Community discussions

MikroTik App
 
voy4g3r2
just joined
Topic Author
Posts: 10
Joined: Wed Apr 10, 2024 11:22 pm

CAPsMAN configuring 5ghz but always defaulting to 2ghz

Thu Apr 11, 2024 2:37 am

Hello everyone,
I am currently experiencing issues with 5ghz frequency utilization on some of my network and was hoping to get some guidance from this forum.

Current State: The only 5ghz frequency that works is the 5ghz radio on the router and NONE of the access points.
Expected State: The access points, both 2ghz and 5ghz, are operational and devices can use them.

Background:
My environment consists of 3 devices in total, a hap ax3 and 2 cap ax devices. Software: 7.14.2

Management Setup
  • CAPsMAN server is on the router
  • 2ghz has its own configuration profile SSID: mikrotik
  • 5ghz has its own configuration profile SSID: mikrotik-5g
  • All devices on the network use the configuration from the router to control the 2 access points

Use Case 1: All devices enabled
In this situation both of the configurations are enabled and i see both SSIDs and able to connect to ANY access point on the 2ghz. The 5ghz is ONLY accessible from the router configuration.

Use Case 2: Disable 5ghz on router
In this situation all of the access points (2ghz) work but the 5ghz SSID disappears from the available networks.

The two configurations that support this setup are attached to this post. (These files have the redacted personal information update)

In summary, i am not sure what makes the router work but the access points NOT work as they are all using the same configuration.

If anyone could provide guidance or assistance, it would be greatly beneficial as i am not able to use the fully power of these devices.
You do not have the required permissions to view the files attached to this post.
 
ips
Frequent Visitor
Frequent Visitor
Posts: 99
Joined: Mon Oct 09, 2023 6:48 pm
Location: Italy

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Thu Apr 11, 2024 3:25 pm

I'm not sure that I understand the problem.
However, I assume that the `all_enabled_caps.output.rsc` configuration is the one on the ax3.
Could you try to modify the config on the ax3 by disabling cap mode (wifi > cap > uncheck enabled), disabling detect-internet (interfaces > detect internet > set to none everything), and resetting the two cap ax to CAP mode (see https://help.mikrotik.com/docs/display/UM/cAP+ax under Reset Button)?

Moreover, please check that also the routerboard firmware is up-to-date (System > RouterBOARD)
 
ips
Frequent Visitor
Frequent Visitor
Posts: 99
Joined: Mon Oct 09, 2023 6:48 pm
Location: Italy

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Thu Apr 11, 2024 3:34 pm

BTW, I cannot see the provisioning rules.
See https://help.mikrotik.com/docs/display/ ... onexample:
 
voy4g3r2
just joined
Topic Author
Posts: 10
Joined: Wed Apr 10, 2024 11:22 pm

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Thu Apr 11, 2024 5:51 pm

The issue I am experiencing is, the 5ghz ONLY works on the hAP ax3 device.. none of the access points.

I did see that the firmware of all devices are out of date and are now up to date.

The configurations shared were to demonstrate that it was disabled (hap ax 5ghz) and another where everything was enabled.

Let me look at the provision stuff a little more but brings up the question why would one radio work and not the other if they are not properly provisioned?
 
ips
Frequent Visitor
Frequent Visitor
Posts: 99
Joined: Mon Oct 09, 2023 6:48 pm
Location: Italy

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Thu Apr 11, 2024 6:11 pm

The CAPsMAN and the CAPs have different roles, hence should have different configs. If all of them share the same config, then all of them want to be both CAPsMANs and CAPs, and the result is difficult to predict.

Please keep the configuration of the ax3 as you shared (plus the modifications I suggested), add the provisioning rules (see docs), and then reset the CAP AXs to CAP mode (with the reset button).
 
voy4g3r2
just joined
Topic Author
Posts: 10
Joined: Wed Apr 10, 2024 11:22 pm

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Thu Apr 11, 2024 6:41 pm

thank you. i will work on the following items then
1. Make a unique configuration for hap ax3
2. Make a unique configuration the cap ax can use
3. Add provisioning rules to the cap configuration

hopefully i am not misunderstanding the recommendation, correct?
 
ips
Frequent Visitor
Frequent Visitor
Posts: 99
Joined: Mon Oct 09, 2023 6:48 pm
Location: Italy

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Thu Apr 11, 2024 6:45 pm

Actually, provisioning rules are part of the configuration of the ax3, not of the caps.
Configuration of the caps should be only matter of resetting them to cap mode.

Sorry if I was not clear enough.
 
voy4g3r2
just joined
Topic Author
Posts: 10
Joined: Wed Apr 10, 2024 11:22 pm

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Fri Apr 12, 2024 12:48 am

That makes total sense and the only way for this to really work, i need a 5ghz wifi and 2ghz wifi.

by trying to combine them into one wifi network.. it just won't work? The documentation keeps pushing towards 2 networks and not 1.

I was hoping for just one master network and letting the client and ap do the negotation.
 
voy4g3r2
just joined
Topic Author
Posts: 10
Joined: Wed Apr 10, 2024 11:22 pm

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Fri Apr 12, 2024 5:03 am

Thanks for the help, i got it operational with provisioning rules and two seperate wifi networks.. while not ideal at least the 5g radios are operational.
 
erlinden
Forum Guru
Forum Guru
Posts: 2040
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Fri Apr 12, 2024 8:44 am

Can you share your config? Still a bit puzzled by the problem you are running into and what you are trying to accomplish.
 
voy4g3r2
just joined
Topic Author
Posts: 10
Joined: Wed Apr 10, 2024 11:22 pm

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Fri Apr 12, 2024 2:41 pm

My ultimate goal is to be able to have CAPsMAN manage and configure my hap ax3 along with my 2 additional access points.

The current configuration, attached to this post, has the networks setup with two SSIDs which i would like to get to one.

Originally I was NOT getting the 5ghz band working with the configuration but with two SSIDs i can have both antennas manage clients.
# 2024-04-12 07:38:10 by RouterOS 7.14.2
# software id = 1504-C6QG
#
# model = 
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="AP UPSTAIRS"
set [ find default-name=ether3 ] comment="NETGEAR SWITCH"
set [ find default-name=ether4 ] comment=cap-ax-office
set [ find default-name=ether5 ] comment="WAN PORT"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=router-2ghz
add band=5ghz-ax disabled=no name=router-5ghz
add band=2ghz-ax disabled=no name=accesspoint-2ghz
add band=5ghz-ax disabled=no name=accesspoint-5ghz
/interface wifi datapath
add bridge=bridge disabled=no name=router-datapah
add bridge=bridge disabled=no name=accesspoint-datapath
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=foxglenacres
/interface wifi configuration
add country="United States" datapath=router-datapah disabled=no mode=ap name=\
    router-2ghz security=foxglenacres ssid=foxglenacres
add channel=router-5ghz country="United States" datapath=router-datapah \
    disabled=no mode=ap name=router-5ghz security=foxglenacres ssid=\
    foxglenacres-5G
add country="United States" disabled=no mode=ap name=accesspoint-2ghz \
    security=foxglenacres ssid=foxglenacres
add country="United States" disabled=no mode=ap name=accesspoint-5ghz \
    security=foxglenacres ssid=foxglenacres-5G
/interface wifi
set [ find default-name=wifi2 ] channel=router-2ghz \
    channel.skip-dfs-channels=10min-cac configuration=router-2ghz \
    configuration.mode=ap .tx-chains="" datapath.bridge=bridge disabled=no \
    name=router-2ghz security=foxglenacres security.connect-priority=0 .ft=\
    yes .ft-over-ds=yes
set [ find default-name=wifi1 ] channel=router-5ghz configuration=router-5ghz \
    configuration.mode=ap datapath=router-datapah disabled=no name=\
    router-5ghz security=foxglenacres security.authentication-types="" .ft=\
    yes .ft-over-ds=yes
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip pool
add name=dhcp ranges=192.168.0.50-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=router-5ghz
add bridge=bridge comment=defconf interface=router-2ghz
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/interface detect-internet
set detect-interface-list=all internet-interface-list=LAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
/interface wifi cap
set caps-man-addresses=127.0.0.1 discovery-interfaces=bridge enabled=yes
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-789A1846D770 enabled=yes interfaces=bridge \
    package-path="" require-peer-certificate=no upgrade-policy=\
    require-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    accesspoint-5ghz supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    accesspoint-2ghz supported-bands=2ghz-ax
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
/ip dhcp-client
add comment=defconf interface=ether5
/ip dhcp-server lease
add address=192.168.0.63 client-id=1:78:9a:18:cb:87:25 mac-address=\
    78:9A:18:CB:87:25 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 caps-manager=192.168.0.1 comment=defconf \
    dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
add address=192.168.0.1 name=router.home
add address=192.168.0.25 name=harley.home
add address=192.168.0.5 name=current.home
add address=192.168.0.10 name=momas.home
add address=192.168.0.7 name=plex.home
add address=192.168.0.15 name=fritz.home
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=cap-ax-office
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
erlinden
Forum Guru
Forum Guru
Posts: 2040
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Fri Apr 12, 2024 3:37 pm

In regards to channel (which handles the...channel):
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5180-5700 name=5G-80 skip-dfs-channels=10min-cac width=20/40/80mhz-Ceee
add band=2ghz-ax disabled=no frequency=2412,2437,2460 name=24G-20 width=20mhz
By using the above, the frequency is automatically chosen (based on a quick scan when enabling the interface).

A single datapath is sufficient, if you are not using VLAN's.

I ran into lots of problems with a combination of WPA2 & WPA3 (iPhone 11), set this to WPA2 only:
/interface wifi security
add authentication-types=wpa2-psk connect-priority=0/1 disabled=no ft=yes ft-over-ds=yes group-encryption=ccmp name=[securityname] wps=disable
With the above, roaming will be great. WPS is up to you...

You can use 2 configs, one for 2.4GHz and one for 5GHz:
/interface wifi configuration
add channel=24G-20 country=Netherlands datapath=DP_AC disabled=no dtim-period=3 name=[Name-2.4G-AC] security=[securityname] ssid=[SSID] tx-power=5
add channel=5G-80 country=Netherlands datapath=DP_AC disabled=no dtim-period=3 name=[Name-5G-AC] security=[securityname] ssid=[SSID]
Add provisioning rules:
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=[Name-2.4G-AC] name-format=%I supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=[Name-5G-AC] name-format=%I supported-bands=5ghz-ac
And at last the /interface/wifi:
/interface wifi
set [ find default-name=wifi1 ] channel=5G-80 configuration.country=Netherlands .dtim-period=3 .mode=ap .ssid=[SSID] disabled=no security=[securityname]
set [ find default-name=wifi2 ] channel=24G-20 configuration.country=Netherlands .dtim-period=3 .mode=ap .ssid=[SSID] disabled=no
security=[securityname]
This should be sufficient to get a clean config which is prepared for becoming CAPsMAN.
By adding this line, CAPsMAN is active:
/interface wifi capsman
set enabled=yes interfaces=bridge package-path=/packages require-peer-certificate=no upgrade-policy=none
Hope this provides some more insides on a way to config.

Do you really need this poolsize?
/ip pool
add name=dhcp ranges=192.168.0.50-192.168.88.254
 
voy4g3r2
just joined
Topic Author
Posts: 10
Joined: Wed Apr 10, 2024 11:22 pm

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Fri Apr 12, 2024 4:17 pm

wow, i see where things are going with it.

I am there but not quite there yet.

Follow-up to your question:
-Why do i have dhcp pool set: I have a set of servers in the 2-20 range that i want to be outside of the dhcp ip range, setting this allowed me to achieve that. I could also just remove the range and set those specific mac addresses to ips. The one area i did not want to "deal with" was adding some virtual machines and having to "fight" for that lower end range.
 
erlinden
Forum Guru
Forum Guru
Posts: 2040
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Fri Apr 12, 2024 4:43 pm

In regards to the poolsize:

192.168.0.x - 192.168.88.y

Sure that is what you want?
 
voy4g3r2
just joined
Topic Author
Posts: 10
Joined: Wed Apr 10, 2024 11:22 pm

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Fri Apr 12, 2024 7:31 pm

ohh.. i did not see the 1 to 88 range, thank you! that is NOT what i want :)
 
voy4g3r2
just joined
Topic Author
Posts: 10
Joined: Wed Apr 10, 2024 11:22 pm

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Sat Apr 13, 2024 6:18 am

just for the purpose of completeness, this is what i ended up doing. I was not able to combine SSID, it would go back to defaulting to 2ghz no matter what I tried.. maybe there is something i am just missing.

I do have to say after getting this all worked out my 5ghz connected devices went from 200mbps to 450-500 which is a great improvement.
# 2024-04-12 23:09:48 by RouterOS 7.14.2
# software id = 1504-C6QG
#
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="AP UPSTAIRS"
set [ find default-name=ether3 ] comment="NETGEAR SWITCH"
set [ find default-name=ether4 ] comment=cap-ax-office
set [ find default-name=ether5 ] comment="WAN PORT"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2460 name=router-2ghz width=\
    20mhz
add band=5ghz-ax disabled=no frequency=5180-5700 name=router-5ghz \
    skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412,2437,2460 name=accesspoint-2ghz \
    width=20mhz
add band=5ghz-ax disabled=no frequency=5180-5700 name=accesspoint-5ghz \
    skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi datapath
add bridge=bridge disabled=no name=router-datapah
add bridge=bridge disabled=no name=accesspoint-datapath
/interface wifi security
add authentication-types=wpa2-psk connect-priority=0/1 disabled=no ft=yes \
    ft-over-ds=yes group-encryption=ccmp name=foxglenacres
/interface wifi configuration
add channel=router-2ghz country="United States" datapath=router-datapah \
    disabled=no mode=ap name=router-2ghz security=foxglenacres ssid=\
    foxglenacres tx-power=5
add channel=router-5ghz country="United States" datapath=router-datapah \
    disabled=no mode=ap name=router-5ghz security=foxglenacres ssid=\
    foxglenacres-5G
add channel=router-2ghz country="United States" datapath=accesspoint-datapath \
    disabled=no mode=ap name=accesspoint-2ghz security=foxglenacres ssid=\
    foxglenacres tx-power=5
add channel=accesspoint-5ghz country="United States" datapath=router-datapah \
    disabled=no mode=ap name=accesspoint-5ghz security=foxglenacres ssid=\
    foxglenacres-5G
/interface wifi
set [ find default-name=wifi2 ] channel=router-2ghz \
    channel.skip-dfs-channels=10min-cac configuration=router-2ghz \
    configuration.mode=ap .tx-chains="" datapath.bridge=bridge disabled=no \
    name=router-2ghz security=foxglenacres security.connect-priority=0 .ft=\
    yes .ft-over-ds=yes
set [ find default-name=wifi1 ] channel=router-5ghz configuration=router-5ghz \
    configuration.mode=ap datapath=router-datapah disabled=no name=\
    router-5ghz security=foxglenacres security.authentication-types="" .ft=\
    yes .ft-over-ds=yes
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip pool
add name=dhcp ranges=192.168.0.50-192.168.0.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp interface=bridge name=defconf
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=router-5ghz
add bridge=bridge comment=defconf interface=router-2ghz
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=LAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
/interface wifi cap
set caps-man-addresses=127.0.0.1 discovery-interfaces=bridge enabled=yes
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-789A1846D770 enabled=yes interfaces=bridge \
    package-path="" require-peer-certificate=no upgrade-policy=\
    require-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    accesspoint-5ghz name-format=%I supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    accesspoint-2ghz name-format=%I supported-bands=2ghz-ax
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
/ip dhcp-client
add comment=defconf interface=ether5
/ip dhcp-server lease
add address=192.168.0.63 client-id=1:78:9a:18:cb:87:25 mac-address=\
    78:9A:18:CB:87:25 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 caps-manager=192.168.0.1 comment=defconf \
    dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
add address=192.168.0.1 name=router.home
add address=192.168.0.25 name=harley.home
add address=192.168.0.5 name=current.home
add address=192.168.0.10 name=momas.home
add address=192.168.0.7 name=plex.home
add address=192.168.0.15 name=fritz.home
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=WiFi-CAPsMAN-789A1846D770 disabled=no
set api disabled=yes
set winbox port=8292
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=hap-ax3-router
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
erlinden
Forum Guru
Forum Guru
Posts: 2040
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Sat Apr 13, 2024 9:30 am

just for the purpose of completeness, this is what i ended up doing. I was not able to combine SSID, it would go back to defaulting to 2ghz no matter what I tried.. maybe there is something i am just missing.
Looks a lot better, think that channels is a bit redundant (as one definition per channel is enough). But that is not the problem.

What could be the problem is clients connecting while the 5GHz radio is performing DFS scanning (for a minute at max). DUring that time only the 2.4GHz radio is available. Bu tbe aware...it is up to the device to make a choice which radio it will connect to.

When I see devices connected to the 2.4GHz radio (and after all radios are available), I just remove them from the Registration. Afterwards, they reconnect and tend to prefer 5GHz.

Question: what is the difference between the two datapaths? Why not use a single datapath (definition)?
And are you aware that the highlighted parts underneath are allready set?

/interface wifi
set [ find default-name=wifi2 ] channel=router-2ghz \
channel.skip-dfs-channels=10min-cac configuration=router-2ghz \
configuration.mode=ap .tx-chains="" datapath.bridge=bridge disabled=no \
name=router-2ghz security=foxglenacres security.connect-priority=0 .ft=\
yes .ft-over-ds=yes

set [ find default-name=wifi1 ] channel=router-5ghz configuration=router-5ghz \
configuration.mode=ap datapath=router-datapah disabled=no name=\
router-5ghz security=foxglenacres security.authentication-types="" .ft=\
yes .ft-over-ds=yes


And please be aware that empty settings could screw things up. Like security.authentication-types="".
This will overwrite the setting from security!

Hence you want to have a single security definition and use it in the confguration.

Edit
Think the underneath config is sufficient in your situation.
Haven't tested it, passphrase is (obviously) missing. Lot of cleaning up nevertheless....
And naming convention of the different parts makes it a lot more readable.

Hope this brings you to the preferred situation.
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2460 name=2ghz-channel width=\
    20mhz
add band=5ghz-ax disabled=no frequency=5180-5700 name=5ghz-channel \
    skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi datapath
add bridge=bridge disabled=no name=wifi-datapath
/interface wifi security
add authentication-types=wpa2-psk connect-priority=0/1 disabled=no ft=yes \
    ft-over-ds=yes group-encryption=ccmp name=foxglenacres
/interface wifi configuration
add channel=2ghz-channel country="United States" datapath=wifi-datapath \
    disabled=no mode=ap name=2ghz-configuration security=foxglenacres ssid=\
    foxglenacres tx-power=5
add channel=5ghz-channel country="United States" datapath=wifi-datapah \
    disabled=no mode=ap name=5ghz-configuration security=foxglenacres ssid=\
    foxglenacres
/interface wifi
set [ find default-name=wifi1 ]configuration=5ghz-configuration \
	disabled=no name=5ghz-wifi
set [ find default-name=wifi2 ] configuration=2ghz-configuration \
	disabled=no name=2ghz-wifi
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    5ghz-cnfiguration name-format=%I supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    2ghz-configuration name-format=%I supported-bands=2ghz-ax
 
voy4g3r2
just joined
Topic Author
Posts: 10
Joined: Wed Apr 10, 2024 11:22 pm

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Sat Apr 13, 2024 3:38 pm

interesting.. these little quirks throughout the configuration and gui can add up.

The datapath item, since i was making an AP based and a router based configuration, it seemed to make sense to have 2 datapath configurations.. but you are right in the end it is the same and just adds to the complexity of it all.

As for the DFC scan, i do notice when i make a change ONLY the 5ghz channel seems to show that message. Is that due to the nature of the frequency range? Part of me just wants to disable the 2.4ghz altogether but i have devices that ONLY work on that frequency range.

I do have a question on the tx power, from the manual the tx-power option sets the power of the 802.11a/b/g/n and by setting the 2.4ghz to 5 is that "lowering" the power of it.. to assist with having devices go "Hey 2.4 is low, connect to 5ghz because the signal is better?"

Thank you for the explanation and the thoroughness. This flexibility is a blessing and a curse all at the same time.
 
erlinden
Forum Guru
Forum Guru
Posts: 2040
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPsMAN configuring 5ghz but always defaulting to 2ghz

Sat Apr 13, 2024 4:06 pm

That is correct.
And you are very welcome...wifi on MikroTik is a real quest. Any experiences with it, should be shared.

Who is online

Users browsing this forum: kleshki and 5 guests