BBCWatcher
just joined
Topic Author
Posts: 7
Joined: Sun Jan 28, 2024 8:22 am

CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Sun Jan 28, 2024 9:12 am

Here are a few "little" configuration questions. As background I have two routers: a "front side" (connected to the ISP, gets a public dynamic IPv4 address) hAP ac^2 and a "back side" (wireless access point only) hAP ac^3. There's a wired connection between them. Both are running RouterOS 7.13.3.

1. On my hAP ac^2 I'm currently using the wireless package. I'm having a tough time getting a working configuration with the new wifi-qcom-ac package. I can't get any client devices to associate with the access point after swapping wireless packages. Any general troubleshooting advice?

2. My current configuration dedicates the 2.4 GHz radio (wlan1) on the hAP ac^2 to a guest network. This simple arrangement has been working well. If I get wifi-qcom-ac working and configure CAPsMAN on my hAP ac^3 (already running wifi-qcom-ac) to "unify" the main wireless network can I exclude the 2.4 GHz radio on the hAP ac^2 from CAPsMAN and leave it for a separate, standalone guest network? Or is it "all or nothing" with CAPsMAN? If it's "all or nothing" can I still dedicate the 2.4 GHz radio on the hAP ac^2 to a guest network from within CAPsMAN? Any how-to pointers either way would be welcome.

3. I'm getting an "invalid" flag on the DHCP Server configuration for the guest network on the hAP ac^2's 2.4 GHz radio (wlan1). But oddly enough it still works. Guest client devices are still getting DHCP address assignments from the correct, separate IP address pool I've defined. Any ideas what to check to clear that flag?

4. Currently the DHCP server configurations for both the main and guest networks hand out traditional public IPv4 DNS server addresses to DHCP clients (addresses I choose rather than what my ISP hands out). I'm thinking of configuring the hAP ac^3 to act as a DNS server which then forwards DNS queries using DNS over HTTPS (DoH). Then reconfiguring the DNS server (on the hAP ac^2) to provide the IP address of the hAP ac^3 as the DNS server address to DHCP clients. Are there any disadvantages with this approach?

5. My Internet Service Provider offers 6rd service to get IPv6, but I haven't bothered to configure 6rd on either the hAP ac^2 or hAP ac^3 mainly because I'm concerned about getting firewall rules correct. Any pointers? Or should I continue ignoring 6rd?

Thanks.
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Sun Jan 28, 2024 11:05 am

1. question is not clear. You loaded wifi-qcom-ac driver on AC2 and then having problems ? Or something else ?

2. you can specify on interface basis which ones participate in capsman and which not. But you can also define that separate SSID as a separate config in capsman, leaving everything on AC2 as default (for a cap device) as it can be.

3. You need to show config or anyone can guess away ...

4. Not really but for my understanding, why don't you swap ac3 and ac2 from place in your network ? Having wifi-qcom-ac installed that ac2 is going to be VERY space restricted on storage and the only thing it might still reliably do then is ... being an access point. Nothing more.
The fact you're going to foresee capsman, DNS, DoH on AC3, ... all are indications of this as well. It's more logical then to have ac3 facing ISP router directly.
My view, others may disagree.

5. no comment. Don't really know what that is. But the little I do know is that it is basically 6to4, so actually using IPv4. If not real IPv6, why bother ?
Why do you need IPv6 if IPv4 still works for you ? Just a question.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Sun Jan 28, 2024 11:52 am

> Why do you need IPv6 if IPv4 still works for you ?

A short while ago I've got information that google cloud is giving only IPv6 addresses for certain cloud infrastructure. So I guess we are starting to see actual needs for IPv6 everywhere (which usually means dual stack).
 
BBCWatcher
just joined
Topic Author
Posts: 7
Joined: Sun Jan 28, 2024 8:22 am

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Sun Jan 28, 2024 2:19 pm

> 1. question is not clear. You loaded wifi-qcom-ac driver on AC2 and then having problems ? Or something else ?

That's correct. I uninstalled the wireless package, installed the wifi-qcom-ac package, configured wlan1 and wlan2 interfaces again, and...clients can't associate. I've returned to the wireless package for now, but I was wondering if anyone has any general tips. (I see someone else just posted a similar problem.)

> 2. you can specify on interface basis which ones participate in capsman and which not. But you can also define that separate SSID as a separate config in capsman, leaving everything on AC2 as default (for a cap device) as it can be.

OK, excellent. Once I get past #1 I'll add CAPsMAN to the mix.

> 3. You need to show config or anyone can guess away ...

Just the DHCP server section? Any other sections?

> 4. Not really but for my understanding, why don't you swap ac3 and ac2 from place in your network ? Having wifi-qcom-ac installed that ac2 is going to be VERY space restricted on storage and the only thing it might still reliably do then is ... being an access point. Nothing more.
> The fact you're going to foresee capsman, DNS, DoH on AC3, ... all are indications of this as well. It's more logical then to have ac3 facing ISP router directly.
> My view, others may disagree.

The hAP ac^3 offers a little better wireless radio coverage, and for that reason it's working better to have the ac^3 and ac^2 in their respective physical locations. But I'll give that idea some more thought.

> 5. no comment. Don't really know what that is. But the little I do know is that it is basically 6to4, so actually using IPv4. If not real IPv6, why bother ?
> Why do you need IPv6 if IPv4 still works for you ? Just a question.

It's not the most urgent task item, but it's an option the ISP offers.
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Mon Jan 29, 2024 6:24 am

> > 1. question is not clear. You loaded wifi-qcom-ac driver on AC2 and then having problems ? Or something else ?
>
> That's correct. I uninstalled the wireless package, installed the wifi-qcom-ac package, configured wlan1 and wlan2 interfaces again, and...clients can't associate. I've returned to the wireless package for now, but I was wondering if anyone has any general tips. (I see someone else just posted a similar problem.)

> > 3. You need to show config or anyone can guess away ...
>
> Just the DHCP server section? Any other sections?

Full config please, preferably with wifi-qcom-ac driver loaded and configured as well, then we can have a look at both issues.
 
BBCWatcher
just joined
Topic Author
Posts: 7
Joined: Sun Jan 28, 2024 8:22 am

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Fri Feb 02, 2024 3:56 am

It'll take a little time to get everything ready since I need a "maintenance window." Thanks for the offer. I'll work on it and should return with details.
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Fri Feb 02, 2024 8:05 am

Making a config export does not require a maintenance window.
 
BBCWatcher
just joined
Topic Author
Posts: 7
Joined: Sun Jan 28, 2024 8:22 am

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Sun Feb 04, 2024 7:11 am

> Making a config export does not require a maintenance window.

Ordinarily not, but in this case it did require a maintenance window since I was trying to export a configuration with the new wifi-qcom-ac installed.

Fortunately I've made huge progress! The wifi-qcom-ac package is now installed (instead of the wireless package), and it appears I've got everything working at least as well as it did with the wireless package. The next project will be to get the 4 WiFi radios (total across the 2 routers) under CAPsMAN (running on the "interior" hAP ac^3), but that's a project for a future day. Below is a terse export of the configuration on "MikroTik 1," the ISP-facing hAP ac^2. The ~ (tilde) marks indicate redacted information. Critiques would be welcome. The DHCP server attached to wifi1 (the 2.4 GHz radio) and doling out addresses in the 10.0.2.x subnet is no longer displaying "invalid" in WebFig, so that cosmetic (?) issue appears to be resolved. I think I must've missed some configuration repair items with the wlan(x) to wifi(x) renaming back before I opened this thread, but I guess they're all cleaned up now in this configuration.

"Free HDD Space" on the hAP ac^2 with base RouterOS 7.13.3 and the wifi-qcom-ac package (only) is hovering around 672 KiB. Is that the best I can do, or would a netinstall improve that number? Anything else I can do to improve free space?
# 2024-02-~~ ~~:~~:~~ by RouterOS 7.13.3
# software id = YR~~-~~~~
#
# model = RBD52G-5HacD2HnD
# serial number = C~~~~~~~~~~~
/interface bridge add admin-mac=08:55:~~:~~:~~:~~ auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi security add authentication-types=wpa2-psk connect-priority=0 disable-pmkid=yes disabled=no encryption=ccmp management-protection=disabled name=default-sec wps=disable
/interface wifi security add authentication-types=wpa2-psk connect-priority=0 disable-pmkid=yes disabled=no encryption=ccmp management-protection=disabled name=default-guest wps=disable
/interface wifi set [ find default-name=wifi1 ] channel.band=2ghz-n .frequency=2412 .skip-dfs-channels=all .width=20mhz configuration.country=Singapore .mode=ap .ssid=~ disabled=no security=default-guest security.connect-priority=0
/interface wifi set [ find default-name=wifi2 ] channel.band=5ghz-ac .frequency=5745 .skip-dfs-channels=all .width=20mhz configuration.country=Singapore .mode=ap .ssid=~ disabled=no security=default-sec security.connect-priority=0
/ip pool add name=dhcp ranges=10.0.1.10-10.0.1.190
/ip pool add name=dhcp-guest ranges=10.0.2.10-10.0.2.190
/ip dhcp-server add address-pool=dhcp interface=bridge lease-time=3h name=defconf
/ip dhcp-server add address-pool=dhcp-guest bootp-support=none interface=wifi1 lease-time=2h name=guest
/queue type add kind=sfq name=sfq-default sfq-perturb=10
/queue type add cake-rtt=200ms kind=cake name=cake-default
/queue simple add disabled=yes max-limit=65M/85M name=sfq-default queue=sfq-default/sfq-default target=10.0.1.0/24
/queue simple add max-limit=4M/8M name=sfq-guest queue=sfq-default/sfq-default target=10.0.2.0/24
/queue simple add max-limit=65M/85M name=cake-default queue=cake-default/cake-default target=10.0.1.0/24
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=wifi2 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings set discover-interface-list=none
/ip settings set max-neighbor-entries=8192
/ipv6 settings set accept-router-advertisements=no disable-ipv6=yes max-neighbor-entries=8192
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server set auth=sha1,md5
/ip address add address=10.0.1.1/24 comment=defconf interface=bridge network=10.0.1.0
/ip address add address=10.0.2.1/24 interface=wifi1 network=10.0.2.0
/ip cloud set update-time=no
/ip dhcp-client add comment=defconf interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease add address=10.0.1.201 mac-address=90:32:~~:~~:~~:~~ server=defconf
/ip dhcp-server lease add address=10.0.1.240 mac-address=94:CC:~~:~~:~~:~~ server=defconf
/ip dhcp-server lease add address=10.0.1.241 mac-address=94:CC:~~:~~:~~:~~ server=defconf
/ip dhcp-server lease add address=10.0.1.2 lease-time=6h mac-address=08:55:~~:~~:~~:~~ server=defconf
/ip dhcp-server lease add address=10.0.1.200 mac-address=20:C9:~~:~~:~~:~~ server=defconf
/ip dhcp-server network add address=10.0.1.0/24 comment=defconf dns-server=9.9.9.9,1.1.1.2 gateway=10.0.1.1 netmask=24
/ip dhcp-server network add address=10.0.2.0/24 dns-server=9.9.9.9,1.1.1.2 gateway=10.0.2.1 netmask=24
/ip dns set servers=9.9.9.9,1.1.1.2
/ip dns static add address=10.0.1.1 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=LAN protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=forward dst-address=10.0.1.0/24 src-address=10.0.2.0/24
/ip firewall filter add action=drop chain=forward dst-address=10.0.2.0/24 src-address=10.0.1.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat out-interface=wifi1 src-address=10.0.2.0/24
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www address=10.0.1.0/24
/ip service set ssh address=10.0.1.0/24
/ip service set api address=10.0.1.0/24 disabled=yes
/ip service set winbox address=10.0.1.0/24
/ip service set api-ssl address=10.0.1.0/24 disabled=yes
/ip smb set allow-guests=no comment=Backup
/ip ssh set strong-crypto=yes
/routing bfd configuration add disabled=no
/system clock set time-zone-autodetect=no time-zone-name=Asia/Singapore
/system identity set name="MikroTik 1"
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=pool.ntp.org
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
Last edited by BBCWatcher on Tue Feb 06, 2024 1:53 pm, edited 1 time in total.
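
Added example, not part of any post in this thread: a simplified first-match evaluator for the forward-chain rules in the export above, showing how they treat new connections from the guest subnet. The packet addresses (10.0.2.50 as a guest client, 10.0.1.53 as a LAN-side DNS forwarder) are constructed, and matchers the sketch does not model, such as ipsec-policy, are assumed not to match plain traffic.

```python
import ipaddress
import shlex

# Forward-chain rules copied from the export in the post above.
EXPORT = '''\
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=forward dst-address=10.0.1.0/24 src-address=10.0.2.0/24
/ip firewall filter add action=drop chain=forward dst-address=10.0.2.0/24 src-address=10.0.1.0/24
'''
PREFIX = "/ip firewall filter add "
IGNORED = {"action", "chain", "comment", "disabled", "hw-offload"}
SET_MATCHERS = {"connection-state", "connection-nat-state", "in-interface-list"}

def parse_rules(export):
    """Turn terse-export filter lines into dicts of key -> value."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line[len(PREFIX):]))
            for line in export.splitlines() if line.startswith(PREFIX)]

def matches(rule, pkt):
    """Simplified matcher (assumption): unmodelled matchers never match."""
    if rule.get("disabled") == "yes" or rule["chain"] != pkt["chain"]:
        return False
    for key, want in rule.items():
        if key in IGNORED:
            continue
        if key in ("src-address", "dst-address"):
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        elif key in SET_MATCHERS:
            # "!" negates the match; values are comma-separated sets.
            ok = (pkt.get(key, "") in want.lstrip("!").split(",")) != want.startswith("!")
        else:
            ok = False
        if not ok:
            return False
    return True

def verdict(rules, pkt):
    """First terminating match wins; RouterOS accepts when no rule matches."""
    for index, rule in enumerate(rules):
        if rule["action"] in ("accept", "drop") and matches(rule, pkt):
            return rule["action"], index
    return "accept", None

RULES = parse_rules(EXPORT)
# Constructed packets; wifi1 is in no interface list, so in-interface-list is left unset.
GUEST_TO_LAN_DNS = {"chain": "forward", "src-address": "10.0.2.50",
                    "dst-address": "10.0.1.53", "connection-state": "new"}
GUEST_TO_PUBLIC_DNS = dict(GUEST_TO_LAN_DNS, **{"dst-address": "9.9.9.9"})

if __name__ == "__main__":
    for pkt in (GUEST_TO_LAN_DNS, GUEST_TO_PUBLIC_DNS):
        print(pkt["dst-address"], verdict(RULES, pkt))
```

With these rules a guest client reaches 9.9.9.9, but a new connection to any 10.0.1.0/24 address is dropped by the seventh forward rule. That matters if the DNS address handed to guest DHCP clients is ever moved onto the main LAN.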
 
BBCWatcher
just joined
Topic Author
Posts: 7
Joined: Sun Jan 28, 2024 8:22 am

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Sun Feb 04, 2024 9:33 am

WebFig now shows the DHCP server for the 10.0.2.x subnet as "Invalid." But it's doing what it's supposed to be doing (doling out 10.0.2.x addresses to clients connecting on the 2.4 GHz radio's guest network).
 
BBCWatcher
just joined
Topic Author
Posts: 7
Joined: Sun Jan 28, 2024 8:22 am

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Wed Feb 07, 2024 6:30 am

OK, I think I've got a basic CAPsMAN (wifi-qcom-ac) configuration working now. The "inside" router (hAP ac^3) is acting as the CAPsMAN, and the ISP-facing router (hAP ac^2) is a CAP, and only with its 5 GHz radio. I'm dedicating the hAP ac^2's 2.4 GHz radio to a guest network, and it's not participating in CAPsMAN. It took me a while to figure out that I shouldn't try to include the hAP ac^3's own radios into the CAPsMAN configuration.

Adding the hAP ac^2's 5 GHz radio to a CAPsMAN configuration is really just to get fast roaming (802.11r/k/v) working between/among all 3 radios. I'm not exactly sure how to test whether it's actually working, but I see some promising roaming messages in the hAP ac^3's log.

I had the hAP ac^3 configured with a DHCP client address (obtained from the DHCP server running on the hAP ac^2) with an address reservation, but I've changed that over to a static address (with simple default route) just to make it a little more robust.

I'm still unsure why the DHCP server bound to wifi1 (the 2.4 GHz radio) on the hAP ac^2 is displaying an "Invalid" indicator in WebFig. It's working despite the indicator. Any ideas? Would a second bridge interface (with wifi1 only) clear that indicator?

I'm still considering the 6rd, DNS server/DoH, and router location swap ideas.
 
soooc
newbie
Posts: 28
Joined: Thu Mar 10, 2011 1:51 pm

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Thu Feb 22, 2024 2:23 pm

Where is CAPSMAN config on wifi-qcom-ac? In client, there is cap but without interface
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPsMAN, DHCP Server, Wireless to wifi-qcom-ac, etc.

Thu Feb 22, 2024 2:26 pm

> Where is CAPSMAN config on wifi-qcom-ac? In client, there is cap but without interface

CAPsMAN is configured through the WiFi menu on the Remote CAP tab, CAPsMAN button (or /interface/wifi/capsman). It is available since 7.13.x and has nothing to do with the additional package/driver.
