1-kk5g_kk-guest security=kk-guest
Does it work if you only enable the master interface ?
If you add 1 to MAC address on slave interface (4A:A9:8A:BA:1F:FD), does it work then ?
Assuming that address is not already used in your network ...
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
Thanks @holvoetn!
I have set the unique MACs now, also changed the admin MAC of the bridge:
The behavior is still the same. As soon as I enable ap1-kk5g_kk-guest or ap1-kk5g_kk, there are no answers to the pings.
I believe, that the same MAC for the bridge br0 itself and for the vl9, which is a vlan subif attached to br0 is OK.
At least I have the same on the RB5009, the bridge and all the vlan interfaces have there the same MAC.
Ad Logs:
I have filtered the logs for the word "duplicate" but I have have found none. Also I have looked at the logs, and I don´t see anything suspicious.
I have set besides the default logs, some debug:
I have set the unique MACs now, also changed the admin MAC of the bridge:
Code: Select all
[admin@kk-ap1] /interface> print brief
Flags: R - RUNNING; S - SLAVE
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 RS e1 ether 1500 1568 9214 48:A9:8A:BA:1F:9A
1 e2 ether 1500 1568 9214 48:A9:8A:BA:1F:9B
2 S ap1-kk2g_kk wifi 1500 1560 1560 48:A9:8A:BA:1F:9D
3 ap1-kk2g_kk-guest wifi 1560 1560 48:A9:8A:BA:1F:9E
4 S ap1-kk5g_kk wifi 1500 1560 1560 48:A9:8A:BA:1F:FC
5 ap1-kk5g_kk-guest wifi 1560 1560 4A:A9:8A:BA:1F:FD
6 R br0 bridge 1500 1560 48:A9:8A:BA:1F:FA
7 R vl9 vlan 1500 1556 48:A9:8A:BA:1F:FAI believe, that the same MAC for the bridge br0 itself and for the vl9, which is a vlan subif attached to br0 is OK.
At least I have the same on the RB5009, the bridge and all the vlan interfaces have there the same MAC.
Ad Logs:
I have filtered the logs for the word "duplicate" but I have have found none. Also I have looked at the logs, and I don´t see anything suspicious.
I have set besides the default logs, some debug:
Code: Select all
/system logging
add topics=debug,caps
add topics=debug,wireless
add topics=debug,interfaceRe: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
I still prefer to make sure MAC addresses are unique.
Looking further.
I suppose here is a mistake too ?
2GHz interface as slave on 5GHz ?
Looking further.
I suppose here is a mistake too ?
2GHz interface as slave on 5GHz ?
Code: Select all
add configuration=kk-guest-2g configuration.mode=ap datapath=dp-vl6 disabled=\
no mac-address=48:A9:8A:BA:1F:9D master-interface=ap1-kk5g_kk name=\
ap1-kk2g_kk-guest security=kk-guestRe: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
OK, I see your point, but I can´t find how to set the bridge mac different from the vlan mac?I still prefer to make sure MAC addresses are unique.
If I change the bridge MAC , the vl9 MAC changes too:
Code: Select all
6 R br0 bridge 1500 1568 48:A9:8A:BA:1F:CA
7 R vl9 vlan 1500 1564 48:A9:8A:BA:1F:CA
Oh yes, thanks!I suppose here is a mistake too ?
2GHz interface as slave on 5GHz ?Code: Select alladd configuration=kk-guest-2g configuration.mode=ap datapath=dp-vl6 disabled=\ no mac-address=48:A9:8A:BA:1F:9D master-interface=ap1-kk5g_kk name=\ ap1-kk2g_kk-guest security=kk-guest
Oh no: I just did correct it, and everything stays the same, no answer to pings if 5GHz WIFI is enabled.
I have found a further issue, there is an interesting command, which I have just found:
Code: Select all
[admin@kk-ap1] /interface/wifiwave2/actual-configuration> print
0 name="ap1-kk2g_kk" l2mtu=1560 mac-address=48:A9:8A:BA:1F:8A arp-timeout=auto
radio-mac=48:A9:8A:BA:1F:9D
configuration.mode=ap .ssid="kk" .country=Hungary .tx-power=10
security.authentication-types=wpa2-psk,wpa3-psk .passphrase="something"
datapath.bridge=br0 .vlan-id=3
channel.band=2ghz-ax .width=20mhz
1 name="ap1-kk2g_kk-guest" l2mtu=1560 mac-address=4A:A9:8A:BA:1F:8B arp-timeout=auto
master-interface=ap1-kk2g_kk
configuration.mode=ap .ssid="kk-guest" .country=Hungary .tx-power=10
security.authentication-types=wpa2-psk,wpa3-psk .passphrase="something"
datapath.bridge=br0 .vlan-id=6
channel.band=2ghz-ax .width=20mhz
2 name="ap1-kk5g_kk" l2mtu=1560 mac-address=48:A9:8A:BA:1F:8C arp-timeout=auto
radio-mac=48:A9:8A:BA:1F:9C
configuration.mode=ap .ssid="kk" .country=Hungary
security.authentication-types=wpa2-psk,wpa3-psk .passphrase="something"
datapath.bridge=br0 .vlan-id=3
channel.band=5ghz-ax .width=20/40/80mhz ###Here correct channel set
3 name="ap1-kk5g_kk-guest" l2mtu=1560 mac-address=48:A9:8A:BA:1F:8D arp-timeout=auto
master-interface=ap1-kk5g_kk
configuration.mode=ap .ssid="kk-guest" .country=Hungary
security.authentication-types=wpa2-psk,wpa3-psk .passphrase="something"
datapath.bridge=br0 .vlan-id=6
channel.band=2ghz-ax .width=20mhz ###Here the wrong channel 2ghz-ax is set
NO, I have found the issue, also the configuration had the wrong channel config. My mistake...
Now /interface/wifiwave2/actual-configuration shows the correct config! AND my sons report: they have internet access via WiFi again!
Getting there slowly! Thanks a lot @holvoetn !
BUT: ping to 10.1.9.21 stops as soon as the 5G interface is enabled....
Now I would like to scream, just a bit. Or maybe go boxing, or something else violent.
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
Please post latest config.
Will check if I see other things which might be off.
Will check if I see other things which might be off.
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
Hi,
many thanks!
Here it goes: Peter
many thanks!
Here it goes: Peter
You do not have the required permissions to view the files attached to this post.
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
You have again an invalid interface in those lists.
Correct that one and since this address list is used in firewall rules, clear connection table in IP Firewall Connections.
(or reboot but your sons might not be too happy with that move
)
I assume you are testing ping from Management PC on VL1 towards 10.1.9.21 ?
Another thing to troubleshoot is to clear all counters on IP Firewall Filter rules, then perform ping and see which counters are moving (or not where you expect them).
Code: Select all
add interface=*A list=lfwd(or reboot but your sons might not be too happy with that move
)I assume you are testing ping from Management PC on VL1 towards 10.1.9.21 ?
Another thing to troubleshoot is to clear all counters on IP Firewall Filter rules, then perform ping and see which counters are moving (or not where you expect them).
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
It just occurred to me ...
You are using RB5009 as central router ?
Then why all the filtering and other complexity on cAP AX ?
Just let the trunk go from RB5009 to cAP AX and do all the routing/filtering on RB.
You are using RB5009 as central router ?
Then why all the filtering and other complexity on cAP AX ?
Just let the trunk go from RB5009 to cAP AX and do all the routing/filtering on RB.
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
Thanks! Yes, actually my rb5009 is doing all the filtering and hangs on a 10G Trunk as a router on a stick.
Well all the firewalling on the CAPax is just additional security measures, as I read on the forums a few years ago. (I guess I just worked in IT for too long.) But that should not be the culprit, it was working well before and I did not touch that.
Also now I have just inserted 5 new rules before everything else. Everything is accepted in every chain:
I can now check the counters increasing for my PC (10.1.1.100).
As my family just left home I was free to reboot as I like, so I just did it!
Now I got the same misterious behavior, but I see more:
It seems like the packets are leaving the firewall as both rule 1 and rule 2 counters increase simultaneously.
This is true for both cases, it doesnt matter if 5G Interfaces are enabled or disabled.
I also launched tcpdump on my PC, to see what the ICMP packets look like.
With tcpdump I can verify if 5G Interfaces disabled I get replies, with 5G enabled I don´t.
Wow!
I will try to make a trace on the RB5009 and check with Wireshark.
This is incredible..... I'm just guessing, but maybe somehow the packets are sent back over the wrong VLAN? How is that possible if I only enable the 5G WIFI?
Well all the firewalling on the CAPax is just additional security measures, as I read on the forums a few years ago. (I guess I just worked in IT for too long.) But that should not be the culprit, it was working well before and I did not touch that.
Also now I have just inserted 5 new rules before everything else. Everything is accepted in every chain:
Code: Select all
/ip firewall filter
add action=accept chain=input comment="from MgtStation aka MyPC ICMP" log=yes log-prefix=":from MgtStation aka MyPC ICMP" protocol=icmp src-address=10.1.1.100
add action=accept chain=output comment="to MgtStation aka MyPC ICMP" dst-address=10.1.1.100 log=yes log-prefix=":to MgtStation aka MyPC ICMP" protocol=icmp
add action=accept chain=forward comment="fwd accept all"
add action=accept chain=input comment="in accept all"
add action=accept chain=output comment="out accept all"
As my family just left home I was free to reboot as I like, so I just did it!
Now I got the same misterious behavior, but I see more:
It seems like the packets are leaving the firewall as both rule 1 and rule 2 counters increase simultaneously.
This is true for both cases, it doesnt matter if 5G Interfaces are enabled or disabled.
I also launched tcpdump on my PC, to see what the ICMP packets look like.
With tcpdump I can verify if 5G Interfaces disabled I get replies, with 5G enabled I don´t.
Wow!
I will try to make a trace on the RB5009 and check with Wireshark.
This is incredible..... I'm just guessing, but maybe somehow the packets are sent back over the wrong VLAN? How is that possible if I only enable the 5G WIFI?
You do not have the required permissions to view the files attached to this post.
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
Here comes some more fun:
The uplink trunk interface on the CAPax does not see the ICMP replies until around rule No. 79, where I disable the 5G interface!
With no 5GHz Wifi, pings are answered.
If I put the trace on br0 I have same behavior.
The uplink trunk interface on the CAPax does not see the ICMP replies until around rule No. 79, where I disable the 5G interface!
With no 5GHz Wifi, pings are answered.
Code: Select all
/tool sniffer
set file-limit=10000KiB file-name=capax filter-interface=e1uplink \
filter-ip-protocol=icmp memory-limit=1000KiB
You do not have the required permissions to view the files attached to this post.
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
I have downloaded the PCAP from br0, and opened it with Wireshark, but of course there is nothing special in there.
I guess my only two options are to open a ticket with MT support or to wait for the next 7.13.1/7.14rc28 release then.
Special thanks to @holvoethn responses to my extensive posts!
Still, I´d appreciate any further idea or suggestion.....
Peter
I guess my only two options are to open a ticket with MT support or to wait for the next 7.13.1/7.14rc28 release then.
Special thanks to @holvoethn responses to my extensive posts!
Still, I´d appreciate any further idea or suggestion.....
Peter
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
It doesn't hurt to try already 7.13 or 7.14beta.
I've seen some lines related to bridge and VLAN in those change logs ...
I've seen some lines related to bridge and VLAN in those change logs ...
Re: CAPax 2 SSIDS on 2 VLANs + 1MGT VLAN > I'm getting desperate
Yeah, I was all high hopes about the 7.13, and it worked, but it simply did not like my sons laptop. Still considering to maybe try 7.14b4, I just have read the relnotes. Only after downloading the backup!
Anyway I have a working WIFI now and my sons will be back soon, so I might wait with the next experiment.
Or I prepare my hap ax2 for my sons to use, before I try 7.14b4....
Thanks again for your help!
Anyway I have a working WIFI now and my sons will be back soon, so I might wait with the next experiment.
Or I prepare my hap ax2 for my sons to use, before I try 7.14b4....
Thanks again for your help!
Who is online
Users browsing this forum: No registered users and 1 guest