Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Fri Nov 01, 2024 10:20 pm

Hello everyone,

I'm looking for guidance on testing the feasibility of the following network setup, which requires implementing VLANs for distinct networks (Guest 5G, Private 5G, IoT 2.4G) distributed via CAPsMAN on a multi-building Wi-Fi mesh infrastructure.

Layout and VLAN Specifications:

VLANs:
  • IoT VLAN (192.168.1.xxx): External access for MQTT, API (Google), Chirpstack, Node-RED, and full internet access.
  • Private VLAN (192.168.2.xxx): Full access to the internet.
  • Guest VLAN (192.168.3.xxx): Internet access with restrictions on unsafe or undesirable sites.
  • HRDWRete VLAN (192.168.4.xxx): Dedicated to network devices (Access Points, PtMP antennas, and the Central Router).

VPN and Remote Access:
  • WireGuard for remote access with a 16-character password.
  • Limit login attempts to 5, with a 48-hour block for any IP exceeding this.
  • Configuration of two remote access levels:
    - Super User: Full access to all VLANs and ports.
    - Normal User: Restricted access to specific services only.

Hardware Structure:

Building 1 - Main Home:

Floor1:
MikroTik SXTsq Lite2 antenna (part of the PtMP link, transmitting to the Garage) connected via ethernet to the Central Router.
MikroTik hAP ac lite RB952Ui-5ac2nD Access Point (only if Floor2 signal isn’t sufficient) connected via ethernet to the Central Router.
Client Device: PC with Home Assistant for home automation.

Floor2:
hAP ac2 for Wi-Fi connected via ethernet to the Central Router.
Client Devices: PC1 and PC2, connected via Ethernet to the hAP ac2.

Boiler Room:
RBcAPGi-5acD2nD-XL cAP XL ac directly connected to the Central Router via ethernet, distributing Wi-Fi VLAN across the main home.

Building 2 - Garage:

MikroTik SXT 2 antenna (PtMP link between Main Home and Other Home).
MikroTik hAP ac lite RB952Ui-5ac2nD Access Point for the VLANs.
Client Device: Raspberry Pi Lora for IoT device management.

Building 3 - Other Home:

MikroTik SXTsq Lite2 antenna (PtMP link).
MikroTik hAP ac lite RB952Ui-5ac2nD Access Point for Wi-Fi.

Point-to-MultiPoint Link:

Three MikroTik SXTsq Lite2 antennas:
One in the Main Home (connected to the Central Router).
One in the Garage (linking Main Home and Other Home).
One in the Other Home.

Central Router (RB4011iGS+RM): Manages connections, routing, and CAPsMAN for all access points across the three buildings.
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Sat Nov 02, 2024 10:14 am

Questions:

  • CAPsMAN Compatibility: Is the hardware in the Main Home compatible for implementing a CAPsMAN-based mesh network?
  • VLAN and VPN Extension: Is it feasible to extend the VLANs and VPN access across the Garage and Other Home?
  • Does the SXTsq Lite 2 in Building 1 need to be configured as a CAP, or is this unnecessary? If it does, would the Level 3 license limit its functionality, given that it lacks a Level 4 license?
Any advice or shared experience is highly appreciated! Thanks in advance.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM  [SOLVED]

Sat Nov 02, 2024 11:09 am

Forget about CAPsMAN for your PtMP setup: CAPsMAN can only provision APs and in your case AP-bridge (SXT in garage) is not accessible from CAPsMAN (RB4011) until the link between main building and garage is already up ... which means AP-bridge device can't be provisioned by capsman.
And since PtMP will have a completely different set of wifi parameters, I don't see any benefit of having it capsman-provisioned. There is an IMO major drawback of having PtMP gear managed by capsman: if capsman becomes unreachable, then AP stops working (and restarts working after it can reach capsman again). Which can be a royal PITA if you have to use certain wireless connection to fix problems. For the very same reason I always manually set IP addresses of network infrastructure gear even if I have DHCP server running and static leases would seem to do the trick (well, they wouldn't if device for some reason can't talk to DHCP server when it needs to).

Your RB4011 is fine as CAPsMAN. All of your AP devices are capable of running the wifi-qcom-ac driver (I only did a quick overview, I may be missing something though), so if you'll run ROS version 7.13 or higher, you can control all of them by configuring capsman on RB4011 under /interface/wifi.
If for some reason not all of the APs will run the wifi-qcom-ac driver, then you'd have to run two capsmans on RB4011 (new wifi one and legacy wireless one); configurations for both are distinct, they don't cooperate. Try to avoid this scenario, the new wifi setup brings quite a few benefits (better AC speeds, WPA3 if stations behave, better station mobility between capsman-driven APs, etc.)

The PtMP gear is capable of acting as transparent bridge between parts of your network, and that includes passing VLANs.
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Sat Nov 02, 2024 11:45 am

Thank you for the detailed response!

I want to confirm that I understood your suggestions correctly. Based on your guidance, my plan is to configure all access points in Building 1 as CAPs, with the central router managing CAPsMAN exclusively for Building 1. For the point-to-multipoint link, I will configure the antennas in a traditional setup—one as a station and the other as a transparent bridge—without involving CAPsMAN. This means CAPsMAN management would be limited to the access points and the central router in Building 1. Could you please confirm if this configuration approach is correct and if it would work as expected?

Additionally, I need the Wi-Fi in Buildings 2 and 3 to extend the VLANs from Building 1, so I’m unsure which “new Wi-Fi” you referred to in your response. Could you clarify this part?

I’ll also check compatibility with the QCOM AC Wi-Fi driver for my access points. Both devices use the Qualcomm IPQ-4018 chipset, which supports the 802.11ac standard and appears compatible with the wifi-qcom-ac driver.

Another question: would you recommend configuring CAPsMAN in Building 1 first and then setting up the point-to-multipoint bridge, or would it be better to establish the bridge first and then configure the local mesh network?

Finally, regarding IP configuration, if I understood correctly, adding a VLAN specifically for the antennas, APs, etc., might not be necessary, as it would be more effective to assign them static IPs. In any case, would it be advisable to place them on a dedicated subnet?

Thank you again for your help!
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Sat Nov 02, 2024 7:42 pm

Configuration of PtMP gear is a separate task from configuring the rest of APs. In principle you first configure the device which will act as AP-bridge (the "hub" device) ... set up wireless parameters. Then set both "spoke" devices as station-bridge devices and get them connect to the hub device. After you get it done, configure all 3 devices with VLANs as you want. The trick about passing VLANs over PtMP devices is to add wireless interfaces as trunk ports to the bridge (each PtMP will have one vlan-aware bridge, added wired and wireless ports as tagged members).

After the PtMP network is up and running, connecting all 3 buildings (transparently), you can configure also APs in the other two buildings as CAPsMAN managed devices if you want and if that would make the task of managing network easier.

As to IP addressing: it all depends on the trust you can place in all of networked devices. Usually management is separate from (one or multiple) user network to protect network infrastructure from potential (or real) threats, coming from other networked devices. Normally it's advisable to do the separation, but it doesn't help much if it's not done properly ...
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Sun Nov 03, 2024 12:17 am

Thank you for the detailed guidance! I still have a question regarding the Point-to-Multipoint (PtMP) setup. Building 1, equipped with the SXTsq Lite2, has a line of sight only to the SXT 2 in Building 2 and cannot directly see the second SXTsq in Building 3, forming a triangular layout with each antenna at a corner. Given that the device connected to the modem is not in a central location, would this affect my configuration or limit the VLAN or VPN capabilities I intend to propagate throughout the network?

Additionally, should I configure the spoke in Building 2 with two wireless interfaces: one as a station-bridge directed toward the hub and the other as an AP-bridge connecting to the spoke in Building 3? Alternatively, would it be better to set the SXT 2 in Building 2 as the hub (ap-bridge) and configure the SXTsq Lite2 in the Main Home as a station-bridge “spoke”?


Here is a draft:
             Garage 2 (SXT 2)
               /              \
              /                 \
             /                    \
   (Direct line of sight) (Direct line of sight)
           /                         \
  Main Home 1               Other Home 3 (SXTsq Lite2)
  (SXTsq Lite2)              (Connected via Building 2)
  to WWW.

Lastly, I think it may be more practical to assign static IPs to the APs, antennas, and router, provided that the firewall is configured to prevent direct access from other VLANs (except for authorized users). I assume that’s the direction I should take, correct?

As soon as the missing hardware arrives, I’ll proceed with applying these configurations and will update you on the success (or challenges) of this small but complex home network setup. :D
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Sun Nov 03, 2024 11:16 am

"Traffic direction" over PtMP has nothing to do with radio topology of PtMP setup. It's all about radio: single radio can not be station to two APs because it can only operate at one frequency. For this reason hub devices normally operate as APs and spoke devices operate as stations. It is possible to configure single radio as two interfaces (virtual/slave in addition to physical/master) and use one as AP. However, master has to operate as station. The reason is that only master can control physical properties of radio (frequency, channel width, Tx power, etc.) and if any of interfaces is used as station it has to follow whatever changes AP decides to do.
So your garage device will be hub/AP, house devices will both be spokes/stations.

The question about number of wireless interfaces on hub device: you could go with one interface per spoke, one would use physical radio interface, the other would use virtual wireless interface. But this would only make sense if you'd treat both links as "alien" links, i.e. you'd run firewall and control traffic between them. Which is, if I understand your intended layout, not something you want ... you would bridge them this way or another to get VLANs going between both houses. So no benefit in setting up two SSIDs on hub node. Simply set single SSID (for use solely for PtMP, so different than the one used on CAPs) and configure both spoke devices as station-bridge to the same SSID. Doing so will actually spare some processing on hub device, traffic between both houses will be entirely handled by wireless driver on AP-bridge, it won't even hit the bridge itself. Just make sure that wireless interface has default-forwarding set to yes (it's default setting).
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Sat Nov 09, 2024 5:12 pm

I hope it’s alright to reply here without opening a new topic.

I’ve attempted to set up the point-to-multipoint (PtMP) configuration as advised but ran into a few issues. Here’s the current setup:
1. Building 1 (Main Home) - The SXTsq Lite2 here only configures in station mode, and I’m unable to set it as station-bridge, but the connection works fine.
2. Building 3 (Other Home) - The SXTsq Lite2 here also won’t configure in station-bridge. Additionally, I’m experiencing about a 30% packet loss when pinging the modem in Building 1, and in the routing menu, the gateway shows as ‘unreachable,’ which results in no internet access (ping to 8.8.8.8 times out).
3. Garage Hub - I successfully added an access point bridge here, and the connected clients are browsing without any issues.

I haven’t configured the VLANs yet, as I wanted to complete the PtMP setup first.

I’m wondering if the limitations I’m facing could be related to the Level 3 license on the SXTsq Lite2 devices, or potentially because I couldn’t upgrade them to RouterOS 7 due to memory constraints. Do you think it would be necessary to replace these with Level 4 devices to achieve full PtMP functionality?

Thanks in advance for any guidance.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Sat Nov 09, 2024 7:37 pm

The difference between license level 3 and 4 (when it comes to radio) is that level 3 device can only be connected to one peer ... so any of station modes or bridge (but not ap-bridge). In PtMP scenario this means it can only be "spoke", not "hub". As to the rest of performance there's no real difference (in this scenario).

As long as you'll use these devices to run L2 PtMP links you don't need them to run ROS v7. ROS v7 brings new functionality, such as wireguard or zerotier. But it's not needed for L2 links.
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Sun Nov 10, 2024 6:47 pm

Thank you, mkx, for the clarification. I’ll try to pinpoint where the data flow stops using a traceroute; I suspect the lack of connection in Building 3 may be due to the low Tx/Rx signal quality, which is around 35/6% CCQ.

In any case, I assume that even if I were to use WireGuard or ZeroTier on the RB4011 (the main router in Building 1), the VPN packets would still be routed through the SXTsq Lite2 devices located in Building 3, correct? Thanks again for your help!
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Sun Nov 10, 2024 10:27 pm

By setting both spoke devices to station instead of station-bridge mode things get less transparent. So I wonder why you can't set these devices into station-bridge ... what is error message?

Seeing CCQ considerably less than say 90 (100 would be ideal) while link is in use means trouble for the link. Can mean interference, can mean antenna misalignment (how are signal levels, compared to the link with better CCQ?), can mean too long distance, can be obstacles between antennas (line of sight and close surroundings), etc.
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Tue Nov 12, 2024 1:19 am

Hi mkx,

I accessed the antenna using Winbox 3.41 and positioned it in a "comfortable" location, and it appears to be working well (the mode stays in station-bridge and doesn't change to bridge), including internet connectivity. I’ll try repositioning the SXTsq Lite2 on the roof, which provides a clear line of sight to the HUB station.

Regarding the CAPsMAN configuration, I’ve looked up various guides and examples online, but many seem quite complex. Do you have any recommendations for a setup similar to mine to configure CAPsMAN in Building 1 while extending the VLANs to the other buildings? I’ll follow your valuable suggestion not to provision the AC-Bridge HUB as a CAP, instead managing traffic from the PtMP link as if it’s coming through the ethernet port connected to the SPOKE in Building 1, thanks to the transparent link across the three buildings.

Thanks again for your guidance!
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Tue Nov 12, 2024 2:19 pm

Did you manage to set up your PtMP into transparent operation? After this is done, you can add configuration to transparently pass 802.1Q headers (VLANs). Or you can decide not to go with VLANs and keep the whole network (all 3 sites) as one flat LAN. In any case, CAPsMAN / CAP configuration is exactly the same as if there were UTP cables connecting all 3 sites (which is the point of having PtMP fully transparent to L2 traffic).

If you can't wrap your head around the concepts, then post configuration of all 3 PtMP devices and of main router (I guess you'll run CAPsMAN on that device) and we'll try to help you to push forward.
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Tue Nov 12, 2024 6:55 pm

Thank you, mkx. Indeed, I’m building this network as a hobby and out of a passion for doing things well. I’m also trying to understand the details as much as possible. For instance, I read about Trunk ports for passing VLANs, but it seems that these might not be available on the spoke stations, at least based on what I read in the manual.

I managed to configure both spokes in station-bridge mode, with the hub set to AC-bridge. However, I’m unable to update the SXTsq Lite2 devices due to low memory (when I try installing the new RouterOS, it fails due to insufficient space, and I can't get Netinstall to work on Mac). As a result, these devices are running RouterOS v6.40.4, which I believe may not fully support VLAN options, though please correct me if I'm mistaken (I’ve reviewed the Manual VLAN Trunk guide).

I’ve also configured the RB4011 as CAPsMAN, and I’ve successfully provisioned a CAP (cAP XL ac). I’m currently waiting for the additional CAPs to arrive to complete the setup.

In any case, I’ll first work on configuring the VLAN propagation between the main house and the garage. Later, once I’ve cleared the line of sight from trees, I’ll add the second spoke, which is currently connected to the hub from a different location (where PtMP shows good communication signals).

If you confirm that I can proceed with configuring the spokes to propagate VLANs on this RouterOS version, I’ll go ahead and share my configuration with you. Otherwise, I’ll need to find a way to update RouterOS.
Thanks again for your guidance!
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Tue Nov 12, 2024 7:12 pm

Here is the configuration of the PtMP, now connected to the other router/modem with only one flat LAN.

SPOKE building 1 (same as building 2, except that I will set another IP on the MNG subnet, e.g. 192.168.99.XXX):
# jan/06/1970 05:50:10 by RouterOS 6.40.4
# software id = TGDA-J80N
#
# model = RouterBOARD SXTsq 2nD
# serial number = 935F088F2F42
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=5 band=2ghz-b/g/n country=italy \
    disabled=no frequency=auto frequency-mode=regulatory-domain mode=\
    station-bridge nv2-preshared-key=MY_KEY nv2-security=enabled radio-name=\
    CANTINA ssid=LINK_PTMP wireless-protocol=nv2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
/ip address
add address=192.168.1.222/24 interface=bridge1 network=192.168.1.0
/ip route
add distance=1 gateway=192.168.1.1
/system identity
set name=CANTINA

HUB garage:

# nov/12/2024 18:09:21 by RouterOS 6.47.10
# software id = 24XI-Z525
#
# model = RBSXTG-2HnD
# serial number = E2200FBAAE75
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy disabled=no \
    mode=ap-bridge nv2-preshared-key=MY_KEY nv2-security=enabled radio-name=\
    MASTER ssid=LINK_PTMP wds-mode=dynamic wireless-protocol=nv2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=wlan1 list=WAN
/ip address
add address=192.168.1.223/24 comment=defconf interface=bridge1 network=\
    192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MASTER-BAITA
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.233
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Access Point connected to the HUB
# nov/12/2024 18:13:16 by RouterOS 6.49.13
# software id = RDEZ-NLWV
#
# model = RBD52G-5HacD2HnD
# serial number = HGG09JPQ53D
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=italy disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=baita_sp
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add name=profile1 supplicant-identity=""
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.1.2 interface=bridge1 network=192.168.1.1
/ip dhcp-relay
add dhcp-server=192.168.1.1 disabled=no interface=bridge1 name=relay1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip route
add distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=hAPac2-baita

Here is the config for the RB4011; this router will be the next MAIN ROUTER and will replace the current modem/router when the Iliad box arrives.

MAIN ROUTER:
# 1970-01-02 00:16:45 by RouterOS 7.16.1
# software id = YIFI-TGP1
#
# model = RB4011iGS+
# serial number = F0260E3AB466
/caps-man configuration
add country=italy datapath.local-forwarding=yes .vlan-id=10 .vlan-mode=\
    use-tag name=Config_WORK security.authentication-types=wpa-psk,wpa2-psk \
    ssid=WiFi_WORK
add country=italy datapath.local-forwarding=yes .vlan-id=20 .vlan-mode=\
    use-tag name=Config_GUEST security.authentication-types=wpa-psk,wpa2-psk \
    ssid=WiFi_GUEST
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=ether1 name=VLAN10 vlan-id=10
add interface=ether1 name=VLAN20 vlan-id=20
/caps-man datapath
add bridge=bridge1 name=datapath1 vlan-mode=use-tag
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/iot lora servers
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip pool
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
/port
set 0 name=serial0
set 1 name=serial1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether3
add disabled=no interface=ether4
add disabled=no interface=bridge1
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_WORK \
    slave-configurations=Config_GUEST
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=ether1,ether2,ether3 vlan-ids=20
/ip address
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip dhcp-server
add address-pool=dhcp_pool10 interface=VLAN10 name=dhcp10
add address-pool=dhcp_pool20 interface=VLAN20 name=dhcp20
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
/system note
set show-at-login=no
CAPs
# 1970-01-02 00:21:33 by RouterOS 7.16.1
# software id = RVFE-U8JJ
#
# model = RBcAPGi-5acD2nD
# serial number = HGF09PSNR27
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(14dBm), SSID: WiFi_WORK, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(17dBm), SSID: WiFi_WORK, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface wireless cap
# 
set discovery-interfaces=bridge1 enabled=yes interfaces=wlan1,wlan2
/system note
set show-at-login=no
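As an added example (not from the thread, and not MikroTik documentation), here is the VLAN-trunk arrangement mkx describes (one VLAN-aware bridge per PtMP device, wired and wireless ports as tagged members, default-forwarding=yes on the hub radio), written as the changes to apply on top of the SPOKE (CANTINA) and HUB (MASTER-BAITA) exports above. The VLAN IDs 10/20/30/99, the 192.168.99.0/24 management subnet with the RB4011 at 192.168.99.1, and the interface name vlan99-mgmt are assumptions.

```routeros
# ---------- SPOKE (SXTsq Lite2, station-bridge), repeat on the second spoke with its own address ----------
# bridge1 with ether1 and wlan1 as ports already exists in the posted export.
# Every VLAN crosses the radio and the cable tagged; nothing user-facing is untagged on the link.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,wlan1 vlan-ids=99
add bridge=bridge1 tagged=ether1,wlan1 vlan-ids=10,20,30
# Management address moves off bridge1 onto a VLAN interface (the "MNG subnet" mentioned in the post).
# bridge1 is a tagged member of VLAN 99 above so that this interface actually receives traffic.
/interface vlan
add interface=bridge1 name=vlan99-mgmt vlan-id=99
/ip address
remove [ find interface=bridge1 ]
add address=192.168.99.11/24 interface=vlan99-mgmt comment="assumed management address"
/ip route
set [ find gateway=192.168.1.1 ] gateway=192.168.99.1
# Switch filtering on last: enabling it before the VLAN table exists cuts off your own access.
/interface bridge
set bridge1 vlan-filtering=yes

# ---------- HUB (SXT 2, ap-bridge) ----------
# Spoke-to-spoke frames are forwarded inside the wireless driver, as mkx notes; keep the default.
/interface wireless
set [ find default-name=wlan1 ] default-forwarding=yes
# The posted hub export already has vlan-filtering=yes but no VLAN table, so only PVID 1 untagged
# traffic passes today. Same trunk table as on the spokes; ether1 goes to the hAP ac2 AP.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,wlan1 vlan-ids=99
add bridge=bridge1 tagged=ether1,wlan1 vlan-ids=10,20,30
/interface vlan
add interface=bridge1 name=vlan99-mgmt vlan-id=99
/ip address
remove [ find interface=bridge1 ]
add address=192.168.99.10/24 interface=vlan99-mgmt comment="assumed management address"
/ip route
set [ find gateway=192.168.1.1 ] gateway=192.168.99.1
# The radio is a transparent LAN-side trunk, not an uplink: the posted export lists wlan1 in WAN,
# which would pair it with the masquerade rule if routing were ever enabled on this box.
/interface list member
set [ find interface=wlan1 ] list=LAN
# Management plane reachable only from the management VLAN (mkx's point about separating
# infrastructure from user networks). Replaces the disabled defconf input rules.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=vlan99-mgmt action=accept comment="mgmt from VLAN 99 only"
add chain=input action=drop comment="drop everything else to the device itself"

# ---------- RB4011 side ----------
# The port facing the spoke in building 1 (ether5, commented LINK_PTMP in the later export)
# must carry the same tags, otherwise the trunk ends at the router.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=99
add bridge=bridge1 tagged=ether5 vlan-ids=10,20,30
```

Apply the spoke and hub changes from a wired ether1 session (or via MAC-Winbox) rather than across the radio, since the address change and the filtering switch both interrupt the existing 192.168.1.x path.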
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Tue Nov 12, 2024 7:22 pm

6.40 is ancient and can miss some functionality. I highly recommend you to upgrade to 6.49.17 (latest v6). I understand you may struggle but IMO this is essential. And yes, netinstall is almost certainly a must (lack of space likely indicates remnants of unwanted config and/or unnecessary files on filesystem).

My reading of the help document you linked doesn't corroborate your theory about VLANs not being supported on spoke devices, the manual clearly shows them on AP and station side (in your PtMP setup you'll have two stations and that's the biggest difference).
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Tue Nov 12, 2024 7:29 pm

Thank you, mkx. I may not have explained myself clearly—I was only concerned from the manual that it might not be possible to configure VLANs properly on the spokes with RouterOS 6.40.

I’ll try to update RouterOS with Netinstall somehow, but it’s quite challenging to do this from macOS. I’ll find a Windows PC if necessary to make it work.
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Thu Nov 14, 2024 5:54 pm

Currently, I have a setup where my RB4011 is placed between the AGCOMBO (current ISP) and a PtMP bridge (station bridge spoke to an AC bridge HUB), which is connected to an output of the RB4011.

I am adding VLANs only to a portion of the network at this time. I’ve set all ports of the hAP ac2 as trunks to carry all VLANs, with plans to optimize the VLAN table later.

Initially, I wanted to keep the IoT subnet on 192.168.1.0/24 to avoid changing IPs and routes of existing nodes, but I encountered conflicts. I then configured the subnet to 192.168.10.xxx. This allowed the RB4011 to reach the network, but the other devices are receiving an IP from the RB4011’s DHCP that differs from what I had manually assigned to them, causing access issues.

The problem is that while the RB4011 pings the AGCOMBO and Google correctly, it cannot reach the devices. These devices remain isolated, as if there were a physical barrier rather than a network connection. I suspect there may be issues with the routing. My intention was to set up a route for all nodes to point to the RB4011, but I’m not sure where the configuration is going wrong.

I’ve also tried configuring some forwarding rules between the RB4011 and AGCOMBO to allow access from the external environment during debugging, but these haven’t worked.

I would appreciate any advice on how to better configure this network to resolve the access and routing issues between the devices and the RB4011.

RB4011
# 1970-01-02 00:44:11 by RouterOS 7.16.1
# software id = YIFI-TGP1
#
# model = RB4011iGS+
# serial number = F0260E3AB466
/caps-man configuration
add country=italy datapath.local-forwarding=yes .vlan-id=20 .vlan-mode=\
    use-tag name=Config_WORK security.authentication-types=wpa-psk,wpa2-psk \
    ssid=WiFi_WORK
add country=italy datapath.local-forwarding=yes .vlan-id=30 .vlan-mode=\
    use-tag name=Config_GUEST security.authentication-types=wpa-psk,wpa2-psk \
    ssid=WiFi_GUEST
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=ether_to_WAN
set [ find default-name=ether2 ] comment=CAPs-3-sala
set [ find default-name=ether3 ] comment=CAPs-1-cantina
set [ find default-name=ether4 ] comment=CAPs-2-lab
set [ find default-name=ether5 ] comment=LINK_PTMP
/interface vlan
add comment=IoT interface=bridge1 name=VLAN10 vlan-id=10
add comment=Privata interface=bridge1 name=VLAN20 vlan-id=20
add comment=Ospiti interface=bridge1 name=VLAN30 vlan-id=30
add comment=MNGM interface=bridge1 name=VLAN99 vlan-id=99
/caps-man datapath
add bridge=bridge1 client-to-client-forwarding=no name=datapath1 vlan-mode=\
    use-tag
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/iot lora servers
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool30 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool99 ranges=192.168.99.2-192.168.99.254
/port
set 0 name=serial0
set 1 name=serial1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_WORK \
    slave-configurations=Config_GUEST
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=30
add bridge=bridge1 interface=ether5 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether3,ether2,ether4,ether5 vlan-ids=10
add bridge=bridge1 tagged=ether2,ether3,ether4,ether5 vlan-ids=20
add bridge=bridge1 tagged=ether2,ether3,ether4,ether5 vlan-ids=30
add bridge=bridge1 tagged=ether2,ether3,ether4,ether5 vlan-ids=99
/ip address
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
add address=192.168.99.1/24 interface=VLAN99 network=192.168.99.0
add address=192.168.1.3/24 comment="Static IP for WAN" interface=ether1 \
    network=192.168.1.0
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN10 name=dhcp1
add address-pool=dhcp_pool20 interface=VLAN20 name=dhcp20
add address-pool=dhcp_pool30 interface=VLAN30 name=dhcp30
add address-pool=dhcp_pool99 interface=VLAN99 name=dhcp99
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.3
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8 gateway=192.168.30.1
add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall nat
add action=dst-nat chain=dstnat comment=prt-frw-HOA_raspi dst-address=\
    192.168.1.3 dst-port=8123 protocol=tcp to-addresses=192.168.10.244 \
    to-ports=8123
add action=dst-nat chain=dstnat comment=prt-frw-IOT-NR_raspiiot dst-address=\
    192.168.1.3 dst-port=9995 protocol=tcp to-addresses=192.168.10.246 \
    to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-IOT-NR_raspiiot dst-address=\
    192.168.1.3 dst-port=9995 protocol=udp to-addresses=192.168.10.246 \
    to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_ChripS_raspilora \
    dst-address=192.168.1.3 dst-port=9997 protocol=tcp to-addresses=\
    192.168.10.249 to-ports=8080
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_ChripS_raspilora \
    dst-address=192.168.1.3 dst-port=9997 protocol=udp to-addresses=\
    192.168.10.249 to-ports=8080
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_NR_raspilora \
    dst-address=192.168.1.3 dst-port=9996 protocol=udp to-addresses=\
    192.168.10.249 to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_SSH_raspilora \
    dst-address=192.168.1.3 dst-port=9994 protocol=tcp to-addresses=\
    192.168.10.249 to-ports=22
add action=dst-nat chain=dstnat comment=prt-frw-HOA_raspi dst-address=\
    192.168.1.3 dst-port=8123 protocol=tcp to-addresses=192.168.10.244 \
    to-ports=8123
add action=dst-nat chain=dstnat comment=prt-frw-IOT-NR_raspiiot dst-address=\
    192.168.1.3 dst-port=9995 protocol=tcp to-addresses=192.168.10.246 \
    to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-IOT-NR_raspiiot dst-address=\
    192.168.1.3 dst-port=9995 protocol=udp to-addresses=192.168.10.246 \
    to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_ChripS_raspilora \
    dst-address=192.168.1.3 dst-port=9997 protocol=tcp to-addresses=\
    192.168.10.249 to-ports=8080
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_ChripS_raspilora \
    dst-address=192.168.1.3 dst-port=9997 protocol=udp to-addresses=\
    192.168.10.249 to-ports=8080
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_NR_raspilora \
    dst-address=192.168.1.3 dst-port=9996 protocol=udp to-addresses=\
    192.168.10.249 to-ports=1880
add action=dst-nat chain=dstnat comment=prt-frw-lora_g_SSH_raspilora \
    dst-address=192.168.1.3 dst-port=9994 protocol=tcp to-addresses=\
    192.168.10.249 to-ports=22


/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="NAT for Internet access"

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main \
    suppress-hw-offload=no
/system note
set show-at-login=no
SXTsq lite 2 - 1st (and, for the moment, only) spoke:

# 2024-11-14 13:40:25 by RouterOS 7.12.1
# software id = TGDA-J80N
#
# model = RBSXTsq2nD
# serial number = 935F088F2F42
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy disabled=no \
    frequency=auto mode=station-bridge nv2-security=enabled radio-name=\
    CANTINA ssid=LINK_PTMP station-roaming=enabled wireless-protocol=nv2
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full"
/interface vlan
add interface=bridge1 name=VLAN99 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 hw=no interface=ether1
/interface detect-internet
set detect-interface-list=all
/ip address
add address=192.168.10.222/24 interface=bridge1 network=192.168.10.0
add address=192.168.99.222/24 interface=VLAN99 network=192.168.99.0
/ip dns
set servers=8.8.8.8
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=CANTINA
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.204.114.232
add address=193.204.114.233
/system package update
set channel=development
SXT2 - AC bridge - HUB device:
# nov/14/2024 13:42:31 by RouterOS 6.47.10
# software id = 24XI-Z525
#
# model = RBSXTG-2HnD
# serial number = E2200FBAAE75
/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy disabled=no \
    mode=ap-bridge nv2-preshared-key=alvise nv2-security=enabled radio-name=\
    MASTER ssid=LINK_PTMP wds-mode=dynamic wireless-protocol=nv2
/interface vlan
add interface=bridge1 name=VLAN99 vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=wlan1 list=WAN
/ip address
add address=192.168.10.223/24 comment=defconf interface=bridge1 network=\
    192.168.10.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping distance=1 gateway=192.168.10.1
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MASTER-BAITA
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.233
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
AC-bridge hAPac2: distribute VLANS to devices + wifi
# nov/14/2024 13:37:26 by RouterOS 6.49.13
# software id = RDEZ-NLWV
#
# model = RBD52G-5HacD2HnD
# serial number = HGG09JPQ53D
/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=italy disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=baita_sp
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge1 name=VLAN99 vlan-id=99
add interface=bridge1 name=vlan10 vlan-id=10
add comment=guest interface=bridge1 name=vlan20 vlan-id=20
add comment=WORK interface=bridge1 name=vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add name=profile1 supplicant-identity=""
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether4
add bridge=bridge1 ingress-filtering=yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether2,ether3,ether4,wlan1,wlan2,ether5 \
    vlan-ids=10
add bridge=bridge1 tagged=ether1,ether2,ether3,ether4,ether5,wlan1,wlan2 \
    vlan-ids=20
add bridge=bridge1 tagged=ether1,ether2,ether3,ether4,ether5,wlan1,wlan2 \
    vlan-ids=30
add bridge=bridge1 tagged=ether1,ether2,ether3,ether4,ether5,wlan1,wlan2 \
    vlan-ids=99
/ip address
add address=192.168.10.220 interface=bridge1 network=192.168.10.1
add address=192.168.99.223 interface=VLAN99 network=192.168.99.0
/ip dhcp-relay
add dhcp-server=192.168.1.1 disabled=no interface=bridge1 name=relay1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip route
add distance=1 gateway=192.168.10.1
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=hAPac2-baita
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Thu Nov 14, 2024 6:36 pm

Two things which poke my eyes:
  1. disable detect-internet at least on PtMP devices ... I'd disable it on all devices since you're trying to configure things properly yourself.
    Function detect-internet may help in case when user connects WAN to a wrong ether port. But it also has the potential to royally mess with your (painfully crafted) manual configuration.
  2. remove all routing and firewall stuff on hub device. As well as DHCP server etc. The idea is that PtMP appears as an ethernet switch to connected devices (i.e. transparently connect parts of network, connected to ether1 ports of all 3 PtMP devices) ... so your main router (RB4011) is supposed to perform those tasks - routing between VLANs and internet, firewalling, serving DHCP requests, etc.
    Adding a single default route on each of those devices via management IP address of main router has only one purpose: to allow PtMP devices communicate with other subnets (including internet) - if FW on main router allows. It has nothing to do with traffic only passing PtMP between ether ports (on edges of your PtMP "cloud").
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Fri Nov 15, 2024 7:00 pm

I have configured the first access point, which should tag incoming traffic.

If I have understood the concept correctly so far, between the RB4011 and the hAP ac2, it’s as if there is a single Ethernet connection (connected to eth5 on the router and eth1 on the AP). This is true thanks to the transparency of the Point-to-Multi-Point bridge that you have already explained to me in detail.

Once the RB4011 is introduced and all traffic directed to it is masked, it forwards the traffic to the ISP. So far, so good. The problem now lies with the hAP ac2, which does not tag VLAN10 for the hosts trying to connect to the vwlan-iot. In fact, running a Torch does not show any VLAN ID.

Additionally, wlan1 "baita_sp" is also active, which I use as untagged to manage communications. The goal is to gradually move the various devices to their respective VLANs over time.

Below is the configuration and attached the .rsc just in case:
# nov/15/2024 17:52:09 by RouterOS 6.49.13
# software id = RDEZ-NLWV
#
# model = RBD52G-5HacD2HnD
# serial number = HGG09JPQ53D
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=italy disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=baita_sp
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add comment=IOT interface=bridge1 name=VLAN10 use-service-tag=yes vlan-id=10

DISABLED
add comment=guest disabled=yes interface=bridge1 name=VLAN20 vlan-id=20
add comment=WORK disabled=yes interface=bridge1 name=VLAN30 vlan-id=30
add disabled=yes interface=bridge1 name=VLAN99 vlan-id=99

/interface wireless
add disabled=no keepalive-frames=disabled mac-address=D6:01:C3:B1:E8:68 \
    master-interface=wlan1 multicast-buffering=disabled name=vwlan-iot ssid=\
    WiFi-IOT vlan-id=10 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add name=profile1 supplicant-identity=""
/interface bridge port
add bridge=bridge1 interface=ether3 pvid=10 tag-stacking=yes
add bridge=bridge1 ingress-filtering=yes interface=ether1
add bridge=bridge1 ingress-filtering=yes interface=ether2 pvid=10 \
    tag-stacking=yes
add bridge=bridge1 ingress-filtering=yes interface=wlan1
add bridge=bridge1 ingress-filtering=yes interface=ether4
add bridge=bridge1 ingress-filtering=yes interface=ether5
add bridge=bridge1 interface=vwlan-iot tag-stacking=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,vwlan-iot untagged=ether2,ether3 vlan-ids=\
    10
    
DISABLED
add bridge=bridge1 disabled=yes tagged=ether1,ether2,ether3,ether4,ether5 \
    untagged=wlan1,wlan2 vlan-ids=20
add bridge=bridge1 disabled=yes tagged=ether1,ether2,ether3,ether4,ether5 \
    untagged=wlan1,wlan2 vlan-ids=30
add bridge=bridge1 disabled=yes tagged=ether1,ether2,ether3,ether4,ether5 \
    untagged=wlan1,wlan2 vlan-ids=99
    
/ip address
add address=192.168.10.220 interface=bridge1 network=192.168.10.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=hAPac2-baita
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Fri Nov 15, 2024 7:39 pm

Commenting on config from attached rsc file ...

You shouldn't set use-service-tag=yes, it switches over to different type of VLAN headers. And no tag stacking.

All in all device config is a mess. So I suggest you to start over:
  1. install ROS 7.16.1 on your hAP ac2, it'll improve wifi performance quite a lot compared to legacy wireless driver you have currently installed. I suggest you to use netinstall and if you're going with 7.16.1, you have to install also optional package "wifi-qcom-ac"
  2. use winbox to connect to device and go from empty config
  3. create single bridge with VLAN filtering enabled, add all ether ports except the one you'll use to configure it (you'll add it later when you check that other ports are fine). Also add both wifi interfaces.
  4. configure wifi parameters. The new driver has configuration under /interface/wifi , configuration philosophy is a bit different. Don't configure VLANs in wifi section (wifi-qcom-ac doesn't even support it)
    You'll configure one SSID on master interface (e.g. wifi1) and you'll create additional slave wifi interfaces (using wifi1 as their master but setting other SSIDs)
  5. on bridge port wifi1 set PVID to desired VLAN ID for main SSID (e.g. 30 for baita_sp)
  6. add the slave wifi interfaces as bridge ports and set pvid to values appropriate for SSIDs (e.g. 10 for wifi interface configured with SSID vwlan-iot)
  7. you only need bridge port to be set as tagged member of management VLAN (e.g. 30) and you only need VLAN interface for that VLAN. Add IP address to that VLAN interface, don't forget to include netmask (e.g. 192.168.10.220/24, netmask is missing in your current config) and set default route.
  8. set ether1 as tagged member of all VLANs involved and set the rest of ether ports as access ports to appropriate VLANs (set pvid on port and they will be automatically added as untagged members of corresponding VLAN)

If you don't want to go with ROS v7, then you can proceed with current version, but the config is not correct either.

I guess VLANs are overwhelming you. I suggest you to study this excellent tutorial: viewtopic.php?t=143620
Bridge has a few personalities and this article will help you understand them: viewtopic.php?t=173692

I suspect that VLAN setup might be suboptimal on RB4011 as well, so you may want to post config as well. Or, if you're into learning, try fixing them after you read the articles linked above (but come back for help if you get stuck).
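A worked version of steps 3 to 8 above, added here as an example; it is not mkx's code, the original poster's export, or MikroTik documentation. It assumes RouterOS 7.16.1 with wifi-qcom-ac on the hAP ac2, ether1 as the uplink trunk, ether5 as the port used while configuring (via MAC-Winbox), and VLAN IDs and addresses chosen to line up with the RB4011 export earlier in the thread (10 IoT, 20 private, 99 management, gateway 192.168.99.1); the passphrases are placeholders.

```routeros
# Added example (not from the thread). Assumptions: management VLAN 99 with
# the RB4011 at 192.168.99.1, private SSID baita_sp on VLAN 20, IoT SSID on
# VLAN 10, ether1 = trunk to the PtMP link, ether5 = configuration port.

# Step 3: one bridge. VLAN filtering stays OFF until the VLAN table is
# complete, so a typo cannot cut off the management path half way through.
/interface bridge
add name=bridge1 vlan-filtering=no

# Step 4: wifi lives under /interface/wifi; no VLAN settings in here.
# wifi1 = 5 GHz master, wifi2 = 2.4 GHz master, wifi-iot = slave on 2.4 GHz.
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=ap configuration.country=Italy \
    configuration.ssid=baita_sp security.authentication-types=wpa2-psk,wpa3-psk \
    security.passphrase="CHANGE-ME-private-psk" disabled=no
set [ find default-name=wifi2 ] configuration.mode=ap configuration.country=Italy \
    configuration.ssid=baita_sp security.authentication-types=wpa2-psk,wpa3-psk \
    security.passphrase="CHANGE-ME-private-psk" disabled=no
add master-interface=wifi2 name=wifi-iot configuration.mode=ap \
    configuration.ssid=WiFi-IOT security.authentication-types=wpa2-psk \
    security.passphrase="CHANGE-ME-iot-psk" disabled=no

# Steps 5, 6 and 8: bridge ports. The trunk accepts only tagged frames;
# access ports get a PVID and accept only untagged frames, so a client
# cannot inject its own 802.1Q tag to reach another VLAN.
/interface bridge port
add bridge=bridge1 interface=ether1 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wifi1 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wifi2 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wifi-iot pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# Steps 7 and 8: VLAN table. ether1 is a tagged member of every VLAN; ports
# with a PVID show up as dynamic untagged members by themselves. Only the
# management VLAN needs the bridge itself as a tagged member.
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether1 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99

# Step 7: a single VLAN interface, an address WITH its netmask, and a
# default route via the RB4011 so the AP can reach other subnets.
/interface vlan
add interface=bridge1 name=VLAN99 vlan-id=99
/ip address
add address=192.168.99.220/24 interface=VLAN99
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1
/ip dns
set servers=192.168.99.1

# Only now turn filtering on, then confirm the dynamic untagged entries
# (flag D) appeared next to the static ones before trusting the link.
/interface bridge
set bridge1 vlan-filtering=yes
/interface bridge vlan print

# Step 3, last part: once the trunk and access ports are verified, the port
# used for configuration joins the bridge as an ordinary access port.
/interface bridge port
add bridge=bridge1 interface=ether5 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
```

Paste it section by section into a Winbox terminal rather than all at once, so the `print` at the end can be read before ether5 is moved into the bridge.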
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Thu Nov 21, 2024 2:51 pm

First of all, thank you! I hadn't come across such clear and explanatory tutorials on VLANs and bridges (which I still don’t think I fully understand). However, the network is now working, at least the one with the PTMP link and the central RB4011 router, and I have successfully added a VPN tunnel as well.

That said, I still have a couple of issues:
I can't seem to add the CAPs to the RB4011. Running a torch on the RB4011 on the port connected to the CAPs shows traffic, but I can't see the IP of the CAPs. The devices are configured in the default CAP mode (default configuration + CAPs enabled). Even the ping times out.

What could be causing this?

I suspect the issue could be related to the VLAN filtering option enabled on the bridge. Since the Ethernet 2 port connected to the CAP is part of the bridge, the bridge might only be handling tagged packets, and because the new device is not sending tagged packets, this is causing a communication problem. If this is the case, how should I resolve it? Should I configure the Ethernet 2 port connected to the CAP as a hybrid port, or is it better to enable tagged packets on the CAP and configure it accordingly? What would be the best approach?
Last edited by Elvis1991 on Sat Nov 30, 2024 1:13 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Fri Nov 22, 2024 12:14 pm

Two things:
  1. you are running the new "wifi" driver on cAP (optional package wifi-qcom-ac installed I presume), so you'll have to configure the matching CAPsMAN on RB4011 ... and for that, you'll have to focus on /interface/wifi and its subtree (that's the place to configure new CAPsMAN). It's a bit confusing, I know. If I understand things correctly, then your RB4011 is without wireless. Which means that you (most probably) don't need wireless package installed on it. After you'll uninstall this package, you'll (very probably) lose the /capsman configuration subtree (which confuses you at the moment).
  2. Yes, currently CAP client on cAP can't talk to RB4011 ... cAP is configured without VLANs (yes, bridge has vlan-filtering enabled but everything else regarding VLANs is missing). So you have two options:
    a. configure VLANs on cAP properly ... the same manner as on RB4011. So configure ether1 as trunk port, add bridge as tagged member to VLAN supposed to be used to communicate with CAPsMAN (management?).
      Since cAP is running wifi-qcom-ac, which doesn't properly support VLANs inside driver, you'll have to go with "create enabled" (default is create dynamic enabled) and set those wifi interfaces as access ports to appropriate VLANs after cAP gets provisioned by CAPsMAN for the first time.
      If you go this way, then you'll need appropriate VLAN interface and move DHCP client to that VLAN interface.
    b. configure ether2 on RB4011 as hybrid port with PVID set to VID of management VLAN. Which should fix the CAPsMAN communication, but using appropriate VLANs for wifi interfaces is then still up to configuration as in bullet a above.
    I'd go with bullet a (I want to keep VLANs tagged within LAN infrastructure).
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Fri Nov 22, 2024 8:07 pm

Thank you for your suggestions! I followed option A, configuring the VLANs and setting the ports as trunks on the CAP. As a result, I was able to successfully provision the CAP's wireless interfaces.

However, I am now encountering a new issue: hosts attempting to connect to the Wi-Fi are not obtaining an IP address. I would like to think this is due to a missing DHCP relay, but I suspect there might still be something incorrect in the VLAN configuration on the CAP.

Could you provide some guidance on how to confirm or troubleshoot this?
Last edited by Elvis1991 on Sat Nov 30, 2024 1:12 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Sun Nov 24, 2024 12:03 pm

The config you posted seems to be old one ... with capsman settings still under /caps-man ... but to provision your hAP ax2 you need to configure CAPsMAN under /interface/wifi ... e.g. /interface/wifi/capsman/set enabled=yes. Etc.

I missed that your CAP device is hAP ax2 in your previous post. So your CAP device is running wifi-qcom driver (the non "-ac" version) which can nicely tag/untag frames according to datapath settings on CAPsMAN. It'll be added to bridge on CAP device as tagged interface.

Mikrotik manual at https://help.mikrotik.com/docs/spaces/R ... ionexample: has example, follow the one titled "CAP using "wifi-qcom" package".
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Tue Nov 26, 2024 11:38 pm

Thank you! I successfully implemented CAPsMAN on the hAP ax² by following the guide.

However, I have some doubts regarding the cAP XL ac. According to the page you kindly shared (https://help.mikrotik.com/docs/spaces/R ... onexample:), it seems that the XL ac should support the qcom-ac package. Yet, after uninstalling the Wireless package and attempting to install qcom-ac, I can't even add WiFi interfaces (the master interface is missing).

Am I missing something, or should I stick with the Wireless package instead?
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Wed Nov 27, 2024 9:04 am

After you uninstall wireless package and install wifi-qcom-ac package - verify that it's actually installed, cAP ac XL has only 16MB storage space which is really tight - (and upgrade routerboard firmware for good measure ... and cold boot device for another good measure), it may be good to reset device to default config. Then you should see new interfaces under /interface/wifi ...

If wifi-qcom-ac doesn't install (check logs, it may mention something about inadequate storage space), then you may have to netinstall device ... if that will be necessary, select both main (routeros) and wifi (wifi-qcom-ac) packages to install at the same time ... netinstall can upload multiple packages in one go.
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Thu Nov 28, 2024 11:41 pm

Thank you so much for your help, your advice was, as always, spot-on! It seems the issue was related to physical space limitations. Although the available space appeared sufficient based on the data, the qcom-ac package wouldn’t install, even after removing the wireless package first. In the end, I used a Windows PC with a native Ethernet port to perform the flash using Netinstall, which resolved the problem.

I’ve now successfully configured CAPsMAN, but I’m still fine-tuning the roaming between rooms. The thick, old walls in the building occasionally make it challenging for devices to transition seamlessly between APs, though I’m continuing to test and optimize.

That said, I have a couple of questions: I’ve set up WireGuard to access my network via VPN, but I’m unable to reach the spoke in my PtMP setup or the local AP (hAPac2) connected to the hub of the wireless bridge. However, I can access both the CAPs and the router, as well as hosts in Building 2 via the MGM (99) wifi interface.

I don’t think the issue lies with firewall rules, as I’m just starting to explore those, and currently only have accept rules in place. Initially, I suspected it might be related to VLAN tagging. For example, I can reach all devices when connecting via the WiFi-MANAGEMENT SSID, as I’ve left VLAN filtering disabled on the hub bridge. However, VLAN filtering is enabled on the spoke, which I cannot reach via VPN.

ON SPOKE:
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
.......
/interface vlan
add interface=bridge1 name=VLAN99 vlan-id=99
Instead ON HUB:
/interface bridge
add name=BR1 port-cost-mode=short
/interface wireless
.......
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
Here’s my main question: what’s the best approach to ensure that a specific WireGuard admin IP can access all MikroTik devices in the network? Should I enable VLAN filtering, and if so, how can I properly tag the packets to achieve this?

I hope this is clear with the diagrams and configurations I’ve already shared. If not, I’d be happy to redraw or provide more detailed information about the setup. Once I’ve finalized everything (and tested as much as I can), I’d also like to write a summary post to help anyone who might face a similar situation in the future.

Thanks again for your continued support!
Last edited by Elvis1991 on Sat Nov 30, 2024 1:11 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Fri Nov 29, 2024 8:37 am

I just had a quick look at HUB configuration and it seems to me that routing configuration is flawed:
/ip address
# You probably don't need this:
add address=192.168.0.223/24 comment=defconf interface=BR1 network=192.168.0.0
# and you probably don't need this either:
add address=192.168.0.223/24 interface=BASE_VLAN network=192.168.0.0

# Something like this you need:
add address=192.168.10.223/24 comment=defconf interface=BR1BASE_VLAN network=192.168.10.0
#
/ip route
# effectively you don't have any route at all
add disabled=no dst-address=192.168.0.223/0 gateway=192.168.0.1 routing-table=main suppress-hw-offload=no
Now, assigning an address to some interface (e.g. add address=192.168.10.223/24 interface=BASE_VLAN) adds a route to that subnet (effectively something like /ip route add dst-address=192.168.10.0/24 gateway=BASE_VLAN). But if you want to communicate with peers in other subnets (e.g. in the wireguard subnet), you have to configure additional routes. In your particular case, a default route should do the trick: /ip route add dst-address=0.0.0.0/0 gateway=192.168.10.1 ... it will allow both communication with wireguard devices (residing in 192.168.100.0/24) and internet (you may need it to upgrade ROS or to set up NTP client).


BTW, on main router (RB4011) bridge BR1 has a few ports members which are invalid (interface=*<number>) ... look into it, it shows some orphaned configuration.
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Fri Nov 29, 2024 5:41 pm

Thanks, mkx! I believe I’ve pinpointed the root of the issue—it seems there was some confusion regarding the IPs and routes.

To clarify, the management subnet is aaa.bbb.0.0/24 (e.g., 192.168.0.223 for the HUB, .222 for SPOKE1, and .220 for the AP connected to SPOKE1).

To better understand the process, could you clarify where exactly the packets get tagged in the WireGuard setup? :mrgreen:

Lastly, I’ve addressed the missing configurations on the RB4011, which were remnants from the WiFi interfaces using qcom-ac. If I’ve understood correctly, these interfaces should already be VLAN-tagged locally on the CAP bridge.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Fri Nov 29, 2024 9:19 pm

To better understand the process, could you clarify where exactly the packets get tagged in the WireGuard setup? :mrgreen:
The smiley you used makes me wonder whether you expect an answer or not. But anyway, here it is: wireguard is an IP tunnel, so natively it doesn't carry (nor care about) VLAN tags. Traffic passing between the other end of wireguard and the rest of the subnets is routed ... and after the appropriate egress interface is selected (in your case one of the vlan interfaces), it is tagged by the lower layers (in this case by the vlan interface).
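As an added illustration of the two points above (a managed device needs a route back to the WireGuard subnet, and the 802.1Q tag is only applied at the egress VLAN interface), here is a minimal management-plane configuration. It is not taken from the thread or from any posted export. It assumes the management VLAN is 99 on 192.168.0.0/24 as Elvis1991 clarified, that the RB4011 at 192.168.0.1 is both the default gateway and the WireGuard server with peers in 192.168.100.0/24, that the admin peer is 192.168.100.2, and that the uplink is ether1; all of those addresses, the listen port and the interface names are assumptions, and the peer public key is a placeholder.

```routeros
# Added example, not from the thread. Assumed: mgmt VLAN 99 = 192.168.0.0/24,
# RB4011 = 192.168.0.1 (gateway + WireGuard server), WireGuard subnet
# 192.168.100.0/24, admin peer 192.168.100.2, uplink on ether1.

# ---- On a managed device (hub/spoke antenna, AP): one address, one route ----
/interface bridge
add name=BR1 vlan-filtering=yes
/interface bridge port
add bridge=BR1 interface=ether1 frame-types=admit-only-vlan-tagged
/interface bridge vlan
# BR1 itself must be a tagged member so the CPU can talk on VLAN 99
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address
# the address goes on the VLAN interface, not on BR1 (no untagged management leak)
add address=192.168.0.223/24 interface=BASE_VLAN
/ip route
# 192.168.0.0/24 is a connected route already; the WireGuard subnet and the
# internet (NTP, upgrades) are reached through the RB4011
add dst-address=0.0.0.0/0 gateway=192.168.0.1

# Management plane reachable only from VLAN 99 and the admin WireGuard peer
/ip firewall address-list
add list=mgmt-allowed address=192.168.0.0/24
add list=mgmt-allowed address=192.168.100.2
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input src-address-list=mgmt-allowed action=accept
add chain=input action=drop
/ip service
set ssh address=192.168.0.0/24,192.168.100.2
set winbox address=192.168.0.0/24,192.168.100.2
disable telnet,ftp,www,api

# ---- On the RB4011 (WireGuard server) ----
/interface wireguard
add name=wireguard1 listen-port=13231
/interface wireguard peers
add interface=wireguard1 public-key="<admin peer public key>" \
    allowed-address=192.168.100.2/32
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address
add address=192.168.100.1/24 interface=wireguard1
add address=192.168.0.1/24 interface=BASE_VLAN
# A packet from 192.168.100.2 to 192.168.0.223 arrives on wireguard1 untagged,
# is routed to BASE_VLAN (connected route), and only there receives tag 99.
```

On the hub antenna the PtMP wlan carrying the trunk to the spokes belongs in the same tagged list as ether1. The RB4011's forward chain must also permit wireguard1 to BASE_VLAN traffic for the admin peer (and deny it for the restricted peer), since the input rules above only protect each device's own management plane. If the managed device is also a CAP, it initiates the CAPsMAN session itself, so the established,related rule covers the return traffic; still, apply the input drop rule from a safe-mode session first, because a wrong address list locks you out.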
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Wed Dec 04, 2024 6:16 pm

Thank you for the clarification, mkx! I'm trying to deepen my understanding of device configurations, but since I’m still building my knowledge base, I find it challenging to proceed fully on my own.

I’d like to ask for further help regarding a variation of my setup. I noticed that one room in the main building has poor wireless coverage, so I want to add another cAP in cascade. Specifically, I’d like to understand how to properly configure a cAP ax connected in cascade to:
  • 1. Another cAP ax (hAP ax2 with qcom WiFi)
  • 2. Or an access point such as the hAP ac2 (IP 192.168.0.220 in my LAN, also with qcom drivers).

For testing I tried the 2nd option. I disconnected the working cAP ax and connected it to an Ethernet port configured as "trunk" on the hAP ac2 (Ethernet 5). The cAP ax was able to ping the main router and access the internet, but its wireless interfaces were not provisioned by the RB4011. Specifically:

  • The cAP ax reported "no connection to CAPsMAN."
  • However, two new wireless interfaces appeared in the RB4011 menu, both with the same MAC address as the relocated cAP ax.
  • In the "Remote CAP" menu of the RB4011, the cAP ax was missing, even though it appeared there when connected directly to the router.

Since the cAP ax works correctly when directly connected to the router, what should I modify:
  • On the hAP ac2 to make it work properly in cascade?
  • Alternatively, what steps should I take if I want to cascade a cAP ax to another cAP ax (hAP ax2)?
Thank you very much for your help!
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Wed Dec 04, 2024 10:04 pm

You have ether1 on hAP ac2 configured as trunk port. If you want to connect additional cAP ac to ether5 of hAP ac2, then you can simply configure ether5 identically to ether1 ... add it to bridge and set the same VLAN properties.
 
Elvis1991
newbie
Topic Author
Posts: 25
Joined: Wed Jan 02, 2019 12:59 am

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Wed Dec 04, 2024 11:25 pm

Thanks for your reply, as always. Anyway, am I missing something more specific to set up eth5 as trunk?
hAPac2:
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 comment=iot-HOA_raspi frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 comment=iot-LORA_raspi frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=wifi24-iot pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=wifi50-private pvid=30
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=vwifi50-gst pvid=20
add bridge=bridge1 comment=stampante interface=ether4 pvid=30
add bridge=bridge1 interface=vwlan50_mngm pvid=99
add bridge=bridge1 interface=ether5
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether5 untagged=\
wifi24-iot,ether2,ether3,ether4 vlan-ids=10
add bridge=bridge1 tagged=ether1,ether5,bridge1 untagged=vwlan50_mngm \
vlan-ids=1,99
add bridge=bridge1 tagged=ether1,ether5 untagged=\
vwifi50-gst,ether2,ether3,ether4 vlan-ids=20
add bridge=bridge1 tagged=ether1,ether5 untagged=wifi50-private,ether4 \
vlan-ids=30
/ip address
add address=192.168.0.220/24 interface=BASE_VLAN network=192.168.0.0
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feasibility of CAPsMAN VLAN and VPN Configuration on Point to Multi-Point with RB4011iGS+RM

Thu Dec 05, 2024 9:37 pm

That's mostly what I had in mind ... plus setting frame-types the same way as it's done for ether1.
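Putting mkx's two replies together, here is what the ether5 entry on the hAP ac2 would look like beside the posted one. This is an added example, not a change taken from the thread; it uses only the names from Elvis1991's export (bridge1, ether1, ether5), and the print commands are standard RouterOS bridge commands.

```routeros
# Added example. Names (bridge1, ether1, ether5) are from the posted export.

/interface bridge port
# as posted: ether5 is in the bridge but accepts untagged frames on PVID 1
# add bridge=bridge1 interface=ether5
# corrected: accept only tagged frames, exactly like ether1
set [find interface=ether5] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [find interface=ether1] ingress-filtering=yes

# ether5 is already listed as tagged for VLANs 1,99 / 10 / 20 / 30 in the posted
# /interface bridge vlan table, so nothing changes there; confirm both tables:
/interface bridge port print detail where interface=ether5
/interface bridge vlan print

# After plugging the cAP in: its MAC should be learned on ether5 with VID 99
# (management); if it shows up with VID 1 the cAP is sending untagged frames
/interface bridge host print where on-interface=ether5
```

With the posted entry, an untagged frame from the cAP arriving on ether5 is placed in PVID 1 rather than in the management VLAN 99, which is one way a cAP behind ether5 ends up behaving differently from the same cAP on the RB4011. The cAP's own side of the link must likewise send its management traffic tagged with VLAN 99 on its ether1; that part of the configuration is not shown in the thread, so check the host table above before looking further at CAPsMAN itself.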
