Stou
just joined
Topic Author
Posts: 7
Joined: Sun Sep 29, 2024 5:22 pm

CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Sun Sep 29, 2024 5:30 pm

Hi, I am a beginner user of RouterOS. I have encountered a problem of not being able to connect to one of the vlans. I have 3 vlans, one mgmt for CAPsMAN and 2 configured the same for users; one connects without a problem and the IP address is stuck. However, I cannot connect to the other, the message is "network connection error".
I have the same rules for vlans on FW.
Can I ask you for support, suggestions
Last edited by Stou on Sun Sep 29, 2024 7:46 pm, edited 1 time in total.
 
erlinden
Forum Guru
Posts: 2358
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Sun Sep 29, 2024 7:10 pm

Sure...go ahead.

Like: share config:
/export file=anynameyoulike
Remove the serial and any other private info.

You did read the documentation?
https://help.mikrotik.com/docs/display/ ... ionexample:
 
Stou
just joined
Topic Author
Posts: 7
Joined: Sun Sep 29, 2024 5:22 pm

Re: CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Sun Sep 29, 2024 7:54 pm

Hey, thanks for such a quick response

Yes of course I read it, without the documentation and YT, I wouldn't do it. Although I don't hide the fact that not everything is clear to me in the documentation.
So, I can connect to the Stou_CAP_Iot network, but I cannot connect to the Stou_CAP_home network.
My config:
# 2024-09-29 18:51:32 by RouterOS 7.15.3
# software id = 9L00-VFBB
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add admin-mac=auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=ap
set [ find default-name=wifi2 ] configuration.mode=ap
/interface vlan
add interface=bridge name=vlan-10-home vlan-id=10
add interface=bridge name=vlan-20-iot vlan-id=20
add interface=bridge name=vlan-33-mgmt vlan-id=33
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412 name=ch-2G-ax width=20mhz
add band=2ghz-n disabled=no name=ch-2G-n width=20mhz
add band=5ghz-ax disabled=no frequency=5180 name=ch-5G-ax skip-dfs-channels=\
    all width=20/40/80mhz
add band=5ghz-ac disabled=no name=ch-5G-ac skip-dfs-channels=all width=\
    20/40/80mhz
/interface wifi datapath
add client-isolation=no disabled=no name=datapath-home vlan-id=10
add client-isolation=yes disabled=no name=datapath-iot vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=sec-home
add authentication-types=wpa-psk,wpa2-psk disabled=no ft=yes ft-over-ds=yes \
    name=sec-iot
/interface wifi configuration
add channel=ch-2G-ax country="United States" datapath=datapath-home disabled=\
    no mode=ap name=cfg-home-2G-ax security=sec-home ssid=Stou_CAP_home \
    tx-power=22
add channel=ch-2G-n country="United States" datapath=datapath-home disabled=\
    no mode=ap name=cfg-home-2G-n security=sec-home ssid=Stou_CAP_home \
    tx-power=22
add channel=ch-5G-ax country="United States" datapath=datapath-home disabled=\
    no mode=ap name=cfg-home-5G-ax security=sec-home ssid=Stou_CAP_home \
    tx-power=22
add channel=ch-5G-ac country="United States" datapath=datapath-home disabled=\
    no mode=ap name=cfg-home-5G-ac security=sec-home ssid=Stou_CAP_home \
    tx-power=22
add channel=ch-2G-n country=Poland datapath=datapath-iot disabled=no mode=ap \
    name=cfg-iot-2G-n security=sec-iot ssid=Stou_CAP_iot
add channel=ch-2G-ax country=Poland datapath=datapath-iot disabled=no mode=ap \
    name=cfg-iot-2G-ax security=sec-iot ssid=Stou_CAP_iot
add channel=ch-5G-ac country=Poland datapath=datapath-iot disabled=no mode=ap \
    name=cfg-iot-5G-ac security=sec-iot ssid=Stou_CAP_iot
add channel=ch-5G-ax country=Poland datapath=datapath-iot disabled=no mode=ap \
    name=cfg-iot-5G-ax security=sec-iot ssid=Stou_CAP_iot
/interface wifi steering
add disabled=no name=steering_Stou_CAP_home neighbor-group=\
    dynamic-Stou_CAP_home-f18a66d1 rrm=yes wnm=yes
add disabled=no name=steering_Stou_CAP_iot neighbor-group=\
    dynamic-Stou_CAP_iot-c6d7975b rrm=yes wnm=yes
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=20.20.20.2-20.20.20.254
add name=dhcp_pool3 ranges=10.33.33.2-10.33.33.254
add name=dhcp_pool6 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool2 interface=vlan-20-iot name=dhcp-vlan-20
add address-pool=dhcp_pool3 interface=vlan-33-mgmt name=dhcp-vlan-33
add address-pool=dhcp_pool6 interface=vlan-10-home name=dhcp-vlan-10
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=33
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=vlan-33-mgmt package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    cfg-home-2G-ax slave-configurations=cfg-iot-2G-ax supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    cfg-home-5G-ax slave-configurations=cfg-iot-5G-ax supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=.*ac.* \
    master-configuration=cfg-home-2G-n slave-configurations=cfg-iot-2G-n \
    supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no identity-regexp=.*ac.* \
    master-configuration=cfg-home-5G-ac slave-configurations=cfg-iot-5G-ac \
    supported-bands=5ghz-ac
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1/24 interface=vlan-10-home network=10.10.10.0
add address=20.20.20.1/24 interface=vlan-20-iot network=20.20.20.0
add address=10.33.33.1/24 interface=vlan-33-mgmt network=10.33.33.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=192.168.88.1 gateway=10.10.10.1
add address=10.33.33.0/24 dns-server=192.168.88.1 gateway=10.33.33.1
add address=10.40.40.0/24 dns-server=192.168.88.1 gateway=10.40.40.1
add address=20.20.20.0/24 dns-server=192.168.88.1 gateway=20.20.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.90.0/24 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input in-interface=vlan-10-home
add action=accept chain=input in-interface=vlan-20-iot
add action=accept chain=input in-interface=vlan-33-mgmt
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


# 2024-09-29 18:52:17 by RouterOS 7.15.3
# software id = V4TH-LBHQ
#
# model = cAPGi-5HaxD2HaxD
# serial number = 
/interface bridge
add name=bridge-wifi vlan-filtering=yes
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Stou_CAP_home, channel: 5180/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Stou_CAP_home, channel: 2412/ax
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    disabled=no
/interface vlan
add interface=bridge-wifi name=vlan-33-mgmt vlan-id=33
/interface wifi datapath
add bridge=bridge-wifi disabled=no name=data-cap
/interface bridge port
add bridge=bridge-wifi interface=ether1
/interface bridge vlan
add bridge=bridge-wifi tagged=bridge-wifi,ether1 vlan-ids=10
add bridge=bridge-wifi tagged=bridge-wifi,ether1 vlan-ids=20
add bridge=bridge-wifi tagged=bridge-wifi,ether1 vlan-ids=33
/interface wifi cap
set caps-man-addresses=10.33.33.1 enabled=yes slaves-datapath=data-cap
/ip dhcp-client
add interface=vlan-33-mgmt
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=CAP_1_Flor
/system note
set show-at-login=no

 
neki
Member Candidate
Posts: 172
Joined: Thu Sep 07, 2023 10:20 am

Re: CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Sun Sep 29, 2024 10:36 pm

You are missing the bridge configuration for the wifi interfaces.


CAPsMAN
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=ap datapath.bridge=bridge
set [ find default-name=wifi2 ] configuration.mode=ap datapath.bridge=bridge

CAP
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
disabled=no datapath.bridge=bridge-wifi
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
disabled=no datapath.bridge=bridge-wifi

Do not forget that CAPsMAN cannot control local interfaces, just apply configuration directly to the interface.
 
Stou
just joined
Topic Author
Posts: 7
Joined: Sun Sep 29, 2024 5:22 pm

Re: CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Mon Sep 30, 2024 9:26 am

It works!! :D Thank you for your help and commitment
 
Stou
just joined
Topic Author
Posts: 7
Joined: Sun Sep 29, 2024 5:22 pm

Re: CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Mon Sep 30, 2024 12:10 pm

I have one more question: to assign, for example, vlan 10 to the ether5 port, I should do this:
/interface bridge port
add bridge=bridge interface=ether5 pvid=10
Theoretically it works and gets the right address, but is this ok?



By the way, great material; if you are a beginner like me I recommend:
viewtopic.php?f=13&t=143620
Last edited by Stou on Mon Sep 30, 2024 12:22 pm, edited 2 times in total.
 
erlinden
Forum Guru
Posts: 2358
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Mon Sep 30, 2024 12:15 pm

Apart from using ether5 instead of wlan5 (typo?), indeed all you have to do is:
/interface bridge port
add bridge=bridge1 interface=ether5 pvid=10

# optional

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether5 vlan-ids=10
 
Stou
just joined
Topic Author
Posts: 7
Joined: Sun Sep 29, 2024 5:22 pm

Re: CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Mon Sep 30, 2024 2:59 pm

Yes, my mistake. Thanks for the confirmation and alternative solution.
 
neki
Member Candidate
Posts: 172
Joined: Thu Sep 07, 2023 10:20 am

Re: CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Mon Sep 30, 2024 7:19 pm

That's not really an "alternate" solution, you should use both settings. And also set the frame-types allowed on the port...
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10
admit-only-vlan-tagged for trunks and admit-only-untagged-and-priority-tagged for access ports.
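The two fixes given in this thread (datapath.bridge on the CAPsMAN-managed wifi interfaces, and frame-types plus an untagged bridge-vlan entry on access ports) can be checked mechanically before a config is pushed. This is an added example, not code from the thread or from MikroTik: a small Python audit that parses a RouterOS 7 export (including its backslash line continuations) and flags wifi interfaces without datapath.bridge, access ports (those carrying a pvid) that lack the access frame-types or an untagged entry for their VLAN, and trunk ports without admit-only-vlan-tagged; the sample export is constructed.

```python
import re
import shlex

# Constructed sample (not the poster's export) with the defects the replies point out: wifi1
# lacks datapath.bridge, ether2 is a trunk with no frame-types, ether5 has pvid=10 but no
# untagged VLAN 10 entry. The ether5 line uses the export's '\' line continuation.
SAMPLE_EXPORT = """\
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=ap
set [ find default-name=wifi2 ] configuration.mode=ap datapath.bridge=bridge
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether5 pvid=10 \\
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
"""

def parse_export(text):
    """Return a (menu path, key=value dict) pair per add/set line of a RouterOS export."""
    path, entries = "", []
    for line in map(str.strip, re.sub(r"\\\n\s*", " ", text).splitlines()):
        if line.startswith("/"):  # menu path, e.g. /interface bridge port
            path = line
        elif line and not line.startswith("#"):
            sel = re.search(r"default-name=(\S+)", line)  # "set [ find default-name=wifi1 ] ..."
            kv = {"interface": sel.group(1)} if sel else {}
            body = re.sub(r"\[.*?\]", "", line.partition(" ")[2])
            kv.update(tok.split("=", 1) for tok in shlex.split(body) if "=" in tok)
            entries.append((path, kv))
    return entries

def audit(text):
    """One finding string per misconfiguration the replies above describe."""
    entries, untagged, findings = parse_export(text), {}, []
    for path, kv in entries:  # vlan-id -> ports listed untagged under /interface bridge vlan
        if path == "/interface bridge vlan":
            untagged.setdefault(kv.get("vlan-ids"), set()).update(kv.get("untagged", "").split(","))
    for path, kv in entries:
        port, ftypes = kv.get("interface", "?"), kv.get("frame-types", "admit-all")
        if path == "/interface wifi" and "datapath.bridge" not in kv:
            findings.append(f"{port}: no datapath.bridge, so wifi client traffic never enters the bridge")
        elif path == "/interface bridge port" and "pvid" in kv:  # access port
            if ftypes != "admit-only-untagged-and-priority-tagged":
                findings.append(f"{port}: access port needs frame-types=admit-only-untagged-and-priority-tagged")
            if port not in untagged.get(kv["pvid"], set()):
                findings.append(f"{port}: pvid={kv['pvid']} but no untagged entry for that VLAN")
        elif path == "/interface bridge port" and ftypes != "admit-only-vlan-tagged":
            findings.append(f"{port}: trunk (no pvid) needs frame-types=admit-only-vlan-tagged")
    return findings
```

Run audit() over the output of /export on the CAPsMAN and on each CAP; an empty list means the three checks pass, and wifi interfaces added dynamically by CAPsMAN do not appear under /interface bridge port, so only the wired ports are judged as trunk or access.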
 
Stou
just joined
Topic Author
Posts: 7
Joined: Sun Sep 29, 2024 5:22 pm

Re: CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Tue Oct 01, 2024 12:22 am

I'm trying to implement something like this:
something like that.jpg
The diagram used by user "pcunite" from the post viewtopic.php?f=13&t=143620 has been modified for educational purposes.

I wonder if what you wrote is necessary in this case?
 
neki
Member Candidate
Posts: 172
Joined: Thu Sep 07, 2023 10:20 am

Re: CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Tue Oct 01, 2024 8:47 pm

I'm somehow missing the other CAP in that picture?
 
Stou
just joined
Topic Author
Posts: 7
Joined: Sun Sep 29, 2024 5:22 pm

Re: CapsMan setup on ax2 & 2x cAP AX 7.15.3 with vlans

Thu Oct 03, 2024 5:28 pm

This is what it looks like:
something_2.jpg